0

I normally just use mysql_real_escape_string on every variable before inserting to my database, so for example:

    $first_name = mysql_real_escape_string($first_name); // Bill
    $last_name  = mysql_real_escape_string($last_name);  // O'Rielly
    $email      = mysql_real_escape_string($email);      // [email protected]

    $insert = mysql_query("
                  INSERT INTO `users` (first_name, last_name, email)
                  VALUES ('$first_name', '$last_name', '$email')
              ") or die(mysql_error());

But on some forms I could have possibly 20 different variables I want to escape, so I was hoping there was a way I could use an array, run it through a function to escape each one. Then make the original variables ($first_name, $last_name, $email) have the value of the escaped string from the array. I came up with the following, but this is as far as I have gotten.

    $form_array = array($first_name, $last_name, $email);

    print_r($form_array);
    echo("<br />".$last_name."<br />");

    function cleanInput($array) {
        return array_map('mysql_real_escape_string', $array);
    }

    $clean_array = cleanInput($form_array); 

    print_r($clean_array);
    echo("<br />".$clean_array[1]."<br />");

Which outputs the following:

    Array ( [0] => Bill [1] => O'Rielly [2] => [email protected] ) 
    O'Rielly
    Array ( [0] => Bill [1] => O\'Rielly [2] => [email protected] ) 
    O\'Rielly

So, we can see that it's escaping properly, but I'm stumped with the whole making $first_name have the value of $clean_array[0], $last_name have the value of $clean_array[1] etc.

I know of course I could just write:

    $first_name = $clean_array[0];
    $last_name = $clean_array[1];

But it kinda makes it pointless of having this array/function there at all since I might as well just escape each variable/string separately how I always have done. So I was hoping there was a way I could do some sort of loop in the function to do this dynamically depending on what's in the array.

Because then when it comes to doing validation in the future I can just

  • Assign all $_POST data to variables
  • Put them variables in an array
  • Run the array through the function and all original $_POST variables now have the escaped value from the function
  • Use the insert method mentioned at the start using the original names of the variables $first_name, $last_name etc.

Rather then:

    $insert = mysql_query("
                  INSERT INTO `users` (first_name, last_name, email)
                  VALUES ('$clean_array[0]', '$clean_array[1]', '$clean_array[2]')
              ") or die(mysql_error());

Is this possible?

Update

From hakre's post about the compact and extract functions, I've now come up with the following:

    $array = compact(array("first_name", "last_name", "email"));
    echo("<strong>Before:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."<br /><br />");

    extract(array_map('mysql_real_escape_string', $array), EXTR_OVERWRITE);
    echo("<strong>After:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."");

Which outputs the following details how I would like them:

Before:

First Name: Bill

Last Name: O'Rielly

Email: [email protected]

After:

First Name: Bill

Last Name: O\'Rielly

Email: [email protected]

I've tried putting extract into a function but it doesn't work the same?

    function cleanInput($array) {

        $clean_array = extract(array_map('mysql_real_escape_string', $array), EXTR_OVERWRITE);
        return $clean_array;

    }

    $array = compact(array("first_name", "last_name", "email"));
    echo("<strong>Before:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."<br /><br />");

    cleanInput($array);
    echo("<strong>After:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."");

I'm sure I have to return the extract function, but I've tried a few different things and it's either not giving any output or $last_name is just printing the unescaped value.

Improve this question

2 Answers 2

Reset to default
2

You might be interested in compact and extract. Both allow you to handle variables as an array. Array is comfortable, because your can repeat the single action onto all values.

Example:

$vars = array('first_name', 'last_name', 'email');

$first_name = $last_name = $email = 'just some init value';

$array = compact($vars);

foreach($array as &$value)
    $value = str_shuffle($value);
unset($value);

extract($array);

printf("First: %s; Last: %s; Email: %s", $first_name, $last_name, $email);

Output:

First:  sjivus enta metluoi; Last: i evounes tliuat smj; Email: tleetnumav siuijo s
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Only just read quickly through the documentation on these as I'm a little busy at the minute but this looks like what I'm after! I'll get back in touch once I've had a mess around later, thank you!
hakre, I've had a fiddle around with compact and extract and I've got a working example, but not 100% how I want it, I've updated my question with what I've got so far, would you be able to have a look and if you could give me a little more insight on where to go from here? +1 for showing me those 2 functions!
You're using it wrong because a function has it's own variable table. Compact and extract are offering some basic variable handling functionality. You should use them wisely to make them do what you want. I didn't meant that these solve your problem or the design issue you face completely.
1 
function dbSet($fields, $source = array()) {
  $set = '';
  if (!$source) $source = &$_POST;

  foreach ($fields as $field) {
    if (isset($source[$field])) {
      $set.="`$field`='".mysql_real_escape_string($source[$field])."', ";
    }
  }
  return substr($set, 0, -2); 
}

this piece of code is called a function. And functions, although only very few PHP users have an idea of them, is a very, very powerful thing. It can make your code short and readable, and save you hours of typing.

So, having this function in your configuration file, you'll have to type as little as

$fields = explode(" ","name surname lastname address zip fax phone");
$query  = "INSERT INTO table SET ".dbSet($fields);

note the $fileds array. I hope it's self-explanatory though

Well, after some clarification in comments, I can extend my answer.

The best way to get rid of constant escaping is to get rid if it. Either create your own or make use of some existing DB abstraction library which will do all escaping for you.

Say a code to check for existing username would be looks like

$username_exists=$db->getOne("SELECT id FROM users WHERE name=?",$_POST['name']);
if ($username_exists) // do stuff.

where $_POST['name'] would be properly formatted either by utilizing native prepared statements or proper escaping/casting/whitelisting.

So, no need to care about manual escaping at all.
That is also the exact point of the function I posted at first.

Improve this answer

4 Comments

Doesn't that do what mine already does? Except you just insert it slightly differently to the DB? Sorry if I've misunderstood it! Its just I want to have each variable to go through the function but be returned with the escaped value under the original name of that variable. Cause I want to be able to then go on and perform other checks with each variable individually, which is why I want them separated.
you cannot do any checks after escaping. escaping should be the the very last operation before inserting data to the database.
Sorry I should of explained, what I meant was I want to do checks such as a query to see if the email is already in use by another member, things like that, which is why it's required that I can somehow separate them. Because I don't want to check all of them like first and last names as they can be duplicates, but emails, usernames etc cannot. So surely for my email check query it needs to be escaped before hand?
I have added to my answer a possible solution. Hoewever, you can still keep your way by utilizing the idea of whitelisted field names.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.