
getting rid of magic quotes


woodplease


I have some code which checks to see if a username and an email are in use. From what I can understand, it uses magic quotes to prevent SQL injection. I've heard that magic quotes are not going to be in use in PHP 6, so how can I change it so that it uses mysql_real_escape_string instead?

// Legacy version: if magic_quotes_gpc is off, backslash-escape the value
// ourselves with addslashes(), so it is escaped either way before it is
// dropped into the query string.
if (!get_magic_quotes_gpc()) {
    $_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'")
    or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
    die('Sorry, the username '.$_POST['username'].' is already in use.');
}

// Same pattern for the email address
if (!get_magic_quotes_gpc()) {
    $_POST['email'] = addslashes($_POST['email']);
}
$emailcheck = $_POST['email'];
$check = mysql_query("SELECT email FROM users WHERE email = '$emailcheck'")
    or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
    die('Sorry, the email '.$_POST['email'].' is already registered to another account.');
}

Thanks

https://forums.phpfreaks.com/topic/212582-getting-rid-of-magic-quotes/

OK, I think I've managed to take out the magic quotes. Could someone tell me if what I've done is sufficient to prevent SQL injection?

// Checks if the email is in use.
// Escape the raw POST value for the (already open) MySQL connection
// instead of relying on magic quotes / addslashes().
$mail = $_POST['email'];
$emailcheck = mysql_real_escape_string($mail);

// Old magic-quotes version, replaced by the two lines above:
//if (!get_magic_quotes_gpc()) {
//    $_POST['email'] = addslashes($_POST['email']);
//}
//$emailcheck = $_POST['email'];

$check = mysql_query("SELECT email FROM users WHERE email = '$emailcheck'")
    or die(mysql_error());
$check2 = mysql_num_rows($check);

// If the email exists it gives an error. Show the original value, not the
// SQL-escaped one, and encode it for HTML since it came straight from POST.
if ($check2 != 0) {
    die('Sorry, the email '.htmlspecialchars($mail).' is already registered to another account.');
}

The mysql_real_escape_string function will prevent SQL injection. The only other thing I would add is that you don't need the first two lines of code. You could just write

$check = mysql_query("SELECT email FROM users WHERE email = '".mysql_real_escape_string($_POST['email'])."'")
    or die(mysql_error());
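The same "username / email already in use" check, rewritten here as an added example (this is not code from the original post or either reply) on the mysqli extension, which is what replaced the mysql_* functions when they were removed in PHP 7. The connection credentials and the users(username, email) table are assumptions carried over from the thread's queries. It makes two points the reply leaves implicit: real_escape_string only works on an open connection and escapes according to that connection's charset, and it only protects a value that sits inside quotes in the SQL; a prepared statement needs neither condition because the input never becomes part of the query text.

```php
<?php
// Added example, not code from the original thread. Rewrites the
// "username / email already in use" check on mysqli. The connection
// parameters and the users(username, email) table are assumptions.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false, so a failed
// prepare/execute cannot silently read as "no rows, not in use".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed credentials.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

// Set the connection charset before escaping anything: real_escape_string()
// escapes according to this charset, and a mismatch between what the client
// assumes and what the server uses is what multibyte escaping bypasses rely on.
$db->set_charset('utf8mb4');

/**
 * Parameterised version. Returns 'username', 'email' or null depending on
 * which submitted value is already taken (username is checked first, as in
 * the original code). The user input never becomes part of the SQL text.
 */
function taken_field(mysqli $db, string $username, string $email): ?string
{
    $stmt = $db->prepare(
        'SELECT SUM(username = ?) AS username_taken,
                SUM(email = ?)    AS email_taken
           FROM users
          WHERE username = ? OR email = ?'
    );
    $stmt->bind_param('ssss', $username, $email, $username, $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // one aggregate row, NULLs when nothing matched
    $stmt->close();

    if ((int) $row['username_taken'] > 0) {
        return 'username';
    }
    if ((int) $row['email_taken'] > 0) {
        return 'email';
    }
    return null;
}

/**
 * Escaping version, for code that is staying on string-built queries. This is
 * the thread's mysql_real_escape_string() answer on the mysqli API. It is only
 * safe because the value is placed inside single quotes in the SQL; escaping
 * does nothing for an unquoted position such as a numeric comparison.
 */
function email_taken_escaped(mysqli $db, string $email): bool
{
    $safe   = $db->real_escape_string($email);
    $result = $db->query("SELECT 1 FROM users WHERE email = '$safe' LIMIT 1");
    return $result->num_rows > 0;
}

// --- usage, mirroring the original registration check ---
$username = (string) ($_POST['username'] ?? '');
$email    = (string) ($_POST['email'] ?? '');

$taken = taken_field($db, $username, $email);
if ($taken !== null) {
    // The original die() echoed the raw POST value into the page; encode it
    // for HTML so the response cannot carry markup or script back to the browser.
    $shown = htmlspecialchars($taken === 'username' ? $username : $email, ENT_QUOTES, 'UTF-8');
    exit("Sorry, the $taken $shown is already in use.");
}
```

Both functions give the same answer for ordinary input; the difference shows up on inputs like `x' OR '1'='1`, which the escaped query treats as a literal string and the prepared statement never sees as SQL at all. The `$stmt->get_result()` call needs the mysqlnd driver, which is the default in current PHP builds.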

Archived

This topic is now archived and is closed to further replies.
