
[SOLVED] mysql_real_escape function leaves me with nothing


Bisa


Been trying to secure my form input to prevent SQL injections using this function; however, I am unable to get anything returned from it, and I do not know why  :-[

 

function secureFormInput($formdata) //Prevents sql insertion
{
//Removes blank spaces at the beginning and at the end of the string
$formdata = trim($formdata);

//If get_magic_quotes_gpc is set, removes the slashes to prepare for mysql_real_escape_string
if(get_magic_quotes_gpc())
	$formdata = stripslashes(formdata);

//Escapes the string and returns the now secured data
return mysql_real_escape_string($formdata, $db_connect);
}

 

Any pointers from more experienced people out there are appreciated  :-\

$db_connect won't be available to your secureFormInput() function by default.

 

Functions do not inherit variables set outside of them. In order for your function to use the $db_connect variable you'll need to add the following at the top of your function:

global $db_connect;

 

e.g.

function secureFormInput($formdata) //Prevents sql insertion
{
    global $db_connect;


or create a database handling class!

 

<?php

class db {

	private $link;

	public function __construct( $h, $u, $p, $db ) {
		if( ($this->link = mysql_connect($h, $u, $p)) === FALSE )
			throw new Exception( 'Unable to connect to database!' );
		if( mysql_select_db($db, $this->link) === FALSE )
			throw new Exception( 'Unable to select database!' );
	}

	public function query( $q ) {
		// Pass the stored link explicitly so the query never silently runs
		// on whichever connection happened to be opened last
		if( ($r = mysql_query($q, $this->link)) === FALSE )
			throw new Exception( 'Query failed!<br />'.mysql_error($this->link) );
		else
			return $r;
	}

	public function clean ( $data ) {
		//Removes blank spaces at the beginning and at the end of the string
		$data = trim($data);

		//If get_magic_quotes_gpc is set, removes the slashes to prepare for mysql_real_escape_string
		if(get_magic_quotes_gpc())
			$data = stripslashes($data);

		//Escapes the string and returns the now secured data
		return mysql_real_escape_string($data, $this->link);
	}

}

try {

	$db = new db( 'localhost', 'root', '', 'database' );

	$val = "zomg ' test ' with ' escapes";

	echo $val."\n";

	$val = $db->clean( $val );

	echo $val."\n";

} catch ( Exception $e ) {
	echo $e->getMessage();
}

?>

Thanks for the quick replies; I just had some food and my topic is swarmed  :D

 

My PHP programming skills are not mature enough to start using classes; one step at a time, but cheers for suggesting it.

 

Nice catch with the (formdata), thanks.

 

Then about global: I'm fairly new to PHP, but I found out early on that using globals is not a secure way of handling variables, and it also might differ from programmer to programmer, making code hard to port to others. However, I guess using globals without user input and only in the script itself is of no harm?


I think you're confusing the global keyword with register_globals. They are not the same.

 

Defining variables as global in a function is not insecure. register_globals on the other hand is, which is why it is not recommended.

I'd avoid using the global keyword. Instead, I'd use the $GLOBALS superglobal to make a copy of the database link identifier to use in the function.

 

<?php

function clean ( $data ) {

	// No connection available: the data is handed back unescaped, so the
	// caller must not put it into a query in that case
	if( !isset($GLOBALS['link']) )
		return $data;

	// Create a copy of the global resource, this way the function can
	// never accidentally overwrite the variable
	$link = $GLOBALS['link'];

	//Removes blank spaces at the beginning and at the end of the string
	$data = trim($data);

	//If get_magic_quotes_gpc is set, removes the slashes to prepare for mysql_real_escape_string
	if(get_magic_quotes_gpc())
		$data = stripslashes($data);

	//Escapes the string and returns the now secured data
	return mysql_real_escape_string($data, $link);
}

$link = mysql_connect( 'localhost', 'root', '' );

$val = "zomg ' test ' with ' escapes";

echo $val."\n";

$val = clean( $val );

echo $val."\n";

?>

Defining variables as global in a function is not insecure. register_globals on the other hand is, which is why it is not recommended.

 

Neither is using the 'global' keyword. By giving functions the ability to change variables on the global scope you are creating a debugging nightmare. If a function accidentally overwrites $db_connect, it'll break your whole script... and you'll have to check every function that uses $db_connect globally in order to debug the problem.
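To make the scope problem from the first post concrete, and to show the third option the last replies circle around (hand the connection to the function as a parameter instead of reaching for global or $GLOBALS), here is an added example that is not code from any poster in this thread. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; PDO::quote() stands in for mysql_real_escape_string() (it escapes for the driver of the connection it is called on and adds the surrounding quotes), and the prepared statement at the end shows the approach that needs no escaping at all. The function names, the users table and the sample values are my own.

```php
<?php
// Added example (not from the thread). Needs the pdo_sqlite extension,
// which ships with most PHP builds.

// 1. The scope problem the original poster hit: a variable set at file
//    scope is simply not visible inside a function.
$db_connect = 'a value set at file scope';

function scopeProblem(): string
{
    // No 'global' here, so $db_connect is undefined inside this function.
    return isset($db_connect) ? 'visible' : 'not visible';
}

// 2. The fix that needs neither 'global' nor $GLOBALS: pass the connection
//    in. The dependency is explicit, the function cannot overwrite the
//    caller's variable, and it works with any PDO connection you give it.
function secureFormInput(PDO $db, string $formdata): string
{
    // Removes blank spaces at the beginning and at the end of the string
    $formdata = trim($formdata);

    // PDO::quote() escapes for the driver of *this* connection and wraps the
    // result in single quotes, so the caller must not add quotes again.
    return $db->quote($formdata);
}

// 3. Prepared statement: the value never becomes part of the SQL text, so
//    there is nothing to escape and the query's structure cannot change.
function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database, so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('o''brien')");

echo scopeProblem(), "\n";                      // not visible

$val = "  zomg ' test ' with ' escapes  ";
echo secureFormInput($db, $val), "\n";          // 'zomg '' test '' with '' escapes'

// The quoted value drops straight into the statement text...
$sql = 'SELECT count(*) AS n FROM users WHERE name = ' . secureFormInput($db, "o'brien");
$row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
echo $row['n'], "\n";                           // 1

// ...while the placeholder version treats the textbook injection string as
// nothing more than a name nobody has.
$textbook = "' OR '1'='1";
echo count(findUser($db, $textbook)), "\n";     // 0
```

The same shape carries over to MySQL unchanged: construct the PDO with a mysql: DSN instead of sqlite::memory:, and secureFormInput() and findUser() keep working because they take the connection they need as an argument rather than looking for it in the global scope.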
