Jump to content

Function that generates a variable variable?


Sasori7

Recommended Posts

I have a function that get's a quick single item from a query:

function gimme($sql) { 
global $mysqli; 
global $mytable; 
global $sid; 
$query = "SELECT ".$sql." FROM ".$mytable." WHERE sid = ".$sid; $result = $mysqli->query($query); 
$value = $result->fetch_array(MYSQLI_NUM); 
$$sql = is_array($value) ? $value[0] : ""; 
return $$sql; // this is what I've tried so far 
$result->close(); 
}

It works great as:

echo(gimme("name"));

Then I realized that I could use that as a variable ('$name' in this case) elsewhere. However, I can't figure out how get that new, variable variable 'outside' of the function.  As such,

echo($name);

isn't working outside the function.  Is there a way to return a variable variable?  In other words, is there a way to make a function that creates a variable variable that will available outside of the function?

 

Thanks

 

Link to comment
Share on other sites

Forget variable-variables even exist, you pretty much never want to use them.  While your at it, forget that global exists, you shouldn't be using that either, convert those values to extra parameters.

Your function should accept the data it needs as parameters, then return a result.  Your query should also use prepared statements where possible.  Your sid value can be bound as a parameter to protect against injection.  Your column and table names cannot be bound so you need to ensure your safe there via other means.  If all those values are hard-coded by you and not accepted as user input then that's fine.  If they come from user input you need to make changes such as using a whitelist.

function gimme($connection, $table, $column, $sid){
    $sql - 'SELECT '.$column.' FROM '.$table.' WHERE sid=?';
    $stmt = $connection->prepare($sql);
    $stmt->bind_param('s', $sid);
    $stmt->execute();

    $stmt->bind_result($result);
    if ($stmt->fetch()){
        return $result;
    }

    return null;
}

Now with that function, you just call it with the relevant parameters and assign the result to whatever variable you want.

$name = gimme($mysqli, 'users', 'name', $sid);

echo $name;

 

Link to comment
Share on other sites

@kicken's answer is "correct", but I would highly advise against using such a general function. While that function is correctly using a prepared statement and protecting the $sid value, you cannot use prepared variables for table/column names. This leaves open the possibility for that function to open a potential exploit depending on how it is called. A function/method should be secure on its own without having to worry about how it is called. While prevailing logic is to write code once (i.e. don't build duplication functionality) when dealing with data it is typical to have explicit setter/getter functions/methods for scenarios such as this.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.