Sanitising all global variables in php
Posted on 2011-05-12
In some PHP code we've inherited, the PHP admin value register_globals is set to ON. Some parts of the code address variables as $_POST['var'] and some parts just use $var.
In order to stop SQL injection attacks, I would like to sanitise all POST and GET parameters using mysql_real_escape_string.
I've written a function that goes at the top of each page to loop through the $_POST and $_GET arrays to sanitise those values. But how do I do it for the variables that have been inserted into the page as $var?
Trawling through the code changing all instances of $var to $_POST['var'] is going to be a nightmare as there is a lot of code. I don't want to sanitise the whole of the GLOBALS array either in case it has any unwanted side-effects.
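An added example (written for this page, not code from the original post or the application it describes) of how the situation described above can be handled. It assumes PHP 5 with register_globals=On, an open mysql_* link in $db, and the default variables_order of "EGPCS"; the function names and the connection details are hypothetical.

```php
<?php
// Added example, not code from the original post. Assumes PHP 5 with
// register_globals=On, an open mysql_* link in $db, and the default
// variables_order "EGPCS"; function names and credentials are hypothetical.

// register_globals copies each request value into a separate global variable
// when the request starts, so escaping $_POST['var'] in place leaves $var as it
// was. Rather than walking all of $GLOBALS, walk only the request arrays and
// overwrite the global with the same name: those are exactly the variables
// register_globals created, so nothing else in $GLOBALS is touched.
function escape_request_globals($db)
{
    $magic = get_magic_quotes_gpc();          // avoid double escaping
    $registerGlobals = (bool) ini_get('register_globals');

    // Order matters: with variables_order "EGPCS", a key present in several
    // sources ends up holding the cookie value over POST over GET. Processing
    // the sources in the same order reproduces that precedence.
    foreach (array('_GET', '_POST', '_COOKIE') as $source) {
        foreach ($GLOBALS[$source] as $key => $value) {
            if (is_array($value)) {
                continue;                     // nested arrays: escape at the use site
            }
            if ($magic) {
                $value = stripslashes($value);
            }
            $escaped = mysql_real_escape_string($value, $db);
            $GLOBALS[$source][$key] = $escaped;
            if ($registerGlobals) {
                $GLOBALS[$key] = $escaped;    // keep $var in step with $_POST['var']
            }
        }
    }
}

$db = mysql_connect('localhost', 'app', 'secret');   // assumed connection
mysql_select_db('app', $db);
escape_request_globals($db);

// Escaping only protects values that end up inside quotes. After the sweep
// above, $id = "1 OR 1=1" is unchanged (there is nothing to escape) and this
// query still returns every row:
//   mysql_query("SELECT name FROM users WHERE id = $id", $db);
// The durable fix, which makes the sweep unnecessary, is a parameterised
// query: the value travels separately from the SQL text and cannot alter it.
function find_user_name(mysqli $conn, $id)
{
    $stmt = $conn->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);              // bound as an integer, never spliced in
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}
```

The sweep must run before any of the inherited code reads a variable, so it belongs in a file included at the very top of every page. Note that mysql_real_escape_string needs an open connection, that input-time escaping corrupts values that are later written anywhere other than a MySQL string literal (HTML, files, another database), and that the mysql_* extension the post uses was removed in PHP 7; mysqli or PDO prepared statements, as in find_user_name, are the approach to move towards.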