redarrow Posted February 4, 2009

I know the code below is wrong, but what is the correct way to post[''] variable from set function please.

    <?php
    function post_data($value){
        $value=$_POST['value'];
        return post_data($value);
    }

    $name="redarrow";
    $surname="redarrow";

    $name=post_data('name');
    $surname=post_data('surname');

    echo" my name is $name\n and my surname is $surname\n";
    ?>

redarrow Posted February 4, 2009 (Author)

Why doesn't this work please, it does not echo the value of the function.

    <?php
    function post_data($value){
        $value=$_POST['value'];
        return $value;
    }

    $name="redarrow";
    $surname="redarrow";

    $name=post_data($name);
    $surname=post_data($surname);

    echo" my name is $name\n and my surname is $surname\n";
    ?>

ngreenwood6 Posted February 4, 2009

try this:

    <?php
    function post_data($value){
        return $value;
    }

    $name="redarrow";
    $surname="redarrow";

    $name=post_data($name);
    $surname=post_data($surname);

    echo" my name is $name\n and my surname is $surname\n";
    ?>

sdi126 Posted February 4, 2009

You need to do it as the variable...putting it in quotes is trying to find a form element with the dollar sign in it.

    $value=$_POST[$value];

Your function should become:

    function post_data($value){
        return $_POST[$value];
    }

redarrow Posted February 4, 2009 (Author)

That's beautiful, but I want to return a post[''] value, how is that done then? Cheers.

I want to wrap a function around variables to protect the database, you get me, and thank you.

redarrow Posted February 4, 2009 (Author)

So is this valid code to protect the database with the name $name and $surname? So sorry, never touched functions before.

    <?php
    function post_data($value){
        mysql_real_escape_string($_POST['value']);
        return $value;
    }

    $name="redarrow";
    $surname="redarrow";

    $name=post_data($name);
    $surname=post_data($surname);

    // this is insert or select from a database.
    echo" my name is $name\n and my surname is $surname\n";
    ?>

ngreenwood6 Posted February 4, 2009

I think you are confused. I think you are looking for this:

    <?php
    function post_data($value){
        // keep the escaped result so the cleaned value is what gets returned
        $value = mysql_real_escape_string($value);
        return $value;
    }

    $name="redarrow";
    $surname="redarrow";

    $name=post_data($_POST['name']);
    $surname=post_data($_POST['surname']);

    echo" my name is $name\n and my surname is $surname\n";
    ?>

The post_data function takes the post values and uses them as $value in the function, then it cleans it using mysql_real_escape_string in the function and returns the cleaned value as $name. Understand?

sdi126 Posted February 4, 2009

This is the function I use to prevent sql injection:

    function cleanQuery($string)
    {
        if(get_magic_quotes_gpc()) // prevents duplicate backslashes
        {
            $string = stripslashes($string);
        }
        if (phpversion() >= '4.3.0')
        {
            $string = mysql_real_escape_string($string);
        }
        else
        {
            $string = mysql_escape_string($string);
        }
        return $string;
    }

redarrow Posted February 4, 2009 (Author)

But the whole idea is not to keep typing $_POST[''], that's why I added it to the function.

So how is it done if my code is wrong please?

redarrow Posted February 4, 2009 (Author)

Is this valid now, are all the variables posting?

    <?php
    function cleanQuery($_POST['string'])
    {
        if(get_magic_quotes_gpc()) // prevents duplicate backslashes
        {
            $string = stripslashes($string);
        }
        if (phpversion() >= '4.3.0')
        {
            $string = mysql_real_escape_string($string);
        }
        else
        {
            $string = mysql_escape_string($string);
        }
        return $string;
    }
    ?>

trq Posted February 4, 2009

Try....

    <?php
    function clean_post($string)
    {
        $string = $_POST[$string];
        if(get_magic_quotes_gpc()) // prevents duplicate backslashes
        {
            $string = stripslashes($string);
        }
        if (phpversion() >= '4.3.0')
        {
            $string = mysql_real_escape_string($string);
        }
        else
        {
            $string = mysql_escape_string($string);
        }
        return $string;
    }
    ?>

You really might want to take a look at how functions and arrays work.

ngreenwood6 Posted February 4, 2009

OK, the part that I think you are failing to comprehend is the function declaration:

    function cleanQuery($_POST['string'])

The variable used inside the () is just a holder variable, we will say. So that can be anything that you like, $dog, like this:

    function cleanQuery($dog)

Inside the {} you will always use $dog to refer to what you want to do with the variable, like this:

    {
        $dog = mysql_real_escape_string($dog);
        return $dog;
    }

Now your function is set up so that whatever you tell it to use as the variable $dog, it will do the mysql_real_escape_string on it and return the new value. Here is another example:

    function cleanQuery($dog)
    {
        $dog = mysql_real_escape_string($dog);
        return $dog;
    }

    $name = cleanQuery("hello");

Guess what the value of $name will be. It will be "hello". This line:

    cleanQuery("hello")

puts the value "hello" through the function and returns it with it ran through mysql_real_escape_string.

The last example that may help you understand a little better:

    function addNumber($value)
    {
        $sum = $value + 1;
        return $sum;
    }

    $number = 1;
    $total = addNumber($number);

Just so you know, $total would equal 2 in this case. Hopefully that will help you understand.

redarrow Posted February 4, 2009 (Author)

Thanks everybody.

I see from thorpe's code it's php 4 and 5 and 6, cheers.

All I need to know is how to post with the $_POST[''] syntax from a function, but thank you all, solved.

trq Posted February 4, 2009

> Thanks everybody.
> I see from thorpe's code it's php 4 and 5 and 6, cheers.
> All I need to know is how to post with the $_POST[''] syntax from a function, but thank you all, solved.

What?

redarrow Posted February 4, 2009 (Author)

thorpe, your code works as what I wanted, and I can see it's php 4 and php 5 and php 6 compliant, what I wanted, thank you.

Now I can use the function and don't have to keep writing the $_POST[''] out.

ngreenwood6 Posted February 4, 2009

He still doesn't get it, obviously he is not reading my posts. I give up...lost cause lol.

trq Posted February 4, 2009

It was sdi126's code, not mine. Do you actually read the replies?

redarrow Posted February 4, 2009 (Author)

I do read all the replies and understand them, and yes I do read and try every example, and I do get it and I am definitely not a lost cause.

redarrow Posted February 4, 2009 (Author)

I shortened the code.

    <?php
    function clean_post($string)
    {
        $string = $_POST[$string];
        if(get_magic_quotes_gpc()) // prevents duplicate backslashes
        {
            $string = stripslashes($string);
        }else
        {
            $string = mysql_escape_string($string);
        }
        return $string;
    }
    ?>

Why? Not needed.

    if (phpversion() >= '4.3.0')
    {
        $string = mysql_real_escape_string($string);
    }

ngreenwood6 Posted February 4, 2009

was there a question?

redarrow Posted February 4, 2009 (Author)

Yep lol.

The code I am going to use is this one. Now because I am using the $_POST[''] within the function, I don't need to type it out, do I?

So this is valid and safe:

    $name=clean_post($name);

Don't need to do $name=$_POST['name'] because the function covers it.

    <?php
    function clean_post($string)
    {
        $string = $_POST[$string];
        if(get_magic_quotes_gpc()) // prevents duplicate backslashes
        {
            $string = stripslashes($string);
        }else
        {
            $string = mysql_escape_string($string);
        }
        return $string;
    }
    ?>

trq Posted February 4, 2009

Looking at that code I've realised it has some major flaws. If magic quotes are enabled it strips the quotes making your data vulnerable. This is what should be happening....

    function clean_post($string) {
        $string = $_POST[$string];
        if(get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        return mysql_escape_string($string);
    }

redarrow Posted February 4, 2009 (Author)

Thank you thorpe, what I wanted, you're the best ever.

Little example of what I wanted to do: update the database with the word yes where the word currently is no, and via their id.

I am currently going to convert the sql to a function though.

    <?php session_start();

    function clean_post($string) {
        $string = $_POST[$string];
        if(get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        return mysql_escape_string($string);
    }

    if(isset($_POST['submit'])){
        $form=clean_post($form);
        foreach($form as $x){
            if($x=='yes'){
                $sql=" update user_account ";
                $sql.=" set option='$x' ";
                $sql.= " where option='no' ";
                $sql.=" and users_id=".$_SESSION['user_id']." ";
                $res=mysql_query($sql,$connection)or die("Database error for update\n".mysql_error());
            }
        }
    }
    ?>

trq Posted February 4, 2009

According to your code $form is an array. clean_post() expects a string.

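
An added example, not code from any poster in the thread: a helper that reads a POST field by name, rejects the array case raised in the last reply, and hands the value to the update as a bound parameter, so a value containing quotes is stored as plain text. The names `post_string` and `set_option`, the sample `$post` data and the in-memory SQLite database are assumptions made so it runs stand-alone; the thread itself uses the old mysql_* functions against MySQL.

```php
<?php
// Return a POST field as a string, or null when the key is absent or the value
// is not a string (a field sent as form[]=... arrives in PHP as an array).
function post_string(array $post, string $key): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    return $post[$key];
}

// Values travel as bound parameters, so no escaping function is involved.
// "option" is quoted as an identifier; MySQL would use backticks instead.
function set_option(PDO $db, int $userId, string $value): int
{
    $stmt = $db->prepare(
        'UPDATE user_account SET "option" = :new
          WHERE "option" = :old AND users_id = :id'
    );
    $stmt->execute([':new' => $value, ':old' => 'no', ':id' => $userId]);
    return $stmt->rowCount();
}

// Assumption: in-memory SQLite stands in for the thread's MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_account (users_id INTEGER, "option" TEXT)');
$db->exec("INSERT INTO user_account VALUES (1, 'no'), (2, 'no')");

// Constructed input: a plain field, an array field, and a value with quotes.
$post = [
    'choice' => 'yes',
    'form'   => ['yes', 'no'],
    'note'   => "yes' OR '1'='1",
];

foreach (['choice', 'form', 'missing', 'note'] as $key) {
    $value = post_string($post, $key);
    if ($value === null) {
        echo "$key: rejected before any SQL is built\n";
        continue;
    }
    $userId = ($key === 'choice') ? 1 : 2; // constructed ids for the two rows
    echo "$key: ", set_option($db, $userId, $value), " row(s) updated\n";
}
foreach ($db->query('SELECT users_id, "option" FROM user_account') as $row) {
    echo $row['users_id'], ' => ', $row['option'], "\n";
}
```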