Code:
$varName = $_POST['varName'];
Next I take the same long list, but use this:
Code:
$varName = mysql_real_escape_string(trim(strip_tags($varName)));
2) Does mysql_real_escape_string need to have an active connection to the database in order to function? I'm trying to sanitize it right away, so that anything else I do before the INSERT step will already have it sanitized (such as then running it through regex for email, etc.)
3) And the real question, can I shorten this by using an array? I have seen code using arrays on POST data, but I was unsure if POST comes as an array, or if I would somehow have to put it into an array to begin with. The code I was looking at is:
Code:
if (get_magic_quotes_gpc()){
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
I am assuming this code will stripslashes() from each variable in the POST array? And is there automatically a POST array?
Also, I believe from the above array, I would perhaps run that, then run directly after it the same general code except no "if" check for magic_quotes, and stripslashes would be replaced with mysql_real_escape_string(). Is this sound logic? I will be accepting credit cards and don't want to allow injection obviously. Thank you for any help you can give.
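
An added example, not part of the original post: $_POST is a built-in array, and mysql_real_escape_string() needs an open database connection, so this sketch cleans the expected fields in one loop and leaves SQL safety to a PDO prepared statement (the mysql_* functions were removed in PHP 7). The field names, the customers table and the in-memory SQLite database are assumptions chosen so the example runs offline.

```php
<?php
// Added example. $post is constructed input standing in for $_POST;
// the field names and the customers table are hypothetical.
$post = [
    'name'  => "  O'Brien ",
    'email' => ' pat@example.com ',
    'tags'  => ['a', 'b'], // a form field named tags[] arrives as a nested array
];

// Pick only the expected fields, reject nested arrays, and trim.
// Nothing is escaped here, so later validation sees the real value.
function clean_input(array $source, array $fields): array
{
    $out = [];
    foreach ($fields as $field) {
        $value = $source[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field '$field' must be a single value");
        }
        $out[$field] = trim($value);
    }
    return $out;
}

$data = clean_input($post, ['name', 'email']);
if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
    throw new InvalidArgumentException('Invalid email address');
}

// In-memory SQLite keeps the example offline; PDO's prepare/execute calls
// are the same with a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (name TEXT, email TEXT)');

// Placeholders send the values separately from the SQL text, so the
// apostrophe in the name is stored as data and needs no escaping.
$stmt = $pdo->prepare('INSERT INTO customers (name, email) VALUES (:name, :email)');
$stmt->execute([':name' => $data['name'], ':email' => $data['email']]);

$row = $pdo->query('SELECT name, email FROM customers')->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

Mapping a string function such as stripslashes over the whole array with array_map breaks on nested values like tags[], which is why the loop above checks is_string() on each expected field.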