-2

Usually I use the trim() PHP function to check if data is not empty. Also, for MySQL I use mysql_real_escape_string(). Is this enough, or do I need to perform additional checks?

PelnaE
  • **Quick note:** if you check for emptiness BEFORE `trim()`, you can still end up with empty values in your database. Imagine if the data sent only consists of one or more spaces, which is not "empty", but will be after trimming. – kapa Nov 18 '11 at 14:26
  • possible duplicate of [Kohana 3: Example of model with validation](http://stackoverflow.com/questions/2462201/kohana-3-example-of-model-with-validation) - you tagged with oop and kohana, I guess this is what you're looking for. – hakre Nov 18 '11 at 14:27

4 Answers

3

To check if data is "empty", you can use empty().

Yes, to escape data you use mysql_real_escape_string() for MySQL. By default, trim() is used to trim trailing and leading whitespace, if used without additional parameters.

Is it so hard to check in the manual what each function does?

kapa
Aurimas Ličkus
1

I usually do this:

// Trim first, then test: a value of only spaces must count as empty.
$foo = isset($_POST['bar']) ? trim($_POST['bar']) : '';
if (!empty($foo)) {
    // Escape for the legacy mysql extension before interpolating into SQL.
    $db->query("UPDATE table SET foo = '" . mysql_real_escape_string($foo) . "'");
}
Simone
0

I tend to use isset($_POST['key1'], $_POST['key2'], $_POST['keyn']) as a starting point for determining if a form has had all required data submitted, along with testing things such as $_SERVER['REQUEST_METHOD'], $_SERVER['SERVER_PORT'], $_SERVER['REQUEST_URI']. Trimming is not harmful, but I just go for the jugular with preg_match($needle, $haystack) and make the regular expression non-greedy and non-buffer capturing. In short, why condition input when you can just make the test fail to begin with?

The language construct empty() works, but does it really matter if the value doesn't match the pattern you are looking for? As for performance, who can say if someone copied and pasted the Oxford English Dictionary what would happen in either case.

function ValidatePostKeyAndValue($input, $pattern, $length)
{
    // Check the type before anything else: preg_match(), ctype_print() and
    // strlen() expect a string, so an array submitted as data[] must be
    // rejected before those calls run.
    if(isset($input) && 
            is_string($input) && 
            preg_match($pattern, $input) === 1 && 
            ctype_print($input) && 
            strlen($input) <= $length)
    {
        return true;
    }
    else
    {
        return false;
    }
}

I could do more or less, depending on the situation. Boolean functions are your friends.

As far as your $data variable goes, I think it would be wise to consider if the wildcards _ and % might appear in your data. If so, addcslashes() can be used to target those characters in your string. Overall though, moving to mysqli() will save you from having to use mysql_select_db(). mysqli_connect() does this for you! Well worth the switch.

Anthony Rutledge
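An added example, not code from any of the answers above, that puts together the points raised in Simone's and Anthony Rutledge's answers and in kapa's comment: trim before testing for emptiness, a validation helper that checks the type before calling preg_match(), escaping of the LIKE wildcards _ and % with addcslashes(), and the mysqli extension Anthony recommends switching to, used here with prepared statements so that mysql_real_escape_string() is not needed at all. The `users` table with its `data` column, the connection credentials and the sample input array are assumed placeholders, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example; the schema, credentials and sample input below are assumptions.

/**
 * Normalise and validate one form field.
 * Returns the trimmed value, or null if the field is missing, is not a string,
 * is empty after trimming, is too long, is not printable, or fails $pattern.
 */
function validate_field(array $input, string $key, string $pattern, int $maxLength): ?string
{
    // Type check first: preg_match()/ctype_print() warn on arrays (e.g. data[]=x).
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;
    }
    // Trim before the emptiness test, otherwise "   " passes as non-empty.
    $value = trim($input[$key]);
    // Compare with '' rather than empty(): empty('0') is true in PHP, so a
    // legitimate value of "0" would otherwise be rejected.
    if ($value === '' || strlen($value) > $maxLength) {
        return null;
    }
    if (!ctype_print($value) || preg_match($pattern, $value) !== 1) {
        return null;
    }
    return $value;
}

/** Escape the LIKE wildcards % and _ (and the backslash escape character itself). */
function escape_like(string $value): string
{
    return addcslashes($value, '\\%_');
}

/** Exact match: the value is bound as a parameter, so no string escaping is needed. */
function find_user_by_data(mysqli $db, string $data): array
{
    $stmt = $db->prepare('SELECT id, data FROM users WHERE data = ?');
    $stmt->bind_param('s', $data);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Prefix search: binding protects the SQL, but LIKE still interprets % and _
 * inside the bound value, so the wildcards are escaped before appending %.
 */
function find_users_by_prefix(mysqli $db, string $prefix): array
{
    $pattern = escape_like($prefix) . '%';
    $stmt = $db->prepare('SELECT id, data FROM users WHERE data LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed sample input standing in for $_POST.
$sample = ['data' => '  alice_99  ', 'blank' => '   ', 'zero' => '0'];
$namePattern = '/^[A-Za-z0-9_]+$/';

var_dump(validate_field($sample, 'data', $namePattern, 64));   // trimmed name
var_dump(validate_field($sample, 'blank', $namePattern, 64));  // rejected: only spaces
var_dump(validate_field($sample, 'zero', '/^[0-9]+$/', 64));   // accepted: "0" is data
var_dump(escape_like('50%_off'));                               // wildcards escaped

// Database part: assumed host, credentials and database name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    $data = validate_field($sample, 'data', $namePattern, 64);
    if ($data !== null) {
        print_r(find_user_by_data($db, $data));
        print_r(find_users_by_prefix($db, 'alice'));
    }
    $db->close();
} catch (mysqli_sql_exception $e) {
    echo "Database unavailable: " . $e->getMessage() . PHP_EOL;
}
```

The validation functions run without a database; the mysqli part only needs the assumed connection details changed. Parameter binding removes the need to escape the value for SQL, but it does not change what LIKE does with % and _, which is why escape_like() is still applied before the pattern is bound.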
0
if (!empty($_POST['data']) /* && other controls */) {
   // Success: escape the submitted value before using it in the query
   $data = mysql_real_escape_string($_POST['data']);
   $sql = "SELECT * FROM users WHERE data = '$data'";
   mysql_query($sql);
}
Utku Yıldırım