php-general Digest 10 Nov 2005 11:53:23 -0000 Issue 3786
Topics (messages 225477 through 225505):
Re: Select and $_POST
225477 by: Matt Babineau
225480 by: Ben Ramsey
225483 by: Terence
225484 by: Chris Shiflett
225485 by: Curt Zirzow
225488 by: Chris Shiflett
225499 by: M
Re: Richard Lynch's Email Address ...
225478 by: GamblerZG
225479 by: Robert Cummings
225481 by: GamblerZG
225482 by: Ben Ramsey
Gotta learn asp.net...
225486 by: Joseph Szobody
225487 by: Esteamedpw.aol.com
Error in reading and writing bytes
225489 by: kumar kumar
225490 by: kumar kumar
225494 by: Curt Zirzow
Re: php5 / php4 - MySQL/SQLite
225491 by: Oliver Grätz
mod_rewrite, apache2, php5RC1 and osx bsd
225492 by: Dan Rossi
225495 by: Curt Zirzow
225496 by: Dan Rossi
Re: php session variables limited to 1 character -- please help
225493 by: GamblerZG
Re: T_PAAMAYIM_NEKUDOTAYIM
225497 by: Jochem Maas
225498 by: George Pitcher
post and variables
225500 by: Ross
225501 by: Ross
225502 by: Adrian Bruce
225503 by: Richard Davey
225504 by: Jochem Maas
undefined index and php
225505 by: Ross
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
$query = "SELECT * FROM login WHERE username = '".$_POST['username']."' AND
pass = '". $_POST['pass']."'";
> What is the correct syntax for
>
> $query = "SELECT * FROM login where
> username='$_POST['username']' AND pass ='$_POST['pass']'";
>
>
> Thought this would work.
>
> R.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
On 11/9/05 6:21 PM, Ross wrote:
> What is the correct syntax for
> $query = "SELECT * FROM login where username='$_POST['username']' AND pass
> ='$_POST['pass']'";
> Thought this would work.
> R.
The correct syntax in this case is actually:
$query = "SELECT * FROM login where username='{$_POST['username']}' AND
pass='{$_POST['pass']}'";
Note the curly braces.
BUT! Never do this!
For example, consider if someone typed in their username like this:
foo' AND 1=1 --
The "--" in most database engines starts a comment, so the query would
end up being:
SELECT * FROM login where username='foo' AND 1=1 --' AND pass=''
Everything after the "--" is ignored. There doesn't have to be a user
named "foo" because 1 will always equal 1, so the user is instantly
logged in.
Instead, filter your input (data received) and escape your output (in
this case, data going to the database), and try something like this:
<?php
$clean = array();
$sql = array();

if (ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}

if (ctype_alnum($_POST['pass']))
{
    $clean['pass'] = $_POST['pass'];
}

if (isset($clean['username']))
{
    $sql['username'] = mysql_real_escape_string($clean['username']);
}

if (isset($clean['pass']))
{
    $sql['pass'] = mysql_real_escape_string($clean['pass']);
}

$query = "SELECT * FROM login where username='{$sql['username']}' AND
          pass='{$sql['pass']}'";
?>
Everything in $_POST should be treated as tainted data. Everything in
$clean can be treated as valid and untainted. This ensures that the
username and password received only contain values that you expect. You
can modify the filtering to suit your needs. Then, it ensures that data
sent to the database in the SQL statement is always escaped so that it
doesn't try to do something it shouldn't.
This, of course, assumes you're using MySQL, but there are other
escaping functions for other databases. Just look in the PHP manual.
--
Ben Ramsey
http://benramsey.com/
--- End Message ---
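As an added example that is not code from the thread: the interpolated login query next to a PDO prepared statement, both run against an in-memory SQLite table constructed here (assumes the pdo_sqlite extension), using a username in the `chris' --` style Chris mentions below.

```php
<?php
// Added example, not code from the thread. Constructed in-memory SQLite table
// so it runs offline; assumes the pdo_sqlite extension is loaded.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE login (username TEXT, pass TEXT)");
$db->exec("INSERT INTO login VALUES ('alice', 'correct-horse')");

// Vulnerable form: the submitted values become part of the SQL text,
// exactly as in the interpolated query from the thread.
function login_concat(PDO $db, string $username, string $pass): bool
{
    $query = "SELECT * FROM login WHERE username='{$username}' AND pass='{$pass}'";
    return $db->query($query)->fetch() !== false;
}

// Hardened form: the values travel as bound parameters and are never
// parsed as SQL, so no per-database escaping function is needed.
function login_prepared(PDO $db, string $username, string $pass): bool
{
    $stmt = $db->prepare("SELECT * FROM login WHERE username = ? AND pass = ?");
    $stmt->execute([$username, $pass]);
    return $stmt->fetch() !== false;
}

// In the concatenated query the "--" turns the rest of the line into a
// comment, so the statement becomes: ... WHERE username='alice' --' AND pass=''
// and the password condition is gone. The prepared statement compares the
// whole string "alice' --" against the username column and finds nobody.
$username = "alice' --";
var_dump(login_concat($db, $username, ''));
var_dump(login_prepared($db, $username, ''));
var_dump(login_prepared($db, 'alice', 'correct-horse'));
```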
--- Begin Message ---
Ross wrote:
> What is the correct syntax for
> $query = "SELECT * FROM login where username='$_POST['username']' AND pass
> ='$_POST['pass']'";
> Thought this would work.
> R.
Search for "SQL Injection" and see why what you're doing is very
dangerous. Google is your friend.
--- End Message ---
--- Begin Message ---
Ross wrote:
> $query = "SELECT * FROM login where username='$_POST['username']' AND
> pass ='$_POST['pass']'";
You have to use curly braces in order to interpolate an array:
$string = "...{$array['foo']} ...";
By the way, my favorite username is this:
chris' --
That's what all my friends call me. :-)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--- End Message ---
--- Begin Message ---
On Wed, Nov 09, 2005 at 11:21:36PM -0000, Ross wrote:
>
> What is the correct syntax for
>
> $query = "SELECT * FROM login where username='$_POST['username']' AND pass
> ='$_POST['pass']'";
>
<?php
if (get_magic_quotes_gpc()) {
    $_POST['username'] = stripslashes($_POST['username']);
    $_POST['pass'] = stripslashes($_POST['pass']);
}

/* where dbdriver is mysql[_real] or pg, etc.. */
$username = dbdriver_escape_string($_POST['username']);
$pass = dbdriver_escape_string($_POST['pass']);

$query = "SELECT * FROM login
          WHERE username = '$username' AND pass = '$pass'";
Curt.
--
--- End Message ---
--- Begin Message ---
Ben Ramsey wrote:
> $clean = array();
> $sql = array();
Glad to see someone spreading this habit. :-) Thanks, Ben.
> if (ctype_alnum($_POST['pass']))
> {
> $clean['pass'] = $_POST['pass'];
> }
I think it's fine to cheat a bit with the password and trust the output
format of md5():
$clean['pass'] = md5($_POST['pass']);
Of course, it is best to use a salt:
$salt = 'SHIFLETT';
$clean['pass'] = md5($salt . md5($_POST['pass'] . $salt));
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--- End Message ---
--- Begin Message ---
Chris Shiflett wrote:
> Ben Ramsey wrote:
>> $clean = array();
>> $sql = array();
> Glad to see someone spreading this habit. :-) Thanks, Ben.
>> if (ctype_alnum($_POST['pass']))
>> {
>> $clean['pass'] = $_POST['pass'];
>> }
> I think it's fine to cheat a bit with the password and trust the output
> format of md5():
$clean['pass'] = md5((ini_get('magic_quotes_gpc') ?
stripslashes($_POST['pass']) : $_POST['pass']));
or users with quotes in their password won't be able to log in.
> $clean['pass'] = md5($_POST['pass']);
> Of course, it is best to use a salt:
> $salt = 'SHIFLETT';
> $clean['pass'] = md5($salt . md5($_POST['pass'] . $salt));
> Chris
--- End Message ---
--- Begin Message ---
I'm using this, but I'm not sure whether it's bug-free:
preg_match('/^([.0-9a-z_+-]+)@([0-9a-z-]+\.)+[0-9a-z]{2,6}$/i', $email);
Note: IIRC, the PEAR function will invalidate all addresses in the museum TLD.
--- End Message ---
--- Begin Message ---
On Wed, 2005-11-09 at 19:05, GamblerZG wrote:
> I'm using this, but I'm not sure whether it's bug-free:
> preg_match('/^([.0-9a-z_+-]+)@([0-9a-z-]+\.)+[0-9a-z]{2,6}$/i', $email);
>
> Note: IIRC, the PEAR function will invalidate all addresses in the museum TLD.
Email validation is like an MD5 checksum... who the hell cares if it
doesn't work 0.0001% of the time? Unless you're being paid large sums of
money to get it perfect, or a life depends on its accuracy... go with
the simplified solution.
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--- End Message ---
--- Begin Message ---
James Benson wrote:
> Would it not be better something like valid_email()
> email_validate()?
Anyway, I agree that PHP needs such a function.
--- End Message ---
--- Begin Message ---
On 11/9/05 7:20 PM, GamblerZG wrote:
> James Benson wrote:
>> Would it not be better something like valid_email()
>> email_validate()?
> Anyway, I agree that PHP needs such a function.
Check out http://pecl.php.net/package/filter
<?php
$clean['email'] = input_get(INPUT_POST, 'email', FL_EMAIL);
?>
I've been playing around with this for a while, and it should be noted
that it's still in beta and should not be used in a production
environment, but it's a promising step. The e-mail regex that's used
isn't perfect, and it won't support RFC-compliant addresses, but I hope
to put a little bit of work into it to help out with this.
In the meantime, check out PEAR::Mail, which includes Mail_RFC822 that
can be used to validate e-mail addresses. Also, if your PHP is compiled
--with-imap, then you can use imap_rfc822_parse_adrlist() to validate
e-mail addresses.
--
Ben Ramsey
http://benramsey.com/
--- End Message ---
--- Begin Message ---
*sigh* I'm a hardcore PHP programmer.. I've been using it for over five
years now, and would consider myself fairly advanced. I have a project where
I'm being forced to do some ASP.NET development, which I've never touched. I
need to learn it fast.
I'm thinking there must be some other folks around here who have been in
similar situations. I'm looking for some pointers on good learning
resources, specifically for someone who is an experienced PHP programmer,
but who knows nothing about .NET. What helped you most in adapting your PHP
skills for .NET?
Hope this is an appropriate question here.
Joseph
--- End Message ---
--- Begin Message ---
VTC.com has some ASP tutorials... you can get their Monthly "University"
program for $30.00 a month?
--- End Message ---
--- Begin Message ---
Hi
I am new to PHP. I am facing some problems.
Here is the code below.
Here the applet will send the files through HTTP, files
from 30 bytes to 2 GB.
<?php
$logfile = "C:/temp/log1.txt";
$log = fopen($logfile,"a+");
fwrite($log, "Executing PHP Script \r\n");

$save_path = $_REQUEST['DATADIR'];
$filepath = $_REQUEST['FILEPATH'];
$filename = $_REQUEST['FILENAME'];
$fname = "$save_path$filepath$filename";
$tdir = $save_path.$filepath;
mkMDir($tdir);

function mkMDir($dir,$dirmode=0777)
{
    if (!empty($dir)) {
        if (!file_exists($dir)) {
            preg_match_all('/([^\/]*)\/?/i', $dir,$tmp);
            $default="";
            foreach ($tmp[0] as $key=>$val) {
                $default=$default.$val;
                if(!file_exists($default))
                    if (!mkdir($default,$dirmode)) {
                        return -1;
                    }
            }
        } else if (!is_dir($dir)) {
            return -2;
        }
    }
    return 0;
}

$fp = fopen($fname,"w");
$getdata = fopen("php://input", "r");
fwrite($log, "$fname Uploaded Successfully \r\n");
while (strlen($data = fread($getdata,8192)) > 0) {
    fwrite($fp,$data);
}
fclose($fp);
fclose($getdata);
fclose($log);
?>
I tried this one; it's working for bigger files, but
it's not working for small files less than 7 MB. I am
unable to track the error or reason, and sometimes it's
writing fewer bytes (60MB) than the
original one (90MB).
If possible please go through this code and suggest
the changes.
Thanking you
With Regards
Kumar
--- End Message ---
--- Begin Message ---
On Wed, Nov 09, 2005 at 08:23:04PM -0800, kumar kumar wrote:
> Hi
> i am new to PHP .I am facing some problems .
> Here is the code below
>
> Here the applet will send the files thru http . files
> from 30 bytes to 2 GB.
>
> <?php
> ....
>
> $getdata = fopen("php://input", "r");
> ...
>
> while (strlen($data = fread($getdata,8192)) > 0) {
> fwrite($fp,$data);
> }
> ...
>
> I tried this one its working for bigger files , but
> its not working for small files less than 7 MB i am
> unable to track the error or reason.and some times its
> writing the less amount of bytes(60MB) then the
> original one(90MB).
This is a 2 part question with a 4 part answer.
First, it works for large files but not for files less than 7MB.
This is because php will automatically read the stdin for you based
on your php ini settings:
max_post_size
max_upload_size
Second, even if you increase that size, sometimes there is a limit
on how much data can be sent to the webserver, but usually you will
get an error response before the upload actually happens in most
cases.
Third, php by default has a time limit on how long it is going to
run. By default it is 30 seconds; you can use set_time_limit()
to adjust as needed. Also, there is a timeout that can occur
within the webserver as well. If for some reason there is a lag in
the connection, the webserver will just assume the client is AWOL
and drop the connection. I'd hate to see this happen at the 89MB
transfer point.
Fourth, as to why the 90MB file ends up being 60MB, your loop is all
wrong:
while (strlen($data = fread($getdata,8192)) > 0) {
You are making a big mistake by assuming what strlen() of the fread
should be; you should loop based on when it hasn't reached end of file:
while(! feof($getdata) ) {
    $data = fread($getdata, 8192);
    ...
}
With those 4 points being made I do wonder why you haven't used any
of the other already existing transfer methods, like ftp or sftp.
It seems like a lot of work you're trying to do over http, a
protocol that wasn't really designed for large file transfers.
Curt.
--
--- End Message ---
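An added example, not Kumar's or Curt's code, that applies Curt's fourth point: it reads the body until feof(), compares the bytes actually written with the announced length so a truncated transfer is reported rather than logged as a success, and keeps the destination inside one fixed directory instead of a path assembled from request parameters. It assumes PHP 7.1 or later, takes the stream and expected size as arguments (in a real handler those would be php://input and CONTENT_LENGTH), and runs here on a php://temp stream of constructed data written into the system temp directory.

```php
<?php
// Added example, not code from the thread. Copies a request body to disk with
// the feof()-driven loop, reports the byte count, and confines the target
// path. Run here on a php://temp stream of constructed data; in a real handler
// $in would be fopen('php://input','rb') and $expected (int)$_SERVER['CONTENT_LENGTH'].
function store_upload($in, string $baseDir, string $requestedName, ?int $expected): array
{
    // Only the last path component is honoured, so "../" in the request
    // cannot steer the write outside $baseDir.
    $name = basename($requestedName);
    if ($name === '' || $name === '.' || $name === '..') {
        return ['ok' => false, 'error' => 'bad filename', 'bytes' => 0];
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return ['ok' => false, 'error' => 'missing base dir', 'bytes' => 0];
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    $out = fopen($target, 'wb');
    if ($out === false) {
        return ['ok' => false, 'error' => 'cannot open target', 'bytes' => 0];
    }
    $bytes = 0;
    while (!feof($in)) {                 // stop on end-of-file, not on strlen()
        $chunk = fread($in, 8192);
        if ($chunk === false) {
            fclose($out);
            return ['ok' => false, 'error' => 'read failed', 'bytes' => $bytes];
        }
        $written = fwrite($out, $chunk);
        if ($written === false) {
            fclose($out);
            return ['ok' => false, 'error' => 'write failed', 'bytes' => $bytes];
        }
        $bytes += $written;
    }
    fclose($out);
    // A dropped client or a server timeout shows up as fewer bytes than announced.
    if ($expected !== null && $bytes !== $expected) {
        return ['ok' => false, 'error' => "expected $expected bytes, got $bytes", 'bytes' => $bytes];
    }
    return ['ok' => true, 'error' => null, 'bytes' => $bytes, 'path' => $target];
}

// Constructed stand-in for php://input: 20000 bytes of known content.
$payload = str_repeat("0123456789", 2000);
$in = fopen('php://temp', 'w+b');
fwrite($in, $payload);
rewind($in);
$dir = sys_get_temp_dir();
// The traversal in the requested name is reduced to "evil.bin" inside $dir.
$result = store_upload($in, $dir, '../../evil.bin', strlen($payload));
fclose($in);
var_dump($result);

// Short body: the stream holds 5 bytes but 90 were announced.
$in = fopen('php://temp', 'w+b');
fwrite($in, "short");
rewind($in);
var_dump(store_upload($in, $dir, 'part.bin', 90)['error']);
fclose($in);
```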
--- Begin Message ---
Danny schrieb:
> Let me open a discussion about php5 / php4
Fine. Let's keep it short ;-)
> Why upgrade?
Because you want support for proper OOP.
Most of the other changes, like SQLite, can also be used with PHP4.
> Is it worth it?
If you see the benefits of interfaces, object overloading, autoloaders,
interceptors and/or exceptions: yes. If you want to do some simple
stuff: no. If you are starting to implement a large project: big yes.
> Benefits?
Example: I have a simple object-layer for my databases and relations. If
I have a table MEETING and a table USER and I have a reference table for
the USERS_IN_MEETING, then I can now
$m = new DB_Meeting(12); // simply by id, other criteria possible
foreach ($m->allAttendees as $user)
{
    mail($user['email'], 'Invitation', 'Meeting: '.$m['description']);
}
That's it! No queries, no nothing. And thanks to interceptors I could
implement this in very few lines of code.
> Code programming changes?
I doubt any of my new PHP5 code can be backported or properly simulated
in PHP4. If you really get into it, there are big changes on the
horizon. But if you want to keep programming the way you did: Nobody
keeps you from continuing this way with PHP5.
> Is there an end-of-life for php4, in the near/medium future?
I don't believe in that. There will certainly be no new features for the
PHP4 branch, but it will get security updates for quite some time and
hosting companies will continue to feature it for years to come.
> What about MySQL and SQLite. What is the future of both? I would like to
> open a discussion about the future of both related to php no matter the
> version of it...
SQLite: This is no comparison to MySQL because I think it fits totally
different problems. It's easier to use than MySQL because you don't have
to connect to a server. You can simply deploy the database as a file
with your application. But it is not as good when it comes to high
concurrency (meaning a lot of visitors). So:
- SQLite for small projects that are used by few users.
- MySQL for big web sites.
MySQL: Even if you stay with PHP4, please consider switching to the
mysqli objects. One benefit: They are more like the SQLite API so you
can get some synergy when learning both of them.
For PHP5: PHP5.1 will feature the first final version of PDO. PDO allows
you to use MySQL and SQLite via one interface.
OLLi
____________
Kajiggers!
--- End Message ---
--- Begin Message ---
Hi there, I've been having issues with mod_rewrite and apache2 with PHP
5.1RC1. I have googled the php bugs and people have been experiencing
the same issue, however the php people can't seem to reproduce the bug.
It's most definitely doing it for me. Here is a rewrite rule I have
setup; if I [L] to a php script, it either tries to download the faked
url file or hangs. I reverted back to 5.1.0b2 and it works fine ??
What do I do ?
RewriteRule ^(.*)/(.*)/(.*)/(.*)/(.*)/(.+\.(video))$ ../../phpscript.php
--- End Message ---
--- Begin Message ---
On Thu, Nov 10, 2005 at 03:36:07PM +1100, Dan Rossi wrote:
> Hi there, I've been having issues with mod_rewrite and apache2 with PHP
> 5.1RC1. I have googled the php bugs and people have been experiencing
> the same issue, however the php people can't seem to reproduce the bug.
> It's most definitely doing it for me. Here is a rewrite rule I have
> setup; if I [L] to a php script, it either tries to download the faked
> url file or hangs. I reverted back to 5.1.0b2 and it works fine ??
> What do I do ?
>
> RewriteRule ^(.*)/(.*)/(.*)/(.*)/(.*)/(.+\.(video))$ ../../phpscript.php
Well this is a really ugly Rewrite, I must say.
One thing to note as well: 5.1RC4 has been available since October:
http://downloads.php.net/ilia/
Curt.
--
--- End Message ---
--- Begin Message ---
On 10/11/2005, at 4:18 PM, Curt Zirzow wrote:
> On Thu, Nov 10, 2005 at 03:36:07PM +1100, Dan Rossi wrote:
>> Hi there, I've been having issues with mod_rewrite and apache2 with PHP
>> 5.1RC1. I have googled the php bugs and people have been experiencing
>> the same issue, however the php people can't seem to reproduce the bug.
>> It's most definitely doing it for me. Here is a rewrite rule I have
>> setup; if I [L] to a php script, it either tries to download the faked
>> url file or hangs. I reverted back to 5.1.0b2 and it works fine ??
>> What do I do ?
>> RewriteRule ^(.*)/(.*)/(.*)/(.*)/(.*)/(.+\.(video))$
>> ../../phpscript.php
> Well this is a really ugly Rewrite, I must say.
Say what you like, however it had been working, and for the application
it works. I don't think you get what it's trying to do, but anyway, I'm
faking a url with session id's and encrypted keys and sending the
matches to the get request of that file so it's hidden.
> One thing to note as well: 5.1RC4 has been available since October:
> http://downloads.php.net/ilia/
That's not available from the main site downloads. I also forgot to
mention I had downloaded the latest from php snaps and still the same
problem, so obviously it has been overlooked.
--- End Message ---
--- Begin Message ---
Somewhere in your script you reference a string as an array. Like this:
$var = $string[0]; // returns the first char
--- End Message ---
--- Begin Message ---
Jay Blanchard wrote:
[snip]
I was working with objects, and suddenly i got this error:
*Parse error*: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM in *
D:\Apache\Apache(re)\Apache2\htdocs\Include.php* on line *11*
is this like a bug in PHP or is it a valid error?
thanks in advance
[/snip]
It means that you have two colons not being used correctly
it's a good thing this mailinglist is not about the practice
of medicine ;-)
http://www.php.net/manual/en/keyword.paamayim-nekudotayim.php
--- End Message ---
--- Begin Message ---
> >
> > It means that you have two colons not being used correctly
>
> it's a good thing this mailinglist is not about the practice
> of medicine ;-)
>
If it was, I suppose you would recommend 'colonic irrigation' then? Twice,
perhaps?
George
--- End Message ---
--- Begin Message ---
Thanks for all the feedback on the password but I have another one...
How do I use $_POST with variables? Can't find an example of this anywhere on
php.net
if ($_POST['$table_name== 1']) {
//do something
}
Ta,
ross
--- End Message ---
--- Begin Message ---
Sorry I got confused. I am using variable variables.
Disregard.
""Ross"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Thanks for all the feedback on the password but I have another one...
>
> How do I use $_POST with variables? Can't find an example of this anywhere
> on php.net
>
>
> if ($_POST['$table_name== 1']) {
>
> //do something
>
> }
>
> Ta,
>
> ross
--- End Message ---
--- Begin Message ---
if ($_POST[$table_name] == 1) { // no quotes around $table_name: its value is the key
//do something
}
what you have is essentially looking for a posted value called '$table_name==
1'!
Ross wrote:
> Thanks for all the feedback on the password but I have another one...
> How do I use $_POST with variables? Can't find an example of this anywhere on
> php.net
> if ($_POST['$table_name== 1']) {
> //do something
> }
> Ta,
> ross
--- End Message ---
--- Begin Message ---
Hi Ross,
Thursday, November 10, 2005, 10:39:48 AM, you wrote:
> How do I use $_POST with variables. Cant find an example of this
> anywhere on php.net
> if ($_POST['$table_name== 1']) {
if ($_POST['form_element_name'] == 'whatever')
There are many examples of this all over the web. You need to look
harder. Try Google for "beginners guide to PHP".
Cheers,
Rich
--
Zend Certified Engineer
PHP Development Services
http://www.corephp.co.uk
--- End Message ---
--- Begin Message ---
Ross wrote:
> Sorry I got confused. I am using variable variables.
> Disregard.
> ""Ross"" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> Thanks for all the feedback on the password but I have another one...
>> How do I use $_POST with variables? Can't find an example of this anywhere
>> on php.net
>> if ($_POST['$table_name== 1']) {

$tablename = 'yourtable';
if (isset($_POST[ $tablename ]) && $_POST[ $tablename ] == 1) {
    echo $tablename, ' has been selected';
}

>> //do something
>> }
>> Ta,
>> ross
--- End Message ---
--- Begin Message ---
Before someone advises me to 'google' my question: I have, and can't find a
PHP.net example either.
I have turned off register_globals and am updating my scripts so they work,
but I keep getting an undefined index problem using $_POST.
I tried this to set the value...
if (!isset($_POST['heading'])) {
    $_POST['heading'] = "";
}
because the following line gives the notice 'undefined index' BEFORE the
submit button has been pressed..
<? $heading_insert = stripslashes($_POST['heading']); ?>
R.
--- End Message ---