How to use string functions to clean array variables

Question

I have this php code for html form

if(isset($_POST['job_title'])){
  foreach($_POST['job_title'] as $selected) {
     $job_title[] = $selected ;
  }
  $job_title = json_encode($job_title);
  $job_title = clean_string($job_title);
}

and the this is what clean_string function code which cleans input for SQL

function clean_string($string){
   global $connection;
   $string = trim($string);
   $string = stripslashes($string);
   $string = htmlspecialchars($string);
   $string = htmlentities($string);
   $string = mysqli_real_escape_string($connection,$string);
   return $string;
}

So when this code execute it cause an error like( expects parameter 1 to be string, array given)

How to solve this problem ? Thanks in advance

The question is what are you trying to stop with this sanitization? why are you using `htmlspecialchars` [***and***](http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars) `htmlentities`? Generally a global clean function is suitable. — Script47, Aug 20 '16 at 14:41
This variable will be inserted to the database so i'm trying to sanitize special characters for more security ! @Script47 — Mustafa Alsuhaibi, Aug 20 '16 at 14:44
POST data contains normal data ! this problem is because im trying to use string function on an array , so I was wondering if there is a way to go around this @ObjectManipulator — Mustafa Alsuhaibi, Aug 20 '16 at 14:45
@MustafaAlsuhaibi then prepared statements are what is required. As it currently stands you don't know *what* you are trying to stop. — Script47, Aug 20 '16 at 14:46
You're not really using it on an array. You're using it on a JSON. — Indrasis Datta, Aug 20 '16 at 14:47
Please show the content of your $_POST['job_title']. Does it contain multiple fields? You can't expect any help unless you explain these things clearly. — Indrasis Datta, Aug 20 '16 at 14:50
@Script47 please can you explain more about ( prepared statements) — Mustafa Alsuhaibi, Aug 20 '16 at 14:52
@ObjectManipulator thats the result of `print_r` `["web developer","designer"]` — Mustafa Alsuhaibi, Aug 20 '16 at 14:55

Poiz · Accepted Answer · 2016-08-20T14:59:19.463

Uncle Sam might probably argue that this is what you are most likely intent on doing:

<?php

    if(isset($_POST['job_title'])){
        foreach($_POST['job_title'] as $selected) {
            $job_title[] = clean_string($selected);
        }
        $job_title  = json_encode($job_title);
    }


    function clean_string($string){
        global $connection;
        $string = trim($string);
        $string = stripslashes($string);
        $string = htmlspecialchars($string);
        $string = htmlentities($string);
        $string = mysqli_real_escape_string($connection,$string);
        return $string;
    }

Alternative II: Using array_map()

<?php
    if(isset($_POST['job_title'])){
        foreach($_POST['job_title'] as $selected) {
            $job_title[] = $selected;
        }
        $job_title  = json_encode(array_map("clean_string", $job_title) );
    }


    function clean_string($string){
        global $connection;
        $string = trim($string);
        $string = stripslashes($string);
        $string = htmlspecialchars($string);
        $string = htmlentities($string);
        $string = mysqli_real_escape_string($connection,$string);
        return $string;
    }

Yes the code was like this before , But I thought its preferable to put it after using `json_encode` ! So is it enough to use it before `json_encode` ?? @Poiz — Mustafa Alsuhaibi, Aug 20 '16 at 14:50
@MustafaAlsuhaibi Absolutely... if you need to use it on an Array, you could follow the updated post that uses array_map() — Poiz, Aug 20 '16 at 14:58

Indrasis Datta · Answer 2 · 2016-08-20T15:19:26.183

From what you've posted, it looks like the custom function clean_string($string) accepts a string parameter and returns a string.

And you have an array $job_title which needs to be sanitized.

The problem you're facing is you're passing a JSON to clean_string($string) in this line:

  $job_title = json_encode($job_title);
  $job_title = clean_string($job_title);  // JSON object is passed.

So, you simply need to traverse each element through the array $job_title and keep passing each value to clean_string(). This can be achieved using array_map().

if (isset($_POST['job_title'])) {
    foreach ($_POST['job_title'] as $selected) {
        $job_title[] = $selected ;
    }
    $job_title = array_map("clean_string", $job_title);  // Modify this line
    $job_title = json_encode($job_title);  // Add it here if you need to json encode the sanitized input
}

You removed `json_encode` which I need it more because `$POST['job_title']` contains multiple values that I need to `json_encode` and `json_decode` for them — Mustafa Alsuhaibi, Aug 20 '16 at 15:05
In that case you can apply json_encode after the clean_string function has been applied. — Indrasis Datta, Aug 20 '16 at 15:07

How to use string functions to clean array variables

2 Answers2