...

Automatic $_POST Variable Escaping

Velox Letum
01-04-2006, 12:14 AM
On a few of my sites, I use a small snippet of code to automatically escape all $_POST variables (also $_GET variables) to be safe to use in MySQL queries. It's made up of two parts. The first is the code that checks to see if $_POST (or $_GET) is empty; second is the escaping function which either uses array_walk_recursive() or array_map() depending on your PHP version.

Also, a word of warning. mysql_real_escape_string() requires an active MySQL connection to function, so be sure to place the variable check snippet after your database connection string.

Variable check:
if (!empty($_POST) && is_array($_POST)) {
    recurse_escape_mysql($_POST);
}


recurse_escape_mysql():

function recurse_escape_mysql(&$var, $key = NULL){
    if (function_exists('array_walk_recursive')) {
        if(is_array($var)){
            array_walk_recursive($var, 'recurse_escape_mysql');
        } else {
            if (get_magic_quotes_gpc()) {
                $var = stripslashes($var);
            }
            $var = mysql_real_escape_string($var);
        }
    } else {
        if(is_array($var)){
            $var = array_map('recurse_escape_mysql', $var);
        } else {
            if (get_magic_quotes_gpc()) {
                $var = stripslashes($var);
            }
            $var = mysql_real_escape_string($var);
        }
        return $var;
    }
}
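The same "escape every leaf of the request array" idea, as an added example that is not code from this thread, written for PHP 7/8 where the mysql_* extension and magic quotes no longer exist. Because mysql_real_escape_string() is gone and its mysqli replacement needs an open connection, the escaper is passed in as a callable; the offline demo uses addslashes() as a stand-in, and the commented production wiring assumes an already-opened mysqli handle named $link. The second half shows the double-escaping mistake the magic-quotes check in the post guards against.

```php
<?php
// Added example (not from the thread): recursive request escaping for PHP 7/8.
// $link in the production comment at the bottom is an assumed open mysqli handle.

/**
 * Escape every scalar leaf of a request array in place.
 *
 * @param array    $input          the (possibly nested) request array, e.g. $_POST
 * @param callable $escape         string -> string escaper for the SQL string-literal sink
 * @param bool     $hadMagicQuotes true if the values already carry magic-quote slashes
 */
function escape_request_recursive(array &$input, callable $escape, bool $hadMagicQuotes = false): void
{
    array_walk_recursive($input, function (&$leaf) use ($escape, $hadMagicQuotes) {
        if ($leaf === null || is_bool($leaf)) {
            return;                        // nothing to escape
        }
        $leaf = (string) $leaf;
        if ($hadMagicQuotes) {
            // undo magic quotes first; escaping an already-slashed value escapes
            // every quote twice and stores corrupted data
            $leaf = stripslashes($leaf);
        }
        $leaf = $escape($leaf);
    });
}

// Constructed sample request, nested the way PHP parses name="user[tags][]" fields.
$post = [
    'name' => "O'Brien",
    'user' => ['tags' => ["it's", 'plain'], 'bio' => 'a "quoted" line'],
    'page' => 2,
];

$demoEscape = 'addslashes';   // offline stand-in for the mysqli escaper

$escaped = $post;
escape_request_recursive($escaped, $demoEscape);
echo "Escaped request:\n", var_export($escaped, true), "\n";

// What a server with magic_quotes_gpc=On would have delivered: slashes already present.
$magicQuoted = ['name' => addslashes("O'Brien")];

$twice = $magicQuoted;
escape_request_recursive($twice, $demoEscape, false);   // wrong: the slashes are doubled
$once = $magicQuoted;
escape_request_recursive($once, $demoEscape, true);     // right: stripped, then escaped once
echo "Double-escaped: {$twice['name']}\nEscaped once:   {$once['name']}\n";

// Production wiring (assumes $link = mysqli_connect(...) already succeeded):
// $escape = fn(string $s): string => mysqli_real_escape_string($link, $s);
// escape_request_recursive($_POST, $escape);
```

The escaped copy is safe for exactly one sink, a MySQL string literal; the same value echoed into HTML or used as a file name is unprotected there and now carries stray backslashes. That is the usual argument for escaping at the query, or binding values with prepared statements, rather than rewriting the request array at input time.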

missing-score
01-04-2006, 02:58 AM
function cleanVar( &$var ){
    if( is_array( $var ) ){
        $var = array_map( "cleanVar", $var );
    } else {
        $var = stripslashes( $var );
    }
    return $var;
}

// get_magic_quotes_gpc() reports whether PHP already added the slashes
if( get_magic_quotes_gpc() ){
    cleanVar( $_POST );
    cleanVar( $_GET );
    cleanVar( $_COOKIE );
}


is what I use :)

Velox Letum
01-04-2006, 03:58 AM
Hmm, array_walk_recursive() works fine for PHP5, but since array_map() works on PHP4 I'll adapt your code a bit to make a wrapper. =)

missing-score
01-04-2006, 04:09 AM
function array_walk_recursive( &$input, $funcname, $userdata = NULL ){
    foreach( $input as $key => $data ){
        if( is_array( $data ) ){
            array_walk_recursive( $input[$key], $funcname, $userdata );
        } else {
            // hand the callback $input[$key] rather than the copy in $data, so a
            // callback that takes its first argument by reference modifies the array
            if( is_array( $funcname ) ){
                $obj = $funcname[0];
                $method = $funcname[1];
                $obj->$method( $input[$key], $key, $userdata );
            } else {
                $funcname( $input[$key], $key, $userdata );
            }
        }
    }
}

array_walk_recursive for PHP4 servers... if you use the code above, but put it inside:

if( !function_exists( 'array_walk_recursive' ) ){ /* CODE ABOVE HERE */ }

You can safely use it in PHP4 and PHP5 environments.

Velox Letum
01-04-2006, 04:22 AM
Indeed...I was writing one earlier, but took a break. I did some testing and I found with smaller arrays array_map() actually performed faster than array_walk_recursive(), but then once it started getting larger arrays array_walk_recursive() was faster.

missing-score
01-04-2006, 04:24 AM
Hmm... interesting. Obviously, the code posted above is not going to be as efficient as the built-in function because, like all PHP functions, they are embedded into the PHP core and will pretty much always be faster than custom coded functions or wrappers. Useful for PHP 4 though; I wrote another function for backwards compatibility that emulated http_build_query.

Velox Letum
01-04-2006, 04:29 AM
You should post an array_walk_recursive() wrapper that checks if array_walk_recursive() exists, and if not uses the PHP4 code above, here in the forum. I know I was puzzling a bit over making a PHP4 array_walk_recursive() emulation...I see now that I did manage it, but mine isn't nearly as pretty.

Element
01-04-2006, 04:33 AM
Just to pop in here, about function checking: can you check if the function exists within the function? Let's say you make a function like file() and file() exists; inside the function it would find that file() already exists and then just use file() instead of the custom function. (file() is an example, not what I'm doing, just a general question.)

like maybe:



function file ($handle) {
    if(function_exists("file")) {
        $return = file($handle);
    } else { // ...

Velox Letum
01-04-2006, 04:42 AM
No, you can't redeclare functions (to my knowledge). You can declare them if they don't exist though.

missing-score
01-04-2006, 04:50 AM
Personally I prefer to redeclare the function if the existing function doesn't exist only once, as if you use the function a lot there could be a performance decrease for PHP5.

However, I have written a simple wrapper function here called "recursive_array_walk", which functions exactly the same as array_walk_recursive(). I also added in the same error checking and triggered errors as the real function:

function recursive_array_walk( &$input, $funcname, $userdata = NULL ){
    if( !function_exists( 'array_walk_recursive' ) ){
        if( !is_array( $input ) ){
            trigger_error( 'The argument should be an array', E_USER_WARNING );
            return false;
        }
        foreach( $input as $key => $data ){
            if( is_array( $data ) ){
                if( false === recursive_array_walk( $input[$key], $funcname, $userdata ) ){
                    return false;
                }
            } else {
                // hand the callback $input[$key], not the copy in $data, so by-reference
                // callbacks (such as an escaper) change the array itself
                if( is_array( $funcname ) ){
                    $obj = $funcname[0];
                    $method = $funcname[1];
                    if( method_exists( $obj, $method ) ){
                        $obj->$method( $input[$key], $key, $userdata );
                    } else {
                        trigger_error( 'Unable to call ' . get_class($obj) . "::$method() - function does not exist", E_USER_WARNING );
                        return false;
                    }
                } else {
                    if( function_exists( $funcname ) ){
                        $funcname( $input[$key], $key, $userdata );
                    } else {
                        trigger_error( "Unable to call $funcname() - function does not exist", E_USER_WARNING );
                        return false;
                    }
                }
            }
        }
        return true; // same result as the real function on success
    } else {
        return array_walk_recursive( $input, $funcname, $userdata );
    }
}
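Both emulations in this thread (the PHP4 array_walk_recursive() above and recursive_array_walk() here) hinge on one detail: the callback must receive a reference into the array, because a copy of the element silently discards whatever a by-reference callback such as an escaper did. The block below is an added example, not code from the thread, written for PHP 7.4+. It walks with foreach-by-reference, forwards $userdata only when the caller supplied it (as the builtin does), and checks itself against the real array_walk_recursive() on the same nested input. addslashes() stands in for the SQL escaper so nothing needs a database.

```php
<?php
// Added example (not from the thread): a by-reference array_walk_recursive()
// emulation compared against the builtin. Requires PHP 7.4+ (typed property).

function walk_recursive_compat(array &$input, callable $callback, ...$userdata): bool
{
    foreach ($input as $key => &$value) {           // &$value: reference into $input, not a copy
        if (is_array($value)) {
            walk_recursive_compat($value, $callback, ...$userdata);
        } else {
            $callback($value, $key, ...$userdata);  // callback may rewrite $value in place
        }
    }
    unset($value);   // drop the dangling reference that foreach-by-reference leaves behind
    return true;
}

// By-reference callback of the kind the thread uses: escape the leaf in place.
// $prefix is only there to show that userdata reaches the callback.
function escape_leaf(&$leaf, $key, string $prefix = ''): void
{
    $leaf = $prefix . addslashes((string) $leaf);
}

// An [object, 'method'] callback, to show that form works too.
class LeafCounter
{
    public int $seen = 0;
    public function tally(&$leaf, $key): void { $this->seen++; }
}

// Constructed sample, nested the way PHP parses name="a[b][]" form fields.
$sample = ['a' => ['b' => ["it's", 'x']], 'c' => 'say "hi"'];

$builtin = $sample;
array_walk_recursive($builtin, 'escape_leaf');

$emulated = $sample;
walk_recursive_compat($emulated, 'escape_leaf');

// If the references propagate, both walks leave the array identical.
echo "Emulation matches builtin: ", var_export($builtin === $emulated, true), PHP_EOL;

// With userdata: the extra argument is forwarded to every leaf call.
$withData = $sample;
walk_recursive_compat($withData, 'escape_leaf', 'pfx:');
echo "With userdata: ", var_export($withData, true), PHP_EOL;

$counter = new LeafCounter();
walk_recursive_compat($sample, [$counter, 'tally']);
echo "Leaves visited: ", $counter->seen, PHP_EOL;
```

A direct call through a variable or array callable ($callback($value, ...)) keeps by-reference parameters intact; call_user_func() would not, which is why the emulation avoids it.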

missing-score
01-04-2006, 04:54 AM
No, you can't redeclare functions (to my knowledge). You can declare them if they don't exist though.
No, you can't redeclare functions :)

If you want to do it like this, do it like I did... give the function a similar name, or create your own class for handling wrapper functions, like so:



class My {

    function file( $file, $bool_use_include_path = false ){
        if( function_exists( 'file' ) ){
            return file( $file, $bool_use_include_path );
        } else {
            // Do whatever else you want to do...
        }
    }

}

// and then call

$file = My::file( "filename.php" );



You should only use this for functions you expect not to be available...

marek_mar
01-04-2006, 10:09 AM
No, you can't redeclare functions :)

http://www.php.net/manual/en/ref.runkit.php

missing-score
01-04-2006, 10:13 AM
http://www.php.net/manual/en/ref.runkit.php
WOW :eek: :eek: :eek: :eek: :eek:

Heheh, cheers, I'll be playing with this now ;)

marek_mar
01-04-2006, 10:16 AM
PHP will surprise you with lots of things. :cool:
I just remembered that as I now have a non-windows server I could play with that too...

Velox Letum
01-04-2006, 10:20 AM
O_O! Me too. Brings a whole new meaning to a transparent wrapper. I really like the sandboxing too, being able to execute other code (such as user code) in a separate thread, that way it can't affect your script...nice. That'd be especially useful for a script that might analyze your code and see where the bottlenecks are.

firepages
01-04-2006, 03:45 PM
I love PHP because it's always simpler than you might expect ...

<?php
if(!function_exists('glob')){
    function glob($pattern){
        //write your own glob routine here//
    }
}
?>

does not cause the errors you may at first expect!

the recursive cleaner I use... (GPC_ON is set in config if the server has magic_quotes runtime or GPC turned on)

<?php
function clean(&$arr){
    foreach($arr as $k=>$v){
        if(!is_array($v)){
            if(defined('GPC_ON')){
                // undo magic quotes first so the value is not escaped twice
                $v=stripslashes($v);
            }
            // escape the stripped value, not the original copy that still carried the slashes
            $arr[$k]=mysql_real_escape_string($v);
        }else{
            clean($arr[$k]);
        }
    }
}
clean($_POST);
?>

Velox Letum
01-04-2006, 11:24 PM
the recursive cleaner I use... (GPC_ON is set in config if the server has magic_quotes runtime or GPC turned on)

This is a nice, simple function. I like it...much more simple than my wrapper. I never knew there was a constant I could use to detect runtime or gpc either.

firepages
01-05-2006, 02:39 AM
I never knew there was a constant I could use to detect runtime or gpc either.

Sorry, I was not clear. AFAIK there isn't; it's one I set myself in a global config file with calls to get_magic_quotes_runtime() and get_magic_quotes_gpc().

Velox Letum
01-05-2006, 03:50 AM
Sorry, I was not clear. AFAIK there isn't; it's one I set myself in a global config file with calls to get_magic_quotes_runtime() and get_magic_quotes_gpc().

Ahh okay. Smart, that. =)
