Q695 Posted May 15, 2013

Am I missing anything for my variable security statement?

foreach( $_GET as $key => $value){
    $_GET["$key"] = mysql_real_escape_string($value);
}
foreach( $_POST as $key => $value){
    $_POST["$key"] = mysql_real_escape_string($value);
}

How would I reverse it on the output side?
kicken Posted May 15, 2013

You shouldn't be running mysql_real_escape_string on a variable unless it is going into a query. Running it on everything like that causes as many problems (or more) as it solves. As you pointed out, you have to undo it when you want to output the variable to the screen, just as one example.

If you want to avoid typing out mysql_real_escape_string a bunch of times, wrap up your escaping into another function with a shorter name. Maybe do a sprintf()-like function. Untested example:

function prep_query(/*...*/){
    $args = func_get_args();
    foreach ($args as $i => $v){
        if ($i == 0) continue; // skip sql text
        if (get_magic_quotes_gpc()) $v = stripslashes($v);
        $args[$i] = mysql_real_escape_string($v);
    }
    return call_user_func_array('sprintf', $args);
}

echo prep_query("SELECT * FROM blah WHERE username='%s' AND IsSomething=%d", $_GET['username'], $_GET['something']);
Q695 Posted May 15, 2013 (Author)

Almost every single variable is used by a database, and I'll tell it to do an exception if the error is being created.
AbraCadaver Posted May 15, 2013

I would use mysqli or PDO, much easier and you don't have all the looping and other craziness:

$stmt = mysqli_prepare($link, "SELECT `column` FROM `table` WHERE `field`=?");
mysqli_stmt_bind_param($stmt, "s", $_GET['something']);
mysqli_stmt_execute($stmt);

Or something as simple as:

$_GET = array_map('mysql_real_escape_string', $_GET);
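As an added example (not code posted in the thread), the following script puts kicken's point that escaping belongs only at the query and AbraCadaver's prepared-statement suggestion side by side. It assumes PDO with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so it runs without a server; the table, its rows and the stand-in request values are constructed for the demo.

```php
<?php
// Added example, not from the thread: a string-built query beside a PDO
// prepared statement. Assumes pdo_sqlite; an in-memory SQLite database
// stands in for MySQL so no server is needed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, secret TEXT NOT NULL)");

// Constructed rows; the apostrophe in the second name is deliberate.
$seed = $pdo->prepare("INSERT INTO users (username, secret) VALUES (?, ?)");
foreach ([['alice', 's3cr3t-a'], ["o'neil", 's3cr3t-o']] as $row) {
    $seed->execute($row);
}

// Vulnerable: the request value is spliced into the SQL text. This is the
// pattern the question's escape-everything loop is trying to make safe.
function findUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is sent as a bound parameter and is never parsed as
// SQL, so there is nothing to escape going in and nothing to un-escape
// coming out.
function findSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_GET['username'].
$honest  = "o'neil";
$hostile = "' OR '1'='1";

// The hostile value closes the string literal in the unsafe query, so the
// WHERE clause becomes username = '' OR '1'='1' and matches every row.
var_dump(findUnsafe($pdo, $hostile));

// The same value bound as a parameter is compared literally; no user has
// that name, so the prepared query matches nothing.
var_dump(findSafe($pdo, $hostile));

// The honest apostrophe round-trips through the prepared query untouched.
var_dump(findSafe($pdo, $honest));

// The output side is a different context: escape for HTML at the point of
// output, not at the top of the script.
foreach (findSafe($pdo, $honest) as $name) {
    echo '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</b>\n";
}
```

Run it with `php example.php`: the string-built query returns both rows for the hostile input while the prepared statement returns none, and the honest name with an apostrophe comes back exactly as stored, which is why the batch-escape loop and its reverse on output are unnecessary once every query is parameterised.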
Q695 Posted May 18, 2013 (Author)

It's much easier for what I'm doing to batch it in, because I'm actually using several dozen MySQL queries in the project. i.e. set it, and forget it, unless the host does it.