views: 179

answers: 4

In a PHP file, I receive more than 20 variables coming from the client (submitted via a web form), and I have to apply mysql_real_escape_string() more than 20 times. It is quite troublesome; is there a better way to do this job?

+1  A: 

No, that is the best way. As answered in this old question, you should always use whatever tools the language/system has available for you.

However, your issue still remains about it being tedious. I'd suggest a loop. Assuming your variables are in $_POST:

$vars = array("foo", "bar", "baz"); // names of variables
foreach ($vars as $var) {
    // tricky $$ usage will create the variables
    // $foo, $bar, etc., with the escaped values.
    ${$var} = mysql_real_escape_string($_POST[$var]);
    // you could also store an array of inputs, like $inputs[$var] = ...;
}
jtbandes
Urgh, don't pollute the namespace like that.
notJim
RageZ
@jtbandes: sorry for the wrong edit; yeah, right, polluting the namespace is really nice.
RageZ
+1  A: 

like, foreach?

$names = array('foo', 'bar', 'baz');
$inputs = array();
foreach ($names as $name) {
    $inputs[$name] = mysql_real_escape_string($_POST[$name]);
}
just somebody
+4  A: 

you can use array_map also

$_POST = array_map('mysql_real_escape_string',$_POST);
RageZ
You mean `array_map('mysql_real_escape_string', $_POST)`, right? :-)
Inshallah
@inshallah: Good point, I have kind of mistaken both ^^ but array_map would also work.
RageZ
Not "also"! **Only** :-). Check the docs, `array_walk()` will not collect the output from applying the `mysql_real_escape_string()`.
Inshallah
right^^ so `array_map` ^^
RageZ
@inshallah: I owe you on this one ^^
RageZ
Ach! But change the link too, it still points to `array_walk`.
Inshallah
@inshallah: I think we *might* be ok
RageZ
Applying mysql_real_escape_string to the POST array is entirely the wrong time for it: you are treating an output issue (injecting text into SQL string literals) as an input issue (taking user submissions). When you add a variable to a query that doesn't come from the POST array, you will have failed to escape it. When you output a variable from the POST array to the page, you will get unwanted slashes. SQL-string-literal escaping must be done when making SQL and only then.
bobince
@bobince, yes that's very true, but I don't think the answer deserves to be downvoted for that oversight, since it doesn't focus on the security issue but rather on the eliminating repetition through `array_map()`. You can replace the assignment to `$_POST` with something else (like directly concatenating into the query with `implode(....)`), and this answer will be just as valid.
Inshallah
also to be noted there is the `filter` extension: http://php.net/manual/en/book.filter.php
RageZ
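As an added example (not code from this thread), here is what bobince's comment amounts to in practice: the submission array is left alone, validation is a separate step, and escaping happens inside the one function that turns values into SQL text. The `build_insert()` helper, the `$demoEscape` stand-in and the sample submission are all constructed for this illustration; in real code the escaper passed in would be `[$mysqli, 'real_escape_string']`, which is bound to the connection's character set.

```php
<?php
// Added example: escape at the point where the SQL string is built, not where
// input arrives. Reassigning $_POST = array_map('mysql_real_escape_string', $_POST)
// misplaces the escaping in two ways:
//   1. a value that does NOT come from $_POST ($_GET['id'], a cookie, a session
//      value) reaches the query unescaped, because nobody escaped "that" array;
//   2. the escaped copy leaks into every other output: echoing $_POST['name']
//      into HTML prints backslashes the user never typed.

/**
 * Build an INSERT for exactly the columns listed in $columns, taking the values
 * from $input and escaping each one at the moment it becomes SQL text.
 *
 * @param string   $table   table name (application constant, never from input)
 * @param string[] $columns whitelist of column names (never from input)
 * @param array    $input   raw submission, left untouched
 * @param callable $escape  string -> string escaper for SQL string literals,
 *                          normally [$mysqli, 'real_escape_string']
 */
function build_insert(string $table, array $columns, array $input, callable $escape): string
{
    $values = [];
    foreach ($columns as $col) {
        // A missing field or a nested array (e.g. a checkbox group) must not
        // silently become '' or the string "Array" inside the query.
        if (!isset($input[$col]) || !is_scalar($input[$col])) {
            throw new InvalidArgumentException("missing or non-scalar field: $col");
        }
        $values[] = "'" . $escape((string) $input[$col]) . "'";
    }
    // Column names come from our own whitelist, so backtick quoting is enough.
    $cols = '`' . implode('`, `', $columns) . '`';
    return "INSERT INTO `$table` ($cols) VALUES (" . implode(', ', $values) . ")";
}

// Constructed stand-in escaper so this file runs without a database. It covers
// the characters mysqli::real_escape_string handles but is NOT charset-aware;
// real code must use the connection-bound escaper instead of this closure.
$demoEscape = function (string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
};

// Constructed sample submission: 20 fields, one containing a quote character.
$post = [];
for ($i = 1; $i <= 20; $i++) {
    $post["field$i"] = "value $i";
}
$post['field7'] = "O'Brien";

$columns = array_map(fn ($i) => "field$i", range(1, 20));
echo build_insert('users', $columns, $post, $demoEscape), PHP_EOL;
// field7 is emitted as 'O\'Brien': the quote stays inside the literal.

// $post was never modified, so the same value can go to HTML with the escaping
// that context needs, and no stray backslash appears on the page.
echo htmlspecialchars($post['field7'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

The two concerns RageZ and bobince mention stay separate: the `filter` extension (`filter_input_array()`) is the right tool for deciding whether a submitted value is acceptable at all, and that happens on the way in; SQL escaping belongs to the one place that emits SQL, and HTML escaping to the one place that emits HTML.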
+3  A: 

is there a better way to do this job?

Certainly: parameterised queries.

They're a little bit wordy in PHP, and unfortunately since they require you to move to mysqli (or some other data access layer that provides the feature, and maybe others like database-independence), instead of the old mysql_ functions there would have to be some rewriting. But taking the SQL string literal escaping out of your application and putting it in the data access layer where it belongs is a big improvement.

bobince
+1 I've waited for this :-)
Inshallah
+1 for `PDO` and `mysqli`
RageZ
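The parameterised version bobince recommends, written out as an added example (not his code, and not from the thread): one mysqli prepared statement handles all 20 fields, and no value is escaped or concatenated into the SQL text at all. The table name, the column whitelist and the connection details are placeholders chosen for the illustration.

```php
<?php
// Added example: a 20-column insert with a mysqli prepared statement. The
// statement text contains only '?' placeholders; the values travel to the
// server separately, so there is no string-literal escaping to get wrong.

/**
 * Insert one row. $columns is the application's own whitelist of column names;
 * $input is the raw submission (e.g. $_POST). Returns the affected row count.
 */
function insert_row(mysqli $db, string $table, array $columns, array $input): int
{
    $values = [];
    foreach ($columns as $col) {
        // Reject missing fields and nested arrays instead of inserting "Array".
        if (!isset($input[$col]) || !is_scalar($input[$col])) {
            throw new InvalidArgumentException("missing or non-scalar field: $col");
        }
        $values[] = (string) $input[$col];
    }

    // Identifiers come from the whitelist, so they may be interpolated;
    // every value is replaced by a '?' placeholder.
    $cols         = '`' . implode('`, `', $columns) . '`';
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql          = "INSERT INTO `$table` ($cols) VALUES ($placeholders)";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // bind_param wants one type character per parameter; binding everything
    // as 's' lets MySQL apply the column's own type conversion.
    $types = str_repeat('s', count($values));
    $stmt->bind_param($types, ...$values);   // argument unpacking passes by reference

    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage. Connection parameters are placeholders for this example.
$db = new mysqli('db-host', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    throw new RuntimeException('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');   // keep client and server charset in agreement

$columns = array_map(fn ($i) => "field$i", range(1, 20));
$inserted = insert_row($db, 'submissions', $columns, $_POST);
echo "inserted $inserted row(s)", PHP_EOL;
```

Compared with the escaping loop, the per-field work has not disappeared, it has moved: the loop now produces a placeholder and a bound value instead of an escaped literal, and the data access layer, not the form handler, is responsible for keeping values out of the SQL grammar. Input validation with the `filter` extension still belongs before this call; binding only guarantees that whatever arrives is treated as data.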