2
foreach ($_POST as $key => $value) {
   $_POST[$key] = mysql_real_escape_string($value);
}
foreach ($_GET as $key => $value) {
   $_GET[$key] = mysql_real_escape_string($value);
}

Hi all,

I protect my DB against SQL injection with the above code. But when I define the "name" for a checkbox like Checkbox_IDS[ ], the form does not post values. How can I solve this issue?

Thank you for your help in advance.

2
  • Also refer to this site: htmlite.com/mysql002a.php for reserved SQL words that can't be used for table columns. Commented Mar 19, 2011 at 0:58
  • I am sorry. My English is not enough. Commented Mar 19, 2011 at 1:02

1 Answer

1

By Checkbox_IDS[] you mean that you encounter array variables. In that case you should use array_walk_recursive, which handles non-flat structures. Look at http://www.php.net/manual/de/security.magicquotes.disabling.php#91653 for some similar examples.

In your case you would do the same but with the appropriate escaping function:

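// Callback for array_walk_recursive: escapes each leaf value in place.
function mysql_real_escape_recursive(&$value)
{
    $value = mysql_real_escape_string($value);
}
// Walks nested arrays such as Checkbox_IDS[] as well as flat values.
array_walk_recursive($_POST, "mysql_real_escape_recursive");
array_walk_recursive($_GET, "mysql_real_escape_recursive");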

Note that unilaterally quoting everything as if it were strings might not be suitable in all cases. You will certainly output some of these variables into an HTML context, where this undifferentiated SQL escaping is a hindrance.


1 Comment

Plus unilaterally changing the contents of the superglobals can mess up any libraries you may be using which depend on getting "virgin" data.
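An added example, not part of the original answer or comment: it shows the alternative both caveats point toward, leaving the superglobals untouched, validating the Checkbox_IDS[] array per field, binding values through placeholders, and applying HTML escaping only at output. The `clean_ids` helper, the `items` table, the constructed `$post` array and the in-memory SQLite database standing in for MySQL are all assumptions made for the demonstration.

```php
<?php
// Added example. Constructed input: what PHP builds from a form with three
// <input type="checkbox" name="Checkbox_IDS[]"> boxes ticked plus a text field.
$post = [
    'Checkbox_IDS' => ['3', '7', "9 OR 1=1"],
    'comment'      => "O'Reilly <b>hi</b>",
];

// Validate per field instead of escaping everything: IDs must be integers.
function clean_ids(array $input, string $field): array
{
    $raw = $input[$field] ?? [];
    if (!is_array($raw)) {
        $raw = [$raw];               // a single non-array value is still accepted
    }
    $ids = [];
    foreach ($raw as $v) {
        if (is_string($v) && ctype_digit($v)) {
            $ids[] = (int) $v;       // anything that is not all digits is dropped
        }
    }
    return $ids;
}

// In-memory SQLite stands in for the MySQL database (assumption for the demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, note TEXT)');
$db->exec("INSERT INTO items (id, note) VALUES (3, 'a'), (7, 'b'), (9, 'c')");

$ids = clean_ids($post, 'Checkbox_IDS');
if ($ids !== []) {
    // One placeholder per ID; the values never become part of the SQL text.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $db->prepare("UPDATE items SET note = ? WHERE id IN ($marks)");
    $stmt->execute(array_merge([$post['comment']], $ids));
}

// HTML context gets HTML escaping, applied to the stored value at output time.
foreach ($db->query('SELECT id, note FROM items ORDER BY id') as $row) {
    echo $row['id'], ': ', htmlspecialchars($row['note'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The third checkbox value is rejected by validation rather than escaped, so the row with id 9 is left unchanged, and the comment is stored verbatim and only encoded when written into HTML.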
