I have the following code. What I'm trying to do is clean the $_POST input of any markup and iterate the foreach loop over the information in $_POST, but what I have doesn't seem to be working because I think $post_loop comes back empty and I'm not sure why that is. The $save variable is assigned correctly.

$save = cleanInput($_POST["save"]);
$post_loop = cleanInput($_POST);
$obs_loop;

foreach ($post_loop as $key => $value) {

  // keys are expected to look like "<obsid>_<column>"
  if ($match = ereg('[0-9].*', $key)) {

    list($obsid, $action) = explode("_", $key);

    if ($save == "Send Final Response to CDO") {
      $save = 'final';
    } else if ($save == "Save Choices") {
      $save = 'save';
    }

    $query = "LOCK TABLES obs_responses WRITE, obs WRITE";
    $result = mysql_query($query) or die("Locking Failed" . mysql_error());

    if ($action != 'problem' && $action != 'const_narr' && $action != 'acnonects' && $action != 'gt2spec') {
      // columns other than the four below live in obs_responses
      $upd_query = $db->prepare("update obs_responses set $action = '$value' where obsID = $obsid");
      if (!$upd_query->execute()) { die("UPDATE failed"); }

    } else if ($action == 'problem' || $action == 'const_narr' || $action == 'acnonects' || $action == 'gt2spec') {

      $value = addslashes($value);

      $prob_query = $db->prepare("update obs set $action = '$value' where obsID = $obsid");
      if (!$prob_query->execute()) { die("UPDATE of problem failed"); }
    }

  }
}

The cleanInput function looks like:

function cleanInput($invalue) {
  $outvalue = trim($invalue);
  $outvalue = stripslashes($outvalue);
  $outvalue = htmlspecialchars($outvalue);
  return $outvalue;
}
– got2b
  • how would we know what `cleanInput()` does? –  Jul 31 '17 at 22:02
  • ereg: Warning: This function was DEPRECATED in PHP 5.3.0 and REMOVED in PHP 7.0.0. And mysql_* as well. –  Jul 31 '17 at 22:02
  • cleanInput() is designed for strings, not arrays, and looks like a bad idea regardless. –  Jul 31 '17 at 22:05
  • OK, I guess cleanInput isn't necessary, but I can't just iterate over $_POST. – got2b Jul 31 '17 at 22:08
  • OOP, procedural, prepared statements, unbound parameters: did you just randomly stick together a dozen lines of code from various places and hope it would work? –  Jul 31 '17 at 22:11
  • For one thing, you're mixing different mysql APIs, so that alone is failing. Just don't use this code. Start over using a prepared statement exclusively. – Funk Forty Niner Jul 31 '17 at 22:13

0 Answers
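The question has no answer, so the following is an added example, not the asker's code or anything posted in the thread. Two things in the posted loop matter more than the empty $post_loop: `$action` (taken from the form field name) and `$value` are interpolated straight into the SQL string, so `$db->prepare()` gives no protection at all, and `mysql_query()` is mixed with a PDO/mysqli object. The version below keeps the same "<obsid>_<column>" key convention but checks the column against a fixed whitelist, casts obsID to an integer and binds the value as a parameter. Table and column names obs, obs_responses, problem, const_narr, acnonects and gt2spec come from the question; `response` and `status` are assumed column names invented so the demo schema has something to update, and the in-memory SQLite database and the `$post` array are constructed stand-ins for the real server and `$_POST`.

```php
<?php
// Added example, not the asker's code. No form input reaches the SQL text:
// column names are checked against a whitelist, obsID is validated as an
// integer, and values are bound parameters.

const OBS_COLUMNS           = ['problem', 'const_narr', 'acnonects', 'gt2spec'];
const OBS_RESPONSES_COLUMNS = ['response', 'status'];   // assumed names

/**
 * Apply "<obsid>_<column>" => value pairs from a form submission.
 * Returns the (table, column, obsid) triples that were updated; keys that
 * fail validation are appended to $rejected and never touch the database.
 */
function applyObsUpdates(PDO $db, array $post, array &$rejected = []): array
{
    $applied = [];
    $db->beginTransaction();   // both tables change together, or not at all
    try {
        foreach ($post as $key => $value) {
            // Nested arrays are never valid here, and keys must be digits_identifier.
            if (!is_string($value) || !preg_match('/^(\d+)_([a-z_]+)$/', (string)$key, $m)) {
                $rejected[] = $key;
                continue;
            }
            $obsid  = (int)$m[1];
            $column = $m[2];

            if (in_array($column, OBS_COLUMNS, true)) {
                $table = 'obs';
            } elseif (in_array($column, OBS_RESPONSES_COLUMNS, true)) {
                $table = 'obs_responses';
            } else {
                $rejected[] = $key;    // unknown column: refused, not interpolated
                continue;
            }

            // $table and $column are whitelisted literals; $value and $obsid are
            // bound, so quotes or SQL fragments in the value are stored as data.
            $stmt = $db->prepare("UPDATE {$table} SET {$column} = :value WHERE obsID = :obsid");
            $stmt->bindValue(':value', trim($value), PDO::PARAM_STR);
            $stmt->bindValue(':obsid', $obsid, PDO::PARAM_INT);
            $stmt->execute();
            $applied[] = [$table, $column, $obsid];
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $applied;
}

// --- stand-alone demo: constructed schema and a constructed form submission ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE obs (obsID INTEGER PRIMARY KEY, problem TEXT, const_narr TEXT, acnonects TEXT, gt2spec TEXT)');
$db->exec('CREATE TABLE obs_responses (obsID INTEGER PRIMARY KEY, response TEXT, status TEXT)');
$db->exec("INSERT INTO obs VALUES (12, '', '', '', '')");
$db->exec("INSERT INTO obs_responses VALUES (12, '', '')");

$post = [                                                  // stands in for $_POST
    'save'           => 'Save Choices',
    '12_problem'     => "O'Brien's note; DROP TABLE obs",  // stored verbatim, not executed
    '12_response'    => 'accepted',
    '12_obsid'       => '99',                              // not in either whitelist: rejected
    "12_problem' --" => 'x',                               // malformed key: rejected
];

// The submit button is not an update request; handle it separately as the question does.
unset($post['save']);

$rejected = [];
$applied  = applyObsUpdates($db, $post, $rejected);
print_r($applied);    // the (table, column, obsid) triples that were updated
print_r($rejected);   // the keys that were refused
echo $db->query('SELECT problem FROM obs WHERE obsID = 12')->fetchColumn(), PHP_EOL;
```

The whitelist is the important part: a prepared statement can only bind values, never table or column names, so the only safe way to let a form field choose the column is to map it onto a fixed set of known identifiers. The original cleanInput() is dropped on purpose: stripslashes() only ever undid magic_quotes (gone since PHP 5.4), and htmlspecialchars() is an output encoding for HTML, so applying it before storing in the database corrupts the data and adds no protection against SQL injection. Escape for HTML when the value is rendered, and let the driver handle SQL.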