
This is a small segment that is built using PHP and a database, for simplicity and testing purposes; here is a text example.

The idea is the form will submit, then PHP will handle the results. However, I am trying to use mysql_real_escape_string for each post for security (maybe there is a better way?).

Anyway, here is the problem. When I keep the foreach loop in place, the two post array variables qty[] and optname[] both come back as NULL (outputted via var_export($_POST) for testing purposes). This is what outputs WITH the foreach mysql_real_escape_string loop:

array (
  'update' => 'Yes',
  'qty' => NULL,
  'optname' => NULL,
)

If I remove the foreach loop everything works fine; this is what I get, and it is what I need for PHP to process the results. This is what I get with the foreach mysql_real_escape_string loop commented out:

array (
  'update' => 'Yes',
  'qty' => 
  array (
    1 => '2',
    2 => '2',
    3 => '2',
    4 => '2',
  ),
  'optname' => 
  array (
    1 => '1|4',
    2 => '1|4',
    3 => '1|4',
    4 => '1|4',
  ),
)

But the data is not being checked/cleaned before the SQL queries occur. How can I check each post variable using a loop but keep the POST variables intact?

Here is the code that can be pasted in any local host and tested.

<?php
// Escapes every top-level $_POST value. qty[] and optname[] are arrays, so
// mysql_real_escape_string() warns and returns NULL for them (see output above).
foreach ($_POST as $key=>$value) { $_POST[$key] = mysql_real_escape_string($value); }

echo '<pre>';
var_export($_POST);
echo '</pre>';
?>
<form name="updateQty" id="updateQty" method="post">
  <input type="hidden" name="update" id="update" value="Yes" />

  <input type="text" name="qty[1]" id="qty[]" class="field" value="2" />
  <input type="hidden" name="optname[1]" id="optname[]" value="1|4" />

  <input type="text" name="qty[2]" id="qty[]" class="field" value="2" />
  <input type="hidden" name="optname[2]" id="optname[]" value="1|4" />

  <input type="text" name="qty[3]" id="qty[]" class="field" value="2" />
  <input type="hidden" name="optname[3]" id="optname[]" value="1|4" />

  <input type="text" name="qty[4]" id="qty[]" class="field" value="2" />
  <input type="hidden" name="optname[4]" id="optname[]" value="1|4" />

  <input type="submit">
</form>

Thanks!

3
  • 2
    Customary; please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use pdo or mysqli.
    – hjpotter92
    Commented Apr 6, 2013 at 20:08
  • I will look into mysqli and pdo and see - is there a benefit or downfall to either? which one is most similar to the mysql_*?
    – John
    Commented Apr 6, 2013 at 20:25
  • mysqli is similar to mysql, but unusable. So, you have to use PDO. Anyway, without understanding, none of these libraries will do any good. Commented Apr 6, 2013 at 20:27

3 Answers

2

I am trying to use mysql_real_escape_string for security

That's what you're doing wrong. This function has nothing to do with security at all.
As a matter of fact, what you're really trying to do is revive the already deprecated and removed magic quotes feature, spoiling your data without making it secure.

At the very least you have to use this function this way:

// quotes belong around the escaped value, not inside the query text
$var = "'".mysql_real_escape_string($value)."'";

adding quotes to the escaped value (while removing them from the query, of course), and you have to do it right before query building, not anywhere else.

1
  • +1 escaping at the input stage is utterly the wrong thing - injections are not an input issue. Do it at the moment of injection into the parent string context (here: SQL), or, better, use alternative methods that don't involve string injection (here: parameterised queries in mysqli or PDO).
    – bobince
    Commented Apr 7, 2013 at 14:51
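Doing it the way this answer and bobince's comment recommend, as an added example that is not code from the question or any answer: the qty[] and optname[] arrays from the form are validated for shape, then bound to a PDO prepared statement, so nothing is ever escaped into a query string and $_POST stays intact. The PDO DSN, credentials and the cart_items table are assumptions for illustration.

```php
<?php
// Added example, not code from the question or any answer. It assumes a PDO
// connection and a table cart_items(id, qty, opt_a, opt_b); both are
// assumptions for illustration. The form posts qty[n] and optname[n] as "a|b".
function validateRows(array $post): array
{
    $qty = $post['qty'] ?? [];
    $opt = $post['optname'] ?? [];
    if (!is_array($qty) || !is_array($opt)) {
        throw new InvalidArgumentException('qty and optname must be arrays');
    }
    $rows = [];
    foreach ($qty as $idx => $q) {
        // Check the shape of each value instead of escaping it: index and
        // quantity must be digit strings, optname must match "int|int".
        if (!ctype_digit((string) $idx) || !ctype_digit((string) $q)) {
            throw new InvalidArgumentException("bad qty at index $idx");
        }
        if (!isset($opt[$idx]) || !preg_match('/^(\d+)\|(\d+)$/', (string) $opt[$idx], $m)) {
            throw new InvalidArgumentException("bad optname at index $idx");
        }
        $rows[] = ['id' => (int) $idx, 'qty' => (int) $q, 'a' => (int) $m[1], 'b' => (int) $m[2]];
    }
    return $rows;
}

function updateQuantities(PDO $pdo, array $rows): void
{
    // Values never enter the SQL string: they are bound at execute() time, so
    // quoting is the driver's job and $_POST is left exactly as submitted.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $sql = 'UPDATE cart_items SET qty = :qty WHERE id = :id AND opt_a = :a AND opt_b = :b';
    $stmt = $pdo->prepare($sql);
    $pdo->beginTransaction();
    try {
        foreach ($rows as $r) {
            $stmt->execute([':qty' => $r['qty'], ':id' => $r['id'], ':a' => $r['a'], ':b' => $r['b']]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

if (($_POST['update'] ?? '') === 'Yes') {
    $pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass'); // assumed DSN
    updateQuantities($pdo, validateRows($_POST));
}
```

A malformed value is rejected before any query runs, and a failure part-way through the loop rolls back the rows already updated.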
1
foreach ($_POST as $key=>$value) {
    // nested arrays (qty[], optname[]) need a second loop; escaping the array
    // itself is what produced the NULLs in the question
    if(is_array($value)){
        foreach ($value as $k => $v) {
            $_POST[$key][$k] = mysql_real_escape_string($v); 
        }
    } else {
        $_POST[$key] = mysql_real_escape_string($value); 
    }
}

In your case your POST values are arrays, so you must loop over them too.

As @hjpotter92 commented, it's not good to use the old mysql functions. They won't work in future versions...

1
  • It's not that "old mysql functions" shouldn't be used, but the very code you posted. This very approach makes your application vulnerable, no matter which functions you are using, old or new. Commented Apr 7, 2013 at 4:35
0

One of the easier ways (untested) would be to try array_walk_recursive().

// array_walk_recursive() descends into nested arrays itself and only passes
// leaf values, so the is_array() guard is just a safety net
function MyEscape( &$string, $key ) {
    if( !is_array($string) )
        $string = mysql_real_escape_string( $string );
}
array_walk_recursive($_POST, 'MyEscape');
