<?PHP questions that don\\'t need their own thread ?>

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Cavern of COBOL > <?PHP questions that don\\'t need their own thread ?>

«‹›223 »

Rat Supremacy: Jul 15, 2007; The custom title is an image and/or line of text that appears below your name in the forums

I always use the colon and it works fine.

# ? Jan 3, 2010 14:34

Adbot: ADBOT LOVES YOU

# ? May 16, 2024 16:07

Yossarko: Jan 22, 2004

When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ?

I'd like to maybe MD5 the password, and when mysql_connect'ing tell it to compare it with an MD5'd version of the database password.

I want to do this in PHP (in my sqlconfig.php) and not in a .vhost or anything.

# ? Jan 4, 2010 10:17

Standish: May 21, 2001

Yossarko posted:

When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ?

I'd like to maybe MD5 the password, and when mysql_connect'ing tell it to compare it with an MD5'd version of the database password.

Pointless. Sure, your password can't be stolen if someone gains read access to your PHP source, but they can steal the MD5'ed password, which is just as good as the password itself for the purposes of logging into the DB.

(Also I wouldn't use MD5 for any new security-related code, best practice is to use SHA-2.)

Standish fucked around with this message at 11:00 on Jan 4, 2010

# ? Jan 4, 2010 10:57

Rat Supremacy: Jul 15, 2007; The custom title is an image and/or line of text that appears below your name in the forums

Yossarko posted:

When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ?

I'd like to maybe MD5 the password, and when mysql_connect'ing tell it to compare it with an MD5'd version of the database password.

I want to do this in PHP (in my sqlconfig.php) and not in a .vhost or anything.

If you could tell the MySQL server to authenticate like that, then having the MD5 of the password would be as good as having having the plaintext one.

Just keep your config files in a non-web accessible directory.

# ? Jan 4, 2010 11:19

Hammerite: Mar 9, 2007; And you don't remember what I said here, either, but it was pompous and stupid.; Jade Ear Joe

Yossarko posted:

When using mysql_connect, is there any way to connect without having my password in the PHP files in clear text ?

I'd like to maybe MD5 the password, and when mysql_connect'ing tell it to compare it with an MD5'd version of the database password.

I want to do this in PHP (in my sqlconfig.php) and not in a .vhost or anything.

Like haywire said, the best you can do is to keep the password in a file that isn't directly accessible to your site's visitors, i.e. outside of the root web directory.

It should be 1) somewhere visitors to the site can't get to, 2) in a file with extension .php

(the reason for 2 is in case something goes horribly wrong and visitors can somehow get to the file, they won't see the actual file content, because when they visit the page it should be parsed as PHP. This way, in order for a visitor to see the password, two things have to go wrong: the file has to be directly accessible and PHP has to be broken somehow.)

# ? Jan 4, 2010 13:53

Little Brittle: Nov 1, 2004; Come visit me dawg

I need to download a text file every 10 minutes from a remote server. What is the best way to grab the file, while ensuring that the file is not being currently written? Right now, I'm grabbing the file via PHP FTP commands and processing it.

# ? Jan 4, 2010 23:08

DarkLotus: Sep 30, 2001; Lithium Hosting
Personal, Reseller & VPS Hosting
30-day no risk Free Trial &
90-days Money Back Guarantee!

Little Brittle posted:

I need to download a text file every 10 minutes from a remote server. What is the best way to grab the file, while ensuring that the file is not being currently written? Right now, I'm grabbing the file via PHP FTP commands and processing it.

you can use curl, it is probably the best option for using PHP to grab anything from a remote server. You could run something on the remote server to send you the file. This would allow you to lock it while sending.

# ? Jan 5, 2010 00:11

Little Brittle: Nov 1, 2004; Come visit me dawg

DarkLotus posted:

you can use curl, it is probably the best option for using PHP to grab anything from a remote server. You could run something on the remote server to send you the file. This would allow you to lock it while sending.

I'm familiar with CURL, but I don't have access to the remote server. It is ran by a vendor and all they offer is this text file that updates at 10 minute intervals. I just want to find a way to be sure I don't grab an incomplete file.

# ? Jan 5, 2010 10:15

DoctorScurvy: Nov 11, 2005; More of a passing curiosity, really

Little Brittle posted:

I'm familiar with CURL, but I don't have access to the remote server.

If you don't have access to the remote server, then how on earth are you getting the file now?

# ? Jan 5, 2010 11:07

Hanpan: Dec 5, 2004

Hope this is the right place to post this, I could really use a hand with my .htaccess file.

I have a directory structure like so:

code:

index.php
apps
media
- css
- images
system 
- admin
- <framework files here>

My .htaccess file is currently setup to rewrite index.php to allow for clean urls, like so:

code:

RewriteEngine On
RewriteCond $1 !^(index\.php|media|jscript)
RewriteRule ^/?(.*)$ index.php/$1 [L,QSA]

What I'd like to do is make it so that the url http://localhost/website/admin/ look in the system/admin folder and allows for standard .php files without rewritting.

I managed to get this to work by using the following:

code:

RewriteEngine On
RewriteCond $1 !^(index\.php|media|jscript|admin|system)
RewriteRule ^/?(.*)$ index.php/$1 [L,QSA]
RewriteRule ^/?(admin.*)$ system/$1 [L,QSA]

But this obviously allows people to browse the system folder. Apart from adding a blank index.html file to the system folder, is there a way I can rewrite anything http://localhost/website/system/ back to the index page, but at the same time allow for http://localhost/website/admin/ ?

Any help would be greatly appreciated.

# ? Jan 5, 2010 11:51

DoctorScurvy: Nov 11, 2005; More of a passing curiosity, really

I don't quite understand what you want to do, but if you use the line

code:

IndexIgnore *

in your top level .htaccess it will stop people from being able to see the list of files in any of your folders. If you put an index.php in the system folder that returns a 404 error message to the browser, nobody who is actively looking will even be able to tell that the system folder exists.

# ? Jan 5, 2010 12:10

Hanpan: Dec 5, 2004

DoctorScurvy posted:

I don't quite understand what you want to do, but if you use the line
code:
IndexIgnore *
in your top level .htaccess it will stop people from being able to see the list of files in any of your folders. If you put an index.php in the system folder that returns a 404 error message to the browser, nobody who is actively looking will even be able to tell that the system folder exists.

Oh I forgot about IndexIgnore, I'll certainly throw that in there.

What I am trying to do is basically route anything http://localhost/website/system/admin to the url http://localhost/website/admin/ in a horrible attempt to hide the fact that the admin folder resides inside a system folder.

# ? Jan 5, 2010 12:22

Rat Supremacy: Jul 15, 2007; The custom title is an image and/or line of text that appears below your name in the forums

Little Brittle posted:

I need to download a text file every 10 minutes from a remote server. What is the best way to grab the file, while ensuring that the file is not being currently written? Right now, I'm grabbing the file via PHP FTP commands and processing it.

Grab the file every 5 minutes and see which is longest?

# ? Jan 5, 2010 15:08

LifeSizePotato: Mar 3, 2005

I have a webpage that's suddenly giving me problems. I'm pretty sure this is correct code, but I wanted to run it by here before I contact the host to see if there's something wrong with their PHP settings.

Anyway, it's a page that works as a template and includes an html file as defined in the url. I'm not really a programmer so forgive me if I'm using inadequate terminology. So, for example, the page ends up being https://www.website.com/template.php?id=23 , where "23" is actually an included html file, "23.html"

Here's the code on template.php:

<?php include ('./pages/'.$id.'.html'); ?>

I have several files in /pages/ that are just numbers, like 16.html and 50.html. Isn't that enough? The error I always get:

Warning: main(./pages/.html): failed to open stream: No such file or directory
Failed opening './pages/.html' for inclusion (include_path='.:/hsphere/shared/apache/libexec/php4ext/php/')

If I make an empty file named .html and put it in the pages directory, that blank loads fine but nothing else will. Then, even a url like template.php?id=10 will just load the blank .html file. So, it seems like it's not realizing that $id is supposed to be supplied by the url, like template.php?id=23 .

On another page, I have a randomizer that works with basically the same concept and functions fine:

<?php
srand((double)microtime()*1000000);
$num = rand(1,25);

include ('./pages/random/'.$num.'.html');

?>

Do I need to define "id" within the <?php ?> tags on the page, as is done with the randomizer code? I thought that by having ?id=XX in the url, it is defining the id that way. If it's not the code, what would I tell the webhost to look at in its PHP settings?

# ? Jan 5, 2010 19:39

Golbez: Oct 9, 2002; 1 2 3!
If you want to take a shot at me get in line, line
1 2 3!
Baby, I've had all my shots and I'm fine

LifeSizePotato posted:

I have a webpage that's suddenly giving me problems. I'm pretty sure this is correct code, but I wanted to run it by here before I contact the host to see if there's something wrong with their PHP settings.

Anyway, it's a page that works as a template and includes an html file as defined in the url. I'm not really a programmer so forgive me if I'm using inadequate terminology. So, for example, the page ends up being https://www.website.com/template.php?id=23 , where "23" is actually an included html file, "23.html"

Here's the code on template.php:

<?php include ('./pages/'.$id.'.html'); ?>

I have several files in /pages/ that are just numbers, like 16.html and 50.html. Isn't that enough? The error I always get:

Warning: main(./pages/.html): failed to open stream: No such file or directory
Failed opening './pages/.html' for inclusion (include_path='.:/hsphere/shared/apache/libexec/php4ext/php/')

If I make an empty file named .html and put it in the pages directory, that blank loads fine but nothing else will. Then, even a url like template.php?id=10 will just load the blank .html file. So, it seems like it's not realizing that $id is supposed to be supplied by the url, like template.php?id=23 .

On another page, I have a randomizer that works with basically the same concept and functions fine:

<?php
srand((double)microtime()*1000000);
$num = rand(1,25);

include ('./pages/random/'.$num.'.html');

?>

Do I need to define "id" within the <?php ?> tags on the page, as is done with the randomizer code? I thought that by having ?id=XX in the url, it is defining the id that way. If it's not the code, what would I tell the webhost to look at in its PHP settings?

Parameters in the URL are inside the $_GET array. So for that, you would replace $id with $_GET['id']. And then of course there's all the attendant security issues with that.

# ? Jan 5, 2010 20:16

thedaian: Dec 11, 2005; Blistering idiots.

Golbez posted:

Parameters in the URL are inside the $_GET array. So for that, you would replace $id with $_GET['id']. And then of course there's all the attendant security issues with that.

To clarify this a bit, and explain WHY it stopped working: Your host did in fact change some php settings, namely, turning 'register globals' OFF, which means that you have to define variables that come in via the URL or through forms (via GET[] or POST[] respectively).

The way you have things set up now, there's a huge potential for a security breach, if someone manages to so something like https://www.example.com/template.php?id=hackers.php they could cause the server to run hackers.php, or feasibly any file and thus gain access to the code and server itself, which would mean your site is hosed.

# ? Jan 5, 2010 20:46

Munkeymon: Aug 14, 2003; Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.

Golbez posted:

And then of course there's all the attendant security issues with that.

Assuming the pattern holds and all of them are ##.html, he could use

php:

<?
echo file_get_contents('./pages/'.abs(intval($_GET['id'])).'.html', FILE_TEXT);
?>

and that should prevent anything malicious from going on in PHP itself (although I think at this point a rewrite rule would actually be the better solution).

Munkeymon fucked around with this message at 20:51 on Jan 5, 2010

# ? Jan 5, 2010 20:48

LifeSizePotato: Mar 3, 2005

Can I put in an .htaccess file "register globals on"?

So would it be better to use the $_GET methodology, or are you saying that that's the bad way?

^^^^^^^^^^^^^^^^^^^^^
EDIT: I tried that code, but I get the error:

Warning: file_get_contents(./pages/83009.html): failed to open stream: No such file or directory in /hsphere/local/home/etc

So it looks like it's getting the gist of what I want to do, but it's thinking that file_get_contents is part of the file name?

LifeSizePotato fucked around with this message at 20:57 on Jan 5, 2010

# ? Jan 5, 2010 20:50

Hammerite: Mar 9, 2007; And you don't remember what I said here, either, but it was pompous and stupid.; Jade Ear Joe

LifeSizePotato posted:

Can I put in an .htaccess file "register globals on"?

I don't know. I don't think so, as (from my understanding) .htaccess controls the behaviour of Apache, which is separate from PHP. It might be possible to change this behaviour by editing php.ini, if your webhost allows you to do that. I don't know whether this behaviour can be changed that way or not.

My understanding is that register globals is heavily discouraged, because it represents a security risk - on any page where you use a variable and you've forgotten to make sure it's initialised first, a user can cause a script to behave differently to how you expect.

It seems odd to me that your host disabled a setting like that without notifying its customers via email or something. Are you using a commercial host?

quote:

So would it be better to use the $_GET methodology, or are you saying that that's the bad way?

Replacing the code you quoted in template.php with the following should do you ok

code:

<?php 
if ( isset($_GET['id']) ) {
    $id = (int)$_GET['id'];
    include ('./pages/'.$id.'.html');
} else {
    include ( your default error page goes here );
}
?>

(You should make sure that you get familiar with security issues related to unvalidated user input.)

# ? Jan 5, 2010 21:01

Munkeymon: Aug 14, 2003; Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.

LifeSizePotato posted:

Can I put in an .htaccess file "register globals on"?

So would it be better to use the $_GET methodology, or are you saying that that's the bad way?

^^^^^^^^^^^^^^^^^^^^^
EDIT: I tried that code, but I get the error:

Warning: file_get_contents(./pages/83009.html): failed to open stream: No such file or directory in /hsphere/local/home/etc

So it looks like it's getting the gist of what I want to do, but it's thinking that file_get_contents is part of the file name?

It's telling you it can't find './pages/83009.html' - try adding the option FILE_USE_INCLUDE_PATH. The end of the line should look like this instead (note the pipe) , FILE_TEXT | FILE_USE_INCLUDE_PATH);

Edit: if you're counting on PHP tags in the HTMl to get processed, then forget file_get_contents and go back to using include (without the echo), but be aware that it's a security risk if users can write anything to these HTML files!

Munkeymon fucked around with this message at 21:11 on Jan 5, 2010

# ? Jan 5, 2010 21:08

LifeSizePotato: Mar 3, 2005

Hammerite posted:

code:
<?php 
if ( isset($_GET['id']) ) {
    $id = (int)$_GET['id'];
    include ('./pages/'.$id.'.html');
} else {
    include ( your default error page goes here );
}
?>
(You should make sure that you get familiar with security issues related to unvalidated user input.)

This worked! I did discover that it's not registering an initial zero in the filenames, though. Since a lot of the document filenames are based on dates, I have some like 083008 (August 30, 2008) and it was trying to load 83008. That was causing some of the errors, so I guess I'll need to rename those files.

# ? Jan 5, 2010 21:33

DoctorScurvy: Nov 11, 2005; More of a passing curiosity, really

LifeSizePotato posted:

On another page, I have a randomizer that works with basically the same concept and functions fine:

<?php
srand((double)microtime()*1000000);
$num = rand(1,25);

include ('./pages/random/'.$num.'.html');

?>

Do I need to define "id" within the <?php ?> tags on the page, as is done with the randomizer code? I thought that by having ?id=XX in the url, it is defining the id that way. If it's not the code, what would I tell the webhost to look at in its PHP settings?

With modern php (version 4.2.0 and up) you don't need to worry about using srand.

readfile('./pages/random/'.rand(1,25).'.html');

The reason I use readfile instead of include is that this will prevent any php code in the html file from being run. You just want to spit out the page content without running it as if it were a php script, right?

# ? Jan 5, 2010 22:42

LifeSizePotato: Mar 3, 2005

DoctorScurvy posted:

With modern php (version 4.2.0 and up) you don't need to worry about using srand.

readfile('./pages/random/'.rand(1,25).'.html');

The reason I use readfile instead of include is that this will prevent any php code in the html file from being run. You just want to spit out the page content without running it as if it were a php script, right?

That's right. The actual pages it calls are really just simple text for the most part, like articles, and the template's CSS formats it.

# ? Jan 5, 2010 23:05

Little Brittle: Nov 1, 2004; Come visit me dawg

DoctorScurvy posted:

If you don't have access to the remote server, then how on earth are you getting the file now?

I meant I don't have admin rights on the remote server, I only have FTP access. Running scripts on the remote server is not in the cards.

# ? Jan 6, 2010 01:48

KuruMonkey: Jul 23, 2004

In that case as far I as know you can't do anything more than download, and inspect the filesize for any obvious discrepancy like 1/3 the size you expect or some such.

If its a standardised format you're expecting each time, validating the file is complete and in the right format is another option.

Other than that you're relying on whatever they use at the far end using sensible exclusive locking while it writes the file. Which if its a 'proper' program, not some hacked up PHP or PERL it will be, and if its well hacked up PHP or PERL it also will be.

If its seriously just a chucked together badly written script writing this and its not locking at their end, then all you can do is suffer through

# ? Jan 6, 2010 02:47

Plorkyeran: Mar 22, 2007; To Escape The Shackles Of The Old Forums, We Must Reject The Tribal Negativity He Endorsed

Just keep downloading it over and over until the file is the same twice in a row then sleep for ten minutes :v:

# ? Jan 6, 2010 03:24

DaTroof: Nov 16, 2000; CC LIMERICK CONTEST GRAND CHAMPION
There once was a poster named Troof
Who was getting quite long in the toof

Little Brittle posted:

I'm familiar with CURL, but I don't have access to the remote server. It is ran by a vendor and all they offer is this text file that updates at 10 minute intervals. I just want to find a way to be sure I don't grab an incomplete file.

Is this a problem you've already experienced, or are you just worried about the possibility? If it's actually possible for you to download an incomplete version of the file while the provider's in the middle of writing it, the provider is doing something hilariously wrong.

# ? Jan 6, 2010 05:07

waffle iron: Jan 16, 2004

When you do a GET on any file, a sane web server will open the file and hold onto that file descriptor and fread()s the gently caress out of it. Saving over a file on a sane OS will unlink that filename and then save a new file with that filename. There is probably no way you'd ever get an incorrect/incomplete file unless the people providing this service are brain dead.

# ? Jan 7, 2010 02:42

Little Brittle: Nov 1, 2004; Come visit me dawg

DaTroof posted:

Is this a problem you've already experienced, or are you just worried about the possibility? If it's actually possible for you to download an incomplete version of the file while the provider's in the middle of writing it, the provider is doing something hilariously wrong.

waffle iron posted:

When you do a GET on any file, a sane web server will open the file and hold onto that file descriptor and fread()s the gently caress out of it. Saving over a file on a sane OS will unlink that filename and then save a new file with that filename. There is probably no way you'd ever get an incorrect/incomplete file unless the people providing this service are brain dead.

This is what I was hoping to hear. I'm more of a frontend guy and don't know too much about filesystems. I guess my worries were completely unfounded if the service provider did things correctly.

# ? Jan 7, 2010 09:30

Rat Supremacy: Jul 15, 2007; The custom title is an image and/or line of text that appears below your name in the forums

Generally it is a pretty bad idea to include directly from the $_GET because it opens your site to a whole host of security issues.

# ? Jan 7, 2010 20:40

Hammerite: Mar 9, 2007; And you don't remember what I said here, either, but it was pompous and stupid.; Jade Ear Joe

SERIOUSLY CONFUSED BY QUOTE AND EDIT

# ? Jan 7, 2010 21:48

Hammerite: Mar 9, 2007; And you don't remember what I said here, either, but it was pompous and stupid.; Jade Ear Joe

Oh ok. I wouldn't go to that trouble. You could instead do the following

code:

if ( isset($_GET['id']) ) {
    $mystring = '';
    $id = (string)$_GET['id'];
    $numbers = array('0','1','2','3','4','5','6','7','8','9');
    for ( $i=0; $i<strlen($id); $i++ ) {
        if ( in_array($id[$i],$numbers) ) { $mystring .= $id[$i]; }
    }
    if ( strlen($mystring) ) {
        include ('./pages/'.$id.'.html'); // *
    } else {
        include ( your default error page goes here );
    }
} else {
    include ( your default error page goes here );
}

NB. I have reinvented the wheel with the above code, because I couldn't remember how to match start and end characters of a string using a regex (there is some worry to do with unintentionally matching new lines I think), and I couldn't be bothered to work out the right google search terms to look it up.

* It occurred to me also that there should really be a line of code here that checks whether the requested page actually exists, and just gives an error page in response if it doesn't. Otherwise what will happen if the file isn't there is PHP will give an error message of its own, which will look much more crude to your users.

Hammerite fucked around with this message at 21:53 on Jan 7, 2010

# ? Jan 7, 2010 21:49

Lumpy: Apr 26, 2002; La! La! La! Laaaa!; College Slice

Hammerite posted:

Oh ok. I wouldn't go to that trouble. You could instead do the following
code:
if ( isset($_GET['id']) ) {
    $mystring = '';
    $id = (string)$_GET['id'];
    $numbers = array('0','1','2','3','4','5','6','7','8','9');
    for ( $i=0; $i<strlen($id); $i++ ) {
        if ( in_array($id[$i],$numbers) ) { $mystring .= $id[$i]; }
    }
    if ( strlen($mystring) ) {
        include ('./pages/'.$id.'.html'); // *
    } else {
        include ( your default error page goes here );
    }
} else {
    include ( your default error page goes here );
}
NB. I have reinvented the wheel with the above code, because I couldn't remember how to match start and end characters of a string using a regex (there is some worry to do with unintentionally matching new lines I think), and I couldn't be bothered to work out the right google search terms to look it up.

* It occurred to me also that there should really be a line of code here that checks whether the requested page actually exists, and just gives an error page in response if it doesn't. Otherwise what will happen if the file isn't there is PHP will give an error message of its own, which will look much more crude to your users.

Are you really casting it to a string then checking against an array of strings that happen to also be the digits 0 - 9 to check to see if the input is a number? :wtf:

# ? Jan 8, 2010 01:02

Hammerite: Mar 9, 2007; And you don't remember what I said here, either, but it was pompous and stupid.; Jade Ear Joe

Lumpy posted:

Are you really casting it to a string then checking against an array of strings that happen to also be the digits 0 - 9 to check to see if the input is a number?

That's right. The reason I'm doing something so convoluted is because I wasn't sure what behaviour PHP exhibits if you ask it whether a non-numeric single-character string is equal in value to integer zero. i.e. I wasn't sure whether for example 'X' == 0 or '.' == 0 evaluate to true or false. I wanted to make sure only digits can get through. While the code I posted is rather stupid, I believe it's secure. I didn't want to post insecure code for the guy. As I mentioned, if I could have been bothered to look up the right way to do it with a regex I would have done that instead.

# ? Jan 8, 2010 02:04

spiritual bypass: Feb 19, 2008; Grimey Drawer

'x' == 0 evaluates to false. Also, isNumeric() is a good function.

# ? Jan 8, 2010 02:13

KuruMonkey: Jul 23, 2004

1:
(int)$_GET['id'];
this will force the value to be an int
leading zeros will be an issue if you do this

2:
=== tests for equal value and SAME TYPE
this is why if($x === FALSE) is better than if(!$x)
huge amounts of the PHP library use this to allow the functions to return
either data or boolean FALSE, so you should know how to test for that explicitly

3:
define('VALID_CHARS', '0123456789');
$suspect_data = 'whatever it may be';
if(str_replace(explode('', VALID_CHARS), '', $suspect_data) !== '')
{
// the suspect data contains invalid characters!
}

is a general 'accept only these characters, but any length and any permutation'
recipe. simply replace all the valid chars and if ANYTHING is left, its invalid

Edit: made typing boo boos

Edit 2: also from 4.30 upwards, ctype_digit, ctype_alpha and ctype_alnum are available (my friggery above is really only suitable for weird subsets of characters, not for 'is all digits' etc

lastly; its actually is_numeric not isNumeric

KuruMonkey fucked around with this message at 02:34 on Jan 8, 2010

# ? Jan 8, 2010 02:17

Lumpy: Apr 26, 2002; La! La! La! Laaaa!; College Slice

Hammerite posted:

That's right. The reason I'm doing something so convoluted is because I wasn't sure what behaviour PHP exhibits if you ask it whether a non-numeric single-character string is equal in value to integer zero. i.e. I wasn't sure whether for example 'X' == 0 or '.' == 0 evaluate to true or false. I wanted to make sure only digits can get through. While the code I posted is rather stupid, I believe it's secure. I didn't want to post insecure code for the guy. As I mentioned, if I could have been bothered to look up the right way to do it with a regex I would have done that instead.

php:

<?
if(preg_match('/^\d+$/', $_GET['id']) )
{
  // hooray!
} 
?>

# ? Jan 8, 2010 03:27

Hammerite: Mar 9, 2007; And you don't remember what I said here, either, but it was pompous and stupid.; Jade Ear Joe

Lumpy posted:

php:

<?
if(preg_match('/^\d+$/', $_GET['id']) )
{
  // hooray!
} 
?>

I could find out about ^ and $ in regular characters on the internet, but I vaguely recalled that in some implementations / in some modes, they'll match at newlines as well as at the start and end of the string. I might have been mistaken in that recollection, but at any rate I was unsure of the safety of using them in that way. And it's better to have code that looks ridiculous but is secure than to have code that is insecure.

Also, yes I should just have used is_Numeric or whatever it is called. Thanks for the heads-up.

Also - explode() doesn't work if the first argument is an empty string, you need to use str_split() for that

# ? Jan 8, 2010 03:54

Hammerite: Mar 9, 2007; And you don't remember what I said here, either, but it was pompous and stupid.; Jade Ear Joe

OK, so it turns out /\A\d+\Z/ would have satisfied my paranoia.

# ? Jan 8, 2010 03:59

Adbot: ADBOT LOVES YOU

# ? May 16, 2024 16:07

KuruMonkey: Jul 23, 2004

Hammerite posted:

Also - explode() doesn't work if the first argument is an empty string, you need to use str_split() for that

Well gently caress me; you're right. [puzzled look] I'm sure I've used that before. More than once.

# ? Jan 8, 2010 10:24

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Cavern of COBOL > <?PHP questions that don\\'t need their own thread ?>

«‹›223 »