Data after a foreach iteration

Wolf_22 · March 14, 2010, 3:14am

I have the following iteration taking place in my code:

			foreach($dirty_array as $k=>$v){
				if($v == ''){
					$clean_array[$k] = 'BLANK';
				}else{
					if(get_magic_quotes_gpc()){//Check for Magic Quotes...
						$clean_array[$k] = mysql_real_escape_string(stripslashes(strip_tags($v)));//Todo: Sanitize here...
					}else{//If no Magic Quotes...
						$clean_array[$k] = mysql_real_escape_string(strip_tags($v));//Todo: Sanitize here...
					}
				}
			}

As you can tell, I’m trying to use the mysql_real_escape_string to prep for database insertion, but the thing I learned tonight is that a notice pops-up because it expects a string (and not an array). Now that I see what happens with the foreach split, it makes sense that $v would be of type array because I guess it’s obviously an array element still, but it’s kinda weird to me because I envisioned $v as being a singular scalar value after the iteration. I guess I’m a bit mixed-up.

I’m sure you get the gist of what I’m trying to do above and I want to know if I should keep going with it. I’m just trying to prep everything in the array to be ready for the database. Should I keep going or am I going about this all wrong? If I’m on the right track, how do I fix the array-to-string notice issue?

hash · March 14, 2010, 3:41am

var_dump($dirty_array) one of it’s elements is probably an array. $v isn’t type array because it is an array element, only if the element is another array itself.

Personally I’d stripslashes at the beginning of the script (in an init file or something) and then forget about it.
strip_tags doesn’t really belong in the input side, eg from these forums you can see legitimate tags posted and stored, better to do this on the output.
So that just leaves escaping:


$clean = array_map('mysql_real_escape_string', $dirty);

You could also take a look at prepared statements and forget all about escaping.