Mr Chris, posted August 16, 2010
https://forums.phpfreaks.com/topic/210842-mysql_real_escape_string-help/

Hello All,

Wondering if someone can help. I have a piece of code which I use on all data I post to my database, which uses mysql_real_escape_string on all my forms for security purposes, that I found on t'internet:

    if(!get_magic_quotes_gpc()){
        $_GET     = array_map('mysql_real_escape_string', $_GET);
        $_POST    = array_map('mysql_real_escape_string', $_POST);
        $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
        $_COOKIE  = array_map('mysql_real_escape_string', $_COOKIE);
    }

However, ever since I've installed this I'm having problems with other elements, such as deleting records from a MySQL database like so:

    <?php
    $msg = "";
    if(isset($_POST['Submit'])){
        $total = $_POST['total'];
        $news_ids = $_POST['nws_id'];
        foreach($news_ids as $id){
            mysql_query("DELETE FROM news WHERE news_id='$id'");
        }
        $msg = count($news_ids) . " News Item(s) deleted!";
    }
    $result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
    $num = mysql_num_rows($result);
    $n = 0;
    ?>

Yet if I delete the piece of code above it works fine, but I don't understand why the above code affects this? Can anyone please help me understand?

Thanks
kickstart, posted August 16, 2010

Hi

What format is the id in? As it is surrounded by quotes I would assume it is character rather than numeric.

Is there code anywhere which is already escaping the input?

All the best

Keith
Mr Chris (author), posted August 16, 2010

Thanks

id is an int value in MySQL, however I've tried it without the '' and it still does not delete, i.e.:

    DELETE FROM news WHERE news_id=$id
kickstart, posted August 16, 2010

Hi

Try it like this and see what the generated SQL is:

    <?php
    $msg = "";
    if(isset($_POST['Submit'])){
        $total = $_POST['total'];
        $news_ids = $_POST['nws_id'];
        foreach($news_ids as $id){
            $sql = "DELETE FROM news WHERE news_id=$id";
            echo "$sql<br />";   // show the statement that is actually sent
            mysql_query($sql);
        }
        $msg = count($news_ids) . " News Item(s) deleted!";
    }
    $result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
    $num = mysql_num_rows($result);
    $n = 0;
    ?>

All the best

Keith
Mr Chris (author), posted August 16, 2010

Many Thanks,

I get no message, but get these errors:

    Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/*******/httpdocs/******.php on line 37
    Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/*******/httpdocs/******.php on line 38
    Warning: Invalid argument supplied for foreach() in /var/www/*******/httpdocs/*********/list.php on line 19

So I may be being thick here, but what do I have to do to allow deletion?
trq, posted August 16, 2010

Having that catch-all at the top of your program is always going to be problematic because, as you have discovered, one of either the $_GET, $_POST, $_REQUEST or $_COOKIE indexes contains an array, not a string.

Also, who's to say $_POST data is always going to the database?

My advice: drop it, validate and clean your data as required.
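What "validate and clean your data as required" looks like for the delete handler in the first post, as an added example rather than code from anyone in this thread. It keeps the same form (checkboxes named nws_id[], so $_POST['nws_id'] arrives as an array, which is exactly what array_map('mysql_real_escape_string', ...) choked on), but does the checking at the point of use: an integer column only ever needs integers, so anything that is not a string of digits is dropped rather than escaped, and the surviving values are bound to a prepared statement so they never become part of the SQL text at all. The mysql_* extension used in the thread was removed in PHP 7, so this uses PDO and assumes PHP 7 or later; the DSN, credentials and the `news`/`news_id` names are assumptions matching the thread.

```php
<?php
// Added example, not the original poster's code.
// Assumes: PHP 7+, PDO with the mysql driver, a table `news` with an
// integer primary key `news_id`, and a form posting checkboxes nws_id[].

/**
 * Reduce whatever arrived in $_POST['nws_id'] to a list of positive integers.
 * Rejecting non-digit input is the "validate" step; nothing here is escaped
 * because nothing here is ever interpolated into SQL.
 */
function validateNewsIds($raw): array
{
    if (!is_array($raw)) {          // missing field, or a scalar: nothing to delete
        return [];
    }
    $ids = [];
    foreach ($raw as $value) {
        // ctype_digit() is false for '', '-1', '5 OR 1=1' and for non-strings
        if (is_string($value) && ctype_digit($value) && (int) $value > 0) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Delete the given rows with one parameterised statement and report how
 * many rows the server actually removed (not how many ids were posted).
 */
function deleteNewsItems(PDO $db, array $ids): int
{
    if ($ids === []) {
        return 0;
    }
    // One "?" per id: the SQL text is fixed, the values travel separately.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM news WHERE news_id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Placeholder connection details (assumption, not from the thread).
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$msg = '';
if (isset($_POST['Submit'])) {
    $ids     = validateNewsIds(isset($_POST['nws_id']) ? $_POST['nws_id'] : null);
    $deleted = deleteNewsItems($db, $ids);
    $msg     = $deleted . ' News Item(s) deleted!';
}
```

With ATTR_EMULATE_PREPARES turned off, the statement and the bound values reach MySQL as separate protocol messages, so the connection character set and quoting rules that mysql_real_escape_string has to get right simply do not come into play. Reporting rowCount() rather than count($news_ids) also means the message is honest when some posted ids did not exist.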
kickstart, posted August 16, 2010

Hi

I would agree with the above. If you really want to do it then you need a recursive function that runs mysql_real_escape_string on each array member, unless that array member is an array itself, in which case the function calls itself with that array as a parameter.

All the best

Keith
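The recursive function Keith describes, written out as an added example (it is not code from the thread). Two caveats a reader should know before copying the original catch-all: mysql_real_escape_string needs an open connection, because it escapes according to the connection's character set, so if the catch-all runs before the script connects it emits a warning and returns false for every value; and the mysql_* extension was removed in PHP 7. The version below therefore takes the escaper as a callable and binds it to a mysqli connection; the credentials are placeholders and the sample input is constructed for illustration.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+ and the mysqli
// extension; host, user, password and database name are placeholders.

/**
 * Apply $escape to every string leaf of $value, descending into nested
 * arrays (checkbox groups such as nws_id[] arrive as arrays). Keys are
 * left untouched; non-string scalars (ints, bools, null) pass through.
 */
function escapeDeep($value, callable $escape)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $key => $item) {
            $out[$key] = escapeDeep($item, $escape);   // recurse into sub-arrays
        }
        return $out;
    }
    if (is_string($value)) {
        return $escape($value);
    }
    return $value;
}

/**
 * Build an escaper bound to a live connection, so it uses that
 * connection's character set rather than a default guess.
 */
function makeMysqliEscaper(mysqli $link): callable
{
    return function (string $s) use ($link): string {
        return mysqli_real_escape_string($link, $s);
    };
}

$link = mysqli_connect('localhost', 'user', 'pass', 'site');   // placeholders
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}
mysqli_set_charset($link, 'utf8mb4');
$escape = makeMysqliEscaper($link);

// The nested array is the case array_map('mysql_real_escape_string', $_POST)
// warned about in the thread; escapeDeep() walks into it instead.
$_POST = escapeDeep($_POST, $escape);
$_GET  = escapeDeep($_GET,  $escape);

// Constructed input, independent of any real form submission:
$sample  = ['Submit' => 'Delete', 'nws_id' => ['3', "5' OR '1'='1"]];
$escaped = escapeDeep($sample, $escape);
// $escaped['nws_id'][0] is still '3';
// $escaped['nws_id'][1] is "5\' OR \'1\'=\'1": the quotes can no longer
// break out of a quoted literal, but the value is still a string, not an
// integer. Escaping fixes how a value is quoted; it does not check that the
// value is the type the column expects, which is why per-use validation
// (ctype_digit / intval on an id) is still needed on top of this.
```

Note that the function only makes the global escaping pass stop crashing; it does not address trq's other point, that not every posted value is headed for the database, and a value escaped for MySQL but then echoed into HTML or written to a file carries backslashes it should not have.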