Hi,
I was reading topic about setters and getters (http://www.thescripts.com/forum/thread631267.html) and wanted to ask, how they should be used? I have noticed that a general data validators suck, since the amount of different possibilities how to validate data is endless (like Jerry S said well in the topic, after some time the general data validator gets longer and longer. slower and slower + harder to maintain and more subject to errors.) so i thought, it's more sensible to create datavalidator within one class. but when i was horny all over my code, i bumbed into few problems:
1) should i validate the data both when setting and getting it?
2) when i set the data, should i validate it for database or for object (should i use mysql_real_escape_string when setting the data)?
3) should i set properties always by using set-methods (also e.g. in page constructor)?
4) if i don't use set-methods for properties within class, should the data be validated when setting properties? or should i use set-methods before saving the data to database (in save() method)?
5) should the data be validated in db class?
6) summary: i know i HAVE TO use mysql_real_espcape_string (plus strip_tags function) when i put data into database and stripslashes (plus some str_replace functions) when getting it out from database, but at which point? should i do all datacleaning and validation in page class? should get-methods be used when loading data from database within class with stripslashes etc validation?
I have 2 classes, db-class for database connections etc and page-class for creating pages (don't worry about the lack of errorhandling, i excluded it from this example).
[PHP]
define("DB_HOST", "myhost");
define("DB_USER", "myuser");
define("DB_PASS", "mypass");
define("DB_NAME", "mydb");
// ===============
// CLASS DB
// ===============
class db {
private $connection;
private $sql;
private $lastId;
private static $instance;
private function __construct() {
$this->connect();
}
// singleton method
public static function create() {
if (!isset(self::$instance))
self::$instance = new db();
return self::$instance;
}
public function connect($dbHost=DB_HOST,$dbUser=DB_USER,$dbPass=DB _PASS,$dbName=DB_NAME) {
$this->connection=mysql_connect($dbHost,$dbUser,$dbPass) ;
mysql_select_db($dbName,$this->connection);
}
// for SELECT statements
public function fetch($sql=""){
$result = mysql_query($this->sql,$this->connection);
while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
$data[] = $row;
mysql_free_result($result);
return $data;
}
// for INSERT, UPDATE and DELETE statements
public function execute($sql="") {
mysql_query($sql,$this->connection);
// set lastId property
$lastId = mysql_insert_id();
$this->setLastId($lastId);
}
public function setLastId($lastId) {
$this->lastId = $lastId;
}
public function getLastId() {
return $this->lastId;
}
}
// ===============
// CLASS PAGE
// ===============
class page {
private $id;
private $title;
private $text;
public function __create($id=NULL,$title,$text) {
if ($this->validateId($id)>0) {
$this->id=$id;
$this->title=$title;
$this->text=text;
}
}
public function setId($id) {
$id = $this->escape($id);
$id = $this->validateId($id);
$this->id = $id;
}
public function setTitle($title) {
$title = $this->escape($title);
$title = $this->stripTags($title);
$this->title = $title;
}
public function setText($text) {
$text = $this->escape($text);
$text = $this->stripTags($text);
$this->text = $text;
}
public function getId() {
return $this->id;
}
public function getTitle() {
return $this->title;
}
public function getText() {
return $this->text;
}
public function save($id=NULL) {
$this->setId($id);
$db = db::create();
if ( ($id === NULL) || ($id === 0) ) {
$sql="INSERT INTO page (title,text) VALUES ('$this->title', '$this->text'");
$result = $db->execute($sql);
// set new id for current pageobject
$this->setId($db->getLastId());
}
else {
$sql = "UPDATE page SET title='$this->title', text='$this->text' WHERE id = $this->id";
$db->execute($sql);
}
}
public function load($id=NULL) {
$this->setId($id);
$db = db::create();
$sql = "SELECT * FROM page WHERE id = " .$this->id;
$data= $db->fetch($sql);
if ($data) {
$sizeOfData = sizeof($data);
for ($i=0; $i<$sizeOfData; $i++) {
$this->setId($this->cleanData($data[$i]['id']));
$this->setTitle($this->cleanData($data[$i]['title']));
$this->setText($this->cleanData($data[$i]['text']));
}
}
}
// PAGE CLASS VALIDATORS
private function validateId($id) {
if (!empty($id) && is_numeric($id) && ($id > 0))
return (int) $id;
else
return 0;
}
private function stripTags($input, $allowedTags = "<p><a><img><b><u><i><li><ul><table><td><tr><b r>") {
return strip_tags($input, $allowedTags);
}
// if magic quotes are ON, remove the slashes that it added,
// and add slashes with mysql_real_escape_string-function.
// this is because magic quotes or addslashes-function do not escape
// values \x00, \n, \r, and \x1a (which may be used in SQL injection)
private function escape($input) {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
$input = mysql_real_escape_string($input);
}
else $input = mysql_real_escape_string($input);
return $input;
}
private function cleanData($txt="") {
$txt = stripslashes($txt);
$txt = str_replace('"','\'', $txt);
$txt = str_replace('<br />', '', $txt);
return $txt;
}
}
$page = new page();
$page->setTitle("Foo");
$page->setText("Bar");
$page->save();
$page->load(1);
echo $page->getTitle()."<br>";
echo $page->getText();
[/PHP]