I just want to ask: what's the difference between the trim() and mysql_real_escape_string() functions?

because I see this code below:

$username = trim(mysql_prep($_POST['username']));
$password = trim(mysql_prep($_POST['password']));

and mysql_prep is a function that was written elsewhere and contains this:

function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}

I hope somebody could explain this to me.

Thank You :)

trim (PHP 4, PHP 5)
trim — Strip whitespace (or other characters) from the beginning and end of a string

While inserting data from web forms into databases, trim the posted values to remove the spaces from the left and right sides.

mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// This means the query sent to MySQL would be:
echo $query;

// RESULT: 
SELECT * FROM users WHERE user='aidan' AND password='' OR ''='' 
This could allow anyone to log in without a valid password.
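The manual excerpt above shows the injection but not the fix. What follows is an added example, not code from the thread or from the PHP manual, that runs the same `' OR ''='` password against three versions of the login query: the interpolated one from the excerpt, an escaped one (the job mysql_real_escape_string() did), and a prepared statement. It assumes the pdo_sqlite extension so it runs without a MySQL server; mysql_real_escape_string() itself needs a live MySQL connection and was removed in PHP 7, so escaping is shown with PDO::quote() instead. The users table and its single row are constructed here for the demonstration.

```php
<?php
// Added example (not from the original thread). Assumes pdo_sqlite is
// available; the same three patterns apply unchanged to MySQL via PDO.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (user TEXT, password TEXT)");
    // Constructed sample row. Plaintext password only to mirror the thread's query.
    $pdo->exec("INSERT INTO users VALUES ('aidan', 's3cret')");
    return $pdo;
}

// 1. The excerpt's query as written: values interpolated straight into SQL.
//    A quote in the input ends the string literal and the rest becomes SQL.
function loginUnsafe(PDO $pdo, string $u, string $p): bool {
    $sql = "SELECT * FROM users WHERE user='$u' AND password='$p'";
    return (bool) $pdo->query($sql)->fetch();
}

// 2. Escaping, what mysql_real_escape_string() was for. PDO::quote() adds the
//    surrounding quotes itself, so they are left out of the query text.
//    trim() runs before quoting so only the user's padding is removed.
function loginEscaped(PDO $pdo, string $u, string $p): bool {
    $sql = "SELECT * FROM users WHERE user=" . $pdo->quote(trim($u))
         . " AND password=" . $pdo->quote(trim($p));
    return (bool) $pdo->query($sql)->fetch();
}

// 3. Prepared statement: the values never become part of the SQL text,
//    so there is nothing to escape.
function loginPrepared(PDO $pdo, string $u, string $p): bool {
    $stmt = $pdo->prepare("SELECT * FROM users WHERE user=? AND password=?");
    $stmt->execute([trim($u), trim($p)]);
    return (bool) $stmt->fetch();
}

$pdo = makeDb();
$payload = "' OR ''='";   // the password from the manual excerpt

printf("unsafe:   %s\n", loginUnsafe($pdo, 'aidan', $payload)   ? 'LOGGED IN' : 'denied');
printf("escaped:  %s\n", loginEscaped($pdo, 'aidan', $payload)  ? 'LOGGED IN' : 'denied');
printf("prepared: %s\n", loginPrepared($pdo, 'aidan', $payload) ? 'LOGGED IN' : 'denied');
// trim() still does its job with the real password typed with stray whitespace
printf("prepared, padded real password: %s\n",
    loginPrepared($pdo, '  aidan ', " s3cret\n") ? 'LOGGED IN' : 'denied');
```

Only the first variant logs in with the payload; the other two treat `' OR ''='` as a password string and deny it, while the padded real password is accepted because trim() removed the surrounding whitespace. Note the ordering in the question's snippet, trim(mysql_prep(...)): mysql_real_escape_string() turns a trailing newline into the two characters backslash and n, which trim() does not strip, so trimming first and escaping last is the order that actually removes the padding.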

Usually trim() is used to remove whitespace from the beginning and end of a string, and we can also specify the character list which has to be stripped.
But mysql_real_escape_string() escapes special characters in a string.
This is used to avoid SQL injection.

But why is it that sometimes we use trim() and sometimes not?

I think if I'm not using the trim() function, the code will still run correctly, right?
(correct me if I'm wrong)

Trim trims whitespace.
So you have a form with a textbox asking for the first name.
I type " Json " with my two spaces on either side; your trim function removes those whitespaces.

I haven't ever used trim - didn't see the need to.

Oh, so I was correct, right?

Using trim or not, the code will still work...
Seems that the trim() function is useless, huh.

No, not useless;
you can use it if you feel that you'll have strange people using your forms.

rajarajan2017:

The trim function is very useful for removing whitespace. For example, if you want to check a value which is stored in the database like "Raja":

In PHP we defined the value as " Raja", or by mistake a user typed "Raja " in the textbox. Then when you check with a condition

if ($usertyped==$datafromdatabase) it returns false, but it seems correct to the user:
if (" Raja"=="Raja") return false;
if (trim(" Raja")=="Raja") return true;

Hope you understand the function of trim.

trim() is used to remove spaces before and after a string.

mysql_escape_string() is used to escape special characters in strings.

Suppose I use
$b=" Vaibhav ";
$a=trim($b);
echo $a; //This will give me "Vaibhav"

Asking this question, I assume you must not be aware of SQL injection attacks.
mysql_escape_string() helps against that.

Here are some useful links to learn about SQL injection attacks.
http://en.wikipedia.org/wiki/SQL_injection
http://technet.microsoft.com/en-us/library/ms161953.aspx

Oh okay.
I now have a full understanding of this.

Thank You all :)
