PHP - GetSQLValueString function

Tags:

php

I see a function GetSQLValueString and I don't know what it is dealing with; could someone give me some idea?
Thank you

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  // Undo the backslashes PHP added automatically when magic_quotes_gpc was on,
  // so the value is not escaped twice below.
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  // Escape characters that are special inside a MySQL string literal (quotes,
  // backslashes, NUL, ...); prefer the connection-aware function when available.
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  // Turn the escaped value into an SQL literal of the requested type;
  // an empty value becomes the bare SQL keyword NULL (no quotes).
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

The function used here:

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "main.php";
  $MM_redirectLoginFailed = "login_form.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_connection1, $connection1);

  $LoginRS__query=sprintf("SELECT username, password FROM member WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
...
Charles Yeung, asked Feb 25 '23 14:02


2 Answers

Your function escapes the string using MySQL's built-in string escaping function, then, if it is a non-numeric value, surrounds it in single quotes. This function was written for inserting variable data into SQL queries.

$sql = "SELECT * FROM users WHERE username = " . GetSQLValueString($_GET['username'], 'text');
$result = mysql_query($sql);
Dan Grossman, answered Feb 28 '23 02:02


From my understanding, this function is probably there to escape some data to pass it to MySQL. The function also handles null values and puts quotes around the value if needed.

It should be used this way:

GetSQLValueString("a value that I want to escape's", 'text');

See the SQL injection problem to understand why this function exists.

RageZ, answered Feb 28 '23 03:02
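As an added example (not code from the question or from either answer), here is a port of the function on top of PDO::quote(), shown beside the login query from the question rewritten as a prepared statement, which is the usual way to avoid the SQL injection problem both answers refer to. It assumes PHP 7.1 or later with the pdo_sqlite extension so it can run offline; the member table, its row and the login inputs are constructed for the demo, and the function name GetSQLValueStringPDO and the helper findMember are my own.

```php
<?php
// Added example: PDO-based port of GetSQLValueString next to the prepared-statement
// form of the same login query. Uses an in-memory SQLite database so that it runs
// offline; table, row and inputs below are constructed for the demo.

function GetSQLValueStringPDO(PDO $pdo, $theValue, string $theType,
                              string $theDefinedValue = "", string $theNotDefinedValue = ""): string
{
    // magic_quotes_gpc no longer exists in PHP 7+, so there is no stripslashes() step.
    $isSet = ($theValue !== null && $theValue !== "");
    switch ($theType) {
        case "text":
        case "date":
            // PDO::quote() escapes for the connection's driver AND adds the
            // surrounding single quotes that the original added by hand.
            return $isSet ? $pdo->quote((string)$theValue) : "NULL";
        case "long":
        case "int":
            // Coerce to an integer; no quotes, exactly as in the original.
            return $isSet ? (string)intval($theValue) : "NULL";
        case "double":
            return $isSet ? "'" . doubleval($theValue) . "'" : "NULL";
        case "defined":
            return $isSet ? $theDefinedValue : $theNotDefinedValue;
    }
    return (string)$theValue;
}

// Prepared-statement equivalent of the query in the question (same shape,
// including the plain password comparison the question's code uses).
function findMember(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare("SELECT username, password FROM member WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE member (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO member VALUES ('o''neil', 'secret')");   // constructed row

// Constructed input that contains a single quote, like the value in RageZ's answer.
$loginUsername = "o'neil";
$password = "secret";

// 1) Old style: escape + quote each value, then interpolate it with sprintf().
//    The quote inside o'neil is doubled, so the statement stays well-formed and
//    the user's text cannot end the string literal early.
$sql = sprintf("SELECT username, password FROM member WHERE username=%s AND password=%s",
    GetSQLValueStringPDO($pdo, $loginUsername, "text"),
    GetSQLValueStringPDO($pdo, $password, "text"));
echo $sql, "\n";
$row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === "o'neil");

// 2) Prepared statement: the values are sent separately and never become part
//    of the SQL text, so no escaping or quoting step is needed at all.
$row = findMember($pdo, $loginUsername, $password);
var_dump($row !== null && $row['username'] === "o'neil");

// The other type branches of the port, for comparison with the original.
echo GetSQLValueStringPDO($pdo, "12abc", "int"), "\n";
echo GetSQLValueStringPDO($pdo, "", "text"), "\n";
echo GetSQLValueStringPDO($pdo, "on", "defined", "1", "0"), "\n";
```

Run it with `php example.php`. The port keeps the original's behaviour of turning an empty value into an unquoted NULL and of forcing "int" values through intval(); the only difference is that quoting is delegated to the driver via PDO::quote() instead of concatenating quotes by hand. The prepared-statement version is the one to prefer in new code, since it removes the escaping step rather than getting it right.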