anatak Posted July 17, 2009

I wanted to addslashes() all the $_POST vars, but this code does not work (I think):

    $t = count($_POST);
    // echo $t;
    for ($i = 0; $i < $t; $i++) {
        $_POST[$i] = addslashes($_POST[$i]);
        // echo $i;
    }

The array before slashes is:

    Array ( [brand] => 1....... [submit] => update bike )

The array after slashes is:

    Array ( [brand] => 1 ...... [submit] => update bike [0] => [1] => [2] => [3] => [4] => [5] => [6] => [7] => [8] => [9] => [10] => [11] => [12] => [13] => [14] => [15] => [16] => [17] => [18] => [19] => [20] => [21] => [22] => [23] => [24] => )

So can anyone help me with how I could do this, or is it a bad idea to addslashes() all the values, even the ones that do not need it, like numerical values? Maybe it will work with the foreach function, but I could never get the hang of it, since it works in general on a copy of the array and not the array itself (I think).

kind regards
anatak
rhodesa Posted July 17, 2009

First, let's back up...

1) You shouldn't alter the $_POST variable. It's a PHP global, and it's bad practice. Instead, you should be putting the values into a new variable.

2) Why do you want to do this? If you are using the values in a DB, you should be using the DB's escape function.
anatak Posted July 17, 2009

And I am using a MySQL db. Up till now what I did was put all the $_POST vars in a different var and then addslashes() the new var, but since I thought that this way was going to save time I was thinking about doing it this way. Anyway, thanks for the "don't alter the $_POST vars"; I guess I'll have to do it the old way then.

Are you talking about a db function or a PHP function for the MySQL db? I found this http://us2.php.net/manual/en/function.mysql-real-escape-string.php but that is a PHP function. And what would be the difference between addslashes() and mysql_real_escape_string()?

kind regards
KevinM1 Posted July 17, 2009

Yes, you want to use mysql_real_escape_string(). The difference between that and addslashes() is that addslashes() doesn't add slashes (say that three times fast!) to everything that could compromise your db down the line. It's just a matter of using the right tool for the job. Since there are db-specific functions in the language itself, that should be taken as a hint that you should use those rather than creating a custom solution. After all, they're in the language for a reason.
anatak Posted July 17, 2009

I guess I only have to use mysql_real_escape_string() on string values, but of course I have to test to see if the numerical fields only contain numbers. Time to write some more test scripting.

Creating a site and scripts: 20% of the time. Making the site idiot proof: 40% of the time. Making the site really idiot proof and hardened against malicious individuals: 40% of the time.

Thanks, have a nice day/afternoon/evening/night (depending on where you are)

anatak
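An added example (not code from the thread) of the approach the replies converge on: copy $_POST into a fresh array with foreach, reject numeric fields that are not integers, and escape the remaining strings with the database's own function. The mysql_* extension and mysql_real_escape_string() were removed in PHP 7, so this uses the mysqli equivalent; the field names, table and connection details are assumptions.

```php
<?php
// Added example, not from the thread. Builds a cleaned copy of the request
// instead of editing the $_POST superglobal in place.

function clean_post(array $post, array $numeric_fields, mysqli $db): array
{
    $clean = [];
    // foreach walks a copy of $post, which is what we want: $post is never
    // touched, and the results go into $clean keyed by the original names.
    foreach ($post as $key => $value) {
        if (!is_string($value)) {            // skip nested arrays for this demo
            continue;
        }
        if (in_array($key, $numeric_fields, true)) {
            // A numeric field must be an integer; refuse anything else instead
            // of trying to escape it.
            $int = filter_var($value, FILTER_VALIDATE_INT);
            if ($int === false) {
                throw new InvalidArgumentException("Field '$key' must be an integer");
            }
            $clean[$key] = $int;
        } else {
            // Escapes quotes, backslashes and NUL according to the connection's
            // charset, which is what addslashes() cannot know about.
            $clean[$key] = $db->real_escape_string($value);
        }
    }
    return $clean;
}

// Constructed sample standing in for $_POST (assumed field names).
$sample = [
    'brand'  => '1',
    'name'   => "Bob's \"Road\" bike",
    'submit' => 'update bike',
];

// Assumed connection details; the charset must be set before escaping.
$db = new mysqli('localhost', 'user', 'password', 'bikes');
$db->set_charset('utf8mb4');

$data = clean_post($sample, ['brand'], $db);
$sql  = sprintf("UPDATE bikes SET name = '%s' WHERE brand = %d",
                $data['name'], $data['brand']);
// The integer is interpolated with %d so it is never treated as a string;
// prepared statements (mysqli_stmt or PDO) remove the need for manual escaping entirely.
```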