cleaning $_POST variables [duplicate]

Answer 1

unchecked checkboxes are not sent to the server.

you may use array_walk_recursive to do what you want

Answer 2

to make the recursion more elegant you could use something like array_map for example:

$_POST = array_map('mysql_real_escape_string',$_POST);

Use filter var if you can though as these kind of approaches are generally bad, just an example though ;)

Answer 3

Use filter_input if possible (php5 +) It keeps it a lot cleaner and as far as im aware you can sanitise and validate everything you could need using it.

You can use filter var array and for example FILTER_SANITIZE_STRING flag to filter the whole post array

filter_var_array($_POST, FILTER_SANITIZE_STRING) //just an example filter

There are loads of different filter options available on the w3schools filter reference

Answer 4

This is the wrong way to go about cleaning input.

Applying blanket mysql escaping to absolutely everything in $_POST and $_GET is going to come back and bite you, if you still want to use the data after you've made a database query but you don't want the escape characters in there.

Use parameterised queries with mysqli or PDO and you will never need to use mysql_real_escape_string().

Answer 5

What you're doing isn't enough. See here.