mysql_real_escape_string() for entire $_REQUEST array, or need to loop through it?

Is there an easier way of safely extracting submitted variables other than the following?

if(isset($_REQUEST['kkld'])) $kkld=mysql_real_escape_string($_REQUEST['kkld']);
if(isset($_REQUEST['info'])) $info=mysql_real_escape_string($_REQUEST['info']);
if(isset($_REQUEST['freq'])) $freq=mysql_real_escape_string($_REQUEST['freq']);

(And: would you use isset() in this context?)

To escape all variables in one go:

$escapedGet = array_map('mysql_real_escape_string', $_GET);

To extract all variables into the current namespace (i.e. $foo = $_GET['foo']):

extract($escapedGet);

Please do not do this last step though. There's no need to, just leave the values in an array. Extracting variables can lead to name clashes and overwriting of existing variables, which is not only a hassle and a source of bugs but also a security risk. Also, as @BoltClock says, stick to $_GET or $_POST. Also2, as @zerkms points out, there's no point in mysql_real_escaping variables that are not supposed to be used in a database query, it may even lead to further problems.


Note that really none of this is a particularly good idea at all, you're just reincarnating magic_quotes and global_vars, which were horrible PHP practices from ages past. Use prepared statements with bound parameters via mysqli or PDO and use values through $_GET or filter_input. See http://www.phptherightway.com.
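To make the prepared-statement route concrete, here is an added example (not code from any answer on this page) that handles the three keys from the question without any wholesale escaping step, and also covers the multi-valued `names[]` case raised in the comments. The table and column names (`signals`, `people`, `kkld`, `info`, `freq`, `name`), the DSN and the credentials are hypothetical placeholders.

```php
<?php
// Added example: read only the keys the query needs from the request and
// bind them as parameters. Table/column names and connection details are
// hypothetical; replace them with your own.

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass');
    // Ask the driver for real server-side prepares (not client-side emulation)
    // and for exceptions instead of silent failures.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Pick only the expected scalar keys; arrays, missing keys and extras are dropped,
// which is also where isset() from the question belongs.
function pickScalars(array $request, array $keys): array {
    $out = [];
    foreach ($keys as $k) {
        if (isset($request[$k]) && is_string($request[$k])) {
            $out[':' . $k] = $request[$k];
        }
    }
    return $out;
}

function findSignals(PDO $pdo, array $request): array {
    $params = pickScalars($request, ['kkld', 'info', 'freq']);
    if (count($params) !== 3) {
        throw new InvalidArgumentException('kkld, info and freq are required');
    }
    $stmt = $pdo->prepare(
        'SELECT id, kkld, info, freq FROM signals'
        . ' WHERE kkld = :kkld AND info = :info AND freq = :freq'
    );
    $stmt->execute($params); // values travel separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Multi-valued fields such as names[] arrive as arrays, which the escaping
// functions reject; one positional placeholder per value handles them cleanly.
function findByNames(PDO $pdo, array $names): array {
    $names = array_values(array_filter($names, 'is_string'));
    if ($names === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($names), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM people WHERE name IN ($placeholders)");
    $stmt->execute($names);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Typical use is `findSignals(connect(), $_GET)` and `findByNames(connect(), $_POST['names'] ?? [])`; nothing from the request is ever concatenated into the SQL string.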

You can also use a recursive function like this to accomplish that

// Recursively escape every string in a (possibly nested) array.
// The original post dropped the return value of the recursive call,
// so nested arrays were never escaped; the result is now assigned back.
function sanitate($array) {
   foreach($array as $key=>$value) {
      if(is_array($value)) { $array[$key] = sanitate($value); }
      else { $array[$key] = mysql_real_escape_string($value); }
   }
   return $array;
}
// sanitate() returns a new array; the original is not modified in place.
$clean = sanitate($_POST);

As far as I'm concerned Starx' and Ryan's answer from Nov 19 '10 is the best solution here as I just needed this, too.

When you have multiple input fields with one name (e.g. names[]), meaning they will be saved into an array within the $_POST-array, you have to use a recursive function, as mysql_real_escape_string does not work for arrays.

So this is the only solution to escape such a $_POST variable.

// Recursively escape every string in a (possibly nested) array such as names[].
// The recursive call's return value must be stored, otherwise nested
// arrays are left unescaped.
function sanitate($array) {
    foreach($array as $key=>$value) {
        if(is_array($value)) { $array[$key] = sanitate($value); }
        else { $array[$key] = mysql_real_escape_string($value); }
    }
    return $array;
}
// Keep the returned copy; $_POST itself is left untouched.
$clean = sanitate($_POST);

If you use mysqli extension and you like to escape all GET variables:

$escaped_get = array_map(array($mysqli, 'real_escape_string'), $_GET);

Comments
  • Guys, I know you all want to get more reputation, but why no one explained that it is a weird idea at all?? And that only the necessary data should be sanitized, not all.
  • @zerkms, Well I don't think this is a WEIRD IDEA, as it can come handy in certain situations. However I also agree that not all data should be sanitized except the few that make up the query.
  • @Starx: you should not rely on any magic way to protect data from any kind of attacks. In each particular situation you should apply the necessary function. I.e.: when (and only when) you need to perform an sql query - you apply mysql_real_escape_string() only to the variables used in the query.
  • @zerkms, What exactly are you referring to when you said magic way?
  • @Starx: the main idea of the topic is to get some magic code that makes variables safe to use in queries ;-)
  • @ajo Data itself is never dangerous, it's the context you use it in that may make it dangerous. mysql_real_escape only protects you when using data in SQL queries. If you're not using the data in SQL queries it will (may) only change the data, it won't make it any more or less safe. If you echo the data into an HTML page, mysql_real_escaping it won't help, you'd need to use htmlentities instead... Context is important!
  • Well, there was this comment of ajo I was responding to, before he deleted it... I'll leave my comment here anyway.
  • I know by now everyone should be using PDO or prepared statements, but wouldn't this fall over when a $_REQUEST or $_POST variable is an array? for example, when submitting multiple checkbox values with same name
  • @wired00 Yes, sure. Such wholesale escaping actually never was a great idea to begin with, but in the limited case of the OP it served a purpose. It should only be applied if you know what you're doing though (as always).
  • Cool, thanks for the clarification. Yeah, I assumed in the OP's case it's fine, because he is using a $_GET anyway. Just wanted to confirm for my own case. We have a TONNE of legacy code which is unviable to convert to PDO, so having to use mysqli_real_escape_string()