slyte33 Posted November 7, 2009

So I've asked some people how I would make a forum search for all values based on what a user enters into a textbox, drawing data from a MySQL database, but they tell me something about trim()? I've used an example code and I have this (let's say I'm using this for... finding a player's username in a database on a game):

$trimmed = trim($_POST['username']);
$query = $db->execute("select username, id from `players` where `username` like '%$trimmed%'");
foreach ($query as $member) {
    echo $member['username'];
}

Yes, it will work, but what exactly does the '%$trimmed%' and 'trim($_POST['username']);' do?

https://forums.phpfreaks.com/topic/180632-what-does-trim-do-and-what-is-variable/
genericnumber1 Posted November 7, 2009

trim (with 1 parameter) strips all white space from the edges of the first parameter. The % in %string% is just a wildcard for the LIKE sql keyword. Google "SQL LIKE" for more information.

PS. The code you posted is vulnerable to SQL injection.
rajivgonsalves Posted November 7, 2009

Well, as the name goes, it trims off white space or any specified character from both sides, that is, the right and left side. More info at http://php.net/manual/en/function.trim.php

For the %%, that is in MySQL: it searches for any records that contain the specified value anywhere in the string. For instance, if your posted username was " test ":

1) it would become "test" after trimming
2) then username like "%test%" would match any usernames which are, for instance:
   a) test
   b) test_test
   c) left_test
   d) tothetesttoday
   and so on

Hope my explanation was understandable.
slyte33 Posted November 7, 2009 (Author)

> trim (with 1 parameter) strips all white space from the edges of the first parameter. The % in %string% is just a wildcard for the LIKE sql keyword. Google "SQL LIKE" for more information. PS. The code you posted is vulnerable to SQL injection.

Thank you. How do you stop the injection? mysql_escape?
genericnumber1 Posted November 7, 2009

mysql_real_escape_string is the method I always suggest (if you use the mysql_* family of functions). There's a lot of good information posted around about avoiding SQL injection.
slyte33 Posted November 7, 2009 (Author)

Hmm, I'm using ADODB, if you've ever heard of it, and I *think* it stops all of the SQL injections and stops forms from directing to your site (thus changing hidden fields easily). But I'm not too sure.
genericnumber1 Posted November 7, 2009

Unless you use prepared statements (you don't above) you're not protected no matter what database you use.
slyte33 Posted November 7, 2009 (Author)

The only thing is, I use something like this on everything:

$query = $db->execute("update players set gold=? where id=?", array($player['gold'] + $gold, $player['id']));

So I don't think injection could work, or else it'll say input Array does not match, am I right?
genericnumber1 Posted November 7, 2009

Well, depending on what $db->execute does, it could be prepared statements or just a normal string replacement. To me it looks like those are probably prepared statements, but I'm not familiar with the class you're using to interface with your database.
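The three points raised in this thread side by side, as an added example that is not code from the original posts or from ADODB: the first post's trim-then-interpolate query, the same search with a bound placeholder (PDO is used here; whether ADODB's execute() really prepares the statement or just splices quoted strings for a given driver is what the last reply leaves open), and the caveat that binding stops injection but does not stop % and _ in the user's input from acting as LIKE wildcards. It runs against an in-memory SQLite table constructed for the demo and assumes PHP with the pdo_sqlite extension loaded.

```php
<?php
// Added example, not from the thread or from ADODB. Assumes PHP with pdo_sqlite.
// The players table and its rows are constructed here for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO players (username) VALUES
           ('test'), ('test_test'), ('left_test'), ('tothetesttoday'), ('admin'), ('100%done')");

// 1) The original post's approach: trim() removes surrounding whitespace only,
//    then the value is pasted straight into the SQL text. A quote character in
//    $input ends the string literal and whatever follows is parsed as SQL.
function searchInterpolated(PDO $db, string $input): array
{
    $trimmed = trim($input);
    $sql = "SELECT username, id FROM players WHERE username LIKE '%$trimmed%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2) A bound placeholder: the SQL text is fixed and the value travels separately,
//    so a quote in $input is just a character to match. The wildcards are added
//    to the value, not to the SQL, because '%?%' would be a literal string.
function searchBound(PDO $db, string $input): array
{
    $stmt = $db->prepare('SELECT username, id FROM players WHERE username LIKE ?');
    $stmt->execute(['%' . trim($input) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3) Binding stops injection but not wildcard abuse: a user who types % or _
//    still gets LIKE's pattern semantics. Escape them (and the escape character
//    itself, first) and tell the database which escape character was used.
function escapeLike(string $s, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function searchBoundLiteral(PDO $db, string $input): array
{
    $stmt = $db->prepare("SELECT username, id FROM players WHERE username LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . escapeLike(trim($input)) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Ordinary input behaves the same in all three versions.
$benign = '  test  ';
// Hostile input: closes the quoted pattern and appends a clause that holds for every row.
$hostile = "x' OR '1' LIKE '";
// Wildcard input: not an injection, but a lone % is a pattern that matches every username.
$wildcard = '%';

foreach (['benign' => $benign, 'hostile' => $hostile, 'wildcard' => $wildcard] as $label => $input) {
    echo "== $label ==\n";
    echo 'interpolated: ', implode(', ', searchInterpolated($db, $input)), "\n";
    echo 'bound:        ', implode(', ', searchBound($db, $input)), "\n";
    echo 'bound+escape: ', implode(', ', searchBoundLiteral($db, $input)), "\n";
}
```

Run it with `php search.php` and compare the three rows per input. In ADODB terms, the second version is what `$db->execute("... like ?", array('%' . $trimmed . '%'))` is meant to do, but only if the driver actually prepares the statement rather than substituting quoted strings into the SQL; that is a property of the driver to verify, not something to assume from the `?` syntax. The same backslash escaping and ESCAPE clause work on MySQL.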
This topic is now archived and is closed to further replies.