
I haven't yet learned how to use parameterized queries (which according to some other posts on this site is something that I absolutely need to do first thing tomorrow morning) and I want to get a whack of form data into a query, escaped.

Twice, I have come across this solution:

$_POST = array_map('mysqli_real_escape_string', $_POST);

This, from what I can tell, runs all of the variables in the $_POST array through the escape function. I have seen that exact line upvoted, but when I add it to my existing PHP it creates a bunch of blank values.

I was under the impression that mysqli_real_escape_string needed a 2nd parameter - the link/connection. Is this what's causing my problem? The data takes just fine in the database if that line is removed and my variables take their unescaped values from $_POST.

armadadrive
  • And apparently I need to read up on PDO. – armadadrive Sep 05 '13 at 00:07
  • Do you connect to your DB before using `mysql_real_escape_string()`? What happens if you print the $_POST array out? ie are there values to begin with? – James Sep 05 '13 at 00:09
  • No, the database connection hasn't happened yet. Is that the problem? The $_POST array contains all values that it should; when that line is commented out the query runs successfully and all values are entered as they came in. – armadadrive Sep 05 '13 at 00:11
  • `string mysqli_real_escape_string ( mysqli $link , string $escapestr )` You need to pass $link (database connection) as first parameter. – Dejan Marjanović Sep 05 '13 at 00:22
  • So inside of the array_map function I can pass parameters to the callback function? – armadadrive Sep 05 '13 at 00:29
  • That is singularly the worst line of code I've seen in weeks. Yikes. It's basically a super-hack implementation of the [magic quotes](http://php.net/manual/en/security.magicquotes.php) feature that was deliberately removed from PHP because of abuse. You have no excuse to not learn about parameterized queries, [they're only a few more lines of code](http://bobby-tables.com/php). Just spend thirty minutes, familiarize yourself with them, and delete this abomination before you get yourself into serious trouble. – tadman Sep 05 '13 at 00:56
  • Hahaha, well @tadman, you've certainly made your point! – armadadrive Sep 05 '13 at 01:45
  • If it is any consolation @tadman, I have since learned about PDO and am now implementing that instead. ;) – armadadrive Sep 10 '13 at 00:30
  • @armadadrive Not a consolation here. Just one less person writing legacy code and instead doing it right. Nice work. – tadman Sep 10 '13 at 14:11

3 Answers


array_map returns a new array; if you're overwriting $_POST, a better solution would be to use array_walk.

array_walk($_POST, function(&$string) use ($link) { 
  $string = mysqli_real_escape_string($link, $string);
});

Note that $link must be a valid connection.

Function [ <internal:mysqli> function mysqli_real_escape_string ] {

  - Parameters [2] {
    Parameter #0 [ <required> $link ]
    Parameter #1 [ <required> $string_to_escape ]
  }
}
Dejan Marjanović
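Putting the two approaches side by side as an added example (not code from the question or from this answer): the array_walk escape with $link captured by the closure, and the prepared statement that the comments recommend instead. The table `users(name, city)`, the connection parameters and the sample form values are assumptions.

```php
<?php
// Added example. The connection values are placeholders; replace with your own.
$link = mysqli_connect('db-host', 'db-user', 'db-password', 'db-name');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}
// Escaping depends on the connection's character set, so set it explicitly.
mysqli_set_charset($link, 'utf8mb4');

// Constructed stand-in for $_POST so the example runs without an HTML form.
$post = ['name' => "O'Brien", 'city' => 'Montréal'];

// 1. Escaping in place: array_walk passes each element by reference, and the
//    closure captures $link so mysqli_real_escape_string gets both arguments.
$escaped = $post;
array_walk($escaped, function (&$value) use ($link) {
    $value = mysqli_real_escape_string($link, $value);
});
// Only safe because every value is both quoted in the SQL and escaped with the
// same connection; drop either step and the quote in "O'Brien" breaks the query.
$sql = sprintf("INSERT INTO users (name, city) VALUES ('%s', '%s')",
               $escaped['name'], $escaped['city']);
if (!mysqli_query($link, $sql)) {
    die('escaped insert failed: ' . mysqli_error($link));
}

// 2. Prepared statement: the values never become part of the SQL text, so
//    there is no escaping step to forget and no dependency on quoting.
$stmt = mysqli_prepare($link, 'INSERT INTO users (name, city) VALUES (?, ?)');
mysqli_stmt_bind_param($stmt, 'ss', $post['name'], $post['city']);
if (!mysqli_stmt_execute($stmt)) {
    die('prepared insert failed: ' . mysqli_stmt_error($stmt));
}
mysqli_stmt_close($stmt);
mysqli_close($link);
```

Both branches insert the same row; in real code you would keep only the prepared-statement one.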

You must pass the escaped values to another variable:

// $link must be an open mysqli connection; the callback passes it as the required first argument
$post = array_map(function ($v) use ($link) { return mysqli_real_escape_string($link, $v); }, $_POST);

Or:

foreach($_POST as $k => $v) {
    // $link: open mysqli connection, required as the first argument
    $_POST[$k] = mysqli_real_escape_string($link, $v);
}

Note: Unless the array is referenced, foreach operates on a copy of the specified array and not the array itself.

Maykonn
  • I might be wrong, but I don't think that this is the issue - mysqli_real_escape_string can be used like this (from the manual): `$city = mysqli_real_escape_string($link, $city);` – armadadrive Sep 05 '13 at 00:19

Then yes, this is your answer:

mysql_real_escape_string() requires a connection to the database as it uses the database's character set to determine what is needed to be escaped.
Without this, PHP has no idea what char set you're using and so what to escape.

There are many:
http://dev.mysql.com/doc/refman/5.0/en/charset-unicode-sets.html
And all with different chars.

James
  • That makes sense. Why would the examples I have seen show no parameters given to the callback function? Are they not required if that line is placed after a connection has been established? – armadadrive Sep 05 '13 at 00:16
  • However you do it, DB conn is required for `mysql_real_escape_string()`. Either in that line or before it. It's up to you, but I prefer to keep certain things separate rather than bunch everything together. DB connections are usually called from an include file at the top of the script anyway, before all of this code. – James Sep 05 '13 at 00:26
  • Don't confuse `mysql` and `mysqli`. They are two completely different libraries, and a connection on one does not do anything for the other. – tadman Sep 05 '13 at 00:58