Making Safe Variables

Sun, 22 Nov 2009 13:36:19 -0800

Hey all;

Just a small PHP function I came up with today.

I'm writing a rather involved PHP site that deals with a lot of checks against a MySQL database, dumping data to a browser, or dealing with form information. I'm going in and out of the PHP code to draw the site. I was getting annoyed with having to write out mysql_real_escape_string($VariableName) or htmlspecialchars($VariableName) whenever I wanted to deal with some data, especially when having several checks against the SQL statement, so I came up with a small function that'll take some data and convert it to a type of output I want. It makes things a LITTLE more neater in my oppinion if used properly.

You could use this at the beginning of your PHP script to get the $_GET/$_POST data properly formatted for wherever you're going to send the data out to.

function MakeSafe($Unsafe,$OriginalName="") {
  if ($OriginalName!="") $NewVar[$OriginalName]=$Unsafe;
  $NewVar["MySQL"]=mysql_real_escape_string($Unsafe)
;
  $NewVar["HTML"]=htmlspecialchars($Unsafe);
  $NewVar["URLEncode"]=urlencode($Unsafe);
  $NewVar["URLDecode"]=urldecode($Unsafe);
  return $NewVar;
}

When I want to use a variable in multiple places:

<?
// Generate the variable lists
$OutputVar=MakeSafe($UnsafeVarible);

echo $OutputVar["HTML"];
$Sql="select * from tbl_example where ExField='".$OutputVar["MySQL"]."'";
?>

<a href='<?echo $OutputVar["URLEncode"]?>'>Linky Linky</a>

To make better sense of where this would come in useful, lets say we're adding a user to a database with the country they were born in:

<?
// Assume we pulled this from a database query:
$OriginalUserName="Donnald O'Brian <CAN>";

// No more assumptions
$UserName=MakeSafe($OriginalUserName);
$SqlToAddUser="insert into tbl_users Name='".$UserName["MySQL"]."'";
echo "<a href='viewuser.php?UN=".$UserName["URLEncode"]."'>
".$UserName["HTML"]."</a>";
?>

Just thought I'd share. Makes things a LITTLE bit easier.

PS: Not sure if its just the preview or what, but those code blocks don't seem to work right. :/

Re: Making Safe Variables

Fri, 27 Nov 2009 00:45:48 -0800

: Hey all;
:
: Just a small PHP function I came up with today.
:
: I'm writing a rather involved PHP site that deals with a lot of
: checks against a MySQL database, dumping data to a browser, or
: dealing with form information. I'm going in and out of the PHP code
: to draw the site. I was getting annoyed with having to write out
: mysql_real_escape_string($VariableName) or
: htmlspecialchars($VariableName) whenever I wanted to deal with some
: data, especially when having several checks against the SQL
: statement, so I came up with a small function that'll take some data
: and convert it to a type of output I want. It makes things a LITTLE
: more neater in my oppinion if used properly.
:
: You could use this at the beginning of your PHP script to get the
: $_GET/$_POST data properly formatted for wherever you're going to
: send the data out to.
:
:

: 
: function MakeSafe($Unsafe,$OriginalName="") {
:   if ($OriginalName!="") $NewVar[$OriginalName]=$Unsafe;
:   $NewVar["MySQL"]=mysql_real_escape_string($Unsafe)
;
:   $NewVar["HTML"]=htmlspecialchars($Unsafe);
:   $NewVar["URLEncode"]=urlencode($Unsafe);
:   $NewVar["URLDecode"]=urldecode($Unsafe);
:   return $NewVar;
: }
:

:
:
: When I want to use a variable in multiple places:
:

: 
: <?
: // Generate the variable lists
: $OutputVar=MakeSafe($UnsafeVarible);
: 
: echo $OutputVar["HTML"];
: $Sql="select * from tbl_example where ExField='".$OutputVar["MySQL"]."'";
: ?>
: 
: <a href='<?echo $OutputVar["URLEncode"]?>'>Linky Linky</a>
:

:
:
: To make better sense of where this would come in useful, lets say
: we're adding a user to a database with the country they were born in:
:
:

: 
: <?
: // Assume we pulled this from a database query:
: $OriginalUserName="Donnald O'Brian <CAN>";
: 
: // No more assumptions
: $UserName=MakeSafe($OriginalUserName);
: $SqlToAddUser="insert into tbl_users Name='".$UserName["MySQL"]."'";
: echo "<a href='viewuser.php?UN=".$UserName["URLEncode"]."'>
".$UserName["HTML"]."</a>";
: ?>
:

:
:
: Just thought I'd share. Makes things a LITTLE bit easier.
:
: PS: Not sure if its just the preview or what, but those code blocks
: don't seem to work right. :/

<html>the quick tcho a sdf</html>

'Making Safe Variables' Thread RSS Feed

Making Safe Variables

Re: Making Safe Variables