<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krio Media &#187; MySQL</title>
	<atom:link href="http://www.krio.me/category/development-info/database-development/mysql-php-tutorials/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.krio.me</link>
	<description></description>
	<lastBuildDate>Mon, 05 Jul 2010 06:27:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Loop twice through a PHP / MySQL result set</title>
		<link>http://www.krio.me/loop-twice-through-a-php-mysql-result-set/</link>
		<comments>http://www.krio.me/loop-twice-through-a-php-mysql-result-set/#comments</comments>
		<pubDate>Fri, 02 Jul 2010 22:39:29 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[MySQL]]></category>
		<category><![CDATA[PHP Tutorials]]></category>

		<guid isPermaLink="false">http://www.krio.me/?p=1125</guid>
		<description><![CDATA[I get asked all the time if it is possible to loop multiple times through a MySQL result set in PHP. Here&#8217;s the answer. First, you&#8217;ll need a MySQL result set. To do that you&#8217;ll need to select something from your database and loop through it like so: $result = mysql_query(&#34;SELECT * FROM my_table&#34;); while($row [...]]]></description>
			<content:encoded><![CDATA[<p>I get asked all the time if it is possible to loop multiple times through a MySQL result set in PHP. Here&#8217;s the answer.</p>
<p>First, you&#8217;ll need a MySQL result set. To do that you&#8217;ll need to select something from your database and loop through it like so:</p>
<pre class="brush: php;">
$result = mysql_query(&quot;SELECT * FROM my_table&quot;);

// mysql_query() returns false on failure; do not try to fetch from a failed result
if ($result === false) {
    die('Query failed: ' . mysql_error());
}

while ($row = mysql_fetch_assoc($result)) {
    // first pass: work with $row here
}
</pre>
<p>The problem is that if you want to loop through the same result set again, you will get an error, because the internal pointer is now at the end of the result. You need to put the pointer back at the beginning of the result set so that you can loop through it again.</p>
<p>You can do it with a helpful PHP function named mysql_data_seek.</p>
<pre class="brush: php;">
// mysql_data_seek() warns and returns false on an empty result set, so guard it
if (mysql_num_rows($result) &gt; 0) {
    mysql_data_seek($result, 0); // set the pointer of the result set back to the beginning.
}

while ($row2 = mysql_fetch_assoc($result)) {
    // second pass over the same rows
}
</pre>
<p>This demonstrates how, as a PHP website developer, you can reset the pointer of a MySQL result set, which will allow you to iterate through the result set for a second time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/loop-twice-through-a-php-mysql-result-set/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cleaning PHP Input Variables Before MySQL Insertion</title>
		<link>http://www.krio.me/cleaning-php-input-variables-before-mysql-insertion/</link>
		<comments>http://www.krio.me/cleaning-php-input-variables-before-mysql-insertion/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 03:23:14 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[MySQL]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[PHP Tutorials]]></category>
		<category><![CDATA[MySQL Security]]></category>
		<category><![CDATA[PHP Security]]></category>

		<guid isPermaLink="false">http://kriomedia.com/?p=120</guid>
		<description><![CDATA[Ensuring that you properly sanitize your PHP input variables is an essential first-step in making your website secure. Unfortunately, thousands of websites and scripts on the internet do not properly filter variables, causing a very large security vulnerability in these websites. This article is designed to help you both understand why you need to filter [...]]]></description>
			<content:encoded><![CDATA[<p>Ensuring that you properly sanitize your PHP input variables is an essential first step in making your website secure. Unfortunately, thousands of websites and scripts on the internet do not properly filter variables, leaving a very large security vulnerability in these websites. <span id="more-120"></span>This article is designed to help you understand both why you need to filter your variables and how to filter them.</p>
<h1>Gaining Understanding</h1>
<p>This article will provide information related to securing your input variables to keep your site and database secure. It is not a complete run-down of internet security. The first step in understanding how to secure your input variables is to understand why they need to be secure. As a developer, you should realize that user input should never be trusted, no matter what the situation is. This, combined with an understanding of how PHP and MySQL work, will give you the tools necessary to secure all of your PHP scripts and forms.</p>
<p>Let&#8217;s get started by creating a simple HTML form.</p>
<pre class="brush: xml;">
&lt;form action=&quot;&quot; method=&quot;post&quot;&gt;
    &lt;input type=&quot;text&quot; name=&quot;fName&quot; maxlength=&quot;20&quot; /&gt;&lt;br /&gt;
    &lt;input type=&quot;text&quot; name=&quot;email&quot; maxlength=&quot;50&quot; /&gt;&lt;br /&gt;
    &lt;input type=&quot;text&quot; name=&quot;age&quot; maxlength=&quot;3&quot; /&gt;&lt;br /&gt;
    &lt;input type=&quot;submit&quot; value=&quot;addUser&quot; /&gt;&lt;br /&gt;
&lt;/form&gt;
</pre>
<p>Right off the bat you should notice that we are limiting the number of characters that the user can enter in the input boxes. This is to ensure that the user does not enter a long string that would most likely be for the sole purpose of attempting an SQL Injection attack (look for a follow-up post related to this soon). However, the maxlength attribute is only enforced by the browser, so we still need to check the length of values on the server side with PHP to catch an attacker who submits the request directly from another machine instead of through the form.</p>
<h1>PHP Sanitization Functions</h1>
<p>Some essential built-in PHP functions that you need to know when getting started with PHP input sanitization are:</p>
<ul>
<li>mysql_real_escape_string (you need to have an active MySQL connection to use this)</li>
<li>strip_tags</li>
<li>htmlspecialchars</li>
<li>htmlentities</li>
<li>html_entity_decode</li>
<li>addslashes</li>
<li>preg_match (once you gain an understanding of regular expressions; tutorial coming soon)</li>
</ul>
<h1>Your Custom Functions</h1>
<p>When sanitizing variables, I find it best to create a specific function for each type of variable that I am sanitizing. For example, a function named sanitizeName will be created for the users&#8217; names, and so on. Let&#8217;s make some functions to sanitize each of our inputs. We&#8217;ll start with the user&#8217;s name, then their age, and finally their email address.</p>
<pre class="brush: php;">
// the form above posts the name under the key 'fName'
if (isset($_POST['fName']))
{
    $name = sanitizeName($_POST['fName']);

    // strict comparison: a name of "0" must not be mistaken for false
    if ($name === false)
    {
        echo 'Please input a valid name!';
    }
    else
    {
        // insert MySQL Query Here
    }
}

function sanitizeName($name)
{
    if (strlen($name) &gt; 50)
    {
        return false;
    }
    else if (empty($name))
    {
        return false;
    }
    else
    {
        $name = strip_tags($name);
        // needs an open MySQL connection, as noted in the list above
        $name = mysql_real_escape_string($name);
        return $name;
    }
}
</pre>
<p>So first things first, the script checks to see if the POST was submitted. If so, it runs the variable through the sanitizeName function. The function first checks to see if the name is longer than 50 characters. If it is, it returns a false value, signifying it is not valid. Next, it checks to make sure that the variable actually has data inside of it. If not, it also returns a false value. Finally, it actually sanitizes the input to ensure that it is safe to place into the database. The following functions work in the same way.</p>
<pre class="brush: php;">
// define the function at the top level: a function declared inside an if block
// only exists once that block has run, so calling it first would be a fatal error
function sanitizeAge($age)
{
    // intval() keeps only a leading integer and discards everything else
    $age = mysql_real_escape_string(intval(strip_tags($age)));

    return $age;
}

if (isset($_POST['age']))
{
    $age = sanitizeAge($_POST['age']);
}
</pre>
<p>This function is very similar to the previous one; however, you might notice the intval() function, which turns the value into an integer, since an age should always be an integer. intval() is pretty good at ensuring that there are no unwanted values in the variable; the strip_tags and mysql_real_escape_string functions are just for good measure.</p>
<p>For validating email addresses there are numerous regular expressions available on the internet; however, there is also a built-in PHP filter, FILTER_VALIDATE_EMAIL, that does a pretty good job at this.</p>
<pre class="brush: php;">
function sanitizeEmail($email)
{
    // returns the address when it is valid, or false when it is not
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $email;
}

if (isset($_POST['email']))
{
    $email = sanitizeEmail($_POST['email']);

    if ($email === false)
    {
        echo 'Please input a valid email address!';
    }
}
</pre>
<p>The FILTER_VALIDATE_EMAIL filter is criticized by some, but for 99% of sites it will work perfectly. If you want a perfect solution, you should look into learning how regular expressions work. I&#8217;m going to write a feature on them soon.</p>
<p>I hope this article has helped you learn some techniques and functions that you can use to filter your input variables. I hope you don&#8217;t just copy these functions and throw them into your scripts, but instead learn about how each PHP function can be best used and integrated into your project.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/cleaning-php-input-variables-before-mysql-insertion/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
