peppericious1 Posted December 15, 2011

Hi Larry,

I've quite a few forms and I seem to regularly copy and paste this bit of code:

```php
if (empty($_POST['post_title'])) {
    $errors[] = 'You forgot to enter a post title.';
} else {
    if (get_magic_quotes_gpc()) {
        $post_title = mysqli_real_escape_string($dbc, stripslashes(trim($_POST['post_title'])));
    } else {
        $post_title = mysqli_real_escape_string($dbc, trim($_POST['post_title']));
    }
}
```

... so I put this function together in a functions.php file:

```php
function validate_text_input($input_name, $err_msg) {
    if (empty($_POST[$input_name])) {
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($_POST[$input_name])));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($_POST[$input_name]));
        }
    }
}
```

... and am including it like this:

```php
include('functions.php');
```

... and calling within the rest of my code like this:

```php
validate_text_input('post_title', 'Please enter a title for your post.');
validate_text_input('post_subtitle', 'Please enter a subtitle for the blog post.');
validate_text_input('post_body', 'Please enter the body of the blog post.');
```

... in my form, that input is like this:

```php
<form name="form" method="post" action="">
  <label for="title">Post Title</label>
  <input type="text" name="post_title" id="post_title" value="<?php if((isset($_POST['post_title'])) && (!empty($errors))) { echo $_POST['post_title']; }?>" />
  <!-- other inputs -->
  <input type="submit" name="submit" value="Add Blog Post" />
</form>
```

Now, if I enter nothing at all in the post_title field and submit, the validation works and I see the error. However, if I do put something in the post_title field and submit, I get this error:

Notice: Undefined variable: post_title in /…/…/…/.../add_blog_post.php on line 42

I can't figure out what I'm doing wrong. Maybe I've been looking for it for too long...

Is it something to do with the scope of the $input_name variable within the function? If that is the case, how do I fix the problem? I should add that I've only just started using functions.

Any suggestions and/or help would be appreciated. Thanks in advance.
phpRob Posted December 15, 2011

Which line is line 42?
phpRob Posted December 15, 2011

Do you have to quote the values in the $_POST variable?

```php
function validate_text_input($input_name, $err_msg) {
    if (empty($_POST['$input_name'])) {
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($_POST['$input_name'])));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($_POST['$input_name']));
        }
    }
}
```

Excuse me if this is nonsense, I'm just a beginner!
rob Posted December 16, 2011

Yes, scope issues. mysqli_real_escape_string requires the database connection, so you'll either need to pass the connection into the function or make $dbc global.

As it stands you're not returning any values ($errors, $input_name) so they are not accessible outside of the function. Again you could make $errors global and return the sanitized value if $input_name triggers else in your empty conditional.
peppericious1 (Author) Posted December 16, 2011

> Yes, scope issues. mysqli_real_escape_string requires the database connection, so you'll either need to pass the connection into the function or make $dbc global.
>
> As it stands you're not returning any values ($errors, $input_name) so they are not accessible outside of the function. Again you could make $errors global and return the sanitized value if $input_name triggers else in your empty conditional.

Thanks for this. I didn't want to put the connection in the function as I'd have been opening and closing it every time I called the function, so I'll make $dbc global.

I see what you're saying about returning values... I'll do as you advise regarding making $errors global and returning the sanitised $input_name.

I'm only just starting out with functions but am quickly seeing their potential...
peppericious1 (Author) Posted December 16, 2011

Rob, I'm still not getting this to work... I wasn't exactly sure what you meant by this....

> ... and return the sanitized value if $input_name triggers else in your empty conditional.

I altered my function so that it now looks like:

```php
function validate_text_input($input_name, $err_msg) {
    global $dbc;
    global $errors;
    if (empty($_POST[$input_name])) {
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($_POST[$input_name])));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($_POST[$input_name]));
        }
        return $input_name;
    }
}
```

... but the else part of the conditional isn't working for me. I'm still getting this error… Notice: Undefined variable: post_title...

Can you see what I'm doing wrong?.... Thanks in advance if you can help.
Paul Swanson Posted December 16, 2011

Try changing the function to this:

```php
function validate_text_input($input_name, $err_msg) {
    global $dbc;
    global $errors;
    if (empty($input_name)) { // you're not using $_POST[$input_name] as an argument, just $input_name
        $errors[] = $err_msg;
    } else {
        if (get_magic_quotes_gpc()) {
            $input_name = mysqli_real_escape_string($dbc, stripslashes(trim($input_name)));
        } else {
            $input_name = mysqli_real_escape_string($dbc, trim($input_name));
        }
        return $input_name;
    }
}
```

And call the function like this:

```php
$postTitle = validate_text_input($_POST['post_title'], 'Please enter a title for your post.');
$postSubtitle = validate_text_input($_POST['post_subtitle'], 'Please enter a subtitle for the blog post.');
$postBody = validate_text_input($_POST['post_body'], 'Please enter the body of the blog post.');
```

You want to pass the $_POST variables when you call the function, but the function itself will use the name of the argument in the function definition, and you'll want to assign the return values to a variable that you can use for the form output if $errors is empty.
peppericious1 (Author) Posted December 16, 2011

Excellent, Paul. Works like a charm. I really appreciate your help. Thanks, too, for the explanation - makes total sense now.
Antonio Conte Posted December 21, 2011

I've thought a little about this. How about exceptions? You only need to use stripslashes() if get_magic_quotes_gpc() is on. No need for the if/else there. mysqli_real_escape_string does return a string, so no need for a variable. Easy readable code is always better.

```php
$errors = array();

try {
    $postTitle = validate_text_input($_POST['post_title'], 'Please enter a title for your post.');
    $postSubtitle = validate_text_input($_POST['post_subtitle'], 'Please enter a subtitle for the blog post.');
    $postBody = validate_text_input($_POST['post_body'], 'Please enter the body of the blog post.');
} catch (Exception $e) {
    $errors[] = $e->getMessage();
}

function validate_text_input($input_name, $error) {
    global $dbc; // the connection is not visible inside the function otherwise

    if (empty($input_name)) {
        throw new Exception($error);
    }
    if (get_magic_quotes_gpc()) {
        $input_name = stripslashes(trim($input_name));
    }
    return mysqli_real_escape_string($dbc, trim($input_name));
}
```

I'm developing a lot of similar functionality myself at the moment. This is my Integer check:

```php
/**
 * private boolean isInteger()
 *
 * Checks whether input is a valid integer and a valid string version of integer.
 *
 * @param Type $number The number to check
 * @return boolean TRUE on confirmed integer. FALSE else
 */
private function isInteger($number) {
    // ctype_digit() only accepts strings and is_int() only accepts ints,
    // so the two checks are alternatives: a real int, or an all-digit string.
    return is_int($number) || (is_string($number) && ctype_digit($number));
}
```
peppericious1 (Author) Posted December 31, 2011

Neat, Antonio, thanks!
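Added example, not part of any post in this thread: the same helper with $errors passed by reference instead of globals, the insert done with a mysqli prepared statement rather than mysqli_real_escape_string(), and the sticky form value HTML-encoded before it is echoed. The posts table and its columns, save_post(), sticky_value() and the open connection $dbc are assumptions for illustration.

```php
<?php
// Validate one text field. $errors is passed by reference instead of being
// a global, and no SQL escaping happens at validation time.
// No magic-quotes branch: get_magic_quotes_gpc() was removed in PHP 8.0.
function validate_text_input(array $source, string $field, string $err_msg, array &$errors): ?string
{
    $value = isset($source[$field]) && is_string($source[$field]) ? trim($source[$field]) : '';
    if ($value === '') {   // unlike empty(), this accepts the string "0"
        $errors[] = $err_msg;
        return null;
    }
    return $value;
}

// Hypothetical insert: values travel as bound parameters, so the query text
// never contains user input and no manual escaping is needed.
function save_post(mysqli $dbc, string $title, string $subtitle, string $body): bool
{
    $stmt = mysqli_prepare($dbc, 'INSERT INTO posts (title, subtitle, body) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'sss', $title, $subtitle, $body);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Hypothetical helper for the sticky form field: encode the submitted value
// for use inside an HTML attribute before echoing it back.
function sticky_value(array $source, string $field): string
{
    $raw = isset($source[$field]) && is_string($source[$field]) ? $source[$field] : '';
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission standing in for $_POST.
$post = ['post_title' => ' My "first" post ', 'post_subtitle' => '', 'post_body' => "It's here"];
$errors = [];
$title    = validate_text_input($post, 'post_title', 'Please enter a title for your post.', $errors);
$subtitle = validate_text_input($post, 'post_subtitle', 'Please enter a subtitle for the blog post.', $errors);
$body     = validate_text_input($post, 'post_body', 'Please enter the body of the blog post.', $errors);

if ($errors === [] && isset($dbc)) {   // $dbc: an open mysqli connection (assumed)
    save_post($dbc, $title, $subtitle, $body);
}
print_r($errors);
echo '<input type="text" name="post_title" value="', sticky_value($post, 'post_title'), '" />', "\n";
```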