Garethp Posted August 20, 2009

Ok, so I've been using this for a small while to make typing in variables a lot quicker, but is it secure? If not, can I make it more secure?

    foreach($Array as $k=>$v)
    {
        $k = mysql_escape_string($k);
        $v = mysql_escape_string($v);
        // creates a variable named after each key
        $$k = $v;
    }

markwillis82 Posted August 20, 2009

I would use mysql_real_escape_string - and also, instead of creating many new variables (potentially hundreds), you could put them into a "safe" array:

    foreach($Array as $k=>$v)
    {
        $k = mysql_real_escape_string($k);
        $v = mysql_real_escape_string($v);
        // collect the escaped values in one array instead of separate variables
        $safe_input[$k] = $v;
    }

Garethp (Author) Posted August 20, 2009

That's a good idea, thanks. What's the difference between real and not real?

markwillis82 Posted August 20, 2009

mysql_escape_string is deprecated in PHP 5.3. mysql_real_escape_string is the better function.

Garethp (Author) Posted August 20, 2009

Can I use it without connecting to a database?

markwillis82 Posted August 20, 2009

You would need to make a database connection first - you can try without, but it might throw a warning error.

Alternatively, you could use str_replace and arrays of "find" and "replace".

This topic is now archived and is closed to further replies.
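
An added example, not part of the original thread: one way to handle the same input without `$$k` or per-value escaping is to accept only an allow-list of keys and pass the values as bound parameters. The sample input, the `users` table, the `pick_allowed` helper and the use of PDO with an in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example: allow-list the expected keys and bind values as parameters,
// instead of escaping every key/value and creating variables with $$k.

// Constructed sample input standing in for request data (not from the thread).
$input = [
    'username' => "O'Reilly",
    'email'    => 'gareth@example.com',
    'is_admin' => '1',           // unexpected key: $$k would turn it into $is_admin
    'pdo'      => 'overwritten', // unexpected key: $$k would replace the $pdo handle
];

// Only these keys are accepted; everything else is ignored.
const ALLOWED_KEYS = ['username', 'email'];

// Hypothetical helper: copy only allow-listed, string-valued fields.
function pick_allowed(array $input, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $key) {
        // Arrays (e.g. a field submitted as name[]=x) are rejected here.
        if (isset($input[$key]) && is_string($input[$key])) {
            $clean[$key] = $input[$key];
        }
    }
    return $clean;
}

// Assumption: the pdo_sqlite extension is available; an in-memory database
// keeps the example offline. The same prepare/execute calls work with a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT)');

$fields = pick_allowed($input, ALLOWED_KEYS);
if (count($fields) !== count(ALLOWED_KEYS)) {
    exit("missing or malformed field\n");
}

// Values travel separately from the SQL text, so no escaping function is needed.
$stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:username, :email)');
$stmt->execute($fields);

// Show what was stored and whether the input created any variable.
$row = $pdo->query('SELECT username, email FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row);
var_dump(isset($is_admin));
```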