I've read many documents on preventing SQL injection.
They said to use PDO and mysql_real_escape_string.
I program BBS code (old-style...),
and people using my BBS code
do some simple code like:
select * from $g4[member_table] where mb_id='$mb_id' and mb_1='$my_option'
$mb_id does go through mysql_real_escape_string,
but $my_option maybe does not.
So I want to clean all $_GET, $_POST, $_REQUEST variables using a PHP function like clean_sql().
clean_sql() clears all SQL statements
when the $my_option value is "1' union select * from g4_member where mb_id='admin'".
Please let me know a function like clean_sql()?
===
clean_sql must work with PHP 4.x.
Best practice when it comes to SQL injection is the same whether or not you use UNIONs. The same goes for $_POST, $_GET, $_REQUEST or any other form of user-provided data. Either use prepared statements (via PDO or MySQLi) or mysqli_real_escape_string(). Of course, you should take it a step further and validate and sanitize user-provided data before attempting to save it into your database. Functions like filter_var() and ctype_* are an easy way to validate and/or sanitize data.
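The following is an added example, not code from the question or the answer, showing the two approaches side by side: the concatenated query from the question run against the UNION payload the question quotes, and the prepared-statement version with the validation the answer recommends. It assumes a table named g4_member with columns mb_id and mb_1 (only the two names that appear in the question are known; the email column and the rows are constructed), and it uses an in-memory SQLite database through PDO so it runs offline; against MySQL only the DSN changes. Note that PDO requires PHP 5.1 or later, which is what the answer's advice implies; it is not a PHP 4 solution.

```php
<?php
// Added example (not part of the original post). Assumes a table g4_member with
// columns mb_id and mb_1; uses in-memory SQLite via PDO so it runs with no server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE g4_member (mb_id TEXT, mb_1 TEXT, mb_email TEXT)");
// Constructed sample rows.
$pdo->exec("INSERT INTO g4_member VALUES ('admin', '1', 'admin@example.com')");
$pdo->exec("INSERT INTO g4_member VALUES ('bob',   '2', 'bob@example.com')");

// Constructed request input: $my_option carries the payload quoted in the question.
$_GET['mb_id']     = 'bob';
$_GET['my_option'] = "1' union select * from g4_member where mb_id='admin'";

// BEFORE: the query from the question, built by string concatenation.
// The single quote in $my_option closes the literal and the remainder of the
// input is parsed as SQL, so the query returns the admin row instead of nothing.
function vulnerable_lookup(PDO $pdo, $mb_id, $my_option)
{
    $sql = "select * from g4_member where mb_id='$mb_id' and mb_1='$my_option'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: validate first, then bind. A bound value is sent to the driver separately
// from the SQL text, so quotes and keywords inside it never reach the SQL parser.
function safe_lookup(PDO $pdo, $mb_id, $my_option)
{
    // mb_1 is treated as an integer option here (assumption), so reject anything else.
    if (filter_var($my_option, FILTER_VALIDATE_INT) === false) {
        return array(); // in real code: log the rejected input and show an error page
    }
    // mb_id: letters and digits only, bounded length (a typical login-id policy; assumption).
    if (!ctype_alnum($mb_id) || strlen($mb_id) > 20) {
        return array();
    }
    $stmt = $pdo->prepare('select * from g4_member where mb_id = :mb_id and mb_1 = :mb_1');
    $stmt->execute(array(':mb_id' => $mb_id, ':mb_1' => $my_option));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$bad  = vulnerable_lookup($pdo, $_GET['mb_id'], $_GET['my_option']);
$good = safe_lookup($pdo, $_GET['mb_id'], $_GET['my_option']);
$ok   = safe_lookup($pdo, 'bob', '2'); // a legitimate request still works

$ids = array();
foreach ($bad as $row) {
    $ids[] = $row['mb_id'];
}
printf("concatenated query returned %d row(s): %s\n", count($bad), implode(',', $ids));
printf("prepared query with the payload returned %d row(s)\n", count($good));
printf("prepared query with option '2' returned %d row(s)\n", count($ok));
```

Two points worth noting against the question's setup. First, mysql_real_escape_string() only protects a value that is placed between quotes in the query, and it has to be applied to every interpolated variable; the question's own example escapes $mb_id but not $my_option, which is exactly the gap the payload uses. Second, a blanket clean_sql() over $_GET/$_POST/$_REQUEST cannot know which values will end up in a quoted string, a numeric context or an identifier, so it will either break legitimate input or miss cases; validating each field for the type it is supposed to hold (filter_var(), ctype_*) and binding it through a prepared statement does not have that problem.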