I've been reading about SQL injection attacks and how to avoid them, although I can never seem to make the "awful" examples given work, e.g. see this post
This is still a big problem. You can't assume that magic_quotes is turned on in every PHP installation you might use.
To see if magic quotes is turned on and clear out the mess from magic quotes:
if ( get_magic_quotes_gpc() !== 0 ) { $foo = stripslashes( $foo ); }
Then cleaning your statements a little:
$foo = mysql_real_escape_string( $foo );
$sql = "select * from foo where bar='{$foo}'";
etc.
In fact, you're better off just strictly turning off magic_quotes if you have the ability to do so.
I hope that helps you.
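The approach from the answer above, written out as an added example (not code from the original post): the vulnerable interpolated query next to the escaped form, plus a prepared-statement version, which goes beyond the post but is what a practitioner would reach for today. It assumes a live mysql_connect() link (mysql_real_escape_string() needs one for the connection's character set) and a PDO handle; the credentials are placeholders.

```php
<?php
// Added example, not part of the original post.
// Returns raw user input with any magic_quotes backslashes removed.
function raw_input($value) {
    // get_magic_quotes_gpc() is gone from modern PHP; guard so this still runs.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Vulnerable: the input is dropped straight into the SQL string,
// so a quote character in the input ends the literal and the rest is parsed as SQL.
function vulnerable_query($bar) {
    return "select * from foo where bar='{$bar}'";
}

// Hardened as in the answer: strip magic quotes, then escape exactly once
// using the link so the escaping matches the connection's character set.
function escaped_query($link, $bar) {
    $bar = mysql_real_escape_string(raw_input($bar), $link);
    return "select * from foo where bar='{$bar}'";
}

// Preferred today (beyond the post): a prepared statement sends the value
// separately from the query text, so no escaping step can be forgotten.
function prepared_query(PDO $pdo, $bar) {
    $stmt = $pdo->prepare('select * from foo where bar = :bar');
    $stmt->execute(array(':bar' => raw_input($bar)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a value containing a single quote, the character
// that breaks the vulnerable version.
$input = "O'Reilly";

echo vulnerable_query($input), "\n";           // quote terminates the literal early

$link = mysql_connect('localhost', 'user', 'pass');   // placeholder credentials
echo escaped_query($link, $input), "\n";       // quote is backslash-escaped

$pdo = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass'); // placeholders
var_dump(prepared_query($pdo, $input));
```

Run the escaped and prepared versions against the same input and compare the SQL that reaches the server: only the prepared statement keeps the value out of the query text entirely.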