mysql_real_escape_string in arrays

Posted: Wed Oct 07, 2009 10:22 am
by m2babaey
Hi,
Because I'm asking whether these functions work, I selected this forum for my post.
If I have a large website with lots of form data, I have to use mysql_real_escape_string for each form field.
I saw some code somewhere that seems to do it all.
For example, if I include connect.php at the first line of all my PHP files, and put this code in connect.php, will that be enough?
What do you think?

Code:

// Connect and select the database.
$db = mysql_connect("localhost", "user", "pass") or die("Could not connect.");
if (!$db)
    die("no db");
if (!mysql_select_db("board", $db))
    die("No database selected.");

// Note: array_map() is not recursive, so a nested value such as
// $_POST['field'][] reaches the callback as an array, not a string.
if (!get_magic_quotes_gpc())
{
    // magic_quotes_gpc is off: escape every request value directly.
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{
    // magic_quotes_gpc is on: strip its slashes first, then escape.
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

Re: mysql_real_escape_string in arrays

Posted: Wed Oct 07, 2009 10:34 am
by jackpf
You've basically recreated magic quotes...which was an awful feature.

Google magic quotes, and you'll find all the reasons why you shouldn't do stuff like that ;)
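
An added example, not written by either poster: it shows two effects of escaping all request data up front, as the connect.php snippet does, next to a bound-parameter query that leaves the input untouched. Assumptions: addslashes() stands in for mysql_real_escape_string() (which needs a live MySQL link and was removed in PHP 7), the database is in-memory SQLite through PDO, and the users table and find_user() helper are hypothetical.

```php
<?php
// Added example, not from the thread. All input values below are constructed.
// addslashes() stands in for mysql_real_escape_string(); both backslash-escape
// quote characters.

// Same shape as the connect.php snippet: escape every value up front.
function blanket_escape(array $input): array
{
    return array_map('addslashes', $input);
}

// Alternative: leave input untouched and bind it where the query is built.
function find_user(PDO $pdo, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return [];                       // not an integer: reject, don't "clean"
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');       // in-memory DB so the example runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$raw     = ['name' => "O'Brien", 'id' => '1 OR 1=1'];   // constructed request data
$escaped = blanket_escape($raw);

// Effect 1: every non-SQL use (HTML output, e-mail, logs) now sees the backslash.
printf("shown to user: %s\n", $escaped['name']);

// Effect 2: escaping only touches quote characters, so a value meant for an
// unquoted numeric context passes through unchanged.
printf("id changed by escaping: %s\n", var_export($escaped['id'] !== $raw['id'], true));

// Bound parameters need no global pre-processing and keep the data intact.
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->execute([$raw['name']]);
printf("stored name: %s\n", $pdo->query('SELECT name FROM users WHERE id = 3')->fetchColumn());
printf("rows for bad id: %d\n", count(find_user($pdo, $raw['id'])));
printf("rows for id 2: %d\n", count(find_user($pdo, '2')));
```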