What you are doing here is potentially altering valid user information coming into MySQL. For example, if someone legitimately enters in -- or ; into some string that is going to be put into MySQL, some comment or such, then what is put in, and then put out if you display it, won't be the same.

You should in pretty much all cases be safe with just using the mysql_real_escape_string, which takes care of the - for you as well.

Adam.

On Sun, Aug 16, 2009 at 11:42 AM, Dotan Cohen<dotancohen@xxxxxxxxx> wrote:
> I am sanitizing user-entered data before storing in mysql with this function:
>
> function clean_mysql ($dirty) {
>     $dirty=trim($dirty);
>     $dirty=str_replace ("--", "", $dirty);
>     $dirty=str_replace (";", "", $dirty);
>     $clean=mysql_real_escape_string($dirty);
>     return $clean;
> }
>
> Is this good enough to prevent SQL injection attacks? Should I add
> anything else? Thanks!
>
> Dotan Cohen
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--
Adam Randall
http://www.xaren.net
AIM: blitz574
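An added example, not code from Adam's reply or Dotan's post, that shows the two points of the thread side by side: stripping "--" and ";" silently mangles legitimate input, while a parameterised query stores the same input verbatim and still cannot be broken out of. It uses PDO with an in-memory SQLite database so it runs offline (an assumption; against MySQL only the DSN and credentials change, and those are placeholders). The functions `lossy_clean`, `store_comment` and `fetch_bodies` and the sample comment strings are constructed for this illustration.

```php
<?php
// Added example (not from the mailing-list thread).
// Assumption: an in-memory SQLite database via PDO, so the script runs
// without a MySQL server. For MySQL the DSN would be something like
// 'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER' with credentials.

// Dotan's stripping step on its own. mysql_real_escape_string() is left out
// because it needs a live MySQL connection and no longer exists in PHP 7+.
function lossy_clean(string $dirty): string {
    $dirty = trim($dirty);
    $dirty = str_replace("--", "", $dirty);
    $dirty = str_replace(";", "", $dirty);
    return $dirty;
}

// Parameterised insert: the driver keeps data and SQL text separate, so no
// character in $body can change the statement, and nothing needs stripping.
function store_comment(PDO $db, string $author, string $body): void {
    $stmt = $db->prepare("INSERT INTO comments (author, body) VALUES (:author, :body)");
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Parameterised select, returning the stored bodies for one author.
function fetch_bodies(PDO $db, string $author): array {
    $stmt = $db->prepare("SELECT body FROM comments WHERE author = :author");
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)");

// Constructed sample input: a perfectly legitimate comment that happens to
// contain a single quote, a semicolon and a double dash.
$legit = "O'Reilly's book says: end statements with ; -- and comment with --";

echo "original : $legit\n";
echo "stripped : " . lossy_clean($legit) . "\n";   // the ';' and both '--' are gone

store_comment($db, 'dotan', $legit);

// The bound version comes back exactly as entered; the table is intact.
foreach (fetch_bodies($db, 'dotan') as $body) {
    echo "stored   : $body\n";
    echo "round-trip intact: " . ($body === $legit ? "yes" : "no") . "\n";
}
$tables = $db->query("SELECT name FROM sqlite_master WHERE type = 'table'")->fetchAll(PDO::FETCH_COLUMN);
echo "tables   : " . implode(', ', $tables) . "\n";
```

Run it with `php example.php`: the stripped line loses the semicolon and both dashes, while the stored line matches the original byte for byte. The same `prepare`/`execute` pattern works unchanged with the MySQL PDO driver or with `mysqli_stmt`, which is the escaping-free route Adam's point leads to.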