highlawn
asked on
mysql_real_escape_string
When using mysql_real_escape_string on variables garnered from $_GET and $_POST, I currently only do this on text, not on numerics or on dates/times etc. Is this correct? Is there any harm in running mysql_real_escape_string on numerics and dates/times etc.?
What I am considering doing is writing a routine that applies mysql_real_escape_string before any insert/update by looping through all the values. The easiest way would seem to me to do this at the start of each page by calling a routine similar to the below (taken from php.net):
$_GET = array_map('trim', $_GET);
$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
Any thoughts?
$_GET = array_map('trim', $_GET);
$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
If you use the above code from the FIRST line of the script, ALL user submitted variables are escaped.
Then, for this reason, you do not need to worry about SQL injection; just use the superglobals (no separate handling of dates, numbers).
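An added example, not code from the question or any of the answers: escaping only protects values that are placed inside quotes in the SQL text, so the numerics and dates asked about are better validated against their expected type and then passed as bound parameters, which need no escaping at all. It uses mysqli prepared statements (the mysql_* functions are gone from PHP 7); the table and column names are assumptions.

```php
<?php
declare(strict_types=1);
// Validate each input against the type it is supposed to be.
// Anything that fails is rejected, never "cleaned".
function validate_int(string $raw): ?int
{
    $v = filter_var(trim($raw), FILTER_VALIDATE_INT);   // rejects "12abc", "1.5", ""
    return $v === false ? null : $v;
}

function validate_date(string $raw): ?string
{
    $raw = trim($raw);
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // createFromFormat rolls invalid days over (2023-02-30 becomes 2023-03-02),
    // so require an exact round trip before accepting the value.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

function validate_text(string $raw, int $maxLen): ?string
{
    $t = trim($raw);
    return mb_strlen($t) <= $maxLen ? $t : null;
}

// Insert with bound parameters. The values never become part of the SQL text,
// so no escaping is needed for strings, numbers or dates alike.
// Table and column names (events, id, event_date, title) are assumptions.
function insert_event(mysqli $db, array $post): bool
{
    $id    = validate_int($post['id'] ?? '');
    $when  = validate_date($post['event_date'] ?? '');
    $title = validate_text($post['title'] ?? '', 200);
    if ($id === null || $when === null || $title === null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO events (id, event_date, title) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iss', $id, $when, $title);
    return $stmt->execute();
}

// Checks on the validators that run without a database connection.
assert(validate_int(' 42 ') === 42);
assert(validate_int('12abc') === null);
assert(validate_date('2023-02-28') === '2023-02-28');
assert(validate_date('2023-02-30') === null);
```

With this approach the trim/escape loop over the superglobals is unnecessary, and a value that is not an integer or a real date is refused outright instead of being escaped and stored.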
ASKER
Some variety of opinion with regard to the code from php.net and I'll take some time to think that through.
It looks to me like a validation routine is required first and then once happy with the data from the form, to mysql_real_escape_string those bits destined for the database.
Many Thanks