On 11 Mar 2004 Rob Adams wrote:

> Along the same lines, I've found this helpful when inserting into mysql.
>
> foreach($_POST as $key => $val)
>     $$key = mysql_escape_string($val);
I just wrote a cleanup routine which applies a number of transformations -- it's called at the start of every page (if there's no post data, it won't do anything). Here's roughly what it does (the actual code has more nuances):

foreach(array_keys($_POST) as $keyname)
    $_POST[$keyname] = stripslashes(strip_tags(substr(trim($_POST[$keyname]), 0, 255)));

This eliminates HTML and PHP tags, and escape sequences (none of which I need to accept), and avoids problems if someone tries to post an outrageously long . Then I apply mysql_real_escape_string after that for stuff going into the database.

If anyone sees problems with this, or a better way to do it, I'm open to feedback!

-- 
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
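The cleanup pass Tom describes, written out as an added example that is neither Tom's nor Rob's code. It applies the same four transformations in the same order (trim, truncate to 255 bytes, strip_tags, stripslashes), but as a function over an array so it can be exercised on constructed input, and it keeps values inside the array instead of creating variables from POST keys. The names cleanup_post and sql_quote are assumptions; stripslashes is gated by a flag because it only undoes slashes that magic_quotes_gpc added; and mysqli_real_escape_string stands in for mysql_real_escape_string, which needs a live connection and is removed in current PHP, so that part is shown but not called.

```php
<?php
// Added example, not the routine from the original post. Same four steps, same order,
// applied to a copy of a POST-style array and returned rather than written to $_POST.
function cleanup_post(array $post, int $maxlen = 255, bool $magic_quotes = false): array
{
    foreach (array_keys($post) as $keyname) {
        $val = $post[$keyname];
        if (!is_string($val)) {          // nested arrays (checkbox groups etc.) are left untouched
            continue;
        }
        $val = trim($val);
        $val = substr($val, 0, $maxlen); // hard length cap before any further work
        // Note: truncating before strip_tags can cut a tag in half, and strip_tags removes
        // everything from an unterminated "<" to the end of the string, so a value may come
        // back shorter than expected.
        $val = strip_tags($val);         // drops HTML/PHP tags; this is not an HTML-output escape
        if ($magic_quotes) {
            $val = stripslashes($val);   // only correct when magic_quotes_gpc added the slashes
        }
        $post[$keyname] = $val;
    }
    return $post;
}

// Escaping stays at the point of use: a cleaned value is still raw data and must be
// escaped for the context it is used in. This helper needs a live mysqli connection
// (assumed, not opened here), which is why the demo below does not call it.
function sql_quote(mysqli $db, string $val): string
{
    return "'" . mysqli_real_escape_string($db, $val) . "'";
}

// Constructed input standing in for $_POST.
$sample = [
    'name'    => "  <b>O'Brien</b>  ",
    'comment' => str_repeat('A', 300) . '<script>alert(1)</script>',
    'choices' => ['a', 'b'],
];

$clean = cleanup_post($sample, 255, false);
var_dump($clean['name']);             // string(7) "O'Brien"
var_dump(strlen($clean['comment']));  // int(255): truncated before the tag was ever seen
var_dump($clean['choices']);          // array(2) { ... } unchanged
```

The apostrophe in "O'Brien" survives cleanup on purpose: quoting it is the job of sql_quote (or a prepared statement) when the value reaches the query, which matches Tom's point of applying mysql_real_escape_string afterwards rather than inside the cleanup pass.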