I have this function on my old site. I am trying to change things from the old MySQL extension to the new MySQLi, and this function has some MySQL code in it.
I tried to just replace it with mysqli_real_escape_string, but it's not working.
Not sure how to do this with MySQLi. Maybe someone has a solution to this?
Code below:
```php
// Function to sanitize values received from the form. Prevents SQL injection.
// Note: mysql_real_escape_string() needs an open connection made with the old
// mysql_* extension; that extension was removed in PHP 7.
function clean($str) {
    $str = @trim($str);
    // Undo the escaping PHP itself added when magic_quotes_gpc was on,
    // so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

// Sanitize the POST values
$name = clean($_POST['name']);
```
With mysqli you simply keep the SQL and data separate by using a prepared statement for the SQL and a bind statement for the data.
You will of course still need to validate all inputs properly as well as you should already be doing in place of clean() - unless all of your database fields are allowed to contain any random character string as valid input.
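The following is an added example, not code from the question or the answer above, showing what the answer describes: the form value is validated for its own rules, and then passed to mysqli through `prepare()` and `bind_param()` so it never becomes part of the SQL text. The table `users` (columns `id`, `name`), the connection credentials and the 50-character limit are assumptions for the example.

```php
<?php
// Added example: replace clean() + string concatenation with mysqli prepared
// statements. Schema and credentials below are assumptions for illustration.
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed DSN
// The connection charset must match the data; mismatches are a classic
// escaping pitfall, and binding relies on the driver knowing the charset.
$db->set_charset('utf8mb4');

/**
 * Validation replaces the old clean(): it enforces the business rules for the
 * field (non-empty, at most 50 characters). No escaping is done here, because
 * the driver handles quoting when the value is bound to a placeholder.
 */
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    return $name;
}

$name = validate_name($_POST['name'] ?? '');
if ($name === null) {
    http_response_code(400);
    exit('Invalid name');
}

// Unsafe pattern the question is moving away from (do not use):
//   $db->query("INSERT INTO users (name) VALUES ('" . $name . "')");
// Safe pattern: the SQL contains only a placeholder; data travels separately.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->bind_param('s', $name);   // 's' = bind as string
$stmt->execute();
$newId = $db->insert_id;
$stmt->close();

// Same approach for reads. A value such as "' OR 1=1 -- " is compared as a
// literal string and cannot change the query structure.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();   // get_result() requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    // Escape for the HTML context on output; SQL escaping is a separate concern.
    printf("%d: %s\n", $row['id'], htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
$stmt->close();
$db->close();
```

If `get_result()` is unavailable (no mysqlnd), use `bind_result()` and `fetch()` on the statement instead; the prepare/bind/execute split that keeps the data out of the SQL text is the same either way.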