
Can you apply mysqli_real_escape_string to the entire POST array?


blurredvision


I have quite a large form that returns a few dozen values through the POST array.  The only way I've ever tried to prevent injection attacks is applying the real_escape_string function to individual variables.  Can I simply do this to the entire POST array, then use associative values to input into the database?

Yes... but try to remember that it does apply to the WHOLE post array, even ones you may not want it to apply to.

 

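<?php
// $connection must be an open mysqli link.
// Every value in $_POST is assumed to be a string here.
foreach($_POST as $var => $val)
{
   // Overwrites the superglobal in place with the escaped value
   $_POST[$var] = mysqli_real_escape_string($connection, $val);
}
?>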

If you made a class to handle processing forms you could have

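<?php
class process_form{

private $connection;       // open mysqli link used for escaping
private $inputs = array(); // working copy of the form values

public function __construct($connection){
  $this->connection = $connection;
}

// Copy the raw POST values into the object, leaving $_POST untouched
public function get_inputs(){
  foreach($_POST as $key=>$value){
       $this->inputs[$key] = $value;
  }
}

// Escape the copied values for use inside quoted SQL string literals
public function clean_inputs(){
  foreach($this->inputs as $key=>$value){
         $this->inputs[$key] = mysqli_real_escape_string($this->connection, $value);
  }
}
}
?>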

 

Yes... but try to remember that it does apply to the WHOLE post array, even ones you may not want it to apply to.

 

This is a good reason not to provide blanket alterations to super global arrays ($_GET $_POST $_FILES $_SESSION etc.) because you never know in the future if you don't want to touch one.
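
An added example, not part of any post in this thread: instead of escaping every entry of $_POST, it copies only the expected fields into a separate array and binds them as parameters of a mysqli prepared statement, so the superglobal stays untouched and no escaping call is needed. The field names, the `contacts` table and the helper function names are hypothetical.

```php
<?php
// Added example: hypothetical form fields and table name, not from the thread.
const ALLOWED_FIELDS = ['first_name', 'last_name', 'email', 'comments'];

// Copy only the expected string fields out of the submission; $_POST is not modified.
function pick_fields(array $post, array $allowed): array
{
    $picked = [];
    foreach ($allowed as $name) {
        // Skip missing fields and array-valued ones such as name="tags[]".
        if (isset($post[$name]) && is_string($post[$name])) {
            $picked[$name] = $post[$name];
        }
    }
    return $picked;
}

// Build an INSERT with one ? placeholder per field.
// Column names come only from the allow-list, never from the request.
function build_insert(string $table, array $fields): string
{
    $columns = implode(', ', array_map(fn($c) => "`$c`", array_keys($fields)));
    $marks   = implode(', ', array_fill(0, count($fields), '?'));
    return "INSERT INTO `$table` ($columns) VALUES ($marks)";
}

// Bind the values as string parameters and run the statement.
function save_form(mysqli $connection, string $table, array $fields): bool
{
    if (!$fields) { return false; }              // nothing usable was submitted
    $stmt = mysqli_prepare($connection, build_insert($table, $fields));
    if ($stmt === false) { return false; }
    $values = array_values($fields);
    mysqli_stmt_bind_param($stmt, str_repeat('s', count($values)), ...$values);
    return mysqli_stmt_execute($stmt);
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'first_name' => 'Conan',
    'last_name'  => "O'Brien",
    'email'      => 'conan@example.com',
    'is_admin'   => '1',          // not on the allow-list: dropped
    'tags'       => ['a', 'b'],   // array value: dropped
];
$fields = pick_fields($sample, ALLOWED_FIELDS);
echo build_insert('contacts', $fields), "\n";
// save_form($connection, 'contacts', $fields);  // needs a live mysqli connection
```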
