extrovertive
Posted August 31, 2006

I noticed some people use:

[code=php:0]
$cu_s_number = mysql_real_escape_string($_POST['cu_s_number']);
$cu_s_sample = mysql_real_escape_string($_POST['cu_s_sample']);
$cu_s_wt = mysql_real_escape_string($_POST['cu_s_wt']);
$cu_s_tare = mysql_real_escape_string($_POST['cu_s_tare']);
$cu_s_poste = mysql_real_escape_string($_POST['cu_s_post']);
$cu_s_diff_value = mysql_real_escape_string($_POST['cu_s_diff_value']);
[/code]

However, within a form, if I would like to escape all the data, is this more efficient or is there a problem with this version below?

[code=php:0]
if(isset($_POST['submit']))
{
    array_pop($_POST); //remove the submit variable
    $_POST = array_map("mysql_real_escape_string", $_POST);
    foreach($_POST as $variable=>$value)
    {
        $$variable = $value;
    }
}
[/code]

zq29
Posted August 31, 2006

I don't see a problem with your second script, but if you are looping through the post array anyway, why not just escape it there? Less typing involved...

[code]
<?php
if(isset($_POST['submit'])) {
    array_pop($_POST); //remove the submit variable
    foreach($_POST as $variable=>$value) {
        $$variable = mysql_real_escape_string($value);
    }
}
?>
[/code]

Jenk
Posted August 31, 2006

Why remove the submit variable?!

Why remove anything from $_POST in fact? Also, extracting variables from user input is not a wise idea. This is why register_globals is frowned upon.

It is best practice to explicitly use the data you require; $_POST can contain as many fields as the user wishes. You will also have problems if the user submits an array within $_POST if you use that snippet.
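
The approach described in the last reply (name the fields you need, copy nothing else, and deal with array values before escaping), as an added example that is not part of the original thread. The field names come from the first post; `collect_fields()`, the `is_admin` field and the sample request are hypothetical.

```php
<?php
// Added example, not code from the thread. collect_fields() and the
// sample input below are hypothetical.

/**
 * Pick only the expected fields out of $input.
 * Returns [clean values, errors]; keys not listed in $expected are ignored.
 */
function collect_fields(array $input, array $expected): array
{
    $clean  = [];
    $errors = [];
    foreach ($expected as $name) {
        if (!array_key_exists($name, $input)) {
            $errors[$name] = 'missing';
            continue;
        }
        // A field submitted as name[]=... arrives as an array, which a
        // string-escaping function cannot process.
        if (!is_string($input[$name])) {
            $errors[$name] = 'not a string';
            continue;
        }
        $clean[$name] = trim($input[$name]);
    }
    return [$clean, $errors];
}

$expected = ['cu_s_number', 'cu_s_sample', 'cu_s_wt',
             'cu_s_tare', 'cu_s_post', 'cu_s_diff_value'];

// Constructed request body standing in for $_POST.
$post = [
    'cu_s_number' => '42',          'cu_s_sample'     => "O'Brien",
    'cu_s_wt'     => ['1', '2'],    'cu_s_tare'       => '0.5',
    'cu_s_post'   => '1.2',         'cu_s_diff_value' => '0.7',
    'is_admin'    => '1',           'submit'          => 'Save',
];

list($clean, $errors) = collect_fields($post, $expected);

// 'is_admin' and 'submit' are not in $expected, so they never reach $clean
// and no variable named after a request key is ever created.
print_r($clean);
print_r($errors);
// Values in $clean are still unescaped; escape each one (the thread uses
// mysql_real_escape_string) at the point where the query is built.
```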