Richard Lynch wrote:
On Wed, May 30, 2007 9:55 pm, Jim Lucas wrote:
Greg Donald wrote:
On 5/30/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
You want to use mysql_escape_string, and NOT addslashes and NOT Magic Quotes.
function slashes( $var )
{
    if( is_array( $var ) )
    {
        // recurse into nested arrays (e.g. $_POST['foo'][])
        return array_map( 'slashes', $var );
    }
    else
    {
        // needs an open MySQL connection; the connection's charset
        // decides how bytes are escaped
        return mysql_real_escape_string( $var );
    }
}
Say I wanted to use this on something other than $_GET, $_POST, &
$_COOKIE?
Would it not be better practice to do this the other way around?
function slashes ( $var ) {
    if ( is_scalar($var) ) {
        return mysql_real_escape_string( $var );
    } else {
        // everything non-scalar (arrays, but also null, objects and
        // resources, since is_scalar() is false for all of them) goes here
        return array_map( 'slashes', $var );
    }
}
This way, even if someone passes something that is not an array, but
still not processable by mysql_real_escape_string(), it won't foul up
the processor.
set_magic_quotes_runtime( 0 );
// escape the superglobals only if magic_quotes_gpc has not already done so
if( get_magic_quotes_gpc() == 0 )
{
    $_GET = isset( $_GET )
        ? array_map( 'slashes', $_GET )
        : array();
    $_POST = isset( $_POST )
        ? array_map( 'slashes', $_POST )
        : array();
    $_COOKIE = isset( $_COOKIE )
        ? array_map( 'slashes', $_COOKIE )
        : array();
}
Well, if it's not a scalar, and it's not an array, and you call
array_map on it, things could get very ugly very fast...
I'm not sure what other datatypes you might try to pass in, that PHP
won't type-juggle to a string when it goes to
mysql_real_escape_string...
Exactly what "other" data are you planning on calling 'slashes' on?
Things that will work with mysql_real_escape_string()
boolean, integer, double, float, string, NULL
Things that won't work with mysql_real_escape_string()
array, object, resource id
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Unknown
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
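The thread above argues about which way round the type check in a recursive escaper should go and which PHP types mysql_real_escape_string() can take. The block below is an added example written for this page; it is not code from the thread or from any of the posters. It keeps the recursive walk and Jim's is_scalar() idea, but handles the types his last message lists as unsupported (object, resource) by refusing them instead of letting PHP juggle them, and treats null explicitly, since is_scalar(null) is false and the thread's version would hand null to array_map(). The names escape_mysql_literal(), demo(), the $escape callback parameter and the sample $post array are all my own; in particular, escape_mysql_literal() is a stand-in that reimplements the byte-level escaping the old mysql_real_escape_string() documents, only so the file runs with no database. Real code should pass a closure around $mysqli->real_escape_string(), which escapes according to the connection's character set; the stand-in is single-byte only.

```php
<?php
declare(strict_types=1);

// ASSUMPTION / stand-in: mirrors the escaping mysql_real_escape_string()
// documents (\0, \n, \r, \, ', " and \x1a) so the example runs offline.
// It is not charset-aware; use $mysqli->real_escape_string() in real code.
function escape_mysql_literal(string $s): string
{
    static $map = [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ];
    // strtr() with an array does one pass and never rescans replaced text,
    // so the inserted backslashes are not escaped a second time.
    return strtr($s, $map);
}

/**
 * Recursively escape $var for use inside a quoted MySQL string literal.
 * Scalars are escaped, arrays are walked with keys preserved, null is
 * passed through, and objects/resources raise instead of being juggled.
 */
function slashes(mixed $var, ?callable $escape = null): mixed
{
    $escape ??= 'escape_mysql_literal';

    if ($var === null) {
        return null;            // caller should emit SQL NULL, not ''
    }
    if (is_scalar($var)) {
        // bool/int/float are juggled to their string form ("1", "", "42"),
        // exactly as the thread's mysql_real_escape_string($var) would do.
        return $escape((string) $var);
    }
    if (is_array($var)) {
        $out = [];
        foreach ($var as $k => $v) {
            $out[$k] = slashes($v, $escape);
        }
        return $out;
    }
    // object, resource, closed resource: the types Jim lists as unsupported
    throw new InvalidArgumentException(
        'slashes(): cannot escape value of type ' . get_debug_type($var)
    );
}

function demo(): array
{
    // Constructed sample input standing in for $_POST (not real data).
    $post = [
        'name' => "O'Brien",
        'tags' => ['a"b', "multi\nline", 'C:\\path'],
        'age'  => 42,
        'flag' => true,
        'none' => null,
    ];
    $safe = slashes($post);
    $sql  = sprintf(
        "INSERT INTO users (name, age) VALUES ('%s', '%s')",
        $safe['name'],
        $safe['age']
    );
    return [$safe, $sql];
}

[$safe, $sql] = demo();
var_export($safe);
echo "\n", $sql, "\n";

try {
    slashes(new stdClass());
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Two things worth keeping in mind when adapting this. First, escaping is context-specific: it is only correct for a value that ends up inside a quoted string literal, so it belongs at the point where the query is built, not in a blanket rewrite of $_GET/$_POST/$_COOKIE at request start as the thread's code does. Second, with mysqli or PDO prepared statements the data never becomes part of the SQL text at all, so neither this function nor mysql_real_escape_string() is needed for values; escaping remains relevant only for legacy code paths that still interpolate strings.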