Thanks to all of you for your input.
Either I haven't been able to be as clear as I can, or I haven't been able to appreciate your suggestions.
Previously, addslashes was used to escape only those values that needed it, and only for INSERT statements, for example:
Code:
$value1 = "I need lot's of help";
$value2 = 10493;
$sql = "INSERT INTO table SET field1='".addslashes($value1)."', field2='$value2' ";
//In this example, $value2 was not addslashed because it is an integer
But now, as part of PHP security, we've come to learn that EVERY value needs to be mysql_real_escaped, regardless of the nature of the statement or the value.
This entails 'fixing' up every one of our SQLs. At the moment, our site has hundreds (or thousands) of SQLs, and the thought of manually mysql_escaping the tens of thousands of values is not very exciting. So, bearing in mind that the SQLs pass through a wrapper, my intention is to leave them alone (removing the addslashes from those that had them) and then pass the SQLs through a function that uses a regular expression to do the following:
Code:
function escape($sql)
{
$escaped_sql = $sql; // Don't know what goes here
return $escaped_sql;
}
$old_sql = "INSERT INTO table SET field1='$value1', field2='$value2' ";
$new_sql = escape($old_sql);
//which should return INSERT INTO table SET field1='".mysql_real_escape_string($value1)."', field2='".mysql_real_escape_string($value2)."'
So, what (I think) I need is help putting together the escape function.
Thanks for the help once again.
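An added example, not code from the post above. The post's own sample shows why a regular expression over the finished SQL cannot work: once the string reads field1='I need lot's of help', nothing in it says whether the quote after "lot" closes the literal or belongs to the value, so an escape() that receives only the assembled query has no way to recover the values. Escaping has to happen while the values are still separate. The example below assumes the site's wrapper can be changed to take the query template and the values as separate arguments; the function names build_sql() and run_prepared() and the connection details are this example's own.

```php
<?php
// Added example, not from the original post. Assumes the wrapper can receive
// the query template and its values separately; build_sql(), run_prepared()
// and the connection settings below are this example's own.
declare(strict_types=1);

/**
 * Build an SQL string from a template that uses ? placeholders and a list of
 * values. Every value is passed through $escape and then quoted, whatever its
 * type, so an integer such as 10493 gets the same treatment as a string.
 * $escape is normally [$mysqli, 'real_escape_string']: it needs the live
 * connection so that escaping matches the connection's character set.
 */
function build_sql(string $template, array $params, callable $escape): string
{
    $parts = explode('?', $template);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('placeholder and value counts differ');
    }
    $sql = $parts[0];
    foreach (array_values($params) as $i => $value) {
        $sql .= ($value === null) ? 'NULL' : "'" . $escape((string) $value) . "'";
        $sql .= $parts[$i + 1];
    }
    return $sql;
}

/**
 * Preferred form: a prepared statement lets the server keep query text and
 * values apart, so no string escaping is needed at all.
 */
function run_prepared(mysqli $db, string $sql, array $params): mysqli_stmt
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if ($params !== []) {
        // One type letter per value: i for int, d for float, s for everything else
        $types = '';
        foreach ($params as $p) {
            $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
        }
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt;
}

// Usage (needs a real connection; host, user, password and database are
// placeholders, the two values are the ones from the post):
// $mysqli = new mysqli('localhost', 'user', 'password', 'dbname');
// $mysqli->set_charset('utf8mb4');
// $value1 = "I need lot's of help";
// $value2 = 10493;
// $sql = build_sql("INSERT INTO table SET field1=?, field2=?",
//                  [$value1, $value2], [$mysqli, 'real_escape_string']);
// // or, without building a query string at all:
// run_prepared($mysqli, "INSERT INTO table SET field1=?, field2=?", [$value1, $value2]);
```

The rewrite of each existing query is then mechanical: replace every interpolated '$var' in the SQL with ? and pass the variables in order as the second argument. The count check in build_sql() catches a query where a placeholder and its value were not moved together, which is the most likely slip when converting hundreds of statements.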