php-general Digest 25 Aug 2005 07:14:00 -0000 Issue 3644

php-general-digest-help@lists.php.net
Date: Thu Aug 25 2005 - 02:14:00 CDT


Topics (messages 221292 through 221319):

anyone get corrupted response with php-fcgi when zlib.output_compression=On?
        221292 by: Xuefer

Re: Error #1136
        221293 by: Jim Moseby

Re: enabling OpenSSL and curl for PHP on IIS
        221294 by: Marco Tabini
        221296 by: Pablo Gosse
        221299 by: Edin Kadibasic
        221300 by: Pablo Gosse
        221301 by: Edin Kadibasic
        221302 by: Edin Kadibasic

Re: LDAP problem
        221295 by: Björn Bartels

Re: Problem with SimpleXML
        221297 by: Jordan Miller

when sending an attachment the file is a temp
        221298 by: Ross

syntax for two comparison operators
        221303 by: Jordan Miller
        221305 by: Philip Hallstrom

explain to what's going with this piece of code.
        221304 by: wayne

Re: php vulnerability
        221306 by: Chris Shiflett

Newbie: How to universalize a mysql=>xml script
        221307 by: Graham Anderson

Easier way to clean GET Variables ?
        221308 by: Graham Anderson
        221309 by: Jasper Bryant-Greene
        221310 by: Robert Cummings
        221311 by: Robert Cummings
        221312 by: Jasper Bryant-Greene
        221319 by: Richard Lynch

make it remember
        221313 by: George B
        221314 by: Robert Cummings
        221315 by: George B
        221316 by: George B
        221317 by: Robert Cummings

Re: Be careful! Look at what this spammer did.
        221318 by: Raj Shekhar

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribe@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribe@lists.php.net

To post to the list, e-mail:
        php-general@lists.php.net

----------------------------------------------------------------------

attached mail follows:


Latest checkout from the CVS repo, tags PHP_4_4 and HEAD.
When zlib.output_compression=Off, the response is fine.
When zlib.output_compression=On, <?php echo "1"; echo "2"; ?> results
in a corrupted response, showing an empty page in the browser.

attached mail follows:


>
> Can you include the SQL statement that is creating the error?
>
> The error basically means you are trying to put more data
> into the dB then
> you have data cells for.
>
> For instance :
>
> Good sql statement:
>
> $sql = "insert into table (name, address, city, state, zip)
> VALUES ('$name',
> '$address', '$city', '$state', '$zip')";
>
> Bad SQL statement :
>
> $sql = " insert into table (name, address, city, state, zip) VALUES
> ('$name', '$address', '$city', '$state', '$zip', '$phone')";
>
> The addition of the phone variable would create an error
> since there is no
> column to hold that data.
>
>
> <?php

Or, you may be doing:

$sql="INSERT INTO tablename VALUES('$name', '$address', '$city', '$state',
'$zip', '$phone')";

...where your table actually has an auto-increment value in addition to the
6 columns above. This will produce the error too. You will need to specify
the columns in that case, as Stephen correctly stated above.

JM

attached mail follows:


On 8/24/05 11:39 AM, "Pablo Gosse" <gosse@unbc.ca> wrote:

> Can anyone give any insight into what might be going wrong here?

I think you just need to move your php.ini file to C:\WINDOWS... PHP is
looking for it there.

Cheers,

Marco

attached mail follows:


On Wed, 2005-08-24 at 14:05 -0400, Marco Tabini wrote:
> On 8/24/05 11:39 AM, "Pablo Gosse" <gosse@unbc.ca> wrote:
>
> > Can anyone give any insight into what might be going wrong here?
>
> I think you just need to move your php.ini file to C:\WINDOWS... PHP is
> looking for it there.
>
> Cheers,
>
>
> Marco
>
>

I've tried that and that just results in PHP grinding to a halt. Any
requests to PHP pages simply result in "Document contains no data"
errors.

I've tried changing the registry entry for IniFilePath to c:\windows and
moving the php.ini file there, but the same thing results - PHP just
hangs and the pages return nothing.

Other pages on the server work fine.

Any other ideas? We really need to enable OpenSSL and curl and it's
kind of difficult when you can't effect any changes to the php.ini file!

Hoping someone can offer some advice here ...

Cheers and TIA,

Pablo

attached mail follows:


Pablo Gosse wrote:
> I've tried that and that just results in PHP grinding to a halt. Any
> requests to PHP pages simply result in "Document contains no data"
> errors.

Have you added c:\php to your system PATH?

Edin

attached mail follows:


On Wed, 2005-08-24 at 23:30 +0200, Edin Kadibasic wrote:
> Pablo Gosse wrote:
> > I've tried that and that just results in PHP grinding to a halt. Any
> > requests to PHP pages simply result in "Document contains no data"
> > errors.
>
> Have you added c:\php to your system PATH?
>
> Edin

Yup.

c:\php is in the system PATH, just as described here:
http://www.php.net/manual/en/faq.installation.php#faq.installation.findphpini

and I also tried creating the PHPRC environment var as described here:

http://www.php.net/manual/en/faq.installation.php#faq.installation.phprc

to no effect. It's simply not reading the changes. I've even commented
out the openssl and curl lines, and am now just changing the value of
allow_url_fopen to Off, but that's not working.

NOTHING seems to have any effect.

Anyone else have any suggestions? This is very, very strange (and
incredibly frustrating ...)

Cheers and TIA,

Pablo

attached mail follows:


Pablo Gosse wrote:
> to no effect. It's simply not reading the changes. I've even commented
> out the openssl and curl lines, and am now just changing the value of
> allow_url_fopen to Off, but that's not working.

One thing at a time :)
Put php.ini in your windows dir, and it will be read from there.
Both curl and openssl depend on libeay32.dll and ssleay32.dll. Try to
put those in windows/system32 just to make sure that Windows is able to
find them.

Edin

attached mail follows:


Pablo Gosse wrote:
> Hi, Edin. Okay. I did things a little differently, and lo and behold,
> you are correct. ini changes are now taking effect.
>
> And the hanging results I was getting earlier were indeed the system
> looking for the two dll files you mention below.
>
> Eternally grateful. Thanks.
>
> However, I've installed openssl, but there is no ssleay32.dll file on my
> system after the install.
>
> From where am I supposed to acquire the dlls you mention below?

They come bundled with the PHP ZIP package.

Edin

attached mail follows:


Hello Mark,

first of all, thank you (all) a lot for your contributions...

>Are you sure you are connecting? As in, do you only try to bind if you
>have
>a successful connection?
(...) I try to bind only when the connection itself is established...
 
>Have you checked ldap_error?
"Can't contact LDAP server", it says....

>Are you doing an anonymous bind, or using a username and password? Try
>each
>and see what happens
Both methods fail in my login script; again, the test script
works fine with both.

>How about posting some code?
...sorry... here they come, first the test script and then the extract
from the login script

$ldaphost = $_REQUEST["ldaphost"];
$ldapport = $_REQUEST["ldapport"];
$ds = ldap_connect($ldaphost, $ldapport)
   or die("Could not connect to $ldaphost"."<br />");
if (ldap_get_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version))
  echo "Sie benutzen die Protokollversion $version"."<br />";
else
  echo "Protokollversion konnte nicht bestimmt werden"."<br />";
if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
  echo "Verwenden von LDAPv3"."<br />";
else
  echo "Kann das Protokoll nicht auf Version 3 setzen"."<br />";
if ($ds) {
  $username = $_REQUEST["ldapuser"];
  $binddn = 'uid='.$username.', ou=users, ou=OxObjects, dc=dbusiness, dc=de';
  $ldapbind = ldap_bind($ds, $binddn, $_REQUEST["ldappass"]);
  if ($ldapbind) {
    print "Congratulations! You are authenticated. <br />";
    print "".$_REQUEST["ldapuser"];
  } else {
    print "Nice try, kid. Better luck next time! <br />";
  }
}

Here is the login part; as you see, it does not differ much from the
test script...

if (!empty($_REQUEST["IO_username"])) {
   $ldaphost = LDAP_HOST;
   $ldapport = LDAP_PORT;
   $ds = ldap_connect($ldaphost, $ldapport)
         or die("Could not connect to $ldaphost"."\n");
   if (ldap_get_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version))
          echo "Sie benutzen die Protokollversion $version"."\n";
   else
          echo "Protokollversion konnte nicht bestimmt werden"."\n";
   if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3))
          echo "Verwenden von LDAPv3"."\n";
   else
          echo "Kann das Protokoll nicht auf Version 3 setzen"."\n";
   if ($ds) {
       $username = $_REQUEST["IO_username"];
       $upasswd  = $_REQUEST["IO_password"];
       $binddn   = 'uid='.$username.',ou=users,ou=OxObjects,dc=dbusiness,dc=de';
       $ldapbind = ldap_bind($ds, $binddn, $upasswd);
       if ($ldapbind) {
           print "User is authenticated... \n";
           print "".$binddn."\n";
           $DB_checkuserid->query("SELECT * FROM users_users WHERE username='".$HTTP_POST_VARS["IO_username"].
                                  "' AND password='".$HTTP_POST_VARS["IO_password"]."';");
           if ($DB_checkuserid->rows == 1) {
               $thisuser = $DB_checkuserid->fetch(0);
               $HTTP_SESSION_VARS["userid"]       = $HTTP_POST_VARS["IO_username"];
               $HTTP_SESSION_VARS["userfullname"] = $thisuser["fullname"];
               $HTTP_SESSION_VARS["usergroupid"]  = $thisuser["groupid"];
           }
       } else {
           var_dump($ds);print " <br />\n";
           var_dump($ldapbind);print " <br />\n";
           print "Error: ".ldap_error($ds)." <br />\n";
           print "DN: ".$binddn." <br />\n";
           print "pwd: ".$upasswd." <br />\n";
           print "Nice try, kid. Better luck next time! <br />";
           die ("LDAP authentication error! Check username and/or password !");
       }
   } else {
       print "Nice try, kid. Better luck next time! <br />";
       die ("LDAP connection error! Please inform the administrator !");
   }
}

>I have just spent several days trying on and off to work out LDAP, from
>a
>starting position of "what's LDAP?".
I had the same problem with the test script once, then left it alone for
several days/some weeks, satisfying my boss with a MySQL-based login. Now
the test script works without any changes...

Björn Bartels
-Development/IT-Services-

----------------------------------------------
dbusiness.de gmbh
digital business & printing gmbh

Greifswalder Str. 152
D-10409 Berlin

Fon: [0.30] 4.21.19.95
Fax: [0.30] 4.21.19.74

www.dbusiness.de
info@dbusiness.de
ftp://dbusiness.dyndns.org
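As an added example (not Björn's code), this is the bind step of the login script above, hardened: the uid is restricted and escaped before it is placed in the DN, an empty password is refused, and the failure branch logs the DN and server error instead of printing them (and the password) to the browser. It keeps the base DN from the post; LDAP_HOST and LDAP_PORT are assumed to be defined by the application and are placeholders here, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example, not Björn's code: the bind step of the login script,
// hardened. Base DN is the one from the post; the host and port are
// placeholders standing in for the application's LDAP_HOST / LDAP_PORT.
// ldap_escape() needs PHP 5.6 or later.

define('LDAP_HOST', 'ldap.example.invalid');   // placeholder
define('LDAP_PORT', 389);                      // placeholder
define('LDAP_BASE', 'ou=users,ou=OxObjects,dc=dbusiness,dc=de');

// Returns true only for a successful, authenticated simple bind.
function ldap_authenticate($username, $password)
{
    // With an empty password ldap_bind() performs an unauthenticated bind,
    // which many directories accept: the caller would be "logged in"
    // without a password at all. Refuse it before contacting the server.
    if (!is_string($username) || !is_string($password) || $password === '') {
        return false;
    }
    // Restrict uid to the characters the directory actually issues, so the
    // DN built below cannot be steered to a different entry.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}\z/', $username)) {
        return false;
    }

    $ds = ldap_connect(LDAP_HOST, LDAP_PORT);
    if (!$ds) {
        error_log('ldap_connect() failed for ' . LDAP_HOST);
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Escape for DN context as well, in case the uid rule is ever relaxed.
    $binddn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE;

    // ldap_bind() emits a warning on failure; keep that out of the page and
    // record the server's reason (never the password) in the server log.
    $ok = @ldap_bind($ds, $binddn, $password);
    if (!$ok) {
        error_log('LDAP bind failed for ' . $binddn . ': ' . ldap_error($ds));
    }
    ldap_unbind($ds);
    return $ok;
}

$username = isset($_POST['IO_username']) ? $_POST['IO_username'] : '';
$password = isset($_POST['IO_password']) ? $_POST['IO_password'] : '';

if (ldap_authenticate($username, $password)) {
    session_start();
    $_SESSION['userid'] = $username;   // only the verified identity is stored
    print "User is authenticated.\n";
} else {
    // One message for every failure: no DN, password or server error
    // reaches the browser.
    die("LDAP authentication error! Check username and/or password.");
}
```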

attached mail follows:


Yes, simplexml can do this easily. See:
http://www.php.net/simplexml

> Example 7. Setting values
>
> Data in SimpleXML doesn't have to be constant. The object allows
> for manipulation of all of its elements.
>
> <?php
> include 'example.php';
> $xml = simplexml_load_string($xmlstr);
>
> $xml->movie[0]->characters->character[0]->name = 'Miss Coder';
>
> echo $xml->asXML();
> ?>
> The above code will output a new XML document, just like the
> original, except that the new XML will change Ms. Coder to Miss Coder.
>

Uros, it looks like you want to change one of the attributes; you
will need to use some of this code to handle the attributes:

> Example 4. Using attributes
>
> So far, we have only covered the work of reading element names and
> their values. SimpleXML can also access element attributes. Access
> attributes of an element just as you would elements of an array.
>
> <?php
> include 'example.php';
>
> $xml = simplexml_load_string($xmlstr);
>
> /* Access the <rating> nodes of the first movie.
>  * Output the rating scale, too. */
> foreach ($xml->movie[0]->rating as $rating) {
>     switch((string) $rating['type']) { // Get attributes as element indices
>         case 'thumbs':
>             echo $rating, ' thumbs up';
>             break;
>         case 'stars':
>             echo $rating, ' stars';
>             break;
>     }
> }
> ?>
>

regards,
Jordan

On Aug 24, 2005, at 3:20 AM, Uroš Gruber wrote:

> Hi!
>
> I have XML and I would like to set some values. I almost done the
> whole thing but have some problems when looping through some tags
>
> <foo>
> <bar id="1" name="bar1" />
> <bar id="2" name="bar2" />
> ...
> </foo>
>
> I would like to set value for tag "bar" in some loop and then
> export this back to XML. Is this even possible or it's better to
> use SimpleXML only for read and create new XML from it.
>
> XML is about 20 rows of data and I'm using PHP 5.0.4 with all XML
> included.
>
> regards
>
> Uros
>

attached mail follows:


When sending an attachment using PHPMailer, the file I am trying to send
becomes a temp file with a stupid name (php13c9.tmp).

Do you know what is going on here? PHPMailer attachments take a 'path to
file', which I am trying to provide via a file browse button ($userfile) in a
form.

Many Thanks,

R

<?php
//$AddAddress =array("rossaztechost.com", "rossblue-fly.co.uk");
if (isset($submitted)){
echo "hello";
require("class.phpmailer.php");
$mail = new PHPMailer();
//$mail->IsSMTP(); // telling the class to use SMTP
$mail->Host = "mail.blue-fly.co.uk"; // SMTP server
$mail->From = "rossblue-fly.co.uk";
$mail->AddAddress ("rossaztechost.com");
$mail->AddAttachment("$userfile");
$mail->Subject = "first mailing";
$mail->Body = "hi ! \n\n this is First mailing I made myself with PHPMailer
!";
$mail->WordWrap = 50;

if(!$mail->Send())
{
   echo "Message was not sent";
   echo "Mailer Error: " . $mail->ErrorInfo;

}
else
{
   echo "Message has been sent";
}
}
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>
<form name="form1" enctype="multipart/form-data" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
  <p>
    <input name="userfile" type="file" id="userfile">
</p>
  <p>&nbsp;</p>
  <p>
    <input type="submit" name="Submit" value="Submit">
    <input type="hidden" name="submitted">
  </p>
</form>
</body>
</html>
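What the browse button hands the script is PHP's temporary copy of the upload; the name the user picked arrives separately in $_FILES. The following is an added example, not Ross's code, showing the attachment done from $_FILES with the original name passed to AddAttachment(); it assumes the class.phpmailer.php of the post (class PHPMailer with AddAttachment($path, $name)), and the mail host and addresses are placeholders.

```php
<?php
// Added example, not Ross's code. The browse button gives the script only
// PHP's temporary copy, $_FILES['userfile']['tmp_name'] (the php13c9.tmp in
// the post); the user's file name is $_FILES['userfile']['name'] and has to
// be passed to AddAttachment() as its second argument. Assumes the
// class.phpmailer.php of the post; host and addresses are placeholders.
require 'class.phpmailer.php';

// Attaches the upload from form field $field under its original name.
// Returns false if nothing valid was uploaded.
function attach_upload(PHPMailer $mail, $field)
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;                       // no upload, or the upload failed
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // is_uploaded_file() confirms the path is PHP's own temp copy for this
    // request, so a forged or stale path is never attached.
    if (!is_uploaded_file($tmp)) {
        return false;
    }
    // basename() drops any directory part the client put in the name, so
    // the recipient's mail client is handed a plain file name.
    $name = basename($_FILES[$field]['name']);
    if ($name === '') {
        $name = 'attachment';
    }
    return $mail->AddAttachment($tmp, $name);
}

if (isset($_POST['submitted'])) {
    $mail = new PHPMailer();
    $mail->Host    = 'mail.example.invalid';    // placeholder SMTP host
    $mail->From    = 'sender@example.invalid';  // placeholder
    $mail->AddAddress('recipient@example.invalid');
    $mail->Subject = 'first mailing';
    $mail->Body    = "hi!\n\nthis is the first mailing I made myself with PHPMailer!";
    $mail->WordWrap = 50;

    if (!attach_upload($mail, 'userfile')) {
        echo 'No usable attachment was uploaded';
    } elseif (!$mail->Send()) {
        echo 'Message was not sent. Mailer Error: ' . htmlspecialchars($mail->ErrorInfo);
    } else {
        echo 'Message has been sent';
    }
}
```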

attached mail follows:


General question,

Is there a technical reason why PHP does not allow comparison
operator expressions like the following:

if (2 < $x <= 4) {}

I prefer this concise way as it is common for mathematics
expressions, and much easier to grasp physically on first glance.
From what I can tell, this expression can currently only be written as:

if ( $x > 2 && $x <= 4) {}

Would adding this syntax to PHP be incredibly difficult or lead to
performance slowdowns?

I think I remember reading that PHP always evaluates expressions from
right to left, so I guess there may be a considerable codebase change
required. Maybe there could be a default function workaround for this
or some other way to automagically process these more concise
expressions without too much of a slowdown?? Just curious.

Jordan

attached mail follows:


> Is there a technical reason why PHP does not allow comparison operator
> expressions like the following:
>
> if (2 < $x <= 4) {}
>
>
> I prefer this concise way as it is common for mathematics expressions, and
> much easier to grasp physically on first glance. From what I can tell, this
> expression can currently only be written as:
>
> if ( $x > 2 && $x <= 4) {}

I'm sure someone who knows more about it than me will chime in with the
real reason, but at first glance how would the interpreter interpret it?

Given 2 < $x <= 4, do you mean:

2 < $x && $x <= 4

or do you mean

(2 < $x) <= 4

where 2 < $x will evaluate to true or false. Doesn't make much sense as a
condition, but it's there...

Also, you could wrap it in a function if you find you use it a lot..

function between($x, $min, $max) {
         return( $min < $x && $x < $max );
}

-philip

attached mail follows:


When I run a script from a package I downloaded, it always
bombs out on this section. I think that it's getting
the wrong parameters when it tries to make the connection.
I use PostgreSQL as my DB. Moodle is the name of the database and
the user is moodleuser. I do not have a password on this DB.

//==========================================================================//

/// Check database settings if stage 3 data submitted
/// Try to connect to the database. If that fails then try to create the database

if ($INSTALL['stage'] == 3) {

    print 'DO I GET HERE';
    if (empty($INSTALL['dbname'])) {
        $INSTALL['dbname'] = 'moodle';
    }

    /// different format for postgres7 by socket
    if ($INSTALL['dbtype'] == 'postgres7' and ($INSTALL['dbhost'] == 'localhost' || $INSTALL['dbhost'] == '127.0.0.1')) {
__________________________________________________________________
                      MY QUESTION
This is the part I'm confused about. Why does it set dbhost to the
parameters for the Connect statements and then zero them out?
________________________________________________________________
        $INSTALL['dbhost'] = "user='{$INSTALL['dbuser']}' password='{$INSTALL['dbpass']}' dbname='{$INSTALL['dbname']}'";
        $INSTALL['dbuser'] = '';
        $INSTALL['dbpass'] = '';
        $INSTALL['dbname'] = '';

        if ($INSTALL['prefix'] == '') { /// must have a prefix
            $INSTALL['prefix'] = 'mdl_';
        }
    }

    if ($INSTALL['dbtype'] == 'mysql') { /// Check MySQL extension is present
        if (!extension_loaded('mysql')) {
            $errormsg = get_string('mysqlextensionisnotpresentinphp', 'install');
            $nextstage = 3;
        }
    }
    if (empty($errormsg)) {

        $db = &ADONewConnection($INSTALL['dbtype']);

        error_reporting(0); // Hide errors
__________________________________________________________
                     MY QUESTION
This is the other part I'm confused about. At this point dbhost
has the values from above and the call is passing them again.
___________________________________________________________
        if (! $dbconnected = $db->Connect($INSTALL['dbhost'], $INSTALL['dbuser'], $INSTALL['dbpass'], $INSTALL['dbname'])) {
            /// The following doesn't seem to work but we're working on it
            /// If you come up with a solution for creating a database in MySQL
            /// feel free to put it in and let us know
            if ($dbconnected = $db->Connect($INSTALL['dbhost'], $INSTALL['dbuser'], $INSTALL['dbpass'])) {
                switch ($INSTALL['dbtype']) { /// Try to create a database
                    case 'mysql':
                        if ($db->Execute("CREATE DATABASE {$INSTALL['dbname']};")) {
                            $dbconnected = $db->Connect($INSTALL['dbhost'], $INSTALL['dbuser'], $INSTALL['dbpass'], $INSTALL['dbname']);
                        } else {
                            $errormsg = get_string('dbcreationerror', 'install');
                            $nextstage = 3;
                        }
                        break;
                }
            }
        }
    }

    error_reporting(7);

    if (($dbconnected === false) and (empty($errormsg)) ) {
        $errormsg = get_string('dbconnectionerror', 'install');
        $nextstage = 3;
    }
}
//==========================================================================//
 

attached mail follows:


> > Chris is a dude who has helped me and a lot of others dozens of times
> > on this list as he is a regular contributor to this list, he really
> > knows his stuff...if you decide to go with him you'll be getting your
> > money's worth for sure.
> >
> > If you can't afford to hire him, he has some really good security
> > articles on his site that you may want to start on...
> >
> > Cheers,
> > Ryan
> >
> > NOTE: I don't make anything if you go with Chris or not...am not
> > connected to him/his site in any way and I don't get anything for
> > plugging him/his site either :-)
>
> And for the record, neither do I. I just know from talking to him,
> and reading his posts on this list, that he is a professional.

Thanks for the kind words, guys.

I've been quite busy lately, so I'm actually a bit behind on publishing
free articles on my web site (http://shiflett.org/). I'll be publishing
a few more within the next week or two.

Thanks again. :-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

attached mail follows:


Hi
I am trying to create a generic function that takes any MySQL found set
and creates a custom tiered XML list.

The below works but seems a bit kludgy :(
Code synopsis: if we are on a new row and the first value in that
row, <artist>, is different... then do something.

Is there a cleaner and more universal way to do this?
I am attempting to take my PHP skills to the next level by making my
code more generic and flexible.

Ultimately, I would like to feed it a couple of variables and generate
an XML list with any number of levels...
FYI, I know the XML is not formed properly... it's just for dummy
purposes :)

I am a bit new to all of this so any help is appreciated :)

many thanks
g

The below works and generates the dummy output:
<artist>Akwid</artist>
        <trackName>Jamas Imagine</trackName>
        <id>38</id>
        <trackName>No Hay Manera</trackName>
        <id>42</id>
<artist>Azteka</artist>
        <trackName>Mexicano Por Fortuna</trackName>
        <id>41</id>
        <trackName>Sueno Americano</trackName>
        <id>33</id>
...

// PHP code

$result = mysql_query($sql);
$numRows = mysql_num_rows($result);
$numFields = mysql_num_fields($result);  // was mysql_numfields(), which does not exist
$i = 0;            // used to detect the first row
$firstVal = null;  // first-column value of the last row that opened a group
$keyNames = array();

// get all the keys (column names) in the found set
for ($x = 0; $x < $numFields; $x++) {
    $keyNames[] = mysql_field_name($result, $x);
}

while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    foreach ($line as $key => $val) {
        // are we on the first key in the found set?
        if ($key == $keyNames[0]) {
            // are we on row 0, or is $val (<artist>) a new value?
            // (the original had "$i = 0" here, an assignment, not a comparison)
            if ($i == 0 || $val !== $firstVal) {
                echo "<$key>$val</$key>" . "\n";
                $firstVal = $val;
            }
        } else {
            // we are not on the first key... so add a tab
            echo "\t" . "<$key>$val</$key>" . "\n";
        }
    }
    $i++; // used for checking for the first row
}
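As an added example (not Graham's code) of the generalisation asked for above: one function that turns an ordered result set into tiered XML with any number of grouping levels, built with XMLWriter so every value is escaped and the document is well-formed. The rows are constructed here to stand in for the MySQL found set (what mysql_fetch_array(..., MYSQL_ASSOC) or PDO::fetchAll(PDO::FETCH_ASSOC) would return), and $levels names the grouping columns, outermost first.

```php
<?php
// Added example, not Graham's code: tiered XML from a result set with any
// number of grouping levels. $rows is assumed to be the associative rows a
// MySQL query returns, ordered by the grouping columns; $levels lists those
// columns, outermost first. XMLWriter escapes every value, so a title
// containing "&" or "<" cannot break the document or inject markup into it,
// which echo "<$key>$val</$key>" would allow.

function rows_to_tiered_xml(array $rows, array $levels, $root = 'catalog')
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->setIndent(true);
    $w->startDocument('1.0', 'UTF-8');
    $w->startElement($root);

    $open = array();   // value of the group element currently open at each depth

    foreach ($rows as $row) {
        // shallowest tier whose value changed since the previous row
        $changed = count($levels);
        foreach ($levels as $depth => $col) {
            if (!array_key_exists($depth, $open) || $open[$depth] !== $row[$col]) {
                $changed = $depth;
                break;
            }
        }
        // close the groups at and below the change, deepest first
        for ($d = count($open) - 1; $d >= $changed; $d--) {
            $w->endElement();
            unset($open[$d]);
        }
        // open new groups from the changed tier down
        for ($d = $changed; $d < count($levels); $d++) {
            $col = $levels[$d];
            $w->startElement($col);
            $w->writeAttribute('name', (string) $row[$col]);
            $open[$d] = $row[$col];
        }
        // the remaining columns become one leaf item
        $w->startElement('item');
        foreach ($row as $col => $val) {
            if (!in_array($col, $levels, true)) {
                $w->writeElement($col, (string) $val);
            }
        }
        $w->endElement();
    }
    // close whatever is still open, then the root
    for ($d = count($open) - 1; $d >= 0; $d--) {
        $w->endElement();
    }
    $w->endElement();
    $w->endDocument();
    return $w->outputMemory();
}

// Constructed rows standing in for the found set in the post; the last one
// is made up to show that "&" and "<" in a value come out escaped.
$rows = array(
    array('artist' => 'Akwid',  'trackName' => 'Jamas Imagine',         'id' => '38'),
    array('artist' => 'Akwid',  'trackName' => 'No Hay Manera',         'id' => '42'),
    array('artist' => 'Azteka', 'trackName' => 'Mexicano Por Fortuna',  'id' => '41'),
    array('artist' => 'Azteka', 'trackName' => 'Sueno Americano',       'id' => '33'),
    array('artist' => 'Azteka', 'trackName' => 'Demo & <untitled>',     'id' => '99'),
);

header('Content-Type: text/xml; charset=UTF-8');
echo rows_to_tiered_xml($rows, array('artist'));
```

Passing array('artist', 'album') as $levels would nest a second tier without any change to the function.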
  
               

attached mail follows:


Is there a way to loop through all of these GET requests by:
putting the GET variables into an array,
processing the variable strings with trim/strip_tags/etc. in a loop,
exploding the variables back out into separate variables?

Otherwise this gets a bit tedious :(

many thanks in advance
g

$userID = $_GET['userID'];
$playlistName = $_GET['playlistName'];
$language = $_GET['language'];
$query = $_GET['query'];
$mediaID = $_GET['mediaID'];

# did we get $userID in a GET request ?
if(!isset($userID)){
        # add a default query here
        $userID = "unknown" ;
}
# did we get $playlistName in a GET request ?
if(!isset($playlistName)){
        # add a default query here
        $playlistName = "Unknown" ;
}
# did we get $language in a GET request ?
if(!isset($language)){
        # add a default language here
        $language = "spanish" ;
}
# did we get $query in a GET request ?
if(!isset($query)){
        $query = "unknown" ;
}
# did we get $mediaID in a GET request ?
if(!isset($mediaID)){
        # add a default query here
        $mediaID = "unknown" ;
}
$userID = trim(strip_tags($userID));
$playlistName = trim(strip_tags($playlistName));
$language = trim(strip_tags($language));
$query = trim(strip_tags($query));
$mediaID = trim(strip_tags($mediaID));

mysql_real_escape_string($userID);
mysql_real_escape_string($playlistName);
mysql_real_escape_string($language);
mysql_real_escape_string($query);
mysql_real_escape_string($mediaID);

attached mail follows:


Graham Anderson wrote:
> Is there a way to loop thru all of these GET requests by:
> putting the GET variables into an array
> processing the variable strings with trim/striptags/etc in a loop
> exploding the variables back out into separate variables

I just do this:

function process_user_input($value) {
        return mysql_real_escape_string(strip_tags(trim($value)));
        // Or whatever processing you need
}

$_SAFE_GET = array_map('process_user_input', $_GET);
$_SAFE_POST = array_map('process_user_input', $_POST);

That way you never need to take them out of an array in the first place.
Then you can do things like:

mysql_query("INSERT INTO table (col) VALUES ('{$_SAFE_POST['val']}')");

Jasper

attached mail follows:


On Wed, 2005-08-24 at 23:06, Graham Anderson wrote:
> Is there a way to loop thru all of these GET requests by:
> putting the GET variables into an array
> processing the variable strings with trim/striptags/etc in a loop
> exploding the variables back out into separate variables
>
> otherwise this gets a bit tedious :(
>
> many thanks in advance
> g
>
>
> $userID = $_GET['userID'];
> $playlistName = $_GET['playlistName'];
> $language = $_GET['language'];
> $query = $_GET['query'];
> $mediaID = $_GET['mediaID'];
>
>
> # did we get $userID in a GET request ?
> if(!isset($userID)){
> # add a default query here
> $userID = "unknown" ;
> }
> # did we get $playlistName in a GET request ?
> if(!isset($playlistName)){
> # add a default query here
> $playlistName = "Unknown" ;
> }
> # did we get $language in a GET request ?
> if(!isset($language)){
> # add a default language here
> $language = "spanish" ;
> }
> # did we get $query in a GET request ?
> if(!isset($query)){
> $query = "unknown" ;
> }
> # did we get $mediaID in a GET request ?
> if(!isset($mediaID)){
> # add a default query here
> $mediaID = "unknown" ;
> }
> $userID = trim(strip_tags($userID));
> $playlistName = trim(strip_tags($playlistName));
> $language = trim(strip_tags($language));
> $query = trim(strip_tags($query));
> $mediaID = trim(strip_tags($mediaID));
>
> mysql_real_escape_string($userID);
> mysql_real_escape_string($playlistName);
> mysql_real_escape_string($language);
> mysql_real_escape_string($query);
> mysql_real_escape_string($mediaID);

function getGetVar( $key, $default=null )
{
    return isset( $_GET[$key] ) ? $_GET[$key] : $default;
}

function getGetVarProcessed( $key, $process, $default=null )
{
    return $process( getGetVar( $key, $default ) );
}

function cleanser( $value )
{
    // (the original had a stray closing parenthesis on this line)
    return mysql_real_escape_string( trim( $value ) );
}

$userID = getGetVarProcessed( 'userID', 'cleanser', 'unknown' );
$playlistName = getGetVarProcessed( 'playlistName', 'cleanser', 'unknown' );
$language = getGetVarProcessed( 'language', 'cleanser', 'unknown' );
$query = getGetVarProcessed( 'query', 'cleanser', 'unknown' );
$mediaID = getGetVarProcessed( 'mediaID', 'cleanser', 'unknown' );

Cheers,
Rob
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'

attached mail follows:


On Wed, 2005-08-24 at 23:12, Jasper Bryant-Greene wrote:
> Graham Anderson wrote:
> > Is there a way to loop thru all of these GET requests by:
> > putting the GET variables into an array
> > processing the variable strings with trim/striptags/etc in a loop
> > exploding the variables back out into separate variables
>
> I just do this:
>
> function process_user_input($value) {
> return mysql_real_escape_string(strip_tags(trim($value)));
> // Or whatever processing you need
> }
>
> $_SAFE_GET = array_map('process_user_input', $_GET);
> $_SAFE_POST = array_map('process_user_input', $_POST);
>
> That way you never need to take them out of an array in the first place.
> Then you can do things like:
>
> mysql_query("INSERT INTO table (col) VALUES ('{$_SAFE_POST['val']}')");

Still need to check isset() status unless you've disabled E_NOTICE which
I don't advise since it's sloppy ;)

Cheers,
Rob.

attached mail follows:


Robert Cummings wrote:
> On Wed, 2005-08-24 at 23:12, Jasper Bryant-Greene wrote:
>
>>Graham Anderson wrote:
>>
>>>Is there a way to loop thru all of these GET requests by:
>>>putting the GET variables into an array
>>>processing the variable strings with trim/striptags/etc in a loop
>>>exploding the variables back out into separate variables
>>
>>I just do this:
>>
>>function process_user_input($value) {
>> return mysql_real_escape_string(strip_tags(trim($value)));
>> // Or whatever processing you need
>>}
>>
>>$_SAFE_GET = array_map('process_user_input', $_GET);
>>$_SAFE_POST = array_map('process_user_input', $_POST);
>>
>>That way you never need to take them out of an array in the first place.
>>Then you can do things like:
>>
>>mysql_query("INSERT INTO table (col) VALUES ('{$_SAFE_POST['val']}')");
>
> Still need to check isset() status unless you've disabled E_NOTICE which
> I don't advise since it's sloppy ;)

Yeah, I usually would in a real script. Just slipped my mind when
writing that example.

Jasper

attached mail follows:


On Wed, August 24, 2005 10:06 pm, Graham Anderson wrote:
> Is there a way to loop thru all of these GET requests by:
> putting the GET variables into an array
> processing the variable strings with trim/striptags/etc in a loop
> exploding the variables back out into separate variables

In addition to what everybody has posted...

I really would recommend that on any given page you have something like:

$_EXPECTED = array('userID', 'playlistName', 'language');
$_EXPECTED = array_flip($_EXPECTED);

You can then compare what you $_GET with what you $_EXPECTED in your
loop, and not import any Bad Guy's crap variables:
if (isset($_EXPECTED[$variable])){
  //import it
}
else{
  //error out, log the hack attempt, Red Alert!, call the President
}

This also helps make the code more self-documenting, since right at
the top of the code you are clearly stating what inputs the script
(which in many respects is like a function, only not) expects to
receive.

If you're going to go ahead and clutter up your "SAFE" data with junk
that some random Bad Guy sent you, it really doesn't seem all that
safe to me...

--
Like Music?
http://l-i-e.com/artists.htm
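The whole thread, as an added example that is none of the posters' code: the $_EXPECTED allow-list above, combined with Rob's point that each parameter still needs its isset() check and with a per-parameter validation rule, so the script imports only the parameters it declares and rejects the rest with a reason it can log. The parameter names are the ones from Graham's script; the rules and the request are constructed. Escaping is deliberately left out: mysql_real_escape_string() and htmlspecialchars() belong at the query and output boundary, not in the import step.

```php
<?php
// Added example, not from any post in the thread: import only the
// parameters a page declares, each checked against its own rule, with a
// default for the optional ones. Undeclared or invalid parameters are
// rejected and reported, not silently imported. Parameter names are from
// Graham's script; the rules and the request below are constructed.

// Per-parameter rule: 'pattern' the whole value must match; 'default' if
// the parameter may be absent (no 'default' means it is required).
$EXPECTED = array(
    'userID'       => array('pattern' => '/^[0-9]{1,10}\z/'),
    'playlistName' => array('pattern' => '/^[\p{L}\p{N} _-]{1,64}\z/u', 'default' => 'Unknown'),
    'language'     => array('pattern' => '/^(english|spanish)\z/',      'default' => 'spanish'),
    'query'        => array('pattern' => '/^[^\x00-\x1f]{0,200}\z/',     'default' => ''),
    'mediaID'      => array('pattern' => '/^[0-9]{1,10}\z/',             'default' => null),
);

// Returns array($clean, $errors): $clean holds one entry per declared
// parameter, $errors lists everything that was rejected, for the log.
function import_expected(array $input, array $expected)
{
    $clean  = array();
    $errors = array();

    // Anything not declared is noise at best and a probe at worst.
    foreach (array_diff_key($input, $expected) as $name => $unused) {
        $errors[] = "unexpected parameter: $name";
    }

    foreach ($expected as $name => $rule) {
        if (!array_key_exists($name, $input)) {        // Rob's isset() point
            if (array_key_exists('default', $rule)) {
                $clean[$name] = $rule['default'];
            } else {
                $errors[] = "missing required parameter: $name";
            }
            continue;
        }
        $value = $input[$name];
        // name[]=... in the query string makes this an array; trim() and
        // strip_tags() on an array only raise warnings, so reject it.
        if (!is_string($value)) {
            $errors[] = "parameter is not a scalar: $name";
            continue;
        }
        $value = trim($value);
        if (!preg_match($rule['pattern'], $value)) {
            $errors[] = "parameter failed validation: $name";
            continue;
        }
        $clean[$name] = $value;
    }
    return array($clean, $errors);
}

// Constructed request, what $_GET holds for
//   ?userID=42&language=spanish&query=hola&mediaID=7%27+OR+1%3D1&debug=1
// (in a real page pass $_GET itself).
$request = array(
    'userID'   => '42',
    'language' => 'spanish',
    'query'    => 'hola',
    'mediaID'  => "7' OR 1=1",
    'debug'    => '1',
);

list($clean, $errors) = import_expected($request, $EXPECTED);
foreach ($errors as $e) {
    error_log('rejected input: ' . $e);   // "log the hack attempt"
}
if ($errors) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid request');
}
// From here on only $clean['userID'], $clean['playlistName'], ... are used.
```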

attached mail follows:


Ok, I am doing a sort of a project right now... It is like a php chat
room that records every message into a database. Now, on the first post
I want it to like set the name, so on first post it would say Name: and
you set your name, then on every other message you post it just says
Posted by and remembers your name from the last entry. Is this anyhow
possible?

attached mail follows:


On Thu, 2005-08-25 at 00:10, George B wrote:
> Ok, I am doing a sort of a project right now... It is like a php chat
> room that records every message into a database. Now, on the first post
> I want it to like set the name, so on first post it would say Name: and
> you set your name, then on every other message you post it just says
> Posted by and remembers your name from the last entry. Is this anyhow
> possible?

Check session... if no name, display name prompt, otherwise don't
display name prompt.

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'

attached mail follows:


Robert Cummings wrote:
> On Thu, 2005-08-25 at 00:10, George B wrote:
>
>>Ok, I am doing a sort of a project right now... It is like a php chat
>>room that records every message into a database. Now, on the first post
>>I want it to like set the name, so on first post it would say Name: and
>>you set your name, then on every other message you post it just says
>>Posted by and remembers your name from the last entry. Is this anyhow
>>possible?
>
>
> Check session... if no name, display name prompt, otherwise don't
> display name prompt.
>
> Cheers,
> Rob.
Which would I choose?
http://us2.php.net/manual-lookup.php?pattern=sessions

attached mail follows:


On Thu, 2005-08-25 at 00:19, George B wrote:
> Robert Cummings wrote:
> > On Thu, 2005-08-25 at 00:10, George B wrote:
> >
> >>Ok, I am doing a sort of a project right now... It is like a php chat
> >>room that records every message into a database. Now, on the first post
> >>I want it to like set the name, so on first post it would say Name: and
> >>you set your name, then on every other message you post it just says
> >>Posted by and remembers your name from the last entry. Is this anyhow
> >>possible?
> >
> >
> > Check session... if no name, display name prompt, otherwise don't
> > display name prompt.
> >
> > Cheers,
> > Rob.
> which would I choose.
> http://us2.php.net/manual-lookup.php?pattern=sessions

In brief:

<?php
session_start();   // required before $_SESSION is read or written

// empty() cannot take a function call as its argument in PHP before 5.5
// ("Can't use function return value in write context"), so the trimmed
// value is compared against '' instead.
if( isset( $_POST['userName'] ) && trim( $_POST['userName'] ) !== '' )
{
    //
    // Save userName to session.
    //
    $_SESSION['userName'] = trim( $_POST['userName'] );
}

if( isset( $_POST['message'] ) && trim( $_POST['message'] ) !== ''
    &&
    isset( $_SESSION['userName'] ) )
{
    //
    // Handle submission of message.
    //
}

if( !isset( $_SESSION['userName'] ) )
{
    //
    // Display user name prompt.
    //
}


attached mail follows:


Dotan Cohen <dotancohengmail.com> writes:

> I don't really like CAPTCHAs. I'm filtering the content now, which is
> in my opinion better anyway. In my university one of the computer
> science projects (for an assignment!) is to break CAPTCHAs. JPG -> BMP
> and once it's a BMP the white noise and lines can be removed (think
> photoshop filters), then OCR software extracts the words. It even
> works on squiggly text with the right fonts installed in the OCR. Not
> 100%, but it is easier for the computer to decipher than a handicapped
> person, or a text browser. And I don't want to lock those out.

You might find http://www.videolan.org/pwntcha/ helpful

--
Raj Shekhar (still trying to get over his email backload)
blog : http://rajshekhar.net/blog home : http://rajshekhar.net
Disclaimer : http://rajshekhar.net/disclaimer