I have an online form with a large number of variables being stored in the $_POST array.

$ID = mysql_real_escape_string($_POST['ID']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$address = mysql_real_escape_string($_POST['address']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$zipcode = mysql_real_escape_string($_POST['zipcode']);
$birthdate = mysql_real_escape_string($_POST['birthdate']);
$telephone = mysql_real_escape_string($_POST['telephone']);
$email = mysql_real_escape_string($_POST['email']);
$pay_for_insurance = mysql_real_escape_string($_POST['group1'] == 'pay_for_insurance' ? 1 : 0);
$dont_pay_for_insurance = mysql_real_escape_string($_POST['group1'] == 'dont_pay_for_insurance' ? 1 : 0);
$self_employed = mysql_real_escape_string($_POST['group2'] == 'self_employed' ? 1 : 0);
$not_self_employed = mysql_real_escape_string($_POST['group2'] == 'not_self_employed' ? 1 : 0);
$has_health_insurance = mysql_real_escape_string($_POST['group3'] == 'has_health_insurance' ? 1 : 0);
$no_health_insurance = mysql_real_escape_string($_POST['group3'] == 'no_health_insurance' ? 1 : 0);
$has_cobra = mysql_real_escape_string($_POST['group4'] == 'has_cobra' ? 1 : 0);
$no_cobra = mysql_real_escape_string($_POST['group4'] == 'no_cobra' ? 1 : 0);
$current_ins = mysql_real_escape_string($_POST['current_ins']);
$employees = mysql_real_escape_string($_POST['employees']);
$dep1 = mysql_real_escape_string($_POST['dep1']);
$dep2 = mysql_real_escape_string($_POST['dep2']);
$dep3 = mysql_real_escape_string($_POST['dep3']);
$smoker = mysql_real_escape_string($_POST['group5'] == 'smoker' ? 1 : 0);
$non_smoker = mysql_real_escape_string($_POST['group5'] == 'non-smoker' ? 1 : 0);
$health = mysql_real_escape_string($_POST['health'] == 'health' ? 1 : 0);
$life = mysql_real_escape_string($_POST['life'] == 'life' ? 1 : 0);
$dental = mysql_real_escape_string($_POST['dental'] == 'dental' ? 1 : 0);

I also have a custom function that cleans the user input from the form:

function secure($string) {
    $string = strip_tags($string);
    $string = htmlspecialchars($string);
    $string = trim($string);
    $string = stripslashes($string);
    $string = mysql_real_escape_string($string);
    return $string;
}

How can I use a foreach command to post these variables and also have each variable passed through the secure() function, rather than repetitively typing out mysql_real_escape_string as shown above?

Thank you

    foreach ($_POST as $k=>$v) {
        $_POST[$k] = secure($v);
    }
    

    If you don't want to go through them all, just create an array of the $_POST keys that you want to secure and then foreach with that:

    $sec = array('firstname','lastname','address');
    foreach ($sec as $k) {
        $_POST[$k] = secure($_POST[$k]);
    }
    

    Of course you have such an amount of those, so maybe put in an array the keys that you don't want to secure 🙂

      That first loop of cahva's can be reduced to a single statement:

      $_POST = array_map('secure', $_POST);

      But quite a few of those mysql_real_escape_string() calls are pointless. E.g.,

      $pay_for_insurance = mysql_real_escape_string($_POST['group1'] == 'pay_for_insurance' ? 1 : 0);

      $pay_for_insurance is only ever going to be either 1 or 0, and that doesn't need escaping.

      function secure($string) {
          $string = strip_tags($string);
          $string = htmlspecialchars($string);
          $string = trim($string);
          $string = stripslashes($string);
          $string = mysql_real_escape_string($string);
          return $string;
      }

      You should only need stripslashes() if you're using the deprecated magic quotes feature, and if you're not using that feature you shouldn't need stripslashes(). As for htmlspecialchars(), it's better to not use that until you want to display the string as HTML.

      And finally, if you're sanitising data so that it can be embedded in a SQL query, the PDO interface does that automatically (and correctly) with whatever you pass into it.
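      The approach the reply above describes, applied to this form, as an added example (not code from the thread or from any poster). It assumes a table named `applicants` whose columns match the form field names and a placeholder PDO DSN; the 0/1 flags are built without escaping, free text is only trimmed, PDO placeholders do the quoting, and htmlspecialchars() is applied only when a value is echoed.

```php
<?php
// Added example, not from the thread. Assumed: table `applicants` with
// columns named after the fields below, and a placeholder PDO DSN.

// Free-text fields: trim only; the database layer handles quoting.
$textFields = ['firstname', 'lastname', 'address', 'city', 'state', 'zipcode',
               'birthdate', 'telephone', 'email', 'current_ins', 'dep1', 'dep2', 'dep3'];
// Radio groups: column => [posted group name, value that means 1].
// This replaces the paired 1/0 assignments in the question; a 0/1 flag
// never needs mysql_real_escape_string().
$radioFlags = [
    'pay_for_insurance'    => ['group1', 'pay_for_insurance'],
    'self_employed'        => ['group2', 'self_employed'],
    'has_health_insurance' => ['group3', 'has_health_insurance'],
    'has_cobra'            => ['group4', 'has_cobra'],
    'smoker'               => ['group5', 'smoker'],
];
// Checkboxes: posted with their own name as the value means checked.
$checkboxes = ['health', 'life', 'dental'];

$row = [];
foreach ($textFields as $f) {
    $row[$f] = trim((string)($_POST[$f] ?? ''));   // missing key -> '' (no notice)
}
foreach ($radioFlags as $column => [$group, $expected]) {
    $row[$column] = (($_POST[$group] ?? '') === $expected) ? 1 : 0;
}
foreach ($checkboxes as $box) {
    $row[$box] = (($_POST[$box] ?? '') === $box) ? 1 : 0;
}
$row['employees'] = (int)($_POST['employees'] ?? 0);   // numeric column: cast, not escape

// Column names come from the fixed lists above, never from user input;
// the values travel as bound parameters, separate from the SQL text.
$columns = array_keys($row);
$sql = sprintf('INSERT INTO applicants (%s) VALUES (%s)',
    implode(', ', $columns),
    implode(', ', array_map(fn($c) => ':' . $c, $columns)));

$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_EMULATE_PREPARES => false,           // real server-side prepares
     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare($sql);
$stmt->execute($row);   // keys match the :placeholders; no escaping calls anywhere

// Escape for HTML only at the point of output, as the reply recommends.
echo 'Thanks, ' . htmlspecialchars($row['firstname'], ENT_QUOTES, 'UTF-8');
```

      With emulated prepares turned off, the query text and the bound values are sent to MySQL separately, so the old secure() function and its stripslashes()/mysql_real_escape_string() steps have no role left to play.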
