scotchegg78 Posted October 7, 2008

Hi Guys

I have this which works fine...

```php
foreach ($_POST as $key => $input_arr) {
    $_POST[$key] = mysqli_real_escape_string($this->db_link, addslashes($input_arr));
}
```

but it fails for $_POST variables that are arrays, so I have tried this approach. What am I doing wrong?

```php
foreach ($_POST as $key => $input_arr) {
    if (is_array($_POST)) {
        foreach ($_POST[$key] as $key2 => $input_arr) {
            $_POST[$key][$key2] = mysqli_real_escape_string($this->db_link, addslashes($input_arr));
        }
    } else {
        $_POST[$key] = mysqli_real_escape_string($this->db_link, addslashes($input_arr));
    }
}
```

Thanks for any help
Orio Posted October 7, 2008

You've used $input_arr twice. This should work:

```php
<?php
foreach ($_POST as $key => $input_arr) {
    if (is_array($input_arr)) {
        foreach ($input_arr as $key2 => $val) {
            $_POST[$key][$key2] = mysqli_real_escape_string($this->db_link, addslashes($val));
        }
    } else {
        $_POST[$key] = mysqli_real_escape_string($this->db_link, addslashes($input_arr));
    }
}
?>
```

Although I still don't understand why you're using both addslashes() and real_escape_string() on the inputs - that's escaping some characters twice. I hope you're not with magic_quotes enabled as well, because in that case you're escaping the input three times..

Orio.
DarkWater Posted October 7, 2008

Yeah, you shouldn't addslashes().
scotchegg78 (Author) Posted October 7, 2008

Yeah good spot, not sure how I got that in there to be honest. Thanks Orio, looks like it works now.
Orio Posted October 7, 2008

Maybe you meant using stripslashes() to remove magic_quotes's effect?

Orio.
waynew Posted October 7, 2008

I usually just use:

```php
$string = "' OR 1 = 1-- LOLOLOL HAX";
if (get_magic_quotes_gpc() == 1) {
    $string = stripslashes($string);
}
$string = mysql_real_escape_string($string);
```
Orio Posted October 7, 2008

Yeah I do the same thing, just in a function:

```php
<?php
function escape_str($str)
{
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
?>
```

Orio.
scotchegg78 (Author) Posted October 8, 2008

Guys, something I just noticed. I was using my function above, but then after that doing this..

```php
$this->description = filter_input(INPUT_POST, "description", FILTER_SANITIZE_STRING);
```

The value now in my variable is not the result of my SQL injection function, it's back to the header post!

Of course I can get around it using..

```php
$this->description = filter_var($_POST['description'], FILTER_SANITIZE_STRING);
```

Unless anyone has any better cleaner ideas?

cheers
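The loops in this thread only handle one level of nesting and, as Orio pointed out, stack addslashes() on top of the real escape. The following is an added example (not code from any poster) that generalises the fix to arrays of any depth with exactly one escaping pass per value, and shows the mysqli prepared statement that makes escaping unnecessary. It assumes an open mysqli connection in $link and a constructed sample request array.

```php
<?php
// Added example: one escaping pass over a request array of any nesting depth.
// Each scalar gets exactly one escape: stripslashes() first only when magic_quotes_gpc
// already added slashes (PHP < 5.4; get_magic_quotes_gpc() was removed in PHP 8, hence
// the function_exists() guard), then mysqli_real_escape_string(). No addslashes().
function escape_request_array(mysqli $link, array $input): array
{
    $magic_quotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $out = [];
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            // Recurse instead of a fixed second loop, so tags[][] style fields work too.
            $out[$key] = escape_request_array($link, $value);
        } else {
            $str = (string) $value;
            if ($magic_quotes) {
                $str = stripslashes($str); // undo the automatic escaping first
            }
            $out[$key] = mysqli_real_escape_string($link, $str);
        }
    }
    return $out;
}

// Assumed connection details and a constructed sample request (not a real $_POST).
$link = new mysqli('localhost', 'user', 'pass', 'db');
$sample = [
    'description' => "O'Reilly",
    'tags'        => ['a"b', ['deep' => "x\\y"]],
];
$clean = escape_request_array($link, $sample);

// Escaping only protects values that are placed inside quotes in the SQL string.
// A prepared statement binds the raw, unescaped value and removes that dependency,
// so the filter_input() surprise in the post above does not arise either.
$stmt = $link->prepare('INSERT INTO items (description) VALUES (?)');
$stmt->bind_param('s', $sample['description']);
$stmt->execute();
```

Note that filter_input() reads the original request data, not the modified $_POST array, which is why the escaped value was not visible through it.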