In our last episode, <11*********************@22g2000hsm.googlegroups.c om>,
the lovely and talented ashore broadcast on comp.lang.php:
Guys, I'm adapting the ..._deep() approach to apply it to $_GET and/
or $_POST arrays as follows, as a lazy way to cleanup input before
posting it to the database - to prevent SQL injections.
function quote_smart_deep($value) { // recursive array-capable
version of quote_smart
$value = is_array($value) ? array_map('quote_smart_deep',
$value) : quote_smart($value);
return $value;
}
Anyone see any reason for this not to work? Thanks, all.
It depends upon what function quote_smart() is. There is a function defined
in an example in the manual called quote_smart(). It will not work unless
you have an open link to a database because it uses
mysql_real_escape_string(). Although the second parameter of
mysql_real_escape_string() will default to the last link opened by
mysql_connect(), if that link does not exist, mysql_real_escape_string()
will fail (and so will any function using it such as the quote_smart()
defined in the example or any similar function you might devise that uses
mysql_real_escape_string()).
If you copy quote_smart() from the example or write your own version using
mysql_real_escape_string(), it is best to invoke it as you compose your
query string after you have established your database connection.
--
Lars Eighner <http://larseighner.com/ <http://myspace.com/larseighner>
Countdown: 469 days to go.
What do you do when you're debranded?
