[SOLVED] addslashes $_POST


anatak

I wanted to addslashes to all the $_POST vars

but this code does not work (I think)

$t=count($_POST);
//echo $t;
for($i=0; $i<$t; $i++){
	$_POST[$i]=addslashes($_POST[$i]);
//		echo $i;
}

 

The array before slashes is

Array ( [brand] => 1....... [submit] => update bike )

The array after slashes is

Array ( [brand] => 1 ...... [submit] => update bike [0] => [1] => [2] => [3] => [4] => [5] => [6] => [7] => [8] => [9] => [10] => [11] => [12] => [13] => [14] => [15] => [16] => [17] => [18] => [19] => [20] => [21] => [22] => [23] => [24] => )

 

So can anyone help me how I could do this or is it a bad idea to addslashes() on all the values even the ones that do not need it like numerical values ?

 

Maybe it will work with the foreach function but I could never get the hang of it since it works in general on a copy of the array and not the array itself (I think)

 

kind regards

anatak

first, let's back up...

 

1) You shouldn't alter the $_POST variable. It's a PHP global, and it's bad practice. Instead, you should be putting the values into a new variable.

2) Why do you want to do this? If you are using the values in a DB, you should be using the DB's escape function.

And I am using MySQL db

up till now what I did was put all the $_POST vars in a different var and then addslash the new var

but since I thought that this way was going to save time I was thinking about doing it this way.

 

Anyway thanks for the don't alter the $_POST vars I'll guess I have to do it the old way then

 

Are you talking about a db function or a php function for the mysql db ?

I found this

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

but that is a php function.

 

and what would be the difference between addslashes and “mysql_real_escape_string()” ?

 

kind regards

 

Yes, you want to use mysql_real_escape_string().  The difference between that and addslashes() is that addslashes() doesn't add slashes (say that three times fast!) to everything that could compromise your db down the line.  It's just a matter of using the right tool for the job.  Since there are db-specific functions in the language itself, that should be taken as a hint that you should use those rather than creating a custom solution.  After all, they're in the language for a reason.

I guess I only have to use the mysql_real_escape_string() on string values

but of course I have to test to see if the numerical fields only contain numbers.

 

time to write some more test scripting

creating a site and scripts 20% time

making the site idiot proof 40% time

making the site real idiot proof and hardened against malicious individuals 40% time.

 

Thanks

have a nice day/afternoon/evening/night (depending on where you are)

anatak
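
The points raised in this thread (walk the array's real keys with foreach, leave $_POST untouched, check numeric fields, pass strings through the database's escape function), as an added example that is not code from any of the posters. The names prepare_for_db and $numericFields, the sample input and the stand-in escaper are assumptions made for illustration.

```php
<?php
/**
 * Build a cleaned copy of form input. Returns [clean values, error messages].
 * $escape        the database driver's escape function, supplied by the caller
 * $numericFields keys that must contain digits only
 */
function prepare_for_db(array $input, callable $escape, array $numericFields): array
{
    $clean  = [];
    $errors = [];
    // foreach walks the real string keys (brand, submit, ...). A counter loop
    // from 0 to count()-1 reads keys that do not exist and creates them,
    // which is where the empty [0]..[24] entries in the first post came from.
    foreach ($input as $key => $value) {
        if (!is_string($value)) {            // e.g. name[]=x arrives as an array
            $errors[] = "$key: unexpected type";
            continue;
        }
        if (in_array($key, $numericFields, true)) {
            if (!ctype_digit($value)) {      // also rejects the empty string
                $errors[] = "$key: digits only";
                continue;
            }
            $clean[$key] = (int) $value;     // numbers are validated and cast, not escaped
        } else {
            $clean[$key] = $escape($value);  // strings go through the DB escaper
        }
    }
    return [$clean, $errors];
}

// Constructed sample input standing in for $_POST.
$post = ['brand' => '1', 'model' => "O'Neil \"Racer\"", 'year' => '2009abc', 'submit' => 'update bike'];

// Stand-in escaper (assumption) so the script runs without a database; it is
// not a substitute for the driver's function. With a live mysqli connection:
//   $escape = fn($v) => mysqli_real_escape_string($link, $v);
// mysql_real_escape_string() from the thread was removed in PHP 7.0.
$escape = fn(string $v): string => strtr($v, ["\\" => "\\\\", "'" => "\\'", '"' => '\\"']);

[$clean, $errors] = prepare_for_db($post, $escape, ['brand', 'year']);
print_r($clean);   // escaped strings and the integer brand; year is absent
print_r($errors);  // the rejected year field
print_r($post);    // the original input, unchanged
```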

 
