
mysql_escape_string all $_post and $_get

Posted: Thu Apr 14, 2005 11:25 am
by joachimseitz
I know there are tons of threads concerning mysql_escape_string, but I didn't find what I'm looking for.

Basically, what I want to do is apply mysql_escape_string and str_replace to all POST and GET variables.

Option 1, I found:

Code:

<?php
// Option 1 as found. Note: it does not change $_GET/$_POST at all.
function ekran($var) {
   if(!is_array($var)) {
       $var = str_replace(';', '', $var);
       // only returns a value when escaping changed it; otherwise returns null.
       // mysql_real_escape_string() also needs an open MySQL connection.
       if($var != mysql_real_escape_string($var)) return mysql_real_escape_string($var);
   }
   else return array_filter($var);
}
function check_params() {
   // array_filter() uses the callback as a true/false filter and throws its
   // return value away; the superglobals are left exactly as they were.
   array_filter($_GET, "ekran");
   array_filter($_POST, "ekran");
}
// imports GET, COOKIE and POST entries into the global scope (register_globals style)
@import_request_variables("CGP", "");
?>
This doesn't work for me. I don't understand why "@import_request_variables("CGP", "");" is needed.
My understanding is that you just need to call check_params(); and it should work.

Option 2, I found: (in this Forum)

Code:

// process vars for db insertion
function dbSafe(&$array) {
    // works on the array in place (passed by reference), but only one level deep:
    // a nested array such as colors[] is not recursed into
    foreach ($array as $key=>$value) {
        $value = str_replace(';', '', $value);
        $array[$key] = mysql_escape_string($value);
    }
}
Here I would do:
dbSafe($_GET);
dbSafe($_POST);

This works. But my concern is: what if POST is a multi-dimensional array?

So I want to know which option (or another, if there is a better one) is the best. And what are the disadvantages of doing this on all POST and GET variables? (I'm guessing there are some...)

Posted: Thu Apr 14, 2005 11:35 am
by Burrito
What I would do is sort of a combination of the two samples you posted.

1) Create a function and pass one parameter.
2) Determine if the parameter is an array.
   a) If it is an array, loop over the array and apply mysql_escape_string to the values.
   b) Either put them back into an array, or return them separately.
3) Return the escaped values.

Burr

Posted: Thu Apr 14, 2005 6:34 pm
by feyd

Posted: Fri Apr 15, 2005 10:05 am
by joachimseitz

Code:

function dbsafe($var) {
   if(!is_array($var)) {
      $var = str_replace(';', '', $var);    // strips every ';' from the value
      return mysql_escape_string($var);     // no connection needed; ignores the connection charset
   }
   else return array_map('dbsafe', $var);  // recurse into nested arrays (e.g. colors[])
}
function check_params() {
   // superglobals are visible in every scope, so this replaces them in place
   $_POST = array_map('dbsafe', $_POST);
   $_GET = array_map('dbsafe', $_GET);
}
All I need to do now is call check_params().
It seems to work this way for multi-dimensional arrays (like checkboxes).

Here is my test script:

Code:

<form name="form" method="post">
<input type="checkbox" name="colors[]" value="'red'"> Red
<input type="checkbox" name="colors[]" value="blue;;"> Blue
<input type="checkbox" name="colors[]" value="gr'een"> Green
<input type="checkbox" name="colors[]" value="yellow;;"> Yellow<br>
<p><input type="submit" name="hoho" value="ho'ho;"></p>
</form>
<?php
function dbsafe($var) {
   if(!is_array($var)) {
      $var = str_replace(';', '', $var);    // strips every ';' from the value
      return mysql_escape_string($var);     // no connection needed; ignores the connection charset
   }
   else return array_map('dbsafe', $var);  // recurse into nested arrays (e.g. colors[])
}
function check_params() {
   // superglobals are visible in every scope, so this replaces them in place
   $_POST = array_map('dbsafe', $_POST);
   $_GET = array_map('dbsafe', $_GET);
}

check_params();

echo "<br>New:";
var_dump ($_POST);
?>
So, does anybody see any disadvantages in doing this?


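The disadvantages asked about in the post above, shown as an added example; this is not code from the thread or from any of its posters. It assumes PHP with the PDO SQLite driver (pdo_sqlite) so it runs without a MySQL server, uses addslashes() as a stand-in for mysql_escape_string() (deprecated since PHP 4.3.0 and removed together with the mysql extension in PHP 7.0; unlike mysql_real_escape_string() it does not take the connection's character set into account), and fills $_POST with constructed values matching the test form above plus one injection-shaped value. The function names dbsafe_thread_style() and store_choices() are mine. What it shows: escaping at input time changes the value for every later consumer (HTML output, logging, a second escaping layer), deleting semicolons destroys data, and neither is needed if the values stay raw and are bound at the query boundary; with the old mysql extension the equivalent is calling mysql_real_escape_string() on each value right where the query is built, with a connection open.

```php
<?php
// Added example, not code from the thread. Contrasts "escape every request
// variable at input time" with binding values at the query boundary.
// Uses an in-memory SQLite database via PDO (assumption: pdo_sqlite is
// available); bound parameters work the same way with the pdo_mysql driver.

// Constructed sample input: what the thread's form submits, plus one
// injection-shaped value to show it ends up stored as plain data.
$_POST = [
    'hoho'   => "ho'ho;",
    'colors' => ["'red'", "blue;;", "gr'een", "'; DROP TABLE choices; --"],
];

// 1) The thread's approach, with addslashes() standing in for the removed
//    mysql_escape_string(). It is lossy (every ';' is deleted) and it alters
//    the value for every consumer, not only the SQL layer.
function dbsafe_thread_style($var)
{
    if (!is_array($var)) {
        $var = str_replace(';', '', (string) $var);
        return addslashes($var);
    }
    return array_map('dbsafe_thread_style', $var);
}

// 2) Escaping at the query boundary: $_POST stays untouched and the driver
//    binds the values, so quotes and semicolons are data, not SQL syntax.
function store_choices(PDO $pdo, array $post)
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS choices ('
             . 'id INTEGER PRIMARY KEY, label TEXT NOT NULL, color TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO choices (label, color) VALUES (:label, :color)');
    foreach ($post['colors'] as $color) {
        $stmt->execute([':label' => $post['hoho'], ':color' => $color]);
    }
    return $pdo->query('SELECT label, color FROM choices ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Input-time escaping: the semicolon is gone and a backslash has been added,
// and a second escaping layer (a common accident) doubles the damage.
$escaped = array_map('dbsafe_thread_style', $_POST);
echo "Escaped at input:      ", $escaped['hoho'], "\n";
echo "Escaped a second time: ", addslashes($escaped['hoho']), "\n";

// Query-boundary binding: every row comes back byte-for-byte as submitted,
// including the one that looks like an injection, and the table still exists.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (store_choices($pdo, $_POST) as $row) {
    printf("%-8s | %s\n", $row['label'], $row['color']);
}

// The same raw value, escaped for the context it is actually going to:
// HTML output gets htmlspecialchars(), the database got a bound parameter.
echo htmlspecialchars($_POST['hoho'], ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php`. The first two lines of output show the mutated value; the rows that follow show the original input back from the database unchanged, which is the property the thread's dbsafe() gives up.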
feyd | Please review how to post code using the [code] and [/code] tags. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)