I was wondering, is it possible to just mysql_real_escape_string the whole $_POST and $_GET array so you don't miss any variables?

Not sure how to test it or I would've myself. Thanks!

OMG Ponies
NoviceCoding

4 Answers

I would use the array_walk() function. It's better suited because it modifies the POST superglobal, so any future uses are sanitized.

// the callback must take the value by reference: mysql_real_escape_string() returns the escaped string instead of modifying its argument
array_walk_recursive( $_POST, function ( &$value ) { $value = mysql_real_escape_string( $value ); } );

However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. Ex. Emails don't have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don't have parentheses in them (so only allow letters and selected special characters).

EDIT: Changed array_walk() to array_walk_recursive() thanks to @Johan's suggestion. Props to him.

Bailey Parker
  • Thanks. Yeah I am pretty much validating every field as well. Are there holes in the escape_string function? – NoviceCoding Jan 12 '11 at 06:15
  • 1
    Nothing will ever fully protect you. Off the top of my head I can't name any specific flaws that would concern `mysql_real_escape_string`. One important thing to remember is this doesn't (and shouldn't be used) to sanitize file uploads so you will need to take the necessary precautions (protecting against null byte hacks and the like). – Bailey Parker Jan 12 '11 at 06:20
  • 4
    -1 You should use `array_walk_recursive`, because this code will fail if any of your $_POST items contains an array. – Johan Oct 02 '11 at 05:58
  • @Col.Shrapnel Wasn't that what the OP was asking for? – Bailey Parker Oct 02 '11 at 09:21
  • 1. nope, he didn't ask for the future uses. 2. even if he did, a stupid question is not an excuse for the stupid answer. – Your Common Sense Oct 02 '11 at 09:42
  • 1
    @PhpMyCoder, I thought the use of array_walk is pretty inspired, so +1 for that of couse you still need to quote the array if you want to safely use in in an SQL statement. Something like: `$array = "'".implode("','",$array)."'";` should do the trick, although **that** will only work for one-dimensional arrays. 2nd pet peeve is that it's not a great idea to change superglobals. But to use `$var = $_POST['something']` and work with `$var` from that point on. – Johan Oct 02 '11 at 11:06
  • @Col.Shrapnel Better answer = PDO – Bailey Parker Oct 02 '11 at 19:03
  • @Johan I agree on the modifying superglobals. And I wouldn't call walking a sanitization function over an array "inspired," but if you want to, thanks! However, imploding `$_POST` values entirely depends on the situation. If you want to store all of the values in one field in a DB, then sure. But if you only want to extract single values to insert into a column (say `first_name[0]` and `last_name[0]` form a person's name) then you need to recursively walk instead of implode. – Bailey Parker Oct 02 '11 at 19:18
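A complete, runnable version of the two approaches discussed in this answer and its comments (added here as an example; it is not code from the answer or the commenters): escaping a copy of the request array recursively without touching $_POST, next to the prepared-statement alternative. It uses an in-memory SQLite database through PDO so it runs offline; the `people` table, its columns and the sample request are constructed for illustration.

```php
<?php
// Added example, not code from the answer or its comments. In-memory SQLite
// through PDO so it runs offline; the `people` table and its two columns are
// assumptions made here for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (first_name TEXT, last_name TEXT)');

// Approach 1 (what the question asks for, done on a COPY): recursion handles
// nested values such as first_name[0], and $_POST itself is left alone so the
// raw values stay available. PDO::quote() escapes AND wraps the value in
// quotes, so the result belongs only where a quoted string literal goes; a
// bare numeric or identifier position would still be injectable.
function quoteRequestArray(array $input, PDO $pdo): array
{
    $quoted = array();
    foreach ($input as $key => $value) {
        $quoted[$key] = is_array($value)
            ? quoteRequestArray($value, $pdo)
            : $pdo->quote((string) $value);
    }
    return $quoted;
}

// Approach 2 (recommended in the comments): a prepared statement with bound
// parameters. The data never becomes part of the SQL text, so nothing in
// $_POST needs escaping at all.
function insertPerson(PDO $pdo, array $post): bool
{
    $first = isset($post['first_name'][0]) ? (string) $post['first_name'][0] : '';
    $last  = isset($post['last_name'][0])  ? (string) $post['last_name'][0]  : '';
    $stmt  = $pdo->prepare(
        'INSERT INTO people (first_name, last_name) VALUES (:first, :last)'
    );
    $stmt->bindValue(':first', $first, PDO::PARAM_STR);
    $stmt->bindValue(':last',  $last,  PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed sample request standing in for $_POST; the apostrophe is the
// case plain string concatenation gets wrong.
$samplePost = array(
    'first_name' => array("O'Brien"),
    'last_name'  => array('Smith'),
);
$quoted = quoteRequestArray($samplePost, $pdo);
echo $quoted['first_name'][0], "\n";      // quoted and escaped copy; $_POST untouched
insertPerson($pdo, $samplePost);
echo $pdo->query('SELECT first_name FROM people')->fetchColumn(), "\n"; // O'Brien
```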
$escaped_POST = array_map('mysql_real_escape_string', $_POST);

Though, I would recommend using MySQLi instead.

Kevin
  • So you can't modify the $_POST variable itself (just wondering)? Like $_POST = array_map('mysql_real_escape_string',$_POST);? Thanks for the recommendation. Second time I've heard of MySQLi, so I will look into it and see how difficult it is to transfer over – NoviceCoding Jan 12 '11 at 04:41
  • @NoviceCoding: You can, but it's best not to pollute superglobals. – BoltClock Jan 12 '11 at 04:42
  • Yes, you can overwrite the `$_POST` variable, but what happens when you want to use one of the original, unescaped values later on? :) – Kevin Jan 12 '11 at 04:43
  • 1
    Hmm, i'd use `array_walk_recursive` instead of `array_map`. _POST might have array values – meze Jan 12 '11 at 04:46
  • Ok, as far as coding etiquette I get why it's a bad idea to reuse $_POST, but if it meant I would have to rename every call on $_POST, nothing bad would happen if I just modify $_POST instead, right? Not sure how it works, but $_POST resets, right? – NoviceCoding Jan 12 '11 at 04:47
  • Yes, you can modify it and that'll replace the original values in $_POST. But not all variables that need to be quoted come from _POST. Not all need to be quoted. So it's better to use prepared statements and quote strings when you can't. – meze Jan 12 '11 at 04:58
You can use

$clean = array(); // escaped copy; $_POST itself is left unchanged
foreach(array_keys($_POST) as $key)
{
  $clean[$key] = mysql_real_escape_string($_POST[$key]);
}

and after this, to access the post data, use echo $clean['name'];

Bhanu Prakash Pandey
Try this:

foreach(array_keys($_GET) as $key){ $_GET[$key] = mysql_real_escape_string($_GET[$key]);}
foreach(array_keys($_POST) as $key){ $_POST[$key] = mysql_real_escape_string($_POST[$key]);}

To mysql_real_escape_string Whole