NYCPHP Meetup

[nycphp-talk] Is there something wrong with this SQL query in PHP?

John Campbell jcampbell1 at gmail.com
Wed Aug 15 12:58:26 EDT 2007


I think the functions array_walk_recursive and array_map are very
useful for dealing with escaping.  For instance:

// The callback must take its argument by reference; passing "stripslashes"
// directly does nothing, because stripslashes() only returns a copy.
function strip_slashes_ref(&$v) { $v = stripslashes($v); }

if (get_magic_quotes_gpc()) {
  array_walk_recursive($_POST, "strip_slashes_ref");
  array_walk_recursive($_GET, "strip_slashes_ref");
  array_walk_recursive($_COOKIE, "strip_slashes_ref");
}

You also probably don't want to load up your code with
"mysql_real_escape_string()," so here is an alternative.  This is a
good method for fixing bad code because it can be implemented without
a major rewrite.

// Assumes an open mysql connection, which mysql_real_escape_string() requires.
// Every %s must sit inside quotes in the SQL; escaping does not protect an unquoted value.
$sql = prepare("SELECT * FROM users WHERE username='%s' AND password='%s' ",
               $_POST['username'], $_POST['password']);

// sprintf wrapper: the first argument is the format, every later one is escaped.
function prepare() {
  $args_array = func_get_args();
  for ($i = 1; $i < count($args_array); $i++) {
    $args_array[$i] = mysql_real_escape_string($args_array[$i]);
  }
  return call_user_func_array("sprintf", $args_array);
}

-John
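The same drop-in idea with the values bound by the driver instead of spliced into the SQL, as an added example (not John's code or part of the original post); the query() helper name, the DSN and the credentials are assumptions:

```php
<?php
// Added example: a prepare()-style helper with the same call shape
// (SQL first, values after) built on PDO prepared statements, so the
// values are sent separately from the query text and never need escaping.

function query(PDO $db, $sql /* , $value1, $value2, ... */)
{
    // Everything after the SQL string is a bound value; array_slice
    // reindexes from 0, which is what execute() expects for "?" markers.
    $values = array_slice(func_get_args(), 2);

    $stmt = $db->prepare($sql);
    $stmt->execute($values);
    return $stmt;
}

// Assumed connection details (placeholders, not real credentials).
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepares rather than client-side emulation,
    // so the server receives the statement and the parameters separately.
    PDO::ATTR_EMULATE_PREPARES => false,
));

// Same query as above; "?" markers need no quotes around them, and a
// value containing quotes, backslashes or "--" is still just a value.
$stmt = query($db,
    'SELECT * FROM users WHERE username = ? AND password = ?',
    $_POST['username'], $_POST['password']);

$user = $stmt->fetch(PDO::FETCH_ASSOC);
```

Unlike the sprintf version, this also covers placeholders that stand in for unquoted numbers, since the driver types the parameter rather than relying on the quotes in the format string.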
