mysql_real_escape_string() for entire $_REQUEST array, or need to loop through it?


Solution 1

To escape all variables in one go:

$escapedGet = array_map('mysql_real_escape_string', $_GET);

To extract all variables into the current namespace (i.e. $foo = $_GET['foo']):

extract($escapedGet);

Please do not do this last step though. There's no need to, just leave the values in an array. Extracting variables can lead to name clashes and overwriting of existing variables, which is not only a hassle and a source of bugs but also a security risk. Also, as @BoltClock says, stick to $_GET or $_POST. Also2, as @zerkms points out, there's no point in mysql_real_escaping variables that are not supposed to be used in a database query, it may even lead to further problems.


Note that really none of this is a particularly good idea at all, you're just reincarnating magic_quotes and global_vars, which were horrible PHP practices from ages past. Use prepared statements with bound parameters via mysqli or PDO and use values through $_GET or filter_input. See http://www.phptherightway.com.

Solution 2

You can also use a recursive function like this to accomplish that

function sanitate($array) {
   foreach ($array as $key => $value) {
      // Recurse into nested values (e.g. several checkboxes sharing one name)
      // and keep the returned copy: the original discarded the return value,
      // so nested values were never escaped.
      if (is_array($value)) { $array[$key] = sanitate($value); }
      else { $array[$key] = mysql_real_escape_string($value); }
   }
   return $array;
}
// The function works on a copy, so the result has to be assigned back.
$escapedPost = sanitate($_POST);

Solution 3

To sanitize or validate any INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV, you can use

Filtering can be done with a callback, so you could supply mysql_real_escape_string.

This method does not allow filtering for $_REQUEST, because you should not work with $_REQUEST when the data is available in any of the other superglobals. It's potentially insecure.

The method also requires you to name the input keys, so it's not a generic batch filtering. If you want generic batch filtering, use array_map or array_walk or array_filter as shown elsewhere on this page.

Also, why are you using the old mysql extension instead of the mysqli (i for improved) extension? The mysqli extension will give you support for transactions, multiqueries and prepared statements (which eliminates the need for escaping). All features that can make your DB code much more reliable and secure.
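The approach Solutions 1 and 3 point to (validated input plus prepared statements, with no escaping at all) applied to the OP's three fields, as an added example that is not code from any answer on this page. The table and column names, DSN and credentials are assumptions; it also shows the identifier case from the comments, where a column name taken from the request is whitelisted rather than escaped.

```php
<?php
// Added example, not code from any answer above: the OP's three fields
// (kkld, info, freq) handled the way Solutions 1 and 3 recommend, with
// filter_input_array() for validation and PDO prepared statements instead
// of mysql_real_escape_string(). Table, column names, DSN and credentials
// are assumptions for illustration.
declare(strict_types=1);

// One superglobal only ($_POST), never $_REQUEST. Missing keys come back as
// null and invalid ones as false, so no isset() chain is needed; a scalar
// filter also rejects array values (checkboxes sharing a name) outright.
$definition = [
    'kkld' => FILTER_VALIDATE_INT,
    'freq' => ['filter'  => FILTER_VALIDATE_INT,
               'options' => ['min_range' => 1, 'max_range' => 1000]],
    'info' => ['filter'  => FILTER_CALLBACK,
               'options' => fn($v) => (is_string($v) && strlen($v) <= 200) ? $v : false],
];
$input = filter_input_array(INPUT_POST, $definition) ?: [];

foreach (['kkld', 'info', 'freq'] as $field) {
    $v = $input[$field] ?? null;
    if ($v === null || $v === false) {
        http_response_code(400);
        exit("missing or invalid field: $field");
    }
}

// A column name taken from the request (the "keys" case raised in the
// comments) is an identifier: escaping functions do not cover it, so it is
// checked against a whitelist and interpolated only after that check.
$allowedSort = ['kkld', 'freq', 'created_at'];
$sort = $_POST['sort'] ?? 'created_at';
if (!in_array($sort, $allowedSort, true)) {
    http_response_code(400);
    exit('invalid sort column');
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
// Values travel as bound parameters; nothing in this script escapes them.
$stmt = $pdo->prepare(
    "SELECT id, kkld, info, freq FROM submissions
      WHERE kkld = :kkld AND info = :info AND freq = :freq
      ORDER BY $sort"
);
$stmt->execute([':kkld' => $input['kkld'], ':info' => $input['info'], ':freq' => $input['freq']]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The arrow-function callback needs PHP 7.4 or later; on older versions replace it with a `function ($v) { ... }` closure.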

Author: ajo

Updated on April 25, 2020

Comments

  • ajo about 4 years

    Is there an easier way of safely extracting submitted variables other than the following?

    if(isset($_REQUEST['kkld'])) $kkld=mysql_real_escape_string($_REQUEST['kkld']);
    if(isset($_REQUEST['info'])) $info=mysql_real_escape_string($_REQUEST['info']);
    if(isset($_REQUEST['freq'])) $freq=mysql_real_escape_string($_REQUEST['freq']);

    (And: would you use isset() in this context?)

  • Gromski over 13 years
    @ajo Data itself is never dangerous, it's the context you use it in that may make it dangerous. mysql_real_escape only protects you when using data in SQL queries. If you're not using the data in SQL queries it will (may) only change the data, it won't make it any more or less safe. If you echo the data into an HTML page, mysql_real_escaping it won't help, you'd need to use htmlentities instead... Context is important!
  • Gromski over 13 years
    Well, there was this comment of ajo I was responding to, before he deleted it... I'll leave my comment here anyway.
  • wired00 about 11 years
    I know by now everyone should be using PDO or prepared statements, but wouldn't this fall over when a $_REQUEST or $_POST variable is an array? For example, when submitting multiple checkbox values with the same name.
  • Gromski about 11 years
    @wired00 Yes, sure. Such wholesale escaping actually never was a great idea to begin with, but in the limited case of the OP it served a purpose. It should only be applied if you know what you're doing though (as always).
  • wired00 about 11 years
    Cool, thanks for the clarification. Yeah, I assumed in the OP's case it's fine, because he is using a $_GET anyway. Just wanted to confirm for my own case. We have a TONNE of legacy code which is unviable to convert to PDO, so having to use mysqli_real_escape_string().
  • Gromski about 11 years
    @wired If you're using mysqli, use prepared statements! Or was that a typo?
  • wired00 about 11 years
    Not a typo, we are using mysqli_ but as I mentioned there is FAR too much legacy code to convert everything over. So we only have the option of using mysqli_real_escape_string() against variables. I know full well that we need to either use prepared statements or PDO. Anyway, that's the matter of another discussion :)
  • Your Common Sense about 10 years
    Don't you think this magic_quotes reincarnation is not that good as it seemed to be four years ago? ;)
  • Gromski about 10 years
    @You Oh, certainly. :)
  • e-motiv over 5 years
    The keys of GET or POST parameters need to be escaped too if you're gonna use them in your query! Let's not forget!