RON_ron, posted December 2, 2010 (https://forums.phpfreaks.com/topic/220432-for-loop/)

I need to send some of the data to my php file via flash. Below in my php file I'm trying to use a for-loop to convert all the variables to php variables to prevent sql injection. How effective is this method? Please help me with your valuable ideas. Thank you.

<?php
$conn = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");
foreach ($_POST as $key => $value) {
    $$key = $value;
    $$key = mysql_real_escape_string($$key);
}
$result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'");
if (mysql_num_rows ($result) > 0){
    $register = "Retry.";
    echo($register);
} else {
    mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')");
    $register = "Successful.";
    echo($register);
}
?>
trq, posted December 2, 2010

Using variable variables is inefficient and makes your code a lot harder to read. They are better avoided.
PFMaBiSmAd, posted December 2, 2010

Also, blindly converting external variables into program variables is exactly what register_globals did, and a lot of web sites were taken over because not only does that set the variables you are expecting but allows a hacker to set any of your other program variables to values he wants. You should just put the result back into the $_POST array and use the $_POST variables in your code, or use some other name of your choice, such as $mypost:

$_POST = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into the $_POST array

or

$mypost = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into an array name of your choice

If you are passing a form array element in the $_POST array, you would need to write your own recursive function to use in the array_map() statement so that any sub/nested arrays are also escaped.
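An added example, not code from the thread, putting the two points above together: a recursive escaper for nested form arrays, the result kept in its own $mypost array, and only the fields the script expects copied out of it, so a client cannot pick which program variables get set. It assumes a mysqli connection ($db) and the hypothetical helper name escape_deep(); with the mysql extension used in the thread you would pass 'mysql_real_escape_string' as $escape instead.

```php
<?php
// Added example (not from the original post). Recursively escape every
// string in $value, descending into nested arrays such as
// name="address[street]". $escape is any escaping callable.
function escape_deep($value, $escape)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            // Keys are kept as-is and are never interpolated into SQL below.
            $out[$k] = escape_deep($v, $escape);
        }
        return $out;
    }
    return call_user_func($escape, (string) $value);
}

$db = new mysqli("localhost", "my_un", "my_pw", "my_db");
if ($db->connect_error) {
    die("Connection failed");
}
// Escaping must use the connection's charset, hence the mysqli method
// rather than a connection-less function.
$escape = array($db, 'real_escape_string');

// Escaped copy of the request; $_POST itself is left untouched.
$mypost = escape_deep($_POST, $escape);

// Whitelist: only these names ever become program variables. A POST field
// called "register" or "conn" is simply ignored instead of overwriting
// $register or $conn the way $$key = $value would.
$expected = array('username', 'password', 'surname', 'firstname', 'company');
$fields = array();
foreach ($expected as $name) {
    $fields[$name] = isset($mypost[$name]) && !is_array($mypost[$name])
        ? $mypost[$name]
        : '';
}

// Escaped values are only safe inside single-quoted string literals.
$result = $db->query("SELECT * FROM my_db2 WHERE username = '{$fields['username']}'");
if ($result && $result->num_rows > 0) {
    echo "Retry.";
} else {
    $db->query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('{$fields['username']}', '{$fields['password']}', '{$fields['surname']}', '{$fields['firstname']}', '{$fields['company']}')");
    echo "Successful.";
}
```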
RON_ron (author), posted December 2, 2010

Something like this?

<?php
$conn = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");
foreach ($_POST as $key => $value) {
    $$key = $value;
    $$key = mysql_real_escape_string($$key);
}
$result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'");
$mypost = array_map('mysql_real_escape_string',$_POST);
if (mysql_num_rows ($result) > 0){
    $register = "Retry.";
    echo($register);
} else {
    mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')");
    $register = "Successful.";
    echo($register);
}
?>
trq, posted December 2, 2010

No. Read the previous two replies.