alexi02's Blog

The third PHP code of the week is isset and empty which allow you to determine if a variable has a value or not.

isset checks to see if the variable has a value. This function is mostly used for POST and GET variables. If used with POST or GET, it allows you to not have to do the processing for the variables unless they have a value present.

empty is basically the opposite of isset, it checks to see that the variable is empty.

Below are some examples:

[php]if ( isset ($HTTP_POST_VARS[‘username’]) ) {
// execute code if POST var is set
}

if ( empty ($HTTP_POST_VARS[‘username’]) ) {
// execute code if POST var is not set
}[/php]

The next PHP code of the week we’ll cover mysql_connect, mysql_select_db, mysql_query and mysql_close.

The second PHP code of the week are htmlspecialchars, intval and str_replace which can all be used to process user form input before you use that input in your code.

htmlspecialchars basically converts the HTML characters like single and double quotes, less than, more than and ampersand signs to entities; which means that using this function we can prevent the users text from containing HTML characters.

echo htmlspecialchars(“<a href=’test’>Test</a>”);

This example will output in the browsers source code:
[php]<a href=’test’>Test</a>[/php]

intval is a way we can convert anything to an integer since we are expecting an integer. This means we can covert a string containing a number to a integer. We can be sure that we will only receive a number and nothing else.

[php]echo intval(‘035’);[/php]

The example will output 35. If the string contains any other characters other than digits it will return 0 (unless the digits are at the start of the string).

A full example of htmlspecialchars and intval would be:

[php]$sort_order = htmlspecialchars($HTTP_POST_VARS[‘order’]);
$form_status = intval($HTTP_POST_VARS[‘status’]);[/php]

str_replace is used to protect us from SQL injections into our database. If you aren’t protected from SQL injections, this means a user could perform any SQL query that you have access to.

For example, you could be updating a users email address in your database and the user types into the email address field.

[php]’; DROP some_table; some_fake_query_here(‘[/php]

The original query is below.

[php]UPDATE userdata SET email_address = ‘$form_email’ WHERE user_id = ‘$user_id’;[/php]

So what is going on you say? Below is what the resulting SQL statement looks like after the form has been processed.

[php]UPDATE userdata SET email_address = ”; DROP some_table; some_fake_query_here(” WHERE user_id = ‘5234’;[/php]

So what happens is the first query is processed we try not to break this query or all other queries would then fail. The second query to drop the table is successful and the table is therefore dropped and the last query fails.

So if we want to protect ourselfs from an SQL injection we use this code below.

[php]str_replace(“\'”, “””, $variable_name);[/php]

If form fields that a user submits contain a quote they are automatically re-written as \’. What our code will do is make it database friendly. It converts \’ to ” which for the database means it will be represented as a single quote. We have therefore solved the SQL injection issue.

On the next PHP code of the week we will cover isset and empty which are other functions which should be considered when processing forms.

Over the following weeks I will be covering PHP code which stands out to myself and some code which I use regularly. These PHP codes will be mentioned every week with an explanation on their uses. The section is called “PHP code of the week“.

We begin with our first PHP code of the week: HTTP_POST_VARS and HTTP_GET_VARS. Without these two functions we wouldn’t be able to get data from forms or simplify the way we specify user input in our code.

HTTP_POST_VARS is the function we call when we want to retrieve variable input from a form that the user has submitted. Say we have a field in the form called username. To retrieve the value of username we would write it as:

[php]$username = $HTTP_POST_VARS[‘username’];[/php]

So we have the username fields value being assigned to a local variable $username.

HTTP_GET_VARS is commonly used when searching forums, looking up user names, etc so you have most likely seen it been used. It is a simple way to input values into your code and is done by placing a question mark (?) and variable name and the value after the file we are requesting.

[php]http://www.test.com/view_user.php?userid=5[/php]

In the above case, we can see that we are requesting the view_user.php file and are wanting to find more information on the userid number 5.

The inside code would look like:

[php]$user_id = $HTTP_GET_VARS[‘userid’];[/php]

That’s pretty simple, we have the userid variable being assigned to the local variable $user_id.

Using HTTP_GET_VARS you are also able to retrieve more than one variable by placing a ampersand sign after each value. Such as:

[php]http://www.test.com/view_user.php?userid=5&findtopics=1&findposts=2[/php]

So there you go, you now know how to retrieve user data.

If you are requesting the values and say the user didn’t input anything in the POST/GET request, 0 (false) is assigned to the local variables.

Note: These examples aren’t recommended to be placed directly into code as there are security issues. You should use functions such as htmlspecialchars, intval and str_replace before touching the variables. These functions will be covered in the next PHP code of the week.