tags:
views: 32
answers: 2

I just wanted a more elegant automated solution to my form validation. On PHP.net I found a cool class script from the SQL injection page. Here is the code (modified). It's supposed to go through my $_POST array and apply the validation function.

class secure
{
    function secureSuperGlobalPOST($v)
    {
        // Strip magic-quote slashes, encode HTML metacharacters, swap out the
        // word "script", then escape the result for MySQL, all in place on $_POST.
        $_POST[$v] = htmlspecialchars(stripslashes($_POST[$v]));
        $_POST[$v] = str_ireplace("script", "blocked", $_POST[$v]);
        $_POST[$v] = mysql_escape_string($_POST[$v]);
        return $_POST[$v];
    }

    function secureGlobals()
    {
        // This was originally array_walk; I'm just trying to figure out what's up...
        array_map('secureSuperGlobalPOST', $_POST);
    }
}

// This last line is my attempt at using it. This was not provided with the code.
secure::secureGlobals();

So then I get this error:

_"Warning: array_map() expects parameter 1 to be a valid callback, function 'secureSuperGlobalPOST' not found or invalid function name in C:\wamp\www\mysite\register.php on line 19"_

I have been looking forever, but I cannot figure out why it wouldn't be valid, not found (it's in the same class), or why it would be an invalid name (it's the exact same name!).

+3  A: 

That's because secureSuperGlobalPOST is not a global function.

You have to either take it out of the class, or make it a static method and use:

array_map('secure::secureSuperGlobalPOST', $_POST);

By the way you are not using callbacks the right way. A better way would be:

class secure
{
    // Static so the string callback 'secure::secureVar' resolves to it.
    // $v is taken by reference: array_walk discards the callback's return
    // value, so the element has to be overwritten in place.
    static function secureVar(&$v)
    {
        $v = mysql_escape_string(htmlspecialchars(
                 str_ireplace("script", "blocked", $v)));
    }
}

Then call

array_walk($_POST, 'secure::secureVar');
array_walk($_GET,  'secure::secureVar');

So you get to re-use code.


Another thing I want to point out is that this is not the proper way to avoid XSS. This is the lazy way. You shouldn't do that. What if your users entered a text that said: "I read your script"? As it is, it would get converted into "I read your blocked".

NullUserException
This works. Thanks for explaining!
Tarik
The script thing was in the example and I haven't removed it. In fact, I thought it might be something technical I just did not understand, even though it clearly is a replace string function. Thanks for mentioning it though, now I know it's crazy for sure!
Tarik
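The caveat at the end of the answer above, worked through as an added example (this is editor-supplied code, not from the question or either answer). It runs the posted "script" to "blocked" filter over constructed form values to show that it corrupts legitimate text while contributing nothing against markup that never contains the word, and then shows the usual alternative: keep the raw value, bind it as a parameter when it goes into SQL, and escape it for the context it is rendered in. It assumes a PHP build with the pdo_sqlite driver (used here only so the SQL part runs offline) and does not use mysql_escape_string, since the mysql extension it belongs to was removed in PHP 7.

```php
<?php
// Added example, not code from the question or either answer. It shows why the
// "script" -> "blocked" substitution in the posted class is not XSS protection,
// and the alternative the answer's caveat points at: keep the raw value, bind it
// as a parameter when it goes into SQL, and escape it for the context where it
// is rendered. Assumes PHP with the pdo_sqlite driver; all values are constructed.

// Constructed form values, as they might arrive in $_POST.
$samples = array(
    'comment' => 'I read your script',            // legitimate text
    'name'    => '<img src=x onerror=alert(1)>',   // markup without the substring "script"
    'bio'     => "O'Reilly",                       // legitimate apostrophe
);

// The posted input filter without the database step: alter the value on the way in.
function lazyFilter($v)
{
    $v = htmlspecialchars(stripslashes($v));      // default flags leave ' alone
    return str_ireplace('script', 'blocked', $v);
}

// Escaping for HTML text and double-quoted attribute values, applied at output time.
function escapeHtml($v)
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// 1. Compare what the filter does to each value with the untouched original.
foreach ($samples as $field => $raw) {
    printf("%-8s raw:      %s\n", $field, $raw);
    printf("%-8s filtered: %s\n", $field, lazyFilter($raw));
}

// 2. Store the raw value through a prepared statement; the driver keeps the data
//    separate from the SQL, so no escaping of the value is needed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profile (field TEXT, value TEXT)');

$insert = $db->prepare('INSERT INTO profile (field, value) VALUES (:field, :value)');
foreach ($samples as $field => $raw) {
    $insert->execute(array(':field' => $field, ':value' => $raw));
}

// 3. Escape when rendering HTML. The stored value is still the original text,
//    so the same row can also be emitted as JSON, e-mail or a log line.
$rows = $db->query('SELECT field, value FROM profile ORDER BY field');
foreach ($rows as $row) {
    printf("<tr><td>%s</td><td title=\"%s\">%s</td></tr>\n",
        escapeHtml($row['field']),
        escapeHtml($row['value']),
        escapeHtml($row['value']));
}
```

Run it with `php` from the command line. The first loop shows the comment losing its word "script" while the image tag is neutralised only by htmlspecialchars; the word replacement matched nothing in it. The rendering loop is where the escaping belongs: the database keeps the text exactly as the user typed it, the bound parameter stops it from being parsed as SQL, and ENT_QUOTES makes the value safe inside a double-quoted attribute as well as in element text.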
+4  A: 

Declare secureSuperGlobalPOST as static and use:

return array_map('self::secureSuperGlobalPOST', $_POST);

or:

return array_map(array('self','secureSuperGlobalPOST'), $_POST);

If you don't want secureSuperGlobalPOST to be a static method:

return array_map(array('secure','secureSuperGlobalPOST'), $_POST);

But you must still catch the return value in your last statement.

$result=secure::secureGlobals();
stillstanding
This also worked. I'm guessing self is a keyword to reference itself, didn't know that. Thank you!
Tarik
self is used to reference the class in which the method is declared.
stillstanding
Thanks again, I don't even think I would have thought to catch the return in a variable, I forgot! I do not understand the static method thing. If it is possible to be brief, a short comparison would be appreciated.
Tarik
`static function secureSuperGlobalPOST($v)`
stillstanding
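The comparison asked for in the last comment, as an added example (editor-supplied, not code from the question or the answers): the callable forms PHP accepts for a class method, static versus instance, and why array_map's result has to be captured while array_walk only changes the array when its callback takes the element by reference. The class name `secure` is the one from the question; the method names and input values are assumptions made for the demo.

```php
<?php
// Added example, not from the question or the answers. It walks through the
// callable forms PHP accepts for a class method, static versus instance, and
// shows why array_map's result must be captured while array_walk only changes
// the array when the callback takes its argument by reference. The class name
// `secure` matches the question; the method names and input values are assumed.

class secure
{
    public $touched = 0;   // instance state; only an instance method can see it

    // Static: no $this. Callable as 'secure::clean', as 'self::clean' from inside
    // the class, or as array('secure', 'clean').
    public static function clean($v)
    {
        return trim($v);
    }

    // Instance: needs an object, so the callable is array($object, 'countAndClean').
    public function countAndClean($v)
    {
        $this->touched++;
        return self::clean($v);
    }

    // array_map returns a new array built from the callback's return values.
    public static function cleanCopy(array $input)
    {
        return array_map('self::clean', $input);
    }

    // array_walk returns true/false and ignores the callback's return value, so
    // the callback must take the element by reference to alter the array.
    public static function cleanInPlace(array &$input)
    {
        array_walk($input, array('secure', 'cleanRef'));
    }

    public static function cleanRef(&$v, $key)
    {
        $v = self::clean($v);
    }
}

$post = array('user' => '  tarik ', 'email' => ' t@example.com ');   // constructed

// 1. Static callback via array_map: $post is untouched and the cleaned copy is returned.
$copy = secure::cleanCopy($post);
var_dump($post['user'] === '  tarik ', $copy['user'] === 'tarik');

// 2. array_walk with a by-reference callback changes $post itself.
secure::cleanInPlace($post);
var_dump($post['user'] === 'tarik');

// 3. Instance method as a callback: the object goes in the array form.
$s = new secure();
$cleaned = array_map(array($s, 'countAndClean'), array(' a ', ' b '));
var_dump($s->touched === 2, $cleaned === array('a', 'b'));
```

Two portability notes on the forms shown in the answers: giving `array('secure', 'method')` for a non-static method calls an instance method statically, which PHP 5 accepts with an E_STRICT notice, PHP 7 deprecates and PHP 8 rejects with an Error, so declaring the method `static` is the safe choice when there is no object to pass; and PHP 8.2 deprecates the string form `'self::clean'` in favour of `array(self::class, 'clean')`.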