SitePoint Sponsor

User Tag List

Results 1 to 2 of 2
  1. #1
    SitePoint Wizard Wolf_22's Avatar
    Join Date
    Jul 2005
    Posts
    1,711
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Question Data after a foreach iteration...

    I have the following iteration taking place in my code:

    PHP Code:
                foreach($dirty_array as $k=>$v){
                    if(
    $v == ''){
                        
    $clean_array[$k] = 'BLANK';
                    }else{
                        if(
    get_magic_quotes_gpc()){//Check for Magic Quotes...
                            
    $clean_array[$k] = mysql_real_escape_string(stripslashes(strip_tags($v)));//Todo: Sanitize here...
                        
    }else{//If no Magic Quotes...
                            
    $clean_array[$k] = mysql_real_escape_string(strip_tags($v));//Todo: Sanitize here...
                        
    }
                    }
                } 
    As you can tell, I'm trying to use the mysql_real_escape_string to prep for database insertion, but the thing I learned tonight is that a notice pops-up because it expects a string (and not an array). Now that I see what happens with the foreach split, it makes sense that $v would be of type array because I guess it's obviously an array element still, but it's kinda weird to me because I envisioned $v as being a singular scalar value after the iteration. I guess I'm a bit mixed-up.

    I'm sure you get the gist of what I'm trying to do above and I want to know if I should keep going with it. I'm just trying to prep everything in the array to be ready for the database. Should I keep going or am I going about this all wrong? If I'm on the right track, how do I fix the array-to-string notice issue?

  2. #2
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    var_dump($dirty_array) one of it's elements is probably an array. $v isn't type array because it is an array element, only if the element is another array itself.

    Personally I'd stripslashes at the beginning of the script (in an init file or something) and then forget about it.
    strip_tags doesn't really belong in the input side, eg from these forums you can see legitimate tags posted and stored, better to do this on the output.
    So that just leaves escaping:
    PHP Code:
    $clean array_map('mysql_real_escape_string'$dirty); 
    You could also take a look at prepared statements and forget all about escaping.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •