mysql_real_escape_string with paypal inc class

Hi all,

I would like to know, if I use the code linked below for PayPal payment,

http://www.phpwebcommerce.com/source/include/paypal/paypal.inc.php

do I need to use mysql_real_escape_string with the $_POST values it reads,

or does PayPal use it on their server at the time of the transaction?

vineet

mysql_real_escape_string would only be needed if you were storing the information in a MySQL database.

I think there are many ways to improve that code by using arrays more efficiently (code as arrays).

For one, it contains rows of repetitive code like this:


$paypal['firstname'] = isset($_POST['firstname']) ? $_POST['firstname'] : "";
$paypal['lastname']  = isset($_POST['lastname'])  ? $_POST['lastname']  : "";
// ... and so on, ad nauseam, one line per field

It could be rewritten simply as follows (remove my comments to see how short it could be):


<?php
// these are the required paypal fields (you would have to add them all)
$original = array('firstname', 'lastname', 'address');

// then you could assign an empty string to each one
$pp = array_fill_keys($original, '');

// var_dump($pp); // have a look and check by uncommenting this line

// here is an example of some incoming POST vars:
// 2 you ARE expecting, and will use

$_POST['firstname'] = 'Joe';
$_POST['lastname']  = 'Bloggs';

// imagine $_POST['address'] is missing
// ... nothing here, it's missing ;)

// one you DON'T want to use, say the submit button, so drop it

unset($_POST['submit']);

// then merge them: the defaults go first, so anything posted overrides them

$paypal = array_merge($pp, $_POST);

var_dump($paypal);

// gives:
array
  'firstname' => string 'Joe' (length=3)
  'lastname' => string 'Bloggs' (length=6)
  'address' => string '' (length=0) 

address is pre-filled with '', see?

There are other similar things you can do to eliminate all those hardcoded keys which appear in that code.

Getting back to your original question, Mike is right of course: you do not need to prepare it for insertion into a DB. You have no idea what PP are going to do with those values; that is their responsibility, unless they instruct you to do otherwise, of course.

Your responsibility is to Escape Output (from FIEO: Filter Input, Escape Output), ready for the next environment the vars are heading into.

Where this code falls down again is that it (seemingly) does not Escape Output when subsequently echoing those vars into an HTML page; that is where you should be using one of the PHP escape mechanisms, such as htmlentities() or htmlspecialchars() (http://php.net/manual/en/function.htmlspecialchars.php), etc.

So, good question, and yes, you should be escaping your data, but not there and not using mysql_real_escape_string (which counters SQL injection attacks), but as you dump the vars back onto a page (to counter XSS attacks in HTML).

Sorry, I meant to point you to this link, "loops are good", as further reading on the benefits of using your PHP code as arrays, which I apologise to everyone else here for adding (yet) again.

It's just one of those articles that, for some coders at the right time, can cause a 'light bulb' moment, and from then on it ought to really make you grind your teeth when you see reams of repetitive hard-coded arrays.
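The two points made in this post, building the field array from a list of keys and escaping on output rather than with mysql_real_escape_string, put together in one runnable script. This is an added example, not the code from the linked paypal.inc.php nor the snippet above; it assumes the same three field names, and the incoming $_POST array is constructed here for the demonstration. It goes one step beyond the array_merge() shown above by using array_intersect_key() so that only whitelisted keys reach $paypal, and it escapes with htmlspecialchars() when writing the values into a hidden-field HTML form.

```php
<?php
// Added example (not from paypal.inc.php or the post above).
// Field names are assumed; the $_POST array below is constructed.

// Whitelist of fields the PayPal form will carry, each defaulting to ''.
$fields   = array('firstname', 'lastname', 'address');
$defaults = array_fill_keys($fields, '');

// Constructed stand-in for an incoming request. Note the extra 'submit'
// key and the '<script>' inside lastname: a client can send anything.
$_POST = array(
    'firstname' => 'Joe',
    'lastname'  => 'Bloggs<script>alert(1)</script>',
    'submit'    => 'Pay now',
);

// Keep only whitelisted keys (array_intersect_key drops 'submit'), then
// fill in whatever is missing (array_merge keeps '' for 'address').
// array_merge($defaults, $_POST) on its own would also admit 'submit'
// and any other key the client chose to post.
$paypal = array_merge($defaults, array_intersect_key($_POST, $defaults));

// Filter Input: the values are still raw strings. Trim and cap the length
// as a basic sanity check. No mysql_real_escape_string here, because
// nothing in this script goes into a MySQL query.
foreach ($paypal as $key => $value) {
    $paypal[$key] = substr(trim((string) $value), 0, 255);
}

// Escape Output for the environment the values are heading into: an HTML
// form of hidden inputs, so htmlspecialchars() with ENT_QUOTES on both
// the name and the value.
function hidden_fields(array $values)
{
    $html = '';
    foreach ($values as $name => $value) {
        $html .= sprintf(
            '<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

echo hidden_fields($paypal);
```

Run it from the command line with php and the lastname field comes out as `Bloggs&lt;script&gt;alert(1)&lt;/script&gt;`, address is an empty hidden input, and the posted submit key never appears. If the same values were later written into a database, that query would be the place to use a prepared statement or mysql_real_escape_string; the HTML escaping done here does nothing for SQL.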

Thanks cups,

Although I will not be storing those values in a database, I will keep your suggestions in mind while implementing the code.

vineet