Passing variables to a function
Posted: Thu Mar 17, 2011 8:05 am
by tzirtzi
Hello all
I'm trying to write a function to make my application of the mysql_real_escape_string() function to all user input more efficient. I want to write a function to which I can pass a list of variables and then it applies mysql_real_escape_string() to all of them. The two things I've tried are:
Code:
function preQueryCleanup($stringnames){
foreach($stringnames as $stringname){
$GLOBALS[$stringname]=mysql_real_escape_string($GLOBALS[$stringname]);
}
}
and
Code:
function preQueryCleanup($stringnames){
foreach($stringnames as $stringname){
global ${$stringname};
${$stringname}=mysql_real_escape_string(${$stringname});
}
}
but neither of these work - both $GLOBAL[$stringname] and ${$stringname} return nothing. Am I doing something simple wrong here? Am I misunderstanding how these things work? Or is what I'm trying to do impossible?
Thanks in advance,
tzirtzi
Re: Passing variables to a function
Posted: Thu Mar 17, 2011 8:12 am
by internet-solution
Are global variables enabled on your server?
Re: Passing variables to a function
Posted: Thu Mar 17, 2011 8:36 am
by tzirtzi
I use them successfully elsewhere in the site, so yeah I'm pretty sure they are...
But I will double check that.
Edit: yes, global variables are definitely enabled.
Re: Passing variables to a function
Posted: Thu Mar 17, 2011 11:27 am
by tzirtzi
Okay, I've refined my understanding of the problem a bit - these functions work if you call them from index.php, they don't work if you call them from within a function.
So it sounds like I've misunderstood how global variables work.
If I declare a variable $X within function A() and then (still from function A()) call function B(), is there any way to make the scope of $X include function B?
Re: Passing variables to a function
Posted: Fri Mar 18, 2011 4:45 am
by tzirtzi
Just bumping the thread in case anyone might have an answer to my question.
Edit: more attempted solutions from a different angle - using a function with &$arguments, which I understand to behave a bit like global variables in that things that affect them within the function also affect the original variables. The problem then is that I want to be able to pass the function any number of arguments.
- Something using func_num_args() and func_get_args() wouldn't work because then the arguments themselves aren't defined when the function is defined so there's no opportunity to specify them as being passed by reference.
- Something like function preQueryCleanup(&$arg[1],&$arg[1]=null,etc){} doesn't work because you can't use arrays as arguments like this. It wouldn't be entirely satisfactory anyway, as it would be limited to a set number. But at least if it were possible, the code for the function itself could still be a foreach.
- Something like function preQueryCleanup(&$arg1, &$arg2=null,&$arg3=null, etc.){} would presumably work, but seems incredibly clumsy as the function couldn't be then structured as a foreach loop but would have to be a series of repetitive lines $arg1=mysql_real_escape_string($arg1);...
If anyone could suggest any way of solving one of these alternative approaches, that would equally be great!

Re: Passing variables to a function
Posted: Fri Mar 18, 2011 8:20 am
by Bind
Is this what you are trying to do?
Code:
<?php
function preQueryCleanup($stringnames)
{
// escape each element of the array and hand the escaped copy back
for($i=0;$i<count($stringnames);$i++)
{
$stringnames[$i] = mysql_real_escape_string($stringnames[$i]);
}
return $stringnames;
}
?>
Re: Passing variables to a function
Posted: Mon Mar 21, 2011 11:37 am
by tzirtzi
Thanks for your reply

However, that's not quite what I want to do. The difference and the reason are easiest to demonstrate with code...
Say I have this function:
Code:
function performQuery($value,$column){
$q='select * from "table" where "'.$column.'" = "'.$value.'"';
$result=mysql_query($q);
return $result;
}
Now I can just put in two lines of code to proof this against sql injection:
Code:
function performQuery($value,$column){
$value=mysql_real_escape_string($value);
$column=mysql_real_escape_string($column);
$q='select * from "table" where "'.$column.'" = "'.$value.'"';
$result=mysql_query($q);
return $result;
}
But (a) I have lots of functions in this format that need to be edited, and (b) some of them take a very large number of arguments - so this crude method would involve adding a lot of repetitive lines of code and seems very inefficient. If instead I were to use a function which applied mysql_real_escape_string() to an array, the result would look like this:
Code:
function performQuery($value,$column){
$safe_strings=preQueryCleanup(array('value' => $value, 'column' => $column));
$value=$safe_strings['value'];
$column=$safe_strings['column'];
$q='select * from "table" where "'.$column.'" = "'.$value.'"';
$result=mysql_query($q);
return $result;
}
As you can see, this doesn't actually gain anything in terms of efficiency. Alternatively I could do this (which would probably make more sense):
Code:
function performQuery($value,$column){
$safe_strings=preQueryCleanup(array('value' => $value, 'column' => $column));
$q='select * from "table" where "'.$safe_strings['column'].'" = "'.$safe_strings['value'].'"';
$result=mysql_query($q);
return $result;
}
Which does gain in efficiency... But requires me to do a lot of going through existing code (much of it not mine, thus rather slow to do) and editing, rather than just inserting new lines at the beginning of each function which contains a mysql query.
So what I'm trying to do is write a function to which I can pass some strings but will then apply mysql_real_escape_string() to the original variables instead of returning them. Were that possible, only a single extra line of code would be needed at the beginning of each function.
Does that make sense?
Re: Passing variables to a function
Posted: Mon Mar 21, 2011 11:59 am
by Jonah Bron
Sounds like you're looking for this:
http://php.net/references.pass
Re: Passing variables to a function
Posted: Mon Mar 21, 2011 12:31 pm
by tzirtzi
Yes, indeed. However, as I described above, I couldn't find a way to have both variable-length argument lists and arguments passed by reference. My last resort is just declaring a function with 20 or so optional arguments (in the sense of named arguments with a default value of null) passed by reference. But that seems really messy.
Re: Passing variables to a function
Posted: Mon Mar 21, 2011 1:05 pm
by Jonah Bron
How's about this?
Code:
function preQueryCleanup($values) {
foreach ($values as &$value) {
$value = mysql_real_escape_string($value);
}
}
function performQuery($value,$column){
preQueryCleanup(array(&$value, &$column));
$q = 'SELECT * FROM `table` WHERE "' . $value . '" = "' . $column . '"';
$result = mysql_query($q);
return $result;
}
You might consider using a database library to make all this easier.
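The combination tzirtzi asked for (any number of arguments, each passed by reference) became possible in PHP 5.6 with the `&...$vars` variadic syntax. The block below is an added example, not code from any poster: it assumes an open mysqli connection `$db` (the mysql_* functions were removed in PHP 7), keeps the thread's one-line-per-function shape, and adds the check that escaping cannot provide: column names are identifiers, so they are matched against a whitelist instead of being escaped.

```php
<?php
// Added example, not from the thread. Needs PHP >= 5.6 for "&...$vars";
// $db is assumed to be an open mysqli connection.

// Escape every argument in place. Each argument is bound by reference, so the
// caller's own variables are rewritten: preQueryCleanup($db, $a, $b, $c);
function preQueryCleanup(mysqli $db, &...$vars)
{
    foreach ($vars as &$v) {
        $v = mysqli_real_escape_string($db, (string) $v);
    }
    unset($v); // drop the reference left behind by foreach
}

// Escaping only protects quoted string literals. A column name is an
// identifier, so the only safe option is a fixed list of allowed names.
function safeColumn($column, array $allowed)
{
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown column: $column");
    }
    return '`' . $column . '`';
}

function performQuery(mysqli $db, $value, $column)
{
    $col = safeColumn($column, array('id', 'name', 'email'));
    preQueryCleanup($db, $value); // the single extra line the thread wanted
    $q = "SELECT * FROM `table` WHERE $col = '$value'";
    return mysqli_query($db, $q);
}

// The same query as a prepared statement, which is what the "database
// library" suggestion amounts to: the value never becomes part of the SQL
// text, so no escaping step is needed at all.
function performQueryPrepared(mysqli $db, $value, $column)
{
    $col = safeColumn($column, array('id', 'name', 'email'));
    $stmt = $db->prepare("SELECT * FROM `table` WHERE $col = ?");
    $stmt->bind_param('s', $value);
    $stmt->execute();
    return $stmt; // fetch with bind_result()/fetch(), or get_result() on mysqlnd
}
```

Note that the thread's own queries wrap the column name in double quotes; in MySQL's default mode that makes it a string literal rather than an identifier, which is why the example uses backticks and a whitelist.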
Re: Passing variables to a function
Posted: Tue Mar 22, 2011 10:09 am
by tzirtzi
Thank you very much, that works perfectly!
You suggest using a database library - I'm not quite clear how that would make this easier. Would you mind explaining that for me?
Thanks again,
tzirtzi
Re: Passing variables to a function
Posted: Tue Mar 22, 2011 1:22 pm
by Jonah Bron
They'll handle stuff like this for you, automatically, and just make your code easier and cleaner overall. Plus, you can switch databases at will. Here's a popular one:
http://adodb.sourceforge.net/
Re: Passing variables to a function
Posted: Tue Mar 22, 2011 1:32 pm
by AbraCadaver
Jonah Bron wrote: They'll handle stuff like this for you, automatically, and just make your code easier and cleaner overall. Plus, you can switch databases at will. Here's a popular one:
http://adodb.sourceforge.net/
Also, rather than looping, I like:
Code:
$array = array_map('mysql_real_escape_string', $array);
Re: Passing variables to a function
Posted: Tue Mar 22, 2011 1:46 pm
by Jonah Bron
Woop, array_map ftw!
Re: Passing variables to a function
Posted: Tue Mar 22, 2011 6:36 pm
by tzirtzi
Wow. AdoDB looks like it would have saved... well, a huge amount of coding. At this point, I'm not sure it would be worth going back and changing things... but next time, I definitely will be using it.
Thanks for the heads up on array_map - I'll be using that.