ragebunny

Reputation: 1760

escape all data in an object

I have an object with some data being posted to a PHP script from JavaScript. This data is coming from a form, so the user will fill out a form, and when they hit enter an Ajax script will take the form database, put it into an object, then post it to my PHP, encoding it with JSON.

Now I'm new to stuff like JSON so I'm not 100% sure what it's doing. I've read a bit online and my conclusion is that it encodes the data with a sort of universal encoding that all programming languages have... Maybe not the best description of it, but hey. So this isn't doing the same thing as escaping the data, is it?

Anyway, before I process the data and put it into a database I want to escape it, but I'm not sure of the best way to go about this. Is there a way I could escape the whole object? Any tips or tricks for this sort of thing?

Upvotes: 0

Views: 1033

Answers (3)

prodigitalson

Reputation: 60413

Encoding something in JSON is not the same as escaping it. Basically JSON is a serialization format based on JavaScript object literals. So on the PHP side you need to:

  1. Decode the JSON to PHP
  2. Validate the values
  3. Escape the values
  4. Insert the values into your db

After you decode the JSON you will be left with an array (see `json_decode`, and pass `true` as the second arg to make sure it's an array and not a mix of stdObject and arrays).

So then you can pull out the data you need and escape it as you normally would any array passed to you through `$_POST` before insertion.

Upvotes: 1

Pekka

Reputation: 449813

JSON indeed is "universal" in that it is UTF-8 by default, and multi-byte sequences are escaped in \uuuuu format.

However, if you want to store the entire JSON object in the database as-is, that doesn't take away the need to escape the entire string before you insert it into the database, using the string escaping function of your database (or parametrized queries if your library supports them).

Upvotes: 1
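
The four steps from the first answer, with the parametrized queries mentioned in this answer taking the place of manual escaping, as an added example (not code from either answerer). The field names, the `users` table, the sample request body and the in-memory SQLite database are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample body; a real script would read it with
// file_get_contents('php://input').
$rawBody = '{"name":"O\'Brien","email":"ob@example.com","age":"42"}';

/**
 * Decode and validate the posted JSON.
 * The fields (name, email, age) are assumptions for this example.
 */
function parseUser(string $json): array
{
    // Step 1: decode to an associative array; malformed JSON throws.
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Expected a JSON object');
    }

    // Step 2: validate each value against what its column should hold.
    $name  = $data['name'] ?? null;
    $email = $data['email'] ?? null;
    $age   = filter_var($data['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);

    if (!is_string($name) || $name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('Invalid name');
    }
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email');
    }
    if ($age === false) {
        throw new InvalidArgumentException('Invalid age');
    }
    return ['name' => $name, 'email' => $email, 'age' => $age];
}

// In-memory SQLite keeps the example self-contained (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT, age INTEGER)');

// Steps 3 and 4: bound parameters, so the values never become SQL text.
$stmt = $pdo->prepare(
    'INSERT INTO users (name, email, age) VALUES (:name, :email, :age)');
$stmt->execute(parseUser($rawBody));

// The name containing a quote is stored verbatim.
var_dump($pdo->query('SELECT name, age FROM users')->fetch(PDO::FETCH_ASSOC));
```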

Peter Kiss

Reputation: 9329

No, JSONs aren't escaped at all. On the PHP side you could use `json_decode` to retrieve a decoded form of the data, then you will access all of the original object's properties as a PHP array.

Upvotes: 1
