Passing variables to a function

tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Passing variables to a function

Post by tzirtzi »

Hello all :)

I'm trying to write a function to make my application of the mysql_real_escape_string() function to all user input more efficient. I want to write a function to which I can pass a list of variables and then it applies mysql_real_escape_string() to all of them. The two things I've tried are:

Code:

function preQueryCleanup($stringnames){
	foreach($stringnames as $stringname){
		$GLOBALS[$stringname]=mysql_real_escape_string($GLOBALS[$stringname]);
	}
}
and

Code:

function preQueryCleanup($stringnames){
	foreach($stringnames as $stringname){
		global ${$stringname};
		${$stringname}=mysql_real_escape_string(${$stringname});
	}
}
but neither of these works - both $GLOBALS[$stringname] and ${$stringname} return nothing. Am I doing something simple wrong here? Am I misunderstanding how these things work? Or is what I'm trying to do impossible?

Thanks in advance,
tzirtzi
internet-solution
Forum Contributor
Posts: 220
Joined: Thu May 27, 2010 6:27 am
Location: UK

Re: Passing variables to a function

Post by internet-solution »

Are global variables enabled on your server?
tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Re: Passing variables to a function

Post by tzirtzi »

I use them successfully elsewhere in the site, so yeah I'm pretty sure they are...

But I will double check that.

Edit: yes, global variables are definitely enabled.
tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Re: Passing variables to a function

Post by tzirtzi »

Okay, I've refined my understanding of the problem a bit - these functions work if you call them from index.php, they don't work if you call them from within a function.

So it sounds like I've misunderstood how global variables work.

If I declare a variable $X within function A() and then (still from function A()) call function B(), is there any way to make the scope of $X include function B?
tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Re: Passing variables to a function

Post by tzirtzi »

Just bumping the thread in case anyone might have an answer to my question :)

Edit: more attempted solutions from a different angle - using a function with &$arguments, which I understand to behave a bit like global variables in that things that affect them within the function also affect the original variables. The problem then is that I want to be able to pass the function any number of arguments.
  • Something using func_num_args() and func_get_args() wouldn't work because then the arguments themselves aren't defined when the function is defined so there's no opportunity to specify them as being passed by reference.
  • Something like function preQueryCleanup(&$arg[1],&$arg[1]=null,etc){} doesn't work because you can't use arrays as arguments like this. It wouldn't be entirely satisfactory anyway, as it would be limited to a set number. But at least if it were possible, the code for the function itself could still be a foreach.
  • Something like function preQueryCleanup(&$arg1, &$arg2=null,&$arg3=null, etc.){} would presumably work, but seems incredibly clumsy as the function couldn't be then structured as a foreach loop but would have to be a series of repetitive lines $arg1=mysql_real_escape_string($arg1);...
If anyone could suggest any way of solving one of these alternative approaches, that would equally be great! :)
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: Passing variables to a function

Post by Bind »

Is this what you are trying to do?

Code:

<?php
function preQueryCleanup($stringnames)
    {
        // Escape every element and return the cleaned array
        for($i = 0; $i < count($stringnames); $i++)
            {
                $stringnames[$i] = mysql_real_escape_string($stringnames[$i]);
            }
        return $stringnames;
    }
 ?>
tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Re: Passing variables to a function

Post by tzirtzi »

Thanks for your reply :) However, that's not quite what I want to do. The difference and the reason are easiest to demonstrate with code...

Say I have this function:

Code:

function performQuery($value,$column){
$q='select * from "table" where "'.$column.'" = "'.$value.'"';
$result=mysql_query($q);
return $result;
}
Now I can just put in two lines of code to proof this against SQL injection:

Code:

function performQuery($value,$column){
$value=mysql_real_escape_string($value);
$column=mysql_real_escape_string($column);
$q='select * from "table" where "'.$column.'" = "'.$value.'"';
$result=mysql_query($q);
return $result;
}
But (a) I have lots of functions in this format that need to be edited, and (b) some of them take a very large number of arguments - so this crude method would involve adding a lot of repetitive lines of code and seems very inefficient. If instead I were to use a function which applied mysql_real_escape_string() to an array, the result would look like this:

Code:

function performQuery($value,$column){
$safe_strings=preQueryCleanup(array('value' => $value, 'column' => $column));
$value=$safe_strings['value'];
$column=$safe_strings['column'];
$q='select * from "table" where "'.$column.'" = "'.$value.'"';
$result=mysql_query($q);
return $result;
}
As you can see, this doesn't actually gain anything in terms of efficiency. Alternatively I could do this (which would probably make more sense):

Code:

function performQuery($value,$column){
$safe_strings=preQueryCleanup(array('value' => $value, 'column' => $column));
$q='select * from "table" where "'.$safe_strings['column'].'" = "'.$safe_strings['value'].'"';
$result=mysql_query($q);
return $result;
}
Which does gain in efficiency... But requires me to do a lot of going through existing code (much of it not mine, thus rather slow to do) and editing, rather than just inserting new lines at the beginning of each function which contains a mysql query.

So what I'm trying to do is write a function to which I can pass some strings but will then apply mysql_real_escape_string() to the original variables instead of returning them. Were that possible, only a single extra line of code would be needed at the beginning of each function.

Does that make sense?
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Passing variables to a function

Post by Jonah Bron »

Sounds like you're looking for this:

http://php.net/references.pass
tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Re: Passing variables to a function

Post by tzirtzi »

Yes, indeed. However, as I described above, I couldn't find a way to have both variable-length argument lists and arguments passed by reference. My last resort is just declaring a function with 20 or so optional arguments (in the sense of named arguments with a default value of null) passed by reference. But that seems really messy.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Passing variables to a function

Post by Jonah Bron »

Hows about this?

Code:

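function preQueryCleanup($values) {
    // The array elements are references, so writing through $value
    // changes the caller's variables.
    foreach ($values as &$value) {
        $value = mysql_real_escape_string($value);
    }
    unset($value); // drop the reference left over from the loop
}

function performQuery($value,$column){
    preQueryCleanup(array(&$value, &$column));
    // Column on the left, value on the right, matching the function in the question
    $q = 'SELECT * FROM `table` WHERE "' . $column . '" = "' . $value . '"';
    $result = mysql_query($q);
    return $result;
}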
You might consider using a database library to make all this easier.
tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Re: Passing variables to a function

Post by tzirtzi »

Thank you very much, that works perfectly! :D

You suggest using a database library - I'm not quite clear how that would make this easier. Would you mind explaining that for me? :)

Thanks again,
tzirtzi
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Passing variables to a function

Post by Jonah Bron »

They'll handle stuff like this for you, automatically, and just make your code easier and cleaner overall. Plus, you can switch databases at will. Here's a popular one:

http://adodb.sourceforge.net/
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Passing variables to a function

Post by AbraCadaver »

Jonah Bron wrote: They'll handle stuff like this for you, automatically, and just make your code easier and cleaner overall. Plus, you can switch databases at will. Here's a popular one:

http://adodb.sourceforge.net/
Also, rather than looping, I like:

Code:

$array = array_map('mysql_real_escape_string', $array);

mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Passing variables to a function

Post by Jonah Bron »

Woop, array_map ftw!
tzirtzi
Forum Newbie
Posts: 10
Joined: Thu Mar 17, 2011 7:58 am

Re: Passing variables to a function

Post by tzirtzi »

Wow. AdoDB looks like it would have saved... well, a huge amount of coding. At this point, I'm not sure it would be worth going back and changing things.. but next time, I definitely will be using it.

Thanks for the heads up on array_map - I'll be using that :).
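
An added example, not part of any post in this thread: the thread's performQuery() written with PDO, one of the two replacements named in the deprecation notice quoted earlier. The value is bound as a parameter and the column name is checked against an allow-list, because escaping a string does not make it safe to use as an identifier. The `users` table, its columns, the sample rows and the in-memory SQLite database (standing in for MySQL; needs the pdo_sqlite extension) are assumptions made for the demo.

```php
<?php
// Added example: table, columns and rows below are constructed sample data.
// In-memory SQLite stands in for MySQL so the script runs without a server.

function performQuery(PDO $db, string $value, string $column): array
{
    // Identifiers cannot be bound as parameters, and string escaping does
    // not protect them, so the column must match a fixed allow-list.
    $allowed = ['name', 'email'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Column not allowed: $column");
    }

    // The value travels separately from the SQL text: no escaping call is
    // needed and quotes inside it cannot change the statement.
    $stmt = $db->prepare("SELECT id, name, email FROM users WHERE $column = :value");
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'alice@example.test'), ('o''brien', 'ob@example.test')");

// Ordinary lookups, including a value that contains a quote character.
echo "alice:   ", count(performQuery($db, 'alice', 'name')), " row(s)\n";
echo "o'brien: ", count(performQuery($db, "o'brien", 'name')), " row(s)\n";

// A value shaped like SQL is compared as plain text, so it matches no row.
echo "sql-like value: ", count(performQuery($db, "x' OR '1'='1", 'name')), " row(s)\n";

// A column outside the allow-list is rejected before any SQL is built.
try {
    performQuery($db, 'alice', 'name OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the function body stays the same.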