micah1701 Posted October 8, 2007

I don't have magic_quotes on and I can't use addslashes on every variable when the data is posted (because it goes into a session array and is used on a bunch of pages before it ever gets to the point where it needs to be stuffed in a MySQL statement), so the question is: is there a better way to addslashes to all the variables going into my query statement?

<?php
$var1 = "here's a string";
$var2 = "here's another string";
$query = "INSERT INTO table (col1,col2) VALUES ('$var1','$var2')";
echo $query;
// returns: ...VALUES ('here's a string','here's another string') <- no good.
echo mysql_escape_string($query);
// returns: ...VALUES (\'here\'s a string\',\'here\'s another string\') <- also no good.
// is there any existing function to get a return of: ...VALUES ('here\'s a string','here\'s another string')
?>

I know I could just use addslashes($var1); addslashes($var2); but I have a LOT of variables in the query and I don't want to addslashes to them because I later need to strip the slashes. Thoughts?
MmmVomit Posted October 8, 2007

Create an array called $sqldata. Make it a practice to only add escaped data to that array. Also make it a practice to only use $sqldata when building queries. Like so.

<?php
$var1 = "here's a string";
$var2 = "here's another string";
// don't use mysql_escape_string. it is deprecated.
// use mysql_real_escape_string instead.
$sqldata['var1'] = mysql_real_escape_string($var1);
$sqldata['var2'] = mysql_real_escape_string($var2);
$query = "INSERT INTO table (col1,col2) VALUES ('$sqldata[var1]','$sqldata[var2]')";
?>
kenrbnsn Posted October 8, 2007

Use an array and a loop:

<?php
// map each column name to the name of the variable holding its value
$vars = array('colname' => 'varname', 'colname1' => 'varname1', 'colname2' => 'varname2', 'colname3' => 'varname3');
$qtmp = array();
foreach ($vars as $col => $name) {
    // $$name reads the variable whose name is stored in $name; each escaped
    // "col = 'value'" pair is appended to $qtmp
    $qtmp[] = $col . " = '" . mysql_real_escape_string($$name) . "'";
}
$q = "insert into tablename set " . implode(', ', $qtmp);
?>

This uses the alternate insert syntax that looks like the update syntax. If the values are coming from a form, just loop through the $_POST or $_GET array.

Ken
micah1701 (Author) Posted October 8, 2007

I like both these ideas. Most of the variables are in a $_SESSION array, so I think I'll do a foreach loop through it to create a duplicate array called $SQL_DATA that contains the same information, only escaped with mysql_real_escape_string. Thanks!

(I'll leave this "unsolved" for a little bit longer in case someone else wants to share :-) )
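The loop kenrbnsn sketched and the escaped copy of the session data the author settled on, written out as an added example (not code from the thread or from any poster). It escapes each value once, at the point the query is built, so the originals in $_SESSION are never modified and no stripslashes() is needed; it uses mysqli because the mysql_* functions are gone from PHP 7, and the connection details, table and column names are assumptions.

```php
<?php
// Added example, not code from the thread. Escapes every value once, at the
// moment the query is built, so the unescaped originals in $_SESSION stay as
// they are. mysqli replaces the mysql_* functions used in the thread; the
// connection details, table name and column names are assumptions.

function buildInsert(mysqli $db, string $table, array $row): string
{
    $cols = [];
    $vals = [];
    foreach ($row as $col => $value) {
        // real_escape_string() protects quoted values only, never identifiers,
        // so a column name taken from an array key is checked against a
        // strict pattern before it is placed in the statement.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $col)) {
            throw new InvalidArgumentException("bad column name: $col");
        }
        $cols[] = "`$col`";
        // Always wrap in single quotes; an unquoted value is not protected.
        $vals[] = "'" . $db->real_escape_string((string) $value) . "'";
    }
    return "INSERT INTO `$table` (" . implode(', ', $cols)
        . ') VALUES (' . implode(', ', $vals) . ')';
}

// Alternative to escaping: a prepared statement with one placeholder per
// column, so the values never become part of the SQL text at all.
function insertPrepared(mysqli $db, string $table, array $row): bool
{
    foreach (array_keys($row) as $col) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $col)) {
            throw new InvalidArgumentException("bad column name: $col");
        }
    }
    $cols = '`' . implode('`, `', array_keys($row)) . '`';
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt = $db->prepare("INSERT INTO `$table` ($cols) VALUES ($marks)");
    $values = array_values($row);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    return $stmt->execute();
}

// Constructed sample data standing in for the session contents.
$row = ['col1' => "here's a string", 'col2' => "here's another string"];
$db = new mysqli('localhost', 'user', 'pass', 'dbname'); // assumed credentials
$db->set_charset('utf8mb4'); // escaping must match the connection charset
echo buildInsert($db, 'table', $row), "\n";
insertPrepared($db, 'table', $row);
```

Escaping only covers values inside quotes and depends on the connection charset, which is why set_charset() runs before any escaping; the prepared-statement version avoids both concerns.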