Basically what I want to do is run mysql_escape_string and str_replace on all POST and GET variables.
Option 1, I found:

```php
<?php
// Strip semicolons and escape a single value; recurse into arrays
function ekran($var) {
    if (!is_array($var)) {
        $var = str_replace(';', '', $var);
        return mysql_real_escape_string($var);
    }
    return array_map('ekran', $var);
}

function check_params() {
    // array_map returns a new array, so assign the result back
    // to the superglobals for the change to take effect
    $_GET  = array_map('ekran', $_GET);
    $_POST = array_map('ekran', $_POST);
}

// Imports GET/POST/cookie values into the global scope (register_globals style)
@import_request_variables("CGP", "");
?>
```

I understand this so that you just need to call check_params(); and it should work.
Option 2, I found (in this forum):

```php
<?php
// process vars for db insertion
// $array is taken by reference, so the caller's array is modified in place
function dbSafe(&$array) {
    foreach ($array as $key => $value) {
        $value = str_replace(';', '', $value);
        $array[$key] = mysql_escape_string($value);
    }
}

dbSafe($_GET);
dbSafe($_POST);
```
This works. But my concern is: what if POST is a multi-dimensional array?
So I want to know which option (or others, if they are better) is the best one. And what are the disadvantages of doing this on all POST and GET variables? (I'm guessing there are some...)
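The nested-array concern raised for option 2 can be illustrated with a recursive variant of dbSafe(). This is an added example, not code from the thread: the escape routine is passed in as a callable so the function runs without a database, and addslashes() stands in for the DB-specific escape in the constructed sample; the function and variable names are the example's own.

```php
<?php
// Added example: recursive version of dbSafe() that also reaches nested
// arrays such as $_POST['user']['name']. Not from the original post.
// $escape is a callable so the walker can run without a DB connection;
// with a live connection you would pass a closure around
// mysqli_real_escape_string($link, $v) (assumption: mysqli is available).
function dbSafeRecursive(array &$array, callable $escape) {
    foreach ($array as $key => &$value) {
        if (is_array($value)) {
            dbSafeRecursive($value, $escape);      // descend into nested arrays
        } else {
            $value = str_replace(';', '', $value); // same semicolon strip as the post
            $value = $escape($value);              // escape the leaf string
        }
    }
    unset($value); // break the reference left behind by foreach-by-reference
}

// Constructed sample request data (not real input); addslashes() is a
// stand-in so the example runs offline.
$sample = [
    'name' => "O'Brien; DROP",
    'tags' => ['a;b', "it's"],
    'deep' => ['level' => ['x' => '1;2']],
];
dbSafeRecursive($sample, 'addslashes');
var_dump($sample);
```

After the call every leaf string, however deeply nested, has had its semicolons removed and been passed through the escape callable, while the array shape and keys are unchanged. Two points worth keeping in mind when escaping at request time like this: the escaped values are only safe for the one context the escape function targets (the database), so anything later echoed, logged or stored elsewhere carries the extra backslashes, and a value that is escaped again at insert time ends up double-escaped. Escaping at the point of use, or binding values with prepared statements, avoids both issues.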