reflection and function parameters

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

reflection and function parameters

Post by alex.barylski »

I am trying to figure out if it's possible to use reflection to automate securing of parameters before sending to mysql_query...

Code:

$method = new ReflectionMethod(__CLASS__, __FUNCTION__);
// MyIterator is not defined anywhere in the thread
foreach(new MyIterator($method->getParameters()) as $key => $variable){
	$tmp_name = $variable->getName();
	// Escape the leading $ so the evaluated code reads "$name = 10;"
	eval("\${$tmp_name} = 10;");
}

I want to add something like the above to each and every mysql function in an application BUT I need to re-assign the parameters the mysql_real_escape_string value so they're safe to pass to query.

I can't think of a way to accomplish this, so short of telling myself it's impossible, I figured I would throw this out there and see what y'all might be able to hack together. No extensions please. :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Is func_get_args() not going to work for you?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I tried using that function, but when it comes to re-assigning the value it doesn't seem to work. How would it?

What did you have in mind?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Hockey wrote:
> I tried using that function, but when it comes to re-assigning the value it doesn't seem to work. How would it?
>
> What did you have in mind?

No it should work. I'm not sure Reflection is going to help when you're trying to look at an object which is already instantiated, unless I'm misunderstanding you. func_get_args() is a bit weird I admit -- for example it has a problem foreaching it directly, but assign the result to a variable and you should have something fully mutable.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

So you can iterate the results of func_get_args() and re-assign them???

I swear I tried that but maybe it was just too late and I missed something. Anyways, I just wanted a semi-automated method of securing arguments before sending to my query.

Each time the schema changed I would have to make sure I added that argument to the list like:

Code:

$name = mysql_real_escape_string($name);
$age = mysql_real_escape_string($age);
$bday = mysql_real_escape_string($bday);

What I found was happening though, was that I would occasionally *miss* an argument altogether or would mistype one like:

Code:

$name = mysql_real_escape_string($name);
$age = mysql_real_escape_string($age);
$bday = mysql_real_escape_string($name); // Bad!!

Ideally I wanted to avoid using loops or anything and simply wanted to call a function with each argument in the parameter list clearly visible for the sake of clarity and explicitness. I eventually devised this as a solution which works and keeps things a little more obvious IMHO.

Code:

/** START: SECURE PARAMETERS **/
list($udate, $ddate, $sent, $recv, $open, $status, $layout, $subject, $htmlbody) =
_sane($udate, $ddate, $sent, $recv, $open, $status, $layout, $subject, $htmlbody);
/** FINISH: SECURE PARAMETERS **/

Code:

function _sane()
{
  $args = func_get_args();
  return array_map('mysql_real_escape_string', $args);
}

Less automated than if I iterated through the func_get_args() but it's clear.

I'm not sure I see how you mean when you say the arguments become fully mutable???

Can you demonstrate with code so I get what you're saying?

Here is what I tried previously but it doesn't work - can't use a reference on the func_*

Code:

$cnt = func_num_args();
for($i=0; $i<$cnt; $i++){
  $tmp =& func_get_arg($i);
  $tmp = mysql_real_escape_string($tmp);
}

How else could you do it?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Code:

$args = func_get_args();
$mod = $args;

foreach ($args AS $k => $v)
{
    $mod[$k] = mysql_real_escape_string($v);
}

That's the only way I could think of doing it. Doesn't look too pretty though.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Wouldn't that be a perfect opportunity to skip mysql_query and use pdo/bind parameters instead?
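
The PDO bound-parameter approach suggested in the last post, as an added example that is not code from the thread or from any poster. The `campaign` table, the `CAMPAIGN_COLUMNS` list and `insertCampaign()` are hypothetical names modelled on the parameter list posted earlier; a single column list replaces the per-argument escaping calls, so a missed or mistyped argument raises an error instead of reaching the query unescaped.

```php
<?php
// Added example (not code from the thread). Table and column names are
// hypothetical, modelled on the parameter list posted earlier.
// SQLite in memory keeps it runnable offline; for MySQL use a mysql: DSN and
// set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE campaign (id INTEGER PRIMARY KEY, status TEXT, layout TEXT, subject TEXT, htmlbody TEXT)');

// The single place to update when the schema changes. Column names never
// come from user input, so they are safe to place in the SQL text.
const CAMPAIGN_COLUMNS = ['status', 'layout', 'subject', 'htmlbody'];

function insertCampaign(PDO $db, array $fields): int
{
    // Reject unknown or missing keys instead of silently skipping one.
    $unknown = array_diff(array_keys($fields), CAMPAIGN_COLUMNS);
    $missing = array_diff(CAMPAIGN_COLUMNS, array_keys($fields));
    if ($unknown || $missing) {
        throw new InvalidArgumentException(
            'Bad field list: unknown=' . implode(',', $unknown) . ' missing=' . implode(',', $missing)
        );
    }

    $columns = implode(', ', CAMPAIGN_COLUMNS);
    $placeholders = ':' . implode(', :', CAMPAIGN_COLUMNS);
    $stmt = $db->prepare("INSERT INTO campaign ($columns) VALUES ($placeholders)");

    // Values travel separately from the SQL text; no escaping call is needed.
    foreach (CAMPAIGN_COLUMNS as $column) {
        $stmt->bindValue(':' . $column, $fields[$column], PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Constructed sample input containing quotes and comment markers.
$id = insertCampaign($db, [
    'status'   => 'draft',
    'layout'   => 'two-column',
    'subject'  => "O'Brien's offer; -- 50% off",
    'htmlbody' => '<p>Hello "world"</p>',
]);

// Read the row back and compare the stored subject with the input.
$check = $db->prepare('SELECT subject FROM campaign WHERE id = :id');
$check->execute([':id' => $id]);
var_dump($check->fetchColumn() === "O'Brien's offer; -- 50% off");
```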