0

For my school homework I have to create a function that uses trim(), htmlspecialchars() and mysql_real_escape_string() to prevent SQL and HTML injection.

I've been trying for a while but I can't get it to work. I've tried a foreach loop and an extract function. I must be doing something wrong, or missing something.

So far, I've got this: (just to see if the variables are being processed)

foreach ($_Post as $Key => $Value) { $$Key = $Value; echo $$Key."<br>"; }

But it won't return anything.

I can use the trim etc on every variable on its own, but there must be a much easier way.

I've got the $_POST variables 'voorletters', 'tussenvoegsel', 'naam', 'adres', 'huisnummer' (numbers), 'telefoon' (numbers), 'postcode', 'woonplaats', 'geslacht', 'email' and 'wachtwoord' (password).

Please help me :(! I'm a beginner concerning PHP, so please try to explain thoroughly.

SchmitzIT
Lisa
  • why are you trying to set the key equal to the value? – sofl Nov 16 '12 at 10:13
  • I want to have it this way: $_POST['voorletters'] = "input" eventually gives: $voorletters = "input"; with the security checks of course.. – Lisa Nov 16 '12 at 10:19
  • a very simple solution could be this: `foreach($_POST as &$val) $val = mysql_real_escape_string(htmlspecialchars(trim($val)));` ..it passes any post value by reference and masks/escapes it. – sofl Nov 16 '12 at 10:23
  • I'd expect schools to teach prepared statements rather than a legacy API that's basically discontinued... – Álvaro González Nov 16 '12 at 10:24
  • Does this answer your question? [Use foreach and mysqli_real_escape_string for many post value](https://stackoverflow.com/questions/21952706/use-foreach-and-mysqli-real-escape-string-for-many-post-value) – Dharman Oct 20 '21 at 09:53

4 Answers

1

What about this

foreach($_POST as $key => $value) {
    echo 'Current value in $_POST["' . $key . '"] is : ' . $value . '<br>';
    $_POST[$key] = your_filter($value);
}

where your_filter() is your function calling trim, htmlspecialchars, etc. :

function your_filter($value) {
    $newVal = trim($value);
    $newVal = htmlspecialchars($newVal);
    $newVal = mysql_real_escape_string($newVal);
    return $newVal;
}

Pay attention to the variable name too, which is $_POST, not $_Post. You don't need to use $$ here: you have the key name in the loop in $key, and you can access/replace the value in the array with $_POST[$key].

EDIT : added an echo to print current value

EDIT2 : added an example of your_filter() function

koopajah
  • Okay, when having to apply multiple filters, can I do it like this? `foreach($_POST as $key => $value) { echo 'Current value in $_POST["' . $key . '"] is : ' . $value . '<br>'; $_POST[$key] = trim($value); $_POST[$key] = htmlspecialchars($value); $_POST[$key] = mysql_real_escape_string($value); }` – Lisa Nov 16 '12 at 10:26
  • No, because doing this you don't change $value, so you will only store the result of mysql_real_escape_string($value). I updated my answer to show a function to do what you want. You can also do it directly in a foreach – koopajah Nov 16 '12 at 10:30
  • Okay. How can I get the $_POST variables in variables like $voorletters (from $_POST['voorletters']) ? – Lisa Nov 16 '12 at 10:38
  • you would do what you were trying to do in your question : `$$key = your_filter($value);` but why would you need to do that? – koopajah Nov 16 '12 at 10:40
  • So I can get all the variables to be saved in the database, with this line: `$query="INSERT INTO klant VALUES ('$klantnummer', '$voorletters', '$tussenvoegsel', '$naam', '$adres', '$huisnummer', '$postcode', '$woonplaats', '$geslacht', '$telefoon', '$email', '$wachtwoord', '$datumin', '$status')"; $result = mysql_query($query) or die(mysql_error());` – Lisa Nov 16 '12 at 10:41
  • OK, so `$$key = your_filter($value);` will work, but it really is not a proper way to insert data into your database. You should check the Mysqli extension. But if your homework is written like this I guess it's not your fault. – koopajah Nov 16 '12 at 10:44
  • Well, I see every time I search something on php.net, there is an error that mysql statements are discontinued or something? But we have to work with mysql at my school, not mysqli. The school's fault I guess, haha. But thanks a lot! You've really helped me out! – Lisa Nov 16 '12 at 10:48
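Since the discussion above ends up pointing at mysqli/prepared statements instead of escaping strings into the query, here is an added example (not from the question or any of the answers) of the same `klant` insert done with a PDO prepared statement, with htmlspecialchars() kept for HTML output only. It assumes PHP 7.4+ with pdo_sqlite, and uses an in-memory SQLite table and a constructed $_POST array in place of the school's MySQL database and the real form.

```php
<?php
// Added example: prepared statement for the SQL layer, HTML escaping at output.
// In-memory SQLite stands in for MySQL; the table columns follow the fields
// listed in the question.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE klant (
    voorletters TEXT, tussenvoegsel TEXT, naam TEXT, adres TEXT,
    huisnummer INTEGER, postcode TEXT, woonplaats TEXT, geslacht TEXT,
    telefoon TEXT, email TEXT, wachtwoord TEXT)');

// Constructed form input: the quote and the <b> tag in 'naam' would break a
// string-built query or an unescaped HTML page.
$_POST = [
    'voorletters' => ' L. ', 'tussenvoegsel' => '', 'naam' => "O'Brien <b>",
    'adres' => 'Dorpsstraat', 'huisnummer' => '12', 'postcode' => '1234 AB',
    'woonplaats' => 'Utrecht', 'geslacht' => 'v', 'telefoon' => '0612345678',
    'email' => 'lisa@example.com', 'wachtwoord' => 'geheim',
];

$fields = ['voorletters', 'tussenvoegsel', 'naam', 'adres', 'huisnummer',
           'postcode', 'woonplaats', 'geslacht', 'telefoon', 'email', 'wachtwoord'];

// Normalise each field with trim() only. SQL quoting is the driver's job and
// HTML escaping belongs at output; doing both before storage would put
// '&lt;' into the database instead of the value the user typed.
$row = [];
foreach ($fields as $f) {
    $row[$f] = trim($_POST[$f] ?? '');
}
// Numeric fields are validated rather than escaped.
if (!ctype_digit($row['huisnummer']) || !ctype_digit($row['telefoon'])) {
    exit("huisnummer and telefoon must consist of digits\n");
}
// Store a password hash, never the password itself.
$row['wachtwoord'] = password_hash($row['wachtwoord'], PASSWORD_DEFAULT);

// Prepared statement: ':naam' etc. are placeholders; the values travel
// separately from the SQL text, so no value can change the query.
$placeholders = implode(', ', array_map(fn($f) => ":$f", $fields));
$sql = 'INSERT INTO klant (' . implode(', ', $fields) . ") VALUES ($placeholders)";
$pdo->prepare($sql)->execute($row);

// The database now holds the raw name; escape only when printing it as HTML.
$naam = $pdo->query('SELECT naam FROM klant')->fetchColumn();
echo 'Stored:  ' . $naam . "\n";
echo 'In HTML: ' . htmlspecialchars($naam, ENT_QUOTES, 'UTF-8') . "\n";
```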
0
// $_POST = array('voorletters' => '<<', 'tussenvoegsel' => '>>', 'naam' => '<<');

foreach ($_POST as &$val) { // pass every post value by reference
    $val = mysql_real_escape_string(htmlspecialchars(trim($val)));
}
unset($val); // break the reference, otherwise $val keeps pointing at the last element

extract($_POST);
echo $voorletters;
echo $tussenvoegsel;
echo $naam;
sofl
-1
foreach ($_POST as $Key => $Value) {
    echo yourFunctionName($Value) . "<br/>";
}
Leon Armstrong
-1

Try This...

function real_escape_and_trim($value)
{
    $value = trim($value);
    $value = mysql_real_escape_string($value);
    return $value;
}

foreach($_POST as $key => $value)
{
    $_POST[$key] = real_escape_and_trim($value);
}

$field_name = $_POST['field_name'];
Edwin Thomas