Let’s start with something fairly simple, shall we?
I’ve seen way too many programmers escaping all $_POST and $_GET variables like this:
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);
I suggest you simply use something like this from now on:
$post = array();
$get = array();
foreach ($_POST as $key => $value) {
    $post[$key] = escape_string($value);
}
foreach ($_GET as $key => $value) {
    $get[$key] = escape_string($value);
}

/**
 * Escape the given variable so it can be placed inside a quoted string
 * literal in an SQL query. Nested arrays (e.g. inputs named "tags[]") are
 * escaped recursively instead of being passed to mysql_real_escape_string(),
 * which only accepts strings. Call this after mysql_connect(): the escaper
 * needs the open connection to know the connection character set.
 * @param mixed $value
 * @return mixed escaped value (same shape as the input)
 */
function escape_string($value) {
    if (is_array($value)) {
        return array_map('escape_string', $value);
    }
    if (get_magic_quotes_gpc()) {
        // undo the slashes magic quotes already added, so we don't double-escape
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
This way you can use $post instead of $_POST and $get instead of $_GET whenever you need escaped values, and the original, unescaped values are still available in $_POST and $_GET. Pretty neat, huh? 🙂

Two caveats before you adopt it. First, mysql_real_escape_string() only makes a value safe inside a quoted string literal ('...'). In an unquoted context such as WHERE id = $post['id'], an input like 1 OR 1=1 contains nothing to escape and goes into the query unchanged, so values used as numbers need validation (an (int) cast, or filter_var() with FILTER_VALIDATE_INT), not escaping. Second, this is PHP 5 era code: magic quotes were removed in PHP 5.4 and the mysql_* functions in PHP 7.0. On current PHP the replacement is not a different escaper but parameter binding with PDO or mysqli prepared statements, which keeps the data out of the SQL text entirely and makes pre-escaping every input unnecessary.
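The following is an added example, not code from the original post. It shows the unquoted-context failure described above, with the escaped value still causing injection, next to the prepared-statement form that replaces escaping. It assumes the pdo_sqlite extension and uses an in-memory SQLite database instead of MySQL so it runs offline; the users table, its rows and the hostile inputs are constructed test data, and escape_like_mysql() is a stand-in that mirrors the characters mysql_real_escape_string() escapes.

```php
<?php
// Added example: escaping vs. prepared statements for SQL injection.
// Assumes pdo_sqlite; SQLite stands in for MySQL so this runs without a server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed test data
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.com'),
                                    (2, 'bob',   'bob@example.com')");

// Stand-in for mysql_real_escape_string(): backslash-escapes the same set of
// characters (NUL, \n, \r, \, ', ", \x1a). It is only meaningful when the
// result is placed between quotes in the query.
function escape_like_mysql($value) {
    return strtr((string) $value, array(
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ));
}

// The pattern from the post, applied in a numeric (unquoted) context.
// Nothing in "1 OR 1=1" gets escaped, so the condition is injected as-is.
function find_by_id_escaped(PDO $db, $id) {
    $sql = 'SELECT id, name FROM users WHERE id = ' . escape_like_mysql($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate that the value really is an integer, then bind it.
// The parameter never becomes part of the SQL text.
function find_by_id_prepared(PDO $db, $id) {
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String context with a bound parameter: no escaping needed, the quote in
// the input is data, not syntax.
function find_by_name_prepared(PDO $db, $name) {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile inputs
$numericAttack = '1 OR 1=1';
$stringAttack  = "' OR '1'='1";

// Escaped but unquoted: the whole table comes back.
$leaked = find_by_id_escaped($db, $numericAttack);
echo 'escaped, unquoted context: ' . count($leaked) . " row(s)\n";

// Validated + bound: the attack is rejected before any SQL runs.
try {
    find_by_id_prepared($db, $numericAttack);
} catch (InvalidArgumentException $e) {
    echo 'prepared + validated: rejected (' . $e->getMessage() . ")\n";
}

// Legitimate lookups still work.
echo 'prepared, id=2: ' . json_encode(find_by_id_prepared($db, '2')) . "\n";
echo 'prepared, hostile name: ' . count(find_by_name_prepared($db, $stringAttack)) . " row(s)\n";
echo 'prepared, name=alice: ' . json_encode(find_by_name_prepared($db, 'alice')) . "\n";
```

find_by_id_escaped() leaks every row for the numeric attack because the escaper has nothing to act on, while find_by_id_prepared() refuses it at the validation step and find_by_name_prepared() treats the quoted attack as an ordinary (non-matching) name. One engine difference worth knowing: if you drop the filter_var() check and bind "1 OR 1=1" as a string, SQLite compares it as text and returns nothing, whereas MySQL would coerce the string to the integer 1 and return alice's row, which is why the explicit integer validation belongs in the hardened version regardless of the database behind it.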