mysqli_real_escape_string() for entire $_POST array in php

Question

I have $_POST with 20 keys. I want to apply mysqli_real_escape_string() for the entire $_POST array. So, should I apply mysqli_real_escape_string() to all 20 keys separately? Or is there any loop or any specific function available for it?

My Post array is like the example below:

$_POST =array(
      "A1"=>'xxxxxxxx',
      "A2"=>'xxxxxxxx',
      ........
      ........
      ........
      ..........
      .........
      .........
      "A20"=> 'xxxxxxxxx'
);

**STOP!!** "I want to apply mysqli_real_escape_string() for entire $_POST array" — That is a bad solution to pretty much any problem. Data should be escaped at **the last moment** before being used for whatever it is being used for (i.e. just before being inserted into SQL not just after it comes out of HTTP). What's more, mysqli_real_escape_string should be avoided in favour of bound variables / prepared statements. — Quentin, May 17 '18 at 09:09

Domenik Reitzner · Answer 1 · 2018-05-17T09:29:55.487

-2

You can do something like this:

$escaped = array_map(function($var) use ($mysqli){
    return mysqli_real_escape_string($mysqli, $var);
},$_POST);

edited May 17 '18 at 09:29

answered May 17 '18 at 09:09

Domenik Reitzner

1,583
1
12
21

[*`mysqli_real_escape_string()` expects parameter 1 to be mysqli*…](https://stackoverflow.com/q/2973202/476) – deceze May 17 '18 at 09:16
The fixed version now doesn't work because [`$mysqli` is not in scope](https://stackoverflow.com/a/16959577/476). – deceze May 17 '18 at 09:23
1

so fixed that too. – Domenik Reitzner May 17 '18 at 09:30
It worked in one page, but didn't in another. `mysqli_real_escape_string() expects parameter 2 to be string, array given in...` – Sid Sep 13 '19 at 13:18

mysqli_real_escape_string() for entire $_POST array in php

1 Answers1