MySQL Class


Wolphie

Hey,

I'm in the middle of working on an in-depth MySQL class to ease the process of MySQL functions and error handling.

My main question is, what would be the best way to secure the query, without having to secure each individual item that's inserted?

I thought about making a function to loop through a POST array, and then sanitize the items.

Is there any better way?

	<?php
	// Escape every value of a POST-style array for use in a MySQL query.
	// Note: htmlentities()/htmlspecialchars() are HTML output escaping, not SQL
	// escaping; only mysql_real_escape_string() protects the query, and it
	// needs an open mysql connection to know the connection charset.
	function sanitize($str) {
		if(!get_magic_quotes_gpc()) {
			foreach($str as $key => $value) {
				$str[$key] = mysql_real_escape_string(htmlspecialchars(htmlentities($value)));
			}
			return $str;
		}
		// With magic quotes on, the values already carry backslashes; the
		// caller gets false and has to deal with the array itself.
		return false;
	}

https://forums.phpfreaks.com/topic/101607-mysql-class/

That's pretty much how I do it as well.

<?php
// dbconnect() and dbclose() are the poster's own helpers (defined elsewhere):
// mysql_real_escape_string() needs an open connection for the charset.
function myEscape($string) {
	dbconnect();
	// Undo magic quotes first so the value is not escaped twice.
	$new = get_magic_quotes_gpc() ? stripslashes($string) : $string;
	$safe = mysql_real_escape_string($new);
	dbclose();
	return $safe;
}

// Escape every submitted field in place.
foreach ($_POST as $key => $val) {
	$_POST[$key] = myEscape($val);
}
?>


I've updated my code, so if there's any "unique" fields such as a field allowing HTML or something similar, it can be ignored.

I also integrated some of your code, hope you don't mind.

	<?php
	// Escape every value in $str for use in a MySQL query. Keys listed in
	// $spec (e.g. a field that is allowed to contain HTML) are left untouched
	// rather than aborting the whole array.
	function sanitize($str, $spec = array()) {
		$spec = (array) $spec;

		foreach($str as $key => $value) {
			// Skip the "unique" fields the caller asked to ignore.
			if(in_array($key, $spec, true))
				continue;

			// Undo magic quotes first so the value is never escaped twice.
			$new = get_magic_quotes_gpc() ? stripslashes($value) : $value;
			// HTML escaping; note htmlentities() re-encodes the '&' of the
			// entities htmlspecialchars() just produced, so '&' becomes '&amp;amp;'.
			$new = htmlspecialchars($new);
			$new = htmlentities($new);
			// The only step that actually protects the query.
			$safe = mysql_real_escape_string($new);
			$str[$key] = $safe;
		}
		return $str;
	}

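As an added example (not code from this thread or its posters): a wrapper that answers the original question without escaping each field at all. Values are bound through prepared statements, so they never become part of the SQL text, and HTML escaping is left for output time so stored data is not double-encoded. The class, column names and connection details are made up.

```php
<?php
// Added example: PDO prepared statements instead of a per-field escape loop.
class Db
{
    private $pdo;

    public function __construct($dsn, $user, $pass)
    {
        $this->pdo = new PDO($dsn, $user, $pass, array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: bound values never touch the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ));
    }

    // Insert an associative array as one row. Column names cannot be bound
    // as parameters, so they are checked against an allow-list; $table is a
    // literal chosen by the calling code, never user input.
    public function insert($table, array $row, array $allowed)
    {
        $cols = array_keys($row);
        foreach ($cols as $c) {
            if (!in_array($c, $allowed, true)) {
                throw new InvalidArgumentException("column not allowed: $c");
            }
        }
        $sql = sprintf('INSERT INTO `%s` (`%s`) VALUES (%s)',
            $table,
            implode('`, `', $cols),
            implode(', ', array_fill(0, count($cols), '?')));
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute(array_values($row));   // values bound positionally
        return $stmt->rowCount();
    }
}

// Output-side escaping: applied once, when rendering, not before storing.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// Usage (DSN and credentials are placeholders):
// $db = new Db('mysql:host=localhost;dbname=app;charset=utf8', 'user', 'pass');
// $db->insert('comments',
//             array('author' => $_POST['author'], 'body' => $_POST['body']),
//             array('author', 'body'));
// echo h($comment['body']);   // when displaying a stored value
```

A field that is meant to keep raw HTML needs no special case here, since nothing is altered before storage; the decision about what to escape is made only where the value is printed.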
