I was wondering is it possible to just my_sql_escape string the whole $_POST and $_GET array so you dont miss any variables?
Not sure how to test it or I would’ve myself. Thanks!
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I was wondering is it possible to just my_sql_escape string the whole $_POST and $_GET array so you dont miss any variables?
Not sure how to test it or I would’ve myself. Thanks!
I would use the
array_walk()function. It’s better suited because modifies the POST superglobal so any future uses are sanitized.However, make sure that you don’t rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. Ex. Email’s don’t have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don’t have parenthesis in them (so only allow letters and selected special characters)
EDIT: Changed
array_walk()toarray_walk_recursive()thanks to @Johan’s suggestion. Props to him.