mysql_real_escape_string() for entire $_REQUEST array, or need to loop through it?

Question

Is there an easier way of safely extracting submitted variables other than the following?

if(isset($_REQUEST[\'kkld\'])) $kkld=mysql_real_escape_string($         


        

Answer 1

As an alternative, I can advise you to use PHP7 input filters, which provides a shortcut to sql escaping. I'd not recommend it per se, but it spares creating localized variables:

 $_REQUEST->sql['kkld']

Which can be used inline in SQL query strings, and give an extra warning should you forget it:

 mysql_query("SELECT x FROM y WHERE z = '{$_REQUEST->sql['kkld']}'");

It's syntactically questionable, but allows you escaping only those variables that really need it. Or to emulate what you asked for, use $_REQUEST->sql->always();