Using str_replace in a loop

Shawazi

When I run this code it echoes nothing. I want to make all \ into \ so I can put it into the db from a form. I am going to need to do the same for ". I hate " ' \ in forms. What is the problem?

while (list($key, $value) = each($_POST)) 
{ 
    $_POST[$key] = str_replace("\\", "\\\\", $_POST[$value]);
    echo "$_POST[$key]<br>";
}

PS: the first one is really two slashes and the second one is four slashes. Apparently this forum isn't guarded against the problem I want to fix.

trex005

I might be wrong... but it looks to me like you want to use addslashes (look it up at php.net)

God Bless,
Travis Harris

Shawazi

yeah I think I will use that instead of do things like

"$data" with addslashes instead of \"$data\" with stripslashes which leaves the problem I am facing now. Thx for that tidbit but the remaing question is how do I loop through all of my variables in the form so I don't need to do each addslashes individually?

Shawazi

ah i needed to just say echo $key instead of $_POST[$key]

Weedpacket

Originally posted by Shawazi
ah i needed to just say echo $key instead of $POST[$key]

No! It's $POST['key']

Shawazi

either or works... I'm using this code right now

foreach($_POST as $key => $value) 
{
	$$key = addslashes($$key);
}

leatherback

Not sure but eh..

dont you mean:

foreach($_POST as $key => $value)  

{ 
    $$key = addslashes($value); 
}

Shawazi

it depends if there are double quotes cause if $a = 1 and $b = 2

this script:

foreach($_POST as $key => $value)   

{  

    $$key = addslashes($value);  

}

would make

$a = addslashes(1)
$b = addslashes(2)

and my code makes

$a = addslashes($a) where $a is 1 anyway
$b = addslashes($b) and this is 2

your code works if its addslashes("$value"), cause without them PHP expects a variable name.

I don't know if I made much sense but you can relate it to this simple concept

$result = mysql_query("yada yada yada")
$row = mysql_fetch_array($result) works but
$row = mysql_fetch_array("$result") does not

swr

Originally posted by Shawazi
$$key = addslashes($$key);

That depends on register_globals being enabled. If register_globals is off (which is the recommended setting, for security reasons) then your code won't work anymore.

Use this instead:

$_POST[$key] = addslashes($value);

Also, you might want to check the magic_quotes_gpc setting, and if it is enabled, skip the addslashes stuff, because PHP will have done it for you already.

My preferred way to handle form variables is to have a function that fetches them. So I type getvar('username') to the the username variable. Then I can do whatever I need in the getvar function (addslashes, check for nulls, etc). That is the most future-proof way to do it. If the PHP configuration changes with new and intersting input mangling, only that one function needs to be changed to make all of my code work.