Why don't default values for this function work
Hi,
I'm having a problem with a function that I'll use to validate user input before passing it to MySQL. For strings, I want to make sure that they aren't too long, so I have written this function:
PHP Code:
function secure_string($unsafe_string, $max_length = -1, $errormessage = "Too many characters.")
{
    // verify that string isn't longer than $max_length, if $max_length is set
    if ($max_length > -1)
    {
        if (!is_int($max_length))
        {
            error("Variable max_length is not an integer.");
        }
        if (strlen($unsafe_string) > $max_length)
        {
            error($errormessage);
        }
    }
    // ... and the validation will continue here.
}
When I want to use the max length check I pass a value to the function like this:
PHP Code:
$a_header = secure_string($_POST['a_header'], 60, "Header must not be more then 60 characters.");
But I'm having two problems:
1) If no max length is passed, and $max_length gets the value -1, the if-loop if ($max_length > -1) is still run.
2) Calls to my own function error don't work. Instead of creating a popup window with JavaScript (which works in other places where error() is called), the error message is printed like HTML.
What's wrong?
Best regards,
Anders
(ugur, Kiribati)
Quote:
Originally Posted by thoresson
1) If no max length is passed, and $max_length gets the value -1, the if-loop if ($max_length > -1) is still run.
|
Have you tried calling the function like this, when you don't want to pass a max length value?
PHP Code:
$a_header = secure_string($_POST['a_header'], '', "Header must not be more then 60 characters.");
Don't know if it makes any difference.
-Helge
(FaTýH, Cyprus)
Sorry. My suggestion above doesn't seem to work.
That means that you also have to specify the max length when you specify the errormessage in your function call (That means not using the default errormessage).
So when calling the function you need to do like:
PHP Code:
$a_header = secure_string($_POST['a_header'], -1, "Header must not be more then 60 characters." );
Or not specify a new errormessage at all. Then you can just do
PHP Code:
secure_string($_POST['a_header']);
Another possibility is to change the order of the function's arguments:
PHP Code:
function secure_string($unsafe_string, $errormessage = "Too many characters.", $max_length = -1)
// Calling function
$a_header = secure_string($_POST['a_header'], "Header must not be more then 60 characters." );
Now, one of these will hopefully work! ;)
-Helge
(BURAK, French Guiana)
Quote:
Originally Posted by thoresson
1) If no max length is passed, and $max_length gets the value -1, the if-loop if ($max_length > -1) is still run.
|
Can you give an example of how you are calling this function when no max length is passed? If you pass null, that if statement should evaluate to false; if you pass a string though, it will evaluate to true.
Quote:
Originally Posted by thoresson
2) Calls to my own function error don't work. Instead of creating a popup window with JavaScript (which works in other places where error() is called), the error message is printed like HTML.
|
A code example would be helpful here as well, specifically the error() function and the code that calls it.
(hayyam1989, Croatia)
Quote:
Originally Posted by brainpipe
Can you give an example of how you are calling this function when no max length is passed? If you pass null, that if statement should evaluate to false; if you pass a string though, it will evaluate to true.
|
With max_length I call it like this:
PHP Code:
$a_header = secure_string($_POST['a_header'], 60, "Rubriken får inte vara mer än 60 tecken.");
and without:
PHP Code:
$a_desc = secure_string($_POST['a_desc']);
Quote:
A code example would be helpful here as well, specifically the error() function and the code that calls it.
|
My error() looks like this:
PHP Code:
function error($msg)
{
    ?>
    <SCRIPT language="JavaScript">
    <!--
    alert("<?=$msg?>");
    history.back();
    -->
    </SCRIPT>
    <?php
    exit;
}
In my secure_string() which looks like this, it doesn't work:
PHP Code:
function secure_string($unsafe_string, $max_length = -1, $errormessage = "Du har skrivit för många tecken.")
{
    // verify that string isn't longer than $max_length, if $max_length is set
    if ($max_length > -1)
    {
        if (!is_int($max_length))
        {
            error("Variabeln max_length är inte en siffra.");
        }
        if (strlen($unsafe_string) > $max_length)
        {
            error($errormessage);
        }
    }
    // create array containing bad words
    $badwords = array(";","--","select","drop","insert","xp_","delete");
    $goodwords = array(":","-","choose","leave","add"," ","remove");
    // check for occurrences of $badwords
    for($i=0; $i<7; $i++)
    {
        $unsafe_string = str_replace("$badwords[$i]", "$goodwords[$i]","$unsafe_string");
    }
    $unsafe_string = AddSlashes($unsafe_string);
    $unsafe_string = htmlentities($unsafe_string);
    $unsafe_string = strip_tags($unsafe_string);
    $unsafe_string = trim($unsafe_string);
    Return $unsafe_string;
}
But in validate_email it works:
PHP Code:
// validate entered email address
function validate_email($unchecked_email, $errortype = 1, $errormessage = "Du har inte skrivit in en giltlig e-postadress.")
{
    if(!ereg("(^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z]{2,3}$)", $unchecked_email))
    {
        if($errortype == 1)
        {
            error($errormessage);
        }
        Return 1;
    }
}
And by the way, are the last steps in secure_string needed or not (to make it secure for MySQL), or could I trim it?
PHP Code:
// create array containing bad words
$badwords = array(";","--","select","drop","insert","xp_","delete");
$goodwords = array(":","-","choose","leave","add"," ","remove");
// check for occurrences of $badwords
for($i=0; $i<7; $i++)
{
    $unsafe_string = str_replace("$badwords[$i]", "$goodwords[$i]","$unsafe_string");
}
$unsafe_string = AddSlashes($unsafe_string);
$unsafe_string = htmlentities($unsafe_string);
$unsafe_string = strip_tags($unsafe_string);
$unsafe_string = trim($unsafe_string);
Return $unsafe_string;
Thanks.
(berk, Belarus)
I'm not getting the same problem you are with that code. I'd suggest changing the $max_length parameter so it defaults to null:
PHP Code:
function secure_string($unsafe_string, $max_length=null, $errormessage = "Du har skrivit för många tecken." )
Quote:
Originally Posted by thoresson
In my secure_string() which looks like this, it doesn't work:
But in validate_email it works:
|
I'm at a loss here, I can't see anything that would cause this. Which version of PHP are you running?
Quote:
Originally Posted by thoresson
And by the way, are the last steps in secure_string needed or not (to make it secure for MySQL), or could I trim it?
|
Depends on what you're trying to do. I don't really see a need for strip_tags() here, but if you want to prevent any html from getting into the database (for whatever reason), then use it. You might play with the order in which you're calling those functions just to make sure you're getting the output you want.
(irem, Malaysia)
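An added example, not code from any poster in this thread: a length check with a null default for "no limit", followed by a parameterized insert that stores the text unchanged instead of rewriting words such as "select" or "drop", with HTML escaping applied only at output. The name checked_string(), the posts table, the sample input and the in-memory SQLite database (standing in for MySQL so the code runs offline; prepare() and execute() are called the same way with a MySQL DSN) are assumptions.

```php
<?php
// Added example, not code from the thread. checked_string() and the
// posts table are hypothetical names.

// $max_length defaults to null ("no limit"). PHP fills parameters by
// position, so a custom message still requires passing a length first.
function checked_string($value, $max_length = null, $message = "Too many characters.")
{
    if (!is_string($value)) {
        throw new InvalidArgumentException("Value is not a string.");
    }
    $value = trim($value);
    if ($max_length !== null) {
        if (!is_int($max_length) || $max_length < 0) {
            throw new InvalidArgumentException("max_length must be a non-negative integer.");
        }
        if (strlen($value) > $max_length) {   // strlen() counts bytes
            throw new LengthException($message);
        }
    }
    return $value;
}

// In-memory SQLite stands in for MySQL so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (header TEXT, body TEXT)');

// Constructed input containing several entries from the thread's $badwords list.
$input = array(
    'a_header' => "Don't drop the ball; select a plan",
    'a_desc'   => " <b>Insert</b> coin -- then delete save ",
);

try {
    $header = checked_string($input['a_header'], 60, "Header must not be more than 60 characters.");
    $desc   = checked_string($input['a_desc']);   // no limit: default null

    // Placeholders: the values are sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO posts (header, body) VALUES (?, ?)');
    $stmt->execute(array($header, $desc));
} catch (LengthException $e) {
    exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
}

// Stored text is unchanged; HTML escaping happens once, at output time.
foreach ($db->query('SELECT header, body FROM posts') as $row) {
    echo htmlspecialchars($row['header'], ENT_QUOTES, 'UTF-8'), "\n";
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
```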