06-06-2007, 12:43 AM
#16
Salathe
Status: Community Archaeologist
Join date: Jul 2004
Location: Scotland
Expertise: Software Development
Software: vim, PHP
Posts: 3,820

I haven't paid any attention to this topic until now, but if people are going to take away and use the code provided here then I'd like to ask you about something.

Why are the three str_replace calls there? Surely that goes against using mysql_real_escape_string, since if any potentially malicious characters do get escaped, you then remove them, leaving a backslash behind.

PHP Code:
$value = $_GET['value']; // oranges'

// Example using VI's sql_safe function
$safe_value = sql_safe($value); // oranges\
echo "SELECT * FROM mytable WHERE mycol = '{$safe_value}';";
// SELECT * FROM mytable WHERE mycol = 'oranges\';
// ^ Malformed query

// Without the str_replaces
$safe_value = sql_safe_no_str_replaces($value); // oranges\'
echo "SELECT * FROM mytable WHERE mycol = '{$safe_value}';";
// SELECT * FROM mytable WHERE mycol = 'oranges\'';
// ^ Properly escaped
Sure, you might prevent potentially malicious attacks getting through but you'll also make a mess when there needn't be one.

Also, consider what happens if an empty string is fed into the function. Will it, or won't it, mess up your query?

All that said, it's late and I might be barking up the wrong tree! Correct me if I'm being stupid.
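The comparison in the post above, carried through on a few inputs, as an added example that is not code from the thread. `sql_safe_guess()` is a hypothetical reconstruction of an "escape, then strip the quote characters" helper; the body of VI's actual `sql_safe` is not quoted in this post, and the list of three characters it strips is an assumption. `addslashes()` stands in for `mysql_real_escape_string()`, which needs a live MySQL connection (and no longer exists in PHP 7+); for the quote and backslash cases shown here it produces the same output.

```php
<?php
// Added example, not from the original thread. sql_safe_guess() is a
// hypothetical reconstruction; VI's real sql_safe is not shown in the post.

// Stand-in for mysql_real_escape_string(), which needs a DB connection
// and was removed in PHP 7. addslashes() backslash-escapes ' " \ and NUL.
function escape_stub(string $value): string
{
    return addslashes($value);
}

// Escape first, then remove the quote characters themselves (assumed
// list). The escaping backslash survives while the character it was
// escaping is gone, which is the problem the post describes.
function sql_safe_guess(string $value): string
{
    $escaped = escape_stub($value);
    return str_replace(["'", '"', ';'], '', $escaped);
}

// Escape only, no stripping afterwards.
function sql_safe_no_str_replaces(string $value): string
{
    return escape_stub($value);
}

function build_query(string $safe_value): string
{
    return "SELECT * FROM mytable WHERE mycol = '{$safe_value}';";
}

// Count single quotes that are not preceded by an escaping backslash.
// An odd count means a string literal was never closed: a malformed query.
function unescaped_quote_count(string $sql): int
{
    $n = 0;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        if ($sql[$i] === '\\') {
            $i++;               // skip whatever the backslash escapes
            continue;
        }
        if ($sql[$i] === "'") {
            $n++;
        }
    }
    return $n;
}

// Constructed sample inputs: the post's example, the empty string it asks
// about, a trailing backslash, and a classic injection attempt.
$inputs = ["oranges'", "", "oranges\\", "'; DROP TABLE mytable; --"];

foreach ($inputs as $value) {
    foreach (['sql_safe_guess', 'sql_safe_no_str_replaces'] as $fn) {
        $sql = build_query($fn($value));
        $state = unescaped_quote_count($sql) % 2 === 0 ? 'balanced' : 'MALFORMED';
        printf("%-25s input=%-30s %s\n", $fn, var_export($value, true), $state);
        echo "    $sql\n";
    }
}
```

Run it with `php example.php`. Only the `oranges'` input through `sql_safe_guess()` comes out MALFORMED (the lone trailing backslash swallows the closing quote); the empty string is harmless under both variants, and the injection attempt is neutralised by escaping alone, with the strip step merely mangling the stored value. The fix a practitioner would reach for today is not a better escape-and-strip helper but parameterised queries (mysqli or PDO prepared statements), which keep data out of the SQL text entirely.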