
I'm using PHP to write a script that will give me a MySQL query that I will then use directly from MySQL Workbench.

I fetch the data from a .csv and then I loop over it to write the SQL syntax with PHP.

My problem is finding a way to escape every string inside the array so that I don't end up with a corrupted query.

How can I run mysqli_real_escape on an entire array?

2 Answers


First, try to use PDO instead. With prepared statements, your variables are sent separately from the query and you don't have to worry about manually escaping the parameters.

Second, if you REALLY need to do this, use mysqli_real_escape_string with array_map. Something like this should work:

$escapedArray = array_map(function($val) use ($mysqli) {
    return is_string($val) ? $mysqli->real_escape_string($val) : $val;
}, $unescapedArray);

Or procedurally like this:

$escapedArray = array_map(function($val) use ($mysqli) {
    return is_string($val) ? mysqli_real_escape_string($mysqli, $val) : $val;
}, $unescapedArray);

The reason for this is simple. If any element of the array is not a string, escaping it will return null, so you return the element as is.

EDIT: For nested arrays, you will have to use array_walk_recursive instead of array_map.

// Walks every leaf of the (possibly nested) array and escapes it in place.
// Only strings are escaped; other values (ints, NULL, ...) are left untouched.
array_walk_recursive($varArray, function(&$val) use ($mysqli) {
    $val = is_string($val) ? mysqli_real_escape_string($mysqli, $val) : $val;
});

6 Comments

You fell into the same trap I did: he needs to generate SQL for a script that somebody else will use. PDO is out of the question, alas.
Which is why I also posted an alternative. :)
by golly gosh you did! Any reason not to use a straightforward foreach loop?
It doesn't escape anything... it returns the same strings :( With both the examples.
@FezVrasta It will escape only special characters, and will NOT work with nested arrays.
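A fuller version of the approach in the answer above, added here as an example (it is not code from the question or from either answer): it runs real_escape_string() over each CSV field, adds the surrounding quotes that the function itself does not add, emits NULL for null fields, and backtick-quotes the table and column names. The connection details, table, columns and rows are constructed placeholders; it needs PHP 7.4+ and a live mysqli connection, because the escaping rules depend on the connection charset.

```php
<?php
// Added example, not from the original post. Builds one INSERT per CSV row
// using a mysqli connection to the same charset as the target database.

function sqlLiteral(mysqli $db, $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    // real_escape_string() only escapes; the quotes must be added here.
    return "'" . $db->real_escape_string((string) $value) . "'";
}

function buildInsert(mysqli $db, string $table, array $columns, array $row): string
{
    // Identifiers cannot go through real_escape_string(); backtick-quote them
    // and double any embedded backtick instead.
    $quoteIdent = fn(string $id) => '`' . str_replace('`', '``', $id) . '`';
    $values = array_map(fn($v) => sqlLiteral($db, $v), $row);
    return sprintf(
        'INSERT INTO %s (%s) VALUES (%s);',
        $quoteIdent($table),
        implode(', ', array_map($quoteIdent, $columns)),
        implode(', ', $values)
    );
}

// Hypothetical connection details (placeholders).
$db = new mysqli('127.0.0.1', 'user', 'password', 'mydb');
$db->set_charset('utf8mb4');

// Constructed sample rows as fgetcsv() might return them; the second row
// contains a quote and a backslash that would corrupt an unescaped query.
$columns = ['id', 'name', 'note'];
$rows = [
    [1, 'Alice', 'plain text'],
    [2, "O'Brien", "path C:\\temp; 'quoted'"],
    [3, 'Bob', null],
];

foreach ($rows as $row) {
    echo buildInsert($db, 'customers', $columns, $row), PHP_EOL;
}
```

Fields read with fgetcsv() all arrive as strings, so numeric columns end up quoted as '1'; MySQL accepts that for integer columns, and casting them beforehand is only needed if you want bare numbers in the generated script.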

You could use array_map. Something like:

$safeArray = array_map ('mysqli_real_escape_string', $originalArray);

6 Comments

I was about to bring the smack down. Put that i after mysql please.
It gives me: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in
@FezVrasta: You can create a connection to some database that has the same collation and other features of the target database that your customer is using, and then pass in that connection argument.
You're quite right - it would have worked with mysql_real_escape_string but not with the mysqli version. There is a work-around here: stackoverflow.com/questions/6726800/sanitizing-an-array using a global to reference the mysqli link. But Ashwin's answer seems neater.
ok but how can I pass the second parameter? I have to use the example of @Ashwin Mukhija