Web Design Blog

This is where we store some of our Web Development thoughts, tips and tricks, just because we like to share.

PHP/MySQL - Escape All POST Or GET Variables For MySQL INSERT

I’m quickly going to demonstrate how to escape the special characters in every POST/GET variable so that the values coming from an HTML form are safe to use in a MySQL INSERT query.

So, let’s say we have a form like this on index.php:

<!-- The disabled="disabled" attributes keep this demo form inert on the blog page.
     Disabled fields are never submitted, so remove them on a live form. -->
<form action="insert.php" method="POST">
<fieldset>
<legend>Details</legend>
<div>
<label for="first_name">First Name:</label>
</div>
<div>
<input type="text" id="first_name" name="first_name" value="Bright" disabled="disabled" />
</div>
<div>
<label for="surname">Surname:</label>
</div>
<div>
<input type="text" id="surname" name="surname" value="Cherry" disabled="disabled" />
</div>
<div>
<label for="email">Email:</label>
</div>
<div>
<input type="text" id="email" name="email" value="design@brightcherry.co.uk" disabled="disabled" />
</div>
<div style="margin-top:10px;">
<input disabled="disabled" type="submit" value="Submit" />
</div>
</fieldset>
</form>

The form’s action is insert.php, so the submitted fields, whichever method you choose (GET or POST), are passed to insert.php. Before you INSERT that data into a MySQL table, you should make sure it is safe to INSERT.

The PHP function you should use is mysql_real_escape_string.

You can do the following before inserting the data (assuming the method type is POST):

$_POST['first_name'] = mysql_real_escape_string($_POST['first_name']);
$_POST['surname'] = mysql_real_escape_string($_POST['surname']);
$_POST['email'] = mysql_real_escape_string($_POST['email']);

But that’s not a very efficient method, because you’re repeating the same function call over and over. If the form has many more fields it quickly becomes tedious and error-prone: any field you forget to escape goes into the query unescaped.

Here’s a better and more efficient way of cleaning the data:

$clean = array(); // start with an empty array so it exists even when $_POST is empty
foreach(array_keys($_POST) as $key)
{
  // escape each submitted value, keeping it under the same key as in $_POST
  $clean[$key] = mysql_real_escape_string($_POST[$key]);
}

So what’s happening now is that ALL the POST variables are escaped in the foreach loop. The escaped values are stored in a new array, $clean, under the same keys as in $_POST, so to echo the values you simply do this:

echo $clean['first_name'];
echo $clean['surname'];
echo $clean['email'];

It’s as easy as that :)
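Putting the whole procedure together, as an added example that is not the post’s own code: the escape-all loop as a function, the INSERT it feeds, and the prepared-statement form of the same insert. It assumes PHP 7.4 or later, a mysqli connection in $db with placeholder credentials, and a table contacts with the three form columns; mysql_real_escape_string() was removed in PHP 7.0, so mysqli’s real_escape_string() stands in for it here and, like the original, it needs an open connection because the escaping depends on the connection’s character set. The point the post leaves implicit is that an escaped value is only safe inside a quoted string literal, which is why build_insert() wraps every value in single quotes.

```php
<?php
// Added example, not the post's own code. Assumes a live mysqli connection in
// $db (placeholder credentials below) and a table `contacts` with columns
// first_name, surname, email.

/**
 * Escape every expected field of a request array so the values can be placed
 * inside single-quoted SQL string literals. Only whitelisted keys are kept:
 * unexpected fields are dropped and the client never chooses column names.
 */
function escape_request(mysqli $db, array $input, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $key) {
        // A missing field becomes an empty string; an array value (from a
        // field named like "email[]") is rejected rather than cast to "Array".
        $value = $input[$key] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field '$key' must be a string");
        }
        $clean[$key] = $db->real_escape_string($value);
    }
    return $clean;
}

/**
 * Build the INSERT. The escaped values are safe only because each one is
 * wrapped in single quotes here; escaping does nothing for values that are
 * interpolated unquoted (numbers, column or table names, ORDER BY targets).
 */
function build_insert(string $table, array $clean): string
{
    $columns = implode(', ', array_map(fn(string $k): string => "`$k`", array_keys($clean)));
    $values  = implode(', ', array_map(fn(string $v): string => "'$v'", array_values($clean)));
    return "INSERT INTO `$table` ($columns) VALUES ($values)";
}

// ---- usage ----
$db = new mysqli('localhost', 'db_user', 'db_password', 'example_db'); // placeholders
$db->set_charset('utf8mb4'); // set the charset before escaping, never after

$clean = escape_request($db, $_POST, ['first_name', 'surname', 'email']);
$db->query(build_insert('contacts', $clean));

// The same insert as a prepared statement: the values travel separately from
// the SQL text, so no escaping step is needed and the quoting mistake above
// cannot happen. Prefer this form in new code.
$first   = $_POST['first_name'] ?? '';
$surname = $_POST['surname'] ?? '';
$email   = $_POST['email'] ?? '';
$stmt = $db->prepare('INSERT INTO `contacts` (first_name, surname, email) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $first, $surname, $email);
$stmt->execute();
```

escape_request() deliberately iterates the whitelist rather than array_keys($_POST): the loop in the post escapes whatever the client sends, but it also silently accepts fields the form never had, and the keys of $_POST are client-controlled.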

16 Feb 2010 / 3 Comments / MySQL & PHP / by Maruf

3 Comments

  1. guru
    15/09/2010

    nice method (with references)
    foreach($_POST as $key=>&$value) {
    $value = mysql_real_escape_string($value);
    }

    or your one:
    foreach(array_keys($_POST) as $key)
    {
    $clean[$key] = mysql_real_escape_string($_POST[$key]);
    }
    Is ugly
    here is cleaner
    :)
    foreach($_POST as $key=>$value) {
    $clean[$key]=mysql_real_escape_string($value);
    }

  2. 31/03/2011

    I was looking to escape all post data in one shot. This just did the trick. Thx, Richard

  3. 07/04/2012

    I modified this a bit to do something like this:

    foreach (array_keys($_REQUEST) as $key) {
    $$key = mysql_real_escape_string(addslashes($_REQUEST[$key]));
    }

    That’ll create a cleaned POST or GET variable with the name as the key. For example if you posted $_POST['UserName'] you could then use $UserName as a clean variable automatically :)
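Two caveats on the variant in the comment above, shown as an added example that is not the commenter’s or the post’s code. First, addslashes() and mysql_real_escape_string() both escape quotes and backslashes, so running one after the other escapes the first pass’s backslashes again and the stored value gains stray backslashes. Second, $$key creates a PHP variable whose name the client chose (and $_REQUEST also includes cookies), so a request field can overwrite a variable the script already uses; named variables are better obtained by destructuring a whitelisted array. Because real_escape_string() needs a database connection, the block uses a stand-in escaper, labelled as such, that mirrors what the connection-bound function escapes in MySQL’s default SQL mode.

```php
<?php
// Added example, not the commenter's or the post's code. stand_in_escape() is a
// stand-in for mysqli::real_escape_string() so this runs without a database:
// in the default SQL mode that function escapes backslash, single and double
// quote, NUL, newline, carriage return and Ctrl-Z. Use the real
// connection-bound function in production.
function stand_in_escape(string $s): string
{
    return strtr($s, [
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\x1a" => '\\Z',
    ]);
}

// Pitfall 1: addslashes() followed by the MySQL escaper. Both escape ' and \,
// so the second pass escapes the backslashes the first pass added, and the
// database ends up storing a backslash that was never in the user's input.
function double_escaped(string $s): string
{
    return stand_in_escape(addslashes($s));
}

// Pitfall 2: $$key writes a variable whose name the client picked. Returning
// only the expected fields keeps the script's own variables untouched; the
// caller then binds names explicitly with keyed destructuring.
function clean_fields(array $request, array $allowed): array
{
    $out = [];
    foreach ($allowed as $key) {
        $value = $request[$key] ?? '';
        $out[$key] = stand_in_escape(is_string($value) ? $value : '');
    }
    return $out;
}

// ---- demonstration on constructed input ----
$request = ['UserName' => "O'Brien", 'db_table' => 'x']; // constructed sample request
$db_table = 'users';                                      // a variable the script relies on

$single = stand_in_escape($request['UserName']); // one escaping pass, correct
$double = double_escaped($request['UserName']);  // two passes, extra backslashes

// Named variables without $$key: only whitelisted fields are exposed, so the
// client's 'db_table' field cannot reach $db_table.
['UserName' => $UserName] = clean_fields($request, ['UserName']);

printf("single: %s\ndouble: %s\nUserName: %s\ndb_table: %s\n",
       $single, $double, $UserName, $db_table);
```

With the constructed input, $single unescapes back to O'Brien when MySQL parses the quoted literal, whereas $double stores O\'Brien, and $db_table still reads users because the request’s db_table field was never turned into a variable.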


© 2012 BrightCherry :)