Apply FILTER_SANITIZE or real_escape_string to all fields of a json

Question

Apply FILTER_SANITIZE or real_escape_string to all fields of a json

Asked 7 years, 4 months ago

Viewed 266 times

0

Good I have to apply one FILTER_SANITIZE_SPECIAL_CHARS on dodos the fields of a json.

Currently receives json like this:

// Recebo o json
$json = filter_input(INPUT_POST, 'json', FILTER_DEFAULT);

// Decodifica o Json
$obj = json_decode($json);

// Aqui eu tenho que aplicar o `FILTER_SANITIZE_SPECIAL_CHARS`

The json var_dump:

{
 "Autenticacao": {
    "login": "100",
    "senha": "123"
 },
 "operacao": {
    "nome": "hugo",
    "endereco": "rua sei la",
    "numero": "123"
 }
}

How to navigate the fields login,senha,nome,endereco and numero applying the FILTER_SANITIZE_SPECIAL_CHARS?

Edith ----------------------------

I tried with the real_escape_string as follows:

foreach ($obj as &$main) {
            foreach ($main as &$value) {
                $value = $conexao->real_escape_string($value);
            }
        }

But I’m having this mistake:

mysqli::real_escape_string() expects parameter 1 to be string, object given in

as it is for all fields apply a double foreach , and then filter the strings

– 13dev

2017/08/09 at 17:22
tas to pass an object as parameter

– 13dev

2017/08/09 at 18:32
@13dev I understand, I have to navigate inside the object to apply the real_escape_string, right?

– Hugo Borges

2017/08/09 at 18:36
yes of course tries to do print_r() in the $value to access correctly.

– 13dev

2017/08/09 at 18:41

2 answers

2

Using two foreachs and add the & ("E" commercial) the value variables of foreach to create a reference:

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
    }
}

See what happens if you use INT in one of the fields and boolean in the other in jsfiddle: https://ideone.com/5hVH3d, code:

<?php

$obj = json_decode('{
 "Autenticacao": {
    "login": 100000000000,
    "senha": "123"
 },
 "operacao": {
    "nome": false,
    "endereco": "rua sei la",
    "numero": "123"
 }
}');

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
    }
}

var_dump($obj);

The name field becomes an empty string and the login field becomes a string in number format, but it is no longer "int", see the result of var_dump($obj); the fields were changed directly in the $obj:

object(stdClass)#2 (2) {
  ["Autenticacao"]=>
  object(stdClass)#1 (2) {
    ["login"]=>
    string(12) "100000000000" <--------- AQUI
    ["senha"]=>
    string(3) "123"
  }
  ["operacao"]=>
  &object(stdClass)#3 (3) {
    ["nome"]=>
    string(0) "" <--------- AQUI
    ["endereco"]=>
    string(10) "rua sei la"
    ["numero"]=>
    &string(3) "123"
  }
}

The change affected directly the variable $obj due to e-comerical, according to the PHP documentation:

With mysql and real_escape

You can do it like this:

<?php
$mysqli = new mysqli("localhost", "usuario", "senha", "banco");

...

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = $mysqli->real_escape_string($value);
    }
}

If it is procedural:

<?php
$mysqli = mysqli_connect("localhost", "usuario", "senha", "banco");

...

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = mysqli_real_escape_string($mysqli, $value);
    }
}

ok, but how do I change the object that is with json? In case the $obj.

– Hugo Borges

2017/08/09 at 17:34
@Hugoborges with the commercial E, as this in the example ($obj as &$main) and ($main as &$value)

– Guilherme Nascimento

2017/08/09 at 17:34
@Hugoborges edited the answer to better understand.

– Guilherme Nascimento

2017/08/09 at 17:40
Very good, thank you. it is possible to do using the real_escape_string? I edited my question.

– Hugo Borges

2017/08/09 at 18:24
@Hugoborges would be better to use prepared_statment: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

– Guilherme Nascimento

2017/08/09 at 19:02
@Hugoborges edited the answer, see examples with real_escape

– Guilherme Nascimento

2017/08/09 at 19:18
Your way is making that mistakeWarning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in I’m trying to use the mysqli_real_escape_string($value)

– Hugo Borges

2017/08/10 at 12:19
@Hugoborges corrected, I edited the question

– Guilherme Nascimento

2017/08/10 at 14:13

Show 3 more comments

Browser other questions tagged php

You are not signed in. Login or sign up in order to post.

by 13dev • **2,415** points · Answer 1 · 2017-08-09T17:42:40+00:00

For this question I decided to do a small function, which only works if the json is only 1 degree but solves the situation well.

OBS the variable is passed by reference which means it will be changed, $json = saveJson($obj);

OBS The current filter is FILTER_SANITIZE_STRING , choose one that fits your needs

function saveJson(&$json)
{
    foreach($json as $key => $object)
    {
        foreach($object as $key1 => $o)
        {
            $json->$key->$key1 = filter_var($o, FILTER_SANITIZE_STRING);
        } 
    }
}