mysql_real_escape an entire array and export values.


screevo
Forum Commoner
Posts: 25
Joined: Fri Aug 25, 2006 12:04 am

mysql_real_escape an entire array and export values.

Post by screevo »

Ok. Say I have

Code:
<?
$test['a'] = "blah ' blah ' ";
$test['b'] = "choo ' choo ' ";
?>
and I want to end up with

Code:
$a="blah \' blah \' ";
$b="choo \' choo \' ";
Is there a function I can use to escape all the values in the array and export them? In particular, I want to be able to do this to $_POST data without having to declare each variable manually.

SM
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

array_map() may be of interest.

While you technically could use extract(), it can be a security hole. Instead I would recommend examining all of the array_keys() to determine if the data is what you are expecting before you use extract().
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Code:
$test = array_map('mysql_real_escape_string', $test);
You'd better not export variables out of the array with unpredictable keys.
screevo
Forum Commoner
Posts: 25
Joined: Fri Aug 25, 2006 12:04 am

Post by screevo »

Well, here's what I'm doing.

In the admin panel of this CMS i've written for my website, there are five fields for editing or creating a page.

So I know what's in those fields. I put it there myself.

Currently, I have to do this:

Code:
<?
$id = mysql_real_escape_string($_POST['id']);
$link = mysql_real_escape_string($_POST['link']);
$linkimage = mysql_real_escape_string($_POST['linkimage']);
$title = mysql_real_escape_string($_POST['title']);
$content = mysql_real_escape_string($_POST['content']);
?>
I want to be able to just do functionName($_POST) and have it create all those variables and escape them.

So far I see methods to escape the entire array, but what about to create all those variables too?

Code:
<?
function escapeExtractArray($a) {
$temp=array_map("mysql_real_escape_string",$a);
extract($temp);
}
?>
Is that what I would want?

EDIT: Apparently not, because I just tried it and it didn't work...


SM
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Extract() creates the variables in the local scope. As an illustration, when done in a function the variables will be made available in that function. But when the function is terminated, so are the variables.

As we've already said, be EXTREMELY careful in how you use extract().
screevo
Forum Commoner
Posts: 25
Joined: Fri Aug 25, 2006 12:04 am

Post by screevo »

What are some of the bad things that can happen with extract, and how does it differ from me setting those variables manually by doing "$x=$_POST['x']"?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  • Extract can overwrite existing variables.
  • Without filtering the keys you could create variables you didn't expect.
  • Without analysis of the data you could inadvertently expose the path to your files or get query errors you don't expect.
to name a few.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Code:
<?php
$available_values = $_POST;
$wanted_variables = array('id', 'link', 'linkimage', 'title', 'content');

function makeVariables($available_values, $wanted_variables) {
    foreach ($wanted_variables as $wanted_variable) {
        if (array_key_exists($wanted_variable, $available_values)) {
            ${$wanted_variable} = mysql_real_escape_string($available_values[$wanted_variable]);
        } else {
            // perhaps assign default value??
            // or throw an exception??
        }
    }
}
?>
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

That seems pretty nice timvw. Your variable names are difficult to distinguish though.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

That seems pretty nice timvw.
yeah. with some 'global' thrown in, it might even work :lol:
screevo
Forum Commoner
Posts: 25
Joined: Fri Aug 25, 2006 12:04 am

Post by screevo »

Weirdan wrote:
That seems pretty nice timvw.
yeah. with some 'global' thrown in, it might even work :lol:
Heh. I figured someone would point that out eventually. I ended up just doing

Code:
$post=array_map('mysql_real_escape_string',$_POST);
extract($post);
whenever I needed this function, which I believe was only twice.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

I ended up just doing
You have been warned.
screevo
Forum Commoner
Posts: 25
Joined: Fri Aug 25, 2006 12:04 am

Post by screevo »

Weirdan wrote:
I ended up just doing
You have been warned.
Yes. And I checked over my code.

1. That variable is always initiated IN a function, so I'm not concerned about overwriting an existing variable. It's at the beginning of a function, and since I don't use globals, it can't overwrite something that doesn't exist.

2. Only 5 variables would ever be used in a query: id, link, linkimage, title, content. So any extra variables would just be destroyed when the function exits.

3. All the variables come from the same five field form. The only way to allow it to pass MORE than the five variables would be to create a page manually with more form fields. If someone did it OFF site, it would be caught by the username/password field. If someone did it from ON site, well, that would be me. And either way, there are no calls for other variables.

So all things considered, I think the benefits of more concise code outweigh any risks, because in this application, there are none.

register_globals="off" is my friend.

Just to be safe, I suppose...

Code:
$form=array('id', 'link', 'linkimage', 'title', 'content'); 
foreach($form as $form) {
     if (array_key_exists($_POST,$form)) {
          ${$form} = mysql_real_escape_string($_POST[$form]);
     }
}
SM
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Code:
$form=array('id', 'link', 'linkimage', 'title', 'content');
foreach($form as $var) {
     if (array_key_exists($var, $_POST)) {
          ${$var} = mysql_real_escape_string($_POST[$var]);
     } else {
          ${$var} = null; // or some default value
     }
}
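An added example, not code from any poster in this thread, that shows the overwrite hazard from feyd's first bullet and the whitelist approach of timvw's and Weirdan's loops, returning the escaped values as an array instead of creating local variables (which is why the in-function versions would have needed `global`). The `$post` array is constructed sample data, `escapeWanted` is a hypothetical name, and `addslashes` stands in for `mysql_real_escape_string` only so the script runs without a database connection.

```php
<?php
// Constructed sample request: the five expected fields plus two keys a
// hand-crafted request could add.
$post = array(
    'id'        => '7',
    'title'     => "O'Reilly",
    'link'      => 'about',
    'linkimage' => 'about.png',
    'content'   => "it's here",
    'isAdmin'   => '1',     // unexpected key
    'userId'    => '9999',  // unexpected key
);

// (1) The overwrite hazard: $isAdmin was set by the application, and a
//     plain extract() replaces it with the request-supplied value.
$isAdmin = false;
extract($post);
var_dump($isAdmin);   // now holds the string from the request

// EXTR_SKIP refuses to clobber variables that already exist, but still
// creates every other key ($userId, ...) as a variable in this scope.
$isAdmin = false;
extract($post, EXTR_SKIP);
var_dump($isAdmin);   // unchanged, but $userId now exists

// (2) Whitelist: pull only the keys you expect, escape each one, and
//     return them. Missing keys become null so callers always see the
//     same set. $escape is the escaper that fits your driver
//     (mysql_real_escape_string with an open connection in the thread's
//     setup); addslashes is passed below only to keep this runnable offline.
function escapeWanted(array $available, array $wanted, $escape)
{
    $out = array();
    foreach ($wanted as $key) {
        $out[$key] = array_key_exists($key, $available)
            ? call_user_func($escape, $available[$key])
            : null;
    }
    return $out;
}

$wanted = array('id', 'link', 'linkimage', 'title', 'content');
$fields = escapeWanted($post, $wanted, 'addslashes');
var_dump(array_keys($fields));  // only the five wanted keys
echo $fields['title'], "\n";
```

With a driver that supports prepared statements the escaping step is replaced by binding each value of the returned array to a placeholder, and the whitelist stays the same.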
screevo
Forum Commoner
Posts: 25
Joined: Fri Aug 25, 2006 12:04 am

Post by screevo »

Other than setting any undefineds as null, what's the difference between yours and mine? You do $form as $var, I do $form as $form. I don't notice any difference other than the null thing. I don't understand the difference between not defining $var at all, and defining it as null.

So far, mine works with no errors. :?: