Best way to prevent sql injection?

I found that turning magic_quotes_gpc on and keeping it on prevents almost all injections people try.

I found that turning magic_quotes_gpc on and keeping it on prevents almost all injections people try.

This is a red herring. Magic quotes do not offer sufficient protection against SQL injection (which is simple to prevent), and they actually complicate a security-conscious developer’s input filtering.

Therefore, I would argue that magic quotes decrease the security of an application rather than increase it.

Magic quotes prevent DELETE statements, insertion statements, and most other stuff. It's kept the infidels at bay for my site these last couple of years.

There’s also addslashes and mysql_escape_quotes.

Magic quotes prevent DELETE statements, insertion statements, and most other stuff.

You really think so? :) I think you’d be surprised what I could do to your database if you’re relying on the escaping provided by magic quotes as your only protection. This is an extremely poor approach.

There’s also addslashes and mysql_escape_quotes.

addslashes() is just the function magic quotes uses (well, magic_quotes_gpc, which is what most people refer to), so it has the same weaknesses. There is no such function as mysql_escape_quotes().

Imagine a delete query:
DELETE FROM table WHERE record_id = [parameter]

where [parameter] is a $_GET parameter. Aside from other problems that might occur, you’d also face the danger of someone sending you “43 OR (1 = 1)” (without the quotes) as that value. Since no special char is used, the variable is not escaped by magic quotes. Actually, NO escaping would protect you here; you’d have to use some other approach.

Regards

Does something like this have to be talked OVER AND OVER AGAIN?!?
We need something new here!!!

Anyway, just for being relevant, the solution to the ‘quoted’ post would be to use ‘quoting’ (as opposed to just “escaping”, but in my world escaping is escaping+quoting).

And hey, has ANYONE ALREADY MENTIONED QUOTING AND ESCAPING?! No? Really? Check out the first page of this thread… If you can’t find either of these two words then you should kill me.

I’m sick of this thread. This thread is evil. I’m unwatching it. I’m also evil though, so you should take this matter unpersonally and leave me alone.

I’ve tried a lot of delete queries, they don’t work. I use htmlspecialchars and strip_tags in conjunction with magic quotes but I doubt that changes anything. I probably have some other database setting turned on.

An int is an int, don’t frigging quote it to make it a string :P
MySQL’s query optimizer may go nuts with the indexes
Do the proper verification, is_numeric() won’t hurt your fingers :)

Oh and it’s even written here:

“Quotes around numeric data in queries”
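A worked example, added here and not taken from any post in this thread: the unquoted-integer DELETE discussed above, first fed through addslashes() (the function magic quotes relies on) to show the escaping does nothing, then rewritten with the type check and prepared statement the replies recommend. It assumes PHP with the pdo_sqlite extension so it runs against an in-memory database; the table name `records` and the rows are made up.

```php
<?php
// Added example (not from the thread). Assumes pdo_sqlite so the script
// is self-contained; the table and its three rows are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE records (record_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO records VALUES (42, 'a'), (43, 'b'), (44, 'c')");

// The value from the thread: it contains no quote or backslash, so
// addslashes() (and therefore magic_quotes_gpc) returns it unchanged.
$param = '43 OR (1 = 1)';
var_dump(addslashes($param) === $param);

// Vulnerable form: escaped string interpolated into an unquoted numeric
// position. The WHERE clause becomes "record_id = 43 OR (1 = 1)", which
// matches every row. Run inside a transaction and rolled back so the
// table survives for the safe version below.
$unsafeSql = 'DELETE FROM records WHERE record_id = ' . addslashes($param);
$pdo->beginTransaction();
$deletedByUnsafeQuery = $pdo->exec($unsafeSql);
$pdo->rollBack();
var_dump($deletedByUnsafeQuery);

// Safe form: (1) validate that the input really is an integer before it
// goes anywhere near SQL, (2) bind it as a parameter so the driver sends
// it as data rather than as part of the statement text.
function deleteRecord(PDO $pdo, $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('record_id must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM records WHERE record_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// A genuine id removes exactly one row.
var_dump(deleteRecord($pdo, '43'));

// The injected value is rejected before any query is built or executed.
try {
    deleteRecord($pdo, $param);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Note that the prepared statement alone would already stop the injection; the integer validation is the separate point made in the last post, that a numeric column should receive a number, not a quoted string.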