  1. #1 SitePoint Guru

    mysql_real_escape_string with paypal inc class

    Hi all,

    I would like to know, if I use the code linked below for PayPal payment:

    http://www.phpwebcommerce.com/source...paypal.inc.php

    Do I need to use mysql_real_escape_string with the above $_POST values,

    or does PayPal use it on their server at the time of the transaction?

    vineet

  2. #2 spikeZ
    mysql_real_escape_string would only be needed if you were storing the information in a mysql database.
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  3. #3 Cups
    I think there are many ways to improve that code, using arrays more efficiently (code as arrays).

    For one, it contains rows of repetitive code like this:
    PHP Code:
    $paypal['firstname'] = isset($_POST['firstname']) ? $_POST['firstname'] : "";
    $paypal['lastname']  = isset($_POST['lastname'])  ? $_POST['lastname']  : "";
    // ad nauseam
    Could be rewritten simply as (remove my comments to see how short it could be)

    PHP Code:
    // these are the required paypal fields (you would have to add them all)
    $original = array('firstname', 'lastname', 'address');

    // then you could assign an empty string to each one
    $pp = array_fill_keys($original, '');

    // var_dump($pp); // have a look and check by uncommenting this line

    // here is an example of some incoming POST vars:
    // 2 you ARE expecting, and will use

    $_POST['firstname'] = 'Joe';
    $_POST['lastname'] = 'Bloggs';

    // imagine $_POST['address'] is missing
    // ... nothing here, it's missing ;)

    // one you DON'T want to use, say ...

    unset($_POST['submit']);

    // then merge them

    $paypal = array_merge($pp, $_POST);

    var_dump($paypal);

    // gives:
    array
      'firstname' => string 'Joe' (length=3)
      'lastname' => string 'Bloggs' (length=6)
      'address' => string '' (length=0)
    address is pre-filled in with '', see?

    There are other similar things you can do to eliminate all those hardcoded keys which appear in that code.

    Getting back to your original question, Mike is right, of course: you do not need to prepare it for insertion into a DB. You have no idea what PP are going to do with those values; that is their responsibility, unless they instruct you to do otherwise, of course.

    Your responsibility is to Escape Output (from FIEO, Filter Input Escape Output), ready for the next environment the vars are heading to.

    Where this code falls down again is that it (seemingly) does not Escape Output when subsequently echoing those vars into an HTML page; that is where you should be using one of the PHP escape mechanisms prior to using them: htmlentities(), htmlspecialchars(), etc.

    So, good question, and yes, you should be escaping your data, but not there and not using mysql_real_escape_string (which counters SQL injection attacks); rather, as you dump the vars back onto a page (to counter XSS attacks in HTML).
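    An added example (not Cups's code and not the phpwebcommerce class) that combines the two points in this post: build the field array from a whitelist of expected keys with array_fill_keys() and array_intersect_key(), so an unwanted key such as 'submit' is dropped without needing unset(), and escape each value with htmlspecialchars() only at the moment it is written into HTML. The field names and the sample POST array are constructed for illustration.

```php
<?php
// Added example (not the thread's code): build the PayPal field array from
// POST data without hard-coding each key, then Escape Output when it hits HTML.

// Required PayPal field names (a hypothetical subset; add the ones you use).
$required = array('firstname', 'lastname', 'address');

/**
 * Return an array holding exactly the required keys: values taken from
 * $post where present, '' where missing. Unexpected keys (e.g. 'submit')
 * are dropped by the whitelist instead of needing unset().
 */
function collectFields(array $post, array $required)
{
    $defaults = array_fill_keys($required, '');          // every key => ''
    $supplied = array_intersect_key($post, $defaults);   // keep only expected keys
    return array_merge($defaults, $supplied);            // supplied values win
}

/**
 * Escape Output: render the fields as hidden inputs for an HTML form.
 * htmlspecialchars() is applied per value, at the point it enters HTML,
 * which is the XSS defence this post is describing (not mysql_real_escape_string).
 */
function renderHiddenInputs(array $fields)
{
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Constructed sample POST: 'address' is missing, 'submit' is not wanted,
// and one value contains characters that are special in HTML.
$samplePost = array(
    'firstname' => 'Joe',
    'lastname'  => "O'Brien & <Sons>",
    'submit'    => 'Pay now',
);

$paypal = collectFields($samplePost, $required);
var_dump($paypal);            // only the three required keys; 'address' defaulted to ''
echo renderHiddenInputs($paypal);
```

    Swap $samplePost for $_POST in a real form handler; the whitelist means a missing field becomes '' and an extra one never reaches PayPal or the page.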

  4. #4 Cups
    Sorry, I meant to point you to this link, loops are good, as further reading on the benefits of using your PHP code as arrays, which I apologise to everyone else here for adding (yet) again.

    It's just one of those articles that, for some coders at the right time, can cause a 'light bulb' moment, and from then on ought to really cause you to grind your teeth when you see reams of repetitive hard-coded arrays.

  5. #5 SitePoint Guru
    Thanks Cups.

    Although I will not be storing those values in a database, I will keep your suggestions in mind while implementing the code.

    vineet

