4

I see a function GetSQLValueString and I don't know what it is dealing with; could someone give me some idea?
Thank you

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

The function used here:

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "main.php";
  $MM_redirectLoginFailed = "login_form.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_connection1, $connection1);

  $LoginRS__query=sprintf("SELECT username, password FROM member WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
...
Charles Yeung
Just for info, this function is generated automatically by Dreamweaver (and maybe other Adobe products?) when inserting its ready-made objects like login forms etc. – chris Jun 23 '12 at 09:33

5 Answers

6

Your function escapes the string using MySQL's built-in string escaping function, then, if it is a non-numeric value, surrounds it in single quotes. This function was written for inserting variable data into SQL queries.

$sql = "SELECT * FROM users WHERE username = " . GetSQLValueString($_GET['username'], 'text');
$result = mysql_query($sql);
Dan Grossman
  • Thanks for the ideas, I understand it now. But if we don't use this function, what is the disadvantage? – Charles Yeung Dec 16 '10 at 07:01
  • @Charles: see the SQL injection link on my answer. Basically, if you don't use it, some evil hacker can get some data from your database, delete some tables/rows and a lot more .... – RageZ Dec 16 '10 at 07:17
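The login query from the question, rewritten as an added example (not code from any of the answers): with a mysqli prepared statement the user-supplied values are bound separately from the SQL text, so an escape-and-quote helper like GetSQLValueString is not needed at all. The connection credentials are placeholders, and the stored password is assumed to be a password_hash() value rather than the plaintext the original query compares against.

```php
<?php
// Added example: the question's login check done with a mysqli prepared
// statement instead of string concatenation through GetSQLValueString.
// Connection parameters below are placeholders; adapt them to your setup.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholder credentials
$conn->set_charset('utf8mb4'); // escaping and charset must agree with the connection

/**
 * Look up a member by username and verify the supplied password.
 * Returns true on a successful login, false otherwise.
 * Assumption: member.password holds a password_hash() value; the question
 * does not say how the password column is stored.
 */
function authenticate(mysqli $conn, string $username, string $password): bool
{
    // The ? placeholder is bound after the statement is parsed, so a quote or
    // comment sequence inside $username cannot alter the query structure.
    $stmt = $conn->prepare('SELECT password FROM member WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;
    }
    // Constant-time comparison against the stored hash.
    return password_verify($password, $storedHash);
}

// Same redirect targets as the question's Dreamweaver-generated code.
if (isset($_POST['username'], $_POST['password'])) {
    if (authenticate($conn, $_POST['username'], $_POST['password'])) {
        header('Location: main.php');
    } else {
        header('Location: login_form.php');
    }
    exit;
}
```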
1

From my understanding this function is probably to escape some data to pass it to MySQL. The function also handles null values and puts some quotes if needed.

It should be used this way:

GetSQLValueString("a value that I want to escape's", 'text');

See the SQL injection problem to understand why this function exists.

RageZ
1

I guess your problem is related to the mysqli_ issue. You need to change all mysql_ to mysqli_ and add the connection to the database as the first parameter. In my case the connection to the database is $conn_vote. Be aware that I added $conn as the function's parameter:

function GetSQLValueString($conn_vote, $theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  // mysqli_real_escape_string needs the connection as its first argument
  $theValue = function_exists("mysqli_real_escape_string") ? mysqli_real_escape_string($conn_vote, $theValue) : mysqli_escape_string($conn_vote, $theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

0

Just replace these lines

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
$theValue = function_exists("mysqli_real_escape_string") ? mysqli_real_escape_string($theValue) : mysql_escape_string($theValue);

with:

global $Data;
$theValue = function_exists("mysqli_real_escape_string") ? mysqli_real_escape_string($Data, $theValue) : mysql_escape_string($theValue);
Saleh Abdulaziz
-1

This function returns a data-type-specific quoted string. This is used to avoid SQL injection.

Shameer