Mysql_escape_string whole post array?

Asked · Active 3 hr before · Viewed 126 times

8 Answers

90%

I was wondering is it possible to just mysql_real_escape_string the whole $_POST and $_GET array so you don't miss any variables?

– For echo you use htmlspecialchars(), not mysql_real_escape_string() – Johan Oct 2 '11 at 11:07

– So you can't modify the $_POST variable itself (just wondering)? Like $_POST = array_map('mysql_real_escape_string', $_POST);? Thanks for the recommendation. Second time I've heard of MySQLi, so I will look into it and see how difficult it is to transfer over – NoviceCoding Jan 12 '11 at 4:41

I would use the array_walk() function. It's better suited because it modifies the POST superglobal so any future uses are sanitized.

// The callback must take the value by reference; passing 'mysql_real_escape_string'
// by name would discard its return value and leave $_POST unchanged.
array_walk_recursive($_POST, function (&$value) { $value = mysql_real_escape_string($value); });
EDIT: Changed array_walk() to array_walk_recursive() thanks to @Johan's suggestion. Props to him.
– Not sure how to test it or I would've myself. Thanks!
75%

mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement. It calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

Note also that the function needs an open connection. Without one it emits the warnings below and returns false, which interpolates into the query as an empty string, as the manual's example output shows:

Warning: mysql_real_escape_string(): No such file or directory in /this/test/script.php on line 5
Warning: mysql_real_escape_string(): A link to the server could not be established in /this/test/script.php on line 5

bool(false)
string(41)
"SELECT * FROM actors WHERE last_name = ''"
40%

Ok, here’s an easy one, I want to apply mysql_real_escape_string to all the elements in an array so that I can use them already escaped without having to do so explicitly to each one.

So, for example, the elements are like so:

mysql_real_escape_string($entryArray["title"])
mysql_real_escape_string($entryArray["duration"])

so I had this code:

foreach($entryArray as $escapee) {
   $escapedArray .= mysql_real_escape_string($escapee);
}

which doesn’t work because mysql_real_escape_string expects a string, not an array.

– Have you tried using array_walk_recursive on the array in conjunction with mysql_real_escape_string?

P.S. I would advise against the blunderbuss approach of applying the escaping to every item in the array. Such “protection” leaves much to be desired.
22%

Can you apply mysqli_real_escape_string to the entire POST array?

I have quite a large form that returns a few dozen values through the POST array. The only way I've ever tried to prevent injection attacks is applying the real_escape_string function to individual variables. Can I simply do this to the entire POST array, then use associative values to input into the database?

– Yes... but try to remember that it does apply to the WHOLE post array, even ones you may not want it to apply to.

<?php
foreach ($_POST as $var => $val) {
    $_POST[$var] = mysqli_real_escape_string($connection, $val);
}
?>
60%

mysql_real_escape_string() versus Prepared Statements

The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement (see http://www.w3schools.com/php/func_mysql_real_escape_string.asp).

Say you want to save the string I'm a "foobar" in the database.
Your query will look something like INSERT INTO foos (text) VALUES ("$text").
With the $text variable replaced, this will look like this:

INSERT INTO foos(text) VALUES("I'm a "foobar"")

mysql_real_escape_string makes sure such ambiguities do not occur by escaping characters which have special meaning to an SQL parser:

mysql_real_escape_string($text) => I\'m a \"foobar\"

This becomes:

INSERT INTO foos(text) VALUES("I\'m a \"foobar\"")

Escaping is a pretty universal thing in programming languages BTW, all along the same lines. If you want to type the above sentence literally in PHP, you need to escape it as well for the same reasons:

$text = 'I\'m a "foobar"';
// or
$text = "I'm a \"foobar\"";
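An added example, not code from any of the answers above, that covers both the array_walk answer and the "versus Prepared Statements" contrast: the in-place escaping of the request array needs a by-reference callback (shown with mysqli, since the mysql_ extension no longer exists), and the same insert done as a prepared statement, where nothing needs escaping. The connection details, `escape_request_array()` and `insert_foo()` are assumptions; the `foos` table is the one from the answer above.

```php
<?php
// Added example (not code from any of the answers above). Assumes an open
// mysqli connection in $mysqli; host, user, password and database are
// hypothetical placeholders.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app');

// Escaping the whole request array in place, as the array_walk answer describes.
// The callback must take the value by reference: passing the escape function
// by name would receive ($value, $key) and discard the escaped return value,
// leaving the array unchanged.
function escape_request_array(mysqli $db, array &$request): void
{
    array_walk_recursive($request, function (&$value) use ($db): void {
        $value = $db->real_escape_string((string) $value);
    });
}

// Work on a copy so the raw input stays available for other contexts; as the
// comments note, output to HTML needs htmlspecialchars(), not SQL escaping.
$escaped = $_POST;
escape_request_array($mysqli, $escaped);
// Only quoted string literals are protected this way. Numbers and identifiers
// are not, and % and _ still act as wildcards inside a LIKE pattern.
$sql = "INSERT INTO foos (text) VALUES ('" . ($escaped['text'] ?? '') . "')";
$mysqli->query($sql);

// The prepared-statement alternative: the value is sent separately from the
// SQL text, so nothing in $_POST needs escaping at all.
function insert_foo(mysqli $db, string $text): int
{
    $stmt = $db->prepare('INSERT INTO foos (text) VALUES (?)');
    $stmt->bind_param('s', $text);
    $stmt->execute();
    return $stmt->affected_rows;
}

insert_foo($mysqli, $_POST['text'] ?? '');
```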
