PHP - GetSQLValueString Function

I see the GetSQLValueString function, and I don't know what it is connected with. Can someone give me some idea?
Thank you.

    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        // Undo the slashes PHP's magic_quotes added to request data
        // (get_magic_quotes_gpc() was removed in PHP 8.0).
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

        // Escape the value for the current MySQL connection
        // (the mysql_* extension was removed in PHP 7.0).
        $theValue = function_exists("mysql_real_escape_string")
            ? mysql_real_escape_string($theValue)
            : mysql_escape_string($theValue);

        // Quote, cast, or substitute according to the declared SQL type.
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }

Function used here:

    if (isset($_POST['username'])) {
        $loginUsername = $_POST['username'];
        $password = $_POST['password'];
        $MM_fldUserAuthorization = "";
        $MM_redirectLoginSuccess = "main.php";
        $MM_redirectLoginFailed = "login_form.php";
        $MM_redirecttoReferrer = false;
        mysql_select_db($database_connection1, $connection1);

        $LoginRS__query = sprintf(
            "SELECT username, password FROM member WHERE username=%s AND password=%s",
            GetSQLValueString($loginUsername, "text"),
            GetSQLValueString($password, "text")
        );
        ...

Your function escapes the string using MySQL's built-in string escaping function and then, if it's a non-numeric value, surrounds it in single quotes. This function was written to insert variable data into SQL queries.

    $sql = "SELECT * FROM users WHERE username = " . GetSQLValueString($_GET['username'], 'text');
    $result = mysql_query($sql);
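To make the escape-then-quote behaviour described in this answer visible without a live database, here is an added example (not code from the original post or from the Dreamweaver-generated function it discusses). It restates GetSQLValueString's contract with the escaping step passed in as a callable: in a real script that callable would wrap mysqli_real_escape_string with an open connection, while the stand-in demoEscape below is an assumption that only approximates mysqli's escape set for the demo.

```php
<?php
// Added example: GetSQLValueString's quoting/NULL/cast logic with the
// escaping step injected, so it can run offline. demoEscape is a stand-in
// (assumption: it mirrors the characters mysqli_real_escape_string escapes:
// NUL, \n, \r, backslash, single quote, double quote, Ctrl-Z).
declare(strict_types=1);

function sqlValueString(callable $escape, $value, string $type, string $defined = '', string $notDefined = ''): string
{
    $escaped = $escape((string) $value);
    switch ($type) {
        case 'text':
        case 'date':
            // Non-empty strings become a quoted literal; empty input becomes SQL NULL.
            return $escaped !== '' ? "'" . $escaped . "'" : 'NULL';
        case 'long':
        case 'int':
            // intval() silently coerces: "42abc" -> 42, "abc" -> 0.
            return $escaped !== '' ? (string) intval($escaped) : 'NULL';
        case 'double':
            return $escaped !== '' ? "'" . doubleval($escaped) . "'" : 'NULL';
        case 'defined':
            return $escaped !== '' ? $defined : $notDefined;
        default:
            return $escaped;
    }
}

function demoEscape(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Constructed sample inputs, one per type branch.
$cases = [
    ['text',    "O'Brien"],                     // quote is escaped, so it stays inside the literal
    ['text',    ''],                            // empty -> NULL, not ''
    ['date',    '2024-01-31'],
    ['int',     '42abc'],                       // trailing junk dropped by intval()
    ['int',     ''],
    ['double',  '3.5'],
    ['defined', 'yes', 'ACTIVE', 'INACTIVE'],   // non-empty -> ACTIVE
    ['defined', '',    'ACTIVE', 'INACTIVE'],   // empty -> INACTIVE
];
foreach ($cases as $c) {
    [$type, $input] = $c;
    $out = sqlValueString('demoEscape', $input, $type, $c[2] ?? '', $c[3] ?? '');
    printf("%-8s %-14s => %s\n", $type, var_export($input, true), $out);
}
```

Two caveats worth keeping in mind when reading the output: the escaping is only correct when the escaper knows the connection's character set, which is why the real function must be bound to an open connection, and the `int` branch never rejects bad input, it just coerces it. Both problems disappear with prepared statements, where the value is sent separately from the query text and no quoting step exists.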

In my opinion, this function escapes some data in order to pass it to MySQL. The function also handles null values and optionally adds quotation marks.

It should be used in this way:

    GetSQLValueString("a value that I want to escape's", 'text');

See the SQL injection problem to see why this function exists.


This function returns a specific row of data of a given data type. It is used to avoid SQL injection.


I think your problem is related to the mysqli_ issue. You need to change all mysql_ to mysqli_ and add the database connection as the first parameter. In my case, the database connection is $conn_vote. Keep in mind that I added the $conn parameter as a function parameter:

    function GetSQLValueString($conn_vote, $theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

        // mysqli needs the connection handle as the first argument.
        $theValue = function_exists("mysqli_real_escape_string")
            ? mysqli_real_escape_string($conn_vote, $theValue)
            : mysqli_escape_string($conn_vote, $theValue);

        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }


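Once the code is on mysqli anyway, the login query from the question no longer needs GetSQLValueString at all. The following is an added example (not from the original post or answers) that rewrites that handler with a prepared statement, so user input is bound as a parameter and never spliced into the SQL text. Assumptions: $conn_vote is an open mysqli connection (the name used in the answer above), the member table has the username and password columns shown in the question, and the password column stores a password_hash() digest rather than the plaintext the original query compares against.

```php
<?php
// Added example: the question's login check rewritten for mysqli with a
// prepared statement. $conn_vote, the `member` table and its columns are
// taken from the page; storing a password_hash() digest is an assumption.
declare(strict_types=1);

function authenticateMember(mysqli $conn_vote, string $username, string $password): bool
{
    // The ? placeholder fixes the query structure; the value travels separately,
    // so quotes or other metacharacters in $username cannot alter the statement.
    $stmt = $conn_vote->prepare('SELECT password FROM member WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn_vote->error);
    }
    $stmt->bind_param('s', $username);   // 's': bind as a string, whatever it contains
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();             // true on a row, null when none matched
    $stmt->close();

    if ($found !== true) {
        // Unknown user: still spend a hash verification so the response time
        // does not reveal whether the username or the password was wrong.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, (string) $storedHash);
}

// Handler mirroring the original script's redirect targets.
if (isset($_POST['username'], $_POST['password'])) {
    $ok = authenticateMember($conn_vote, (string) $_POST['username'], (string) $_POST['password']);
    header('Location: ' . ($ok ? 'main.php' : 'login_form.php'));
    exit;
}
```

Note that the original query also compares the password column inside SQL; moving the comparison into PHP with password_verify is what lets the stored value be a salted hash instead of plaintext, and it removes the second bound parameter from the query entirely.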

Source: https://habr.com/ru/post/1332314/
