mysql_escape_string all $_post and $_get
Posted: Thu Apr 14, 2005 11:25 am
I know there are tons of threads concerning mysql_escape_string but I didn't find what I'm looking for.
Basically what I want to do is do mysql_escape_string and str_replace on all POST and GET variables.
Option 1, I found:

Code:
<?php
// Callback: strips ';' from a scalar and returns the escaped string when escaping changed it.
function ekran($var) {
    if (is_array($var) != 1) {
        $var = str_replace(';', '', $var);
        if ($var != mysql_real_escape_string($var)) return mysql_real_escape_string($var);
    }
    else return array_filter($var);
}

// array_filter() returns a new array and uses the callback's return value only to decide
// whether to keep each element; the result is discarded here, so $_GET and $_POST stay unchanged.
function check_params() {
    array_filter($_GET, "ekran");
    array_filter($_POST, "ekran");
}

// Imports cookie, GET and POST variables into the global scope with an empty prefix.
@import_request_variables("CGP", "");
?>

This doesn't want to work for me. I don't understand why "@import_request_variables("CGP", "");" is needed.
I understand this to mean that you just need to call check_params(); and it should work.
Option 2, I found (in this forum):

Code:
// process vars for db insertion
function dbSafe(&$array) {
    foreach ($array as $key => $value) {
        $value = str_replace(';', '', $value);
        $array[$key] = mysql_escape_string($value);
    }
}

Here I would do:
dbSafe($_GET);
dbSafe($_POST);
This works. But my concern is what if POST is a multiple array?
So I want to know which option (or if others are better) is the best one. And what are the disadvantages of doing this on all POST and GET variables? (I'm guessing there are some...)
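
An added example, not part of the original post, for the nested-array concern and the question about disadvantages: a recursive version of the blanket escape next to binding the value at the query. Function names and request data are constructed; addslashes() stands in for mysql_escape_string(), which was removed in PHP 7.0, and the in-memory SQLite database through PDO is an assumption so the block runs offline.

```php
<?php
// Added example: all names are hypothetical and the request data is constructed.

// Stand-in for mysql_escape_string(), which was removed in PHP 7.0.
// addslashes() is not equivalent; it only mimics the backslash escaping here.
function legacyEscape(string $value): string
{
    return addslashes(str_replace(';', '', $value));
}

// The blanket approach, made recursive so nested arrays are reached too.
function dbSafeRecursive(array &$input): void
{
    array_walk_recursive($input, function (&$value) {
        if (is_string($value)) {
            $value = legacyEscape($value);
        }
    });
}

// Constructed request data: one scalar field and one nested array field.
$post = [
    'name' => "O'Brien; Sons",
    'tags' => ['a;b', "it's"],
];

// Escaping a copy shows the cost: every later use (HTML output, e-mail,
// comparisons) sees the added backslash, and the stripped ';' cannot be restored.
$blanket = $post;
dbSafeRecursive($blanket);

// Alternative: leave the request data as received and bind it at the query.
// Assumption: in-memory SQLite through PDO, so the block runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

$stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
$stmt->execute([':name' => $post['name']]);
$stored = $db->query('SELECT name FROM people')->fetchColumn();

var_dump($blanket['name']);           // globally escaped value
var_dump($blanket['tags']);           // nested values after the recursive pass
var_dump($stored === $post['name']);  // bound value compared with the original
```

The same prepare/execute calls work with a MySQL DSN in PDO; only the connection string changes.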