5

I'm trying to sanitize $_POST data with array_map and mysqli_real_escape_string

The problem is that when I use the $link variable inside of array_map it somehow gets converted to a string. I'm pretty sure I have the syntax right, but this one has been gnawing at me for a while.

Here is my (simplified) code:

$link = mysqli_connect($host, $user, $password);
// With two arrays, array_map passes one element of each array per call:
// mysqli_real_escape_string($row[0], $link), then ($row[1], $row), ...
// so the first parameter (which must be the mysqli link) receives a string.
$row = array_map('mysqli_real_escape_string', $row, array($link, $row));
Nate
  • Don't mangle $_POST. And don't do your own escaping. You should be using prepared statements with placeholders, which removes the need to escape. There are very, very few usage cases where you can't use prepared statements and would have to escape values yourself. – Marc B Jul 12 '13 at 16:24
  • thanks for the input, I've been considering prepared statements for a while now, I guess this is the push I needed – Nate Jul 12 '13 at 16:33

1 Answer

11

While everybody recommends PDO, if you do wish to use the mysqli class to achieve what you wanted you need to pass the mysqli link and real_escape_string property to the array_map as an array like so:

$link = mysqli_connect($host, $user, $password);
$escaped_row = array_map(array($link, 'real_escape_string'), $row);
willdanceforfun
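An added example, not code from the question or the answer, that puts the two approaches on this page side by side: the [$link, 'real_escape_string'] callable the answer gives (with array_map over a single array, so the connection is never passed as data), and the prepared statement the comments recommend. The host, credentials, database and the users table are hypothetical placeholders, and the $row array stands in for $_POST; both functions are assumptions for illustration.

```php
<?php
// Added example (not from the question or answer). Assumes a MySQL server
// reachable with the placeholder credentials below and a hypothetical table:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(64), email VARCHAR(128));

// Throw mysqli_sql_exception on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$link = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app_db'); // placeholders
$link->set_charset('utf8mb4'); // escaping depends on the connection charset; set it first

// Constructed stand-in for $_POST, including one value that is not a string
// (PHP builds nested arrays from field names like tags[]).
$row = ['name' => "O'Brien", 'email' => 'ob@example.com', 'tags' => ['a', 'b']];

// 1. The form the answer gives: an [object, 'method'] callable over ONE array.
//    array_map then calls $link->real_escape_string($value) for each element,
//    so $link is never handed to the callback as data. Non-string values are
//    skipped because real_escape_string expects a string.
function escape_strings(mysqli $link, array $data): array
{
    $strings = array_filter($data, 'is_string');
    return array_map([$link, 'real_escape_string'], $strings);
}

$escaped = escape_strings($link, $row);
// The escaped value is only safe inside single quotes in the SQL text;
// escaping does nothing for an unquoted numeric value or a column name.
$sql = sprintf("INSERT INTO users (name, email) VALUES ('%s', '%s')",
    $escaped['name'], $escaped['email']);
$link->query($sql);

// 2. The approach the comments recommend: a prepared statement. The values
//    are sent separately from the SQL text, so there is no escaping step to
//    get wrong and the original $_POST data is left untouched.
function insert_user(mysqli $link, string $name, string $email): int
{
    $stmt = $link->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email);
    $stmt->execute();
    return $stmt->insert_id;
}

$id = insert_user($link, $row['name'], $row['email']);
printf("inserted user id %d\n", $id);
```

The first function reproduces the answer's fix; the second is what the comments ask for. With prepared statements the only thing left to validate is whether each $_POST value is the type you expect (the is_string filter above shows why), not how it is quoted.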