Larry Ullman's Book Forums

'Functionalising' A Bit Of 'Cleansing' Code



Hi Larry,

 

I've quite a few forms and I seem to regularly copy and paste this bit of code:

if (empty($_POST['post_title'])) {
    $errors[] = 'You forgot to enter a post title.';
} else {
    if (get_magic_quotes_gpc()) {
        $post_title = mysqli_real_escape_string($dbc, stripslashes(trim($_POST['post_title'])));
    } else {
        $post_title = mysqli_real_escape_string($dbc, trim($_POST['post_title']));
    }
}

 

... so I put this function together in a functions.php file:

function validate_text_input($input_name, $err_msg) {
    if (empty($_POST[$input_name])) {
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($_POST[$input_name])));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($_POST[$input_name]));
        }
    }
}

 

... and am including it like this:

include('functions.php');

 

... and calling within the rest of my code like this:

validate_text_input('post_title', 'Please enter a title for your post.');
validate_text_input('post_subtitle', 'Please enter a subtitle for the blog post.');
validate_text_input('post_body', 'Please enter the body of the blog post.');

 

... in my form, that input is like this:

<form name="form" method="post" action="">
  <label for="post_title">Post Title</label>
  <input type="text" name="post_title" id="post_title" value="<?php if (isset($_POST['post_title']) && !empty($errors)) { echo htmlspecialchars($_POST['post_title'], ENT_QUOTES, 'UTF-8'); } ?>" />

  <!-- other inputs -->

  <input type="submit" name="submit" value="Add Blog Post" />
</form>

 

Now, if I enter nothing at all in the post_title field and submit, the validation works and I see the error. However, if I do put something in the post_title field and submit, I get this error:

Notice: Undefined variable: post_title in /…/…/…/.../add_blog_post.php on line 42

 

I can't figure out what I'm doing wrong. Maybe I've been looking for it for too long... Is it something to do with the scope of the $input_name variable within the function? If that is the case, how do I fix the problem? I should add that I've only just started using functions.

 

Any suggestions and/or help would be appreciated.

 

Thanks in advance.


Do you have to quote the values in the $_POST variable?

 

function validate_text_input($input_name, $err_msg) {
    if (empty($_POST['$input_name'])) {
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($_POST['$input_name'])));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($_POST['$input_name']));
        }
    }
}

 

Excuse me if this is nonsense, I'm just a beginner!


Yes, scope issues.

 

mysqli_real_escape_string requires the database connection, so you'll either need to pass the connection into the function or make $dbc global.

 

As it stands you're not returning any values ($errors, $input_name) so they are not accessible outside of the function. Again you could make $errors global and return the sanitized value if $input_name triggers else in your empty conditional.


Yes, scope issues.

 

mysqli_real_escape_string requires the database connection, so you'll either need to pass the connection into the function or make $dbc global.

 

As it stands you're not returning any values ($errors, $input_name) so they are not accessible outside of the function. Again you could make $errors global and return the sanitized value if $input_name triggers else in your empty conditional.

 

Thanks for this.

 

I didn't want to put the connection in the function as I'd have been opening and closing it every time I called the function, so I'll make $dbc global.

 

I see what you're saying about returning values... I'll do as you advise regarding making $errors global and returning the sanitised $input_name. I'm only just starting out with functions but am quickly seeing their potential...


Rob, I'm still not getting this to work...

 

I wasn't exactly sure what you meant by this....

... and return the sanitized value if $input_name triggers else in your empty conditional.

 

I altered my function so that it now looks like:

function validate_text_input($input_name, $err_msg) {
    global $dbc;
    global $errors;
    if (empty($_POST[$input_name])) {
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($_POST[$input_name])));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($_POST[$input_name]));
        }
        return $input_name;
    }
}

 

... but the else part of the conditional isn't working for me. I'm still getting this error…

Notice: Undefined variable: post_title...

 

 

Can you see what I'm doing wrong? Thanks in advance if you can help.


Try changing the function to this:

function validate_text_input($input_name, $err_msg) {
    global $dbc;
    global $errors;
    if (empty($input_name)) { // you're not using $_POST[$input_name] as an argument, just $input_name
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($input_name)));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($input_name));
        }
        return $input_name;
    }
}

And call the function like this:

$postTitle = validate_text_input($_POST['post_title'], 'Please enter a title for your post.');
$postSubtitle = validate_text_input($_POST['post_subtitle'], 'Please enter a subtitle for the blog post.');
$postBody = validate_text_input($_POST['post_body'], 'Please enter the body of the blog post.');

You want to pass the $_POST variables when you call the function, but the function itself will use the name of the argument in the function definition, and you'll want to assign the return values to a variable that you can use for the form output if $errors is empty.

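The same validator written without globals, as an added example (not code from the thread): the connection and the error list are passed in explicitly, the sanitised value is the return value, and the field is read from $_POST inside the function so a missing key raises no notice. It assumes $dbc already holds an open mysqli connection and uses the field names from the form above.

```php
<?php
// Added example, not code from the thread: the same validator with no globals.
// The connection and the error list are passed in explicitly ($errors by
// reference, so the caller's array is filled) and the sanitised value is the
// return value. Assumes $dbc already holds an open mysqli connection.

function validate_text_input(mysqli $dbc, array &$errors, $field, $err_msg)
{
    // Read the field defensively so a missing key raises no notice.
    $raw = isset($_POST[$field]) ? $_POST[$field] : '';

    // A name="field[]" input arrives as an array, which is not text.
    if (!is_string($raw)) {
        $errors[] = $err_msg;
        return null;
    }

    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }

    // Test the trimmed string, not empty(): empty('0') is true, so a post
    // titled "0" would otherwise be rejected as missing.
    $value = trim($raw);
    if ($value === '') {
        $errors[] = $err_msg;
        return null;
    }

    // Escaped for use inside a quoted SQL string literal only.
    return mysqli_real_escape_string($dbc, $value);
}

// Usage, with the field names from the thread's form (assumed context):
$errors = array();
$post_title    = validate_text_input($dbc, $errors, 'post_title', 'Please enter a title for your post.');
$post_subtitle = validate_text_input($dbc, $errors, 'post_subtitle', 'Please enter a subtitle for the blog post.');
$post_body     = validate_text_input($dbc, $errors, 'post_body', 'Please enter the body of the blog post.');

if (empty($errors)) {
    // $post_title, $post_subtitle and $post_body are ready for the INSERT.
} else {
    // Redisplay the form; HTML-escape $_POST values before echoing them.
}
```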

I've thought a little about this. How about exceptions? You only need to use stripslashes() if get_magic_quotes_gpc() is on. No need for the if/else there. mysqli_real_escape_string does return a string, so no need for a variable. Easily readable code is always better. :)

 

$errors = array();

try {
  $postTitle = validate_text_input($_POST['post_title'], 'Please enter a title for your post.');
  $postSubtitle = validate_text_input($_POST['post_subtitle'], 'Please enter a subtitle for the blog post.');
  $postBody = validate_text_input($_POST['post_body'], 'Please enter the body of the blog post.');
} catch (Exception $e) {
  $errors[] = $e->getMessage();
}

function validate_text_input($input_name, $error) {
  global $dbc; // the connection is needed here as well; without this line $dbc is undefined inside the function

  if (empty($input_name)) {
    throw new Exception($error);
  }
  if (get_magic_quotes_gpc()) {
    $input_name = stripslashes(trim($input_name));
  }

  return mysqli_real_escape_string($dbc, trim($input_name));
}

I'm developing a lot of similar functionality myself at the moment. This is my Integer check:

/**
 * private boolean isInteger()
 *
 * Checks whether input is a valid integer or a valid string version of an integer.
 *
 * @param Type $number		The number to check
 * @return boolean			TRUE on confirmed integer. FALSE else
 */
private function isInteger($number) {
	// is_int() is never true for a string, and ctype_digit() on an int tests its
	// ASCII code, so the two checks must be combined with OR, not AND.
	return is_int($number) || (is_string($number) && ctype_digit($number));
}

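An added example (not the poster's code) that shows why ctype_digit() && is_int() cannot work as an integer check, next to a version that accepts PHP integers and decimal strings, optionally with a leading minus, and walks both over a set of constructed inputs:

```php
<?php
// Added example, not from the thread. is_integer_value() accepts PHP ints and
// strings of decimal digits (optionally with a leading '-'); everything else,
// including floats, bools, null, '4.0', '4e2' and padded strings, is rejected.
function is_integer_value($value, $allow_negative = true)
{
    if (is_int($value)) {
        return true;
    }
    if (!is_string($value)) {
        return false;
    }
    $digits = ($allow_negative && strlen($value) > 1 && $value[0] === '-')
        ? substr($value, 1) : $value;
    // ctype_digit('') is false, so the empty string is rejected here as well.
    return ctype_digit($digits);
}

// The check as posted: ctype_digit() on an int tests it as an ASCII code
// (ctype_digit(53) is true because chr(53) is '5'), and is_int() is false for
// every string, so the AND holds only for the ints 48..57 and for no string.
function original_is_integer($number)
{
    return ctype_digit($number) && is_int($number);
}

// Constructed inputs covering the cases a form can actually deliver.
$cases = array(42, 53, '42', '007', '-3', '4.0', 4.0, '4e2', ' 5', '', true, null);
foreach ($cases as $c) {
    printf("%-8s original=%-5s fixed=%s\n", var_export($c, true),
        original_is_integer($c) ? 'true' : 'false',
        is_integer_value($c) ? 'true' : 'false');
}
```

Note that 42 fails the original check while 53 passes it, and '42' fails it outright; the fixed check accepts 42, 53, '42', '007' and '-3' and rejects the rest. Leading zeros are accepted as digits, so cast or normalise afterwards if '007' should not reach the database as is.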