DISCLAIMER: I UNDERSTAND THE FUNCTIONS ARE ON TOP OF THE TO-DO-DEPRECATION LIST. ALL WARNINGS ARE JUST PREACHING TO THE CHOIR.
Anyway. I have found myself in the employment of a company using the mysql_* functions. That isn't bad enough apparently, because the entire thing is without mysql_real_escape_string(). "Great". All user input is unsanitized, so naturally, being the new code monkey, my job is to incorporate it into all 4.93g of PHP scripts. F.M.L. "So", I thought to myself, "what if I just unset the $_REQUEST array on each page (not sure why, but they never used $_POST or $_GET once in the entire program, they literally used $_REQUEST everywhere) and then reset it with mysql_real_escape_string?". To me, that sure beats going through 1000000000 lines of code. So I sat down and wrote the function to do it. Here is where I'm at:
```php
<?php
/* let's say input is "dirty" and input2 is "boy" */
echo "<br><pre>"; print_r($_REQUEST); echo "</pre><br>";

// Flatten the values and the keys into comma-separated strings, then split
// them back into indexed arrays (a value that itself contains a comma is split too)
$tempString  = implode(',', $_REQUEST);
$tempString2 = implode(',', array_keys($_REQUEST));
$tempArray   = explode(',', $tempString);
$tempArray2  = explode(',', $tempString2);
$count = count($_REQUEST);

echo "<br><pre>"; print_r($tempArray); echo "</pre><br>";
echo "<br>";
echo "<br><pre>"; print_r($tempArray2); echo "</pre><br>";

// Rebuild $_REQUEST key by key
unset($_REQUEST);
$_REQUEST = array();
for ($i = 0; $i < $count; $i++) {
    // Concatenates the literal text "mysql_real_escape_string(" around the value;
    // the function itself is not called here, which is what the output below shows
    $_REQUEST[$tempArray2[$i]] = "mysql_real_escape_string(" . $tempArray[$i] . ")";
}
echo "<br><pre>"; print_r($_REQUEST); echo "</pre><br>";
```
As far as I can tell it is working!:

```
Array
(
    [input] => dirty
    [input2] => boy
)

Array
(
    [0] => dirty
    [1] => boy
)

Array
(
    [0] => input
    [1] => input2
)

Array
(
    [input] => mysql_real_escape_string(dirty)
    [input2] => mysql_real_escape_string(boy)
)
```
But frankly it seems too easy. Immediate issues I see are:

- it only works for $_REQUEST[]
- you have to hard-code it at the top of every page, even if you set it as a global function and include it
- if one thing goes wrong...
- mysql_* functions suck, i.e. mysql_real_escape_string
As a side note, I can't even tell you how many times I have fought to switch everything from PDO; as you can imagine, they don't like the amount of time that would require.

So, I suppose what I'm bringing this here to you guys for is a second pair of eyes. Do you see any immediate issues with this? Any other immediate issues that I missed? If you guys like this in any way, as I'm sure there are other people who could use something like this (if you build it they will come), I'll go ahead and throw it on GitHub and work it into my schedule. Thanks :)