mysql_escape_string all $_post and $_get

joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany

Post by joachimseitz »

I know there are tons of threads concerning mysql_escape_string, but I didn't find what I'm looking for.

Basically, what I want to do is run mysql_escape_string and str_replace on all POST and GET variables.

Option 1, I found:

Code:

<?php
function ekran($var) {
   if(is_array($var) != 1) {
       $var = str_replace(';', '', $var);
       // Returns nothing (NULL) when escaping changes nothing, so values that need no escaping are lost.
       if($var != mysql_real_escape_string($var)) return mysql_real_escape_string($var);
   }
   else return array_filter($var);
}
function check_params() {
   // array_filter() returns a new array and the result is discarded here,
   // so $_GET and $_POST are never actually modified.
   array_filter($_GET, "ekran");
   array_filter($_POST, "ekran");
}
// Copies cookie, GET and POST variables into the global scope (this function was removed in PHP 5.4).
@import_request_variables("CGP", "");
?>
This doesn't want to work for me. I don't understand why `@import_request_variables("CGP", "");` is needed.
The way I understand it, you just need to call check_params(); and it should work.

Option 2, I found (in this forum):

Code:

// process vars for db insertion
// Escapes the top level only: a nested array is not recursed into
// (mysql_escape_string() expects a string, so a nested array ends up as NULL).
function dbSafe(&$array) {

    foreach ($array as $key=>$value) {
        $value = str_replace(';', '', $value);
        $array[$key] = mysql_escape_string($value);
    }
}
Here I would do:
dbSafe($_GET);
dbSafe($_POST);

This works. But my concern is: what if POST is a multidimensional array?

So I want to know which option (or if others are better) is the best one, and what the disadvantages are of doing this on all POST and GET variables. (I'm guessing there are some...)
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

What I would do is sort of a combination of the two samples you posted.

1) create a function and pass one parameter
2) determine if the param is an array
   a) if an array, loop the array and add mysql_escape_string to the values
   b) either put them back into an array, or return them separately
3) return the values escaped

Burr
joachimseitz
Forum Commoner
Posts: 25
Joined: Fri Feb 20, 2004 10:36 am
Location: Germany

Post by joachimseitz »

Code:

// Recursive: a nested array is mapped again, a scalar is stripped of ';' and escaped.
function dbsafe($var) {
   if(is_array($var) != 1) {
      $var = str_replace(';', '', $var);
      // mysql_escape_string() ignores the connection charset (mysql_real_escape_string() does not)
      // and was removed in PHP 7.
      return mysql_escape_string($var);
   }
   else return array_map('dbsafe', $var);
}
function check_params() {
   // $_POST and $_GET are superglobals, so assigning them inside a function replaces them globally.
   $_POST = array_map('dbsafe', $_POST);
   $_GET = array_map('dbsafe', $_GET);
}
All I need to do now is call check_params().
It seems to work this way for multidimensional arrays (like checkboxes).

Here is my test script:

Code:

<form name="form" method="post">
<input type="checkbox" name="colors[]" value="'red'"> Red
<input type="checkbox" name="colors[]" value="blue;;"> Blue
<input type="checkbox" name="colors[]" value="gr'een"> Green
<input type="checkbox" name="colors[]" value="yellow;;"> Yellow<br>
<p><input type="submit" name="hoho" value="ho'ho;"></p>
</form>
<?php
// Recursive: a nested array is mapped again, a scalar is stripped of ';' and escaped.
function dbsafe($var) {
   if(is_array($var) != 1) {
      $var = str_replace(';', '', $var);
      return mysql_escape_string($var);
   }
   else return array_map('dbsafe', $var);
}
function check_params() {
   $_POST = array_map('dbsafe', $_POST);
   $_GET = array_map('dbsafe', $_GET);
}

check_params();

// Dump the escaped request so the effect on the checkbox values can be seen.
echo "<br>New:";
var_dump ($_POST);
?>
So, does anybody see any disadvantages to doing this?


feyd | Please review how to post code using [code] and [/code] tags. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)
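An added example, not code from this thread or any of its posters, that runs the thread's "escape every POST/GET value up front" approach over a constructed request array and shows the disadvantages joachimseitz asks about, then the point-of-use alternative. It assumes PHP with the PDO extension for the last function (the `$pdo` connection and the `people` table are assumed, not part of the thread); `addslashes()` stands in for `mysql_escape_string()`, which was removed in PHP 7.

```php
<?php
// Added example (not from the thread): what blanket escaping of $_POST/$_GET does
// to the data, and why escaping at the point of use (or parameter binding) is preferred.
// Assumption: addslashes() is used in place of the removed mysql_escape_string();
// both backslash-escape ' and \, which is all this demonstration relies on.

function escapeLikeThread($var) {
    // Mirrors the thread's dbsafe(): strip semicolons, escape, recurse into arrays.
    if (is_array($var)) {
        return array_map('escapeLikeThread', $var);
    }
    return addslashes(str_replace(';', '', $var));
}

// Constructed request data, modelled on the checkbox form in the thread.
$input = array(
    'colors' => array("'red'", "blue;;", "gr'een"),
    'name'   => "O'Reilly",
    'id'     => "7",
);

$escaped = escapeLikeThread($input);

// 1) The values are now wrong for every non-SQL use. Echoing them back into
//    the page shows the added backslashes, and the semicolons are gone for good.
foreach ($escaped['colors'] as $c) {
    echo htmlspecialchars($c), "\n";        // \'red\'   blue   gr\'een
}

// 2) Anything that escapes again before the query (a DB layer, a second
//    helper) doubles the backslashes, so "O'Reilly" is stored as O\'Reilly.
echo addslashes($escaped['name']), "\n";    // O\\\'Reilly

// 3) Escaping only protects quoted string literals. A value interpolated
//    unquoted (WHERE id = $id) contains no quote to escape, so it passes
//    through unchanged; such values must be cast or bound, not escaped.
$id = escapeLikeThread("7 OR 1=1");
echo "escaping left id as: $id\n";
echo "cast instead: ", (int) $id, "\n";     // 7

// Preferred: leave $_POST/$_GET untouched and bind the raw value at the query.
// Assumes a PDO connection $pdo and a table people(id, name); not executed here.
function findPersonByName(PDO $pdo, $name) {
    $stmt = $pdo->prepare('SELECT id, name FROM people WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR); // raw value; the driver quotes it
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The first three parts run with plain PHP and need no database. The point they make is that escaping is a property of one output context (a quoted MySQL string literal), so doing it once for every input breaks the same value for HTML output, for unquoted numeric positions, and for any code path that escapes again; keeping request data raw and quoting or binding each value where it enters a query avoids all three problems.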