check type of form-element submitted?

dumbass

Hey,

I'm trying to use something like this to escape quotes on text date from forms to be written to a database:

// escape quotes and apostrophes if magic_quotes_gpc off
	if (!get_magic_quotes_gpc()) {
	  foreach($_POST as $key=>$value) {
		$temp = addslashes($value);
		$_POST[$key] = $temp;
		}
	  }

Problem is this seems to return an empty array for any checkbox or radio button array submitted with the form, causing SQL syntax errors when trying to handle id's for those elements.

Is there a way to check the type of form element in the $_Post array so I can avoid applying the above function to checkboxes/radio buttons?

Or any other advice on escaping quotes across the board when writing to a db would be much appreciated,

Thanks!

bretticus

If radio buttons and checkboxes come through as an array (html input name has brackets on end) just check if value is an array before using addslashes:

<?php
// When PHP get upgraded to 6, don't want code to break.
if ( !function_exists('get_magic_quotes_gpc') ) {
	function get_magic_quotes_gpc()
	{
		return false;
	}
}
// escape quotes and apostrophes if magic_quotes_gpc off
if (!get_magic_quotes_gpc()) {
	foreach($_POST as $key=>$value) {
		if ( !is_array($value) )
			$_POST[$key] = addslashes($value); // or use mysql_real_escape_string()
	}
}
?>

NogDog

Better yet, ensure that magic_quotes_gpc is turned off, and use the applicable escaping mechanism or prepared statements for the DBMS being used. Or, if you cannot turn it off, test to see if it's on, and if so, use [man]stripslashes/man to undo the damage:

function undoMagicQuotes(&$input)
{
   if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
   {
      if(!function_exists('array_walk_recursive'))
      {
         die("Please upgrade to PHP5 if you want to use this application.");
      }
      array_walk_recursive($input, 
         create_function('&$val,$ix', '$val=stripslashes($val);'));
   }
}

// USAGE:
undoMagicQuotes($_POST);

dumbass

Wow, thanks everyone!

NogDog, when you say "use the applicable escaping mechanism or prepared statements for the DBMS being used", if I'm using MySQL, would this be time for mysql_real_escape_string ()?

Thanks!

bretticus

Yes he is 🙂

However, I was just answering your question w/o imposing too much on the code you already had. I have to give a shout out for PDO. And yes, it does this all for you, regardless of which DBMS you are using. If you want your code to stay current longer, you can't go wrong implementing PDO and prepared statements.

NogDog

dumbass;10888963 wrote:
Wow, thanks everyone!

NogDog, when you say "use the applicable escaping mechanism or prepared statements for the DBMS being used", if I'm using MySQL, would this be time for mysql_real_escape_string ()?

Thanks!

bretticus;10889013 wrote:
Yes he is 🙂

However, I was just answering your question w/o imposing too much on the code you already had. I have to give a shout out for PDO. And yes, it does this all for you, regardless of which DBMS you are using. If you want your code to stay current longer, you can't go wrong implementing PDO and prepared statements.

Yes: mysql_real_escape_string() if using the MySQL interface, prepared statements with place-holders and variable binding if using MySQLi or PDO (or PEAR MDB2, etc.). As to whether to use the MySQL, MySQLi, PDO, MDB2, etc. interface, certain arguments could be made for each (though fewer and fewer for the original MySQL interface as time passes), depending on various criteria such as performance or the ability to use MySQL-specific features. See http://dealnews.com/developers/php-mysql.html just for one example of some of the issues. PDO, MDB2, and other abstraction layers will certainly have the inside track, though, if you have a requirement/desire to support multiple DBMS's.