Applying quote_smart() to Arrays

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Guys, I'm adapting the ..._deep() approach to apply it to $_GET  and/
or $_POST arrays as follows, as a lazy way to cleanup input before
posting it to the database - to prevent SQL injections.

    function quote_smart_deep($value) {        // recursive array-capable
version of quote_smart
        $value = is_array($value) ? array_map('quote_smart_deep',
$value) : quote_smart($value);
        return $value;

Anyone see any reason for this not to work?  Thanks, all.


Re: Applying quote_smart() to Arrays

the lovely and talented ashore broadcast on comp.lang.php:

Quoted text here. Click to load it

It depends upon what function quote_smart() is.  There is a function defined
in an example in the manual called quote_smart().  It will not work unless
you have an open link to a database because it uses
mysql_real_escape_string(). Although the second parameter of
mysql_real_escape_string() will default to the last link opened by
mysql_connect(), if that link does not exist, mysql_real_escape_string()
will fail (and so will any function using it such as the quote_smart()
defined in the example or any similar function you might devise that uses

If you copy quote_smart() from the example or write your own version using
mysql_real_escape_string(), it is best to invoke it as you compose your
query string after you have established your database connection.

Lars Eighner     < <
                         Countdown: 469 days to go.
                    What do you do when you're debranded?

Re: Applying quote_smart() to Arrays

ashore wrote:
Quoted text here. Click to load it

If you're working with a mysql database, use mysql_real_escape_string()  
on strings.  That's what it's there for (in part, anyway).

And verify that numeric values are actually numeric.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Site Timeline