Is It Bad Practice to Use Array_Walk with MySQLi_Real_Escape_String

Is it bad practice to use array_walk with mysqli_real_escape_string?

YES, absolutely

The practice is the reincarnation of the infamous "magic quotes" feature, which was once a part of the language but, thank goodness, no longer is.

Such an approach will do you no good but only give a false feeling of security and spoil your data for no reason.

You must use prepared statements for all database interactions that involve PHP variables. This is the only 100% safe solution, and it makes the function in question obsolete.

Here I've got an example of a select query using prepared statements: https://phpdelusions.net/mysqli_examples/prepared_select

With a simple helper function it turns into a much simpler and cleaner solution than that escaping-driven mess.

mysqli_real_escape_string with array in php?

Since you wish to do something to each element of array $ans, it would be most appropriate to use array_map(), as follows:

public function addQuestions($data){

    $ans = array();
    $ans[1] = $data['ans1'];
    $ans[2] = $data['ans2'];
    $ans[3] = $data['ans3'];
    $ans[4] = $data['ans4'];

    // array_map() applies the callback to every element and returns a new array;
    // $this is available inside the closure automatically (PHP 5.4+).
    $escaped_ans = array_map(function( $e ) {
        return mysqli_real_escape_string( $this->db->link, $e );
    }, $ans );

    return $escaped_ans;
}
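The prepared-statement alternative that the two answers above point to, written out as an added example (not code from either answer or from phpdelusions); it assumes an existing mysqli connection $db and a hypothetical `questions` table with columns id, question and ans1..ans4:

```php
<?php
// Added example, not code from any answer above. Shows the addQuestions()
// insert with a mysqli prepared statement instead of escaping each value.
// Assumptions: an existing mysqli connection $db, and a table `questions`
// with columns id, question, ans1, ans2, ans3, ans4 (both hypothetical).

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Small helper: prepare, bind and execute in one call. Every value goes in
// through a placeholder, so the SQL text never contains user data and no
// escaping (and no stripslashes on the way back out) is needed.
function prepared_query(mysqli $db, string $sql, array $params = [], string $types = ''): mysqli_stmt
{
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        // Default to string binding for everything; MySQL casts as needed.
        $types = $types !== '' ? $types : str_repeat('s', count($params));
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    return $stmt;
}

// Same data as the array_map() version above, but no per-element escaping.
function addQuestions(mysqli $db, array $data): int
{
    $sql = 'INSERT INTO questions (question, ans1, ans2, ans3, ans4)
            VALUES (?, ?, ?, ?, ?)';
    $params = [$data['question'], $data['ans1'], $data['ans2'], $data['ans3'], $data['ans4']];
    prepared_query($db, $sql, $params);
    return $db->insert_id;
}

// Reading rows back uses the same helper. A LIKE pattern still goes through a
// placeholder; wildcard handling inside the pattern is a separate matter.
function findQuestions(mysqli $db, string $needle): array
{
    $stmt = prepared_query($db, 'SELECT id, question FROM questions WHERE question LIKE ?', ["%$needle%"]);
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```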

Use foreach and mysqli_real_escape_string for many POST values

This is an extremely wrong way of dealing with POST variables.
Wrong in so many ways.

And surely it is not safe.

Depending on the way you are going to use POST data in the query, this code could be corrected, or it could be unusable and not safe at all.

As Barmar said, you ought to use prepared statements. Better if you have a prepared statement for the insert data too.

mysql_real_escape_string() for entire $_REQUEST array, or need to loop through it?

To escape all variables in one go:

$escapedGet = array_map('mysql_real_escape_string', $_GET);

To extract all variables into the current namespace (i.e. $foo = $_GET['foo']):

extract($escapedGet);

Please do not do this last step though. There's no need to; just leave the values in an array. Extracting variables can lead to name clashes and overwriting of existing variables, which is not only a hassle and a source of bugs but also a security risk. Also, as @BoltClock says, stick to $_GET or $_POST. Also, as @zerkms points out, there's no point in mysql_real_escaping variables that are not supposed to be used in a database query; it may even lead to further problems.


Note that really none of this is a particularly good idea at all, you're just reincarnating magic_quotes and global_vars, which were horrible PHP practices from ages past. Use prepared statements with bound parameters via mysqli or PDO and use values through $_GET or filter_input. See http://www.phptherightway.com.

I use mysql_real_escape_string before SQL INSERT, but then have to apply stripslashes to my retrieved data. Is it normal?

Oh, what a senseless function. I know it's not your fault but that of the ones who wrote it in their stupid articles and answers.

Get rid of it and use only mysql_real_escape_string to escape strings.

You have mixed up everything.

  • first, no magic quotes stuff should be present in the database escaping function.

    if you want to get rid of magic quotes, do it centralized, at the very top of ALL your scripts, no matter if they deal with the database or not.

  • most of the checks in this function are useless. is_bool for example. PHP will convert it the same way, no need to write any code for this.

  • LIKE related escaping is a TOTALLY distinct matter, and has nothing to do with safety.

  • the is_numeric check is completely useless, as it will help nothing.

Also note that escaping strings has nothing to do with security.
It's just a syntax rule: all strings should be escaped, no matter their origin or anything else. Just a strict rule: every time you place a string into a query, it should be quoted and escaped. (And of course, if you only escape it but do not quote it, it will help nothing.)

And only when we talk of the other parts of the query does it come to the SQL injection issue. For a complete guide on this matter, refer to my earlier answer: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
