mysql_real_escape an entire array and export values.
Posted: Sat Aug 26, 2006 9:35 pm
by screevo
Ok. Say I have
Code:
<?php
$test['a'] = "blah ' blah ' ";
$test['b'] = "choo ' choo ' ";
?>
and I want to end up with
Code:
$a="blah \' blah \' ";
$b="blah \' blah \' ";
Is there a function I can use to escape all the values in the array and export them? In particular, I want to be able to do this to $_POST data without having to declare each variable manually.
SM
Posted: Sat Aug 26, 2006 9:37 pm
by feyd
array_map() may be of interest.
While you technically could use extract(), it can be a security hole. Instead I would recommend examining all of the array_keys() to determine if the data is what you are expecting before you use extract().
Posted: Sat Aug 26, 2006 9:40 pm
by Weirdan
Code:
$test = array_map('mysql_real_escape_string', $test);
You'd better not export variables out of the array with unpredictable keys.
Posted: Sat Aug 26, 2006 10:42 pm
by screevo
Well, here's what I'm doing.
In the admin panel of this CMS i've written for my website, there are five fields for editing or creating a page.
So I know what's in those fields. I put it there myself.
Currently, I have to do this:
Code:
<?php
$id = mysql_real_escape_string($_POST['id']);
$link = mysql_real_escape_string($_POST['link']);
$linkimage = mysql_real_escape_string($_POST['linkimage']);
$title = mysql_real_escape_string($_POST['title']);
$content = mysql_real_escape_string($_POST['content']);
?>
I want to be able to just do functionName($_POST) and have it create all those variables and escape them.
So far I see methods to escape the entire array, but what about to create all those variables too?
Code:
<?php
function escapeExtractArray($a) {
    $temp = array_map("mysql_real_escape_string", $a);
    extract($temp); // creates the variables only in this function's scope
}
?>
Is that what I would want?
EDIT: Apparently not, because I just tried it and it didn't work...
SM
Posted: Sat Aug 26, 2006 11:53 pm
by feyd
extract() creates the variables in the local scope. As illustration, when done in a function the variables will be made available in that function. But when the function is terminated, so are the variables.
As we've already said, be EXTREMELY careful in how you use extract().
Posted: Sat Aug 26, 2006 11:54 pm
by screevo
What are some of the bad things that can happen with extract, and how does it differ from me setting those variables manually by doing "$x=$_POST['x']"?
Posted: Sun Aug 27, 2006 12:13 am
by feyd
- Extract can overwrite existing variables.
- Without filtering the keys you could create variables you didn't expect.
- Without analysis of the data you could inadvertently expose the path to your files or get query errors you don't expect.
to name a few.
Posted: Sun Aug 27, 2006 1:01 am
by timvw
Code:
<?php
$available_values = $_POST;
$wanted_variables = array('id', 'link', 'linkimage', 'title', 'content');
function makeVariables($available_values, $wanted_variables) {
    foreach ($wanted_variables as $wanted_variable) {
        if (array_key_exists($wanted_variable, $available_values)) {
            ${$wanted_variable} = mysql_real_escape_string($available_values[$wanted_variable]);
        } else {
            // perhaps assign default value??
            // or throw an exception??
        }
    }
}
?>
Posted: Sun Aug 27, 2006 5:32 am
by Ollie Saunders
That seems pretty nice timvw. Your variable names are difficult to distinguish though.
Posted: Sun Aug 27, 2006 6:51 am
by Weirdan
Ollie Saunders wrote:That seems pretty nice timvw.
Yeah. With some 'global' thrown in it might even work.

Posted: Sun Aug 27, 2006 6:55 am
by screevo
Weirdan wrote:That seems pretty nice timvw.
Yeah. With some 'global' thrown in it might even work.

Heh. I figured someone would point that out eventually. I ended up just doing
Code:
$post=array_map('mysql_real_escape_string',$_POST);
extract($post);
whenever I needed this function, which I believe was only twice.
Posted: Sun Aug 27, 2006 7:07 am
by Weirdan
screevo wrote:I ended up just doing
You have been warned.
Posted: Sun Aug 27, 2006 7:13 am
by screevo
Weirdan wrote:I ended up just doing
You have been warned.
Yes. And I checked over my code.
1. That variable is always initiated IN a function, so I'm not concerned about overwriting an existing variable. It's at the beginning of a function, and since I don't use globals, it can't overwrite something that doesn't exist.
2. Only 5 variables would ever be used in a query: id, link, linkimage, title, content. So any extra variables would just be destroyed when the function exits.
3. All the variables come from the same five field form. The only way to allow it to pass MORE than the five variables would be to create a page manually with more form fields. If someone did it OFF site, it would be caught by the username/password field. If someone did it from ON site, well, that would be me. And either way, there are no calls for other variables.
So all things considered, I think the benefits of more concise code outweigh any risks, because in this application, there are none.
register_globals="off" is my friend.
Just to be safe, I suppose...
Code:
$form=array('id', 'link', 'linkimage', 'title', 'content');
foreach($form as $form) {
    if (array_key_exists($_POST,$form)) {
        ${$form} = mysql_real_escape_string($_POST[$form]);
    }
}
SM
Posted: Sun Aug 27, 2006 7:31 am
by Weirdan
Code:
$form=array('id', 'link', 'linkimage', 'title', 'content');
foreach($form as $var) {
    if (array_key_exists($var, $_POST)) {
        ${$var} = mysql_real_escape_string($_POST[$var]);
    } else {
        ${$var} = null; // or some default value
    }
}
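As an added example (not code from the thread), the PHP script below shows the variable-overwrite hazard feyd lists and the allow-list approach Weirdan's snippet takes, returning an array instead of creating variable variables. The request array, field names, and the commented PDO setup at the end are constructed assumptions; mysql_real_escape_string() is left out because it needs a live connection.

```php
<?php
// Added example, not from the thread. The request array below is constructed
// so the script runs offline; no database connection is opened.

// The hazard feyd describes: extract() on raw request data overwrites
// variables the application already set.
function handleRequestWithExtract(array $post) {
    $isAdmin = false;          // decided by the application, never by the client
    extract($post);            // a posted "isAdmin" field replaces the value above
    return $isAdmin;           // now holds whatever the client sent
}

// The allow-list approach from Weirdan's snippet, returning an array instead
// of variable variables so nothing leaks into the caller's scope.
function pickFields(array $source, array $wanted, $default = null) {
    $out = array();
    foreach ($wanted as $key) {
        $out[$key] = array_key_exists($key, $source) ? $source[$key] : $default;
    }
    return $out;               // keys outside $wanted are simply dropped
}

// Constructed request: the thread's five form fields plus one unexpected key.
$post = array(
    'id'        => '7',
    'link'      => 'about',
    'linkimage' => 'about.png',
    'title'     => "O'Reilly's page",
    'content'   => 'hello',
    'isAdmin'   => '1',
);

var_dump(handleRequestWithExtract($post));       // the client's value, not false

$wanted = array('id', 'link', 'linkimage', 'title', 'content');
$fields = pickFields($post, $wanted);
var_dump(array_key_exists('isAdmin', $fields));  // the extra key is gone

// Escaping depends on the connection's character set, so instead of
// mysql_real_escape_string() the values can be bound as parameters.
// The DSN and table name are assumptions for illustration only.
// $pdo  = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', $user, $pass);
// $stmt = $pdo->prepare('UPDATE pages SET link = :link, linkimage = :linkimage,
//     title = :title, content = :content WHERE id = :id');
// $stmt->execute($fields);   // array keys match the named placeholders
```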
Posted: Sun Aug 27, 2006 7:37 am
by screevo
Other than setting any undefineds as null, what's the difference between yours and mine? You do $form as $var, I do $form as $form. I don't notice any difference other than the null thing. I don't understand the difference between not defining $var at all and defining it as null.
So far, mine works with no errors.
