Hello all, I know what to use to clean data before sending it to the database, but have a question about whether this would work out or not...
I am using XAJAX to send all form values in an array to a function which enters the database and returns a success message. Instead of checking if magic quotes is on or off, and cleaning each post individually based upon that, is it safe to run a foreach on the $aFormData array variable and clean just that? Would that clean each of the posted values?
I can clean each by $aFormData = stripslashes($aFormData['section_title']) and so on, but it just creates a huge block and don't think it is much needed.
Basically, this is what the function is looking like so far...
Code:
function addSectionData ( $aFormData ) {
if(get_magic_quotes_gpc()) {
$secname = stripslashes( $_POST['secname'] );
$description = stripslashes( $_POST['description'] );
$ordering = stripslashes( int( $_POST['ordering'] ) );
$access = stripslashes( int($_POST['access'] ) );
$publishing = stripslashes( int($_POST['publishing'] ) );
} else {
$secname = $_POST['secname'];
$description = $_POST['description'];
$ordering = $_POST['ordering'];
$access = $_POST['access'];
$publishing = $_POST['publishing'];
}
$password = md5( trim ( $aFormData['password'] ) );
// Query down here, not going to continue, not needed
}
I also plan to slap a mysql_real_escape_string (I made a new function to use instead, just to shorten the name) in the actual query.
One final question... do I have to send the password through strip slashing as well?
Thanks for your support :D
Join the friendly bunch on IRC...
Cleaning data before entering database question
Threaded Mode
