Apply FILTER_SANITIZE or real_escape_string to all fields of a json

0

Well, I have to apply FILTER_SANITIZE_SPECIAL_CHARS to all the fields of a JSON.

Currently I receive the JSON like this:

// Receive the JSON
$json = filter_input(INPUT_POST, 'json', FILTER_DEFAULT);

// Decode the JSON
$obj = json_decode($json);

// Here I have to apply `FILTER_SANITIZE_SPECIAL_CHARS`

The json var_dump:

{
 "Autenticacao": {
    "login": "100",
    "senha": "123"
 },
 "operacao": {
    "nome": "hugo",
    "endereco": "rua sei la",
    "numero": "123"
 }
}

How do I iterate over the fields login, senha, nome, endereco and numero, applying FILTER_SANITIZE_SPECIAL_CHARS?

Edit ----------------------------

I tried with the real_escape_string as follows:

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = $conexao->real_escape_string($value);
    }
}

But I'm getting this error:

mysqli::real_escape_string() expects parameter 1 to be string, object given in 
  • since it is for all fields, apply a double foreach, and then filter the strings

  • you're passing an object as the parameter

  • @13dev I understand, I have to navigate inside the object to apply the real_escape_string, right?

  • yes, of course; try doing a print_r() on $value to access it correctly.

2 answers

2


Use two foreach loops and add & (the ampersand) to the foreach value variables to create a reference:

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
    }
}

See what happens if you use an int in one of the fields and a boolean in another, on jsfiddle: https://ideone.com/5hVH3d. Code:

<?php

$obj = json_decode('{
 "Autenticacao": {
    "login": 100000000000,
    "senha": "123"
 },
 "operacao": {
    "nome": false,
    "endereco": "rua sei la",
    "numero": "123"
 }
}');

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
    }
}

var_dump($obj);

The nome field becomes an empty string and the login field becomes a string in number format, no longer an "int". See the result of var_dump($obj); the fields were changed directly in $obj:

object(stdClass)#2 (2) {
  ["Autenticacao"]=>
  object(stdClass)#1 (2) {
    ["login"]=>
    string(12) "100000000000" <--------- HERE
    ["senha"]=>
    string(3) "123"
  }
  ["operacao"]=>
  &object(stdClass)#3 (3) {
    ["nome"]=>
    string(0) "" <--------- HERE
    ["endereco"]=>
    string(10) "rua sei la"
    ["numero"]=>
    &string(3) "123"
  }
}

The change directly affected the variable $obj because of the ampersand, according to the PHP documentation:

With mysql and real_escape

You can do it like this:

<?php
$mysqli = new mysqli("localhost", "usuario", "senha", "banco");

// ...

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = $mysqli->real_escape_string($value);
    }
}

If it is procedural:

<?php
$mysqli = mysqli_connect("localhost", "usuario", "senha", "banco");

// ...

foreach ($obj as &$main) {
    foreach ($main as &$value) {
        $value = mysqli_real_escape_string($mysqli, $value);
    }
}
  • OK, but how do I change the object that holds the JSON? In this case, $obj.

  • @Hugoborges with the ampersand, as in the example: ($obj as &$main) and ($main as &$value)

  • @Hugoborges I edited the answer to make it easier to understand.

  • Very good, thank you. Is it possible to do this using real_escape_string? I edited my question.

  • @Hugoborges it would be better to use prepared statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

  • @Hugoborges I edited the answer, see the examples with real_escape

  • Your way is giving this error: "Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in". I'm trying to use mysqli_real_escape_string($value)

  • @Hugoborges corrected, I edited the question


2

For this question I decided to write a small function, which only works if the JSON is only 1 level deep, but it solves the situation well.

Note: the variable is passed by reference, which means it will be changed, $json = saveJson($obj);

Note: the current filter is FILTER_SANITIZE_STRING; choose one that fits your needs

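function saveJson(&$json)
{
    // Outer loop: top-level groups; inner loop: the fields of each group.
    foreach ($json as $key => $object) {
        foreach ($object as $key1 => $o) {
            // FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; swap in the filter you need.
            $json->$key->$key1 = filter_var($o, FILTER_SANITIZE_STRING);
        }
    }

    // Returned as well, so that $json = saveJson($obj); receives the object.
    return $json;
}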
  • Very good, thanks. Is it possible to do this using real_escape_string? I edited my question.

  • @Hugoborges Try to use Prepared statements so you avoid using real_escape_string()
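
The comments under both answers point to prepared statements, and the answers show that filtering every field changes non-string types and only reaches one nesting level. The following is an added example, not code from the question or either answer: it binds the raw values for storage and encodes only string leaves, at any depth, when the data is about to be displayed. The function name sanitizeStrings, the operacao table and the in-memory SQLite connection through PDO are assumptions made so it runs without a MySQL server; with mysqli the same binding is done with prepare() and bind_param().

```php
<?php
// Constructed sample input: mixed types and one more nesting level than the question's JSON.
$json = <<<'JSON'
{
 "Autenticacao": {"login": 100000000000, "senha": "123"},
 "operacao": {"nome": "O'Neil <b>", "ativo": false,
              "contato": {"endereco": "rua sei la", "numero": "123"}}
}
JSON;

/**
 * Apply a filter to every string leaf of a decoded JSON array, at any depth.
 * Ints, floats, booleans and null are returned untouched, so they keep their type.
 * (Hypothetical helper, not part of PHP or of the answers above.)
 */
function sanitizeStrings($data, int $filter = FILTER_SANITIZE_SPECIAL_CHARS)
{
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = sanitizeStrings($value, $filter);
        }
        return $data;
    }
    return is_string($data) ? filter_var($data, $filter) : $data;
}

// Decode to arrays; malformed JSON throws instead of silently yielding null.
$raw = json_decode($json, true, 512, JSON_THROW_ON_ERROR);

// Storage: bind the raw values as parameters; no escaping function is involved.
// Assumption: SQLite in memory (pdo_sqlite) stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE operacao (nome TEXT, endereco TEXT)'); // hypothetical table
$stmt = $pdo->prepare('INSERT INTO operacao (nome, endereco) VALUES (?, ?)');
$stmt->execute([$raw['operacao']['nome'], $raw['operacao']['contato']['endereco']]);

// The stored value is exactly what the client sent, quote and angle brackets included.
$stored = $pdo->query('SELECT nome FROM operacao')->fetchColumn();
var_dump($stored === $raw['operacao']['nome']);

// Output: encode string leaves only when the data is about to be shown in HTML.
$safe = sanitizeStrings($raw);
var_dump($safe['Autenticacao']['login'], $safe['operacao']['ativo']); // types unchanged
echo $safe['operacao']['nome'], PHP_EOL;
echo $safe['operacao']['contato']['endereco'], PHP_EOL;
```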
