
I just want to ask: what's the difference between the trim() and mysql_real_escape_string() functions?

because I see this code below:

$username = trim(mysql_prep($_POST['username']));
$password = trim(mysql_prep($_POST['password']));

and mysql_prep is a function that was made that contains this:

function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}

I hope somebody could explain this to me.

Thank You :)

5 Contributors, 10 Replies, 17 Views, 7 Years Discussion Span, Last Post by samsons17


trim (PHP 4, PHP 5)
trim — Strip whitespace (or other characters) from the beginning and end of a string

While inserting data from web forms to databases, trim the posted values to remove the spaces from the left and right sides.

mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// This means the query sent to MySQL would be:
echo $query;

// RESULT: 
SELECT * FROM users WHERE user='aidan' AND password='' OR ''='' 
This could allow anyone to log in without a valid password.

Usually trim() is used to remove white space from the beginning and end of a string, and we can also specify the character list which has to be stripped.
But mysql_real_escape_string() escapes special characters in a string.
This is used to avoid SQL injection.


But why is it that sometimes we use trim() and sometimes not?

I think if I'm not using the trim() function, the code will still run correctly, right?
(correct me if I'm wrong)


Trim trims whitespace.
So you have a form with a textbox asking for the first name.
I type " Json " with my two spaces on either side; your trim function removes those whitespaces.

I haven't ever used trim - didn't see the need to.


Oh... so I was correct, right?

Using trim or not, the code will still work...
Seems that the trim() function is useless, huh?


No, not useless;
you can use it if you feel that you'll have strange people using your forms.


The trim function is very useful for removing whitespace. For example, say you want to check a value which is stored in the database like "Raja".

In PHP we defined the value as " Raja", or by mistake a user typed "Raja " in the textbox. Then when you check with a condition

if ($usertyped==$datafromdatabase) it returns false, but it looks correct to the user:
var_dump(" Raja" == "Raja");       // bool(false)
var_dump(trim(" Raja") == "Raja"); // bool(true)

Hope you understand the function of trim.


trim() is used to remove spaces before and after a string.

mysql_escape_string() is used to escape special characters in strings.

Suppose I use
$b=" Vaibhav ";
$a=trim($b);
echo $a; //This will give me "Vaibhav"

Asking this question, I assume you must not be aware of SQL injection attacks.
mysql_escape_string() helps against that.

Here are some useful links to learn about SQL injection attacks.
http://en.wikipedia.org/wiki/SQL_injection
http://technet.microsoft.com/en-us/library/ms161953.aspx
