
mysql_escape_string whole post array?

I was wondering, is it possible to just mysql_escape_string the whole $_POST and $_GET arrays so you don't miss any variables?

Not sure how to test it or I would've myself. Thanks!

like image 295
NoviceCoding asked Jan 12 '11 04:01


3 Answers

I would use the array_walk() function. It's better suited because it modifies the POST superglobal so any future uses are sanitized.

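// The callback must take the value by reference; array_walk_recursive() discards return values.
array_walk_recursive( $_POST, function ( &$value ) { $value = mysql_real_escape_string( $value ); } );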

However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. E.g., emails don't have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don't have parentheses in them (so only allow letters and selected special characters).

EDIT: Changed array_walk() to array_walk_recursive() thanks to @Johan's suggestion. Props to him.

like image 158
Bailey Parker answered Oct 14 '22 09:10
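
The per-field character-set limiting described in the answer above, as an added example that is not part of the original answer. The field names, patterns and sample input are assumptions chosen for illustration.

```php
<?php
// Added example: per-field allow-list validation of form input.
// Field names and patterns below are assumptions, not from the answer.
const FIELD_RULES = [
    // Letters, digits, @, dot, dash, underscore, plus; no quotes.
    'email' => '/\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/',
    // Letters of any script plus a few selected characters; no parentheses.
    'name'  => '/\A[\p{L} \'.-]{1,100}\z/u',
    // Digits only. Escaping leaves an unquoted numeric value unchanged,
    // so a numeric field needs this check rather than escaping alone.
    'age'   => '/\A[0-9]{1,3}\z/',
];

/**
 * Returns [clean, errors]. Fields without a rule are dropped; missing
 * values, non-string values (e.g. name[]=x arrays) and values with
 * characters outside the allowed set are reported as errors.
 */
function validate_input(array $input, array $rules): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $input[$field] ?? null;
        if (!is_string($value)) {
            $errors[$field] = 'missing or not a string';
        } elseif (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'contains characters outside the allowed set';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Constructed sample standing in for $_POST.
$post = [
    'email' => 'alice@example.com',
    'name'  => "O'Brien",   // valid name that still contains a quote
    'age'   => '4two',      // rejected: not digits only
    'extra' => 'dropped',   // no rule, so never reaches $clean
];

[$clean, $errors] = validate_input($post, FIELD_RULES);
var_dump($clean, $errors);
```

A value that passes validation can still contain a quote, as the name here does, so it still has to be escaped or bound as a parameter before it reaches the query.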


$escaped_POST = array_map('mysql_real_escape_string', $_POST);

Though, I would recommend using MySQLi instead.

like image 45
Kevin answered Oct 14 '22 10:10


You can use

$clean = array();
foreach (array_keys($_POST) as $key)
{
  $clean[$key] = mysql_real_escape_string($_POST[$key]);
}

After this, to access the POST data use echo $clean['name'];

like image 32
Bhanu Prakash Pandey answered Oct 14 '22 10:10