[eluser]Rick Jolly[/eluser]
[quote author="jplanet" date="1251516767"]
It took me less than a minute to get the job done, as opposed to the many hours it would take to re-write the queries as so many have suggested...and, oddly, keep suggesting, despite my pleas that it wouldn't work for this situation ;-).[/quote]
Your function as it is doesn't save you any time. These are the same:
Code:
$escaped = postsafe($index);
$escaped = mysql_real_escape_string($_POST[$index]);
Keep in mind that xss_clean won't protect you against sql injection so you might want to separate that out and also allow for automatically sql-escaping an entire array. You might also pass in the array instead of acting directly on $_POST to be more flexible.
The trouble with this approach is your sql is going to remain messy, and more importantly, you might miss the odd sql input leaving yourself vulnerable. If you're maintaining this, you're better to do it right in the first place.
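An added example (not Rick Jolly's or jplanet's code, and not from CodeIgniter) showing the two points above side by side: an escaper that takes an array argument instead of reading $_POST itself and escapes every string in it, and the "do it right in the first place" version where the values are bound as parameters so there is no escaping step to miss. The function name escape_array, the $escaper stand-in and the in-memory sqlite table are all assumptions made for the demo; a real deployment would pass a driver escaper bound to a live connection.

```php
<?php
// Added example, not code from the original thread. escape_array(), the
// $escaper closure and the sqlite-backed PDO demo are constructed here.

/**
 * Escape every string value in an array (recursively) with a supplied
 * escaping callback. Taking the array as an argument instead of reading
 * $_POST directly makes the helper reusable for GET, cookies or any other
 * input. Keeping this separate from xss_clean matters because "safe for
 * SQL" and "safe for HTML" are different encodings for different sinks.
 */
function escape_array(array $input, callable $escaper): array
{
    $out = [];
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            $out[$key] = escape_array($value, $escaper);   // nested arrays
        } elseif (is_string($value)) {
            $out[$key] = $escaper($value);
        } else {
            $out[$key] = $value;   // ints, bools, null: nothing to escape
        }
    }
    return $out;
}

// Constructed sample input standing in for $_POST.
$post = [
    'name'  => "O'Brien",
    'tags'  => ["it's", 'plain'],
    'count' => 3,
];

// In production this would wrap the driver's escaper bound to a connection,
// e.g. function ($s) use ($link) { return mysqli_real_escape_string($link, $s); }
// The stand-in below only escapes backslashes and single quotes so the
// script runs without a database; it is NOT a complete escaper.
$escaper = function (string $s): string {
    return str_replace(["\\", "'"], ["\\\\", "\\'"], $s);
};

$escaped = escape_array($post, $escaper);
var_dump($escaped['name'], $escaped['tags'][0], $escaped['count']);

// The alternative Rick is recommending: bound parameters. The raw value
// never becomes part of the SQL text, so quotes in it are just data.
// sqlite in memory is used only so the demo runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $post['name']]);   // unescaped value, by design

$select = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$select->execute([':name' => "O'Brien"]);       // the quote is matched literally
var_dump((int) $select->fetchColumn());
```

In CodeIgniter the same binding is available through the database class's query bindings, e.g. `$this->db->query("SELECT * FROM users WHERE name = ?", array($name))`, which escapes each bound value for you; that is the form that removes the "odd sql input" risk rather than a wrapper around mysql_real_escape_string.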