mysql_real_escape_string() for entire $_REQUEST array, or need to loop through it?

Backend · Unresolved · 6 answers · 948 views
没有蜡笔的小新 2020-12-13 22:50

Is there an easier way of safely extracting submitted variables other than the following?

    if (isset($_REQUEST['kkld'])) $kkld = mysql_real_escape_string($_REQUEST['kkld']);
6 answers
  •  清歌不尽
    2020-12-13 23:26

    To sanitize or validate any INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV, you can use

    • filter_input_array — Gets external variables and optionally filters them

    Filtering can be done with a callback, so you could supply mysql_real_escape_string.

    This method does not allow filtering for $_REQUEST, because you should not work with $_REQUEST when the data is available in any of the other superglobals. It's potentially insecure.

    The method also requires you to name the input keys, so it's not a generic batch filtering. If you want generic batch filtering, use array_map or array_walk or array_filter as shown elsewhere on this page.

    Also, why are you using the old mysql extension instead of the mysqli (i for improved) extension? The mysqli extension will give you support for transactions, multi-queries and prepared statements (which eliminate the need for escaping). All of these are features that can make your DB code much more reliable and secure.
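
    The three options this answer mentions, as an added example that is not code from the question or the answer above: a per-key filter definition (the same shape filter_input_array takes; filter_var_array is used on a constructed array so the script runs outside a web request), array_map batch escaping with a closure (mysqli_real_escape_string needs the connection, so it cannot be passed by name), and a mysqli prepared statement, which is what makes escaping unnecessary. mysqli is used throughout because the mysql extension was removed in PHP 7. The sample input, the `items` table and its `kkld` column, and the commented-out credentials are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer.
// Constructed sample input standing in for $_POST. $_REQUEST is deliberately not
// used: it merges GET, POST and COOKIE, so the caller cannot tell which source won.
$post = [
    'kkld'  => "  O'Reilly; DROP TABLE users; --  ",
    'page'  => '3',
    'email' => 'not-an-address',
];

// 1. Per-key definition, the shape filter_input_array(INPUT_POST, $definition) takes.
//    Validate whatever has a known shape; a callback is only for free text.
$definition = [
    'kkld'  => ['filter' => FILTER_CALLBACK, 'options' => 'trim'],
    'page'  => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'email' => FILTER_VALIDATE_EMAIL,
];
$clean = filter_var_array($post, $definition);   // 'page' becomes int, 'email' becomes false
var_dump($clean);

// Escaping only protects a quoted string literal; an unquoted numeric context stays
// injectable, which is why 'page' is validated as an integer rather than escaped.
if ($clean['page'] === false) {
    http_response_code(400);   // reject input that fails validation, do not "fix" it
    exit("bad page\n");
}

// 2. Generic batch filtering when every key gets the same treatment. The escape
//    function needs the connection (charset-aware), so it is wrapped in a closure.
function escape_all(mysqli $db, array $input): array
{
    return array_map(
        fn(string $v): string => $db->real_escape_string($v),
        array_filter($input, 'is_string')   // nested arrays cannot be escaped; drop them
    );
}

// 3. The option that removes the need for escaping: a prepared statement. The value
//    is sent separately from the SQL text, so quotes and semicolons in $kkld are inert.
//    (Table and column names are assumed for the example.)
function find_by_kkld(mysqli $db, string $kkld): array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE kkld = ?');
    $stmt->bind_param('s', $kkld);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result needs mysqlnd
}

// Steps 2 and 3 need a live server; fill in real credentials (placeholders here) to try them.
// $db = new mysqli('localhost', 'app_user', 'app_pass', 'app');
// print_r(escape_all($db, $clean));
// print_r(find_by_kkld($db, $clean['kkld']));
```

    Note the division of labour: validation (FILTER_VALIDATE_INT, FILTER_VALIDATE_EMAIL) decides whether a value is acceptable at all, while escaping or parameter binding only decides how an accepted value reaches the database. Escaping a value that should have been an integer still leaves `WHERE page = $page` injectable, because there are no quotes for the escaped characters to break out of.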
