Possible Duplicate: How to prevent SQL injection?
This is my attempt at cleaning up what I will be putting into my database:

```php
$pictureID = $_REQUEST['pictureID'];
$userID = $_REQUEST['userID'];
$username = $_REQUEST['username'];

// Sanitize / protect against injection
$username = filter_var($username, FILTER_SANITIZE_EMAIL);
$userID = filter_var($userID, FILTER_SANITIZE_STRING);
$pictureID = filter_var($pictureID, FILTER_SANITIZE_STRING);

$username = stripslashes($username);
$username = mysql_real_escape_string($username);
$userID = stripslashes($userID);
$userID = mysql_real_escape_string($userID);
$pictureID = stripslashes($pictureID);
$pictureID = mysql_real_escape_string($pictureID);
```
I have two questions. First, is the above enough?

Second, if I do `echo $pictureID;` nothing appears; however, if I remove the line `$pictureID = mysql_real_escape_string($pictureID);`, then `echo $pictureID;` works. Is this the correct behavior?
Wow... You really do not need that much.

Try using PDO or mysqli with a prepared query, then all of that nonsense should not be needed.

See this canned comment for advice:

> Please, don't use `mysql_*` functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
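What the prepared-query advice above looks like applied to the asker's three fields, as an added example that is not part of this answer. It assumes a table `pictures` with columns `picture_id`, `user_id` and `username`, and the connection details shown; the ID fields are validated as integers and everything is passed as bound parameters, so none of the `stripslashes` / `mysql_real_escape_string` calls from the question are needed.

```php
<?php
// Added example, not from the original answer. Assumed schema:
//   pictures(picture_id INT, user_id INT, username VARCHAR(255))
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',  // assumed DSN
    'app_user',                                         // assumed credentials
    'secret',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Validate the *type* of each input at the boundary. This replaces the
// FILTER_SANITIZE_* calls: IDs must be integers, the name is just a string.
$pictureID = filter_input(INPUT_POST, 'pictureID', FILTER_VALIDATE_INT);
$userID    = filter_input(INPUT_POST, 'userID',    FILTER_VALIDATE_INT);
$username  = filter_input(INPUT_POST, 'username');

if ($pictureID === false || $pictureID === null
    || $userID === false || $userID === null
    || $username === null || $username === '') {
    http_response_code(400);
    exit('invalid input');
}

// The SQL text contains only placeholders; the values are sent separately,
// so no input can change the structure of the statement. No escaping is
// done by the application at all (which also avoids the asker's empty echo:
// mysql_real_escape_string() returns false when there is no open connection).
$stmt = $pdo->prepare(
    'INSERT INTO pictures (picture_id, user_id, username)
     VALUES (:pid, :uid, :name)'
);
$stmt->bindValue(':pid',  $pictureID, PDO::PARAM_INT);
$stmt->bindValue(':uid',  $userID,    PDO::PARAM_INT);
$stmt->bindValue(':name', $username,  PDO::PARAM_STR);
$stmt->execute();

echo 'inserted ', $stmt->rowCount(), " row(s)\n";
```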
To protect against SQL injection, the only required call is this:

```php
$pictureID = mysql_real_escape_string($pictureID);
```

This method call effectively escapes all special characters which could potentially change the intended operation of your query.

As @NullPointer pointed out, using PHP's PDO would be a good alternative, since `mysql_*` is deprecated as of PHP 5.5+. Nevertheless, I don't think it will get completely removed from PHP very soon.