0

I have a page that collects a lot of data and I need to escape that data before making a SQL INSERT query into the DB.

I write this before the SQL query:

foreach($_POST as $k => $v) $_POST[$k] = mysqli_real_escape_string($conn,$v);

My $conn is :

$conn = new mysqli('localhost', 'xxx', 'yyy', 'zzz');

It still works, but I'm not sure if it's safe.

geomo
  • 139
  • 1
  • 1
  • 15

3 Answers

3

This is an extremely wrong way of dealing with POST variables. Wrong in so many ways.

And surely it is not safe.

Depending on the way you are going to use POST data in the query, this code could be corrected, or it could be unusable and unsafe altogether.

As Barmar said, you ought to use prepared statements. Better if you have a prepared statement for the insert data too.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • I like how your name is Your common Sense :-) – Aysennoussi Feb 22 '14 at 10:15
  • can you explain more, how could it be unsafe? – CodeBird Feb 22 '14 at 10:18
  • In so many ways that I can't list them all here. Strictly speaking, the function you have fancied using **has absolutely nothing to do with safety whatsoever.** – Your Common Sense Feb 22 '14 at 10:35
  • OK, so you mean mysqli_real_escape_string is bad for safety, for example against XSS attacks. I do use binding, but was just asking whether you meant that the foreach way is bad, or mysqli_escape_string. Thanks for the explanation. – CodeBird Feb 22 '14 at 11:07
  • 2
    It is not "bad". It's just inapplicable to safety matters. – Your Common Sense Feb 22 '14 at 11:10
  • If you are using binding, then using mysqli_real_escape_string makes absolutely no sense. – Your Common Sense Feb 22 '14 at 11:18
  • I don't use escape_string; I haven't used it for a long time. I was just asking to find out what exactly you are talking about. – CodeBird Feb 22 '14 at 13:38
  • I see, I just confused you with the OP. Well, the answer is simple: nowhere (besides some ignorant articles) is it said that mysqli_real_escape_string has any relation to safety or security whatsoever. And indeed it doesn't. So, it should never be used as a means of any protection, despite any superstitions shared by PHP users. – Your Common Sense Feb 22 '14 at 13:41
  • Well, it is great to speak about how bad a script is, but it does not help any of us here looking for solutions. Isn't this website for solutions? Even an example of a better script, with a comparison to a bad script, would work. And how about "addslashes"? – Albuquerque Web Design Apr 22 '19 at 22:32
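As an added example (not code from the question or from either answer), here is the INSERT from the question written with a prepared statement, which is what the answer above recommends. The table `users` and its columns `username`, `email` and `age` are assumed for illustration; the connection details are the placeholders from the question.

```php
<?php
// Added example: a POST-driven INSERT that relies on prepared statements
// instead of escaping the whole $_POST array in bulk.
// Assumed schema: users(id AUTO_INCREMENT, username VARCHAR, email VARCHAR, age INT).

declare(strict_types=1);

function insertUser(mysqli $conn, array $post): int
{
    // Take exactly the fields the form is expected to send. Column names are
    // fixed in the query text and never taken from $_POST keys.
    $username = isset($post['username']) ? (string) $post['username'] : null;
    $email    = isset($post['email'])    ? (string) $post['email']    : null;

    // Validate the numeric field as an integer instead of casting blindly; a
    // non-numeric or out-of-range value is rejected rather than silently
    // turned into 0.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer between 0 and 150');
    }

    // Placeholders stand in for every value, so the query text is fixed and
    // the values travel separately to the server, whatever characters they
    // contain. Nothing here depends on quoting or escaping.
    $stmt = $conn->prepare(
        'INSERT INTO users (username, email, age) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // 'ssi' = string, string, integer. The types are declared here rather than
    // inferred from the query text, which is why this also covers the unquoted
    // numeric column, a case mysqli_real_escape_string() does nothing for.
    $stmt->bind_param('ssi', $username, $email, $age);

    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }

    $id = $conn->insert_id;
    $stmt->close();
    return $id;
}

// Usage with the placeholder credentials from the question.
$conn = new mysqli('localhost', 'xxx', 'yyy', 'zzz');
$conn->set_charset('utf8mb4'); // the connection charset decides how the server interprets values

$newId = insertUser($conn, $_POST);
echo "inserted row id {$newId}\n";
```

The contrast with the question's loop: `mysqli_real_escape_string()` only has meaning for a value that ends up inside a quoted string literal in the query text, so it gives no protection for a value placed in a numeric context without quotes, and none for `$_POST` keys used as column names. A prepared statement sends the query text and the values separately, so the same code is correct for every column type and there is nothing left to escape.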
2

This should be safe:

$query = $conn->prepare("SELECT * FROM yourtable WHERE column1 = ? AND column2 = ?"); // placeholders instead of interpolated values
$query->bind_param('ss', $_POST['var1'], $_POST['var2']); // 'ss' = two string parameters
$query->execute();
$result = $query->get_result(); // result set for the bound values

echo_Me
  • 37,078
  • 5
  • 58
  • 78
-2

Try this:

$conn = new mysqli('localhost', 'xxx', 'yyy', 'zzz');

$ARR_DATA = array();
foreach ($_POST as $k => $v) {
    $ARR_DATA[$k] = mysqli_real_escape_string($conn, $v); // store your escaped value in $ARR_DATA
}

Now you can use $ARR_DATA values instead of using $_POST wherever you want.

Satish Sharma
  • 9,547
  • 6
  • 29
  • 51