Ted Wilmont

Reputation: 463

Disabling Multidimensional Arrays for $_POST Inputs

We have the following code:

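// Apply the string sanitizing filter to every POST field
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$comment = $_POST['comment'];
// Strip HTML tags, then escape for use in a MySQL query
$comment = mysql_real_escape_string(strip_tags($comment));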

After running a security scan (Acunetix) we have run into a problem.

If somebody were to modify the input variable $_POST['comment'] and turn it into a longer array (possibly called a multidimensional array), we get the following error message:

strip_tags() expects parameter 1 to be string, array given...

How can we prevent the user from modifying the variable and only accept $_POST['comment'] as a single string?

Upvotes: 2

Views: 86

Answers (1)

Jay Blanchard

Reputation: 34426

One way to do this would be to test the variable to see if it contains an array. Using a conditional check it would look something like this:

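if(is_array($_POST['comment'])){
    // An array was submitted where a single string was expected: discard it
    unset($_POST['comment']);
} else {
    // A plain string: strip tags and escape it as before
    $comment = mysql_real_escape_string(strip_tags($_POST['comment']));
}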

In this case, based on the OP's comment concerning un-setting the variable if it contains an array, I have used the unset() function in the ternary. If it is just a string then it is passed to the variable $comment.

Upvotes: 1
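
An added example, not part of the question or the answer above: the same check written as a reusable helper that accepts the field only when it is a single string and treats a missing key, `comment[]` and nested arrays alike. The helper name `post_string`, the `$maxLen` limit and the sample request bodies are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Return $input[$key] only when it is a single string; otherwise null.
 * Hypothetical helper for this example: the name and $maxLen are assumptions.
 */
function post_string(array $input, string $key, int $maxLen = 2000): ?string
{
    // PHP builds arrays from field names such as comment[] or comment[a][b],
    // so the key may be absent, a string, or an array of any depth.
    if (!array_key_exists($key, $input)) {
        return null;
    }
    $value = $input[$key];

    // Reject anything that is not a plain string before it reaches
    // strip_tags() or any other string-only function.
    if (!is_string($value)) {
        return null;
    }
    // Bound the size so oversized input is refused as well.
    if (strlen($value) > $maxLen) {
        return null;
    }
    return strip_tags($value);
}

// Constructed sample request bodies, shaped as PHP would populate $_POST.
$samples = [
    'plain string'  => ['comment' => 'Nice <b>post</b>!'],
    'comment[]=x'   => ['comment' => ['x']],
    'comment[a][b]' => ['comment' => ['a' => ['b' => 'x']]],
    'field missing' => [],
];

foreach ($samples as $label => $post) {
    $comment = post_string($post, 'comment');
    if ($comment === null) {
        // A real handler would answer with HTTP 400 here and stop processing.
        printf("%-14s rejected\n", $label);
        continue;
    }
    printf("%-14s accepted: %s\n", $label, $comment);
}
```

The helper takes the input array as a parameter, so it can be run from the command line with the constructed samples and called with `$_POST` in a request handler.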
