Home/ Questions/Q 7789829
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T21:24:48+00:00

I have a lot of files which have things like 1- mysql_query(update … $_POST[‘foo’]

  • 0

I have a lot of files which have things like

1- mysql_query("update ... $_POST['foo'] ...");

I want to transform that to this

2- $foo = mysql_real_escape_string($_POST['foo']);
3- mysql_query("update ... $foo ...");

I had the idea to open each file, select the text $_POST['foo'] (form 1-) press a key combination, and then some tool automatically:

  • put on my clipboard mysql_real_escape_string($_POST['foo']); (for adding in 2-)
  • replace the text in 1- with the text in 3-

Then manually write $foo = and press ctrl+v to generate 2-

I’m trying with notepad++ and a plugin called fingertext, and trying to make a macro, but had no success.

Any suggestion?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    $_POST = sanitize($_POST);
$_GET = sanitize($_GET);

    function sanitize($input) {
        if (is_array($input)) {
            foreach($input as $var=>$val) {
                $output[$var] = sanitize($val);
            }
        } else {
            if (get_magic_quotes_gpc()) {
                $input = stripslashes($input);
            }
            $output = mysql_real_escape_string($input);
        }
        return $output;
    }

    It’s not perfect, but if you have a lot of unsecure pages and need a quick fix to make them all secure, you can put this after connecting to mysql. also, keep in mind that if your query has unquoted numbers variables, you will have to either validate that they are numbers, or type cast them before using them in your query. mysql_real_escape_string() only works on quoted values (ie blah_column = ‘value’, but not blah_column = value).

    • 0