HDFilmMaker2112 Posted June 5, 2011

First time I'm looking into creating my own functions, so I'm making sure I'm getting this right. If I have the following:

<?php
function formSanitize($formValue){
    $formValue = stripslashes($formValue);
    $formValue = mysql_real_escape_string($formValue);
}
?>

Then if I just use this:

<?php
$product_name=formSanitize($_POST['product_name']);
?>

It should do the same thing as this:

$product_name=$_POST['product_name'];
$product_name = stripslashes($product_name);
$product_name = mysql_real_escape_string($product_name);
KevinM1 Posted June 5, 2011

Don't forget to return your result from your function. http://us2.php.net/manual/en/functions.returning-values.php
xyph Posted June 5, 2011

Your function needs to RETURN a value if you want to use it to define.

function formSanitize($formValue){
    $formValue = stripslashes($formValue);
    $formValue = mysql_real_escape_string($formValue);
    return $formValue;
}

Or, in one line:

function formSanitize($formValue){
    return mysql_real_escape_string( stripslashes($formValue) );
}
HDFilmMaker2112 (Author) Posted June 5, 2011

Alright, thanks. One more question... should the function go before or after it's used? I'm assuming before, but double checking.
xyph Posted June 5, 2011

Doesn't matter.
Pikachu2000 Posted June 5, 2011

You shouldn't apply stripslashes() without first checking to see if magic_quotes_gpc is enabled. It will strip slashes out that are actually supposed to be there if you use it in that manner.

function formSanitize($formValue){
    // Only strip the slashes PHP added automatically (magic_quotes_gpc), never ones the user typed.
    // function_exists() takes the function name as a string, not the result of calling it.
    if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) {
        $formValue = stripslashes($formValue);
    }
    $formValue = mysql_real_escape_string($formValue);
    return $formValue;
}
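An added illustration of the point above, written for this page rather than taken from the thread. Because get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0, the script models the setting with a plain boolean and reproduces what the setting did to request data (PHP ran addslashes() over $_POST) so both states can be compared on current PHP; the helper names and the sample inputs are the author's own.

```php
<?php
// Added example for this page, not code from the thread. magic_quotes_gpc is
// modelled with a boolean and simulated with addslashes(), because
// get_magic_quotes_gpc() no longer exists on PHP 8. Helper names are invented.

// Mirrors the check in the thread's formSanitize(): the function name goes to
// function_exists() as a string. On PHP 8 this is simply false.
function magicQuotesEnabled(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Undo only the slashes PHP added automatically; leave user-typed ones alone.
function undoMagicQuotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

echo 'This PHP build reports magic quotes ',
     (magicQuotesEnabled() ? 'on' : 'off'), "\n\n";

// Constructed inputs: what a user actually typed into the form field.
$typed = [
    "Is your name O'reilly?",   // the apostrophe case discussed in the thread
    'C:\\temp\\file.txt',       // backslashes the user genuinely wants kept
];

foreach ([false, true] as $magicQuotesOn) {
    echo 'Simulated magic_quotes_gpc ', ($magicQuotesOn ? 'on' : 'off'), ":\n";
    foreach ($typed as $original) {
        // What $_POST would have contained under each setting.
        $received = $magicQuotesOn ? addslashes($original) : $original;

        $conditional   = undoMagicQuotes($received, $magicQuotesOn);
        $unconditional = stripslashes($received);   // the thread's first version

        printf("  typed: %-24s conditional: %-24s unconditional: %s\n",
               $original, $conditional, $unconditional);
    }
}
```

The conditional version hands back exactly what was typed in both states. The unconditional version is only right when magic quotes happen to be on; with them off it turns `C:\temp\file.txt` into `C:tempfile.txt`, which is the silent data loss the post warns about.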
HDFilmMaker2112 (Author) Posted June 6, 2011

> You shouldn't apply stripslashes() without first checking to see if magic_quotes_gpc is enabled. It will strip slashes out that are actually supposed to be there if you use it in that manner.
>
> function formSanitize($formValue){
>     if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) {
>         $formValue = stripslashes($formValue);
>     }
>     $formValue = mysql_real_escape_string($formValue);
>     return $formValue;
> }

If I do that I get this:

Is your name O\'reilly?
abssagasdfasdf \' \ asdfjkla\\ asdala\?

From this:

<?php
function sanitize($formValue){
    if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) {
        $formValue = stripslashes($formValue);
    }
    //$formValue = mysql_real_escape_string($formValue);
    return $formValue;
}

$string="Is your name O\'reilly?";
$string=sanitize($string);
echo $string;

$string2="abssagasdfasdf \' \ asdfjkla\\\ asdala\?";
$string2=sanitize($string2);
echo "<br />";
echo $string2;
?>

It's only removing one slash.
xyph Posted June 6, 2011

You don't want it to remove slashes that were entered intentionally though. You want to remove slashes that were automatically added.
HDFilmMaker2112 (Author) Posted June 6, 2011

But once mysql_real_escape_string($formValue); is used, wouldn't that add another backslash to "O\'reilly" resulting in "O\\'reilly"?
xyph Posted June 6, 2011

When you grab the data out of the database, you will get "O\'reilly" which is what your original input is. What's the issue? PHP will only turn "O'reilly" into "O\'reilly" if get_magic_quotes_gpc() returns 1. Your script checks for this.
KevinM1 Posted June 6, 2011

The escape only lasts until the data is inserted into the db. It's removed after insertion, so, like xyph said, you won't see an extra slash when retrieving the data back from the db.
HDFilmMaker2112 (Author) Posted June 6, 2011

Alright, made a test table and test code:

<?php
// Assumes a mysql_connect()/mysql_select_db() call and $tbl_name are set earlier in the script.
function sanitize($formValue){
    if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) {
        $formValue = stripslashes($formValue);
    }
    $formValue = mysql_real_escape_string($formValue);
    return $formValue;
}

$string="Is your name O\'reilly?";
$string=sanitize($string);

$sql="INSERT INTO $tbl_name (test123) VALUES ('$string')";
mysql_query($sql) or die("Problem with the query: $sql<br />" . mysql_error());
echo "Inserted: $string <br /><br />";

$sql2="SELECT * FROM $tbl_name";
$result2=mysql_query($sql2);
while($row2=mysql_fetch_array($result2)){
    extract($row2);
    echo $test123;
}
?>

That echoes out:

Inserted: Is your name O\\\'reilly?
Is your name O\'reilly?

So how would I remove the \ from the data pulled from the database?
jcbones Posted June 6, 2011

You wouldn't put the escape into the string when typing it in, would you? So the string should be:

$string = "Is your name O'reilly?";
HDFilmMaker2112 (Author) Posted June 6, 2011

> You wouldn't put the escape into the string when typing it in, would you? So the string should be:
>
> $string = "Is your name O'reilly?";

The issue is, what I'm coding will eventually be out for other people to use; it's cart software. They might think they have to escape stuff when they type it in the admin panel.
jcbones Posted June 6, 2011

Well, how do you propose removing ones they *think* they need, vs. ones they *know* they want?
KevinM1 Posted June 6, 2011

> You wouldn't put the escape into the string when typing it in, would you? So the string should be:
>
> $string = "Is your name O'reilly?";
>
> The issue is, what I'm coding will eventually be out for other people to use; it's cart software. They might think they have to escape stuff when they type it in the admin panel.

Why would your users think that? There are really only two scenarios:

1. Your users don't know what escaping is.
2. Your users expect the software will do the escaping for them, which is what professional software should do.

The thought of an end user deciding to manually escape their own data is ridiculous.
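An added round-trip example, written for this page and not taken from the thread, showing what xyph, KevinM1 and jcbones describe: the escape exists only in the SQL text and never reaches the table, so the value that comes back is exactly what was typed. It uses PDO with an in-memory SQLite database (assumption: the pdo_sqlite extension is available) so it runs without a MySQL server; PDO::quote() stands in for mysql_real_escape_string(), which was removed with the rest of the mysql extension in PHP 7. SQLite escapes an apostrophe as two apostrophes where MySQL uses a backslash, but the principle is identical. The same script also shows the prepared-statement form, which sidesteps escaping entirely; the function names and sample inputs are invented.

```php
<?php
// Added example for this page, not code from the thread. Runs against an
// in-memory SQLite database through PDO (assumes the pdo_sqlite extension),
// so no MySQL server is needed. PDO::quote() plays the role of the thread's
// mysql_real_escape_string(): both escape a value for the SQL text only.

function openTestDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE test (test123 TEXT)');
    return $db;
}

// The thread's approach: escape the value, then splice it into the statement.
// Returns the SQL actually sent so the escaping can be inspected.
function insertEscaped(PDO $db, string $typed): string
{
    $sql = 'INSERT INTO test (test123) VALUES (' . $db->quote($typed) . ')';
    $db->exec($sql);
    return $sql;
}

// The current approach: a prepared statement. The value travels separately
// from the SQL text, so nothing needs escaping and nothing can be double-escaped.
function insertPrepared(PDO $db, string $typed): void
{
    $stmt = $db->prepare('INSERT INTO test (test123) VALUES (?)');
    $stmt->execute([$typed]);
}

function storedValues(PDO $db): array
{
    return $db->query('SELECT test123 FROM test ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = openTestDb();

// Constructed inputs: exactly what the user typed, with no hand-added escapes.
$apostrophe = "Is your name O'reilly?";
$backslash  = 'C:\\temp\\file.txt';    // a backslash the user really wants kept

echo 'SQL sent: ', insertEscaped($db, $apostrophe), "\n";
insertPrepared($db, $apostrophe);
insertPrepared($db, $backslash);

foreach (storedValues($db) as $row) {
    echo 'Stored: ', $row, "\n";
}
```

The "SQL sent" line shows the escaped form, while every stored row reads back as typed, including the deliberate backslash. Had the user typed `O\'reilly` with their own backslash, as in the earlier test, escaping would have preserved that backslash faithfully in the table, which is exactly the output that post reported and why jcbones says the escape does not belong in the input. The prepared-statement path gives the same stored values without the software or the user ever adding an escape.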