Exactly, just as he says.
the_web_saint, I have this script to prevent injection:
PHP code:
<?php
// Prevent SQL injection: strip single and double quotes from every value received via URL
foreach ($_GET as $variable => $valor) {
    $_GET[$variable] = str_replace("'", "", $_GET[$variable]);
    $_GET[$variable] = str_replace("\"", "", $_GET[$variable]);
}
// Same for form values, and additionally convert accented vowels and ñ/Ñ to HTML entities.
// (The replacement strings were rendered as the plain characters when this post was
// extracted, so the named entities below are a reconstruction, i.e. an assumption.)
foreach ($_POST as $variable => $valor) {
    $_POST[$variable] = str_replace("'", "", $_POST[$variable]);
    $_POST[$variable] = str_replace("\"", "", $_POST[$variable]);
    $_POST[$variable] = str_replace("á", "&aacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("é", "&eacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("í", "&iacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("ó", "&oacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("ú", "&uacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("Á", "&Aacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("É", "&Eacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("Í", "&Iacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("Ó", "&Oacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("Ú", "&Uacute;", $_POST[$variable]);
    $_POST[$variable] = str_replace("ñ", "&ntilde;", $_POST[$variable]);
    $_POST[$variable] = str_replace("Ñ", "&Ntilde;", $_POST[$variable]);
}
?>
Besides that, it solves the problem of accented letters and Ñ/ñ for us; there you can change data, or you could even add a script with regular expressions to remove the data and characters you don't need.
Regards.
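As an added example (not code from the original post or from the_web_saint), the following script exercises a quote-stripping filter like the one above against an in-memory SQLite database through PDO, so it runs offline. The table name, the sample rows and the request value are constructed for the example, and it assumes PHP with the pdo_sqlite extension. It shows the filtered value being interpolated into a numeric comparison next to the same lookup done with a bound parameter.

```php
<?php
// Added example, not from the original post. Assumes PHP with the pdo_sqlite extension.

// Same idea as the posted filter: delete single and double quotes from every value.
function stripQuotes(array $input): array
{
    foreach ($input as $name => $value) {
        $input[$name] = str_replace(["'", "\""], "", $value);
    }
    return $input;
}

// Constructed in-memory database with two sample rows.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nombre TEXT, email TEXT)");
    $db->exec("INSERT INTO usuarios (nombre, email) VALUES "
            . "('ana', 'ana@example.org'), ('luis', 'luis@example.org')");
    return $db;
}

// Vulnerable: the (already filtered) value is concatenated into an unquoted numeric
// comparison, so anything without quotes still becomes part of the SQL text.
function findByIdConcat(PDO $db, string $id): array
{
    $sql = "SELECT nombre FROM usuarios WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value travels as a bound parameter and is compared as data, never parsed as SQL.
function findByIdPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT nombre FROM usuarios WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// Constructed request value: it contains no quotes, so stripQuotes() leaves it untouched.
$get = stripQuotes(['id' => '1 OR 1=1']);

echo "Filtered value: {$get['id']}\n";
echo "Concatenated query: ";
print_r(findByIdConcat($db, $get['id']));
echo "Prepared statement, same value: ";
print_r(findByIdPrepared($db, $get['id']));
echo "Prepared statement, legitimate id '1': ";
print_r(findByIdPrepared($db, '1'));
```

Run it with the php CLI. The concatenated query executes `WHERE id = 1 OR 1=1` and returns both rows, while the prepared statement compares the id column against the literal string `1 OR 1=1`, which matches nothing; only the legitimate id `1` returns `ana`.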