for-loop


RON_ron

I need to send some of the data to my PHP file via Flash. Below, in my PHP file, I'm trying to use a for-loop to convert all the variables to PHP variables to prevent SQL injection. How effective is this method? Please help me with your valuable ideas.

Thank you.

<?php
$conn = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");

foreach ($_POST as $key => $value) {
    $$key = $value;
    $$key = mysql_real_escape_string($$key);
}

$result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'");

if (mysql_num_rows ($result) > 0){
    $register = "Retry.";
    echo($register);
} else {
    mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')");
    $register = "Successful.";
    echo($register);
}
?>

https://forums.phpfreaks.com/topic/220432-for-loop/

Also, blindly converting external variables into program variables is exactly what register_globals did, and a lot of web sites were taken over because not only does that set the variables you are expecting, but it also allows a hacker to set any of your other program variables to values he wants.

You should just put the result back into the $_POST array and use the $_POST variables in your code or use some other name of your choice, such as $mypost:

$_POST = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into the $_POST array

or

$mypost = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into an array name of your choice

If you are passing a form array element in the $_POST array, you would need to write your own recursive function to use in the array_map() statement so that any sub/nested arrays are also escaped.

https://forums.phpfreaks.com/topic/220432-for-loop/#findComment-1142091
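An added example, not code from the thread: it contrasts the variable-variable loop from the question with the array approach from the reply, including the recursive escaping that nested form arrays need. The function name escape_recursive(), the sample request and the addslashes stand-in (used only so the script runs without a database connection) are assumptions.

```php
<?php
// Added example; escape_recursive() and the sample data are hypothetical.

// Apply $escape to every scalar in a possibly nested request array and
// return a new array. Nothing is copied into program variables.
function escape_recursive($value, callable $escape)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = escape_recursive($v, $escape);
        }
        return $out;
    }
    return $escape((string) $value);
}

// Constructed request: a nested form array plus a key the script never asked for.
$post = array(
    'username' => "o'brien",
    'tags'     => array("a'b", array("c\\d")),
    'conn'     => 'value-from-request',
);

// Stand-in escaper so this runs offline. In the thread's code the callback
// would be 'mysql_real_escape_string', which needs an open connection.
$escape = 'addslashes';

// 1) Loop from the question: every request key becomes a program variable.
$conn = 'db-handle';              // stands in for the mysql_connect() result
foreach ($post as $key => $value) {
    if (!is_array($value)) {      // the original loop has no array handling
        $$key = $escape($value);
    }
}
var_dump($conn);                  // $conn was replaced by the request's 'conn' key

// 2) Approach from the reply: escaped values stay inside one array.
$conn   = 'db-handle';
$mypost = escape_recursive($post, $escape);
var_dump($conn);                  // untouched by request data
print_r($mypost);                 // nested 'tags' entries are escaped too

// Read only the fields the INSERT uses; unexpected keys are dropped.
$expected = array('username', 'password', 'surname', 'firstname', 'company');
$fields   = array_intersect_key($mypost, array_flip($expected));
print_r($fields);
```

The mysql_* functions used in this thread were removed in PHP 7. With mysqli or PDO, prepared statements with bound parameters replace per-value escaping.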

Something like this?

<?php
$conn = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");

foreach ($_POST as $key => $value) {
    $$key = $value;
    $$key = mysql_real_escape_string($$key);
}

$result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'");

$mypost = array_map('mysql_real_escape_string',$_POST);

if (mysql_num_rows ($result) > 0){
    $register = "Retry.";
    echo($register);
} else {
    mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')");
    $register = "Successful.";
    echo($register);
}
?>

https://forums.phpfreaks.com/topic/220432-for-loop/#findComment-1142094
