PHP addslashes using array

Question

I am attempting to update multiple records using one form, but have run into a problem in attempting to use the addslashes function.

The form looks like this:

<form name="form1" method="post" action="editnewscategorysubmit.php">
<table width="405">
<tr>
<td width="246"><span class="link1">News Category </span></td>
<td width="146" colspan="2"><span class="link1">Delete?</span></td>
</tr>
<tr>
<td>
<input type='text' name='title[]' value='$title' style='width:700px;'>
<input type='hidden' name='id[]' value='$id'>
</td>
<td>
<div style='padding-left:8px;'><a onclick='return confirmSubmit()' href='deletenewscategory.php?id=$id'><img src='images/delete.jpg' border='0'></a></div>
</td>
</tr>                               
<tr>
<td><input name="image" type="image" src="images/submit.png" alt="Submit Form" border="0" /></td>
<td colspan="2">&nbsp;</td>
</tr>
</table>
</form>

The PHP code that processes this looks like this:

$identity = $_REQUEST['id'];
$title = addslashes($_REQUEST['title']);
include 'connection.php';
for($i=0;$i<count($identity);$i++)
{
$query = "update newscategory set title = '$title[$i]' where id = '$identity[$i]'";
$result = mysql_query($query) or die(mysql_error());
}
echo "Success. The news categories were updated.";
include 'return.php';

The warning that is returned is:

Warning: addslashes() expects parameter 1 to be string, array given in /home/u180175506/public_html/editnewscategorysubmit.php on line 71

What I am trying to do is to addslashes (or from what I'm reading, using mysql_real_escape_string is preferred!) to each value prior to updating the table. Is there something I'm missing? Thanks!

Answer 1

Function:

function addslashes_recursive( $data )
{
    if ( is_array( $data ) )
    {
        return array_map( 'addslashes', $data );
    }
    else
    {
        return addslashes( $data );
    }
}  

Single line

$array = array_map( 'addslashes', $array );

Answer 2

There are multiple ways to run some function over an array. A simple loop:

$stillNotSafeData = array();
foreach ($_REQUEST as $key => $value) {
    if (!is_array($value)) {
        $stillNotSafeData[$key] = addslashes($value);
    } else {
        foreach ($value as $innerKey => $innerValue) {
            $stillNotSafeData[$key][$innerKey] = addslashes($innerValue);
        }
    }
}

Or using array_walk_recursive:

array_walk_recursive($_REQUEST, function(&$item, $key) {
    $item = addslashes($item);
});

But as you already note you should not use addslashes for this. However once you have a valid connection to mysql using the mysql_* functions you can do the same thing using mres.

But you neither should do that. The mysql_* functions has been officailly deprecated for some time now (and will be removed in less than a year from the language core).

Besides the fact it will be removed soon there are also some "edge" cases which get around it: SQL injection that gets around mysql_real_escape_string()

Long story short: stop using the mysql_* functions.

What you really want to do is use either mysqli or PDO. These support prepared statements and bound parameters. This post will help you with this: How can I prevent SQL injection in PHP?

Answer 3

array_map('addslashes', $_REQUEST['title']);

http://php.net/manual/en/function.array-map.php

Ofcourse there are other ways to apply function to each array element. You can foreach() it, and apply addslashes() to each value, or assign $var to addslashes($title[$i]) in your for loop.