InventoryValuation.php
07-03-2013, 10:30 AM,
#6
RE: InventoryValuation.php
DB_escape_string()

But pretty sure that all $_POST variables get DB_escape_string'ed inside session.inc at the start of the script so injection nonsense is avoided.

Code:
    /* escape every scalar $_POST value, and every element of an array value,
       writing the escaped result back into $_POST */
    foreach ($_POST as $PostVariableName => $PostVariableValue) {
        if (gettype($PostVariableValue) != 'array') {
            if (get_magic_quotes_gpc()) {
                /* magic quotes (PHP < 5.4) already added backslashes; strip them
                   from this value so it is not escaped twice */
                $PostVariableValue = stripslashes($PostVariableValue);
            }
            $_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
        } else {
            foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) {
                if (get_magic_quotes_gpc()) {
                    $PostArrayValue = stripslashes($PostArrayValue);
                }
                $PostVariableValue[$PostArrayKey] = DB_escape_string($PostArrayValue);
            }
            /* the inner loop worked on a copy; store the escaped array */
            $_POST[$PostVariableName] = $PostVariableValue;
        }
    }

    /* iterate through all scalar elements of the $_GET array and DB_escape_string them
       to limit the possibility of SQL injection attacks. Note: array-valued $_GET
       entries are left untouched here, and escaping for the database does not
       neutralise HTML, so output still needs htmlspecialchars() against cross-site scripting
    */
    foreach ($_GET as $GetKey => $GetValue) {
        if (gettype($GetValue) != 'array') {
            $_GET[$GetKey] = DB_escape_string($GetValue);
        }
    }

Perhaps this code is munting your category name - what is the character that is causing the trouble? Perhaps we need to trap it for future.
Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
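The post above relies on escaping every $_POST and $_GET value once at the start of the script. The following is an added example, not webERP code and not Phil's, that shows the two things a reviewer would check about that approach: an escaped value used unquoted in a numeric context is still injectable, and a value escaped at request time and again when the query is built ends up with stray backslashes in the database (one plausible way a category name gets mangled). It also shows the parameterised alternative. Assumptions: blanket_escape() is a stand-in for DB_escape_string() built on addslashes(), which treats quotes and backslashes the same way mysqli_real_escape_string() does for this input; an in-memory SQLite database replaces MySQL so the script runs without a server; the stockcategory table, its rows and the request values are constructed test data.

```php
<?php
// Added example (not part of webERP). Demonstrates the limits of escaping
// request values once up front, and the prepared-statement alternative.
declare(strict_types=1);

/** Stand-in for webERP's DB_escape_string(): escapes quotes and backslashes only. */
function blanket_escape(string $value): string
{
    return addslashes($value);
}

/** Constructed test database standing in for MySQL. */
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE stockcategory (categoryid INTEGER PRIMARY KEY, categorydescription TEXT)');
    $db->exec("INSERT INTO stockcategory VALUES (1, 'Raw Materials'), (2, 'Finished Goods'), (3, 'Spares')");
    return $db;
}

/**
 * Vulnerable: the value was escaped at request time, but it is interpolated
 * unquoted into a numeric comparison. Escaping only touches quotes and
 * backslashes, so "3 OR 1=1" passes through unchanged and matches every row.
 */
function categories_escaped_numeric(PDO $db, string $rawId): array
{
    $id  = blanket_escape($rawId);
    $sql = "SELECT categoryid FROM stockcategory WHERE categoryid = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Safe: the same value is bound as a parameter, so it is compared as data
 * and never parsed as SQL. No row has categoryid equal to "3 OR 1=1".
 */
function categories_parameterised(PDO $db, string $rawId): array
{
    $stmt = $db->prepare('SELECT categoryid FROM stockcategory WHERE categoryid = :id');
    $stmt->execute([':id' => $rawId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Double escaping: the request-time escape plus a second escape when the
 * INSERT is assembled. The SQL literal then reads 'Men\\\'s Wear', which
 * MySQL decodes to Men\'s Wear, so a backslash is stored in the category name.
 */
function double_escaped_literal(string $rawName): string
{
    $once = blanket_escape($rawName);   // Men\'s Wear
    return blanket_escape($once);       // Men\\\'s Wear (what lands in the SQL text)
}

$db     = open_db();
$attack = '3 OR 1=1';                   // constructed malicious request value

$leaked = categories_escaped_numeric($db, $attack);
$bound  = categories_parameterised($db, $attack);
echo "escaped, numeric context: " . implode(',', $leaked) . "\n";              // 1,2,3
echo "parameterised:            " . ($bound ? implode(',', $bound) : '(no rows)') . "\n";
echo "double-escaped literal:   " . double_escaped_literal("Men's Wear") . "\n";
```

The practical rule this illustrates: escaping is a property of a string literal, not of a query, so it has to happen exactly once, at the point the literal is built, and it does nothing for values that are interpolated without quotes (numbers, identifiers, ORDER BY clauses). Binding the value as a parameter sidesteps both problems and keeps the stored data intact.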


Messages In This Thread
InventoryValuation.php - by iangrech - 07-03-2013, 08:28 AM
RE: InventoryValuation.php - by phil - 07-03-2013, 08:46 AM
RE: InventoryValuation.php - by iangrech - 07-03-2013, 08:50 AM
RE: InventoryValuation.php - by phil - 07-03-2013, 09:00 AM
RE: InventoryValuation.php - by iangrech - 07-03-2013, 09:08 AM
RE: InventoryValuation.php - by phil - 07-03-2013, 10:30 AM
