I don't see how that function is doing anything after the first if statement. Because it's going to return something no matter what and the rest of the code is going to be ignored.

I think I would do this:

function clean($s) {
 if (get_magic_quotes_gpc())
 $s = stripslashes($s);
 return mysql_real_escape_string($s)
}

And you can use this like you said,

clean($_GET['input']);

Also magic_quotes is no substitute for mysql_real_escape_string. As magic_quotes is not multibyte safe, so can easily be bypassed, however mysql_real_escape_string is multibyte safe.

So magic_quotes is a last resort not your first.

Mysql_real_escape_string is the better method; also doesnt lead to having to strip slashes on all of your output.

Also, so long as your array isn`t recursive, you don`t need a foreach loop:

$_POST = array_map [uk2.php.net]('Clean',$_POST);

If its recursive you`ll need a custom function.

dc

Thanks for your advice!
With "return mysql_real_escape_string($s)" I get error:
Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'

I want to clean a variable of a query (no MySQL involved). For example link.php?input=value

What is the variable being used for?

If you just wanna get rid of the: \'

To clean it you just would do stripslashes($_GET['q'])

If you are going to use the function above, you should pass the link variable to it by reference like the following:

function clean($s, &$link) { 
if (get_magic_quotes_gpc()) 
$s = stripslashes($s); 
return mysql_real_escape_string($s, $link) 
}

This should work properly :)

The functions mysql_real_escape_string only works when the database is open, otherwise I get error "Can't connect to local MySQL server through socket ". So how to sanitize input on pages without database? The variable is part of the dynamic URL and is required to build HTML code, depending on value of variable.
Will $string = htmlentities($_GET['string']) be enough?

I got message from my host that my variable was expoited by a spammer.

To receive unexpected strings from $_GET is bad for business.
If you can to collate it against a set of expected strings then could be enough htmlentities or htmlspecialchars.

If you want to save it on db try something like this:

# clean GET!
# ----------
$_SERVER['REQUEST_URI'] = str_replace("'", '', $_SERVER['REQUEST_URI']);

spammers are the worst >:O

The following 2 messages were cut out to new thread by eelixduppy. New thread at: php/3694440.htm [webmasterworld.com]
11:12 am on July 9, 2008 (est -4)

This is my function to clean variable for MySQL query (with explanation for NeilsPHP)

function clean_sql($varia) {
// REMOVE BLANK SPACE
$varia=rtrim($varia);
$varia=ltrim($varia);
// REMOVE HTML TAGS
$varia=strip_tags($varia);
// CHECK IF GET_MAGIC_QUOTE IS ON AND STRIP SLASH ACCORDINGLY
if (get_magic_quotes_gpc()) {$varia = stripslashes($varia);}
// CLEAN SPECIFICALLY FOR MYSQL QUERY
$varia = mysql_escape_string($varia);
return $varia;}

If you variable is not used for Mysql query but it is shown in your HTML webpage, then a simple function with htmlentities would be better

function clean($varia) {
$varia=rtrim($varia);
$varia=ltrim($varia);
// CHANGE SPECIAL CHARACTERS INTO HTML ENTITIES
$varia=htmlentities($varia, ENT_QUOTES);
$varia=str_replace("\n","<br>",$varia);
if (get_magic_quotes_gpc()) {$varia = stripslashes($varia);}
return $varia;}

Note that I work in UTF-8 environment. If you have many issues with special characters, make sure that you are in a free-hassle utf-8 environment (configure default charset in ini, httpd.conf, apache, mysql, etc.).

@NeilsPHP

First, you must be sure that text entered into your form have the correct encoding

<form accept-charset="utf-8" ...

Then, if you know what you variable are (integer, string, email address, etc.), you must always check them before any else. Below, rowstart is obligatory a number and and if it failed, then assign a default value.

if(isset($_GET["rowstart"]) AND $_GET["rowstart"]!="") {$rowstart=$_GET["rowstart"];
if(!numeric($rowstart)) {$rowstart="0";}} else {$rowstart="0";}

Regarding the file upload issues, just read [webmasterworld.com...] . You'll see that it is slightly different because your file variables are store in an array - $_FILES["uploaded_file"]

FromBelgium said

"I want to clean a variable of a query (no MySQL involved). For example link.php?input=value"

This is contradictory - Do you want to clean a value returned by a MySQL query or just clean a GET/POST variable ?

One question here,
mysql_escape_string OR mysql_real_escape_string ?

Also,can I use a function modified(using all relevant commands from above) for BOTH purposes ?

You'd want to use mysql_real_escape_string where you can. This takes into account the charset for the database connection that you are using.