
I am attempting to update multiple records using one form, but have run into a problem in attempting to use the addslashes function.

The form looks like this:

<form name="form1" method="post" action="editnewscategorysubmit.php">
<table width="405">
<tr>
<td width="246"><span class="link1">News Category </span></td>
<td width="146" colspan="2"><span class="link1">Delete?</span></td>
</tr>
<tr>
<td>
<input type='text' name='title[]' value='$title' style='width:700px;'>
<input type='hidden' name='id[]' value='$id'>
</td>
<td>
<div style='padding-left:8px;'><a onclick='return confirmSubmit()' href='deletenewscategory.php?id=$id'><img src='images/delete.jpg' border='0'></a></div>
</td>
</tr>                               
<tr>
<td><input name="image" type="image" src="images/submit.png" alt="Submit Form" border="0" /></td>
<td colspan="2">&nbsp;</td>
</tr>
</table>
</form>

The PHP code that processes this looks like this:

$identity = $_REQUEST['id'];
$title = addslashes($_REQUEST['title']);
include 'connection.php';
for($i=0;$i<count($identity);$i++)
{
    $query = "update newscategory set title = '$title[$i]' where id = '$identity[$i]'";
    $result = mysql_query($query) or die(mysql_error());
}
echo "Success. The news categories were updated.";
include 'return.php';

The warning that is returned is:

Warning: addslashes() expects parameter 1 to be string, array given in /home/u180175506/public_html/editnewscategorysubmit.php on line 71

What I am trying to do is apply addslashes (or, from what I'm reading, mysql_real_escape_string is preferred!) to each value prior to updating the table. Is there something I'm missing? Thanks!

  • You shouldn't be using mysql_* functions any more; they were replaced 10 years ago... Commented Oct 6, 2013 at 16:03
  • I'm fine with you using mysql_ functions (provided you are aware of the caveats), but using addslashes() to escape query parameters is a really, REALLY bad idea. Commented Oct 6, 2013 at 16:18

3 Answers


Function:

function addslashes_recursive( $data )
{
    // addslashes() only accepts strings, so descend into arrays; calling
    // this function (not addslashes) on each element makes it work for
    // nested arrays too, instead of repeating the "array given" warning.
    if ( is_array( $data ) )
    {
        return array_map( 'addslashes_recursive', $data );
    }
    else
    {
        return addslashes( $data );
    }
}

Single line

$array = array_map( 'addslashes', $array );



There are multiple ways to run some function over an array. A simple loop:

$stillNotSafeData = array();
foreach ($_REQUEST as $key => $value) {
    if (!is_array($value)) {
        $stillNotSafeData[$key] = addslashes($value);
    } else {
        foreach ($value as $innerKey => $innerValue) {
            $stillNotSafeData[$key][$innerKey] = addslashes($innerValue);
        }
    }
}

Or using array_walk_recursive:

array_walk_recursive($_REQUEST, function(&$item, $key) {
    $item = addslashes($item);
});

But as you already note, you should not use addslashes for this. However, once you have a valid connection to MySQL using the mysql_* functions, you can do the same thing using mysql_real_escape_string().

But you shouldn't do that either. The mysql_* functions have been officially deprecated for some time now (and will be removed from the language core in less than a year).

Besides the fact that it will be removed soon, there are also some "edge" cases which get around it: SQL injection that gets around mysql_real_escape_string()

Long story short: stop using the mysql_* functions.

What you really want to do is use either mysqli or PDO. These support prepared statements and bound parameters. This post will help you with this: How can I prevent SQL injection in PHP?

3 Comments

  • +1 for the array_walk_recursive solution. Works fine. I use it for the $_POST and $_GET variables when magic quotes are disabled on the server.
  • magic quotes? in 2019? Please don't use magic quotes and definitely don't try to emulate it. It should have never been a thing. Escape/encode/sanitize your data properly for the specific context you are using it in.
  • The context is old software.
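The answer above recommends PDO or mysqli with bound parameters instead of escaping. The following is an added example, not code from the question or from any of the answers: the question's update loop rewritten with PDO prepared statements, so the id[] and title[] arrays never need addslashes at all. It runs against an in-memory SQLite database so it works stand-alone; with MySQL only the DSN and credentials change. The table and column names and the form field names come from the question; the sample rows, the `openDb`/`updateCategories` helper names and the simulated `$post` array are constructed for this example.

```php
<?php
// Added example (not from the question or answers): multi-row UPDATE with
// PDO prepared statements. Uses sqlite::memory: so it runs stand-alone.

function openDb(): PDO {
    // Throw exceptions on any error instead of silently returning false.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // On MySQL also add PDO::ATTR_EMULATE_PREPARES => false (and a
    // charset=utf8mb4 DSN) so the server, not the client, binds parameters.
    $pdo->exec('CREATE TABLE newscategory (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $seed = $pdo->prepare('INSERT INTO newscategory (id, title) VALUES (:id, :title)');
    // Constructed sample rows.
    foreach ([1 => 'Local', 2 => 'Sport', 3 => 'World'] as $id => $title) {
        $seed->execute([':id' => $id, ':title' => $title]);
    }
    return $pdo;
}

/**
 * Update many rows from the parallel id[]/title[] arrays the form posts.
 * User input is only ever passed as a bound parameter, never concatenated
 * into the SQL text. Returns the number of rows changed.
 */
function updateCategories(PDO $pdo, array $ids, array $titles): int {
    if (count($ids) !== count($titles)) {
        throw new InvalidArgumentException('id[] and title[] must be the same length');
    }
    // Prepare once, execute once per row.
    $stmt = $pdo->prepare('UPDATE newscategory SET title = :title WHERE id = :id');
    $changed = 0;
    $pdo->beginTransaction();                       // all rows or none
    try {
        foreach ($ids as $i => $rawId) {
            // Validate the id as an integer: a non-numeric id is a bad
            // request to reject, not a string to escape.
            $id = filter_var($rawId, FILTER_VALIDATE_INT);
            if ($id === false || !array_key_exists($i, $titles)) {
                throw new InvalidArgumentException("invalid id at index $i");
            }
            $stmt->bindValue(':id', $id, PDO::PARAM_INT);
            $stmt->bindValue(':title', (string) $titles[$i], PDO::PARAM_STR);
            $stmt->execute();
            $changed += $stmt->rowCount();
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $changed;
}

// Simulated $_POST from the form in the question (constructed data). The
// last title would break the original string-concatenated query.
$post = [
    'id'    => ['1', '2', '3'],
    'title' => ["Local News", "Sport's Corner", "World'; DROP TABLE newscategory; --"],
];

$pdo = openDb();
$n = updateCategories($pdo, $post['id'], $post['title']);
echo "$n rows updated\n";

// Bound values are stored literally: the table still exists and the
// quote and semicolon are just characters in the title.
foreach ($pdo->query('SELECT id, title FROM newscategory ORDER BY id') as $row) {
    echo "{$row['id']}: {$row['title']}\n";
}
```

Note that the example reads from `$_POST` rather than `$_REQUEST`: the form posts, and `$_REQUEST` would also accept the same parameters from the query string or cookies.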
$title = array_map('addslashes', $_REQUEST['title']);

http://php.net/manual/en/function.array-map.php

Of course there are other ways to apply a function to each array element. You can foreach() over it and apply addslashes() to each value, or assign $var = addslashes($title[$i]) in your for loop.

