Jump to content


Using array_map for incoming form data?

  • Please log in to reply
2 replies to this topic

#1 extrovertive

  • Members
  • PipPipPip
  • Advanced Member
  • 235 posts

Posted 31 August 2006 - 01:49 AM

I noticed some ppl use:

$cu_s_number = mysql_real_escape_string($_POST['cu_s_number']);
$cu_s_sample = mysql_real_escape_string($_POST['cu_s_sample']);
$cu_s_wt = mysql_real_escape_string($_POST['cu_s_wt']);
$cu_s_tare = mysql_real_escape_string($_POST['cu_s_tare']);
$cu_s_poste = mysql_real_escape_string($_POST['cu_s_post']);
$cu_s_diff_value = mysql_real_escape_string($_POST['cu_s_diff_value']);

However, within a form, if I would like to escape all the data, is this more efficient or is there a problem with this version below?

array_pop($_POST); //remove the submit variable
$_POST = array_map("mysql_real_escape_string", $_POST);

  foreach($_POST as $variable=>$value)
     $$variable = $value;


#2 Kris

  • Staff Alumni
  • Advanced Member
  • 2,755 posts
  • LocationThe Internet

Posted 31 August 2006 - 06:38 AM

I don't see a problem with your second script, but if you are looping through the post array anyway, why not just escape it there? Less typing involved...
if(isset($_POST['submit'])) {
    array_pop($_POST); //remove the submit variable
    foreach($_POST as $variable=>$value) {
        $$variable = mysql_real_escape_string($value);

#3 Jenk

  • Members
  • PipPipPip
  • Advanced Member
  • 778 posts

Posted 31 August 2006 - 07:57 AM

Why remove the submit variable?!

Why remove anything from $_POST in fact?

Also, extracting variables frmo user input is not a wise idea. This is why regsiter_globals is frowned upon.

It is best practice to explicitly use the data you require, $_POST can contain as many fields as the user wishes. You will also have problems if the user submits an array within $_POST if you use that snippet.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users