is this at least mildly secure php code?#1
I have a BUNCH of $_POST variables being sent in via a long form and instead of hard coding each one with a mysql_escape_string() is it ok for me to do the following? I don't know if this is actually safe and/or viable code.

foreach ($_POST as &$post_item) {
    // &$post_item is a reference, so this overwrites the element inside $_POST itself
    $post_item = mysql_escape_string($post_item);
}
unset($post_item); // break the reference the loop leaves on the last element


I'm fairly certain that because I'm using the &, it's passing it in by reference, not value, so I'm actually changing the value in the $_POST.

Also, should I use mysql_real_escape_string() instead?

EDIT: I am using PDO and prepare() along with the above method. Does this take care of it for me?

posted date: 2009-04-16 21:32:00


Re: is this at least mildly secure php code?#2
I have worked out the solution to this problem. Click to view my topic...

Hope that helps.

posted date: 2009-04-16 21:32:01


Re: is this at least mildly secure php code?#3
Why not use array_map()?

$_POST = array_map('mysql_real_escape_string', $_POST); // callback name must be a string; array_map returns a new array

But in reality you should be using parametrized/prepared statements.

mysql_real_escape_string() takes the current database character set into account, mysql_escape_string() does not. So the former is the better alternative in comparison.

Edit (following up the OP's edit to the question):

Since you already do PDO prepared statements, there is no need to modify your values. PDO takes care of everything, that's the whole point of it (if you really put all data in parameters, that is - just concatenating strings to build SQL statements leads to disaster with PDO or without). Escaping the values beforehand would lead to escaped values in the database.

posted date: 2009-04-16 21:37:00
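As an added illustration of the three cases answer #3 contrasts (concatenating, binding a parameter, and escaping before binding), here is example code that is not from the thread; it assumes PHP with the pdo_sqlite driver so it runs offline without a MySQL server, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL link.

```php
<?php
// Added example, not from the thread. An in-memory SQLite database via PDO is an
// assumption made so the script runs offline; with MySQL only the DSN changes.
// addslashes() stands in for mysql_real_escape_string(), which needs a MySQL link.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O''Brien')");

// Constructed input standing in for a raw $_POST value.
$input = "x' OR '1'='1";

// 1. Concatenation: the quote inside $input closes the string literal and the rest
//    becomes SQL, so the WHERE clause is true for every row. Shown only for contrast.
$sql  = "SELECT name FROM users WHERE name = '$input'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated query matched %d user(s)\n", count($rows));

// 2. Prepared statement with a bound parameter: the value is sent as data and is
//    never parsed as SQL, so the same input matches no row. No escaping call at all.
$stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
$stmt->execute([':name' => $input]);
printf("parameterised query matched %d user(s)\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));

// 3. Escaping *and then* binding (the OP's foreach loop followed by prepare()): the
//    backslash the escape function adds is stored as part of the data, so the row
//    can no longer be found by the name the user actually typed.
$name = "O'Brien";
$ins  = $db->prepare("INSERT INTO users (name) VALUES (:name)");
$ins->execute([':name' => addslashes($name)]);   // stores the text O\'Brien

$sel = $db->prepare("SELECT COUNT(*) FROM users WHERE name = :name");
$sel->execute([':name' => $name]);
printf("rows equal to %s: %d (only the original insert)\n", $name, $sel->fetchColumn());
$sel->execute([':name' => addslashes($name)]);
printf("rows equal to %s: %d (the mangled copy)\n", addslashes($name), $sel->fetchColumn());
```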


Re: is this at least mildly secure php code?#4
Yes, you should be using mysql_real_escape_string(), if you're going to go that route. But the correct way to make sure the variables are safe to send to the database is using Parameterized Queries which are provided in PHP through either the mysqli functions or PDO.

posted date: 2009-04-16 21:41:00


Re: is this at least mildly secure php code?#5
In addition to the previous comments, another benefit to using parameterised queries is that the database will be able to do better optimisations and probably use a cached query plan so you will get better performance.

posted date: 2009-04-16 21:47:00


Re: is this at least mildly secure php code?#6
In PHP5 nothing is passed by value. Everything is passed by reference.

posted date: 2009-04-16 21:53:00


Re: is this at least mildly secure php code?#7
See edit, I am using PDO.

posted date: 2009-04-16 21:55:00


Re: is this at least mildly secure php code?#8
I think in fact only objects and resources are by default passed by reference.

posted date: 2009-04-16 23:05:00


Re: is this at least mildly secure php code?#9
If you are using PDO and prepared statements you should not use mysql_real_escape_string at all.

posted date: 2009-04-16 23:09:00

