I read on a web site I stumbled across that you should use a function like this:

function escape($values) {
    if (is_array($values)) {
        /* Recurse into arrays so every element gets escaped */
        $values = array_map('escape', $values);
    } else {
        /* Quote if not integer (a leading zero means "treat it as a string", e.g. "007") */
        if (!is_numeric($values) || $values[0] == '0') {
            $values = "'" . mysql_real_escape_string($values) . "'";
        }
    }
    return $values;
}

and then do this:

$username = escape($_POST['username']);
mysql_query("SELECT * FROM user WHERE username = $username");

My question is, why would anyone want to do all that extra code?  Why couldn't I avoid the function and do this:

$username = mysql_real_escape_string($_POST['username']);

That's one line of code instead of like 20!  Am I missing something?

https://forums.phpfreaks.com/topic/174035-why-use-a-function-here/

I think for security reasons he is preparing the username to use.  Removing special chars ..

Yes but that can be accomplished with 1 line and 0 functions:

$username = mysql_real_escape_string($_POST['username']);

For sure you can do it, if you want to write those lines many times.

The benefit of that function is that you can send any values to check (surname etc.).

It is also easy to edit. If there is a char that you don't want to remove, instead of removing that char from many files, you just update the function.

If you are only looking to escape a single variable, then yes, the function is pointless.  The point of the function is that it recursively goes through (multi-dim) arrays and escapes all of the elements.  So for instance, if you have a bunch of posted vars, you can do:

$vars = escape($_POST);

instead of this:

$var1 = mysql_real_escape_string($_POST['var1']);
$var2 = mysql_real_escape_string($_POST['var2']);
$var3 = mysql_real_escape_string($_POST['var3']);
//etc...

Unfortunately the function is a bit flawed.  It should be passing the values by reference, and also, it should not be wrapping quotes around the value.
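As an added example (not code from the thread or from the site the original poster found), here is a version of the recursive escaper that returns the escaped copy rather than modifying the array in place, and that leaves quoting to the SQL string instead of doing it inside the escaper. The escaping function is passed in as a parameter, so the same code can run offline against a stand-in and in production against a mysqli connection. The names escape_all and demo_escaper and the $post sample data are made up for this illustration.

```php
<?php
// Added example, not code from the thread: a recursive escaper that takes
// the escaping function as a parameter. escape_all(), demo_escaper() and
// the $post sample are hypothetical names/data for this illustration.

/**
 * Recursively escape every string leaf in $values with $escaper and return
 * the escaped copy. The input is not modified, so no by-reference parameter
 * is needed, and no quotes are added: quoting is done in the SQL string,
 * next to the column it feeds, so the reader of the query can see what is
 * quoted and what is not.
 */
function escape_all($values, callable $escaper)
{
    if (is_array($values)) {
        $out = [];
        foreach ($values as $key => $value) {
            // Array keys are form field names, not query data; they are kept
            // as-is and must never be interpolated into SQL themselves.
            $out[$key] = escape_all($value, $escaper);
        }
        return $out;
    }
    if (is_string($values)) {
        return $escaper($values);
    }
    // int, float, bool and null pass through unchanged. A numeric string such
    // as "007" is still a string, so it is escaped and quoted like any other.
    return $values;
}

/**
 * Offline stand-in for the demo only: escapes the same characters that
 * mysql_real_escape_string() does (NUL, \n, \r, \, ', " and Ctrl-Z), but it
 * knows nothing about the connection charset. In production pass the
 * connection-aware escaper instead, e.g. [$mysqli, 'real_escape_string'].
 */
function demo_escaper($s)
{
    // strtr() with an array matches the longest keys first and never rescans
    // its own output, so a backslash is not escaped twice.
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
}

// Constructed sample input standing in for $_POST.
$post = [
    'username' => "o'brien",
    'id'       => '007',
    'address'  => ['street' => "1 Main\nSt", 'zip' => '12345'],
];

$clean = escape_all($post, 'demo_escaper');

// Quote at the point of use, not inside the escaper.
$sql = "SELECT * FROM user WHERE username = '{$clean['username']}'"
     . " AND id = '{$clean['id']}'";
echo $sql, "\n";
```

Passing [$mysqli, 'real_escape_string'] keeps the escaping tied to the connection's charset, which is the same thing mysql_real_escape_string() relies on. With mysqli or PDO prepared statements the values never become part of the SQL text at all, so no escaping step is needed; a helper like this is only for code that still builds query strings by hand.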

Ok.  One other question.  Do I have to "call" the function at the beginning of every page (or put it in an include)?  Wouldn't that slow things down if every page you had to load in all your functions?

Yes, include the file that holds the function, and whenever you want to use it you can just write the function name.

And whenever you load the page, you're just including a function file; you are not running all the functions in your functions file. So there won't be any performance problem, I think.
