for-loop


RON_ron

I need to send some of the data to my PHP file via Flash. Below, in my PHP file, I'm trying to use a for-loop to convert all the variables to PHP variables to prevent SQL injection. How effective is this method? Please help me with your valuable ideas.

Thank you.

<?php
$conn = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");

foreach ($_POST as $key => $value) {
   $$key = $value;
   $$key = mysql_real_escape_string($$key); }

$result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'");

if (mysql_num_rows ($result) > 0){
$register = "Retry.";
echo($register);
} else {
mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')");
$register = "Successful.";
echo($register);
}
?>


Also, blindly converting external variables into program variables is exactly what register_globals did, and a lot of web sites were taken over because not only does that set the variables you are expecting, but it also allows a hacker to set any of your other program variables to values he wants.

 

You should just put the result back into the $_POST array and use the $_POST variables in your code or use some other name of your choice, such as $mypost -

 

$_POST = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into the $_POST array

 

or

 

$mypost = array_map('mysql_real_escape_string',$_POST); // escape the $_POST array and put the results back into an array name of your choice

 

If you are passing a form array element in the $_POST array, you would need to write your own recursive function to use in the array_map() statement so that any sub/nested arrays are also escaped.

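The advice in the reply above (keep request data in an array instead of creating variables from it, and escape nested arrays recursively), as an added example that is not part of the original posts. `escape_deep()`, `clean_post()` and the field list are hypothetical names, the request is constructed, and `addslashes` is only a stand-in so the block runs without a database connection.

```php
<?php
// Added example; function names and sample data are assumptions, not from the thread.

// Recursively apply $escape to every value, keeping the array structure,
// so form array elements (sub/nested arrays) are escaped as well.
function escape_deep($data, callable $escape)
{
    if (is_array($data)) {
        $out = array();
        foreach ($data as $k => $v) {
            $out[$k] = escape_deep($v, $escape);
        }
        return $out;
    }
    return $escape((string) $data);
}

// Copy only the fields the script expects, then escape them.
// Keys that are not on the list are dropped; nothing becomes a program variable.
function clean_post(array $post, array $allowed, callable $escape)
{
    $picked = array_intersect_key($post, array_flip($allowed));
    return escape_deep($picked, $escape);
}

// Constructed request: one nested field plus two keys the script never asked for.
// With the $$key loop, 'conn' and 'register' would overwrite the script's own variables.
$post = array(
    'username' => "o'brien",
    'tags'     => array("a'b", array("c'd")),
    'conn'     => 'x',
    'register' => 'y',
);

// Stand-in escaper for the demo only. In the thread's code this argument would be
// 'mysql_real_escape_string', which needs an open database connection.
$escape = 'addslashes';

$mypost = clean_post($post, array('username', 'tags'), $escape);

// Only 'username' and 'tags' remain, with quotes escaped at every nesting level.
print_r($mypost);

// The query then reads from the array, never from variables named by the client.
$sql = "SELECT * FROM my_db2 WHERE username = '{$mypost['username']}'";
echo $sql, "\n";
```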

Something like this?

 

<?php
$conn = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");

foreach ($_POST as $key => $value) {
   $$key = $value;
   $$key = mysql_real_escape_string($$key); }

$result = mysql_query("SELECT * FROM my_db2 WHERE username = '$username'");

$mypost = array_map('mysql_real_escape_string',$_POST);

if (mysql_num_rows ($result) > 0){
$register = "Retry.";
echo($register);
} else {
mysql_query("INSERT INTO my_db3 (username, password, surname, firstname, company) VALUES ('$username', '$password', '$surname', '$firstname', '$company')");
$register = "Successful.";
echo($register);
}
?>
