Is it possible to sanitize all input sent by one method in PHP by simply doing

$var = mysql_real_escape_string($_POST);

and then access elements of $var as I would have with $_POST?

Alex S

5 Answers

9

I don't think you can call mysql_real_escape_string on an array.

But this would work

$cleanData = array_map('mysql_real_escape_string', $_POST);

array_map works by calling the function named in quotes on every element of the array passed to it and returns a new array as the result.

Like superUntitled, I prefer to have a custom function that uses the built-in sanitizing functions as appropriate. But you could still use a custom function with array_map to achieve the same result.

Mark Biek
1

This function will remove HTML tags from anything you pass to it:

// Strips anything that looks like a tag from a string, or from every
// element of a one-level array. The argument is modified in place.
function strip_html(&$a){
    if(is_array($a)){
        foreach($a as $k=>$v){
            $a[$k]=preg_replace('/<[^<]+?>/','',$v);
        }
    }else{
        $a=preg_replace('/<[^<]+?>/','',$a);
    }
}
1

As a side note, I would recommend using a function to sanitize your results:

function escape($txt) {
    // Undo magic_quotes so the value is not escaped twice
    // (get_magic_quotes_gpc() was removed in PHP 8).
    if (get_magic_quotes_gpc())
        $txt = stripslashes($txt);

    // Numbers are returned as-is; strings are escaped and quoted
    // so the result can be dropped straight into the query.
    if (!is_numeric($txt))
        $txt = "'" . mysql_real_escape_string($txt) . "'";

    return $txt;
}
superUntitled
0

@Shadow:

array_map will work with a single-dimension array, but it won't work with multi-dimension arrays. So, this will work:

$cleanData = array_map('mysql_real_escape_string', $_POST);

but if that $_POST array were to have another array, like this: $array = $_POST['myArray']['secondArray'];

If you have an array such as the above, array_map will throw an error when you try to run a function that only takes a string as an argument, because it won't be able to handle an array when it's expecting just a string.

The solution provided on the below page is much more handy, and does it recursively for every element inside the array.

PHP - Sanitize values of an array

Zubair1
0

What I find handy is to encapsulate the request data (Post, Get, Cookie etc.) into an object and then add a filter method which you can pass an array of function names to. This way you can use it like this:

$array = array('trim','mysql_real_escape_string');
$request->filter($array);

The body of the method works using a loop and array_map like in Mark's example. I wouldn't run mysql_real_escape_string over my entire $_POST though, only on the necessary fields (the ones that are getting queried or inserted).

xenon
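As an added example (not code from any of the answers above), here is a filter method in the style xenon describes, taking a list of callables, that also recurses into nested arrays as Zubair1's case requires and can be limited to the fields that will reach a query. escape_sql_literal is a constructed offline stand-in for mysql_real_escape_string, which needs a live connection and no longer exists in PHP 7+.

```php
<?php
// Constructed stand-in for mysql_real_escape_string(): escapes the same
// characters. strtr() visits each character once, so nothing is double-escaped.
function escape_sql_literal(string $value): string
{
    return strtr($value, [
        "\x00" => '\0',   "\n" => '\n',   "\r"   => '\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

// Apply every callable in $filters, in order, to each scalar leaf of $data,
// recursing into nested arrays. If $onlyKeys is given, only those top-level
// keys are filtered; everything else is passed through untouched.
function filter_recursive(array $data, array $filters, ?array $onlyKeys = null): array
{
    foreach ($data as $key => $value) {
        if ($onlyKeys !== null && !in_array($key, $onlyKeys, true)) {
            continue;
        }
        if (is_array($value)) {
            // array_map() would hand this whole array to the escaper and fail
            $data[$key] = filter_recursive($value, $filters);
        } else {
            $value = (string) $value;
            foreach ($filters as $fn) {
                $value = $fn($value);
            }
            $data[$key] = $value;
        }
    }
    return $data;
}

// Constructed sample input shaped like a nested $_POST.
$post = [
    'name' => "  O'Brien ",
    'tags' => ['a"b', ['x\\y']],
    'csrf' => 'leave-me',
];

$clean = filter_recursive($post, ['trim', 'escape_sql_literal'], ['name', 'tags']);

assert($clean['name'] === "O\\'Brien");
assert($clean['tags'][1][0] === 'x\\\\y');
assert($clean['csrf'] === 'leave-me');   // not in $onlyKeys, so untouched
print_r($clean);
```

Values escaped this way are only safe inside a quoted string literal in the query; on current PHP the fields that reach the database should be bound through prepared statements instead.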