Tags: php, mysql, arrays, function, mysql-real-escape-string

Escaping variables in an array and assigning escaped values to original variables value dynamically


I normally just use mysql_real_escape_string on every variable before inserting into my database, so for example:

    $first_name = mysql_real_escape_string($first_name); // Bill
    $last_name  = mysql_real_escape_string($last_name);  // O'Rielly
    $email      = mysql_real_escape_string($email);      // [email protected]

    $insert = mysql_query("
                  INSERT INTO `users` (first_name, last_name, email)
                  VALUES ('$first_name', '$last_name', '$email')
              ") or die(mysql_error());

But on some forms I could have possibly 20 different variables I want to escape, so I was hoping there was a way I could use an array, run it through a function to escape each one. Then make the original variables ($first_name, $last_name, $email) have the value of the escaped string from the array. I came up with the following, but this is as far as I have gotten.

    $form_array = array($first_name, $last_name, $email);

    print_r($form_array);
    echo("<br />".$last_name."<br />");

    function cleanInput($array) {
        return array_map('mysql_real_escape_string', $array);
    }

    $clean_array = cleanInput($form_array); 

    print_r($clean_array);
    echo("<br />".$clean_array[1]."<br />");

Which outputs the following:

    Array ( [0] => Bill [1] => O'Rielly [2] => [email protected] ) 
    O'Rielly
    Array ( [0] => Bill [1] => O\'Rielly [2] => [email protected] ) 
    O\'Rielly

So, we can see that it's escaping properly, but I'm stumped on making $first_name have the value of $clean_array[0], $last_name have the value of $clean_array[1], etc.

I know of course I could just write:

    $first_name = $clean_array[0];
    $last_name = $clean_array[1];

But that kind of makes having this array/function there pointless at all, since I might as well just escape each variable/string separately the way I always have. So I was hoping there was a way I could do some sort of loop in the function to do this dynamically, depending on what's in the array.

Because then, when it comes to doing validation in the future, I can just:

  • Assign all $_POST data to variables
  • Put those variables in an array
  • Run the array through the function and all original $_POST variables now have the escaped value from the function
  • Use the insert method mentioned at the start using the original names of the variables $first_name, $last_name etc.

Rather than:

    $insert = mysql_query("
                  INSERT INTO `users` (first_name, last_name, email)
                  VALUES ('$clean_array[0]', '$clean_array[1]', '$clean_array[2]')
              ") or die(mysql_error());

Is this possible?

Update

From hakre's post about the compact and extract functions, I've now come up with the following:

    $array = compact(array("first_name", "last_name", "email"));
    echo("<strong>Before:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."<br /><br />");

    extract(array_map('mysql_real_escape_string', $array), EXTR_OVERWRITE);
    echo("<strong>After:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."");

Which outputs the details the way I would like them:

Before:

First Name: Bill

Last Name: O'Rielly

Email: [email protected]

After:

First Name: Bill

Last Name: O\'Rielly

Email: [email protected]

I've tried putting extract into a function, but it doesn't work the same way:

    function cleanInput($array) {

        // extract() creates the variables in this function's local scope and
        // returns the number of variables it set (an int), not an array
        $clean_array = extract(array_map('mysql_real_escape_string', $array), EXTR_OVERWRITE);
        return $clean_array;

    }

    $array = compact(array("first_name", "last_name", "email"));
    echo("<strong>Before:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."<br /><br />");

    cleanInput($array);
    echo("<strong>After:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."");

I'm sure I have to return the extract function, but I've tried a few different things and it either doesn't give any output or $last_name just prints the unescaped value.
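The following is an added example, not code from the question: it shows why the function version above leaves the caller's variables untouched, and the variant that does work. The escaper is passed in as a callable so the script runs offline; mysql_real_escape_string() needs an open MySQL link (and was removed in PHP 7), so real code would pass a connection-aware closure as described in the comments. The stand-in escaper, the sample values and the function names are assumptions for the demo.

```php
<?php
// Added example (not from the original question): why extract() inside a
// function leaves the caller's variables unchanged, and the pattern that
// works. In real code pass a connection-aware escaper, for example
//   function ($s) use ($link) { return mysqli_real_escape_string($link, $s); }

// Stand-in escaper for the demo only: escapes the same characters that
// mysql_real_escape_string() escapes (NUL, \n, \r, \, ', ", Ctrl-Z). It is
// not charset-aware, so do not use it against a live database.
$escape = function (string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
};

// The asker's version. extract() creates $first_name, $last_name, $email as
// locals of *this* function and returns how many variables it created (an
// int), so nothing reaches the caller's scope.
function cleanInputBroken(array $vars, callable $escape): int
{
    return extract(array_map($escape, $vars), EXTR_OVERWRITE);
}

// Working version: escape the array and hand it back; the caller runs
// extract() in its own scope, where the original variables live.
function cleanInput(array $vars, callable $escape): array
{
    return array_map($escape, $vars);
}

// Constructed sample input.
$first_name = 'Bill';
$last_name  = "O'Rielly";
$email      = 'bill@example.com';

$count = cleanInputBroken(compact('first_name', 'last_name', 'email'), $escape);
var_dump($count);      // the number of locals extract() created inside the function
var_dump($last_name);  // the caller's copy: still unescaped

extract(cleanInput(compact('first_name', 'last_name', 'email'), $escape), EXTR_OVERWRITE);
var_dump($last_name);  // now escaped, because extract() ran in this scope
```

Escaping only protects a value that ends up inside single quotes in the SQL text; an unquoted numeric context is not covered. mysql_real_escape_string() and mysqli_real_escape_string() also escape according to the connection's character set, which is why the charset-blind stand-in above is for the offline demo only.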


Solution

  • You might be interested in compact and extract. Both let you handle variables as an array. An array is convenient, because you can repeat a single action over all of its values.

    Example:

    $vars = array('first_name', 'last_name', 'email');
    
    $first_name = $last_name = $email = 'just some init value';
    
    // Gather the named variables into an array keyed by variable name
    $array = compact($vars);
    
    // Apply one operation to every value; iterate by reference so the
    // array itself is modified, then drop the dangling reference
    foreach($array as &$value)
        $value = str_shuffle($value);
    unset($value);
    
    // Write the modified values back into variables of the same names
    extract($array);
    
    printf("First: %s; Last: %s; Email: %s", $first_name, $last_name, $email); 
    

    Output:

    First:  sjivus enta metluoi; Last: i evounes tliuat smj; Email: tleetnumav siuijo s
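An added example that is not part of hakre's answer: the compact() array the question builds is exactly the shape PDOStatement::execute() takes, so the escape step can be dropped altogether by binding the values instead of interpolating them. It uses PDO with an in-memory SQLite database (assumed available through pdo_sqlite) so it runs offline; the table, the sample values and the injection-style string are constructed for the demo.

```php
<?php
// Added example, not part of the original answer: feed the compact() array
// straight to a prepared statement so no per-variable escaping is needed.
// Assumes the pdo_sqlite extension; for MySQL only the DSN and credentials
// change.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (first_name TEXT, last_name TEXT, email TEXT)');

// Named placeholders take the place of the interpolated '$first_name' etc.
// The values travel separately from the SQL text, so quotes in them are
// data, never syntax.
$stmt = $db->prepare(
    'INSERT INTO users (first_name, last_name, email)
     VALUES (:first_name, :last_name, :email)'
);

// Constructed sample input, including a value that would break or subvert
// an unescaped interpolated query.
$first_name = 'Bill';
$last_name  = "O'Rielly";
$email      = "x@example.com' OR '1'='1";

// compact() keys match the placeholder names, which is what execute()
// expects (PDO accepts the keys with or without the leading colon).
$stmt->execute(compact('first_name', 'last_name', 'email'));

// Read it back: the stored values are the raw strings, with no backslashes
// added, and the injection attempt was stored as a literal, not executed.
foreach ($db->query('SELECT first_name, last_name, email FROM users') as $row) {
    printf("%s | %s | %s\n", $row['first_name'], $row['last_name'], $row['email']);
}
```

With pdo_mysql the same code works once the DSN names the host, database and character set (for example `mysql:host=...;dbname=...;charset=utf8mb4`), so the driver and the server agree on how the bound strings are encoded.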