Taken from the PHP documentation, this works as-is for PHP >= 4.3 to keep evildoers from injecting SQL into your database queries. Remember, evildoers can work around any client-side JavaScript validation, so the escaping has to happen on the server!
If you are using the MODx DBAPI, remove the part that adds the single quotes around non-numeric values, since MODx adds the single quotes itself.
    function quote_smart($value)
    {
        // Undo magic_quotes_gpc first so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Escape and quote if not numeric - remove or comment out if using MODx DBAPI
        // (mysql_real_escape_string needs an open MySQL connection to know the charset)
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        // if using MODx DBAPI, comment out the block above and uncomment this
        // $value = mysql_real_escape_string($value);
        return $value;
    }
Filter all of your incoming data through this before it goes anywhere near a query:
    $val1 = quote_smart($_POST['value1']);
    $val2 = quote_smart($_POST['value2']);
    $query = "INSERT INTO $dbase.$table (`field1`, `field2`) VALUES ($val1, $val2)";
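As an added example (not part of the original post or the PHP manual), here is the same quote-if-not-numeric pattern on PDO, run against an in-memory SQLite database so it works offline, next to the prepared-statement form that keeps user input out of the SQL text entirely. It assumes PHP 5.1+ with the pdo_sqlite extension; the table name and the inputs standing in for $_POST are constructed.

```php
<?php
// Added example, not the original post's code: quote_smart re-implemented on
// PDO so it runs offline. PDO::quote() escapes for the connected driver, so
// there is no magic_quotes step to undo and no separate connection charset.
function quote_smart_pdo(PDO $pdo, $value)
{
    // Numeric values stay bare, like the original; everything else is quoted.
    if (is_numeric($value)) {
        return $value;
    }
    return $pdo->quote((string) $value);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (field1 TEXT, field2 INTEGER)'); // constructed table

// Constructed inputs standing in for $_POST['value1']: a name containing a
// quote, a quote-breakout attempt, and a plain integer.
$inputs = array(
    "O'Reilly",
    "x'); DROP TABLE items; --",
    "42",
);

// 1) Escape-and-quote, the original post's approach, on PDO
foreach ($inputs as $raw) {
    $val1 = quote_smart_pdo($pdo, $raw);
    $val2 = quote_smart_pdo($pdo, '7');
    $pdo->exec("INSERT INTO items (field1, field2) VALUES ($val1, $val2)");
}

// 2) Prepared statement: values are bound, never interpolated into the SQL
$stmt = $pdo->prepare('INSERT INTO items (field1, field2) VALUES (?, ?)');
foreach ($inputs as $raw) {
    $stmt->execute(array($raw, 7));
}

// Both paths stored the breakout string as plain data: the table still exists
// and holds 2 * count($inputs) rows, with the quote characters intact.
$count  = (int) $pdo->query('SELECT COUNT(*) FROM items')->fetchColumn();
$stored = $pdo->query('SELECT DISTINCT field1 FROM items ORDER BY field1')
              ->fetchAll(PDO::FETCH_COLUMN);
printf("rows=%d, distinct field1 values=%d\n", $count, count($stored));
print_r($stored);
```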