I am testing an external script I wrote. I just discovered that the user can inject code into an UPDATE query through one of the form fields by entering clever values. For example:

UPDATE tablename SET field = '$_POST[var]'

So I need to check that the posted variable is clean. I'm not sure where to start and I want to cover all possibilities. Any hints, tips, advice?

thx

vB3 3.0.0
I don't suppose vB3 has a function for this?

vB3 has the globalize() function. This works too:

foreach ($_REQUEST as $key => $value)
{
$_REQUEST[$key] = htmlspecialchars_uni($value); // htmlspecialchars() for non-vB pages
}

Whoops, that's HTML injection...SQL injection is the same, but use addslashes() instead of htmlspecialchars[_uni]().

Oh that makes sense... to escape bad characters.

Where is addslashes() defined? I can't find it.

addslashes() is a default PHP function :)

http://uk.php.net/addslashes

thx