Re: [PHP] using mysql_escape_string with implode() !!
06-02-2007, 08:56 PM
Richard Lynch wrote:
> On Wed, May 30, 2007 9:55 pm, Jim Lucas wrote:
>> Greg Donald wrote:
>>> On 5/30/07, Richard Lynch <EMAIL REMOVED> wrote:
>>>> You want to use mysql_escape_string, and NOT addslashes and NOT
>>>> Magic Quotes.
>>> function slashes( $var )
>>> {
>>>     if( is_array( $var ) )
>>>     {
>>>         return array_map( 'slashes', $var );
>>>     }
>>>     else
>>>     {
>>>         return mysql_real_escape_string( $var );
>>>     }
>>> }
>> Say I wanted to use this on something other than $_GET, $_POST, &
>> $_COOKIE?
>>
>> Would it not be better practice to do this the other way around?
>>
>> function slashes ( $var ) {
>>     if ( is_scalar($var) ) {
>>         return mysql_real_escape_string( $var );
>>     } else {
>>         return array_map( 'slashes', $var );
>>     }
>> }
>>
>> This way, even if someone passes something that is not an array, but
>> still not processable by mysql_real_escape_string(), it won't foul up
>> the processor.
>>
>>> set_magic_quotes_runtime( 0 );
>>>
>>> if( get_magic_quotes_gpc() == 0 )
>>> {
>>>     $_GET = isset( $_GET )
>>>         ? array_map( 'slashes', $_GET )
>>>         : array();
>>>
>>>     $_POST = isset( $_POST )
>>>         ? array_map( 'slashes', $_POST )
>>>         : array();
>>>
>>>     $_COOKIE = isset( $_COOKIE )
>>>         ? array_map( 'slashes', $_COOKIE )
>>>         : array();
>>> }
>
> Well, if it's not a scalar, and it's not an array, and you call
> array_map on it, things could get very ugly very fast...
>
> I'm not sure what other datatypes you might try to pass in, that PHP
> won't type-juggle to a string when it goes to
> mysql_real_escape_string...
>
> Exactly what "other" data are you planning on calling 'slashes' on?
>
Things that will work with mysql_real_escape_string():
boolean, integer, double, float, string, NULL

Things that won't work with mysql_real_escape_string():
array, object, resource id
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Unknown
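An added example, not code from anyone in this thread: the is_scalar-first walker Jim proposes, extended to handle the two lists in his last message (scalars and NULL escape cleanly; arrays recurse; objects and resources are rejected before they reach a query). The escaper is injected as a callable so the function runs without a live MySQL connection; `escape_deep`, `$escape` and the sample payload are my own names and constructed data.

```php
<?php
// Added example. $escape is any callable with the contract of
// mysqli_real_escape_string() bound to a connection, for instance:
//   $escape = fn(string $s): string => mysqli_real_escape_string($link, $s);
function escape_deep($var, callable $escape)
{
    // NULL is neither scalar nor array; keep it NULL instead of turning it
    // into '' (which is what escaping a juggled NULL would yield).
    if (is_null($var)) {
        return null;
    }
    // boolean, integer, double/float, string: all type-juggle to a string
    // (true -> "1", false -> ""), so the escaper can take them.
    if (is_scalar($var)) {
        return $escape((string) $var);
    }
    // Arrays recurse; keys are left untouched, only values are escaped.
    if (is_array($var)) {
        $out = [];
        foreach ($var as $k => $v) {
            $out[$k] = escape_deep($v, $escape);
        }
        return $out;
    }
    // object, resource: mysql_real_escape_string() cannot handle these.
    // Fail loudly rather than fouling up the processor or the query.
    throw new InvalidArgumentException(
        'escape_deep(): cannot escape value of type ' . gettype($var)
    );
}

// Offline stand-in for mysql_real_escape_string(): escapes the same seven
// characters (NUL, \n, \r, backslash, ', ", Ctrl-Z). Demonstration only;
// in real code bind the callable to the connection as shown above.
$escape = function (string $s): string {
    return strtr($s, [
        "\0" => '\0', "\n" => '\n', "\r" => '\r', '\\' => '\\\\',
        "'" => "\'", '"' => '\"', "\x1a" => '\Z',
    ]);
};

// Constructed sample: a nested request payload mixing the supported types.
$input = ['name' => "O'Brien", 'tags' => ['a"b', 42, true, null]];
print_r(escape_deep($input, $escape));

// A non-scalar, non-array value is rejected instead of reaching the query.
try {
    escape_deep(new stdClass(), $escape);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Escaping of this kind only protects values placed inside quoted string literals; identifiers, numbers used unquoted, and LIMIT/ORDER BY fragments need their own validation, which is one reason prepared statements with bound parameters are the more robust mitigation.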