There's no way for us to tell if that solves the issue, because we don't see how you the application code is using the $_GET
, $_POST
and $_REQUEST
variables. It might actually break other uses of the request variables to force them all to have escaping.
- You might use them as unquoted numeric values in SQL, instead of as quoted string or date literals. Escaping doesn't help unless you're quoting the values in SQL.
- You might use them as column names, SQL keywords, etc. Escaping is only for strings and dates, it doesn't escape the back-tick.
- You might not use them in SQL at all. You might use them for some other function argument, or in a
case
statement or as an associative array key, etc.
Basically, you're trying to do the same thing that magic quotes used to do, but magic quotes was deprecated because it's a bad idea to have a one-size-fits-all solution for security. It's just based on too many assumptions that turn out not to be true.
The proper solution (if you must stick with ext/mysql for now) is to apply filtering or escaping to request variables as you use them in SQL.
Of course it's best to upgrade to ext/mysqli or PDO, and use query parameters. But I realize this is a lot more work to adapt a large codebase to a new API, and you're looking for what you can do short-term.
You might also look at mod_security, which can help you filter out suspicious patterns of request variables without changing any PHP code at all. But it's also a lot of work to design mod_security rules that will work for your app without blocking legitimate requests.