Sasori7 Posted February 3, 2020

I have a function that gets a quick single item from a query:

    function gimme($sql) {
        global $mysqli;
        global $mytable;
        global $sid;
        $query = "SELECT ".$sql." FROM ".$mytable." WHERE sid = ".$sid;
        $result = $mysqli->query($query);
        $value = $result->fetch_array(MYSQLI_NUM);
        $result->close();
        $$sql = is_array($value) ? $value[0] : "";
        return $$sql; // this is what I've tried so far
    }

It works great as:

    echo(gimme("name"));

Then I realized that I could use that as a variable ('$name' in this case) elsewhere. However, I can't figure out how to get that new, variable variable 'outside' of the function. As such, echo($name); isn't working outside the function.

Is there a way to return a variable variable? In other words, is there a way to make a function that creates a variable variable that will be available outside of the function?

Thanks
kicken Posted February 3, 2020

Forget variable-variables even exist, you pretty much never want to use them. While you're at it, forget that global exists, you shouldn't be using that either, convert those values to extra parameters. Your function should accept the data it needs as parameters, then return a result.

Your query should also use prepared statements where possible. Your sid value can be bound as a parameter to protect against injection. Your column and table names cannot be bound so you need to ensure you're safe there via other means. If all those values are hard-coded by you and not accepted as user input then that's fine. If they come from user input you need to make changes such as using a whitelist.

    function gimme($connection, $table, $column, $sid){
        $sql = 'SELECT '.$column.' FROM '.$table.' WHERE sid=?';
        $stmt = $connection->prepare($sql);
        $stmt->bind_param('s', $sid);
        $stmt->execute();
        $stmt->bind_result($result);
        if ($stmt->fetch()){
            return $result;
        }
        return null;
    }

Now with that function, you just call it with the relevant parameters and assign the result to whatever variable you want.

    $name = gimme($mysqli, 'users', 'name', $sid);
    echo $name;
Psycho Posted February 3, 2020

@kicken's answer is "correct", but I would highly advise against using such a general function. While that function is correctly using a prepared statement and protecting the $sid value, you cannot use prepared variables for table/column names. This leaves open the possibility for that function to open a potential exploit depending on how it is called. A function/method should be secure on its own without having to worry about how it is called. While prevailing logic is to write code once (i.e. don't build duplicate functionality), when dealing with data it is typical to have explicit setter/getter functions/methods for scenarios such as this.
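Combining the two answers above, here is an added example (not code posted by anyone in the thread) that keeps the bound sid parameter and also makes the function safe on its own: table and column names are checked against a fixed allowlist before they are interpolated, and a thin explicit getter hides the identifiers from callers entirely. It assumes a mysqli connection named $mysqli and a hypothetical "users" table with "name" and "email" columns.

```php
<?php
// Added example; assumes a mysqli connection $mysqli and a table "users"
// with columns "name" and "email" (hypothetical schema).

// Identifiers cannot be bound as prepared-statement parameters, so the only
// safe way to accept them is to compare against a fixed list of known names.
const ALLOWED_COLUMNS = [
    'users' => ['name', 'email'],
];

function fetchColumn(mysqli $connection, string $table, string $column, string $sid): ?string
{
    // Reject anything not on the allowlist before it can reach the SQL string.
    if (!isset(ALLOWED_COLUMNS[$table]) || !in_array($column, ALLOWED_COLUMNS[$table], true)) {
        throw new InvalidArgumentException("Unknown table/column: $table.$column");
    }

    // Identifiers come from the allowlist, so quoting them with backticks is
    // safe; the row selector is still a bound parameter.
    $sql = "SELECT `$column` FROM `$table` WHERE sid = ?";
    $stmt = $connection->prepare($sql);
    $stmt->bind_param('s', $sid);
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? $value : null;
}

// Explicit getter: callers never pass table or column names at all, so a
// caller cannot turn the generic helper into an injection point.
function getUserName(mysqli $connection, string $sid): ?string
{
    return fetchColumn($connection, 'users', 'name', $sid);
}

// Usage (assumes $mysqli and $sid are already set up):
// $name = getUserName($mysqli, $sid);
// echo $name;
```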