  1. #1
    Senior Coder

    Automatic $_POST Variable Escaping

    On a few of my sites, I use a small snippet of code to automatically escape all $_POST variables (also $_GET variables) to be safe to use in MySQL queries. It's made up of two parts. The first is the code that checks to see if $_POST (or $_GET) is empty; second is the escaping function which either uses array_walk_recursive() or array_map() depending on your PHP version.

    Also, a word of warning. mysql_real_escape_string() requires an active MySQL connection to function, so be sure to place the variable check snippet after your database connection string.

    Variable check:
    PHP Code:
    if (!empty($_POST) && is_array($_POST)) {
        recurse_escape_mysql($_POST);
    }

    recurse_escape_mysql():
    PHP Code:
    function recurse_escape_mysql(&$var, $key = NULL) {
        if (function_exists('array_walk_recursive')) {
            // PHP 5: walk the array in place; each leaf arrives here by reference
            if (is_array($var)) {
                array_walk_recursive($var, 'recurse_escape_mysql');
            } else {
                if (get_magic_quotes_gpc()) {
                    // undo magic quotes first so the value is not escaped twice
                    $var = stripslashes($var);
                }
                // needs an open mysql_connect() link; the mysql extension was
                // removed in PHP 7 (mysqli_real_escape_string() is the equivalent)
                $var = mysql_real_escape_string($var);
            }
        } else {
            // PHP 4: array_map() hands the callback a copy, so the escaped
            // value has to be returned and assigned back
            if (is_array($var)) {
                $var = array_map('recurse_escape_mysql', $var);
            } else {
                if (get_magic_quotes_gpc()) {
                    $var = stripslashes($var);
                }
                $var = mysql_real_escape_string($var);
            }
        }
        // returned for the array_map() path; the reference covers the other one
        return $var;
    }

    Last edited by Velox Letum; 01-04-2006 at 04:25 AM.
    "$question = ( to() ) ? be() : ~be();"
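    Added example, not from the thread: the same recursive walk with the escaper passed in as a callable, so the traversal and the magic-quotes step can be exercised without a MySQL link. addslashes() stands in here for mysqli_real_escape_string(), and escape_recursive() is a name chosen for this example.

```php
<?php
// Added example (not the thread's code): recursive escaping of a request
// array with the escaper injected, so it runs without a database connection.
// In production the escaper would be a closure around mysqli_real_escape_string()
// bound to the open link, because the correct escaping depends on the
// connection charset; addslashes() is only an offline stand-in.

function escape_recursive(array &$input, callable $escape)
{
    array_walk_recursive($input, function (&$value) use ($escape) {
        // Only strings are escaped. Leaving ints/null untouched matters:
        // escaping protects a value inside a quoted SQL string literal only,
        // so a number used unquoted must stay a real number.
        if (is_string($value)) {
            // get_magic_quotes_gpc() was removed in PHP 8; guard the call so
            // the stripslashes() step runs only where magic quotes can exist.
            if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }
            $value = $escape($value);
        }
    });
}

// Constructed sample request: nested form fields carrying quote characters.
$post = [
    'user'  => ['name' => "O'Brien", 'tags' => ['a"b', 'plain']],
    'count' => 3,
];
escape_recursive($post, 'addslashes');

assert($post['user']['name'] === "O\\'Brien");   // O\'Brien
assert($post['user']['tags'][0] === 'a\\"b');     // a\"b
assert($post['user']['tags'][1] === 'plain');
assert($post['count'] === 3);                     // still an int

// Walking already-escaped data a second time shows the double escaping the
// thread's stripslashes() step is there to prevent under magic quotes.
escape_recursive($post, 'addslashes');
assert($post['user']['name'] === "O\\\\\\'Brien"); // O\\\'Brien
```

    Because the walker escapes every string in the request, values that are later echoed into HTML rather than SQL come out carrying backslashes; escaping is a per-context operation, which is the main cost of doing it globally.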

  • #2
    Senior Coder missing-score's Avatar
    PHP Code:
    function cleanVar(&$var) {
        if (is_array($var)) {
            $var = array_map("cleanVar", $var);
        } else {
            $var = stripslashes($var);
        }
        return $var;
    }

    // get_magic_quotes_gpc() is the real check (there is no set_magic_quotes_gpc());
    // only strip when magic quotes actually added the slashes
    if (get_magic_quotes_gpc()) {
        cleanVar($_POST);
        cleanVar($_GET);
        cleanVar($_COOKIE);
    }

    is what I use

  • #3
    Senior Coder
    Hmm, array_walk_recursive() works fine for PHP5, but since array_map() works on PHP4 I'll adapt your code a bit to make a wrapper. =)
    "$question = ( to() ) ? be() : ~be();"

  • #4
    Senior Coder missing-score's Avatar
    PHP Code:
    function array_walk_recursive(&$input, $funcname, $userdata = NULL) {
        foreach ($input as $key => $data) {
            if (is_array($data)) {
                array_walk_recursive($input[$key], $funcname, $userdata);
            } else {
                // hand the callback $input[$key] rather than the $data copy, so a
                // by-reference callback changes the array just as the built-in does
                if (is_array($funcname)) {
                    $obj    = $funcname[0];
                    $method = $funcname[1];
                    $obj->$method($input[$key], $key, $userdata);
                } else {
                    $funcname($input[$key], $key, $userdata);
                }
            }
        }
    }


    array_walk_recursive for PHP4 servers... if you use the code above, but put it inside:

    PHP Code:
    if (!function_exists('array_walk_recursive')) {  /*   CODE ABOVE HERE   */  }
    You can safely use it in PHP4 and PHP5 environments.

  • #5
    Senior Coder
    Indeed...I was writing one earlier, but took a break. I did some testing and I found with smaller arrays array_map() actually performed faster than array_walk_recursive(), but then once it started getting larger arrays array_walk_recursive() was faster.
    "$question = ( to() ) ? be() : ~be();"

  • #6
    Senior Coder missing-score's Avatar
    hmm... interesting. Obviously, the code posted above is not going to be as efficient as the built in function because, like all PHP functions, they are embedded into the PHP core and will pretty much always be faster than custom coded functions or wrappers. Useful for PHP 4 though; I wrote another function for backwards compatibility that emulated http_build_query.

  • #7
    Senior Coder
    You should post an array_walk_recursive() wrapper that checks if array_walk_recursive() exists, if not use the PHP4 code above here in the forum, I know I was puzzling a bit over making a PHP4 array_walk_recursive() emulation...I see now that I did manage it, but mine isn't nearly as pretty.
    "$question = ( to() ) ? be() : ~be();"

  • #8
    Regular Coder Element's Avatar
    Just to pop in here, about function checking: can you check if the function exists within the function? Let's say you make a function like file() and file() exists; inside the function it would find that file() already exists and then just use file() instead of the custom function. (file() is an example, not what I'm doing, just a general question.)

    like maybe:

    PHP Code:

    function file($handle) {
        if (function_exists("file")) {
            $return = file($handle);
        } else {
            // ...
        }
    }

  • #9
    Senior Coder
    No, you can't redeclare functions (to my knowledge). You can declare them if they don't exist though.
    "$question = ( to() ) ? be() : ~be();"

  • #10
    Senior Coder missing-score's Avatar
    Personally I prefer to redeclare the function if the existing function doesn't exist only once, as if you use the function a lot there could be a performance decrease for PHP5.

    However, I have written a simple wrapper function here called "recursive_array_walk", which functions exactly the same as array_walk_recursive(). I also added in the same error checking and triggered errors as the real function:

    PHP Code:
    function recursive_array_walk(&$input, $funcname, $userdata = NULL) {

        if (!function_exists('array_walk_recursive')) {

            if (!is_array($input)) {
                trigger_error('The argument should be an array', E_USER_WARNING);
                return false;
            }

            foreach ($input as $key => $data) {

                if (is_array($data)) {

                    if (false === recursive_array_walk($input[$key], $funcname, $userdata)) {
                        return false;
                    }

                } else {

                    // pass $input[$key] (not the $data copy) so a by-reference
                    // callback modifies the array in place like the built-in
                    if (is_array($funcname)) {
                        $obj    = $funcname[0];
                        $method = $funcname[1];

                        if (method_exists($obj, $method)) {
                            $obj->$method($input[$key], $key, $userdata);
                        } else {
                            trigger_error('Unable to call ' . get_class($obj) . "::$method() - function does not exist", E_USER_WARNING);
                            return false;
                        }

                    } else {

                        if (function_exists($funcname)) {
                            $funcname($input[$key], $key, $userdata);
                        } else {
                            trigger_error("Unable to call $funcname() - function does not exist", E_USER_WARNING);
                            return false;
                        }

                    }

                }

            }

            // the built-in returns true on success, so the emulation does too
            return true;

        } else {

            return array_walk_recursive($input, $funcname, $userdata);

        }

    }
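    Added check, not from the thread: it runs the built-in array_walk_recursive() and a trimmed emulation of the PHP4 version above over the same nested array and asserts that both agree, including in-place modification through a by-reference callback. emulated_walk() and tag_leaf() are names chosen for this example.

```php
<?php
// Added example (not the thread's code): verify that a PHP4-style emulation
// of array_walk_recursive() matches the built-in. The point being checked is
// that the callback must receive the real element ($input[$key]) by reference,
// not the foreach copy, or a modifying callback silently does nothing.

function emulated_walk(array &$input, $funcname, $userdata = null)
{
    foreach ($input as $key => $data) {
        if (is_array($data)) {
            emulated_walk($input[$key], $funcname, $userdata);
        } else {
            // call_user_func_array() passes array members that are references
            // by reference, which keeps the built-in's (value, key, userdata)
            // calling convention while still reaching the real element.
            call_user_func_array($funcname, [&$input[$key], $key, $userdata]);
        }
    }
    return true; // the built-in returns true on success
}

// Callback with the built-in's (value, key, userdata) signature: prefixes and
// uppercases every string leaf in place, leaves other types alone.
function tag_leaf(&$value, $key, $prefix)
{
    if (is_string($value)) {
        $value = $prefix . strtoupper($value);
    }
}

// Constructed nested input, with an int leaf to confirm it is left untouched.
$sample   = ['a' => 'x', 'b' => ['c' => 'y', 'd' => 2]];
$expected = ['a' => 'E:X', 'b' => ['c' => 'E:Y', 'd' => 2]];

$builtin = $sample;
array_walk_recursive($builtin, 'tag_leaf', 'E:');

$emulated = $sample;
emulated_walk($emulated, 'tag_leaf', 'E:');

assert($builtin === $expected);   // built-in modified the leaves in place
assert($emulated === $builtin);   // emulation behaves identically
```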



  • #11
    Senior Coder missing-score's Avatar
    Quote Originally Posted by Velox Letum
    No, you can't redeclare functions (to my knowledge). You can declare them if they don't exist though.
    No, you can't redeclare functions

    If you want to do it like this, do it like I did... give the function a similar name, or create your own class for handling wrapper functions, like so:

    PHP Code:

    class My {

        function file($file, $bool_use_include_path = false) {
            if (function_exists('file')) {
                return file($file, $bool_use_include_path);
            } else {
                // Do whatever else you want to do...
            }
        }

    }

    // and then call (PHP 5+ expects the method declared static for this call style)
    $file = My::file("filename.php");
    You should only use this for functions you expect not to be available...

  • #12
    Senior Coder
    Quote Originally Posted by missing-score
    No, you can't redeclare functions
    http://www.php.net/manual/en/ref.runkit.php
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  • #13
    Senior Coder missing-score's Avatar
    Quote Originally Posted by marek_mar
    WOW

    Heheh, cheers, I'll be playing with this now

  • #14
    Senior Coder
    PHP will surprise you with lots of things.
    I just remembered that as I now have a non-windows server I could play with that too...
    Last edited by marek_mar; 01-04-2006 at 10:18 AM.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  • #15
    Senior Coder
    O_O! Me too. Brings a whole new meaning to a transparent wrapper. I really like the sandboxing too, being able to execute other code (such as user code) in a separate thread, that way it can't affect your script...nice. That'd be especially useful for a script that might analyze your code and see where the bottlenecks are.
    "$question = ( to() ) ? be() : ~be();"

