Warning: mysql_real_escape_string() expects parameter 1 to be string

[TeddyKiller]

I recieve this error..

Warning:  mysql_real_escape_string() expects parameter 1 to be string, array given in /home/jeanie/public_html/inc/functions.php on line 10

 

Now I never use to get this error,and suddenly it's only started to appear. So I'm wondering what the problem is, I do have checkboxes in my form, these are in an array. This could be part the problem. Although how do I fix it?

<tr><td height="34">Interested In:</td><td><input type="checkbox" name="men" value="men" /> Men
<input type="checkbox" name="checkbox[]" value="women" /> Women
<input type="checkbox" name="checkbox[]" value="none" /> None
<input type="checkbox" name="checkbox[]" value="other" /> Other</td></tr>

They are the checkboxes, this is where the function to clean strings gets called (In the form validation)

$_POST = clean($_POST,0,0);

And here is the function clean.

function clean($_POST, $a, $b) {
    if($a == '1') : $_POST = array_map('trim', $_POST); endif;    
    
    if(get_magic_quotes_gpc()) : $_POST = array_map('stripslashes', $_POST); endif;
    $_POST = array_map('mysql_real_escape_string', $_POST);
    
    if($b == '1') : $_POST = array_map('ucwords', $_POST); return $_POST; endif;
    if($b == '2') : $_POST = array_map('strtolower', $_POST); return $_POST; endif; 
    if($b == '3') : $_POST = array_map('strtoupper', $_POST); return $_POST; endif;
    
    return $_POST;
}

 

How can I fix the problem? Thanks

[trq]

How can I fix the problem?

 

Don't pass arrays to mysql_real_escape_string().

[TeddyKiller]

Ok so, whats the best way to do it? I could possibly have them all seperate names, which will work with mysql_real_escape_string()

Then.. what could I do.. to put them back into an array because I have something like this..

$checkbox = implode(', ', $_POST['checkbox']);
$fields[] = "`interested_in` = '". $checkbox . "'";

What happens is.. for each checkbox as checked, to implode it with a comma.

[trq]

The best thing to do would be to get rid of that catch all clean function. This is precisely why such functions aren't flexible enough.

 

Either that or loop through the $_POST array (which by the way is global so doesn't need to be passed to your function) instead of using array_map.

[TeddyKiller]

Either that or loop through the $_POST array (which by the way is global so doesn't need to be passed to your function) instead of using array_map.

What do you mean by loop through? I just don't understand how I'd do a loop with the function..

I do want to keep the function there though.. to save repeating mysql_real_escape_string all the time.

Though if it has to be, I can take the mysql_real_escape_string function bit out, and use the function for string formatting, and just insert mysql_real_escape_string without a function to control it.

 

Would mysql_real_escape_string be alright to use with $_POST['checkbox'] even though thats still an array?

[TeddyKiller]

I made this..

function clean($foo, $a, $b, $c) {
foreach($foo as $arr) {
	if($b == '1') : $arr = trim($arr); endif;	

	if(get_magic_quotes_gpc()) : $arr = stripslashes($arr); endif;
	if($a == '1') : $arr = mysql_real_escape_string($arr); endif;

	if($c == '1') { 
		$arr = ucwords($arr); return $arr; 
	}
	elseif($c == '2') {
		$arr = strtolower($arr); return $arr;
	}
	elseif($c == '3') {
		$arr = strtoupper($arr); return $arr; 
	} else {
		return $arr;
	}
}
}

It doesn't come up with that error now, however.. whats wrong with the implode?

$checkbox = implode(', ', clean($_POST['checkbox'],1,0,1));

Warning: implode() [function.implode]: Invalid arguments passed in /home/jeanie/public_html/editprofile.php on line 191

[KevinM1]

A few things:

 

1. You should have meaningful variable names.  $foo, $a, $b, and $c are horrible variable names, as they provide no context for what they're supposed to be.

 

2. You don't need to pass $_POST into the function.  It's globally available.

 

3. You should take a look at pdo or mysqli.

 

4. If you still want to stay with vanilla MySQL, try:

 

function clean($data, $a, $b, $c) // again, pick better names
{
   if (is_array($data))
   {
      $foreach($data as $key => $value)
      {
         $data[$key] = clean($value, $a, $b, $c);
      }
   }

   if (get_magic_quotes_gpc()) { $data = stripslashes($data); }
   if ($a == '1') { $data = mysql_real_escape_string($data); }
   if ($b == '1') { $data = trim($data); }

   switch ($c)
   {
      case '1':
         $data = ucwords($data);
         break;

      case '2':
         $data = strtolower($data);
         break;

      case '3':
         $data = strtoupper($data);
         break;
   }

   return $data;
}

foreach($_POST as $key => $value)
{
   $_POST[$key] = clean($value, $arg1, $arg2, $arg3);
}

[TeddyKiller]

Thanks. Although I'm confused with this bit..

      $foreach($data as $key => $value)
      {
         $data[$key] = clean($value, $a, $b, $c);
      }

$data[$key] = clean($value, $a, $b, $c); That's just calling clean() all over again? Confused?

Also, tested it out, and it still does give the error.

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/jeanie/public_html/inc/functions.php on line 17

[KevinM1]

Thanks. Although I'm confused with this bit..

      $foreach($data as $key => $value)
      {
         $data[$key] = clean($value, $a, $b, $c);
      }

$data[$key] = clean($value, $a, $b, $c); That's just calling clean() all over again? Confused?

 

Work it out step by step.

 

If the value you pass into clean() is an array,

  then clean() each value in that array.

 

else

  clean the individual value based on the options ($a, $b, $c) given.

 

It's a recursive function.

 

Also, tested it out, and it still does give the error.

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/jeanie/public_html/inc/functions.php on line 17

 

What kinds of values are you passing into it?

[TeddyKiller]

I have 4 checkboxes.. All with the name of

checkbox[]

So it's an checkbox array. At the moment, I've changed it.. but the checkboxes value aren't being protected or anything. It's not an huge issue but would be nice if it was possible to mysql_real_escape it.