acctman Posted May 19, 2015

I'm trying to use htmlspecialchars() to escape apostrophes:

```php
foreach(htmlspecialchars($_POST) as $key=>$val) {
```

but it's not escaping / working. Am I placing it in the wrong place? Thanks in advance.

```php
if(isset($_POST['save_your_application']) || isset($_POST['save_progress'])) {
    $errors = 0;
    $detailsArray = array();
    $insertArray = array();

    foreach($_POST as $key=>$val) {
        $stringDivide = explode("_", $key); // Break up key name
        $type = end($stringDivide);          // Get the TYPE of field (last "_" segment)
        $fullKey = $key;
        //$key = substr($key, 0, -4); // Get the field name (deleting the TYPE from the end)

        // IF FIELD IS A NUMBER
        if(strcmp($type, "num") == 0) {
            $array = array();
            $array['key'] = $key;
            $array['value'] = (int)$val;
            if($val == "") $array['value'] = NULL;
            $array['type'] = $type;
            $insertArray[] = $array;
        }
        // IF FIELD IS TEXT
        elseif(strcmp($type, "txt") == 0) {
            $array = array();
            $array['key'] = $key;
            $array['value'] = $val;
            $array['type'] = $type;
            $insertArray[] = $array;
        }
        $detailsArray[$fullKey] = $val;
    }

    if(isset($_POST['save_progress']) && $_POST['save_progress'] == 1) {
        $status = 3;
    } else {
        $status = 2;
    }

    if(isset($_POST['other_user'])) {
        $userID = $_POST['other_user'];
    } elseif(isset($_GET['other_user'])) {
        // Was $_GET['us'], which the isset() check above never guarantees exists
        $userID = $_GET['other_user'];
    } else {
        $userID = $_SESSION['ID'];
    }

    // THIS IS WHERE WE SEND STUFF TO DB
    applicationSubmit($userID,$insertArray,$status);

    if($userID == $_SESSION['ID'] && $status == 2) {
        send_email($_SESSION['ID'],"has completed their application.");
    }

    if(isset($_POST['save_your_application'])) $sent = 2;
    else $sent = 1;
} else {
    if(isset($_GET['other_user'])) {
        $userID = $_GET['other_user'];
    } else {
        $userID = $_SESSION['ID'];
    }

    $application = getUserApplication($userID);
    $detailsArray = array();

    if(is_array($application)) {
        foreach($application as $key=>$val) {
            if(is_numeric($key)) {
                // Skip positional (numeric) keys from the DB row
            } else {
                if(strcmp($key, "id") == 0 || strcmp($key, "fk_userid") == 0 || strcmp($key, "status") == 0 || strcmp($key, "submit_date") == 0 ) {
                    $detailsArray[$key] = $val;
                } else {
                    $detailsArray[$key] = decrypt_app($val,$GLOBALS['SITE_CONFIGURATION']['KEY_APP']);
                }
            }
        }
    }
    //$detailsArray['status'] = getApplicationStatus($_SESSION['ID']);
    //print_r($detailsArray);
}
```

Link to comment https://forums.phpfreaks.com/topic/296407-using-htmlspecialchars/
requinix Posted May 19, 2015

It's not anywhere in that code. Where did you try to put it? What was that code?

Link to comment https://forums.phpfreaks.com/topic/296407-using-htmlspecialchars/#findComment-1512259
Ch0cu3r Posted May 20, 2015

Passing $_POST to htmlspecialchars will never work. That is because htmlspecialchars is expecting a string value, not an array - $_POST is a superglobal array containing the values submitted by your form. If you want to apply htmlspecialchars to all the values in $_POST then use array_map. Alternatively apply htmlspecialchars to $val inside the foreach loop.

Link to comment https://forums.phpfreaks.com/topic/296407-using-htmlspecialchars/#findComment-1512275
rwhite35 Posted May 20, 2015

Depending on how your $_POST is organized - assuming it's two-dimensional and not a multi-dimensional array of arrays, you could use the following to process your input.

```php
$postArray = array();
foreach ($_POST as $key=>$value) {
    // Square brackets: the {} array syntax is removed in PHP 8
    $postArray[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); // same as calling htmlspecialchars with ENT_QUOTES
}
```

This will create an array with sanitized values. Prototype would be something like Array ( [save_progress]=>value, [other_user]=>value, [save_application]=>value...)

Link to comment https://forums.phpfreaks.com/topic/296407-using-htmlspecialchars/#findComment-1512286
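The following is an added example, not code posted in this thread, that puts Ch0cu3r's two suggestions (array_map, or escaping $val inside the loop) and rwhite35's filter_var approach side by side. It uses a constructed stand-in array instead of a real $_POST so it runs offline, and the field names in it are made up. It also shows the detail behind the original question: before PHP 8.1 the default flags of htmlspecialchars() (ENT_COMPAT) did not touch the apostrophe at all, so ENT_QUOTES has to be passed explicitly for ' to become &#039;. Nested fields (name="pets[]") are handled by recursing, which a plain array_map over htmlspecialchars would not do.

```php
<?php
// Added example (not from the thread). Assumes only core PHP; $post below is a
// constructed stand-in for $_POST so the script runs without a form submission.

/**
 * Recursively HTML-escape every string in a request array.
 * Nested arrays (e.g. name="pets[]" fields) are escaped element by element,
 * which a one-level array_map would pass to htmlspecialchars() as arrays.
 */
function escape_request(array $data): array
{
    return array_map(function ($value) {
        if (is_array($value)) {
            return escape_request($value);
        }
        // ENT_QUOTES: encode ' as well as " (before PHP 8.1 the default left ' alone).
        // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string.
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }, $data);
}

// Constructed stand-in for $_POST (field names are hypothetical).
$post = [
    'name_txt' => "O'Brien <script>alert(1)</script>",
    'age_num'  => '42',
    'pets'     => ['Rex "the" dog', 'Tom & Jerry'],
];

// 1. Escape $val inside the foreach loop (Ch0cu3r's second suggestion).
$escapedByLoop = [];
foreach ($post as $key => $val) {
    $escapedByLoop[$key] = is_array($val)
        ? escape_request($val)
        : htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. array_map over the whole array (Ch0cu3r's first suggestion, made recursive).
$escapedByMap = escape_request($post);

// 3. filter_var (rwhite35's approach). FILTER_SANITIZE_FULL_SPECIAL_CHARS behaves
//    like htmlspecialchars() with ENT_QUOTES; FILTER_REQUIRE_ARRAY makes it
//    recurse into nested arrays instead of returning false for them.
$escapedByFilter = [];
foreach ($post as $key => $val) {
    $escapedByFilter[$key] = is_array($val)
        ? filter_var($val, FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_REQUIRE_ARRAY)
        : filter_var($val, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// The apostrophe from the original question is now encoded.
$expectedName = 'O&#039;Brien &lt;script&gt;alert(1)&lt;/script&gt;';
if ($escapedByMap['name_txt'] !== $expectedName) {
    throw new RuntimeException('ENT_QUOTES escaping did not produce the expected output');
}

// All three routes agree on this input.
if ($escapedByLoop !== $escapedByMap || $escapedByFilter !== $escapedByMap) {
    throw new RuntimeException('escaping strategies disagree');
}

// Why the flag matters: ENT_COMPAT (the pre-8.1 default) only encodes double quotes,
// so the apostrophe survives unchanged.
if (htmlspecialchars("O'Brien", ENT_COMPAT) !== "O'Brien") {
    throw new RuntimeException('ENT_COMPAT unexpectedly encoded the apostrophe');
}

echo $escapedByMap['name_txt'], PHP_EOL;
echo $escapedByFilter['pets'][1], PHP_EOL; // Tom &amp; Jerry
```

Two design points for code like the original post, which feeds $_POST straight into a database call: htmlspecialchars() is an output-side defence against HTML injection, so the place to apply it is where a value is printed into a page, not before it is stored; storing the escaped form means every later read has to remember it is already encoded, and it does nothing to protect the SQL layer. For the database write, bind the raw values with prepared statements (PDO or mysqli) and keep escaping for the template.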
This topic is now archived and is closed to further replies.