
mysql_real_escape_string help?


Mr Chris


Hello All,

 

Wondering if someone can help.  I have a piece of code which I use on all data I post to my database which uses mysql_real_escape_string on all my forms for security purposes that I found on t'internet:

 

<?php
// Run once at the top of every script: when magic quotes are off, pass every
// value in the superglobals through mysql_real_escape_string().
// array_map() only walks the top level, so a form field that arrives as an
// array (e.g. a checkbox list named nws_id[]) is handed to
// mysql_real_escape_string() whole rather than element by element.
if(!get_magic_quotes_gpc()){
	$_GET		= array_map('mysql_real_escape_string', $_GET);
	$_POST		= array_map('mysql_real_escape_string', $_POST);
	$_REQUEST	= array_map('mysql_real_escape_string', $_REQUEST);
	$_COOKIE	= array_map('mysql_real_escape_string', $_COOKIE);
}

 

However, ever since i've installed this i'm having problems with other elements, such as deleting records from a MYSQL database like so:

 

<?php
$msg = "";
if(isset($_POST['Submit'])){
    $total = $_POST['total'];
    // nws_id is submitted as an array: one entry per checked news item.
    $news_ids = $_POST['nws_id'];
    foreach($news_ids as $id){
        // $id is interpolated directly; this relies on the escaping done
        // by the snippet at the top of the script.
        mysql_query("DELETE FROM news WHERE news_id='$id'");
    }
    $msg = count($news_ids) . " News Item(s) deleted!";
}
$result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
$num = mysql_num_rows($result);
$n = 0;
?>

 

Yet if I delete the piece of code above, it works fine, but I don't understand why the above code affects this? Anyone please help me understand?

 

Thanks

https://forums.phpfreaks.com/topic/210842-mysql_real_escape_string-help/

Hi

 

Try it like this and see what the generated sql is:-

 

<?php
$msg = "";
if(isset($_POST['Submit'])){
    $total = $_POST['total'];
    $news_ids = $_POST['nws_id'];
    foreach($news_ids as $id){
         $sql = "DELETE FROM news WHERE news_id=$id";
         echo "$sql<br />";
        mysql_query($sql);
    }
$msg = count($news_ids) . " News Item(s) deleted!";
}
$result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
$num = mysql_num_rows($result);
$n = 0;
?>

 

All the best

 

Keith

Many Thanks,

 

I get no message, but get these errors:

 

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/*******/httpdocs/******.php on line 37

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in  /var/www/*******/httpdocs/******.php  on line 38

Warning: Invalid argument supplied for foreach() in /var/www/*******/httpdocs/*********/list.php on line 19

 

So I may be being thick here, but what do I have to do to allow deletion?

Having that catch-all at the top of your program is always going to be problematic because, as you have discovered, one of the $_GET, $_POST, $_REQUEST or $_COOKIE indexes contains an array, not a string.

 

Also, who's to say $_POST data is always going to the database?

 

My advice: drop it, and validate and clean your data as required.

Hi

 

I would agree with the above.

 

If you really want to do it then you need a recursive function that runs mysql_real_escape_string on each array member unless that array member is an array itself in which case the function calls itself with that array as a parameter.

 

All the best

 

Keith
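As an added example, not code from the thread: the recursive escaper Keith describes, beside the per-field validation the previous reply recommends. It assumes a constructed $post array shaped like the original form, and uses addslashes() only as an offline stand-in for mysql_real_escape_string(), which needs an open connection.

```php
<?php
// escape_deep() walks nested arrays and applies the escaper to each string
// leaf, instead of handing a whole sub-array to the escaper as array_map()
// did in the original snippet. The escaper is a callable so that the poster
// could pass 'mysql_real_escape_string' once a connection is open; this demo
// passes addslashes() as a stand-in (hypothetical, for offline use only).
function escape_deep($value, callable $escape)
{
    if (is_array($value)) {
        return array_map(function ($v) use ($escape) {
            return escape_deep($v, $escape);
        }, $value);
    }
    return $escape((string) $value);
}

// validate_ids() is the "validate and clean as required" alternative: the
// delete form only ever sends integer news ids, so accept exactly those and
// drop anything else rather than escaping free-form text.
function validate_ids($ids)
{
    if (!is_array($ids)) {
        return array();
    }
    $clean = array();
    foreach ($ids as $id) {
        if (is_string($id) && ctype_digit($id)) {
            $clean[] = (int) $id;
        }
    }
    return $clean;
}

// build_delete_sql() issues one statement for all validated ids, or none
// when nothing valid was submitted.
function build_delete_sql(array $ids)
{
    if (count($ids) === 0) {
        return null;
    }
    return 'DELETE FROM news WHERE news_id IN (' . implode(',', $ids) . ')';
}

// Constructed stand-in for the poster's $_POST: a scalar field plus the
// checkbox list that broke array_map('mysql_real_escape_string', $_POST).
$post = array(
    'Submit' => 'Delete',
    'total'  => '3',
    'nws_id' => array('12', "13'x", '15'),
);

$escaped = escape_deep($post, 'addslashes');   // nws_id stays an array, so foreach() works
$sql = build_delete_sql(validate_ids($post['nws_id']));  // "13'x" is discarded
```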
