Applying quote_smart() to Arrays

am 09.10.2007 02:06:05 von 3ashore

Guys, I'm adapting the ..._deep() approach to apply it to $_GET and/
or $_POST arrays as follows, as a lazy way to cleanup input before
posting it to the database - to prevent SQL injections.

function quote_smart_deep($value) { // recursive array-capable version of quote_smart
    $value = is_array($value) ? array_map('quote_smart_deep', $value) : quote_smart($value);
    return $value;
}

Anyone see any reason for this not to work? Thanks, all.

-AS

Re: Applying quote_smart() to Arrays

am 09.10.2007 05:45:54 von Lars Eighner

In our last episode, <1191888365.432460.71220@22g2000hsm.googlegroups.com>,
the lovely and talented ashore broadcast on comp.lang.php:

> Guys, I'm adapting the ..._deep() approach to apply it to $_GET and/
> or $_POST arrays as follows, as a lazy way to cleanup input before
> posting it to the database - to prevent SQL injections.

> function quote_smart_deep($value) { // recursive array-capable version of quote_smart
>     $value = is_array($value) ? array_map('quote_smart_deep', $value) : quote_smart($value);
>     return $value;
> }

> Anyone see any reason for this not to work? Thanks, all.

It depends upon what function quote_smart() is. There is a function defined
in an example in the manual called quote_smart(). It will not work unless
you have an open link to a database because it uses
mysql_real_escape_string(). Although the second parameter of
mysql_real_escape_string() will default to the last link opened by
mysql_connect(), if that link does not exist, mysql_real_escape_string()
will fail (and so will any function using it such as the quote_smart()
defined in the example or any similar function you might devise that uses
mysql_real_escape_string()).

If you copy quote_smart() from the example or write your own version using
mysql_real_escape_string(), it is best to invoke it as you compose your
query string after you have established your database connection.

--
Lars Eighner
Countdown: 469 days to go.
What do you do when you're debranded?

Re: Applying quote_smart() to Arrays

am 09.10.2007 13:42:14 von Jerry Stuckle

ashore wrote:
> Guys, I'm adapting the ..._deep() approach to apply it to $_GET and/
> or $_POST arrays as follows, as a lazy way to cleanup input before
> posting it to the database - to prevent SQL injections.
>
> function quote_smart_deep($value) { // recursive array-capable version of quote_smart
>     $value = is_array($value) ? array_map('quote_smart_deep', $value) : quote_smart($value);
>     return $value;
> }
>
> Anyone see any reason for this not to work? Thanks, all.
>
> -AS
>

If you're working with a mysql database, use mysql_real_escape_string()
on strings. That's what it's there for (in part, anyway).

And verify that numeric values are actually numeric.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
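The following is an added example, not code from any of the posters, that ties the three posts together: ashore's recursive walk over a $_POST-style array, Lars's point that the escaping function only works once a database link exists, and Jerry's point that numeric values must be checked before being emitted unquoted. It uses the mysqli_* functions rather than the mysql_* ones discussed in the thread, because ext/mysql was removed in PHP 7; the host name and credentials are placeholders, and the $input array is constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumes a reachable MySQL server with
// the placeholder credentials below; mysqli_* replaces the removed mysql_* API.

$link = mysqli_connect('db.example.invalid', 'app_user', 'app_pass', 'app_db');
if ($link === false) {
    // Lars's point: without an open link, real_escape_string cannot work, so
    // stop here instead of silently producing unescaped values.
    die('connect failed: ' . mysqli_connect_error());
}

// The link is passed explicitly instead of relying on an implicit
// "last connection opened" default.
function quote_smart(mysqli $link, $value): string
{
    // Jerry's point: only emit a value unquoted when it really is a number.
    // A strict pattern is used rather than is_numeric(), which also accepts
    // leading whitespace and exponent forms such as "1e3".
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    if (is_string($value) && preg_match('/\A-?\d+(\.\d+)?\z/', $value)) {
        return $value;
    }
    // Everything else is escaped for this link's charset and single-quoted,
    // so it can only ever be interpreted as a string literal in the query.
    return "'" . mysqli_real_escape_string($link, (string) $value) . "'";
}

// Recursive, array-capable version; keys are preserved so the result can be
// addressed exactly like the original $_GET/$_POST structure.
function quote_smart_deep(mysqli $link, $value)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = quote_smart_deep($link, $v);
        }
        return $out;
    }
    return quote_smart($link, $value);
}

// Constructed sample resembling a submitted form with nested fields.
$input = [
    'name'  => "O'Brien",
    'age'   => '42',
    'zip'   => ' 42',            // not a clean number: gets quoted, not passed through
    'tags'  => ['red', 'says "hi"', '7'],
    'extra' => ['note' => "it's fine"],
];

$q = quote_smart_deep($link, $input);
// $q['name']  is 'O\'Brien'   (escaped and quoted)
// $q['age']   is 42           (passed the numeric check, left unquoted)
// $q['zip']   is ' 42'        (quoted because of the leading space)
// $q['tags']  is ['\'red\'', '\'says \"hi\"\'', '7']

$sql = sprintf(
    'INSERT INTO people (name, age, zip) VALUES (%s, %s, %s)',
    $q['name'], $q['age'], $q['zip']
);
mysqli_query($link, $sql);
mysqli_close($link);
```

Two practical notes on this approach. First, the escaped values are only safe in the position the quoting was designed for: a value that has been single-quoted is fine as a string literal, but still cannot be dropped into an identifier, an ORDER BY column or a LIMIT clause. Second, the whole escape-then-interpolate step is avoidable with prepared statements (mysqli_prepare / PDO), which keep query text and data separate and make the "is the link open yet" ordering problem Lars describes disappear; the quoting helper above is best viewed as the legacy pattern the thread is discussing.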