RON_ron Posted December 2, 2010 Share Posted December 2, 2010 I need to send some of the data to my php file via flash. Below in my php file I'm trying to use a for-loop to convert all the variables to php variables to prevent sql injection. How effective is this method? Please help me with your valuable ideas. Thank you. <?php $conn = mysql_connect("localhost","my_un","my_pw"); mysql_select_db("my_db"); foreach ($_POST as $key => $value) { $$key = $value; $$key = mysql_real_escape_string($$key); } $result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'"); if (mysql_num_rows ($result) > 0){ $register = "Retry."; echo($register); } else { mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')"); $register = "Successful."; echo($register); } ?> Link to comment https://forums.phpfreaks.com/topic/220432-for-loop/ Share on other sites More sharing options...
trq Posted December 2, 2010 Share Posted December 2, 2010 Using variable variables is inefficient and makes your code allot harder to read. They are better avoided. Link to comment https://forums.phpfreaks.com/topic/220432-for-loop/#findComment-1142089 Share on other sites More sharing options...
PFMaBiSmAd Posted December 2, 2010 Share Posted December 2, 2010 Also, blindly converting external variables into program variables is exactly what register_globals did and a lot of web sites were taken over because not only does that set the variables you are expecting but allows a hacker to set any of your other program variables to values he wants. You should just put the result back into the $_POST array and use the $_POST variables in your code or use some other name of your choice, such as $mypost - $_POST = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into the $_POST array or $mypost = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into an array name of your choice If you are passing a form array element in the $_POST array, you would need to write your own recursive function to use in the array_map() statement so that any sub/nested arrays are also escaped. Link to comment https://forums.phpfreaks.com/topic/220432-for-loop/#findComment-1142091 Share on other sites More sharing options...
RON_ron Posted December 2, 2010 Author Share Posted December 2, 2010 Something like this? <?php $conn = mysql_connect("localhost","my_un","my_pw"); mysql_select_db("my_db"); foreach ($_POST as $key => $value) { $$key = $value; $$key = mysql_real_escape_string($$key); } $result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'"); $mypost = array_map('mysql_real_escape_string',$_POST); if (mysql_num_rows ($result) > 0){ $register = "Retry."; echo($register); } else { mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')"); $register = "Successful."; echo($register); } ?> Link to comment https://forums.phpfreaks.com/topic/220432-for-loop/#findComment-1142094 Share on other sites More sharing options...
trq Posted December 2, 2010 Share Posted December 2, 2010 No. Read the previous two replies. Link to comment https://forums.phpfreaks.com/topic/220432-for-loop/#findComment-1142108 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.