[thelist] MySQL/PHP Associative Array Insert

Bill Haenel mail at webmarketingworx.com
Sun Feb 2 00:02:01 CST 2003


> If there is any chance that a user may have control over the
> variables that are being passed to your queries, for example
> if they are being passed from a GET or POST request, make
> sure to escape any potentially dangerous characters ahead of time.
>
> The PHP documentation for mysql_escape_string():
> http://www.php.net/manual/en/function.mysql-escape-string.php

Point taken. Careful, though, as it's easy to end up double escaping
with mysql_escape_string() if magic_quotes_gpc is on (which in my case
it is).

Since we were talking arrays in this thread, you could go quickly
through the values easily with:

<?php
// Only escape here when magic_quotes_gpc is off. When it is on, PHP has
// already backslashed the request values, and running them through
// mysql_escape_string() again would double-escape them.
if (!get_magic_quotes_gpc()) {
	foreach ($item as $k => $v) {
		$item[$k] = mysql_escape_string($v);
	}
}
?>

...or something like that.
I guess my point would be that this is important, and so it should be
done wisely: mysql_escape_string() should be used appropriately and when
necessary.

BH
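The trap described in this thread, as an added worked example (not code from the original post or from evolt.org): request values must be escaped exactly once before they are spliced into an INSERT, regardless of whether magic_quotes_gpc has already backslashed them. The table name `contacts`, the column names, the sample request data and the helper names are assumptions for illustration. mysql_style_escape() reproduces the byte substitutions the PHP manual documents for mysql_real_escape_string() (NUL, \n, \r, \, ', " and Ctrl-Z) so the script runs on any PHP version without a database link; with ext/mysql on PHP 4/5 you would call mysql_real_escape_string($v, $link) instead, and pass get_magic_quotes_gpc() as the flag (both the mysql_* functions and magic quotes are gone from current PHP, where prepared statements replace all of this).

```php
<?php
// Added example, not from the original post. Escape an associative array
// once, then build an INSERT from it. Names, table and sample data are
// assumptions chosen for illustration.

// Stand-in for mysql_real_escape_string(): same characters the MySQL C API
// escapes. Assumed here so the example runs without a connection.
function mysql_style_escape($value)
{
    return strtr((string) $value, array(
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ));
}

// Undo magic_quotes_gpc exactly once (recursively, since $_POST can nest
// arrays), so that every value is escaped exactly once further down.
function normalize_gpc(array $input, $magic_quotes_on)
{
    if (!$magic_quotes_on) {
        return $input;
    }
    $out = array();
    foreach ($input as $k => $v) {
        $out[$k] = is_array($v) ? normalize_gpc($v, true) : stripslashes($v);
    }
    return $out;
}

// Keys become column names, values become quoted, escaped literals.
// Column names cannot be escaped like string values, so they are restricted
// to identifier characters instead.
function build_insert($table, array $row)
{
    $cols = array();
    $vals = array();
    foreach ($row as $column => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
            throw new InvalidArgumentException("Bad column name: $column");
        }
        $cols[] = '`' . $column . '`';
        $vals[] = ($value === null) ? 'NULL' : "'" . mysql_style_escape($value) . "'";
    }
    return sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        $table, implode(', ', $cols), implode(', ', $vals));
}

// Constructed request data: what PHP hands you with magic_quotes_gpc on when
// a user submits the name O'Brien and an injection attempt in the email field.
$magic_quotes_on = true;
$post = array(
    'name'  => "O\\'Brien",
    'email' => "x@example.com\\' OR 1=1 -- ",
);

// Correct: strip the magic-quotes backslashes, then escape once.
$row = normalize_gpc($post, $magic_quotes_on);
echo build_insert('contacts', $row), "\n";

// The double-escaping mistake: feeding the still-backslashed values straight
// to the escaper, which doubles every backslash and escapes the quote again.
echo build_insert('contacts', $post), "\n";
```

The first statement stores O'Brien and keeps the quote in the email field inert; the second stores a literal backslash in front of the apostrophe, which is the garbage you see in the database when get_magic_quotes_gpc() is ignored. The injection attempt is neutralised either way, so double escaping is a data-corruption bug rather than a security hole, but the opposite mistake (assuming magic quotes did the work and escaping nothing) is not safe for values that arrive from anywhere other than GET, POST and cookies.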
