Is there a way, in as little code as possible, to filter a string for both SQL injection and the most common forms of attack?
In my scripts I'm using the following, I would like to know whether it's reasonably safe and whether someone else has a suggestion:
$cleanName = htmlspecialchars(addslashes($dirtyName));
See how I filtered it both for HTML chars and for quotes and double-quotes.
NOTE: I'm using addslashes() rather than mysql_real_escape_string() because I don't want to hardcode the DB I'm using into my code.
Is this ok?
Thanks in advance
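As an added example that is not part of the original post, the following PHP shows the two contexts the question mixes handled separately: SQL through PDO bound parameters (which are database-agnostic, so the DB is still not hardcoded) and HTML through htmlspecialchars() at output time. It assumes a constructed `users` table in an in-memory SQLite database; the function names are hypothetical.

```php
<?php
// Added example, not code from the original post.
// SQL context: bound parameters instead of addslashes(). The value is sent to
// the driver as data and never spliced into the query text, so quotes,
// backslashes or comment sequences in the input cannot alter the statement.
function insertUser(PDO $pdo, string $dirtyName): int {
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $dirtyName]);
    return (int) $pdo->lastInsertId();
}

function findUser(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// HTML context: escape when rendering, not before storing. ENT_QUOTES covers
// both ' and ", and the charset argument must match the page encoding.
function renderName(string $storedName): string {
    return '<span class="user">'
        . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8')
        . '</span>';
}

// Self-contained demo using a constructed schema in an in-memory SQLite DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

// Constructed sample input containing a quote and HTML markup.
$dirtyName = "O'Brien <script>alert(1)</script>";
$id = insertUser($pdo, $dirtyName);

// Stored exactly as entered: no backslashes added, no entities baked in,
// so the same value can later be rendered safely in HTML, JSON or plain text.
$stored = findUser($pdo, $id);
if ($stored !== $dirtyName) {
    throw new RuntimeException('stored value was altered');
}

// Escaped only at the point of output.
echo renderName($stored), PHP_EOL;
```

Escaping once per output context (here HTML) replaces the combined htmlspecialchars(addslashes()) call, which would otherwise store backslashed, entity-encoded text in the database and still leave multibyte-charset edge cases that addslashes() does not handle.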