|
Bonus posted:I'm of the opinion that it's generally best to sanitize data as late as possible. So if you're sanitizing it for output, sanitize it right before outputting or when you know that you won't be doing anything with it other than outputting. So would there be anything wrong with sanitizing as late as the MySQL query string? Right now, I'm getting away with processing form inputs with their original $_POST superglobals, then using htmlspecialchars() at the query function argument to keep form inputs from doing anything too powerful, though I don't know if that would leave you wide open on older, less secure versions of PHP. Zorilla fucked around with this message at 02:29 on Apr 6, 2008 |
#
¿
Apr 6, 2008 02:24
|
|
|
|
| # ¿ Apr 30, 2024 10:24 |
|
|
bt_escm posted:htmlspecialchars() won't stop sql injection. You'll need to you mysql_real_escape_string() to properly clean the string for inserting into the database. Right, I was just trying to prevent users from embedding HTML into pages. One of the things I've noticed is that the query string is already escaped for you (PHP 5.2.0) and attempting to use mysql_real_escape_string() will end up escaping your string twice. I'm guessing my hosting has magic_quotes_gpc turned on. What's the proper way to handle things whether this is on or off? Detect whether magic_quotes_gpc is turned off and only escape the query string manually then? If you haven't guessed, I'm a total beginner and suck at programming anyway.
|
|
#
¿
Apr 7, 2008 01:06
|
|
|
That's pretty much what I just ended up doing:php:<?
if (get_magic_quotes_gpc()) {
$cleanquery = $query;
} else {
$cleanquery = stripslashes($query);
}
?>Zorilla fucked around with this message at 01:37 on Apr 7, 2008 |
|
#
¿
Apr 7, 2008 01:34
|
|
|
nbv4 posted:Say, since we're on the subject of escaping, I noticed a little while ago that whenever data comes in through a <textarea>, the string is already escaped. If I run it through mysql_real_escape_string, double escaping will occur. I don't know if it's the browser thats doing this, or if it some kind of magic quotes thing... After I finally realized this, I just stopped escaping all my textarea data. Is this a bad decision? Well, the conclusion I think I just came to hours earlier (with some help) is that you should check to see if magic quotes is enabled, then either don't escape if it's on or do escape if it's off. Also, when loading MySQL fields into a textarea, be sure to encode any HTML markup inside them. Web browsers will render anything between textarea tags as plaintext so you probably aren't vulerable to XSS, but it will result in invalid (X)HTML if there is actual markup in there. For instance: Invalid: code:code:Zorilla fucked around with this message at 08:29 on Apr 7, 2008 |
|
#
¿
Apr 7, 2008 08:14
|
|
|
Atom posted:While I've never heard of it causing problems, it is recommended to unescape it and use the MySQL extension's escape function if magic quotes is on. I think the PHP documentation says the same thing. In other words, something like this? php:<? // Pretend a MySQL connection is open already $cleanquery = mysql_real_escape_string(stripslashes($query)); $result = mysql_query($cleanquery); ?> Zorilla fucked around with this message at 09:05 on Apr 7, 2008 |
|
#
¿
Apr 7, 2008 09:02
|
|
|
minato posted:Yeah, I was going to say he should start with a class and then subsequent classes should extend it. I guess this is one way of saying it.
|
|
#
¿
Apr 8, 2008 06:39
|
|
|
I've got a client we're doing a web page redesign for and it turns out he would like to be able to edit basically anything that might need changing on the site on his own. Normally, I would just set up some system like Website Baker or CMS Made Simple, but this site in particular has quite a bit of markup I don't want the client to disturb. Plus, the site has some dynamic content with a backend I wrote a month or so ago to edit its contents. I just found out about a system called Cushy CMS, which looks like it would work brilliantly. Unfortunately, it seems to only support static pages and appears to be a service you have to use through their site instead of installing on your web server. And it's in closed beta- not something I want business clients using. Are there any systems out there that are fairly easy to set up like Cushy CMS that would work with PHP pages? The idea is for the site owner to be able to edit snippets of information such as the welcome text or store hours in the backend without having to muck around in HTML. If creating a solution to this is beyond me, it can be contracted out. I'm just looking for recommendations. Zorilla fucked around with this message at 03:04 on Apr 9, 2008 |
|
#
¿
Apr 9, 2008 03:02
|
|
|
gibbed posted:Edit: wait why the hell did you put a \r\n in the header() call? Looks like a force of habit from Perl
|
|
#
¿
Apr 15, 2008 00:06
|
|
|
PowderKeg posted:Is there a way to have the php script either blank the form on a successful submit, or redirect everythiong to a full "record successfully entered" page? Because as it stands now people can keep clicking submit and load up my db with dupes. The form should probably submit to the page it's on, then in the PHP on that page, have it redirect to a success page if all goes well after submitting (like here).
|
|
#
¿
Apr 17, 2008 23:04
|
|
|
opblaaskrokodil posted:Otherwise I don't know what the second param is for, since you can't print it out on the current page without loving up sending headers? As far as I know, PHP won't send the HTTP header until it reaches the first HTML templated area or echo statement (or printf or whatever), so he's fine as long as it's not being set after one of these conditions gets met. Still, there's no need to set the header more than once, so the code should probably use elseif statements instead to make sure no more than one of these conditions gets evaluated as true at the same time: php:<?
if ($getclub['private'] == 1) {
die(header(error("club.php?game=$game&clubid=$clubid","You can't join a private club.")));
} elseif ($clubrank > 0) {
die(header(error("club.php?game=$game&clubid=$clubid","You are already a member of this club.")));
} elseif ($getmemberdata4['id']) {
die(header(error("club.php?game=$game&clubid=$clubid","You are already a member of a club.")));
}
?>
|
|
#
¿
Apr 21, 2008 20:28
|
|
|
The variable you're checking for is $_POST["instance"] (or $_GET["instance"] depending on the form action) and its value is probably true if checked and false if not. I'm not 100% on this, so you might want to check by slipping in an echo $_POST["instance"]; in there somewhere and see what displays in your browser. Also, I recommend using HTML templating instead of echo statements wherever possible, as it allows HTML sections to get context highlighted properly in editors such as Notepad++ and you don't have to explicitly state line breaks with "\n". The end result is something like this: php:<? is this a new instance? <input type="checkbox" NAME="instance" /><br /> <?php if ($_POST["instance"] == true) { ?> more input fields<br /> <?php } ?> <input type="submit" name="submit" /><br /> ?> noonches posted:I sounds like Jimix is trying to do it dynamically after the page loads based on user actions. In other words Javascript. Yeah, if you're trying to make form fields appear in real time, just to it on the client side with Javascript. Zorilla fucked around with this message at 21:03 on Apr 21, 2008 |
|
#
¿
Apr 21, 2008 20:44
|
|
|
Or better yet, using event handlers and DOM writing (no idea if this exact code works, but you get the idea):code:Zorilla fucked around with this message at 22:46 on Apr 21, 2008 |
|
#
¿
Apr 21, 2008 21:09
|
|
|
A session question of my own: how do I get them to persist between browser sessions? The top of my login page looks like this: (check_login() retuns true, false, or "admin" depending on outcome of username/password combo) php:<?
session_start();
if (!(@$_POST["submit"])) {
session_destroy();
} else {
$userstatus = check_login(@$_POST["username"], @$_POST["password"]);
if (!$userstatus) {
$error = "Invalid username or password.";
} else {
$_SESSION["loggedin"] = true;
if ($userstatus == "admin") {
$_SESSION["isadmin"] = true;
}
header("Location:index".PAGE_EXT);
}
}
?>And pages you can only access after being logged in look like this: php:<?
session_start();
if (@$_SESSION["loggedin"] != true) {
header("Location:login".PAGE_EXT);
}
?>I've tried setting cookie timeout, but that has no effect. Zorilla fucked around with this message at 04:23 on Apr 22, 2008 |
|
#
¿
Apr 22, 2008 04:21
|
|
|
Snozzberry Smoothie posted:I need to generate XML with a PHP script, but I'm unsure of the best method from a performance perspective. Can anyone give me some advice or point me at a resource that I can read more on the topic? Here's the DOM approach to XML: http://www.ibm.com/developerworks/library/os-xmldomphp/ Or you could do something like this: php:<?php $items = array("stuff", "more stuff", "holy crap here's some more stuff", "boopty boop"); ob_start(); ?> <stuff> <?php foreach ($items as $item) { ?> <item><?php echo $item; ?></item> <?php } ?> </stuff> <?php $xmldata = ob_get_contents(); ob_end_clean(); $file = fopen("items.xml", "w"); fwrite($file, $xmldata); fclose($file); ?> Both methods are probably blazing fast, but this probably has less overhead from not loading any classes - not that it matters for such a tiny task. Zorilla fucked around with this message at 05:26 on Apr 22, 2008 |
|
#
¿
Apr 22, 2008 04:45
|
|
|
noonches posted:You'd need to set a cookie explicitly, a cookie timeout only works on an actual cookie, not a session. Ok, I was trying using $_COOKIE in conjunction with $_SESSION without adjusting the default timeout value of "0" before giving up the first time, then only using $_SESSION when I tried setting cookie timeout the next time, so you can see why things didn't work. Looks like I've got a bit of modifications to do. noonches posted:I usually set a cookie with the value of some fields in the database hashed together, and have a separate login function that sets up the sessions if thats set and correct. If the cookie data is nothing but a hash, how does it carry information about who is logged in between browser sessions? Or are you saying you store this in addition to a username and password cookie? Zorilla fucked around with this message at 05:10 on Apr 22, 2008 |
|
#
¿
Apr 22, 2008 05:03
|
|
|
duz posted:Sessions expire when the browser closes or after 24 minutes of inactivity. What you want are cookies. The cookie will store a unique ID/hash that points to an entry in your database with the session information. Ok, so this sounds like I actually have to create a MySQL table whose purpose is to store hashes that coordinate with remote users' cookies. Am I way off here? Zorilla fucked around with this message at 09:25 on Apr 22, 2008 |
|
#
¿
Apr 22, 2008 09:14
|
|
|
LastCaress posted:Is there a way to apply an external stylesheet file to just a table? I took a stylesheet from google and applied it to a table, but it transforms the style of the whole page :| Also, does anyone want to help me with designing a PvP system? I'll give a forums upgrade. Thanks! Cheap answer: put the table in a separate page and use an inline frame. Non-nerd rage inciting answer: give the table a unique class maybe, then make modifications to the stylesheet in question so that all styles apply to elements inside that table and to nothing outside it. For instance, change: code:code:Zorilla fucked around with this message at 09:30 on Apr 22, 2008 |
|
#
¿
Apr 22, 2008 09:27
|
|
|
LastCaress posted:Well the stylesheet can't possibly have been made by a human unless he took massive amounts of LSD : https://www.bazul.org/rpg/pretty.css Yeah, Google optimizes the hell out of all their content, removing line breaks, spaces, and anything deemed to be dead weight. Have you seen their front page HTML? Standards compliancy be damned! The table you linked to is using legacy color definitions to achieve the look you want anyway. In CSS, you probably just want something like this: code:Zorilla fucked around with this message at 09:55 on Apr 22, 2008 |
|
#
¿
Apr 22, 2008 09:51
|
|
|
LastCaress posted:Wow I'm glad this computer thing makes sense. I did a table.css with that code and added <table summary=' ' width='95%' border='0' class='myclass'> to the php and it works! Sorry for being obtuse some times, but this is the first time I'm playing with html/php/mysql Attributes like border= and width= are becoming deprecated. If you're going to define appearance inline, use the style= attribute, as it allows you to use the same CSS syntax you're using in your stylesheet. In your case, use something like <table class="myclass" style="width: 95%; border: none;"> That's just an example, and there aren't too many instances where you'll need to define styles inline instead of from a stylesheet, so everything I put in style="" should probably just go to table.myclass entry in your CSS. As with anybody messing around with CSS, I recommend installing Firebug so you can see changes to CSS properties in real time. (Get 1.1 Beta; 1.0 has a bug where it won't handle <a> tags properly). Zorilla fucked around with this message at 20:46 on Apr 22, 2008 |
|
#
¿
Apr 22, 2008 20:37
|
|
|
Grigori Rasputin posted:I'm having a problem with strpos() that I'm not sure how best to resolve. I've got a function that cycles through a string and looks for instances of months in the format of 'mon ', i.e. 'apr ', 'may ', etc. PHP has powerful functionality for manipulating date and time formats. What is the end goal of this code?
|
|
#
¿
Apr 23, 2008 01:19
|
|
|
Triple-equals signs always weird me out. Since we're evaluating the success/failure of a variable assignment, is your example the same as this?php:<? $str = 'january is my favorite month'; if (!($i = strpos($str, 'january'))) echo "not found\n"; ?>
|
|
#
¿
Apr 23, 2008 02:09
|
|
|
Or better yet, put something like this in your .htaccess so you don't change PHP settings globally:code:Alternatively, you can adjust php.ini settings during the run of a script with ini_set();
|
|
#
¿
Apr 28, 2008 21:18
|
|
|
It's like some sort of standards compliant tall.gif
|
|
#
¿
May 1, 2008 13:11
|
|
|
awdio posted:
Shouldn't referrer handling be done though .htaccess?
|
|
#
¿
May 3, 2008 00:05
|
|
|
For what you're trying to do, I prefer this. I think I mentioned it before, but I think it's worth mentioning again. It's really useful for templating in conjunction with include() / require(), you can save large chunks of dynamic code into variables like this: index.php php:<?php define("RUNTEMPLATE", TRUE); $pagetitle = "Boop boop"; ob_start(); ?> <div> blablablabla </div> <div> <?php echo "dynamic blablabla"; ?> </div> <?php $body = ob_get_contents(); ob_end_clean(); include(pagetemplate.php); ?> pagetemplate.php php:<?php defined("RUNTEMPLATE") or die("Direct access to this location is not allowed"); ?> <html> <head> <title><?php echo $pagetitle; ?></title> </head> <body> <?php echo $body; ?> </body> </html> Zorilla fucked around with this message at 01:08 on May 8, 2008 |
|
#
¿
May 8, 2008 00:47
|
|
|
Bonus posted:What's a good PHP library for sending out emails? Just one at a time from a form, so no need for mass mailing. PHPMailer is used is just about every content management system out there. Despite a lot of information you'll find on message boards, up-to-date versions support SSL and TLS, so even GMail works with it. There's also Swift Mailer, but its object structure is not nearly as nice and simple as PHPMailer's Zorilla fucked around with this message at 11:26 on May 8, 2008 |
|
#
¿
May 8, 2008 11:14
|
|
|
Evil Angry Cat posted:The problem I've always found with =="" and empty() checks is that accidentally a user could hit the space bar when filling in a certain field which tricks both checks and means they haven't filled a required field in. So I always use Why not use trim() to remove trailing spaces before checking instead?
|
|
#
¿
May 10, 2008 09:24
|
|
|
Dominoes posted:The emails are received, but the person using the form is redirected to the php page with the printed text. How do I direct the user to an HTML page instead? I don't want them to go to the php page, I just want to use the script to process the form data. Probably something like this: php:<?php isset($_POST["submit"]) or header("Location:index.html"); $to = "contact@equilibriumpomade.com"; $subject = "Question/Comment"; $name = $_REQUEST["name"]; $message = $_REQUEST["question"]; $from = $_REQUEST["email"]; $headers = "From: " . $from; ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <title>Equilibrium Natural Pomade</title> <meta http-equiv="refresh" content="3;url=index.html"> </head> <body> <?php if (mail($to,$subject,"Name: " . $name . "\r\nMessage: " . $message,$headers)) { ?> Email sent successfully <?php } else { ?> Error: the message could not be sent <?php } ?> </body> </html> You'll still have to load this page and then it will display a message, then it will go back to wherever you want it to go 3 seconds later. If you want to send the email without ever leaving the page you're coming from, you'll probably need to use AJAX. Zorilla fucked around with this message at 02:37 on May 11, 2008 |
|
#
¿
May 11, 2008 02:03
|
|
|
Bonus posted:
JPEG images take up much more space when loaded into RAM because they get decompressed. Plus, I bet you're making multiple copies of it in RAM. Is the 7.5k image fairly large in dimension too? I don't know if it works, but when you're done with a certain instance of an image, you might try using unset() on the variable containing that instance to free up some RAM. Or you could do what I did for my image uploader and raise the php.ini memory limit to 24 MB using ini_set(). Zorilla fucked around with this message at 01:34 on May 12, 2008 |
|
#
¿
May 11, 2008 19:45
|
|
|
Dominoes posted:Thanks, that worked! It actually doesn't wait 3 seconds and redirect to the "url=whatever", it immediately goes to the home page. That's more than adequate for now.
|
|
#
¿
May 12, 2008 00:19
|
|
|
Grigori Rasputin posted:Another day, another PHP question. Is there a way to hide URL arguments like "index.html?pageid=123&type=x" from the user? I figured it would be configurable in php.ini but I haven't stumbled upon anything yet. - Use postdata ($_POST) instead of submitting data through the URL and/or use mod_rewrite to clean up the URL a bit (i.e. site.com/index.html?pageid=123&type=x becomes site.com/123/x). Things like page numbers should probably stay in the URL, but minor stuff like "sort by" settings for viewing data in a table should be sent as postdata and retained as a cookie. - Query strings (URL arguments) are preferred if you want a particular page to be linkable from outside. Use postdata for form submissions though. Zorilla fucked around with this message at 23:21 on May 21, 2008 |
|
#
¿
May 21, 2008 23:15
|
|
|
Either that or when displaying the form, generate a random md5 for the hidden field, then store it in a session variable that gets checked when the form gets posted.
|
|
#
¿
May 24, 2008 09:47
|
|
|
clockworkjoe posted:I got a PHP/wordpress problem. Basically, I created a template for a page with a custom loop. Your if and while loops are overlapping instead of one being nested inside the other. Basically, you're doing this: php:<?php while ($condition) : if ($condition) : // do stuff here endwhile; else : // do something else endif; ?> When you should be doing this: php:<?php if ($condition) : while ($condition) : // do stuff here endwhile; else : // do something else endif; ?> Zorilla fucked around with this message at 00:38 on Jun 2, 2008 |
|
#
¿
Jun 2, 2008 00:32
|
|
|
clockworkjoe posted:How can i rewrite the ELSE to say if there are no posts then do this? or am I off base? Probably something like: php:<?php if ($wp_query->have_posts) : while ($wp_query->have_posts) : $query->the_post(); ?> <!-- post loop stuff goes here --> <?php endwhile; ?> <?php else: ?> <!-- error message about no posts being found goes here --> <?php endif; ?> I think WordPress handles pages with no entires on them automatically, so there's no need to put an "else" section in your template script. I also thought of something else. It looks like your template is calling a specific set of posts. The correct way to do this is make a template that calls a generic set of posts (i.e. have_posts() instead of wp_query->have_posts() ) and then giving your template a special meaning by using a comment block at the top. Then, you manage that page in the WordPress backend and tell it to use that custom template instead of the default one. In other words, get rid of all that special query stuff and put this at the top instead: php:<?php /* Template Name: My Special Template */ ?> Zorilla fucked around with this message at 00:53 on Jun 2, 2008 |
|
#
¿
Jun 2, 2008 00:42
|
|
|
clockworkjoe posted:Where do I put the ('cat=6&showposts=3'.'&paged='.$paged); in that code you posted? The idea is that you shouldn't have to force the template to call a fixed set of posts. I think your script will end up like this: php:<?php /* Template Name: My Special Page */ ?> <?php get_header(); ?> <?php get_sidebar(); ?> <?php if (have_posts()) : while (have_posts()) : the_post(); ?> <ul class="pmeta"> <li>Posted by <?php the_author() ?></li> <li>On <?php the_time('F j, Y') ?></li> <li><br /><?php the_category(', ') ?></li> <?php if (function_exists('the_tags')) : the_tags('<li>Tags ', '</li>'); ?> <li><br /><?php comments_popup_link('No Comments', '1 Comment', '% Comments' ); ?></li> <?php edit_post_link('Edit', '<li>', '</li>'); ?> </ul> <div class="apost"> <h2 id="post-<?php the_ID(); ?>"> <?php if (function_exists('get_cat_icon')) : get_cat_icon('small=false'); ?> <a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title(); ?>"><?php the_title(); ?></a> </h2> <div class="pmain"> <!-- spost --> <?php the_content('Read more...'); ?> <!-- epost --> </div> <?php if ($count==1) : ?> <!-- PLACE YOUR 468x60 ADSENSE CODE (OR BANNER) BELOW --> <script type="text/javascript"> <!-- google_ad_width = 468; google_ad_height = 60; //--> </script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script> <!-- PLACE YOUR 468x60 ADSENSE CODE (OR BANNER) ABOVE --> <?php endif; $count = $count + 1;?> </div> <div class="extra"></div> <div class="lead"> <span class="ppre"><?php next_posts_link('« Previous Posts') ?></span> <span class="pnex"><?php previous_posts_link('Next Posts »') ?></span> </div> <?php endwhile; endif; ?> <?php get_footer(); ?> Then go in the WordPress backend and set that category view to use this template instead of the default. There's a pull-down menu somewhere for this, and with that comment block at the top that says "Template Name:", this template (called "My Special Page") will be listed in it. I don't know if this method allows you to limit the view to three posts like you probably want, but there's got to be a better way to do this than through a hardcoded query. You might consider moving your Google AdSense code to header.php as well, assuming Google provides a way to call ads to show up in the middle of the page from a script inside <head>. Zorilla fucked around with this message at 01:28 on Jun 2, 2008 |
|
#
¿
Jun 2, 2008 00:57
|
|
|
It seems weird, I'm sure, but the idea is that category 6 is set to use this template, rather than the template looking for category 6 (which would be backwards). Flexibility is the key here- and you want as much stuff as possible to be customizable through the WordPress backend as possible instead of having to open up a code editor any time you want to make changes. If you find no point-and-click way to limit the view to 3 posts, you could probably replace... while (have_posts()) : ...with... for ($i = 0;$i < 3;$i++) : But I would just recommend setting category 6 to paginate every 3 posts. That way, users can view older articles by clicking "Previous Posts" if they wish. Zorilla fucked around with this message at 01:50 on Jun 2, 2008 |
|
#
¿
Jun 2, 2008 01:30
|
|
|
Ok, if there's no way to do that, then yeah, you'd instead need to use your original query method in the template, create a new Page in the WP backend, and then set it to use this template in the pull-down menu.
|
|
#
¿
Jun 2, 2008 02:06
|
|
|
Just put it back to the way you had it before (except I don't think you needed all those other variable assignments like $temp = $wp_query, as all non-sessioned variables should vanish at the end of a script run. Tell me if I'm totally wrong on this.):php:<?php $wp_query = new WP_Query(); $wp_query->query('cat=6&showposts=3&paged='.$paged); ?> <?php while ($wp_query->have_posts()) : $wp_query->the_post(); ?> <!-- stuff that goes after the post text --> <?php endwhile; ?> Zorilla fucked around with this message at 02:34 on Jun 2, 2008 |
|
#
¿
Jun 2, 2008 02:20
|
|
|
Ok, it seems like you have this under control, though it seems like it would just be easier to use a different variable name than $wp_posts to instantiate a new object rather than copying its old value elsewhere, then restoring it at the end of the script. I'm sure there's a reason for doing that I don't realize, so I probably shouldn't say anything more. I think I just wasted 3/4 of a page telling you how to do something that wouldn't actually work. All you really needed to take away from all this is to make sure your if and while loops are nested properly. Zorilla fucked around with this message at 02:42 on Jun 2, 2008 |
|
#
¿
Jun 2, 2008 02:38
|
|
|
|
| # ¿ Apr 30, 2024 10:24 |
|
|
You have this: <?php endwhile; endif; ?> ...when you should have this (like shown in my example)... <?php endwhile; ?>
|
|
#
¿
Jun 2, 2008 03:17
|
|