POST[] and Array (Sanitizing Question)

Posted: Fri Jan 13, 2006 2:10 pm
by MikeCXT
Hello. Currently I have a form that posts all variables to reg.php. Then reg.php will do a

$varName = $_POST['varName'];
to each variable, creating a long list of variables being defined from their POST counterparts.

Next I take the same long list, but use this:

$varName = mysql_real_escape_string(trim(strip_tags($varName)));
1) My first question is: I believe this is enough sanitizing to prevent SQL injection, am I correct?

2) Does mysql_real_escape_string need to have an active connection to the database in order to function? I'm trying to sanitize it right away, so that anything else I do before the INSERT step will already have it sanitized (such as then running it through regex for email, etc.)

3) And the real question: can I shorten this by using an array? I have seen code using arrays on POST data, but I was unsure if POST comes as an array, or if I would somehow have to put it into an array to begin with. The code I was looking at is:

// Undo the backslashes PHP adds to request data when magic_quotes_gpc is on,
// so the values are handled in their raw form. Note: array_map() applies
// stripslashes() only to top-level values; a nested array (e.g. a field
// named foo[]) would trigger a warning instead of being stripped.
if (get_magic_quotes_gpc()) {
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
I have never been very confident about using arrays, just never used one yet.
I am assuming this code will stripslashes() from each variable in the POST array? And is there automatically a POST array?

Also, I believe from the above array, I would perhaps run that, then run directly after it the same general code except no "if" check for magic_quotes, and stripslashes would be replaced with mysql_real_escape_string(). Is this sound logic? I will be accepting credit cards and don't want to allow injection obviously. Thank you for any help you can give.
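As an added example (not code from this thread): since $_POST is already an array, one recursive helper can handle the whole form, and a prepared statement rather than mysql_real_escape_string (which also needs an open MySQL connection) keeps the INSERT safe from injection. The field names and the in-memory SQLite stand-in for MySQL are assumptions.

```php
<?php
// $_POST is always an array, so one recursive helper replaces the long list
// of "$varName = $_POST['varName'];" lines. It removes magic-quote slashes
// from every element, including nested arrays, where a plain
// array_map('stripslashes', $_POST) would emit a warning.
function undo_magic_quotes($value) {
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// Trim and validate only the fields reg.php expects (hypothetical names).
// This is input validation; SQL safety comes from the prepared statement
// below, not from escaping.
function clean_registration(array $post) {
    $clean = array();
    foreach (array('username', 'email') as $field) {
        $clean[$field] = isset($post[$field]) && is_string($post[$field])
            ? trim($post[$field]) : '';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $clean;
}

// Constructed sample, as PHP with magic_quotes_gpc=On would populate $_POST.
// In PHP 5 the real check is: if (get_magic_quotes_gpc()) { ... }.
// Magic quotes and that function no longer exist in PHP 8.
$_POST = array('username' => "O\\'Brien", 'email' => 'mike@example.com',
               'extra' => array('note' => "it\\'s"));
$_POST = undo_magic_quotes($_POST);
$clean = clean_registration($_POST);

// Parameterised INSERT: the value travels separately from the SQL text, so
// the quote in the username is stored literally and is never parsed as SQL.
// An in-memory SQLite database stands in for MySQL so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$stmt = $db->prepare('INSERT INTO users (username, email) VALUES (:username, :email)');
$stmt->execute(array(':username' => $clean['username'], ':email' => $clean['email']));

$row = $db->query('SELECT username, email FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```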

Posted: Fri Jan 13, 2006 3:13 pm
by wtf
I had a similar question recently. Check it out: viewtopic.php?t=41707&highlight=