Sql injection

lajkonik86

I have never seen this in action but is it possible to simply check all $_POST variables

something like

foreach ($POST as $key => $value {
$POST[$key] = removenastythingsfunction($value);
}

any reason not to do it like this?
maybe add the cookie variable to the fun as well and the get

Rodney_H_

Well, one way to go about it is to escape certain characters that exist within POSTed values/strings when you are inserting them into your DB.

Check out this: http://us2.php.net/manual/en/function.mysql-real-escape-string.php

lajkonik86

my question is actually why do we always see

$sql = SELECT.... removenastything($userinput)

Instead of taking care of all the user input in a foreach loop on the $_POST array

NogDog

If all the inputs in the $_POST array are only going to be used as data to be inserted to the DB, then by all means feel free to apply the SQL sanitizing to the entire array. But this could pose a problem if you also use the values to prefill form fields if there was an input error, or to send an email, etc., you might not want to use the results of a mysql_escape_string() for those purposes. I guess what I'm saying is you'll have to make the call on a case-by-case basis, depending on how you intend to use those values.

bradgrafelman

lajkonik86 wrote:
Instead of taking care of all the user input in a foreach loop on the $_POST array

[man]magic_quotes[/man]

Weedpacket

lajkonik86 wrote:
Instead of taking care of all the user input in a foreach loop on the $POST array

Since $POST is an array, you can also use any of the array functions on it, such as [man]array_walk[/man]; eliminate the need for an explicit loop.

But yeah, as NogDog points out, not everything in the $POST array would need to be sanitised for database input, since not everything in the $POST array goes into the database (how often do you need to record the value of the submit button?)

As bradgrafelman notes, magic_quotes was invented to do exactly what you're asking; but it's for the reasons given by NogDog that magic_quotes is being removed for PHP 6.