|
Also, if you wish to keep a copy of the sanitised HTML, you can use a cache like memcached.
|
# ? Apr 5, 2008 11:04 |
|
I agree that sanitizing should be the last step before output or very close to it, but that doesn't necessarily have anything to do with string concatenation syntax. In most of my applications, the process that outputs data retrieves all of its input from a store that sanitizes everything it receives.
|
# ? Apr 5, 2008 11:13 |
|
duz posted: And braces allows you to do crazy things like: They were also my only way out of some heredoc trouble with arrays:
php:
<?
$array['john'] = "John Laurence"; // or whatever, I'm just looking for a poo poo example
$value[1] = 'john';
echo <<<EOF
this is {$array[$value[1]]} and you will love him.
EOF;
?>
|
# ? Apr 5, 2008 16:48 |
|
MononcQc posted: Adding braces around $array[$value[1]] to get {$array[$value[1]]} was the best way to get the arrays to work properly. PHP
|
# ? Apr 5, 2008 17:29 |
|
Bonus posted: I'm of the opinion that it's generally best to sanitize data as late as possible. So if you're sanitizing it for output, sanitize it right before outputting or when you know that you won't be doing anything with it other than outputting. So would there be anything wrong with sanitizing as late as the MySQL query string? Right now, I'm getting away with processing form inputs with their original $_POST superglobals, then using htmlspecialchars() at the query function argument to keep form inputs from doing anything too powerful, though I don't know if that would leave you wide open on older, less secure versions of PHP. Zorilla fucked around with this message at 02:29 on Apr 6, 2008 |
# ? Apr 6, 2008 02:24 |
|
Nevermind.
Khorne fucked around with this message at 20:14 on Apr 6, 2008 |
# ? Apr 6, 2008 04:52 |
|
Zorilla posted: So would there be anything wrong with sanitizing as late as the MySQL query string? Right now, I'm getting away with processing form inputs with their original $_POST superglobals, then using htmlspecialchars() at the query function argument to keep form inputs from doing anything too powerful, though I don't know if that would leave you wide open on older, less secure versions of PHP. htmlspecialchars() won't stop SQL injection. You'll need to use mysql_real_escape_string() to properly clean the string for inserting into the database.
|
# ? Apr 6, 2008 23:36 |
|
Zorilla posted: So would there be anything wrong with sanitizing as late as the MySQL query string? Right now, I'm getting away with processing form inputs with their original $_POST superglobals, then using htmlspecialchars() at the query function argument to keep form inputs from doing anything too powerful, though I don't know if that would leave you wide open on older, less secure versions of PHP. But ideally I think the sanitizing for the database should be coupled with the layer that does the actual insertion. A good example of that is either ADOdb or mysqli where you do stuff like this:
php:
<?
$conn->Execute("SELECT * FROM TABLE WHERE COND=?", array($val));
?>
php:
<?
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
    $stmt->bind_param("s", $city);
    $stmt->execute();
    $stmt->bind_result($district);
    $stmt->fetch();
    $stmt->close();
}
?>
And you probably shouldn't sanitize the input in any other way (i.e. htmlspecialchars) before inserting it into the database. You should always have pure data in your database and then sanitize it for output after fetching it from the database. hey mom its 420 fucked around with this message at 00:15 on Apr 7, 2008 |
# ? Apr 7, 2008 00:12 |
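To make the point above concrete, here is an added example that is not code from the thread or from any poster: the concatenated query Zorilla describes (htmlspecialchars() as the only "sanitizing") next to the parameterised form, with the HTML encoding moved to the output step. It assumes PDO with an in-memory SQLite database so that it runs offline; the City table and the sample inputs are constructed here. For MySQL you would swap the DSN, or use mysqli prepare()/bind_param() as in the post above, and the shape is the same.

```php
<?php
// Added example, not from the thread. PDO + in-memory SQLite stand in for
// MySQL so the file runs offline; the table and inputs are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE City (Name TEXT, District TEXT)');
$db->exec("INSERT INTO City VALUES ('Paris', 'Ile-de-France')");

// Store exactly what the user sent: no htmlspecialchars(), no addslashes().
// With a placeholder the driver keeps data and SQL apart, so a quote in
// $name is just a byte in a column.
function store_city(PDO $db, string $name, string $district): void
{
    $stmt = $db->prepare('INSERT INTO City (Name, District) VALUES (?, ?)');
    $stmt->execute([$name, $district]);
}

// Vulnerable form, kept only for contrast. ENT_COMPAT is what
// htmlspecialchars() defaulted to before PHP 8.1: it leaves the single
// quote alone, so the string terminator is still in the attacker's hands.
function find_district_concat(PDO $db, string $name): array
{
    $sql = "SELECT District FROM City WHERE Name = '"
         . htmlspecialchars($name, ENT_COMPAT) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the same query, parameterised.
function find_district(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT District FROM City WHERE Name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Encoding happens at the output boundary, where the context (HTML body) is
// known; the same raw value could be JSON- or URL-encoded somewhere else.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: what a hostile form submission might carry.
$injection = "x' OR '1'='1";
$xss       = "<script>alert('xss')</script>";
store_city($db, $injection, 'n/a');
store_city($db, $xss, 'n/a');

// The concatenated query returns every District in the table for $injection,
// because the WHERE clause became  Name = 'x' OR '1'='1'  ...
print_r(find_district_concat($db, $injection));   // 3 rows
// ... while the parameterised one returns only the row literally named that.
print_r(find_district($db, $injection));          // 1 row: n/a

// Raw data leaves the database and is encoded for the page right here.
foreach ($db->query('SELECT Name FROM City') as $row) {
    echo '<li>' . html($row['Name']) . "</li>\n";
}
```

Note the explicit ENT_COMPAT in the vulnerable function: on PHP 8.1 and later htmlspecialchars() encodes the single quote by default, which would hide the injection in this demo but is still not a reason to rely on it, since the function knows nothing about SQL string syntax (backslashes, for instance, pass straight through).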
|
Incidentally, does anyone else think that the interface for mysqli is loving terrible? Especially the bind_param method. First you have to prepare the statement, then you have to bind parameters to it by giving it variables and strings like "sssd", then execute, bind results to variables, then fetch the data and then loop and output the variables that have the results bound to them repeatedly. Sure, binding results to variables and then the current row being assigned to those variables saves memory by not storing all results in an array but it's not like you're going to be outputting 1 million records on a single page. ADOdb does it way better.
|
# ? Apr 7, 2008 00:26 |
|
Bonus posted: Incidentally, does anyone else think that the interface for mysqli is loving terrible? Especially the bind_param method. First you have to prepare the statement, then you have to bind parameters to it by giving it variables and strings like "sssd", then execute, bind results to variables, then fetch the data and then loop and output the variables that have the results bound to them repeatedly.
|
# ? Apr 7, 2008 00:41 |
|
bt_escm posted: htmlspecialchars() won't stop SQL injection. You'll need to use mysql_real_escape_string() to properly clean the string for inserting into the database. Right, I was just trying to prevent users from embedding HTML into pages. One of the things I've noticed is that the query string is already escaped for you (PHP 5.2.0) and attempting to use mysql_real_escape_string() will end up escaping your string twice. I'm guessing my hosting has magic_quotes_gpc turned on. What's the proper way to handle things whether this is on or off? Detect whether magic_quotes_gpc is turned off and only escape the query string manually then? If you haven't guessed, I'm a total beginner and suck at programming anyway.
|
# ? Apr 7, 2008 01:06 |
|
Zorilla posted: Right, I was just trying to prevent users from embedding HTML into pages. For stuff that's to run on servers I can't control, I put this at the start of my script(s):
php:
<?
if (get_magic_quotes_gpc()) {
    if (!function_exists('stripslashes_array')) {
        // Recursive: nested form arrays ($_POST['tags'][] etc.) need it too
        function stripslashes_array($array) {
            return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
        }
    }
    $_GET     = stripslashes_array($_GET);
    $_POST    = stripslashes_array($_POST);
    $_REQUEST = stripslashes_array($_REQUEST);
}
?>
|
# ? Apr 7, 2008 01:25 |
|
That's pretty much what I just ended up doing:
php:
<?
if (get_magic_quotes_gpc()) {
    $cleanquery = $query;                           // magic quotes already added the slashes
} else {
    $cleanquery = mysql_real_escape_string($query); // escape it ourselves
}
?>
Zorilla fucked around with this message at 01:37 on Apr 7, 2008 |
# ? Apr 7, 2008 01:34 |
|
Say, since we're on the subject of escaping, I noticed a little while ago that whenever data comes in through a <textarea>, the string is already escaped. If I run it through mysql_real_escape_string, double escaping will occur. I don't know if it's the browser that's doing this, or if it's some kind of magic quotes thing... After I finally realized this, I just stopped escaping all my textarea data. Is this a bad decision?
|
# ? Apr 7, 2008 08:11 |
|
nbv4 posted: Say, since we're on the subject of escaping, I noticed a little while ago that whenever data comes in through a <textarea>, the string is already escaped. If I run it through mysql_real_escape_string, double escaping will occur. I don't know if it's the browser that's doing this, or if it's some kind of magic quotes thing... After I finally realized this, I just stopped escaping all my textarea data. Is this a bad decision? Well, the conclusion I think I just came to hours earlier (with some help) is that you should check to see if magic quotes is enabled, then either don't escape if it's on or do escape if it's off. Also, when loading MySQL fields into a textarea, be sure to encode any HTML markup inside them. Web browsers will render anything between textarea tags as plaintext so you probably aren't vulnerable to XSS, but it will result in invalid (X)HTML if there is actual markup in there.
Zorilla fucked around with this message at 08:29 on Apr 7, 2008 |
# ? Apr 7, 2008 08:14 |
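An added example for the textarea point above (not code from the thread or from Zorilla): the same stored value rendered into a <textarea> without and with htmlspecialchars(). The stored value is constructed here rather than fetched from MySQL. It also shows the case the post does not cover: if the data contains a literal </textarea>, the unencoded version ends the element early and whatever follows is live markup, so the problem is a stored XSS rather than only invalid (X)HTML.

```php
<?php
// Added example, not from the thread. The "database value" is constructed.

// What a user could have saved through the form earlier.
$stored = "Hello <b>world</b>\n</textarea><script>alert('pwned')</script>";

// Unencoded: the first </textarea> inside the data closes the element and
// the rest of the string is parsed as HTML, script tag included.
function textarea_unsafe(string $name, string $value): string
{
    return "<textarea name=\"$name\">$value</textarea>";
}

// Encoded: every '<', '>', '&' and quote becomes an entity. The browser
// decodes them for display, so the user sees and resubmits the original
// text, but nothing in the data can end the element early.
function textarea_safe(string $name, string $value): string
{
    $n = htmlspecialchars($name,  ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<textarea name=\"$n\">$v</textarea>";
}

// A check worth keeping in a test suite: the rendered field must contain
// exactly one closing tag, the one the template wrote itself.
function closes_once(string $html): bool
{
    return substr_count(strtolower($html), '</textarea>') === 1;
}

echo textarea_unsafe('bio', $stored), "\n\n";  // two </textarea>, script would run
echo textarea_safe('bio', $stored), "\n\n";    // one </textarea>, inert text
var_dump(closes_once(textarea_unsafe('bio', $stored)));  // bool(false)
var_dump(closes_once(textarea_safe('bio', $stored)));    // bool(true)
```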
|
Zorilla posted: Well, the conclusion I think I just came to hours earlier (with some help) is that you should check to see if magic quotes is enabled, then either don't escape if it's on or do escape if it's off. While I've never heard of it causing problems, it is recommended to unescape it and use the MySQL extension's escape function if magic quotes is on.
|
# ? Apr 7, 2008 08:38 |
|
Atom posted: While I've never heard of it causing problems, it is recommended to unescape it and use the MySQL extension's escape function if magic quotes is on. I think the PHP documentation says the same thing. In other words, something like this?
php:
<?
// Pretend a MySQL connection is open already
$cleanquery = mysql_real_escape_string(stripslashes($query));
$result = mysql_query($cleanquery);
?>
Zorilla fucked around with this message at 09:05 on Apr 7, 2008 |
# ? Apr 7, 2008 09:02 |
|
Zorilla posted: I think the PHP documentation says the same thing. In other words, something like this? That's what I usually do if magic quotes is on.
|
# ? Apr 7, 2008 17:42 |
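The approach the last few posts converge on, as an added example that is not code from the thread: undo magic quotes once at the top of the request (recursively, since form arrays nest), so every later layer sees raw data and escapes or binds it exactly once. It is guarded so it also runs on PHP 7.4 and later, where get_magic_quotes_gpc() is gone. Because mysql_real_escape_string() needs a live connection, a small stand-in that applies only the backslash and quote rules is used to show the double-escaping on constructed input; in real code use the driver's function or, better, a bound parameter.

```php
<?php
// Added example, not from the thread. Inputs below are constructed.

function magic_quotes_on(): bool
{
    // get_magic_quotes_gpc() was deprecated in 7.4 and removed in 8.0
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursive: $_POST['tags'][] style inputs arrive as nested arrays.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Call once, before anything reads the superglobals.
function normalise_request(): void
{
    if (magic_quotes_on()) {
        $_GET     = undo_magic_quotes($_GET);
        $_POST    = undo_magic_quotes($_POST);
        $_COOKIE  = undo_magic_quotes($_COOKIE);
        $_REQUEST = undo_magic_quotes($_REQUEST);
    }
}

// Stand-in for mysql_real_escape_string(), which needs a connection. Only
// the backslash/quote rules are reproduced; NUL, newline and \x1a handling
// are left to the real driver function.
function escape_like_mysql(string $s): string
{
    return str_replace(['\\', "'", '"'], ['\\\\', "\\'", '\\"'], $s);
}

// Constructed: what PHP handed you with magic_quotes_gpc=On, which simply
// ran addslashes() over every GPC value.
$raw  = ['name' => "O'Brien", 'tags' => ["it's", 'plain']];
$post = ['name' => addslashes("O'Brien"), 'tags' => [addslashes("it's"), 'plain']];

// Wrong: escaping the already-slashed value doubles the backslash, and the
// row MySQL stores reads  O\'Brien  instead of  O'Brien.
$double = escape_like_mysql($post['name']);                  // O\\\'Brien

// Right: strip first, then escape (or bind) exactly once.
$clean  = undo_magic_quotes($post);
$once   = escape_like_mysql($clean['name']);                 // O\'Brien

var_dump($double, $once);
var_dump($clean === $raw);                                   // bool(true)
```

The "escape if off, leave alone if on" variant that appears earlier in the thread is the same idea with one weakness: magic quotes used addslashes(), which knows nothing about the connection's character set, whereas mysql_real_escape_string() does. Stripping and re-escaping, or binding, removes that dependency on php.ini.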
|
I have this one class which is getting so huge, it's almost 2000 lines. I want to split it up into smaller text files to make editing easier, but I'm having trouble doing so. Apparently you can't just do:
php:
<?
class foo extends lol {
    include "text_file_with_methods.php";

    function blah() {
        ...
?>
|
# ? Apr 7, 2008 18:09 |
|
nbv4 posted: I have this one class which is getting so huge, it's almost 2000 lines. I want to split it up into smaller text files to make editing easier, but I'm having trouble doing so. Apparently you can't just do: Either try and split the class up logically into smaller classes, or leave it as it is if you can't.
|
# ? Apr 7, 2008 18:17 |
|
Inquisitus posted: Either try and split the class up logically into smaller classes, or leave it as it is if you can't. I could do that fairly easily because this huge class is essentially two classes in one anyways, but the only problem is that this class's constructor runs like 20 SQL queries which provide information for pretty much every function in that class. If I split it into two or three classes, I'll have to run those constructors another time or maybe even twice more. I'd really hate to do that for just the convenience of having separate text files...
|
# ? Apr 7, 2008 18:27 |
|
You can have constructors run the parent's constructors or you can have your queries just use the last used connection.
|
# ? Apr 7, 2008 18:30 |
|
duz posted: You can have constructors run the parent's constructors or you can have your queries just use the last used connection.
|
# ? Apr 7, 2008 18:34 |
nbv4 posted: I'm not worried about that, I'm worried about actually running the queries twice, one for each object. I'm kind of a performance stickler like that. Is there any way to easily copy a bunch of member variables from one object to another? I admit I'm not really an OOP expert. Not really sure how you are instantiating them, but this should work fine. Or if you are instantiating Bar inside of Foo's constructor, $bar->fields = $this->fields, etc. I'm new to OOP as well, so hopefully somebody else will weigh in on this too.
php:
<?
$foo = new Foo();
$bar = new Bar();
$foo->fields = $bar->fields;
?>
php:
<?
get_class_vars(get_class($this));
?>
fletcher fucked around with this message at 18:56 on Apr 7, 2008 |
|
# ? Apr 7, 2008 18:51 |
|
nbv4 posted: I'm not worried about that, I'm worried about actually running the queries twice, one for each object. I'm kind of a performance stickler like that. Is there any way to easily copy a bunch of member variables from one object to another? I admit I'm not really an OOP expert. You don't want to copy member data or do the SQL multiple times -- that defeats the purpose of OOP. Remove functionality from the large object into other classes. It may make sense for the main class to hold instances of these new classes. The new classes could use properties of the main object by receiving a reference to it:
php:
<?
class Foo {
    var $fighter;
    var $some_data = 'awesome';

    function Foo() {
        $this->fighter = new FooFighter();
    }

    function attack() {
        $this->fighter->kungfoo($this);
    }
}

class FooFighter {
    function kungfoo(&$foo) {
        echo "HIII-YAH! I'm " . $foo->some_data . "!\n";
    }
}

...

$foo = new Foo();
$foo->attack(); // prints "HIII-YAH! I'm awesome!"
?>
|
# ? Apr 7, 2008 21:51 |
|
I've given up trying to fix my comments problem from previous posts. I just don't understand php well enough to do the job myself. Does anyone know of a php news publishing script that can be integrated into an existing site (not a cms script) that includes the comments inside the news posts at all times? In other words, you don't have to view the full story or load a new page to view comments as they are already displayed on the initial post, along with the comment submission form.
|
# ? Apr 7, 2008 22:17 |
|
Is this the right place for Zend questions? I hope so. I've got an IndexController with four actions. indexAction works fine, the other three give me 404 errors. (I have views setup for all four). Is this because mod_rewrite isn't setup properly? Or my .htaccess is badly written?
|
# ? Apr 8, 2008 05:37 |
|
nbv4 posted: I have this one class which is getting so huge, it's almost 2000 lines. I want to split it up into smaller text files to make editing easier, but I'm having trouble doing so. Apparently you can't just do: This is where C#'s "partial class" definitions feature would come in handy. But we don't have that, so here's what I do with my 18000 line class that contains all the DB schema upgrades we've made since version 1:
php:
<?
class DBUpgraderBase {
    function upgrade_version_1() { ... }
    function upgrade_version_2() { ... }
    ...
    function upgrade_version_99() { ... }
}
?>
php:
<?
class DBUpgraderBase1 extends DBUpgraderBase {
    function upgrade_version_100() { ... }
    ...
    function upgrade_version_199() { ... }
}
?>
php:
<?
class DBUpgrader extends DBUpgraderBase6 {
    function upgrade_version_700() { ... }
}
?>
|
# ? Apr 8, 2008 05:47 |
|
minato posted: Yeah, I was going to say he should start with a class and then subsequent classes should extend it. I guess this is one way of saying it.
|
# ? Apr 8, 2008 06:39 |
|
genericadmin posted: (code) I would suggest this. Your problem is a good application for a class factory. Have a class (the factory) that does the expensive SQL and add methods on it to get instances of the chunks of your big class that you've created. Have the chunks take a reference to the factory (so they can get at the stored results of the expensive SQL). You run the queries once and can produce different objects that can get at one copy of the results.
|
# ? Apr 8, 2008 07:29 |
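The factory shape from the post above, as an added example (not code from the thread or from any poster). The factory owns the connection and runs each expensive query once, caching the rows; the smaller feature objects it hands out keep a reference to the factory and read the cached results. PDO with an in-memory SQLite database stands in for MySQL so the file runs offline, and the settings table is a placeholder for the real schema.

```php
<?php
// Added example, not from the thread. Table and rows are constructed.

final class SiteData
{
    private PDO $db;
    private array $cache = [];
    public int $queryCount = 0;   // exposed only to show how often SQL ran

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // One query per group, the first time it is requested; every object built
    // from this factory then reads the same array.
    public function group(string $name): array
    {
        if (!isset($this->cache[$name])) {
            $this->queryCount++;
            $stmt = $this->db->prepare('SELECT name, value FROM settings WHERE grp = ?');
            $stmt->execute([$name]);
            $this->cache[$name] = $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
        }
        return $this->cache[$name];
    }

    // Factory methods: the chunks the big class was split into.
    public function users(): UserFeatures
    {
        return new UserFeatures($this);
    }

    public function billing(): BillingFeatures
    {
        return new BillingFeatures($this);
    }
}

final class UserFeatures
{
    private SiteData $data;
    public function __construct(SiteData $data) { $this->data = $data; }
    public function maxLogins(): int { return (int) $this->data->group('users')['max_logins']; }
}

final class BillingFeatures
{
    private SiteData $data;
    public function __construct(SiteData $data) { $this->data = $data; }
    public function currency(): string { return $this->data->group('billing')['currency']; }
    // Reads the 'users' rows already loaded for UserFeatures; no second query.
    public function seatLimit(): int { return (int) $this->data->group('users')['max_logins']; }
}

// Constructed fixture data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE settings (grp TEXT, name TEXT, value TEXT)');
$db->exec("INSERT INTO settings VALUES ('users', 'max_logins', '5'), ('billing', 'currency', 'EUR')");

$site    = new SiteData($db);
$users   = $site->users();
$billing = $site->billing();
echo $users->maxLogins(), ' ', $billing->currency(), ' ', $billing->seatLimit(), "\n"; // 5 EUR 5
echo $site->queryCount, "\n";   // 2: one per settings group, not one per object
```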
|
I've got a client we're doing a web page redesign for and it turns out he would like to be able to edit basically anything that might need changing on the site on his own. Normally, I would just set up some system like Website Baker or CMS Made Simple, but this site in particular has quite a bit of markup I don't want the client to disturb. Plus, the site has some dynamic content with a backend I wrote a month or so ago to edit its contents. I just found out about a system called Cushy CMS, which looks like it would work brilliantly. Unfortunately, it seems to only support static pages and appears to be a service you have to use through their site instead of installing on your web server. And it's in closed beta- not something I want business clients using. Are there any systems out there that are fairly easy to set up like Cushy CMS that would work with PHP pages? The idea is for the site owner to be able to edit snippets of information such as the welcome text or store hours in the backend without having to muck around in HTML. If creating a solution to this is beyond me, it can be contracted out. I'm just looking for recommendations. Zorilla fucked around with this message at 03:04 on Apr 9, 2008 |
# ? Apr 9, 2008 03:02 |
|
How do I search for <br /> with preg_match_all?
|
# ? Apr 9, 2008 04:45 |
|
drcru posted: How do I search for <br /> with preg_match_all?
preg_match_all("#<br />#", $string, $m)
Or, if you want to be slashy...
preg_match_all("/<br \/>/", $string, $m)
Or, if you want to be flexible (matches both <br> and <br />)...
preg_match_all("#<br(?: /)?>#", $string, $m)
|
# ? Apr 9, 2008 05:15 |
|
drcru posted: How do I search for <br /> with preg_match_all?
preg_match_all("/<br \/>/i", $in, $out);
(case-insensitive, will only match <br /> and not <br>)
|
# ? Apr 9, 2008 05:19 |
|
Can I assume that #\n# will find all new lines?
|
# ? Apr 9, 2008 05:27 |
|
drcru posted: Can I assume that #\n# will find all new lines? Yes. If you have any more questions you should probably just google a regular expressions tutorial.
|
# ? Apr 9, 2008 05:37 |
|
drcru posted: Can I assume that #\n# will find all new lines?
|
# ? Apr 9, 2008 05:43 |
|
gibbed posted: If you're serious about using a regular expression to find newlines, you probably want #\r?\n|\r# instead. You should probably just normalize newlines from the get-go with something like:
$str = str_replace(array("\r\n", "\r"), "\n", $str);
especially since PCRE by default understands \n as the newline character. admiraldennis fucked around with this message at 06:21 on Apr 9, 2008 |
# ? Apr 9, 2008 06:19 |
Is it a bad idea to write a backup script in PHP? I just need it to dump the database, tar.gz a folder, delete the oldest backup on the backup server, and upload the new one. It seems like it would be cake to write it in PHP, but should I? Is there a reason I have to write this as a bash script?
|
|
# ? Apr 9, 2008 08:59 |
|
fletcher posted: Is it a bad idea to write a backup script in PHP? I just need it to dump the database, tar.gz a folder, delete the oldest backup on the backup server, and upload the new one. It seems like it would be cake to write it in PHP, but should I? Is there a reason I have to write this as a bash script? Since you already know PHP, writing it in PHP would make the most sense. I really don't think it would matter what you write it in.
|
# ? Apr 9, 2008 09:40 |
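An added example of the backup script fletcher describes, not code from the thread or from fletcher: dump the database, tar.gz a folder together with the dump, and work out which old archives to delete. It assumes mysqldump and tar are on PATH, a database user named backup whose password arrives in the DB_PASS environment variable, and a site folder of /var/www/mysite; the upload step is left as a comment because it depends on the remote side. Two habits are worth copying whatever language you pick: the database password goes into a mode-0600 defaults file rather than on the command line, where ps shows it to every local user, and every shell argument passes through escapeshellarg(). Run without the run argument the file only exercises the rotation logic on constructed names.

```php
<?php
// Added example, not from the thread. Paths, user and table are assumptions.

const KEEP = 7;   // archives to retain

function run(string $cmd): void
{
    exec($cmd . ' 2>&1', $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("command failed ($status): " . implode("\n", $output));
    }
}

function dump_database(string $user, string $pass, string $dbName, string $outFile): void
{
    // Credentials go through --defaults-extra-file so they never appear in
    // argv; tempnam() creates the file with mode 0600 already.
    $cnf = tempnam(sys_get_temp_dir(), 'mycnf');
    chmod($cnf, 0600);
    file_put_contents($cnf, "[client]\nuser={$user}\npassword=\"{$pass}\"\n");
    try {
        run(sprintf('mysqldump --defaults-extra-file=%s %s > %s',
            escapeshellarg($cnf), escapeshellarg($dbName), escapeshellarg($outFile)));
    } finally {
        unlink($cnf);
    }
}

function archive_folder(string $folder, string $dumpFile, string $outFile): void
{
    // -C changes directory for the arguments that follow it, so the site
    // folder and the dump end up side by side inside the archive.
    run(sprintf('tar -czf %s -C %s . -C %s %s',
        escapeshellarg($outFile),
        escapeshellarg($folder),
        escapeshellarg(dirname($dumpFile)),
        escapeshellarg(basename($dumpFile))));
}

function backup_name(DateTimeInterface $when): string
{
    return 'backup-' . $when->format('Ymd\THis') . '.tar.gz';
}

// Rotation: only files matching our own naming scheme are considered, they
// sort lexically by timestamp, and everything beyond the newest KEEP is
// returned for deletion (the caller removes them on the backup server).
function stale_backups(array $names, int $keep = KEEP): array
{
    $names = array_values(array_filter(
        $names,
        fn($n) => preg_match('/^backup-\d{8}T\d{6}\.tar\.gz$/', $n) === 1
    ));
    sort($names);
    return array_slice($names, 0, max(0, count($names) - $keep));
}

if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'run') {
    $work = sys_get_temp_dir() . '/backup-' . getmypid();
    mkdir($work, 0700);
    $dump    = "$work/db.sql";
    $archive = "$work/" . backup_name(new DateTimeImmutable());
    dump_database('backup', getenv('DB_PASS') ?: '', 'mysite', $dump);
    archive_folder('/var/www/mysite', $dump, $archive);
    // upload($archive) and deletion of stale_backups(<remote listing>) go here
    unlink($dump);
}

// Offline self-check of the rotation logic on constructed names.
$names = ['backup-20080409T010000.tar.gz', 'notes.txt',
          'backup-20080401T010000.tar.gz', 'backup-20080405T010000.tar.gz'];
print_r(stale_backups($names, 2));   // ['backup-20080401T010000.tar.gz']
```

If the script is scheduled from cron, keep it outside the web root and give it its own MySQL account with only the SELECT and LOCK TABLES privileges mysqldump needs, so the credential in the defaults file cannot be used to change data if it leaks.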