You could apply it like this:
Code:
$input = $_POST['input']; // array key must be quoted, otherwise PHP treats it as an undefined constant
if (get_magic_quotes_gpc()) $input = stripslashes($input); // just in case you're on an old server, probably not necessary (but won't hurt either)
if (preg_match('/((select|delete).+from|update.+set|(alter|truncate|drop).+table|<[a-z])/i', $input))
{
    print("Sorry, your input seems invalid so I won't store it.");
}
else
{
    $input = mysql_real_escape_string($input); // escape for the SQL context only
    // now use $input in any SQL query
    print("Sanitized: $input");
}

This is just because you're printing $input as HTML here, which you wouldn't do if you're merely using it inside SQL queries. To output (as HTML) any string that comes from user input directly (e.g. from a form) or indirectly (retrieved from database, e.g. previously stored form input), use htmlspecialchars.
So just for debugging purposes, you could change that last line to:
Code:
print("Sanitized: ".htmlspecialchars($input));
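As an added example (not code from the post above), the two contexts the post separates, SQL storage and HTML output, each handled with its own mechanism: a prepared statement for the query and htmlspecialchars at render time. It assumes an in-memory SQLite database via PDO as a stand-in for MySQL, and the table name `messages` is a placeholder.

```php
<?php
declare(strict_types=1);

// SQL context: a prepared statement keeps the user value out of the query text,
// so no string escaping is needed for the database at all.
function storeMessage(PDO $pdo, string $input): void
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $input]);
}

// HTML context: escape at the point of output, never at the point of storage,
// so the stored value stays the raw text and can be reused in other contexts.
function renderMessage(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample input with characters that matter in each context
// (apostrophe for SQL, angle brackets/ampersand/quotes for HTML).
$input = $_POST['input'] ?? "O'Reilly <b>bold</b> & \"quoted\"";

// Assumption: in-memory SQLite stands in for the MySQL server of the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');

storeMessage($pdo, $input);

// Read back: the apostrophe and tags are stored verbatim, then escaped for HTML only here.
$stored = $pdo->query('SELECT body FROM messages')->fetchColumn();
echo renderMessage($stored), PHP_EOL;
```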