5

My code is like this

 public function addQuestions($data){


    $ans = array();
    $ans[1] = $data['ans1'];
    $ans[2] = $data['ans2'];
    $ans[3] = $data['ans3'];
    $ans[4] = $data['ans4'];
    $ans= mysqli_real_escape_string($this->db->link, $data[$ans]);

}

Is this the right way to use an array in this SQL function?

Strawberry
Yusuf
  • mysqli_real_escape_string's second parameter is the `escape string`: `mysqli_real_escape_string ( mysqli $link , string $escapestr )` – JYoThI Aug 12 '17 at 05:40
  • It has to be mentioned. You shouldn't be escaping data for SQL queries; you should use prepared and parameterized queries. That way you are actually executing safe and secure queries, and you don't mangle data. Win-win. – JimL Aug 12 '17 at 06:26
  • Since there are a lot of answers recommending functions like `array_walk` and `array_map`, I would recommend checking out this answer explaining the differences: https://stackoverflow.com/a/3432266/4796321 – Sainan Aug 12 '17 at 07:12
  • Your code and approach have been outdated for at least a decade. We're all using parameterized queries and don't have to worry about escaping anything any more. I suggest you do a bit of googling to see what we're talking about. – N.B. Aug 12 '17 at 10:18

4 Answers

5

Since you wish to do something to each element of array $ans, it would be most appropriate to use array_map(), as follows:

public function addQuestions($data){
    $ans = array();
    $ans[1] = $data['ans1'];
    $ans[2] = $data['ans2'];
    $ans[3] = $data['ans3'];
    $ans[4] = $data['ans4'];

    // array_map() returns a new array with every element escaped; $ans itself is unchanged
    $escaped_ans = array_map(function( $e ) {
             return mysqli_real_escape_string( $this->db->link, $e);
    }, $ans );
}
slevy1
1

I don't have enough reputation to comment on Milan's post, but beware of array_walk: it won't change your original array. For Milan's code to actually affect your array, the function would have to be

// $link is your mysqli connection ($this->db->link in the question); array_walk
// forwards its third argument to the callback as the callback's third parameter.
function myescape(&$val, $key, $link) // Note the '&', which passes $val by reference.
{
    $val = mysqli_real_escape_string($link, $val);
}

array_walk($ans, 'myescape', $link);

To answer your question though:

public function addQuestions($data){
    $ans = array('',$data['ans1'],$data['ans2'],$data['ans3'],$data['ans4']);
    //I would recommend using an object/associative array in this case though, just the way $data is already

    $ans_escaped = array_map(function($val) {
        return mysqli_real_escape_string($this->db->link, $val);
    }, $ans);

    //do whatever you need to do with escaped array
}

My advice though, would be to really look into prepared statements. It might just seem like extra work that you don't want to bother with - at first - but once you learn it, you will never want to do it any other way.
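The difference between `array_map` and the two `array_walk` variants, as a runnable added example (not code from the question or from any answer on this page). `PDO::quote()` on an in-memory SQLite connection stands in for `mysqli_real_escape_string($link, ...)` so the script needs no MySQL server; both take the connection handle and return the escaped string. The `$data` values and the `check()` helper are constructed for the demo.

```php
<?php
// Added example, not code from the question or any answer on this page.
// PDO::quote() on an in-memory SQLite connection stands in for
// mysqli_real_escape_string($link, ...): same shape (connection + string in,
// escaped string out), but it runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');

// Constructed sample input shaped like the question's $data array.
$data = ['ans1' => "O'Reilly", 'ans2' => 'plain', 'ans3' => "it's", 'ans4' => 'x'];
$ans = [1 => $data['ans1'], 2 => $data['ans2'], 3 => $data['ans3'], 4 => $data['ans4']];

// Small helper for the demo: fail loudly instead of relying on assert() settings.
function check(string $label, bool $ok): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $label");
    }
    echo "ok: $label\n";
}

// 1. array_map() builds a NEW array; with a single input array the keys are kept.
$escaped = array_map(fn($e) => $pdo->quote($e), $ans);
check('array_map leaves the source untouched', $ans[1] === "O'Reilly");
check('array_map keeps the 1..4 keys', array_keys($escaped) === [1, 2, 3, 4]);
check('array_map escaped the quote', $escaped[1] === "'O''Reilly'");

// 2. array_walk() with a by-value callback: the return value is thrown away,
//    so the array comes out exactly as it went in.
$byValue = $ans;
array_walk($byValue, function ($val, $key, PDO $pdo) {
    return $pdo->quote($val); // returned, but array_walk ignores it
}, $pdo);
check('by-value array_walk changes nothing', $byValue === $ans);

// 3. array_walk() with a by-reference parameter rewrites each element in place.
$byRef = $ans;
array_walk($byRef, function (&$val, $key, PDO $pdo) {
    $val = $pdo->quote($val);
}, $pdo);
check('by-reference array_walk escaped in place',
    $byRef[1] === "'O''Reilly'" && $byRef[3] === "'it''s'");
```

Run it with `php example.php`; the third argument to `array_walk` is how a connection handle reaches a named callback that has no `$this`, which is what the by-reference `myescape` above relies on.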

0

Since you have an array, and you want mysqli_real_escape_string on each element of an array, you can use array_walk():

// $link is your mysqli connection; pass it as array_walk's third argument
function myescape($val, $key, $link)
{
    return mysqli_real_escape_string($link, $val);
}

... then

array_walk($ans, 'myescape', $link);
Milan Chheda
0

If you use MySQL PDO, you won't need to add "mysqli_real_escape_string" because all your variables are safe (from SQL injection) after you bind them.

http://php.net/manual/en/pdostatement.bindparam.php

Lesiuk Alexey
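The question's `addQuestions()` rewritten around a prepared statement with bound parameters, as an added example that is not this answer's code. It uses an in-memory SQLite database so it runs without a MySQL server; against MySQL only the DSN and credentials change. The `questions` table, its columns and the sample `$data` values are constructed for the demo.

```php
<?php
// Added example, not code from any answer on this page.
// In-memory SQLite so the script runs offline; with MySQL only the DSN/credentials change.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Constructed table for the demo.
$pdo->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, ans1 TEXT, ans2 TEXT, ans3 TEXT, ans4 TEXT)');

// The SQL text is fixed; the values are sent separately and never become part of
// the query string, so nothing needs escaping. Returns the new row id.
function addQuestions(PDO $pdo, array $data): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO questions (ans1, ans2, ans3, ans4) VALUES (:ans1, :ans2, :ans3, :ans4)'
    );
    foreach ([1, 2, 3, 4] as $i) {
        $stmt->bindValue(":ans$i", $data["ans$i"], PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function getQuestion(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT ans1, ans2, ans3, ans4 FROM questions WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input containing the characters that made escaping necessary.
$data = [
    'ans1' => "O'Reilly",
    'ans2' => 'back\\slash',
    'ans3' => 'semi; colon -- dashes',
    'ans4' => 'plain',
];
$id = addQuestions($pdo, $data);
$row = getQuestion($pdo, $id);

// Every value is stored and read back verbatim: no escaping, no mangling.
foreach ($data as $col => $value) {
    if ($row[$col] !== $value) {
        throw new RuntimeException("$col was not stored verbatim");
    }
}
echo "row $id stored and read back verbatim\n";

// mysqli equivalent for the question's $this->db->link (not run here):
//   $stmt = $this->db->link->prepare(
//       'INSERT INTO questions (ans1, ans2, ans3, ans4) VALUES (?, ?, ?, ?)');
//   $stmt->bind_param('ssss', $data['ans1'], $data['ans2'], $data['ans3'], $data['ans4']);
//   $stmt->execute();
```

`bindValue()` is used rather than `bindParam()` because the loop variable changes on each iteration; `bindParam()` binds by reference and would otherwise see only the last value at `execute()` time.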