
I've got a function called myFoo that performs some operations on the string that is passed to it (in this case, and for simplicity, it just prints it out).

I'd like this function to operate in this way:

  • When called with a variable, as in myFoo($myBar);, I would like it to sanitize the variable, before printing it out.

  • When called with a string, as in myFoo("My name is Bar");, I want it to skip the string sanitization bit.

The function myFoo is shown below:

public function myFoo($bar) {
    // Determine if $bar was a string, or a variable
    if([$bar was passed as a variable]) {
        // Sanitize it
        $bar = filter_var($bar,FILTER_SANITIZE_STRING);
    }
    // Otherwise, just print it out without sanitization

    // Print it
    echo $bar;
}

What should I write in the if statement in order to determine if the parameter was a direct string or a string variable? Is this even possible? Thanks!

Update - Further explanation

I probably should've clarified my intentions earlier on. Here goes: I actually meant to use this in order to translate all of the text on my PHP website (across all of the pages). So, instead of writing something like this:

<html>
<head><title>Welcome to the ACME Co. Homepage</title></head>
<body><h1>Welcome to the ACME Co. Homepage</h1>
...

... I would instead write this:

<html>
<head><title><?= _("Welcome to the ACME Co. Homepage"); ?></title></head>
<body><h1><?= _("Welcome to the ACME Co. Homepage"); ?></h1>
...

The _ method would determine the language setting and output the string in the correct language. I guess I just wanted to skip the overhead of sanitizing every single thing on the page, as opposed to just sanitizing user input (especially since this function is called very frequently).

FloatingRock
  • what do you mean by sanitization ? – Charaf JRA Aug 30 '13 at 20:19
  • As far as I know this is not possible. For instance, try var_dumping `$bar` as both a direct string and a var param; it's 100% identical. The most you can do is test the variable type (isInt, isDouble etc.) inside the function – Sterling Archer Aug 30 '13 at 20:20
  • @FaceOfJock Clean the input before displaying it in HTML form (or storing to the DB). Here's [more](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) – FloatingRock Aug 30 '13 at 20:25
  • @RUJordan yes, I tried the `var_export` too and it didn't differentiate between the two instances :( – FloatingRock Aug 30 '13 at 20:34

1 Answer

You can't tell the difference. When calling a function with a variable argument, the function receives the value of the variable as the parameter. So in both cases, the function just sees a string.

You could add a second argument that says whether the value should be sanitized:

public function myFoo($bar, $sanitize = true) {
    if ($sanitize) {
        $bar = filter_var($bar, FILTER_SANITIZE_STRING);
    }
    echo $bar;
}

Then you can call it:

myFoo("My name is Bar", false);
Barmar
  • I wonder if there would be a situation where it would be bad to run `filter_var()` on a string? If not, he could always just do `if( is_string( $bar ) ) { $bar = filter_var( $bar, FILTER_SANITIZE_STRING ); }` within the function and skip the second argument. – Jason Aug 30 '13 at 20:24
  • If the string contains special characters and you want to keep them, running sanitize will remove them. – Barmar Aug 30 '13 at 20:26
  • If you want to keep them, why run the method at all? – Jason Aug 30 '13 at 20:28
  • So I actually meant to use this in order to translate all of the text in my PHP file. So, instead of putting this page label `Welcome to the ACME Co. Homepage`, I would write this: `_("Welcome to the ACME Co. Homepage")`. The `_` method would determine the language setting, and output the string in the correct language. I guess I just wanted to skip the overhead from sanitizing every single thing on the page, as opposed to just sanitizing user input (**especially** since this function is called *very* frequently) – FloatingRock Aug 30 '13 at 20:29
  • If you'll usually be using it with literal strings, change the default value to `false`. Then when you use variables, write `_($var, true)`. – Barmar Aug 30 '13 at 20:34
  • @Barmar looks like a winner to me! Can't find anything wrong with that, and I don't know why I didn't think of something so basic. I need some sleep! – FloatingRock Aug 30 '13 at 20:36
  • Yeah, makes sense. Magento does this heavily, although it's specifically used to define text within elements, and doesn't use any tags. – Jason Aug 30 '13 at 20:42
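As an added example (not code from the question or the answer), here is the accepted suggestion carried through in PHP, with the caveat a security reviewer would attach to it. Assumptions: a hypothetical `Translator` class with a constructed one-language translation table, and `htmlspecialchars()` swapped in for `FILTER_SANITIZE_STRING`, which is deprecated as of PHP 8.1 and in any case strips input rather than encoding it for the HTML context. The block shows the answer's point (the function cannot tell `t($userName)` from `t('...')`), what goes out when a caller forgets the flag on user-controlled input, and an always-escape variant that removes the flag entirely.

```php
<?php
// Added example, not from the original post. The Translator class and its
// translation table are constructed for illustration.
declare(strict_types=1);

final class Translator
{
    /** @var array<string, array<string, string>> constructed sample table */
    private array $table = [
        'de' => [
            'Welcome to the ACME Co. Homepage' => 'Willkommen auf der ACME Co. Homepage',
        ],
    ];

    public function __construct(private string $lang) {}

    // The accepted suggestion: literals skip escaping by default, callers pass
    // true for variables. Escaping is HTML-context output encoding via
    // htmlspecialchars(), not FILTER_SANITIZE_STRING (deprecated in PHP 8.1).
    public function t(string $text, bool $escape = false): string
    {
        // Lookup is keyed on the exact source literal; unknown text falls through.
        $translated = $this->table[$this->lang][$text] ?? $text;
        if ($escape) {
            $translated = htmlspecialchars($translated, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        }
        return $translated;
    }

    // Safer variant: always escape. The per-call flag puts the burden on every
    // caller; one forgotten `true` on a user-controlled variable is an XSS.
    public function tSafe(string $text): string
    {
        $translated = $this->table[$this->lang][$text] ?? $text;
        return htmlspecialchars($translated, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

$tr = new Translator('de');

// Literal: translated, and escaping skipped, as the asker wanted.
echo $tr->t('Welcome to the ACME Co. Homepage'), "\n";
// Willkommen auf der ACME Co. Homepage

// Constructed user input, e.g. what $_GET['name'] might carry.
$userName = '<script>alert(1)</script>';

// Caller remembered the flag: encoded, safe to place in HTML.
echo $tr->t($userName, true), "\n";
// &lt;script&gt;alert(1)&lt;/script&gt;

// Caller forgot the flag: the function cannot tell a variable from a literal
// (the answer's point), so the script tag goes out raw.
echo $tr->t($userName), "\n";
// <script>alert(1)</script>

// Always-escape variant: no flag to forget, same output as the safe call above.
echo $tr->tSafe($userName), "\n";
// &lt;script&gt;alert(1)&lt;/script&gt;
```

Run with `php example.php` (PHP 8.0 or later for constructor property promotion). Because translations are looked up by the exact literal, escaping every call costs one array lookup plus one `htmlspecialchars()` per string; that overhead is negligible next to the cost of a single missed flag on user-controlled input, which is why the always-escape variant is the one to ship.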