gvp16 Posted January 11, 2012 Share Posted January 11, 2012 Im bug fixing a script (not my own) and the use of " and ' hasn't been filtered out before an insert query is ran. there are about 4 scripts of 30 $_POST["something"] input elements that need to be checked, and i was wondering can i just do a find and replace on $_POST rather than each element? Thanks. Quote Link to comment Share on other sites More sharing options...
trq Posted January 11, 2012 Share Posted January 11, 2012 Given the right tools of course you can. I don't see what this has to do with php. Quote Link to comment Share on other sites More sharing options...
gvp16 Posted January 11, 2012 Author Share Posted January 11, 2012 well everything is written in php... and im not entirely sure how to go about it so i was hoping for some advice, eg. can i simply do str_replace(" ' ", """,$_POST"); ? Quote Link to comment Share on other sites More sharing options...
trq Posted January 11, 2012 Share Posted January 11, 2012 There might be some misunderstanding here. I thought you where actually looking to wrap calls to $_POST['something'] with some sanitising functionality within your code itself. eg; Search your code base and replace the calls. You need to use the search and replace in your text editor or better still, a tool like sed if your on a *nix based system. Quote Link to comment Share on other sites More sharing options...
gvp16 Posted January 11, 2012 Author Share Posted January 11, 2012 I think were getting our wires crossed, im looking to avoid doing sanitation on over 90 separate $_POST[""] elements that have been used in a query. rather than do $name = str_replace(" ' ", """,$_POST["name"]); $address= str_replace(" ' ", """,$_POST["address"]); $town= str_replace(" ' ", """,$_POST["town"]); and so on.... I was wondering if it was possible to do it on the $_POST array, so something like foreach $_POST as $var{ str_replace(" ' ", """,$var); } $name = $_POST["name"]; $address=$_POST["address"]; $town= $_POST["town"]; and then proceed to do the query Quote Link to comment Share on other sites More sharing options...
trq Posted January 11, 2012 Share Posted January 11, 2012 You could use array_map. You should also be using mysql_real_escape_string instead of that str_replace that you attempting to use. Why would you want to store html entities in your data? Quote Link to comment Share on other sites More sharing options...
gvp16 Posted January 11, 2012 Author Share Posted January 11, 2012 i dont really, but i thought it would be better than removing the punctuation all together, i thought about using addslashes, but again i would have to add it to far to many elements, and then use stripslashes to display data correctly. I will take a look into what you recommended, thanks for you help. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.