6

My code is like this

 public function addQuestions($data){


    $ans = array();
    $ans[1] = $data['ans1'];
    $ans[2] = $data['ans2'];
    $ans[3] = $data['ans3'];
    $ans[4] = $data['ans4'];
    $ans= mysqli_real_escape_string($this->db->link, $data[$ans]);

}

Is this the right way to use an array in this SQL function?

4
  • mysqli_real_escape_string's second parameter is the string to escape: mysqli_real_escape_string ( mysqli $link , string $escapestr ) Commented Aug 12, 2017 at 5:40
  • 2
    It has to be mentioned. You shouldn't be escaping data for sql queries - you should use prepared and parameterized queries. That way you are actually executing safe and secure queries, and you don't mangle data. Win win Commented Aug 12, 2017 at 6:26
  • Since there are a lot of answers recommending to use functions like array_walk and array_map, I would recommend checking out this answer explaining the differences: stackoverflow.com/a/3432266/4796321 Commented Aug 12, 2017 at 7:12
  • Your code and approach are outdated for at least a decade. We're all using parameterized queries and don't have to worry about escaping anything any more. I suggest you do a bit of googling to see what we're talking about. Commented Aug 12, 2017 at 10:18

4 Answers

5

Since you wish to do something to each element of array $ans, it would be most appropriate to use array_map(), as follows:

public function addQuestions($data){

    $ans = array();
    $ans[1] = $data['ans1'];
    $ans[2] = $data['ans2'];
    $ans[3] = $data['ans3'];
    $ans[4] = $data['ans4'];

    // array_map() returns a new array with the callback applied to every element
    $escaped_ans = array_map(function( $e ) {
        return mysqli_real_escape_string( $this->db->link, $e);
    }, $ans );
}


1

Since you have an array, and you want mysqli_real_escape_string on each element of an array, you can use array_walk():

// mysqli_real_escape_string() needs the connection as its first argument;
// array_walk() passes its optional third argument through to the callback
function myescape($val, $key, $link)
{
    return mysqli_real_escape_string($link, $val);
}

... then

array_walk($ans, 'myescape', $this->db->link);


1

I don't have enough reputation to comment on Milan's post, but beware of array_walk, it won't change your original array. For Milan's code to actually affect your array, the function would have to be

function myescape(&$val, $key, $link) // Note the '&', which passes $val by reference
{
    $val = mysqli_real_escape_string($link, $val);
}

array_walk($ans, 'myescape', $this->db->link); // the third argument is handed to the callback

To answer your question though:

public function addQuestions($data){
    $ans = array('',$data['ans1'],$data['ans2'],$data['ans3'],$data['ans4']);
    //I would recommend using an object/associative array in this case though, just the way $data is already

    $ans_escaped = array_map(function($val) {
        return mysqli_real_escape_string($this->db->link, $val);
    }, $ans);

    //do whatever you need to do with escaped array
}

My advice though, would be to really look into prepared statements. It might just seem like extra work that you don't want to bother with - at first - but once you learn it, you will never want to do it any other way.


0

If you use MySQL PDO you won't need to add "mysqli_real_escape_string" because all your variables are safe (from SQL injection) after you bind them.

http://php.net/manual/en/pdostatement.bindparam.php

1 Comment

Either way, the function is redundant if prepared and bound statements are employed
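For comparison, here is the question's addQuestions() rewritten with a mysqli prepared statement, which is what the comments and the answers above recommend instead of escaping each array element. This is an added example, not code from the question or any answer; it assumes $this->db->link is the mysqli connection from the question and a hypothetical `questions` table with columns question, ans1..ans4.

```php
<?php
// Added example: addQuestions() using a prepared statement instead of escaping.
// Assumed: a mysqli connection (the question's $this->db->link) and a
// hypothetical table `questions` (question, ans1, ans2, ans3, ans4).
class QuestionRepository
{
    private $link;

    public function __construct(mysqli $link)
    {
        $this->link = $link;
        // Make driver errors throw exceptions instead of returning false silently.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    }

    public function addQuestions(array $data)
    {
        // Collect the four answers in order; a missing key becomes NULL rather
        // than an empty string, so the database can tell "absent" from "blank".
        $ans = array();
        for ($i = 1; $i <= 4; $i++) {
            $ans[$i] = isset($data['ans' . $i]) ? $data['ans' . $i] : null;
        }
        $question = isset($data['question']) ? $data['question'] : null;

        // Placeholders keep the SQL text separate from the values: the driver
        // sends the values out of band, so no escaping is needed and quotes,
        // backslashes or comment markers in the input are stored literally.
        $stmt = $this->link->prepare(
            'INSERT INTO questions (question, ans1, ans2, ans3, ans4) VALUES (?, ?, ?, ?, ?)'
        );
        $stmt->bind_param('sssss', $question, $ans[1], $ans[2], $ans[3], $ans[4]);
        $stmt->execute();
        $id = (int) $stmt->insert_id;
        $stmt->close();
        return $id;
    }
}

// Usage with assumed credentials and constructed input:
// $repo = new QuestionRepository(new mysqli('localhost', 'user', 'pass', 'quiz'));
// $id = $repo->addQuestions(array(
//     'question' => "What's 2+2?",
//     'ans1' => '4', 'ans2' => "it's 5", 'ans3' => '3', 'ans4' => '22',
// ));
```

The apostrophe in "it's 5" is stored as-is without any call to mysqli_real_escape_string, because the value never becomes part of the SQL string.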
