Ted Wilmont - 1 year ago
PHP Question

Disabling Multidimensional Arrays for $_POST Inputs

We have the following code:

$comment = $_POST['comment'];
$comment = mysql_real_escape_string(strip_tags($comment));

After running a security scan (Acunetix) we have run into a problem.

If somebody was to modify the input variable
and turn it into a longer array (possibly called a multidimensional array), we get the following error message:

strip_tags() expects parameter 1 to be string, array given...

How can we disable the user from modifying the variable and just only accept the
as a single string?


One way to do this would be to test the variable to see if it contains an array. Using a ternary statement it would look something like this:

is_array($_POST['comment']) ? unset($_POST['comment']) : $comment = mysql_real_escape_string(strip_tags($comment));

In this case, based on the OP's comment concerning un-setting the variable if it contains an array, I have used the unset() function in the ternary. If it is just a string then it is passed to the variable $comment.
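
The array check discussed above, as an added example that is not part of the original question or answer. `unset()` is a language construct and cannot be used as an operand of the ternary operator, so this version uses an explicit `is_string()` check; `post_string()` is a hypothetical helper and the request bodies are constructed samples.

```php
<?php
// Added example: post_string() is a hypothetical helper, not code from the thread.

/**
 * Return $source[$key] only when the client sent a single string value.
 * PHP turns "comment[]=x" or "comment[a][b]=x" into an array, so anything
 * that is not a string is treated as if the field were absent.
 */
function post_string(array $source, string $key): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null; // missing or array-shaped input: reject
    }
    // strip_tags() is now guaranteed to receive a string argument.
    return strip_tags($source[$key]);
}

// Constructed request bodies, parsed the same way PHP fills $_POST.
$samples = [
    'comment=Nice+post',          // normal single value
    'comment[]=Nice+post',        // one-dimensional array
    'comment[a][b]=Nice+post',    // nested (multidimensional) array
    'other=1',                    // field missing entirely
];

foreach ($samples as $body) {
    parse_str($body, $post);      // stands in for $_POST in this demo
    $comment = post_string($post, 'comment');

    if ($comment === null) {
        // In a real handler: answer with HTTP 400 and stop processing.
        printf("%-26s => rejected\n", $body);
        continue;
    }

    // Database escaping (mysql_real_escape_string in the question) happens
    // only after this check, on a value known to be a string.
    printf("%-26s => accepted: %s\n", $body, $comment);
}
```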