-1

I want to read a variable from inside a weird function that I copied from this git.

This is the original function:

```php
$values = array_map(function ($value) use ($connection) {
    if ($value === null) return null;
    // return mysqli_real_escape_string($connection, (string) $value);
    return pg_escape_string($connection, (string) $value);
}, array_values($input));
```

And I changed it into this in order to adapt it to my needs (file upload):

```php
$values = array_map(function ($value) use ($connection) {
    if ($value === null)
        return null;
    if (gettype($value) === "array") {
        $tmpname = $value['tmp_name'];
        $value = $value['name'];
    }
    return mysqli_real_escape_string($connection, (string) $value);
}, array_values($input));
```

The problem is that I can't read $tmpname from outside this function.
Can anyone help me?

Neji Soltani
  • http://php.net/manual/en/language.variables.scope.php –  Aug 10 '17 at 21:40
  • 1
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 10 '17 at 21:47
  • @RiggsFolly is there any way to secure it without using parameterized statements? – Neji Soltani Aug 10 '17 at 21:51
  • Are you trying to make a file upload? Why can't you just do `$_FILES['upload']['tmp_name']`, where `upload` is your input attribute name? – yoeunes Aug 10 '17 at 21:53
  • @yoeunes have a look inside the git, it's an API to support any table given by the link – Neji Soltani Aug 10 '17 at 21:56
  • @rtfm thanks, but the downvote wasn't necessary; not everybody is supposed to know that – Neji Soltani Aug 10 '17 at 21:57
  • 1
    Not my vote... Why you would think me vs 100k+ other users is, I guess, flattering :-) –  Aug 10 '17 at 21:59
  • I don't understand what you are trying to do with this function. The original one is for escaping each string from the array into a PGSQL cleaned query array. By the way, I think you have a typo at your return line, maybe: `return mysqli_real_escape_string($connection, (string) $value);` I could be wrong – Mcsky Aug 10 '17 at 22:39

1 Answer

0

So the answer, as @rtfm said, is to set a global var like this:

```php
$values = array_map(function ($value) use ($connection) {
    if ($value === null)
        return null;
    if (gettype($value) === "array") {
        global $tmpname;
        $tmpname = $value['tmp_name'];
        $value = $value['name'];
    }
    return mysqli_real_escape_string($connection, (string) $value);
}, array_values($input));
```
Neji Soltani
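An added example (not code from the question, the answer, or the API project it was copied from) of the prepared-statement approach that RiggsFolly's comment points to, which also hands the upload's `tmp_name` back through a reference parameter instead of a global. It substitutes PDO with an in-memory SQLite database for the mysqli connection so that it runs without a server; the `documents` table, its columns, the function names and the sample input are constructed for illustration.

```php
<?php
// Added example. Table, columns, function names and input are constructed.

// Split $input into bindable values; upload temp paths are collected in $tmpNames.
function splitUploads(array $input, array &$tmpNames): array
{
    $values = [];
    foreach ($input as $column => $value) {
        if (is_array($value)) {                       // $_FILES-style entry
            $tmpNames[$column] = $value['tmp_name'];  // for move_uploaded_file() later
            $value = basename($value['name']);        // client-supplied: drop any path
        }
        $values[$column] = $value === null ? null : (string) $value;
    }
    return $values;
}

function insertRow(PDO $db, array $schema, string $table, array $values): int
{
    // Identifiers cannot be bound as parameters, so allowlist table and columns.
    if ($values === [] || !isset($schema[$table])
        || array_diff(array_keys($values), $schema[$table])) {
        throw new InvalidArgumentException('unknown table or column');
    }
    $columns = implode(', ', array_keys($values));
    $marks = implode(', ', array_fill(0, count($values), '?'));
    $stmt = $db->prepare("INSERT INTO $table ($columns) VALUES ($marks)");
    $stmt->execute(array_values($values));  // data is sent apart from the SQL text
    return (int) $db->lastInsertId();
}

// In-memory SQLite stands in for the MySQL connection (assumption for the demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, file TEXT)');
$schema = ['documents' => ['title', 'file']];

$input = [  // constructed sample: a quoted title and a file name carrying a path
    'title' => "Q3 'draft' report",
    'file'  => ['name' => '../../report.pdf', 'tmp_name' => '/tmp/phpA1b2C3'],
];
$tmpNames = [];
$values = splitUploads($input, $tmpNames);
insertRow($db, $schema, 'documents', $values);

var_dump($tmpNames);
var_dump($db->query('SELECT title, file FROM documents')->fetchAll(PDO::FETCH_ASSOC));
```

The same structure works with mysqli through `prepare()`, `bind_param()` and `execute()`; the allowlist check matters in either case because the table and column names in this API come from the request.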