Q695 Posted May 15, 2013 Share Posted May 15, 2013 Am I missing anything for my variable security statement? foreach( $_GET as $key => $value){ $_GET["$key"]=mysql_real_escape_string($value) ; } foreach( $_POST as $key => $value){ $_POST["$key"]=mysql_real_escape_string($value) ; } How would I reverse it on the output side? Quote Link to comment https://forums.phpfreaks.com/topic/278010-php-batch-security/ Share on other sites More sharing options...
kicken Posted May 15, 2013 Share Posted May 15, 2013 You shouldn't be running mysql_real_escape_string on a variable unless it is going into a query. Running it on everything like that causes as many problems (or more) as it solves. As you pointed out, you have to undo it when you want to output the variable to the screen, just as one example. if you want to avoid typing out mysql_real_escape_string a bunch of times, wrap up your escaping into another function with a shorter name. Maybe do a sprintf() like function. untested example: function prep_query(/*...*/){ $args = func_get_args(); foreach ($args as $i=>$v){ if ($i==0) continue; //skip sql text if (get_magic_quotes_gpc()) $v=stripslashes($v); $args[$i] = mysql_real_escape_string($v); } return call_user_func_array('sprintf', $args); } echo prep_query("SELECT * FROM blah WHERE username='%s' AND IsSomething=%d", $_GET['username'], $_GET['something']); Quote Link to comment https://forums.phpfreaks.com/topic/278010-php-batch-security/#findComment-1430135 Share on other sites More sharing options...
Q695 Posted May 15, 2013 Author Share Posted May 15, 2013 Almost every single variable is used by a database, and i'll tell it to do an exception if the error is being created. Quote Link to comment https://forums.phpfreaks.com/topic/278010-php-batch-security/#findComment-1430144 Share on other sites More sharing options...
AbraCadaver Posted May 15, 2013 Share Posted May 15, 2013 I would use mysqli or PDO, much easier and you don't have all the looping and other craziness: $stmt = mysqli_prepare($link, "SELECT `column` FROM `table` WHERE `field`=?"); mysqli_stmt_bind_param($stmt, "s", $_GET['something']); mysqli_stmt_execute($stmt); Or something as simple as: $_GET = array_map('mysql_real_escape_string', $_GET); Quote Link to comment https://forums.phpfreaks.com/topic/278010-php-batch-security/#findComment-1430308 Share on other sites More sharing options...
Q695 Posted May 18, 2013 Author Share Posted May 18, 2013 It's much easier for what I'm doing to batch it in, because I'm actually using several dozen MySQL queries in the project. i.e. set it, and forget it, unless the host does it. Quote Link to comment https://forums.phpfreaks.com/topic/278010-php-batch-security/#findComment-1430844 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.