CODEWITHSUNDEEP
php
Alex S
Alex S

Reputation: 26061

Sanitizing form data in PHP

Is it possible to sanitize all input sent by one method in PHP by simply doing

$var = mysql_real_escape_string($_POST);

and then access elements of $var as I would have of $_POST ?

Upvotes: 1

Views: 2562

Answers (5)

Joshua Woodward
Joshua Woodward

Reputation: 11

this function will remove html tags from anything you pass to it

function strip_html(&$a){
    if(is_array($a)){
        foreach($a as $k=>$v){
            $a[$k]=preg_replace('/<[^<]+?>/','',$v);
        }
    }else{
            $a=preg_replace('/<[^<]+?>/','',$a);
    }
    return;
}

Upvotes: 1

Zubair1
Zubair1

Reputation: 2780

@Shadow:

Array_Map will work with single dimension array but it wont work with multi-dimension arrays. So, this will work.

$cleanData = array_map('mysql_real_escape_string', $_POST);

but if that $_POST array were to have another array, like this: $array = $_POST['myArray']['secondArray'];

If you have an array such as above, array map will throw an error when you try to run a function that only takes a String as an argument, because it wont be handle to an array when its expecting just a string.

The solution provided on the below page is much more handy, and does it recursively for every element inside the array.

PHP -Sanitize values of a array

Upvotes: 0

xenon
xenon

Reputation: 1425

What I find handy is to encapsulate the request data (Post, Get, Cookie etc) in to an Object and then to add a filter method which u can pass an array of function names to. This way you can use it like this:

$array = array('trim','mysql_real_escape_string');
$request->filter($array);

Body of the method works using a loop an array_map like in Mark's example. I wouldn't run the mysql_real_escape_string over my entire $_POST though, only on the necessary fields ( the ones that are getting queried or inserted )

Upvotes: 0

superUntitled
superUntitled

Reputation: 22567

As a side note, I would recommend using a function to sanitize your results:

function escape($txt) {
    if (get_magic_quotes_gpc())
        $txt = stripslashes($txt);

    if (!is_numeric($txt))
        $txt = "'" . mysql_real_escape_string($txt) . "'";

   return $txt;
}

Upvotes: 1

Mark Biek
Mark Biek

Reputation: 150949

I don't think you can call mysql_real_escape_string on an array.

But this would work

$cleanData = array_map('mysql_real_escape_string', $_POST);

array_map works by calling the function named in quotes on every element of the array passed to it and returns a new array as the result.

Like superUntitled, I prefer to have a custom function that uses the built-in sanitizing functions as appropriate. But you could still use a custom function with array_map to achieve the same result.

Upvotes: 9

Related Questions