As is explained everywhere on the web, the usual advice for preventing MySQL injection attacks in PHP is to use the mysql_real_escape_string function, and there are many guides on how to use it together with sprintf to escape dangerous characters before executing a MySQL query. In a comment on the php.net website I found a simpler, blanket approach: escape every variable sent by the user via GET or POST at the beginning of each page that executes MySQL queries. Two things to keep in mind before adopting it: the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7 (the equivalent on current PHP is mysqli_real_escape_string), and escaping only makes a value safe inside a quoted SQL string literal; prepared statements (mysqli or PDO) avoid manual escaping altogether and are the better default.
First, make sure magic_quotes_gpc is turned off in your PHP configuration; you can check this on the phpinfo() page, or at runtime with get_magic_quotes_gpc(). This step ensures your variables are not escaped twice (a doubly escaped value ends up with stray backslashes stored in the database).
This article explains how to disable magic quotes: Disabling Magic Quotes Guide.
Then put the following code at the beginning of every page that executes MySQL queries:
```php
<?php
include('mysql_connect.php'); // mysql_real_escape_string() needs an open MySQL link

// Escape every scalar in a request array. Nested arrays (e.g. name[]) are handled
// recursively, because mysql_real_escape_string() on an array returns false with a warning.
function escape_request(array $vars) {
    foreach ($vars as $key => $value) {
        $vars[$key] = is_array($value) ? escape_request($value) : mysql_real_escape_string($value);
    }
    return $vars;
}

// Escape the POST and GET variables. This only makes values safe inside quoted SQL
// string literals; it does not protect unquoted numbers, identifiers or LIKE patterns.
$_POST = escape_request($_POST);
$_GET  = escape_request($_GET);
```
mysql_real_escape_string needs an open connection to your MySQL database when it is called, which is why include('mysql_connect.php') sits at the top of the script; replace it with your own connection code. Set the connection character set with mysql_set_charset() rather than a SET NAMES query, because the escaping function has to know which charset the connection uses. Also be aware of what this blanket escaping does not cover: it only neutralises the characters that would terminate a quoted string literal, so a value interpolated unquoted (WHERE id = $id), used as a column or table name, or placed in an ORDER BY clause is still injectable, and the escaped values are wrong for any non-SQL use such as HTML output or e-mail. Validate numeric input by casting it, and prefer prepared statements where you can.
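The following script, added here as an example and not taken from the original post or the php.net comment, shows where the blanket-escaping approach holds and where it fails, and the prepared-statement alternative. It uses the mysqli extension, since ext/mysql is gone in PHP 7; mysqli_real_escape_string() escapes exactly the same characters as mysql_real_escape_string(). The host, credentials, database name and the users(id, name) table are assumptions, and the attacker input is constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Assumptions: a MySQL server on
// localhost, user 'app' / password 'secret', database 'appdb' with a table
// users(id INT, name VARCHAR(64)).
$link = mysqli_connect('localhost', 'app', 'secret', 'appdb');
if (!$link) {
    die('Connection failed: ' . mysqli_connect_error());
}
mysqli_set_charset($link, 'utf8mb4'); // escaping must know the connection charset

// Constructed attacker input, as it would arrive in ?name=...&id=...
$input = array(
    'name' => "admin' OR '1'='1",
    'id'   => '1 OR 1=1',
);

// The same blanket escaping the post applies to $_GET / $_POST.
foreach ($input as $key => $value) {
    $input[$key] = mysqli_real_escape_string($link, $value);
}

// 1. Quoted string context: escaping works. Each quote in the payload becomes \'
//    so the whole value stays inside the literal and matches no user.
$sql1 = "SELECT id FROM users WHERE name = '{$input['name']}'";
echo $sql1, "\n"; // SELECT id FROM users WHERE name = 'admin\' OR \'1\'=\'1'

// 2. Unquoted numeric context: escaping changes nothing, because the payload
//    contains none of the characters the function escapes. The condition
//    becomes "id = 1 OR 1=1" and matches every row in the table.
$sql2 = "SELECT id FROM users WHERE id = {$input['id']}";
echo $sql2, "\n"; // SELECT id FROM users WHERE id = 1 OR 1=1

// Fix for numeric input: cast (or validate) before interpolating.
$id   = (int) $input['id']; // 1
$sql3 = "SELECT id FROM users WHERE id = $id";
echo $sql3, "\n"; // SELECT id FROM users WHERE id = 1

// 3. Preferred fix for every context: a prepared statement. The raw values
//    travel separately from the SQL text, so they can never be parsed as SQL.
$name = "admin' OR '1'='1"; // raw, unescaped input is correct here
$id   = 1;
$stmt = mysqli_prepare($link, 'SELECT id FROM users WHERE name = ? AND id = ?');
mysqli_stmt_bind_param($stmt, 'si', $name, $id);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $found_id);
while (mysqli_stmt_fetch($stmt)) {
    // Only a user literally named "admin' OR '1'='1" with id 1 would match.
    echo "matched id $found_id\n";
}
mysqli_stmt_close($stmt);
mysqli_close($link);
```

Run it from the command line with php and compare the three query strings it prints: the first is neutralised by escaping, the second is not, and the third shows the cast that closes the numeric case. With the prepared statement there is nothing to escape at all, which is why it is the better default when you have a choice of API.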