Possible Duplicate:
How to prevent SQL injection?
This is my attempt at cleaning up what I will be putting into my database:
$pictureID = $_REQUEST['pictureID'];
$userID = $_REQUEST['userID'];
$username = $_REQUEST['username'];
// Sanitize // Protect against injection
$username = filter_var($username, FILTER_SANITIZE_EMAIL);
$userID = filter_var($userID, FILTER_SANITIZE_STRING);
$pictureID = filter_var($pictureID, FILTER_SANITIZE_STRING);
$username = stripslashes($username);
$username = mysql_real_escape_string($username);
$userID = stripslashes($userID);
$userID = mysql_real_escape_string($userID);
$pictureID = stripslashes($pictureID);
$pictureID = mysql_real_escape_string($pictureID);
I have two questions. Is the above enough?
Also, if I do echo $pictureID, nothing appears; however, if I remove the $pictureID = mysql_real_escape_string($pictureID); then echo $pictureID works.
Is this the correct behavior?
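
Added example, not part of the original question: the same three request fields handled with validation plus PDO bound parameters instead of layered sanitizing and escaping. The `picture_owner` table, the `savePicture` helper, the in-memory SQLite database and the assumption that both IDs are positive integers are illustrative, not taken from the post.

```php
<?php
// Added example; table name, columns and sample values are constructed.
declare(strict_types=1);

// In-memory SQLite keeps the example offline. With pdo_mysql, change the DSN
// and also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE picture_owner (picture_id INTEGER, user_id INTEGER, username TEXT)');

/**
 * Validate the three request fields and store them with bound parameters.
 * Returns true on insert, false when validation rejects the input.
 */
function savePicture(PDO $pdo, array $request): bool
{
    // Assumption: both IDs are positive integers. Validate (reject bad input)
    // rather than sanitize (silently rewrite it).
    $opts = ['options' => ['min_range' => 1]];
    $pictureID = filter_var($request['pictureID'] ?? null, FILTER_VALIDATE_INT, $opts);
    $userID    = filter_var($request['userID'] ?? null, FILTER_VALIDATE_INT, $opts);
    $username  = $request['username'] ?? null;

    if ($pictureID === false || $userID === false
        || !is_string($username) || $username === '' || strlen($username) > 254) {
        return false;
    }

    // Placeholders keep data separate from the SQL text, so no escaping step
    // (stripslashes, *_real_escape_string) is needed for the query.
    $stmt = $pdo->prepare(
        'INSERT INTO picture_owner (picture_id, user_id, username) VALUES (:pid, :uid, :name)'
    );
    $stmt->bindValue(':pid', $pictureID, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userID, PDO::PARAM_INT);
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed inputs standing in for $_REQUEST: one valid, one with a non-integer ID.
var_dump(savePicture($pdo, ['pictureID' => '42', 'userID' => '7', 'username' => "o'brien@example.com"]));
var_dump(savePicture($pdo, ['pictureID' => '42 OR 1=1', 'userID' => '7', 'username' => 'bob@example.com']));

// The quote in the stored username comes back as literal data.
var_dump($pdo->query('SELECT username FROM picture_owner')->fetchColumn());
```

Values bound this way are safe for the query only; output written back into HTML still needs context-appropriate encoding such as `htmlspecialchars()`.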