
Creating functions



First time I'm looking into creating my own functions, so I'm making sure I'm getting this right:

 

If I have the following:

<?php

function formSanitize($formValue){
$formValue = stripslashes($formValue);
$formValue = mysql_real_escape_string($formValue);
}

?>

 

Then if I just use this:

<?php
$product_name=formSanitize($_POST['product_name']);
?>

 

It should do the same thing as this:

 

$product_name=$_POST['product_name'];
$product_name = stripslashes($product_name);
$product_name = mysql_real_escape_string($product_name);


Your function needs to RETURN a value if you want to use it to define a variable.

 

function formSanitize($formValue){
    $formValue = stripslashes($formValue);
    $formValue = mysql_real_escape_string($formValue);
    return $formValue;
}

 

Or, in one line:

 

function formSanitize($formValue){
    return mysql_real_escape_string( stripslashes($formValue) );
}


You shouldn't apply stripslashes() without first checking to see if magic_quotes_gpc() is enabled. It will strip slashes out that are actually supposed to be there if you use it in that manner.

 

function formSanitize($formValue){
    // Pass the function NAME to function_exists(), not the result of calling it
    if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) {
        $formValue = stripslashes($formValue);
    }
    $formValue = mysql_real_escape_string($formValue);
    return $formValue;
}



 

If I do that I get this:

 

Is your name O\'reilly?

abssagasdfasdf \' \ asdfjkla\\ asdala\?

 

 

From this:

 

<?php
function sanitize($formValue){
    // The function NAME goes to function_exists(), not the call's return value
    if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) {
        $formValue = stripslashes($formValue);
    }
    //$formValue = mysql_real_escape_string($formValue);
    return $formValue;
}


$string="Is your name O\'reilly?";
$string=sanitize($string);

echo $string;

$string2="abssagasdfasdf \' \ asdfjkla\\\ asdala\?";
$string2=sanitize($string2);

echo "<br />";
echo $string2;

?>

 

It's only removing one slash.


When you grab the data out of the database, you will get "O\'reilly" which is what your original input is.

 

What's the issue? PHP will only turn "O'reilly" into "O\'reilly" if get_magic_quotes_gpc() returns 1. Your script checks for this.


Alright, made a test table and test code:

<?php
// Assumes mysql_connect()/mysql_select_db() have run and $tbl_name is set earlier
function sanitize($formValue){
    // The function NAME goes to function_exists(), not the call's return value
    if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ) {
        $formValue = stripslashes($formValue);
    }
    $formValue = mysql_real_escape_string($formValue);
    return $formValue;
}


$string="Is your name O\'reilly?";
$string=sanitize($string);


$sql="INSERT INTO $tbl_name (test123) VALUES ('$string')";
mysql_query($sql) or die("Problem with the query: $sql<br />" . mysql_error());
echo "Inserted: $string <br /><br />";


$sql2="SELECT * FROM $tbl_name";
$result2=mysql_query($sql2);
while($row2=mysql_fetch_array($result2)){
    extract($row2);
    echo $test123;
}

?>

 

That echoes out:

 

Inserted: Is your name O\\\'reilly?

 

Is your name O\'reilly?

 

So how would I remove the \ from the data pulled from database?


You wouldn't put the escape into the string when typing it in, would you?

 

So the string should be:

$string = "Is your name 0'reilly?";

 

The issue is, what I'm coding will eventually be out for other people to use; it's cart software. They might think they have to escape stuff when they type it in the admin panel.



 

Why would your users think that? There are really only two scenarios:

 

1. Your users don't know what escaping is.

 

2. Your users expect the software will do the escaping for them, which is what professional software should do.

 

The thought of an end user deciding to manually escape their own data is ridiculous.

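An added example, not code posted in this thread, tying together the "Inserted: O\\\'reilly" confusion and the last reply's point that the software, not the user, should do the escaping. It assumes PDO with the SQLite driver is available (an in-memory database stands in for the MySQL table, since the mysql_* extension used above was removed in PHP 7), and addslashes() stands in for mysql_real_escape_string() purely to show what the legacy code put on the wire.

```php
<?php
// Added example, not code from the thread. It shows that (1) the escaped form
// exists only inside the SQL text while the table stores the original value,
// and (2) with a prepared statement the driver does all escaping, so a user
// who types a backslash gets a backslash stored, exactly as typed.

// Undo magic_quotes_gpc only where that feature exists (removed in PHP 5.4);
// the function NAME is passed to function_exists(), not the result of a call.
function normalizeInput(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// What the legacy code put on the wire. addslashes() stands in for
// mysql_real_escape_string() (same handling of ' and \, but not charset
// aware, so it is for illustration only, not for real queries).
function legacySqlLiteral(string $value): string {
    return "'" . addslashes($value) . "'";
}

// Round-trip one value through a prepared statement; return what the table holds.
function storeAndFetch(PDO $db, string $value): string {
    $ins = $db->prepare("INSERT INTO test (test123) VALUES (:v)");
    $ins->execute([':v' => normalizeInput($value)]);
    $sel = $db->prepare("SELECT test123 FROM test WHERE rowid = :id");
    $sel->execute([':id' => (int) $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE test (test123 TEXT)");

// Constructed inputs: what a user should type, and the OP's hand-escaped test.
$inputs = [
    "Is your name O'reilly?",
    "Is your name O\\'reilly?",   // PHP string holding a literal backslash
];
foreach ($inputs as $input) {
    $stored = storeAndFetch($db, $input);
    echo "typed:   $input\n";
    echo "on wire: " . legacySqlLiteral($input) . "\n";   // the OP's "Inserted:" line
    echo "stored:  $stored" . ($stored === $input ? "  (unchanged)\n\n" : "  (CHANGED)\n\n");
}
```

For the second input the wire form prints as 'Is your name O\\\'reilly?', matching the thread's "Inserted:" output, while the stored value is the single-backslash string the user typed.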
