Andrew Fiebert, Programmer and DBA
The blogfolio of
developer Andrew Fiebert


Protect yourself from SQL Injections in PHP

Friday, November 23rd, 2007

We have all heard the stories: an 18-year-old child prodigy builds an incredible online system only to be bankrupted by some bad apple through various SQL injection attacks. Well, maybe not so dramatic, but still the thought of people being able to gain complete access to your database because of one small oversight is frightening to say the least.

How do SQL injections work? Let me give you an example. Say you have a script that updates a row in your database, and its query looks something like this: SELECT * FROM creditcard_data WHERE mycard='".$_REQUEST['mycardnumber']."'. The goal is to display my information only to me, not to everyone else in the world. If in the text box we submitted the following, 1234' OR '1234'='1234, and didn't escape the quotes in the input, we would end up with the following query: SELECT * FROM creditcard_data WHERE mycard='1234' OR '1234'='1234'. The WHERE clause is true for every row, giving us every single credit card number in the table, and a similar attack works equally well on an INSERT, DELETE or UPDATE query.

Now the question is, how do we prevent this? PHP has two built-in functions, addslashes() and stripslashes(); however, you must add slashes to every incoming variable and strip the slashes off of every outgoing variable. Obnoxious, no? Have no fear, I have two functions which will take care of the "you forgetting" factor as well as the all-important cleaner code factor. At the top of every page, include the following line of code: $_REQUEST = do_slashes($_REQUEST); and apply undo_slashes($value) to the array of output from your database.

Below are my functions, enjoy!

function do_slashes($array)
{
    // Escape every incoming value; recurse so nested request arrays
    // (e.g. checkbox groups) are covered instead of being passed to
    // addslashes() as arrays.
    foreach ($array as $i => $value) {
        $array[$i] = is_array($value) ? do_slashes($value) : addslashes($value);
    }

    return $array;
}

function undo_slashes($value)
{
    // Reverse the escaping on output; accepts a single value or a
    // (possibly nested) array of values. These are plain functions,
    // so the callback is the function name, not array($this, ...).
    $value = is_array($value) ?
        array_map('undo_slashes', $value) :
        stripslashes($value);

    return $value;
}
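As an added example that is not part of the original post: the vulnerable query from above beside a version that uses PDO prepared statements instead of addslashes(). With a placeholder the card number never becomes part of the SQL text, so there is nothing to escape on the way in or strip on the way out. It assumes PHP's PDO extension with the SQLite driver; the table and its two rows are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post. Uses an in-memory
// SQLite database with constructed rows so it runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE creditcard_data (mycard TEXT, owner TEXT)");
$db->exec("INSERT INTO creditcard_data VALUES ('1234', 'alice'), ('5678', 'bob')");

// Vulnerable: the request value is pasted straight into the SQL text,
// exactly as in the post's example.
function lookup_vulnerable(PDO $db, string $mycardnumber): array
{
    $sql = "SELECT * FROM creditcard_data WHERE mycard='" . $mycardnumber . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a named placeholder keeps the value out of the SQL text, so the
// database treats it as data only, whatever characters it contains.
function lookup_prepared(PDO $db, string $mycardnumber): array
{
    $stmt = $db->prepare("SELECT * FROM creditcard_data WHERE mycard = :card");
    $stmt->execute([':card' => $mycardnumber]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "1234' OR '1234'='1234";   // the injection string from the post

// The vulnerable query returns every row; the prepared statement returns
// none, because no card is literally named "1234' OR '1234'='1234".
echo count(lookup_vulnerable($db, $payload)), " rows from the vulnerable query\n";
echo count(lookup_prepared($db, $payload)), " rows from the prepared statement\n";
echo count(lookup_prepared($db, '1234')), " row for the real card number\n";
```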