hardening an array

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


magicrobotmonkey
Forum Regular
Posts: 888
Joined: Sun Mar 21, 2004 1:09 pm
Location: Cambridge, MA


Post by magicrobotmonkey »

Here's the scenario. I've got an array of items for lookup in a db. I want to be able to go

$findIn = implode("', '", $arrayItems);
$query = "SELECT * FROM `table` WHERE `ID` IN ('".$findIn."');";

I can't just do this, though, because the array of items came from user input. Specifically, from a text box exploded into the array. I can't addslashes before putting items into the array because I do all sorts of comparisons and whatnot on the array before it gets to this point. I don't want to loop through it because it could be big and I am trying to be optimal. I obviously can't addslashes after the implosion because I'm putting those quotes in there, which I need because it is an alphanumeric field and could have spaces.

So, any ideas?
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

Can't you addslashes also on the data you're comparing it to?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

array_walk() maybe?
magicrobotmonkey
Forum Regular
Posts: 888
Joined: Sun Mar 21, 2004 1:09 pm
Location: Cambridge, MA

Post by magicrobotmonkey »

Malcolm: once you start adding/stripping slashes unnecessarily, things just go downhill.

feyd: close, but because it now passes the values and the keys, the built-in stripslashes didn't like the number of params. I used array_map instead:

$findIn = implode("', '", array_map('addslashes', $arrayItems));
$query = "SELECT * FROM `table` WHERE `ID` IN ('".$findIn."');";

Right idea though. Next time I'll read the ol' manual first....
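A way to do the same lookup without escaping the values at all, added here as an example that is not code from the thread: each item becomes a bound parameter on a PDO prepared statement, so quotes and spaces in the text box are compared as data, not parsed as SQL. The table and column names, and the in-memory SQLite fixture, are assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): build the IN (...) clause with one
// positional placeholder per item and let PDO bind the values, so nothing
// typed into the text box is ever spliced into the SQL string.

function findByIds(PDO $db, array $ids): array
{
    // Edge case: "IN ()" is a syntax error, so short-circuit on an empty list.
    if ($ids === []) {
        return [];
    }
    // Reindex so values bind positionally regardless of earlier array ops
    // (array_filter, unset, etc.) having left holes in the keys.
    $ids = array_values($ids);
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT * FROM items WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture (assumed schema) so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO items VALUES ('AB 12', 'first'), ('CD 34', 'second'), ('EF 56', 'third')");

// Simulates the text box: alphanumeric IDs with spaces, one carrying a quote.
$userInput = "AB 12, EF 56, O'Neil";
$arrayItems = array_map('trim', explode(',', $userInput));

foreach (findByIds($db, $arrayItems) as $row) {
    echo $row['id'], ' => ', $row['name'], PHP_EOL;
}
```

The quote-bearing value is bound literally and simply matches no row, and the query works the same whether the list has one item or a thousand, with no per-item escaping pass over the array.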