Many days ago, my friend read this question: How can I prevent SQL injection in PHP?. And, I know that there are many good answers to solve this problem.
I have a friend, who is working with PHP better than me. Yesterday, he said to me: "There are many good answers, in here. But, can you write other code for solving this problem?".
He still uses PHP 4; so, he does not like to use any mysqli_ function, not me.
So, I have created a simple function, in PHP:
<?php
function MyFun($MyVar)
{
    if (!get_magic_quotes_gpc()) {
        $MyVar = addslashes($MyVar);
    }
    $MyVar = strip_tags($MyVar);
    $MyVar = htmlentities($MyVar);
    return trim($MyVar);
}
?>
I used my function in every $_POST[] or $_GET[], for instance:
$Var1 = MyFun($_POST['Txt1']);
$Var2 = MyFun($_GET['Txt2']);
My friend said that: "It can not prevent any SQL injection.". I do not think so.
Can you tell me: "Is it safe to prevent SQL injection, with this function?".
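
An added example, not part of the original post: it runs a copy of the question's filter over a constructed value and compares concatenating the result into a query with binding the raw value as a parameter. The name MyFunCopy, the users table, the sample input and the use of PDO with an in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Copy of the filter from the question (hypothetical name MyFunCopy).
function MyFunCopy($v)
{
    // get_magic_quotes_gpc() was removed in PHP 8; the guard lets this run on current PHP.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $v = addslashes($v);
    }
    return trim(htmlentities(strip_tags($v)));
}

// Constructed sample data; assumes the pdo_sqlite extension is available.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Constructed request value for a numeric parameter. It contains no quote,
// backslash, HTML tag or special character, so every step of the filter
// leaves it untouched.
$input    = '1 OR 1=1';
$filtered = MyFunCopy($input);
echo "filter changed the value: ", var_export($filtered !== $input, true), "\n";

// 1) Filtered value concatenated into an unquoted (numeric) position.
//    The text after "id =" is parsed as SQL, so the condition is rewritten.
$sql  = "SELECT name FROM users WHERE id = $filtered";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated query:   ", count($rows), " row(s) returned\n";

// 2) Raw value bound as a parameter. The statement text is fixed before the
//    value is supplied, so the value is only ever compared as data.
$stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
$stmt->execute(array($input));
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "parameterized query:  ", count($rows), " row(s) returned\n";

// 3) Where bound parameters are not available, a numeric input can be
//    forced to an integer before it reaches the query string.
$id   = (int) $input;
$rows = $db->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
echo "integer-cast query:   ", count($rows), " row(s) returned\n";
```

Comparing the three row counts shows that the filter only helps where the value sits inside a quoted string literal, while binding or casting does not depend on the input's characters.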