We have a web application written in PHP that talks to an MS SQL database running on IIS 6.0. We need to prevent SQL injection through users typing in ' and then what ever SQL they want to add into form fields etc. Up to now we have used addslashes() which is fine, however we want a global solution to ensure that we haven't missed any. However we don't want to go through the entire product (over 500 pages of source code) and remove every addslashes. We already have lots of code that deals with database queries, because we support MSSQL and MySQL so we break the query strings apart and ensure they are in the correct format for each database type etc.
What we want is the ability to incorporate into this code the ability to check if slashes have been added or not, and if not then add them. I'm thinking regular expressions would be the way to go but I have no experiance with these. Obviously just adding slashes to a query won't work as take this string:
INSERT INTO table (field1, field2) VALUES( 'test', 'test2')
Adding slashes will produce:
INSERT INTO table(field1, field2) VALUES(\'test\', \'test2\')
This is not correct.
So any ideas? Loads of points as we need a solution by Monday.