array file input generates warning for mysqli_real_escape_st

m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

array file input generates warning for mysqli_real_escape_st

Post by m2babaey »

Hi
I have written this code in my config file (included everywhere) to avoid SQL injection:

Code: Select all

$_POST = array_map("mysql_escape",$_POST);
and here is the function definition

Code: Select all

function mysql_escape($input)
{
    global $conn;
    return mysqli_real_escape_string($conn,$input);
}
the problem is when I add this input to my form,

Code: Select all

<input id="photoUpload" type="file" name="TourPhoto[]" value='1' multiple accept="image/*">
and submit the form, I see this warning:
Warning: mysqli_real_escape_string() expects parameter 2 to be string, array given in C:\xampp\htdocs\project\functions.php on line 6
Although the script works and the file is uploaded.
If I change "TourPhoto[]" to "TourPhoto", the warning disappears; but I need to input multiple files and I'd like to know where I am going wrong.
Thanks in advance for your help
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: array file input generates warning for mysqli_real_escap

Post by requinix »

array_map() is not recursive and will only work on the elements right in the $_POST array. If one of those elements is an array then you will get that warning.

But what you are doing is wrong. Never escape values like that. To avoid SQL injection you should (a) use prepared statements and no form of escaping at all, or (b) escape values right at the moment you are putting them into the SQL queries.
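Option (a) from the reply above, written out as an added example (not code from this thread): the multi-valued field is inserted with a mysqli prepared statement, so nothing in $_POST is ever escaped. The table and column names, the $tourId parameter and the insertTourPhotos() helper are assumptions; note that a file input named TourPhoto[] delivers its values in $_FILES, not $_POST.

```php
<?php
// Added example, not the thread's code. Assumes a table tour_photos
// (tour_id INT, file_name VARCHAR) and an already opened mysqli $conn.
function insertTourPhotos(mysqli $conn, int $tourId, array $photos): int
{
    // The SQL is fixed; the values travel separately as bound parameters,
    // so a file name containing quotes or backslashes cannot alter the query.
    $stmt = $conn->prepare(
        'INSERT INTO tour_photos (tour_id, file_name) VALUES (?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    $inserted = 0;
    foreach ($photos as $fileName) {
        // A field named TourPhoto[] is an array, one element per file/value;
        // skip anything that is not a plain string rather than escaping it.
        if (!is_string($fileName) || $fileName === '') {
            continue;
        }
        $stmt->bind_param('is', $tourId, $fileName);   // i = int, s = string
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        $inserted += $stmt->affected_rows;
    }
    $stmt->close();
    return $inserted;
}

// Multiple uploaded files arrive as $_FILES['TourPhoto']['name'][0..n].
// Move each one with move_uploaded_file() first, then store the stored names;
// the original client-supplied names are used here only for illustration.
$names = $_FILES['TourPhoto']['name'] ?? [];
if (!is_array($names)) {            // single file when the name has no []
    $names = [$names];
}
$count = insertTourPhotos($conn, 42, $names);   // 42: assumed tour id
```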
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Re: array file input generates warning for mysqli_real_escap

Post by m2babaey »

requinix wrote: But what you are doing is wrong. Never escape values like that. To avoid SQL injection you should (a) use prepared statements and no form of escaping at all, or (b) escape values right at the moment you are putting them into the SQL queries.
Thanks, could you please explain this to me in more detail? Why is escaping values at the moment of page load not good?
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: array file input generates warning for mysqli_real_escap

Post by requinix »

Three easy reasons:

1. You will forget that a value has been escaped and you will escape it again. I promise you that will happen. That additional escaping will cause data corruption which can be very annoying to fix in the future.
2. You will forget whether or not you had escaped a value earlier. I promise that will happen too. You'll have to go back through your code to see if the value was ever escaped anywhere else and either (a) find it and be able to go back to what you were doing or (b) not find it and never be sure as to whether you simply didn't find it or whether you weren't escaping it at all.
3. One escaping method will not fix all your problems. What if you want to output one of those values onto the page? You'll have to unescape it first to remove the backslashes for the SQL, then re-escape it specifically for HTML. What if you need to pass those values into other code? You don't know what that code will do, and the code doesn't know that the value was escaped previously.

It's also a matter of principle. The data starts off as pure, innocent data. It is precisely what you received from the user, no question about it. By escaping it you turn the data into something else - no longer pure data, it's now "string values that are usable in a SQL query".