
[SOLVED] mysql_real_escape_string help/error


Clinton


I am trying to make it so I don't get those damned SQL Insert Attacks.

 

I tried using the code below but I kept getting fatal errors. Something about it not being able to recall get_post for a second time.

 

I tried using this at first:

 


$username = $_POST['username']; 

function get_POST($username)
{
$sret = NULL;
if (isset($_POST[$username]))
{
	$sret = $_POST[$username];
	$sret = mysql_real_escape_string($sret);
}
return $sret;
}

 

But when I got the error I took out the $username = $_POST['username'];  and it still gave me the same error.

 

Any help would be appreciated. Thank you.


Ok, here is the error:

 

Fatal error: Cannot redeclare get_post() (previously declared in checkuser.php:11) in checkuser.php on line 34

 

Here's the code:

 

$username = $_POST['username'];

function get_POST($username)
{
$sret = NULL;
if (isset($_POST[$username]))
{
$sret = $_POST[$username];
$sret = mysql_real_escape_string($sret);
}
return $sret;
}


$password = $_POST['password'];

function get_POST($password)
{
$sret = NULL;
if (isset($_POST[$password]))
{
$sret = $_POST[$password];
$sret = mysql_real_escape_string($sret);
}
return $sret;
}


Hey NW,

 

    I did what you said but am still getting that same error:

 


$username = mysql_real_escape_string($_POST['username']);


function get_POST($username)
{
$sret = NULL;
if (isset($_POST[$username]))
{
$sret = $_POST[$username];
$sret = mysql_real_escape_string($sret);
}
return $sret;
}


$password = mysql_real_escape_string($_POST['password']);


function get_POST($password)
{
$sret = NULL;
if (isset($_POST[$password]))
{
$sret = $_POST[$password];
$sret = mysql_real_escape_string($sret);
}
return $sret;
}


Do I ever get the feeling I'm being yelled at? Yes, yes I do.

 

I did it exactly as he said and am still getting that error:

 


$username = mysql_real_escape_string($_POST['username']);

function get_POST($username)
{
$sret = NULL;
if (isset($_POST[$username]))
{
$username = $username;
}
return $sret;
}

$password = mysql_real_escape_string($_POST['password']);


function get_POST($password)
{
$sret = NULL;
if (isset($_POST[$password]))
{
$password = $password;
}
return $sret;
}


You are duplicating the code for the function, which you don't need at all:

<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
?>

 

If you want to use a function, do something like:

<?php
function sanitize($p) {
   return(mysql_real_escape_string($p));
}

$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);

?>

 

Ken


EDIT: Ken beat me

You only need to declare the get_POST function once. You do not need to keep redeclaring the function every time you go to use it.

 

use:

<?php

function get_POST($field_name)
{
    $field_value = NULL;

    if (isset($_POST[$field_name]))
    {
        $field_value = mysql_real_escape_string($_POST[$field_name]);
    }

    return $field_value;
}

$username = get_POST('username');
$password = get_POST('password');

if(!empty($username) && !empty($password))
{
    // do whatever with the username and password
}
else
{
    echo 'Username or Password not set!';
}

?>

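The mysql_* extension used throughout this thread was removed in PHP 7.0, so the get_POST() helper above no longer runs on current PHP. As an added example (not code from any poster in this thread), here is the same username/password check written with PDO prepared statements. The `users` table, `get_field()`, `check_user()` and the sample data are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: hypothetical users table in an in-memory SQLite database.
// Against MySQL only the PDO DSN and credentials would differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account; the name contains a quote on purpose.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(["O'Brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Declared once, like get_POST() in the thread: returns the raw field or NULL.
// No escaping happens here because the value never becomes part of the SQL text.
function get_field(array $source, $field_name)
{
    return (isset($source[$field_name]) && is_string($source[$field_name]))
        ? $source[$field_name]
        : null;
}

// Hypothetical helper: true only if the user exists and the password matches.
function check_user(PDO $pdo, $username, $password)
{
    if ($username === null || $password === null) {
        return false;
    }
    // The placeholder keeps the SQL text fixed; the username is bound as a
    // value, so quotes inside it cannot change the statement.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    return $hash !== false && password_verify($password, $hash);
}

// Constructed stand-ins for $_POST so the script runs from the command line.
$requests = [
    ['username' => "O'Brien", 'password' => 'correct horse'],    // valid login
    ['username' => "O'Brien", 'password' => 'wrong'],            // bad password
    ['username' => "d'Artagnan", 'password' => 'x'],             // unknown user, quote stays data
    ['username' => ['array'], 'password' => 'x'],                // non-string field
];
foreach ($requests as $post) {
    var_dump(check_user($pdo, get_field($post, 'username'), get_field($post, 'password')));
}
```

In a web request, `$_POST` would be passed to `get_field()` in place of the constructed arrays.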

I really appreciate the help. Let me just ask one more question, why would I want to use a function vs. not using a function?

 

A user-defined function consisting of only one function call (like calling mysql_real_escape_string() once) doesn't make much sense (you would just use the built-in function itself). But if your function contains a lot of manipulation of the input data (parameter(s)), and you need to run it more than once, the function will save you from repeating a lot of code, like revraz said.

