acctman Posted May 19, 2015

I'm trying to use htmlspecialchars() to escape apostrophes:

```php
foreach(htmlspecialchars($_POST) as $key=>$val) {
```

but it's not escaping / working. Am I placing it in the wrong place? Thanks in advance.

```php
if(isset($_POST['save_your_application']) || isset($_POST['save_progress'])) {
    $errors = 0;
    $detailsArray = array();
    $insertArray = array();

    foreach($_POST as $key=>$val) {
        $stringDivide = explode("_", $key); // Break up key name
        $type = end($stringDivide);         // Get the TYPE of field (suffix after the last "_")
        $fullKey = $key;
        //$key = substr($key, 0, -4); // Get the field name (deleting the TYPE from the end)

        // IF FIELD IS A NUMBER
        if(strcmp($type, "num") == 0) {
            $array = array();
            $array['key'] = $key;
            $array['value'] = (int)$val;
            if($val == "") $array['value'] = NULL;
            $array['type'] = $type;
            $insertArray[] = $array;
        }
        // IF FIELD IS TEXT
        elseif(strcmp($type, "txt") == 0) {
            $array = array();
            $array['key'] = $key;
            $array['value'] = $val;
            $array['type'] = $type;
            $insertArray[] = $array;
        }
        $detailsArray[$fullKey] = $val;
    }

    if(isset($_POST['save_progress']) && $_POST['save_progress'] == 1) {
        $status = 3;
    } else {
        $status = 2;
    }

    if(isset($_POST['other_user'])) {
        $userID = $_POST['other_user'];
    } elseif(isset($_GET['other_user'])) {
        $userID = $_GET['other_user']; // was $_GET['us'], which is never set
    } else {
        $userID = $_SESSION['ID'];
    }

    // THIS IS WHERE WE SEND STUFF TO DB
    applicationSubmit($userID, $insertArray, $status);

    if($userID == $_SESSION['ID'] && $status == 2) {
        send_email($_SESSION['ID'], "has completed their application.");
    }

    if(isset($_POST['save_your_application'])) $sent = 2;
    else $sent = 1;
} else {
    if(isset($_GET['other_user'])) {
        $userID = $_GET['other_user'];
    } else {
        $userID = $_SESSION['ID'];
    }

    $application = getUserApplication($userID);
    $detailsArray = array();

    if(is_array($application)) {
        foreach($application as $key=>$val) {
            // Skip the numeric (positional) copies of each column
            if(!is_numeric($key)) {
                if(strcmp($key, "id") == 0 || strcmp($key, "fk_userid") == 0
                   || strcmp($key, "status") == 0 || strcmp($key, "submit_date") == 0) {
                    $detailsArray[$key] = $val;
                } else {
                    $detailsArray[$key] = decrypt_app($val, $GLOBALS['SITE_CONFIGURATION']['KEY_APP']);
                }
            }
        }
    }
    //$detailsArray['status'] = getApplicationStatus($_SESSION['ID']);
    //print_r($detailsArray);
}
```
requinix Posted May 19, 2015

It's not anywhere in that code. Where did you try to put it? What was that code?
Ch0cu3r Posted May 20, 2015

Passing $_POST to htmlspecialchars will never work. That is because htmlspecialchars is expecting a string value, not an array - $_POST is a superglobal array containing the values submitted by your form. If you want to apply htmlspecialchars to all the values in $_POST then use array_map. Alternatively, apply htmlspecialchars to $val inside the foreach loop.
rwhite35 Posted May 20, 2015

Depending on how your $_POST is organized - assuming it's two-dimensional and not a multi-dimensional array of arrays - you could use the following to process your input.

```php
$postArray = array();
foreach ($_POST as $key=>$value) {
    // [$key] rather than {$key}: the curly-brace offset syntax was removed in PHP 8
    $postArray[$key] = filter_var($_POST[$key], FILTER_SANITIZE_FULL_SPECIAL_CHARS); // same as calling htmlspecialchars
}
```

This will create an array with sanitized values. The prototype would be something like:

```
Array ( [save_progress] => value, [other_user] => value, [save_application] => value ... )
```
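A worked version of the array_map approach from the two replies above, added here as an example and not taken from any post in the thread. It assumes only PHP's standard library and uses a constructed $post array in place of the real $_POST. It also answers the apostrophe question directly: before PHP 8.1, htmlspecialchars() defaults to ENT_COMPAT, which converts double quotes but leaves single quotes untouched, so ENT_QUOTES has to be passed explicitly.

```php
<?php
// Added example for this thread, not code from any of the posts above.
// Escapes every value in a form submission, including nested arrays, so that
// apostrophes are escaped too. Before PHP 8.1 htmlspecialchars() defaults to
// ENT_COMPAT, which converts " but leaves ' alone; passing ENT_QUOTES explicitly
// gives the same behaviour on every version.

function escape_html_deep($value)
{
    if (is_array($value)) {
        // Recurse so inputs like name="address[street_txt]" are covered as well;
        // array_map with a single array keeps the original string keys.
        return array_map('escape_html_deep', $value);
    }
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample standing in for $_POST (field suffixes follow the OP's _txt/_num convention).
$post = [
    'first_name_txt' => "O'Brien",
    'age_num'        => '42',
    'notes_txt'      => '<b>hi</b> & "friends"',
    'address'        => ['street_txt' => '12 "Main" St & Co'],
];

$escaped = escape_html_deep($post);

// Expected results (HTML 4.01 entity table, the default document type)
assert($escaped['first_name_txt'] === 'O&#039;Brien');
assert($escaped['notes_txt'] === '&lt;b&gt;hi&lt;/b&gt; &amp; &quot;friends&quot;');
assert($escaped['address']['street_txt'] === '12 &quot;Main&quot; St &amp; Co');
print_r($escaped);
```

Escaping a copy for display is safer than storing escaped values: the OP's code encrypts the raw text for the database and later decrypts it, so the place to call escape_html_deep() is on $detailsArray when it is echoed back into the form, keeping the stored value raw. The _num fields are already covered by the (int) cast.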