ManicMax Posted August 10, 2009

Hello, I have written this function and want to use it within mysql_query's but am unsure whether this will work. I don't fully understand the rules concerning single quotes within single quotes.

```php
function clean($var,$name){
    if(!get_magic_quotes_gpc()) {
        $$name=mysql_real_escape_string($var);
    }else {
        $$name=$var;
    }

mysql_query(SELECT * FROM users WHERE email='clean('$_POST[email]','email')' AND pass='clean('$_POST[pass]','pass')')
```
MatthewJ Posted August 10, 2009

```php
<?php
function clean($var,$name){
    if(!get_magic_quotes_gpc()) {
        $$name=mysql_real_escape_string($var);
    }else {
        $$name=$var;
    }

mysql_query("SELECT * FROM users WHERE email='".clean('$_POST[email]','email')."' AND pass='".clean('$_POST[pass]','pass')."'");
?>
```
Mark Baker Posted August 10, 2009

Well the function is missing a closing }; and it doesn't return anything, so it's not much use at all.... and there's no logical reason why you should pass in $name.

```php
function clean($var) {
    if (!get_magic_quotes_gpc()) {
        return mysql_real_escape_string($var);
    } else {
        return $var;
    }
}
```

And you're not calling it correctly, but that's because you're not quoting your SQL query

```php
mysql_query("SELECT * FROM users WHERE email='".clean($_POST['email'])."' AND pass='".clean($_POST['pass'])."'");
```
ManicMax (Author) Posted August 10, 2009

Thanks for the quick replies. The reason to send $name in my function is so if the $var is $_POST you can name the output $email instead of $_POST every time.
Mark Baker Posted August 10, 2009

> The reason to send $name in my function is so if the $var is $_POST you can name the output $email instead of $_POST every time.

But you're not naming the output because (without a return) you're not creating any output from the function.... and when a function returns a value, it isn't "named" in any way, it's simply a value returned by that function.
ManicMax (Author) Posted August 10, 2009

Oh well, how can I name the output?
Mark Baker Posted August 10, 2009

> Oh well, how can I name the output?

You can't name the output. You can assign the output to a variable.

```php
function clean($var) {
    if (!get_magic_quotes_gpc()) {
        return mysql_real_escape_string($var);
    } else {
        return $var;
    }
}

$email = clean($_POST['email']);
$myVar = clean($_POST['username']);
```
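As an added example (not code from any poster in this thread): the same login lookup written with PDO bound parameters, which removes the need for clean() and the magic-quotes check, both of which rely on functions no longer present in current PHP (the mysql_* extension was removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0). The in-memory SQLite database, table layout, sample rows, the find_user() helper and the password_hash()/password_verify() storage scheme are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Table layout, sample rows and
// the find_user() helper are constructed for illustration.
// Assumes the pdo_sqlite extension so it runs without a database server.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pass_hash TEXT)');

$insert = $pdo->prepare('INSERT INTO users (email, pass_hash) VALUES (:email, :hash)');
$insert->execute([':email' => 'alice@example.com',
                  ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Look up a user by email and check the password.
 * The values travel as bound parameters, so quotes inside them are data and
 * never part of the SQL text; no clean()/magic-quotes branching is needed.
 */
function find_user(PDO $pdo, string $email, string $pass): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, pass_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null; // same result for unknown email and wrong password
    }
    unset($row['pass_hash']); // never hand the hash back to the caller
    return $row;
}

// Constructed inputs standing in for $_POST['email'] and $_POST['pass'].
$attempts = [
    ['alice@example.com', 'correct horse'],  // valid login
    ['alice@example.com', 'wrong'],          // wrong password
    ["o'brien@example.com", 'x'],            // apostrophe needs no escaping step
    ["a'b\"c@example.com", 'x'],             // mixed quotes stay a literal value
];

foreach ($attempts as [$email, $pass]) {
    $user = find_user($pdo, $email, $pass);
    printf("%-24s => %s\n", $email, $user ? 'user id ' . $user['id'] : 'no match');
}
```

With MySQL the same code applies after swapping the DSN; setting PDO::ATTR_EMULATE_PREPARES to false there makes the driver use server-side prepared statements.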
This topic is now archived and is closed to further replies.