Hi -
I am seeking some guidance on a complicated/annoying issue I am having on a client's website. The client's website contains a fairly extensive, custom-built application that was built relying on magic quotes. Their hosting company is now requiring magic quotes to be disabled, which I happen to think is generally a smart thing to disable.
However, this is a really large application and the original developer clearly failed architecture 101 (redundant code). There are approximately 1200 insert or update statements that take data from a form and most of those have at least 5-10 fields, if not more. Sadly, the client just doesn't have the budget to rebuild it and, shockingly, I don't feel like going through that many SQL statements unless I really have to. Now I need to see if I can find a way (other than going through each SQL statement) to protect those without magic quotes.
I've tried a global for loop on POST and GET variables running stripslashes, a variation on mysql_real_escape_string and character checks. Unfortunately, not everything in a POST or GET is going in the database, so when I test that out there are slashes added that shouldn't be and slashes removed that should have stuck around.
Any of you have an idea on a way to globally protect POST and GET, without magic quotes? Or do I need to get cracking on working through this pile of insert/update statements?
Thanks for any help you can provide!
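
The conflict described in the post, as an added example that is not part of the original post: escaping the whole request up front suits only the SQL sink, while binding the raw value at the query leaves every other use of the input untouched. The request values, the `clients` table, and the in-memory SQLite database (via PDO, standing in for the site's MySQL) are assumptions made for illustration.

```php
<?php
// Constructed sample request: 'name' is stored in the database,
// 'search' is only echoed back into the page.
$post = ['name' => "O'Brien", 'search' => "rock 'n' roll"];

// Blanket escaping of the whole request, the way magic_quotes_gpc worked
// (it applied addslashes() to every GET/POST/COOKIE value).
function escape_all(array $input): array
{
    return array_map(
        fn($v) => is_array($v) ? escape_all($v) : addslashes($v),
        $input
    );
}

$escaped = escape_all($post);

// Sink 1: legacy concatenated SQL. This is the only place the
// added backslash is wanted.
$sql = "INSERT INTO clients (name) VALUES ('" . $escaped['name'] . "')";
echo $sql, "\n";

// Sink 2: HTML output. The same blanket escaping leaves stray
// backslashes in a value that never goes near the database.
echo htmlspecialchars($escaped['search'], ENT_QUOTES), "\n";

// Escaping at the sink instead: the raw value is bound as a parameter,
// so nothing has to be added to or stripped from the request globally.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (name TEXT)');

$stmt = $db->prepare('INSERT INTO clients (name) VALUES (?)');
$stmt->execute([$post['name']]);

// The stored value round-trips unchanged, and the raw 'search' value
// is still clean for HTML output.
$stored = $db->query('SELECT name FROM clients')->fetchColumn();
var_dump($stored === $post['name']);
echo htmlspecialchars($post['search'], ENT_QUOTES), "\n";
```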