
MySQLReal_Escape_String and Strip_tags protection

Posted: Mon May 21, 2012 8:13 am
by bunnyali2011
I have a FOREACH loop which is applied to a check-box, but when I applied protections to guard it against SQL injection and XSS, it gives me errors. Here is the code:

The check-box name is:

<input type="checkbox" name="delete[]" value="'.$row['img_ID'].'"/>


if (isset($_POST['delete'])) {
    $del_img = mysql_real_escape_string(strip_tags($_POST['delete']));
    foreach ($del_img as $id => $val) {
        $ids[] = $val;
    }
    mysql_query("DELETE FROM photos WHERE img_ID IN (" . implode(',', $ids) . ")");
    echo "Record Deleted.";
}
The errors I'm getting:

Warning: strip_tags() expects parameter 1 to be string

Warning: Invalid argument supplied for foreach()

Notice: Undefined variable: ids

Warning: implode() [function.implode]: Invalid arguments passed

When I remove the protections, the code works perfectly...

Re: MySQLReal_Escape_String and Strip_tags protection

Posted: Mon May 21, 2012 8:52 am
by Celauran
$_POST['delete'] is an array. You're treating it as a string.

Re: MySQLReal_Escape_String and Strip_tags protection

Posted: Mon May 21, 2012 8:54 am
by bunnyali2011
Yes, that's the problem. Any suggestion on how to protect it? I'm a newbie.

Re: MySQLReal_Escape_String and Strip_tags protection

Posted: Mon May 21, 2012 9:11 am
by Celauran
Move it into your foreach loop.


foreach ($_POST['delete'] as $delete)
{
    $ids[] = mysql_real_escape_string(strip_tags($delete));
}

Re: MySQLReal_Escape_String and Strip_tags protection

Posted: Mon May 21, 2012 9:12 am
by Grizzzzzzzzzz
Assuming every item in the array is a string, probably just something like this?


foreach($array as $key => $array_item)
{
  $array[$key] = mysql_real_escape_string($array_item);
}
edit: beaten to it :wink:

Re: MySQLReal_Escape_String and Strip_tags protection

Posted: Mon May 21, 2012 9:18 am
by bunnyali2011
Well, both your answers are good, but I prefer the first one as it simplifies the code, I mean it removes the key value lol... THANK YOU BOTH OF YOU GUYS... You are great... I'm new here... and I'm satisfied with this forum.. :)

Re: MySQLReal_Escape_String and Strip_tags protection

Posted: Mon May 21, 2012 9:24 am
by bunnyali2011
Well, someone told me an SQL injection can be done here: 0); DROP TABLE photos; --
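The payload quoted in the last post, worked through as an added example (this is not code from the thread or from any of its posters). It covers both the per-element escaping suggested in the earlier answers and the injection raised at the end: mysql_real_escape_string() only escapes NUL, \n, \r, backslash, the two quote characters and \x1a, and the thread's query splices the IDs into IN (...) without quotes, so a value like `0); DROP TABLE photos; --` passes through the escaping unchanged. With the old mysql_query() the second statement would fail, because that API runs one statement per call, but a variant such as `0) OR 1=1 -- ` would delete every row in the table. The hardened version below accepts only all-digit values, casts them to int, and binds them through PDO placeholders. The table and column names (photos, img_ID) come from the thread; the DSN, credentials and the function names filterImageIds() and deletePhotos() are assumptions for this example.

```php
<?php
// Added example (not from the thread). Demonstrates why escaping each
// checkbox value does not protect an unquoted IN (...) list, and a hardened
// alternative: whitelist integer IDs and use one PDO placeholder per ID.
declare(strict_types=1);

// Constructed sample input: two real IDs plus the payload from the thread.
$posted = ['12', '15', '0); DROP TABLE photos; --'];

// How the thread's code assembles the statement. mysql_real_escape_string()
// changes only NUL, \n, \r, \, ', " and \x1a; the payload contains none of
// them, so escaping it first would leave this string exactly as it is.
function buildUnsafeDelete(array $ids): string
{
    return "DELETE FROM photos WHERE img_ID IN (" . implode(',', $ids) . ")";
}

// Hardened input handling: keep only values that consist entirely of decimal
// digits and cast them to int. Anything else is rejected, not "cleaned".
// ($_POST values are strings or arrays, hence the is_string() check.)
function filterImageIds(array $input): array
{
    $ids = [];
    foreach ($input as $value) {
        if (is_string($value) && ctype_digit($value)) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

// Hardened query: the SQL text contains only placeholders, never user data.
function deletePhotos(PDO $db, array $ids): int
{
    if ($ids === []) {
        return 0; // "IN ()" is a syntax error in MySQL, so skip the query
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM photos WHERE img_ID IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Show the injected statement the original code would have sent...
echo buildUnsafeDelete($posted), "\n";
// ...and the ID list that survives whitelisting (the payload is dropped).
var_dump(filterImageIds($posted));

// Usage against a real connection (placeholder DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// $deleted = deletePhotos($db, filterImageIds($_POST['delete'] ?? []));
```

The whitelist is deliberately strict: an ID that fails ctype_digit() is discarded rather than escaped, because for a numeric column there is nothing to escape, and the only safe representation of the value is an integer that has been bound as one. strip_tags() belongs to output encoding, not to this input path; it does nothing for the SQL problem and the hardened version does not need it.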