
Smart or Dumb?


The Little Guy


I decided to make this code, and place it in an include that is in the header of every file.

When a user sends information via POST or GET, it automatically performs mysql_real_escape_string on all the POST / GET values, so when I use them on the db, I don't have to do it for every variable (hope that makes sense).

Is this a good idea, or is this a really bad idea?

foreach($_GET as $k => $v){
    $_GET[$k] = mysql_real_escape_string($_GET[$k]);
}
foreach($_POST as $k => $v){
    $_POST[$k] = mysql_real_escape_string($_POST[$k]);
}

https://forums.phpfreaks.com/topic/158327-smart-or-dumb/

It's probably not the smartest idea. Firstly, mysql_real_escape_string needs a database connection to work. Secondly, who's to say all of your POST & GET data is going to end up within the database?

This is a lot like having magic quotes enabled, which has been disabled now by default in PHP, and for good reason.

 

Validate and escape your data as you need to.

https://forums.phpfreaks.com/topic/158327-smart-or-dumb/#findComment-835095
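
An added example (not code from either poster) contrasting the blanket escaping in the question with the reply's advice to escape where the data is used. It assumes PHP with the pdo_sqlite driver; the in-memory database, the users table, the function names and the sample input are constructed for illustration, and addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL connection.

```php
<?php
// Constructed sample input standing in for $_POST.
$input = ['name' => "O'Brien", 'bio' => '<b>hi</b>'];

// Blanket approach from the question. addslashes() is a stand-in
// (assumption) for mysql_real_escape_string(); it is also what
// magic quotes applied to every request value.
function escape_everything(array $data): array
{
    return array_map('addslashes', $data);
}

// Per-context approach: values stay raw until the point of use.
function save_user(PDO $db, array $data): void
{
    // Database context: bound parameters, no manual escaping.
    $stmt = $db->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $data['name'], ':bio' => $data['bio']]);
}

function render_greeting(array $data): string
{
    // HTML context: encode for HTML, which SQL escaping never does.
    return 'Hello, ' . htmlspecialchars($data['name'], ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, bio TEXT)');

// 1. Blanket-escaped data used outside the database: the backslash
//    added for SQL ends up in the page, and the markup in 'bio' is
//    left exactly as submitted.
$escaped = escape_everything($input);
echo 'Hello, ' . $escaped['name'], "\n";
var_dump($escaped['bio'] === $input['bio']);

// 2. Raw data handled per context: the stored value round-trips
//    unchanged and the page output is HTML-encoded.
save_user($db, $input);
$stored = $db->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $input['name']);
echo render_greeting($input), "\n";
```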

Archived

This topic is now archived and is closed to further replies.
