MySQLReal_Escape_String and Strip_tags protection

bunnyali2011
Forum Newbie
Posts: 4
Joined: Mon May 21, 2012 8:10 am

MySQLReal_Escape_String and Strip_tags protection

Post by bunnyali2011 »

I have a FOR EACH loop, which is applied on a check-box, but when I applied protections to protect it against SQL injection and XSS, it gives me errors. Here is the code below:

The check-box name is:

<input type="checkbox" name="delete[]" value="'.$row['img_ID'].'"/>

if (isset($_POST['delete'])) {
    // $_POST['delete'] is an array (name="delete[]"), so this line triggers the warnings below
    $del_img = mysql_real_escape_string(strip_tags($_POST['delete']));
    foreach ($del_img as $id => $val)
    {
        $ids[] = $val;
    }
    mysql_query("DELETE FROM photos WHERE img_ID IN (" . implode(',', $ids) . ")");
    echo "Record Deleted.";
}
The errors I'm getting:

Warning: strip_tags() expects parameter 1 to be string

Warning: Invalid argument supplied for foreach()

Notice: Undefined variable: ids

Warning: implode() [function.implode]: Invalid arguments passed

When I remove the protections, the code works perfectly...
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: MySQLReal_Escape_String and Strip_tags protection

Post by Celauran »

$_POST['delete'] is an array. You're treating it as a string.
bunnyali2011
Forum Newbie
Posts: 4
Joined: Mon May 21, 2012 8:10 am

Re: MySQLReal_Escape_String and Strip_tags protection

Post by bunnyali2011 »

Yes, that's the problem, any suggestion how to protect it? I'm a newbie
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: MySQLReal_Escape_String and Strip_tags protection

Post by Celauran »

Move it into your foreach loop.

$ids = array(); // start with an empty list so the IN (...) clause is never built from an undefined variable
foreach ($_POST['delete'] as $delete)
{
    $ids[] = mysql_real_escape_string(strip_tags($delete));
}
Grizzzzzzzzzz
Forum Contributor
Posts: 125
Joined: Wed Sep 02, 2009 8:51 am

Re: MySQLReal_Escape_String and Strip_tags protection

Post by Grizzzzzzzzzz »

Assuming every item in the array is a string, probably just something like this?

foreach($array as $key => $array_item)
{
  $array[$key] = mysql_real_escape_string($array_item);
}
edit: beaten to it :wink:
bunnyali2011
Forum Newbie
Posts: 4
Joined: Mon May 21, 2012 8:10 am

Re: MySQLReal_Escape_String and Strip_tags protection

Post by bunnyali2011 »

Well, both your answers are good, but I prefer to take the first one as it has simplified the code, I mean removed the key value lol... THANK YOU BOTH OF YOU GUYS... You are great... I'm new here... and I'm satisfied with this forum.. :)
bunnyali2011
Forum Newbie
Posts: 4
Joined: Mon May 21, 2012 8:10 am

Re: MySQLReal_Escape_String and Strip_tags protection

Post by bunnyali2011 »

Well, someone told me an SQL injection can be done here: 0); DROP TABLE photos; --
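The payload quoted in the last post works because the IDs are interpolated into IN (...) without quotes, so there is nothing for mysql_real_escape_string() to escape. The following is an added example, not code from any poster; it uses an in-memory SQLite table named photos (constructed here to mirror the thread) and a stand-in escaper, since the mysql_* functions need a live MySQL link and were removed in PHP 7. It shows the query the thread's approach produces, then the two fixes that actually hold: casting the IDs to integers and binding them through a PDO prepared statement.

```php
<?php
// Added example: why escaping fails for an unquoted IN (...) list, and the fixes.
// Assumes a table "photos" with integer column img_ID, as in the thread.

// Stand-in for mysql_real_escape_string() (which needs a MySQL connection):
// it escapes the same characters (NUL, \n, \r, \, ', ", Ctrl-Z).
function escape_like_mysql(string $s): string {
    return strtr($s, ["\0" => '\0', "\n" => '\n', "\r" => '\r',
                      '\\' => '\\\\', "'" => "\'", '"' => '\"', "\x1a" => '\Z']);
}

// The thread's approach: escape each value, then interpolate it unquoted.
function build_query_thread_style(array $delete): string {
    $ids = [];
    foreach ($delete as $val) {
        $ids[] = escape_like_mysql(strip_tags($val));
    }
    return "DELETE FROM photos WHERE img_ID IN (" . implode(',', $ids) . ")";
}

// Fix 1: the IDs are integers, so cast them and drop anything that is not a positive id.
function sanitize_ids(array $delete): array {
    $ids = array_map('intval', $delete);
    return array_values(array_filter($ids, fn($id) => $id > 0));
}

// Fix 2: one placeholder per id; the values are bound, never spliced into the SQL text.
function delete_photos(PDO $db, array $delete): int {
    $ids = sanitize_ids($delete);
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM photos WHERE img_ID IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed input: two genuine checkbox values plus the payload quoted in the thread.
$posted = ['3', '5', '0); DROP TABLE photos; --'];

// The escaper changes nothing: the payload contains no quote, backslash or newline.
echo build_query_thread_style($posted), "\n";

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE photos (img_ID INTEGER PRIMARY KEY)");
$db->exec("INSERT INTO photos (img_ID) VALUES (1), (3), (5), (7)");
printf("deleted %d row(s), %d remain\n", delete_photos($db, $posted),
       $db->query("SELECT COUNT(*) FROM photos")->fetchColumn());
```

With the hardened path only rows 3 and 5 are deleted; the third value casts to 0 and is discarded before it reaches the database.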