posting data with a function()


redarrow


I know the code below is wrong, but what is the correct way to post a [''] variable from a set function, please?

 

<?php

function post_data($value){


$value=$_POST['value'];

return post_data($value);
}


$name="redarrow";
$surname="redarrow";

$name=post_data('name');
$surname=post_data('surname');


echo" my name is $name\n and my surname is $surname\n";
?>


 

Why doesn't this work, please? It does not echo the value of the function.

<?php

function post_data($value){

$value=$_POST['value'];

return $value;

}


$name="redarrow";
$surname="redarrow";

$name=post_data($name);

$surname=post_data($surname);


echo" my name is $name\n and my surname is $surname\n";

?>


So is this valid code to protect the database with the names $name and $surname? So sorry, never touched functions before.

 

<?php

function post_data($value){
   
mysql_real_escape_string($_POST['value']);

return $value;

}


$name="redarrow";
$surname="redarrow";

$name=post_data($name);

$surname=post_data($surname);

// this is insert or select from a database.
echo" my name is $name\n and my surname is $surname\n";

?>


I think you are confused. I think you are looking for this:

 

<?php

function post_data($value){
   
// keep the escaped string: mysql_real_escape_string returns the result, it does not modify $value in place
$value = mysql_real_escape_string($value);

return $value;

}


$name="redarrow";
$surname="redarrow";

$name=post_data($_POST['name']);

$surname=post_data($_POST['surname']);


echo" my name is $name\n and my surname is $surname\n";

?>

 

The post_data function takes the post values and uses them as $value in the function, then it cleans it using mysql_real_escape_string in the function and returns the cleaned value as $name. Understand?


This is the function I use to prevent sql injection:

 

function cleanQuery($string)
{
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
    $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
    $string = mysql_real_escape_string($string);
  }
  else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
}


Is this valid now? Are all the variables posting?

<?php 

function cleanQuery($_POST['string'])
{
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
    $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
    $string = mysql_real_escape_string($string);
  }
  else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
}
?>


Try....

 

<?php 

function clean_post($string)
{
  $string = $_POST[$string];
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
    $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
    $string = mysql_real_escape_string($string);
  }
  else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
}
?>

 

You really might want to take a look at how functions and arrays work.


OK, the part that I think you are failing to comprehend is the function declaration:

 

function cleanQuery($_POST['string'])

 

The variable used inside the () is just a holder variable, we will say, so that can be anything that you like, $dog, like this:

 

function cleanQuery($dog)

 

Inside the {} you will always use $dog to refer to what you want to do with the variable like this:

 

{
// assign the return value; the function does not change $dog by itself
$dog = mysql_real_escape_string($dog);
return $dog;
}

 

Now your function is set up so that whatever you tell it to use as the variable $dog, it will do the mysql_real_escape_string on it and return the new value. Here is another example:

 

function cleanQuery($dog)
{
// assign the return value; the function does not change $dog by itself
$dog = mysql_real_escape_string($dog);
return $dog;
}

$name = cleanQuery("hello");

 

guess what the value of $name will be. It will be "hello". This line:

 

cleanQuery("hello")

 

puts the value "hello" through the function and returns it after it has been run through mysql_real_escape_string.

 

The last example that may help you understand a little better:

 

function addNumber($value)
{
$sum = $value + 1;

return $sum;
}

$number = 1;

$total = addNumber($number);

 

Just so you know $total would equal 2 in this case. Hopefully that will help you understand.


 

I shortened the code:

<?php

function clean_post($string)
{
  $string = $_POST[$string];
  
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
    $string = stripslashes($string);
    
  }else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
}
?>

 

Why?

 

Not needed:

  if (phpversion() >= '4.3.0')
  {
    $string = mysql_real_escape_string($string);
  }


Yep, lol.

 

The code I am going to use is this one. Now, because I am using the $_POST[''] within the function,

I don't need to type it out, do I?

 

So this is valid and safe:

 

$name=clean_post($name); I don't need to do $name=$_POST['name'] because the function covers it.

<?php

function clean_post($string)
{
  $string = $_POST[$string];
  
  if(get_magic_quotes_gpc())  // prevents duplicate backslashes
  {
    $string = stripslashes($string);
    
  }else
  {
    $string = mysql_escape_string($string);
  }
  return $string;
}
?>


Looking at that code I've realised it has some major flaws. If magic quotes are enabled, it strips the quotes, making your data vulnerable.

 

This is what should be happening....

 

function clean_post($string) {
  $string = $_POST[$string];

  if(get_magic_quotes_gpc()) {
    $string = stripslashes($string);
  }
  return mysql_escape_string($string);
}


Thank you thorpe, that's what I wanted, you're the best ever.

 

Little example of what I wanted to do.

 

Update the database with the word yes where the word currently is no and via there id.

 

I am currently going to convert the SQL to a function, though.

 

<?php session_start();

function clean_post($string) {
$string = $_POST[$string];

if(get_magic_quotes_gpc()) {
	$string = stripslashes($string);
}
return mysql_escape_string($string);
}

if(isset($_POST['submit'])){

$form=clean_post($form);

foreach($form as $x){

	if($x=='yes'){

		$sql=" update user_account ";
		$sql.=" set option='$x' ";
		$sql.= " where option='no' ";
		$sql.=" and users_id=".$_SESSION['user_id']." ";
		$res=mysql_query($sql,$connection)or die("Database error for update\n".mysql_error());
	}
}
}
?>
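The same UPDATE as an added example, not code from the thread or from any poster: the mysql_* functions used above were removed in PHP 7, so this version uses a mysqli prepared statement, which does the job thorpe's clean_post() and the escaping were meant to do. It assumes $connection is an open mysqli handle, that the table user_account with columns `option` and users_id exists as in the post above, and that the form field is called option (a hypothetical name; the thread never names it).

```php
<?php
// Added example (not from the thread): the final post's UPDATE rewritten with
// mysqli prepared statements, which replace the mysql_* functions removed in PHP 7.
// Assumes $connection is an open mysqli handle and that the table user_account
// from the thread exists with the columns `option` and users_id.
session_start();

// Read one value from $_POST by name and accept only values from an allowlist.
// Returns null when the field is missing or not allowed, so the caller can refuse it
// instead of escaping an arbitrary string and hoping for the best.
function post_choice(string $name, array $allowed): ?string {
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    $value = $_POST[$name];
    return in_array($value, $allowed, true) ? $value : null;
}

// Flip every 'no' to 'yes' for the logged-in user. The user id is bound as a
// parameter, so the query text never changes with user input and no escaping
// is needed. `option` is a reserved word in MySQL, hence the backticks.
function set_option_yes(mysqli $db, int $userId): int {
    $stmt = $db->prepare(
        "UPDATE user_account SET `option` = 'yes' WHERE `option` = 'no' AND users_id = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $userId);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (isset($_POST['submit']) && isset($_SESSION['user_id'])) {
    // 'option' is a hypothetical form field name; the thread never names the field.
    $choice = post_choice('option', ['yes', 'no']);
    if ($choice === 'yes') {
        $rows = set_option_yes($connection, (int) $_SESSION['user_id']);
        echo "updated $rows row(s)\n";
    }
}
```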
