illegal Offset


wes629

I'm new to PHP so noob question here. I'm receiving an illegal offset warning on line 12 (return statement). I've looked on w3 and php manual but I'm getting nowhere. Help? :fool:

function protect ($string) {
	$link = mysqli_connect("localhost","root","","test");
	return mysqli_real_escape_string($link,$_POST[$string]);
}

Okay, you're absolutely right, I didn't have a protect function that had the $_POST variable, which cleared the illegal offset. I guess what I thought is that if I had the $_POST variable in the function, I wouldn't need to put it when I did the protect function. Later on I ended up changing the function to this:

function protect ($string) {
	$link = mysqli_connect("localhost","root","","test");
	return mysqli_real_escape_string($link, strip_tags(addslashes($string)));
}

because I wanted to strip or trim the tags to add a little more security. I really appreciate the response. I'm learning a lot from the forums. Thanks!

I think this is very inefficient. You're opening a new connection to the MySQL database for every variable you want to escape.

If you use prepared statements you won't need to do any kind of escaping and your code will be much more secure.

You shouldn't use strip_tags before storing the data either. If you want to prevent people from injecting HTML onto the page, do the escaping after you've pulled the data out of the database. By manipulating the data before storing it you're losing information.

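The prepared-statement approach recommended in the post above, as an added example that is not part of the original thread: the connection is opened once, values are bound to `?` placeholders, and HTML escaping happens only on output. The connection parameters are the ones from the thread; the `comments` table, the helper names and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Connection parameters are the thread's;
// the comments table, helper names and sample input are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Open ONE connection and pass it around instead of reconnecting per value.
$link = mysqli_connect("localhost", "root", "", "test");
mysqli_set_charset($link, "utf8mb4");

// Temporary table so the example leaves nothing behind.
mysqli_query($link, "CREATE TEMPORARY TABLE comments (
    id INT AUTO_INCREMENT PRIMARY KEY,
    author VARCHAR(64) NOT NULL,
    body TEXT NOT NULL)");

function save_comment(mysqli $link, string $author, string $body): int {
    // Placeholders keep the values out of the SQL text, so no escaping is needed.
    $stmt = mysqli_prepare($link, "INSERT INTO comments (author, body) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, "ss", $author, $body);
    mysqli_stmt_execute($stmt);
    $id = mysqli_insert_id($link);
    mysqli_stmt_close($stmt);
    return $id;
}

function load_comment(mysqli $link, int $id): ?array {
    $stmt = mysqli_prepare($link, "SELECT author, body FROM comments WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $author, $body);
    $row = mysqli_stmt_fetch($stmt) ? ["author" => $author, "body" => $body] : null;
    mysqli_stmt_close($stmt);
    return $row;
}

// Constructed input standing in for $_POST; read real fields with
// $_POST['author'] ?? '' so a missing key cannot raise a warning.
$post = ["author" => "O'Brien", "body" => '<b>bold</b> & "quoted" text'];

$id  = save_comment($link, $post["author"], $post["body"]);
$row = load_comment($link, $id);

// The stored value is byte-for-byte what was submitted: nothing was stripped.
echo $row["body"] === $post["body"] ? "stored unchanged" : "altered", PHP_EOL;
// HTML-escape only at the moment the value is written into a page.
echo htmlspecialchars($row["author"], ENT_QUOTES, "UTF-8"), ": ",
     htmlspecialchars($row["body"], ENT_QUOTES, "UTF-8"), PHP_EOL;
```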

> I think this is very inefficient. You're opening a new connection to the MySQL database for every variable you want to escape.
>
> If you use prepared statements you won't need to do any kind of escaping and your code will be much more secure.
>
> You shouldn't use strip_tags before storing the data either. If you want to prevent people from injecting HTML onto the page, do the escaping after you've pulled the data out of the database. By manipulating the data before storing it you're losing information.

I'm not familiar with prepared statements yet. Right now I'm just trying to learn PHP, then I'll get into prepared statements once I understand how everything works... I'm a hands-on learner, so I have to break a couple things :happy0046: ...

And yes, you're right that creating the new connection every time is very inefficient, but for mysqli_real_escape_string you have to put your mysqli_connection before the string, and even when I remove the $link variable from lines 11 and 12 I get the "Fatal error: Function name must be a string".

Then let's say I remove the $link variable from line 11, then line 12 says undefined index for $link even though it's defined on line 8.

...unless I'm missing something?

$link = mysqli_connect("localhost","root","","test");

function protect ($string) {
	$link = mysqli_connect("localhost","root","","test");
	return mysqli_real_escape_string($link, $_POST($string));
}

You don't need to create a protect() function; all you're really doing is wrapping mysqli_real_escape_string() inside another function.

Any place where you intended to call protect(), just call mysqli_real_escape_string() instead.
