mysql_real_escape_string and arrays

[RLJ]

Hi all,

 

I use mysql_real_escape_string on user inputs before using them in a MySQL query. However, some of my queries use arrays or imploded arrays, for example a query of the form: SELECT .. FROM .. WHERE .. IN ..

 

It seems like in these cases I can't use mysql_real_escape_string, am I correct in thinking this? If so, what can I use instead to ensure the best possible security against SQL injections?

 

Thanks!

[Muddy_Funster]

You could try running stripslashes() on the array output before using the mysql_real_escape_string()

[Pikachu2000]

Do not arbitrarily apply stripslashes(). You can use array_map() to escape the elements of a single-dimensional array, or you can use a loop if you need to handle some data types/values in the array differently from others.

 

$array = array_map('mysql_real_escape_string', $array);

[RLJ]

Thanks!

 

Just one more question though, because now I'm running into difficulties with my query. This is basically what I have:

<?php
$EXPfields = array_map('mysql_real_escape_string', $_SESSION['EXPfields']); $EXPfields = implode("', '", $EXPfields); 
$EXPvalues = array_map('mysql_real_escape_string', $_SESSION['EXPvalues']); $EXPvalues = implode("', '", $EXPvalues);

$insert = mysql_query   ("INSERT INTO tablename (ID,'".$EXPfields."') VALUES ('$ID','".$EXPvalues."')");
?>

 

But this gives me an SQL syntax error. I've been looking over my code again and again, but I can't spot the mistake. Help pls!!

[AbraCadaver]

You don't want ' quotes ' around the columns you want ` backticks `

[RLJ]

yup, that works. Thanks!