PHP / MYSQL: Sanitizing user input - is this a bad idea?

Posted by Greg on Stack Overflow See other posts from Stack Overflow or by Greg
Published on 2009-11-28T06:43:42Z Indexed on 2010/06/07 9:22 UTC
Read the original article Hit count: 327

Filed under:
|
|

I have one "go" script that fetches any other script requested and this is what I wrote to sanitize user input:

foreach ($_REQUEST as $key => $value){
	if (get_magic_quotes_gpc()) 
	$_REQUEST[$key] = mysql_real_escape_string(stripslashes($value));  
	else
	$_REQUEST[$key] = mysql_real_escape_string($value); 
}

I haven't seen anyone else use this approach. Is there any reason not to?

EDIT - amended for to work for arrays:

function mysql_escape($thing) {
  if (is_array($thing)) {
	$escaped = array();
	foreach ($thing as $key => $value) {
	  $escaped[$key] = mysql_escape($value);
	}		   
	return $escaped;
  }
  // else
  if (get_magic_quotes_gpc()) $thing = stripslashes($thing);
  return mysql_real_escape_string($thing);
}

foreach ($_REQUEST as $key => $value){
	$_REQUEST[$key] = mysql_escape($value); 
}

© Stack Overflow or respective owner

Related posts about php

Related posts about mysql