tags:

views:

477

answers:

3
+1  Q: 

Sanitizing form data in PHP

Is it possible to sanitize all input sent by one method in PHP by simply doing

$var = mysql_real_escape_string($_POST);

and then access elements of $var as I would have of $_POST ?

+4  A: 

I don't think you can call mysql_real_escape_string on an array.

But this would work

$cleanData = array_map('mysql_real_escape_string', $_POST);

array_map works by calling the function named in quotes on every element of the array passed to it and returns a new array as the result.

Like superUntitled, I prefer to have a custom function that uses the built-in sanitizing functions as appropriate. But you could still use a custom function with array_map to achieve the same result.

Mark Biek  2009-05-21 19:40:42
Thanks Mark, I did not know about the array_map function, props!
superUntitled  2009-05-21 19:45:00
It's a handy one :)
Mark Biek  2009-05-21 19:46:08
Could one include in their "escape" function a check-for-array statement, and if it is an array, sanitize all of the elements in the array with the array_map function
superUntitled  2009-05-21 19:47:24
Certainly could. Just use is_array() (and is_object(), if you wanted to catch that too).
ceejayoz  2009-05-21 19:48:04
I'm not sure that would work if your escape function had multiple paths for sanitizing a value, like your example below.
Mark Biek  2009-05-21 19:49:19
A: 

As a side note, I would recommend using a function to sanitize your results:

function escape($txt) {
    if (get_magic_quotes_gpc())
        $txt = stripslashes($txt);

    if (!is_numeric($txt))
        $txt = "'" . mysql_real_escape_string($txt) . "'";

   return $txt;
}
superUntitled  2009-05-21 19:40:43
A: 

What I find handy is to encapsulate the request data (Post, Get, Cookie etc) in to an Object and then to add a filter method which u can pass an array of function names to. This way you can use it like this:

$array = array('trim','mysql_real_escape_string');
$request->filter($array);

Body of the method works using a loop an array_map like in Mark's example. I wouldn't run the mysql_real_escape_string over my entire $_POST though, only on the necessary fields ( the ones that are getting queried or inserted )

xenon  2009-05-21 19:51:08

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases