Seems to me you'd be better off then writing code to handle all of
these, with is_array() doing the walk, and erroring out for Object and
Resource

Actually, an object should get type-casted to a string, and there's
even that nifty thing in PHP 5 where you can control what string it
gets changed to...

At least, that's what I would expect, as a naive user, if __to_string
or whatever it is is supposed to work.

Ah well.

On Thu, May 31, 2007 6:25 pm, Jim Lucas wrote:
> Richard Lynch wrote:
>> On Wed, May 30, 2007 9:55 pm, Jim Lucas wrote:
>>> Greg Donald wrote:
>>>> On 5/30/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>>>>> You want to use mysql_escape_string, and NOT addslashes and NOT
>>>>> Magic Quotes.
>>>> function slashes( $var )
>>>> {
>>>>     if( is_array( $var ) )
>>>>     {
>>>>         return array_map( 'slashes', $var );
>>>>     }
>>>>     else
>>>>     {
>>>>         return mysql_real_escape_string( $var );
>>>>     }
>>>> }
>>> Say I wanted to use this on something other than $_GET, $_POST, &
>>> $_COOKIE?
>>>
>>> Would it not be better practice to do this the other way around?
>>>
>>> function slashes ( $var ) {
>>>     if ( is_scalar($var) ) {
>>>         return mysql_real_escape_string( $var );
>>>     } else {
>>>         return array_map( 'slashes', $var );
>>>     }
>>> }
>>>
>>> This way, even if someone passes something that is not an array, but
>>> still not processable by mysql_real_escape_string(), it won't foul up
>>> the processor.
>>>
>>>> set_magic_quotes_runtime( 0 );
>>>>
>>>> if( get_magic_quotes_gpc() == 0 )
>>>> {
>>>>     $_GET = isset( $_GET )
>>>>         ? array_map( 'slashes', $_GET )
>>>>         : array();
>>>>
>>>>     $_POST = isset( $_POST )
>>>>         ? array_map( 'slashes', $_POST )
>>>>         : array();
>>>>
>>>>     $_COOKIE = isset( $_COOKIE )
>>>>         ? array_map( 'slashes', $_COOKIE )
>>>>         : array();
>>>> }
>>
>> Well, if it's not a scalar, and it's not an array, and you call
>> array_map on it, things could get very ugly very fast...
>>
>> I'm not sure what other datatypes you might try to pass in, that PHP
>> won't type-juggle to a string when it goes to
>> mysql_real_escape_string...
>>
>> Exactly what "other" data are you planning on calling 'slashes' on?
>>
>
> Things that will work with mysql_real_escape_string()
> boolean, integer, double, float, string, NULL
>
> Things that won't work with mysql_real_escape_string()
> array, object, resource id
>
>
> --
> Jim Lucas
>
> "Some men are born to greatness, some achieve greatness,
> and some have greatness thrust upon them."
>
> Unknown
>
>

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
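
The type handling discussed in this thread (escape scalars and NULL, walk arrays with is_array(), cast objects that define __toString(), error out for other objects and resources), written out as an added example that is not code from any poster. The name escape_deep() and the $escape callback are assumptions; in the thread's setting the callback would wrap mysql_real_escape_string(), and the demo uses a constructed stand-in so it runs without a database connection.

```php
<?php
/**
 * Recursively escape a value for use inside a SQL string literal.
 * $escape is the connection-aware escaper supplied by the caller
 * (hypothetical parameter, not from the thread).
 */
function escape_deep($var, callable $escape)
{
    if (is_array($var)) {
        // Walk arrays explicitly so nested input keeps its keys.
        $out = [];
        foreach ($var as $key => $item) {
            $out[$key] = escape_deep($item, $escape);
        }
        return $out;
    }
    if ($var === null || is_scalar($var)) {
        // bool, int, float and string juggle to a string; NULL becomes ''.
        return $escape((string) $var);
    }
    if (is_object($var) && method_exists($var, '__toString')) {
        // Objects that define their own string form are cast first.
        return $escape((string) $var);
    }
    // Remaining objects and resources have no meaningful string form:
    // fail loudly instead of handing them to array_map() or the escaper.
    throw new InvalidArgumentException(
        'escape_deep(): cannot escape value of type ' . gettype($var)
    );
}

// Constructed demo input. The stand-in only doubles single quotes so the
// example runs offline; it is NOT a real SQL escaper.
$standIn = function (string $s): string {
    return str_replace("'", "''", $s);
};

$input = ['name' => "O'Reilly", 'ids' => [1, 2.5, true, null]];
var_dump(escape_deep($input, $standIn));

try {
    // A resource nested in the input is rejected, not silently mangled.
    escape_deep(['handle' => fopen('php://memory', 'r')], $standIn);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The mysql_* functions used in the thread were removed in PHP 7; with mysqli or PDO, bound parameters take the place of this kind of blanket escaping of request data.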