The Little Guy
Posted May 15, 2009

I decided to make this code, and place it in an include that is in the header of every file. When a user sends information via POST or GET, it automatically performs mysql_real_escape_string on all the POST / GET values, so when I use them on the db, I don't have to do it for every variable (hope that makes sense).

Is this a good idea, or is this a really bad idea?

```php
foreach ($_GET as $k => $v) {
    $_GET[$k] = mysql_real_escape_string($_GET[$k]);
}
foreach ($_POST as $k => $v) {
    $_POST[$k] = mysql_real_escape_string($_POST[$k]);
}
```
trq
Posted May 16, 2009

It's probably not the smartest idea. Firstly, mysql_real_escape_string needs a database connection to work. Secondly, who's to say all of your POST & GET data is going to end up within the database? This is a lot like having magic quotes enabled, which has been disabled now by default in PHP, and for good reason. Validate and escape your data as you need to.
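An added example, not code from either poster, showing what the reply above describes: a blanket-escaped value is corrupted when it goes to a page or through a bound parameter, while handling each value at its point of use keeps it intact. It assumes the pdo_sqlite extension, uses addslashes() as a stand-in for mysql_real_escape_string(), and all names and input values are constructed.

```php
<?php
// Added example. $input is constructed data standing in for $_POST; the
// table and helper names are hypothetical. Requires the pdo_sqlite extension.
$input = ['name' => "O'Reilly & Sons", 'age' => '42abc'];

// Blanket escaping as in the include from the question. addslashes() is a
// stand-in: mysql_real_escape_string() needs a live MySQL connection.
function escape_all(array $data): array
{
    return array_map('addslashes', $data);
}

// HTML-context escaping, applied only where a value is written into a page.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (name TEXT)');
$insert = $db->prepare('INSERT INTO customers (name) VALUES (?)');

// 1. Blanket-escaped value: a stray backslash reaches the page, the "&" is
//    still not HTML-escaped, and binding it stores the backslash as data.
$blanket = escape_all($input);
echo 'Page (blanket):  ', $blanket['name'], "\n";
$insert->execute([$blanket['name']]);

// 2. Raw value handled per use: HTML escaping for the page, a bound
//    parameter for the database. No SQL escaping of the value is needed.
echo 'Page (per use):  ', html($input['name']), "\n";
$insert->execute([$input['name']]);

// 3. Validation is separate from escaping: "42abc" is not an integer, and
//    escaping it would not have made it one.
$age = filter_var($input['age'], FILTER_VALIDATE_INT);
echo 'Age accepted:    ', var_export($age !== false, true), "\n";

// Compare the two stored rows: only the per-use row matches the input.
foreach ($db->query('SELECT name FROM customers') as $row) {
    echo 'Stored:          ', $row['name'], "\n";
}
```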