The thing is that I have a complete working website with many calls to the MySQL server, and doing some research on this site I saw that by making my queries in this form:
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
                 mysql_real_escape_string($user),
                 mysql_real_escape_string($password));
I can solve the security issue. But, as I said, I have many calls to the MySQL server, and the best way (in my case) to solve the problem is going directly to the vars I'm passing to the query, but without using a MySQL function, because I'm outside the query. Let me explain; I have this:
mysql_query("SELECT * FROM `post` WHERE id=" . $_GET['edit']);
I can't modify this query because I have a lot of these throughout my code; instead I prefer to check for injections on the var, $_GET['edit'].
How can I, using pure PHP, check for SQL injections on the variables of the queries? Like:
$_GET['edit']=freehack($_GET['edit']);
Don't do it this way. By replacing the value of your $_GET parameters with "safe" versions, you are contaminating your input data, which you may need for other places. Only escape data when you need to use it on the database layer. It will only take you a little time to fix your queries, and it will save you a ton of headache in the long run.
In any case, what you are doing is still not secure! See: PHP: Is mysql_real_escape_string sufficient for cleaning user input?
You really should be using prepared queries with PDO. Also, you should be checking your user input for validity before using it in a query.
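The answer's advice (validate the input first, then run a PDO prepared statement) applied to the query from the question, as an added example that is not part of the original question or answer; the DSN, credentials, option set and the `loadPost`/`connect` function names are assumptions:

```php
<?php
// Added example, not code from the question or the answer above.
// Connection details and the `post` table layout are assumptions.

// BEFORE (from the question): the raw request value is concatenated into the
// SQL text, so whatever the client sends becomes part of the statement.
//   mysql_query("SELECT * FROM `post` WHERE id=" . $_GET['edit']);

function connect(): PDO
{
    // Assumed DSN and credentials. ERRMODE_EXCEPTION surfaces failures instead
    // of silently returning false; with emulated prepares off, MySQL itself
    // parses the statement, so a bound parameter can never become SQL.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Validate the id (it must be a positive integer), then bind it as a parameter.
 * Returns the row, or null when the input is invalid or no row exists.
 * $_GET itself is never rewritten, so other code still sees the original value.
 */
function loadPost(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject invalid input rather than trying to "clean" it
    }

    // AFTER: the SQL text is fixed; the value travels separately as a parameter.
    $stmt = $pdo->prepare('SELECT * FROM `post` WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$post = loadPost(connect(), $_GET['edit'] ?? '');
if ($post === null) {
    http_response_code(404);
    exit('Post not found');
}
```

Every remaining `mysql_query(... . $_GET[...])` call in the code base needs the same treatment; validation alone does not make the concatenated form safe.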