tags:
views: 35
answers: 1
I'm working on a website where members can post their own adsense banners onto the site. Initially I wanted to use the Adsense API to share revenues with users. (They would just have to enter their Adsense publisher ID) but I found out that I don't meet the requirements to use the API.

My alternative is to allow users to submit their entire Adsense unit code which would look like,

<script type="text/javascript"><!--
google_ad_client = "pub-xxxxxxxx";
/* 300x250, created 10/4/10 */
google_ad_slot = "7431428552";
google_ad_width = 300;
google_ad_height = 250;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>

Is there a safe way to filter all that to make sure users don't submit harmful code?

A: 

An adsense client ID is a number. So make sure that it is a number by using ctype_digit. Note: ctype_digit() returns true if the string is empty. Use an additional == comparison if necessary.

This should be done before putting it in the database. As it's a number, and can't be negative, I suggest you use BIGINT UNSIGNED as the datatype for your column. INT can't be used because the ID is quite long. As an alternative, you can use VARCHAR.

Lekensteyn
Thank you! I haven't heard of ctype_digit before. I'll give it a go! :) The datatype suggestion is excellent!
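The approach the answer describes, as an added example that is not part of the original question or answer: instead of filtering a member-submitted script block, accept only the publisher ID (and slot ID) as digit strings, validate them with ctype_digit plus the explicit empty-string check the answer recommends, and have the server render the ad unit from a fixed template. The "pub-" prefix handling, the 19-digit length cap (chosen so the value always fits the BIGINT UNSIGNED column the answer suggests), the slot-ID validation and the list of allowed ad sizes other than 300x250 are assumptions of this example, not rules stated on the page.

```php
<?php
// Added example, not code from the original post.
// Members submit only IDs; the page never stores or echoes their <script>.

// Allowed ad sizes. Only 300x250 appears in the question; the other two are
// assumed for illustration and are not a documented AdSense list.
const ALLOWED_SIZES = [
    '300x250' => [300, 250],
    '728x90'  => [728, 90],
    '160x600' => [160, 600],
];

// Normalise a submitted publisher ID to its digit string.
// Accepts "pub-1234567890123456" or the bare digits; returns null on failure.
// The string type hint matters: ctype_digit() given an int interprets it as an
// ASCII code rather than a number.
function normalize_publisher_id(string $input): ?string
{
    $id = trim($input);
    if (stripos($id, 'pub-') === 0) {          // assumption: strip a "pub-" prefix
        $id = substr($id, 4);
    }
    // ctype_digit() plus an explicit empty-string check, as the answer advises.
    if ($id === '' || !ctype_digit($id)) {
        return null;
    }
    // 19 digits always fits BIGINT UNSIGNED (max 18446744073709551615);
    // anything longer is rejected before it reaches the database.
    if (strlen($id) > 19) {
        return null;
    }
    return $id;
}

// Slot IDs on the page are plain digit strings ("7431428552"); same rule.
function normalize_slot_id(string $input): ?string
{
    $slot = trim($input);
    if ($slot === '' || !ctype_digit($slot) || strlen($slot) > 19) {
        return null;
    }
    return $slot;
}

// Build the ad unit from validated values only. Because every interpolated
// value is a digit string or an int from ALLOWED_SIZES, no user-controlled
// markup can reach the output.
function render_ad_unit(string $publisherId, string $slotId, string $size): ?string
{
    if (!isset(ALLOWED_SIZES[$size])) {
        return null;
    }
    [$width, $height] = ALLOWED_SIZES[$size];
    return '<script type="text/javascript">' . "\n"
         . 'google_ad_client = "pub-' . $publisherId . '";' . "\n"
         . 'google_ad_slot = "' . $slotId . '";' . "\n"
         . 'google_ad_width = ' . $width . ';' . "\n"
         . 'google_ad_height = ' . $height . ';' . "\n"
         . '</script>' . "\n"
         . '<script type="text/javascript" '
         . 'src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>' . "\n";
}

// Constructed sample submissions (the publisher ID is a made-up placeholder).
$submissions = [
    ['client' => 'pub-1234567890123456', 'slot' => '7431428552',  'size' => '300x250'],
    ['client' => 'pub-12345; evil()',    'slot' => '7431428552',  'size' => '300x250'],
    ['client' => '',                     'slot' => '7431428552',  'size' => '300x250'],
    ['client' => '1234567890123456',     'slot' => '74314285521', 'size' => '999x999'],
];

foreach ($submissions as $s) {
    $client = normalize_publisher_id($s['client']);
    $slot   = normalize_slot_id($s['slot']);
    if ($client === null || $slot === null) {
        echo "rejected: invalid ID in " . json_encode($s) . "\n";
        continue;
    }
    $html = render_ad_unit($client, $slot, $s['size']);
    if ($html === null) {
        echo "rejected: unsupported size {$s['size']}\n";
        continue;
    }
    // $client and $slot are now safe to bind as parameters into the
    // BIGINT UNSIGNED columns the answer suggests; $html is safe to emit.
    echo $html;
}
```

The point of the design is that there is nothing to filter: the member never supplies markup, only two numbers and a size key, and the template that produces the script tags lives on the server. Storing the digit strings in BIGINT UNSIGNED columns (bound as prepared-statement parameters) keeps the same guarantee on the database side.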