php-general Digest 20 Dec 2004 09:29:10 -0000 Issue 3180

Topics (messages 204679 through 204690):

Current Member Check
        204679 by: Brad Ciszewski
        204680 by: Brad Ciszewski
        204681 by: Chris Shiflett
        204682 by: Jason Wong

Performance of magic_quotes_gpc ??
        204683 by: Michael Gale
        204684 by: Robert Cummings
        204686 by: Jed Smith
        204687 by: Jordi Canals
        204688 by: Michael Gale

I really need help...
        204685 by: JoShQuNe \(TR\)

Uncompressing files on server
        204689 by: Josh

mailto code for php
        204690 by: agent98.ihug.co.nz

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
Hi everyone, I am having some issues with this script. I am making a form
which registers a user. However, I want to check that the email address isn't
already registered in the database. Below is the syntax which I used. Please
help me figure out what I did wrong.

*connects to database*

$email = $_POST["email"];

$checkEmail = mysql_query("SELECT *
            FROM memberInformation
            WHERE email = '$email'");

Thanks in advance!!

Brad Ciszewski
www.BradTechnologies.com Web Services

--- End Message ---
--- Begin Message ---
I apologize, I forgot to add the rest:

if($checkEmail != "0"){
echo("<center><font color=\"#990000\">The email address has already been
registered with an account.</font></center>");
include("../includes/footer.php");
exit;
}

Thanks!

Brad Ciszewski
www.BradTechnologies.com Web Services

"Brad Ciszewski" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi everyone, I am having some issues with this script. I am making a form
> which registers a user. However, I want to check that the email address isn't
> already registered in the database. Below is the syntax which I used. Please
> help me figure out what I did wrong.
>
> *connects to database*
>
> $email = $_POST["email"];
>
> $checkEmail = mysql_query("SELECT *
>             FROM memberInformation
>             WHERE email = '$email'");
>
> Thanks in advance!!
>
> Brad Ciszewski
> www.BradTechnologies.com Web Services

--- End Message ---
--- Begin Message ---
--- Brad Ciszewski <[EMAIL PROTECTED]> wrote:
> Please help me figure out what I did wrong.
> 
> *connects to database*
> 
> $email = $_POST["email"];
> 
> $checkEmail = mysql_query("SELECT *
>             FROM memberInformation
>             WHERE email = '$email'");

Please read this:

http://php.net/manual/security.database.sql-injection.php

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly     HTTP Developer's Handbook - Sams
Coming Soon                 http://httphandbook.org/

--- End Message ---
--- Begin Message ---
On Monday 20 December 2004 03:54, Chris Shiflett wrote:
> --- Brad Ciszewski <[EMAIL PROTECTED]> wrote:
> > Please help me figure out what I did wrong.
> >
> > *connects to database*
> >
> > $email = $_POST["email"];
> >
> > $checkEmail = mysql_query("SELECT *
> >             FROM memberInformation
> >             WHERE email = '$email'");
>
> Please read this:
>
> http://php.net/manual/security.database.sql-injection.php

After you've digested that, you should study the examples in manual > MySQL 
functions to see how to connect, query, and obtain results from MySQL, and 
how to check for errors.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
question = ( to ) ? be : ! be;
  -- Wm. Shakespeare
*/

--- End Message ---
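The point Chris and Jason are making, as an added example that is not code from the thread: Brad's duplicate-address check with the POST value pasted into the SQL text, beside a version that binds it as a parameter and counts rows with the API. PDO with an in-memory SQLite database is used so the script runs offline; against MySQL only the DSN changes. The table and column names are Brad's, the two sample rows and the probe string are constructed.

```php
<?php
// Added example, not code from the thread. Brad's duplicate-e-mail check
// rewritten so the POST value can never become part of the SQL text.
// PDO with an in-memory SQLite database is used so this runs offline; for
// MySQL only the DSN changes (e.g. new PDO('mysql:host=db;dbname=site', ...)).
// Table and column names (memberInformation, email) are the ones Brad used;
// the two sample rows are constructed.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE memberInformation (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec("INSERT INTO memberInformation (email) VALUES ('alice@example.com'), ('bob@example.com')");
    return $db;
}

// What the posted code does: paste the raw POST value into the SQL string.
function vulnerableSql(string $email): string
{
    return "SELECT * FROM memberInformation WHERE email = '$email'";
}

// Hardened: the address travels as a bound parameter, so a quote inside it
// is data, not syntax. The count comes from the result set; comparing the
// mysql_query() handle to "0", as the posted code did, never says how many
// rows matched.
function emailIsRegistered(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM memberInformation WHERE email = ?');
    $stmt->execute([$email]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = openDb();

// A constructed probe an attacker could type into the "email" field.
$probe = "nobody@example.com' OR '1'='1";

// The closing quote ends the literal and the OR matches every row, so the
// unsafe check would report an unregistered address as already taken.
echo vulnerableSql($probe), "\n";
echo "rows matched by the string-built query: ",
     count($db->query(vulnerableSql($probe))->fetchAll()), "\n";

// The bound version looks for that exact string and finds nothing, while a
// genuinely registered address is still detected.
var_dump(emailIsRegistered($db, $probe));
var_dump(emailIsRegistered($db, 'alice@example.com'));
```

With the probe the string-built query returns both sample rows, while the bound query returns zero rows for the probe and one for alice@example.com. The `if($checkEmail != "0")` test in the posted code is a separate bug: `mysql_query()` returns a result handle (or `false`), not a row count, so the branch fires for every successful query regardless of whether the address exists.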
--- Begin Message ---
Hello,

I am working on a ticket tracking system and using htmlentities and htmlspecialchars on text that gets inserted into the database.

code I have:

--snip--
if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5) {
    $query .= " tentry_body = '" . htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
} else {
    $status = "<li class=error>ERROR with entry -- appears to be empty !!!!!</li>\n";
    $check = 1;
}
--snip--


In the archives people suggest that mysql_escape_string should be used; I then found that you could globally enable magic_quotes_gpc.

What is the best method? Does magic_quotes have a large performance impact?

Would it not just be safer to turn it on?

Thanks.

Michael.
--- End Message ---
--- Begin Message ---
On Sun, 2004-12-19 at 18:31, Michael Gale wrote:
> Hello,
> 
>       I am working on a ticket tracking system and using htmlentities and 
> htmlspecialchars on text that gets inserted into the database.
> 
> code I have:
> 
> --snip--
> if ((isset($_POST['tentry_body'])) AND strlen($_POST['tentry_body']) > 5) {
> $query .= " tentry_body = '" . 
> htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
>   } else {
>   $status="<li class=error>ERROR with entry -- appears to be empty 
> !!!!!</li>\n";
>   $check=1;
>   }
> --snip--
> 
> In the archives people suggest that mysql_escape_string should be 
> used; I then found that you could globally enable magic_quotes_gpc.
> 
> What is the best method? Does magic_quotes have a large performance 
> impact?
> 
> Would it not just be safer to turn it on?

Learn to write secure code for yourself. Magic quotes are an illusion.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--- End Message ---
--- Begin Message ---
They do not do the same thing.

mysql_escape_string() is what you're after, if you're inserting data from user input into an SQL statement, regardless!

Jed

--
     _
    (_)___    Jed Smith, Code Monkey
    | / __|   [EMAIL PROTECTED] | [EMAIL PROTECTED]
    | \__ \   +1 541 606-4145
   _/ |___/   Signed mail preferred (PGP 0x703F9124)
  |__/        http://personal.jed.bz/keys/jedsmith.asc

--- End Message ---
--- Begin Message ---
Hi, a couple of comments:

> --snip--

> htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
> --snip--

Why are you using both htmlentities and htmlspecialchars? Bear in mind that
htmlspecialchars only converts some characters while htmlentities converts all,
so for your purposes applying only one would do the job.

> 
> In the archives people suggest that mysql_escape_string should be
> used; I then found that you could globally enable magic_quotes_gpc.
> 

magic_quotes_gpc is a generic way of getting the user data escaped,
but it is not the recommended way. It's better to have magic_quotes_gpc
disabled and use a database-specific method for escaping. If you use
MySQL, I would recommend mysql_real_escape_string.
(mysql_escape_string is deprecated since 4.3.0)

Best regards,
Jordi.

--- End Message ---
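What the functions in this thread actually change, as an added example that is not Michael's or Jordi's code: one constructed ticket body run through `addslashes()` (which is all magic_quotes_gpc ever did), `htmlspecialchars()` with and without quote conversion, and `htmlentities()`, with a check of whether the result would still terminate a single-quoted SQL literal. No database is involved; the "breaks SQL literal" column models only the closing-quote problem, not a real driver's escaping.

```php
<?php
// Added example, not code from the thread. Applies the functions the thread
// discusses to one constructed ticket body and shows what each one changes.
// "breaks SQL literal" means an unescaped single quote remains that would
// end a '...' literal if the string were pasted into SQL text.

$body = "O'Brien wrote: 5 < 6 & \"café\"";   // constructed ticket entry

// magic_quotes_gpc (removed in PHP 5.4) ran addslashes() over every
// GET/POST/COOKIE value before the script saw it.
function asMagicQuotesWouldDeliver(string $s): string
{
    return addslashes($s);
}

// htmlspecialchars() with the flags PHP used by default before 8.1:
// &, <, > and " are converted; ' is left alone.
function htmlOnly(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// htmlspecialchars() told to convert single quotes as well (PHP 8.1+ default).
function htmlWithQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// htmlentities() converts every character that has a named entity, so the
// accented letter changes too, not just the markup characters.
function allEntities(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// True if a single quote not preceded by a backslash remains.
function breaksSqlLiteral(string $s): bool
{
    return preg_match("/(?<!\\\\)'/", $s) === 1;
}

$variants = [
    'raw'                         => $body,
    'htmlspecialchars ENT_COMPAT' => htmlOnly($body),
    'htmlspecialchars ENT_QUOTES' => htmlWithQuotes($body),
    'htmlentities'                => allEntities($body),
    'addslashes (magic quotes)'   => asMagicQuotesWouldDeliver($body),
    // magic_quotes on *and* the script escaping again: the stored value
    // keeps a literal backslash, the classic double-escaping damage
    'addslashes twice'            => addslashes(asMagicQuotesWouldDeliver($body)),
];

foreach ($variants as $label => $value) {
    printf("%-28s breaks SQL literal: %-3s  %s\n",
        $label, breaksSqlLiteral($value) ? 'yes' : 'no', $value);
}
```

Read the table from the top: with the pre-8.1 default flags `htmlspecialchars()` leaves the apostrophe in "O'Brien" untouched, so the query in Michael's snippet still breaks on that input; with `ENT_QUOTES` the query survives only because the apostrophe has been turned into `&#039;`, which is what then sits in the database. Both are HTML escaping applied at the storage layer. The usual split is to bind or escape for SQL when writing, and call `htmlspecialchars()` on the way out to the page. `addslashes()` does stop the literal from closing, which is why magic_quotes appeared to "work", but because it is applied blindly to every input it double-escapes anything the script escapes itself, and it does nothing for data that did not arrive via GET/POST/COOKIE.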
--- Begin Message ---
Hello,

Thanks for all of the responses ... I am going to use mysql_real_escape_string.

Michael.


Jordi Canals wrote:
> Hi, a couple of comments:
>
> > --snip--
> > htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
> > --snip--
>
> Why are you using both htmlentities and htmlspecialchars? Bear in mind that
> htmlspecialchars only converts some characters while htmlentities converts all,
> so for your purposes applying only one would do the job.
>
> > In the archives people suggest that mysql_escape_string should be
> > used; I then found that you could globally enable magic_quotes_gpc.
>
> magic_quotes_gpc is a generic way of getting the user data escaped,
> but it is not the recommended way. It's better to have magic_quotes_gpc
> disabled and use a database-specific method for escaping. If you use
> MySQL, I would recommend mysql_real_escape_string.
> (mysql_escape_string is deprecated since 4.3.0)
>
> Best regards,
> Jordi.

--- End Message ---
--- Begin Message ---
I really need help to solve this problem. Help me to solve it, please do
not say to ask someone else.
My problem is that I have a .txt file of 3-5 KB with long rows. I have a
MySQL table with a column of type longtext, named "html". What I have to do
is: I have to open the .txt, read its contents and insert the content into
"html". That is my purpose, but the problem is: I can easily upload the
.txt to the server and read it, BUT I cannot enter its content into "html".
I followed the program up to the mysql query line and it works correctly,
but when I write
mysql_query("INSERT INTO abc (col1,col2,html) VALUES ('$col1','$col2','$file_contents')") or die("ERROR!");
it dies and gives the error. My observations: when I put $file_contents in
place of the ERROR! message I saw the content; I set the type of the "html"
column to longblob, nothing changed: ERROR!; I made another .php file which
uses a form, copied the .txt's content manually into a <textarea>, and it
was successfully inserted. Then I made a 3-step program: I uploaded the
.txt in the first step, in the second step I inserted the content into a
<textarea> as its value, and in the third step I tried to add it to MySQL;
the message was ERROR! again. I thought it might be because of touching
the <textarea>'s content, and I clicked the <textarea> and pressed the
SPACE BAR :) really, but of course nothing changed. One more thing: I tried
to insert with
mysql_query("UPDATE abc SET html='$file_contents' WHERE col1='$col1' and col2='$col2'");
but it still answered "I cannot enter this variable into "html"". When I
delete the long rows it succeeds, but I need them, and I need to do this
automatically by selecting the file and inserting it into MySQL. Please,
please help me if you can. Below I have added the code of the program. I
will go insane if I cannot solve it. I am thinking about learning Perl to
do that. Thank you very much...

<?php
// Relies on register_globals (PHP 4): $alan1, $alan2, $alan3, $tur and the
// upload variables $file, $file_name, $file_size arrive as plain globals.
$html = "<html>
<head>
        <title>HTML document</title>
<style>input,textarea,td {font-family:verdana;font-size:10px;border:1px #2D7BA2 solid;background:#BECCE7} </style>
</head>
<body>
<form action='admin.php' method='POST' ENCTYPE='multipart/form-data'>
<table align='Center'>
<tr>
        <td>Brand:</td>
        <td><input name='alan1' type='Text' size=30 value='$alan1'></td>
</tr>
<tr>
        <td>Product Group:</td>
        <td><input name='alan2' type='Text' size=30 value='$alan2'></td>
</tr>
<tr>
        <td>Sub-Product Group:</td>
        <td><input name='alan3' type='Text' size=30 value='$alan3'></td>
</tr>
<tr>
        <td>Image type:</td>
        <td><input name='tur' type='Radio' value='jpg' checked>JPG <input name='tur' type='Radio' value='gif'>GIF</td>
</tr>
<tr>
        <td>File:</td>
        <td><input name='file' type='File'></td>
</tr>
<tr>
        <td colspan=2 align='Center'><input type='Submit' value='Send'></td>
</tr>
</table>

</form>
";

if (empty($HTTP_POST_VARS)) {
    echo $html;
} else {
    $absolute_path = "../beyazesya/Del";
    $size_limit = "var";
    $limit_size = "150000";
    $limit_ext  = "var";
    $ext_count  = "2";
    $extensions = array(".jpg", ".gif");
    $geri = "<br><br><a href='#' onclick='javascript:history.go(-1)'>Back</a>";
    $endresult = "FILE SENT SUCCESSFULLY..";
    if ($file_name == "") {
        $endresult = "YOU DID NOT SELECT A FILE.. $geri";
    } else {
        if (($size_limit == "var") && ($limit_size < $file_size)) {
            $endresult = "FILE TOO BIG, IT CAN BE AT MOST 150KB $geri";
        } else {
            $ext = strrchr($file_name, '.');
            if (($limit_ext == "var") && (!in_array($ext, $extensions))) {
                $endresult = "FILE TYPE CAN ONLY BE .ZIP OR .RAR.. $geri";
            } else {
                // This call was mangled by the list archive's address scrubber
                // ("[EMAIL PROTECTED](...)" in the archive); copy() is assumed here.
                @copy($file, "$absolute_path/file.txt") or die("FILE COULD NOT BE COPIED.. $geri");
                $dosyam = "../beyazesya/Del/file.txt";
                $fp = fopen($dosyam, "r") or die("Can't open file");
                // Read the whole file into $buffer
                while (!feof($fp)) {
                    $buf = fgets($fp, 8192);
                    $buffer = $buffer . $buf;
                }
                $buffer = str_replace("\t", "", $buffer);   // was eregi_replace(), removed in PHP 7
                $buffer = trim($buffer);
                $f_a = $file_name;
                $model = str_replace(".txt", "", $f_a);
                $resim = "$model.$tur";
                mysql_connect("xxx", "yyy", "zzz");
                mysql_select_db("aaa");
                $bb = mysql_query("SELECT * FROM beyaz WHERE alan1='$alan1' AND alan2='$alan2' AND alan3='$alan3' AND model='$model'");
                $say_bb = mysql_num_rows($bb);
                if ($say_bb < 1) {
                    // $buffer (the raw file contents) is pasted into the SQL text unescaped
                    $b = mysql_query("INSERT INTO beyaz (alan1,alan2,alan3,resim,model,html) VALUES ('$alan1','$alan2','$alan3','$resim','$model','$buffer')") or die("ERROR!");
                    if ($b) {
                        echo "$html";
                        $yazili = mysql_query("SELECT * FROM beyaz WHERE alan1='$alan1' AND alan2='$alan2' AND alan3='$alan3'");
                        echo "<table align=center><tr><td>";
                        $top_yaz = mysql_num_rows($yazili);
                        echo "Total: <b>$top_yaz</b><hr>";
                        while ($read = mysql_fetch_row($yazili)) {
                            echo "$read[4]<br>";
                        }
                        echo "</td></tr></table>";
                    }
                } else {
                    echo "(this record is done before)";
                }
                fclose($fp);
                unlink("../beyazesya/Del/file.txt");
                $buffer = 0;
            }
        }
    }
}
?>

</body>
</html>


                

--- End Message ---
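The same upload-and-insert path done with the file contents as a bound parameter, as an added example that is not the poster's code. The posted script pastes `$buffer` straight into the INSERT text, so a single quote or backslash anywhere in the HTML file ends the VALUES literal and the query fails, while a file without those characters happens to work; content typed into a `<textarea>` would, under the magic_quotes_gpc default of that era, have been `addslashes()`ed on arrival, which is consistent with the observation that the same text pasted into a form inserted fine. Table and column names are the poster's; the database is in-memory SQLite so the script runs offline (for MySQL only the DSN changes); the upload is a constructed temp file standing in for `$_FILES['file']`.

```php
<?php
// Added example, not the poster's code. The file contents and every form
// value go into the INSERT as bound parameters, and the upload is checked
// through $_FILES instead of register_globals. Table/column names (beyaz,
// alan1..3, resim, model, html) are the poster's; the database is an
// in-memory SQLite so this runs offline; the upload is constructed below.

const MAX_BYTES   = 150000;
const ALLOWED_EXT = ['txt'];   // the poster's checks mention .jpg/.gif and .zip/.rar, but the data file is a .txt

// Returns null when the upload is acceptable, or a message saying why not.
// $upload has the shape of one entry of $_FILES.
function uploadProblem(array $upload): ?string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'no file selected or upload failed';
    }
    if ($upload['size'] > MAX_BYTES) {
        return 'file too big, at most ' . MAX_BYTES . ' bytes';
    }
    // Extension from the client-supplied name, lower-cased and matched
    // against an allowlist; the name itself is never used as a path.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 'file type not allowed';
    }
    return null;
}

// Reads the whole file and normalises it the way the posted loop did
// (tabs removed, surrounding whitespace trimmed).
function loadBody(string $path): string
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("cannot read $path");
    }
    return trim(str_replace("\t", '', $raw));
}

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE beyaz (alan1 TEXT, alan2 TEXT, alan3 TEXT, resim TEXT, model TEXT, html TEXT)');
    return $db;
}

// Inserts one record unless the same alan1/alan2/alan3/model already exists.
// Every value, including the multi-kilobyte HTML, is a bound parameter, so
// quotes and backslashes in the file are stored as data.
function storeRecord(PDO $db, array $f, string $html): bool
{
    $check = $db->prepare('SELECT COUNT(*) FROM beyaz WHERE alan1 = ? AND alan2 = ? AND alan3 = ? AND model = ?');
    $check->execute([$f['alan1'], $f['alan2'], $f['alan3'], $f['model']]);
    if ((int) $check->fetchColumn() > 0) {
        return false;   // record already present
    }
    $ins = $db->prepare('INSERT INTO beyaz (alan1, alan2, alan3, resim, model, html) VALUES (?, ?, ?, ?, ?, ?)');
    $ins->execute([$f['alan1'], $f['alan2'], $f['alan3'], $f['resim'], $f['model'], $html]);
    return true;
}

// Constructed stand-in for a request: a temp file playing the uploaded .txt,
// containing exactly the characters that break a string-built query.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<p class=\"x\">O'Reilly's \"Guide\" \\ path</p>\t\n");
$upload = ['name' => 'Model123.txt', 'size' => filesize($tmp), 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];

if (($why = uploadProblem($upload)) !== null) {
    exit("rejected: $why\n");
}
// In a real request, pass tmp_name through is_uploaded_file()/move_uploaded_file()
// before reading it; a tempnam() file would fail that check, so it is read directly here.
$html   = loadBody($upload['tmp_name']);
$model  = pathinfo($upload['name'], PATHINFO_FILENAME);
$fields = ['alan1' => 'BrandA', 'alan2' => 'Group', 'alan3' => 'Subgroup',
           'model' => $model, 'resim' => "$model.jpg"];

$db = openDb();
echo storeRecord($db, $fields, $html) ? "inserted\n" : "already present\n";
echo storeRecord($db, $fields, $html) ? "inserted\n" : "already present\n";
echo $db->query('SELECT html FROM beyaz')->fetchColumn(), "\n";
unlink($tmp);
```

The first call stores the row, the second reports the duplicate, and the stored HTML comes back with its quotes and backslash intact. With the era's `mysql_*` functions the equivalent fix is to pass `$buffer` (and the form fields) through `mysql_real_escape_string()` on the open connection before building the query; the failing INSERT in the posted code is the same class of problem as the injection discussed in the first thread, just triggered by benign content.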
--- Begin Message ---
I have some PHP files from a content management system.  I uploaded the
compressed files to the server, but how do I un-compress them now?  I am
using Filezilla.  Can it be done, or do I have to uncompress the file on my
computer and then upload?

thanks

--- End Message ---
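An FTP client only transfers files; FileZilla cannot unpack an archive on the server. If the host runs PHP with the zip extension, a one-off script uploaded next to the archive can extract it. Below is such a script as an added example, not from the thread, which refuses entry names that would land outside the target directory (zip entries may carry `../` or absolute paths). The archive name and target directory are assumptions, and the archives are built by the script itself from constructed content so it runs offline.

```php
<?php
// Added example, not from the thread. Server-side extraction of a zip with
// an explicit check of every entry name before anything is written. The
// archive name, target directory and contents are constructed here.

// Turns a zip entry name into a relative path, or null if it is not safe to
// write under the target directory (absolute names, "..", backslashes, NUL).
function safeRelativePath(string $entry): ?string
{
    if ($entry === '' || $entry[0] === '/' || strpbrk($entry, "\\\0") !== false) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $entry) as $p) {
        if ($p === '' || $p === '.') {
            continue;
        }
        if ($p === '..') {
            return null;
        }
        $parts[] = $p;
    }
    return $parts ? implode('/', $parts) : null;
}

// Extracts every entry of $zipPath below $destDir. All names are validated
// first, so a bad entry leaves the directory untouched. Returns paths written.
function extractZipSafely(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $plan = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $rel  = safeRelativePath($name);
        if ($rel === null) {
            $zip->close();
            throw new RuntimeException("refusing unsafe entry name: $name");
        }
        $plan[$i] = [$rel, substr($name, -1) === '/'];
    }
    if (!is_dir($destDir) && !mkdir($destDir, 0755, true)) {
        throw new RuntimeException("cannot create $destDir");
    }
    $written = [];
    foreach ($plan as $i => [$rel, $isDir]) {
        $target = rtrim($destDir, '/') . '/' . $rel;
        $dir = $isDir ? $target : dirname($target);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        if ($isDir) {
            continue;
        }
        if (file_put_contents($target, $zip->getFromIndex($i)) === false) {
            throw new RuntimeException("cannot write $target");
        }
        $written[] = $target;
    }
    $zip->close();
    return $written;
}

// Constructed archives: one clean, one whose entry points outside the target.
$work = sys_get_temp_dir() . '/cms_demo_' . getmypid();
mkdir($work);
foreach (['clean.zip' => 'cms/index.php', 'bad.zip' => '../outside.txt'] as $file => $entry) {
    $zip = new ZipArchive();
    $zip->open("$work/$file", ZipArchive::CREATE);
    $zip->addFromString($entry, "placeholder content\n");
    $zip->close();
}
print_r(extractZipSafely("$work/clean.zip", "$work/htdocs"));
try {
    extractZipSafely("$work/bad.zip", "$work/htdocs");
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Upload the script next to the archive, open it once in the browser, then delete both the script and the archive; an extractor left reachable in the web root is an open invitation to anyone who can upload to the same directory. If the host has no zip extension, unpacking locally and uploading the tree (as Josh suggests) is the fallback.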
--- Begin Message ---
Here is a website, http://www.business-broker.co.nz/; under
"tell a friend" is the page I need help with.
There is a "your email" box where you get a reply saying
"thanks for telling your friend about us", which is OK, but
where we have the problem is the "friend's email" box, where
we want a mailto command to send to the friend. We have had no
luck there. Could you please let us know the code we should
use and where to use it, if possible? It would help my
sanity very much. And where does it go, in the .lib or
the .php file?

Thanks for the help


marc gander
[EMAIL PROTECTED]

--- End Message ---
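A `mailto:` link only opens the visitor's own mail program with an address filled in; for the site itself to send the message to the friend, the server-side handler has to call `mail()`. As an added example that is not code from the site in question, a tell-a-friend handler that validates both addresses before they reach `mail()`: the recipient and the reply address are user input that ends up in SMTP headers, so a value containing a CR/LF sequence would inject extra header lines. The field names, the `From:` address and the site name are assumptions; the two submissions are constructed.

```php
<?php
// Added example, not from the thread. Builds and validates a tell-a-friend
// message for mail(). Field names (your_email, friends_email, message), the
// From address and the site name are assumptions; the submissions below are
// constructed.

// Returns the pieces mail() needs, or throws if either address is not a
// single plain e-mail address. The CR/LF check matters because mail() hands
// the headers to the MTA, so "friend@example.com\r\nBcc: ..." would add headers.
function buildTellAFriendMail(array $post, string $siteName): array
{
    $friend = trim($post['friends_email'] ?? '');
    $sender = trim($post['your_email'] ?? '');
    foreach (['friends_email' => $friend, 'your_email' => $sender] as $field => $addr) {
        if (preg_match('/[\r\n]/', $addr) || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("$field is not a valid e-mail address");
        }
    }
    // The visitor's address goes into Reply-To, not From: the From address
    // should be one the sending host is allowed to use.
    $headers = [
        'From: no-reply@example.com',
        "Reply-To: $sender",
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $note = trim((string) ($post['message'] ?? ''));
    $body = "Your friend ($sender) thought you might like $siteName.\n\n"
          . ($note !== '' ? wordwrap($note, 72) . "\n\n" : '')
          . "http://www.business-broker.co.nz/\n";
    return [
        'to'      => $friend,
        'subject' => "$sender thinks you'd like $siteName",
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// The handler the form posts to would call this; it needs a working MTA.
function sendTellAFriend(array $post, string $siteName): bool
{
    $m = buildTellAFriendMail($post, $siteName);
    return mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}

// Constructed submissions: one good, one carrying an injected header.
$good = ['your_email' => 'marc@example.com', 'friends_email' => 'friend@example.com',
         'message' => 'Have a look at this.'];
$bad  = $good;
$bad['friends_email'] = "friend@example.com\r\nBcc: everyone@example.net";

print_r(buildTellAFriendMail($good, 'Business Broker'));
try {
    buildTellAFriendMail($bad, 'Business Broker');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The validated submission comes back as a ready-to-send array; the one with the embedded `Bcc:` line is rejected before `mail()` ever sees it. The body is free text and can hold whatever the visitor typed, but anything that goes into the envelope or a header (`to`, `Reply-To`, the subject) must be a single validated address or derived from one.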
