DELETE IN with implode()

I have a form that sends an array of transaction IDs to $_POST['transid'] so that these transaction records can be deleted.

I usually use mysqli_real_escape_string to prevent attacks, but I'm not sure how to do this with an array. Below is my query:

 $query = 'DELETE FROM TRANSACTIONS WHERE (transid) IN ("'.implode('","',$_POST['transid']).'")';

... which gives me something like this:

 $query = 'DELETE FROM TRANSACTIONS WHERE (transid) IN ("123","124","138","145")';

This seems like trouble. How can I protect myself from disaster (malicious or otherwise)? Is there an effective way to sanitize an array? Or should I go about this another way?

Any thoughts or recommendations would be appreciated.

+4
2 answers

You should probably sanitize $_POST before you use it, to prevent hacking, and to do that you will have to loop through it. @user870018 beat me to it with the structure, but here is what I would do anyway:

 // escape each element, then quote each value when splicing it into the IN list
 // (an escape function only protects values that sit inside quotes)
 function sanitize($n) { return your_escape_function_here($n); }
 $values = implode('","', array_map("sanitize", $_POST['transid']));
 $query = 'DELETE FROM TRANSACTIONS WHERE (transid) IN ("'.$values.'")';
+3

Use a foreach loop before building the query:

 foreach ($_POST['transid'] as &$x) { $x = your_escape_function_here($x); }
 unset($x); // drop the reference so later writes to $x cannot alter the last element

Or (if you work with arrays regularly), put it in a function to keep the overall program a little cleaner:

 function sqlEscapeArray($arr) {
     foreach ($arr as &$x) { $x = your_escape_function_here($x); }
     unset($x); // break the reference before returning the array
     return $arr;
 }

Then use it like this:

 $query = 'DELETE FROM TRANSACTIONS WHERE (transid) IN ("'.implode('","',sqlEscapeArray($_POST['transid'])).'")';

Of course, replace your_escape_function_here with, well ... your escape function.

+2
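Both answers escape each element and still splice it into the SQL text, which only holds up if every value is also quoted and the escape function matches the connection's charset. The following is an added example, not code from the question or either answer, showing the approach a security engineer would reach for instead: validate the IDs as integers and bind them to a prepared statement with one placeholder per value, so nothing from the form is ever concatenated into the query. It assumes a mysqli connection `$db`, a `TRANSACTIONS` table whose `transid` column is an integer, and a constructed `$posted` array standing in for `$_POST['transid']`; its third element is the kind of value an attacker would submit against the original concatenation.

```php
<?php
// Added example (not from the original question or answers).
// Assumes: a mysqli connection $db, table TRANSACTIONS(transid INT),
// and a form field "transid" that posts an array of IDs.

declare(strict_types=1);

// Constructed input: the third "ID" is what an attacker would submit.
$posted = ['123', '124', '138") OR ("1"="1'];

// 1. The original concatenation. With the attacker's value the WHERE clause
//    becomes  (transid) IN ("123","124","138") OR ("1"="1")  and every row goes.
function unsafeDeleteQuery(array $ids): string
{
    return 'DELETE FROM TRANSACTIONS WHERE (transid) IN ("' . implode('","', $ids) . '")';
}

// 2. Validation: transid is an integer column, so anything that is not a
//    plain string of digits is rejected up front. The length cap keeps the
//    value inside a 64-bit integer.
function toIntIds(array $raw): array
{
    $ids = [];
    foreach ($raw as $v) {
        if (!is_string($v) || !preg_match('/^[1-9][0-9]{0,17}$/', $v)) {
            throw new InvalidArgumentException('invalid transaction id: ' . var_export($v, true));
        }
        $ids[] = (int) $v;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no transaction ids supplied');
    }
    return array_values(array_unique($ids));
}

// 3. Prepared statement with one "?" per value; the IDs never touch the SQL text.
function deleteTransactions(mysqli $db, array $ids): int
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "DELETE FROM TRANSACTIONS WHERE transid IN ($placeholders)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // bind_param takes one type character per placeholder ("i" = integer)
    // and the values as separate arguments; argument unpacking supplies them.
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $db->error);
    }
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

echo unsafeDeleteQuery($posted), PHP_EOL;   // shows the injected clause

try {
    $ids = toIntIds($posted);               // throws on the injected value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
    $ids = toIntIds(['123', '124', '138']); // what a legitimate submission yields
}

// $db = new mysqli('localhost', 'user', 'pass', 'shop');  // assumed connection
// echo deleteTransactions($db, $ids), ' rows deleted', PHP_EOL;
```

The integer check is not a substitute for the prepared statement; it is there because an ID column should never receive anything but an integer, and rejecting bad input early gives a clear error instead of a silent zero-row delete. If the column were a string type, keep the same placeholder construction and change the type string to `s` for each value; escaping is then handled by the driver rather than by code that has to remember to quote.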

Source: https://habr.com/ru/post/1502096/
