I normally just use mysql_real_escape_string
on every variable before inserting to my database, so for example:
$first_name = mysql_real_escape_string($first_name); // Bill
$last_name = mysql_real_escape_string($last_name); // O'Rielly
$email = mysql_real_escape_string($email); // [email protected]
$insert = mysql_query("
INSERT INTO `users` (first_name, last_name, email)
VALUES ('$first_name', '$last_name', '$email')
") or die(mysql_error());
But on some forms I could have possibly 20 different variables I want to escape, so I was hoping there was a way I could use an array, run it through a function to escape each one. Then make the original variables ($first_name
, $last_name
, $email
) have the value of the escaped string from the array. I came up with the following, but this is as far as I have gotten.
$form_array = array($first_name, $last_name, $email);
print_r($form_array);
echo("<br />".$last_name."<br />");
function cleanInput($array) {
return array_map('mysql_real_escape_string', $array);
}
$clean_array = cleanInput($form_array);
print_r($clean_array);
echo("<br />".$clean_array[1]."<br />");
Which outputs the following:
Array ( [0] => Bill [1] => O'Rielly [2] => [email protected] )
O'Rielly
Array ( [0] => Bill [1] => O\'Rielly [2] => [email protected] )
O\'Rielly
So, we can see that it's escaping properly, but I'm stumped with the whole making $first_name
have the value of $clean_array[0]
, $last_name
have the value of $clean_array[1]
etc.
I know of course I could just write:
$first_name = $clean_array[0];
$last_name = $clean_array[1];
But it kinda makes it pointless of having this array/function there at all since I might as well just escape each variable/string separately how I always have done. So I was hoping there was a way I could do some sort of loop in the function to do this dynamically depending on what's in the array.
Because then when it comes to doing validation in the future I can just
$first_name
, $last_name
etc.Rather then:
$insert = mysql_query("
INSERT INTO `users` (first_name, last_name, email)
VALUES ('$clean_array[0]', '$clean_array[1]', '$clean_array[2]')
") or die(mysql_error());
Is this possible?
Update
From hakre's post about the compact
and extract
functions, I've now come up with the following:
$array = compact(array("first_name", "last_name", "email"));
echo("<strong>Before:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."<br /><br />");
extract(array_map('mysql_real_escape_string', $array), EXTR_OVERWRITE);
echo("<strong>After:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."");
Which outputs the following details how I would like them:
Before:
First Name: Bill
Last Name: O'Rielly
Email: [email protected]
After:
First Name: Bill
Last Name: O\'Rielly
Email: [email protected]
I've tried putting extract
into a function but it doesn't work the same?
function cleanInput($array) {
$clean_array = extract(array_map('mysql_real_escape_string', $array), EXTR_OVERWRITE);
return $clean_array;
}
$array = compact(array("first_name", "last_name", "email"));
echo("<strong>Before:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."<br /><br />");
cleanInput($array);
echo("<strong>After:</strong><br />First Name: ".$first_name."<br />Last Name: ".$last_name."<br />Email: ".$email."");
I'm sure I have to return the extract function, but I've tried a few different things and it's either not giving any output or $last_name
is just printing the unescaped value.
You might be interested in compact
and extract
. Both allow you to handle variables as an array. Array is comfortable, because your can repeat the single action onto all values.
Example:
$vars = array('first_name', 'last_name', 'email');
$first_name = $last_name = $email = 'just some init value';
$array = compact($vars);
foreach($array as &$value)
$value = str_shuffle($value);
unset($value);
extract($array);
printf("First: %s; Last: %s; Email: %s", $first_name, $last_name, $email);
Output:
First: sjivus enta metluoi; Last: i evounes tliuat smj; Email: tleetnumav siuijo s