Zoxive wrote:
Escaping strings alone is not enough to prevent SQL injection.
You need to verify that it only contains the characters which you allow.
Ex. usernames: 5-16 characters long, only letters, numbers and underscores.
While the first statement is generally true (I wrote a paper on the subject: "The Unexpected SQL Injection"), it is not true in this context. Escaping strings is not intended only as a security measure; it is provided exactly so you can put any string you like in the data part of an SQL query. Thus the verifications you advise are okay, but not necessary to prevent SQL injection. The escaping does that part.
jimthunderbird wrote:
Your code is concise and elegant, guess it prevents most of the SQL injection attempts.

No, the code is horrible: it uses functions that every PHP programmer should scratch from their heads and never ever use, and it uses a couple of wrong and dangerous misconceptions.
The EscapeQuotes() function is flawed; I've written a long rant about it, which I won't repeat here.
The other abomination is the use of extract(), as it injects into the global namespace any values passed in $_POST. Welcome back register_globals.
In short, this is a horrible way to write code, even if the small piece presented here is not vulnerable.
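As an added illustration of the extract() point above (example code, not the code under discussion in the thread): the $_POST contents are constructed, $is_admin is a hypothetical application flag, and extract() is called at function scope only so the script runs stand-alone; at top level the same call writes into the globals, exactly as with register_globals.

```php
<?php
// Constructed request: the client submits a field the form never asked for.
$_POST = ['username' => 'alice', 'is_admin' => '1'];

// Pattern from the thread: extract() turns every POST key into a variable,
// overwriting anything of the same name (its default mode is EXTR_OVERWRITE).
function handleWithExtract(array $post): bool
{
    $is_admin = false;          // hypothetical flag decided by the application
    extract($post);             // now $username AND $is_admin come from the client
    return (bool) $is_admin;    // true: the client promoted itself
}

// Hardened form: read only the fields the form is expected to carry,
// and check the username against the character set Zoxive describes.
function handleExplicitly(array $post): bool
{
    $is_admin = false;
    $username = (string) ($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{5,16}$/', $username)) {
        return false;           // reject input outside the allowed alphabet
    }
    // 'is_admin' is never read from the request, so it cannot be overridden.
    return $is_admin;           // still false
}

var_dump(handleWithExtract($_POST));  // bool(true)
var_dump(handleExplicitly($_POST));   // bool(false)
```

Even where a whitelist like the username check is in place, it does not protect the variables that extract() silently overwrites; the fix is to stop calling extract() on request data at all.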