
I am trying to make my php scripts more secure.

Because I have a form with a lot of POST variables, I don't want to check each variable.

On Stack Overflow I found this script in a post, but it had a score of -2, so I think this isn't secure, but I can't find any reason why it wouldn't be secure.

 // Loop over every posted field and overwrite it in place
 foreach($_POST as $key => $value)
 {
     // strip tags and encode quotes
     $value = filter_var($value, FILTER_SANITIZE_STRING);
     // escape for use inside a SQL string literal
     $value = mysql_real_escape_string($value);
     $_POST[$key] = $value;
 }

Is this script secure enough to make the $_POST variables safe?

edit: safe to use in a SQL statement.

Sven van den Boogaart

2 Answers

1

It's a bit overdone, but should keep you safe.

However, to simplify things, you should consider using prepared statements. Strongly suggested.

See this: How can I prevent SQL injection in PHP?

Also, meet my buddy Bobby: http://bobby-tables.com/

Those should be enough to get you started.

Shomz
0

It's not great, but... No one solution fits all problems, and you haven't really stated any problem to solve. Here are some pointers that may help you.

mysql_real_escape_string is deprecated, plus it doesn't make your variable safe to use in PHP code, just to copy/paste into a SQL statement string. Also, it's used without a connection, so the character set cannot be taken into account (unless there happens to be a global connection, which is another bad idea).

Personally, I consider changing values in $_POST to be a bad practice because now you don't know what your user actually posted.

However, if you take out the mysql_real_escape_string (only do that sort of thing when you're working with a database in the next statement) and write the changed values to another array and read from that in your code (i.e. not $_POST), it could be quite usable for your situation.

Kris
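Both answers point the same way: keep $_POST untouched, validate into a separate array, and let a prepared statement carry the values instead of an escaping function. The script below is an added example written for this page, not code from the question or either answer. It assumes PHP 8 with the pdo_sqlite extension, uses a constructed stand-in for $_POST and a hypothetical `users` table, and validates per field rather than with FILTER_SANITIZE_STRING (which has been deprecated since PHP 8.1).

```php
<?php
// Added example (not from the question or either answer). Assumes PHP 8
// with pdo_sqlite; the table, columns and field rules are hypothetical.
declare(strict_types=1);

// Constructed stand-in for $_POST so the script runs offline.
$post = ['username' => "O'Brien", 'email' => 'ob@example.com', 'age' => '41'];

// Per-field rules instead of a blanket loop: $post stays as the user sent it,
// and bad input is rejected rather than silently rewritten.
$rules = [
    'username' => ['filter' => FILTER_DEFAULT, 'max' => 50],
    'email'    => ['filter' => FILTER_VALIDATE_EMAIL],
    'age'      => ['filter' => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 0, 'max_range' => 150]],
];

function validate(array $post, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $post) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing field: $field");
        }
        $opts  = isset($rule['options']) ? ['options' => $rule['options']] : 0;
        $value = filter_var($post[$field], $rule['filter'], $opts);
        if ($value === false || (isset($rule['max']) && strlen($value) > $rule['max'])) {
            throw new InvalidArgumentException("invalid value for: $field");
        }
        $clean[$field] = $value;   // separate array, as the second answer suggests
    }
    return $clean;
}

$clean = validate($post, $rules);

// Prepared statement: the values never become part of the SQL text, so no
// escaping call is needed and the connection charset question goes away.
$pdo = new PDO('sqlite::memory:', null, null,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT, age INTEGER)');

$stmt = $pdo->prepare(
    'INSERT INTO users (username, email, age) VALUES (:username, :email, :age)');
$stmt->execute($clean);   // array keys match the named placeholders

$row = $pdo->query('SELECT username, age FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === "O'Brien");   // quote stored verbatim, nothing escaped
```

The same `validate()` array works unchanged with MySQL through PDO; only the DSN changes.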