ltrim and mysql_real_escape_string problem

[Walker33]

I've been using mysql_real_escape_string to allow for Irish names for a login, and I just added ltrim and rtrim to the code to eliminate accidental spaces at the beginning and end.  Everything worked except the $memlname variable.  When I pulled the mysql_real_escape_string snippet from the code, the ltrim and rtrim worked for $memlname variable.  Not sure what I'm doing wrong.  Any help would be greatly appreciated.

 

<?php

//this allows for accidental extra spaces at beginning and end of name

$memfname = ltrim($memfname);

$memlname = ltrim($memlname);

$mememail = ltrim($mememail);

$mempass = ltrim($mempass);

 

$memfname = rtrim($memfname);

$memlname = rtrim($memlname);

$mememail = rtrim($mememail);

$mempass = rtrim($mempass);

 

//this allows for Irish names like O'Sullivan, O'Donnell, etc.

$memlname = mysql_real_escape_string($_POST['memlname']);

?>

 

[Ken2k7]

Instead of using ltrim and rtrim, why not just use trim? In your mysql_real_escape_string function, shouldn't you be using $memlname instead?

 

I think you misunderstand what mysql_real_escape_string does. It makes it so your values are "SQL-safe". Otherwise, quotes can break up your input query string and cause an error.

[Walker33]

thanks.  Came across ltrim and rtrim befor trim.  You're right, cleaner with trim.

 

I was using mysql_real_escape_string to stop a single quote ' from breaking up the input query and causing the error, as in O'Malley, O'Sullivan, etc.  To this point, it seems to have worked.  Am I misunderstanding something?

 

I took your advice and changed ($_POST['memlname'] to simply ($memlname) and now all is working as it should.  If you care to explain why this is, I'm always eager to learn.  Thanks for the help!

 

New code:

 

//this allows for accidental extra spaces at beginning and end of name
$memfname = trim($memfname);
$memlname = trim($memlname);
$mememail = trim($mememail);
$mempass = trim($mempass);

//this allows for Irish names like O'Sullivan, O'Donnell, etc.
$memlname = mysql_real_escape_string($memlname);

[Ken2k7]

Explain why what is?

[Walker33]

Explain why ($_POST['memlname']) didn't work, but ($memlname) does work?  When I used the same trim code, but

 

$memlname = mysql_real_escape_string($_POST['memlname']);

 

the $memlname variable would not allow whitespace.  When I took your suggestion and used:

 

$memlname = mysql_real_escape_string($memlname);

 

instead, then $memlname variable would allow the whitespace at beginning and end.  Why is that?  Thanks.

[Ken2k7]

You trimmed the value of $_POST['memlname'] and store that value into the variable $memlname. However, the value of $_POST['memlname'] doesn't change. So the obvious choice is to use the trimmed value rather than the original one. If you had used $_POST['memlname'] instead of $memlname, there's no point in trimming it. Those lines of code would have no purpose. It's like this:

 

$a = 5;
$b = 4;

$c = 4 + 5;
echo $c;

 

I assigned the variables $a and $b to be 5 and 4 respectively. Then when I initialized $c, I chose to inline the numbers 4 and 5 rather than using the variables. So in that code, the first 2 lines are useless. Same with your situation.

 

Does that help?

[Walker33]

Yes, that helps quite a bit.  Thanks for taking the time to explain it to me.  Appreciate it.