php-general Digest 8 Jun 2012 18:26:47 -0000 Issue 7846
Topics (messages 318192 through 318200):
Re: Read dynamic variable from HTML form into PHP
318192 by: ioannes.btinternet.com
Re: A problem about sessions
318193 by: Tazio Ceri
Your Amazon.com order confirmation.
318194 by: digital-no-reply.amazon.com
318195 by: Dan McCullough
SQL Injection
318196 by: Ethan Rosenberg
318197 by: Adam Richardson
318198 by: Jen Rasmussen
318199 by: Govinda
318200 by: Jim Lucas
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
There are essentially 2 ways:
1. All POSTed data is present in the $_POST superglobal array. So you
could just loop over that, ignore the fields you already knew were there,
and the data remaining is then essentially the data you seek. The keys in
the $_POST array are the fieldnames you are looking for.
2. There's a special trick in PHP, when you name a field "name[]" in HTML
and then POST it to a PHP script, it will turn into an array field. So
<input name="a[]" value="1"> <input name="a[]" value="2"> will then end up
in:
$_POST = [
'a' => [
0 => '1',
1 => '2'
]
]
If you had not added the square-brackets, you would have:
<input name="a" value="1"> <input name="a" value="2"> ending up in:
$_POST = [
'a' => '2'
]
Thus not ever seeing the value '1'.
<form>
checkbox field name="input_1" value="y"
checkbox field name="input_2" value="y"
field name input_n
..
</form>
<?
//checkboxes return on submit only if ticked
$query="SELECT id FROM table WHERE etc";
$result=mysql_db_query($db, $query,$connection);
$count=mysql_num_rows($result);
while($row=mysql_fetch_row($result)) {
$id=$row[0];
//dynamic variable
//if form uses textfield that returns on submit
//if(${"input_".$id}=="1"){
//if checkbox that only returns if ticked
if(ISSET(${"input_".$id})){
echo "checked 1";
}
}
?>
--- End Message ---
--- Begin Message ---
Stuart Dallas <stu...@3ft9.com> ha scritto:
>On 8 Jun 2012, at 00:39, Tazio Ceri wrote:
>
>> I have a PHP script that takes very long time to execute. I manage it
>using the following structure:
>>
>> ob_start();
>>
>> // some code
>> session_start();
>> // some code
>>
>> header("Content-length: ".ob_get_length());
>> ob_end_flush();
>>
>> // some other, very long, code!
>>
>> The problem I am facing is that, after having set up a session, often
>I have error as
>> I don't find any simple variable that I wrote in $_SESSION.
>> Correct my if I am wrong, but I think that $_SESSION get saved to
>disk only
>> at the end of the script, after the "very long code" has been
>executed.
>> There is a way to save the session manually just after
>ob_end_flush()?
>
>
>http://php.net/session_write_close
>
>-Stuart
>
>--
>Stuart Dallas
>3ft9 Ltd
>http://3ft9.com/
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php
Thank you, I don't know how I overlooked that function.
Tazio Ceri
--- End Message ---
--- Begin Message ---
Your Order with Amazon.com Thanks for your order, php-db-h...@lists.php.net! Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account. Order Information:
E-mail Address: php-db-h...@lists.php.net Billing Address: Av. GAHANNA United States Phone: 1-747-517-7595
Order Grand Total: $ 60.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: Y09-7318668-6213012
Subtotal of items: $ 60.99
------
Total before tax: $ 60.99
Tax Collected: $0.00
------
Grand Total: $ 60.00
Gift Certificates: $ 0.99
------
Total for this Order: $ 60.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com. The Witness by Nora Roberts [Kindle Edition] $ 60.99 Sold By: Random House Digital, Inc.
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department. Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message. Thanks again for shopping with us. Amazon.com Earth's Biggest Selection Prefer not to receive HTML mail? Click here
--- End Message ---
--- Begin Message ---
I was hoping for a TV
On Fri, Jun 8, 2012 at 10:19 AM, <> wrote:
> Your Order with Amazon.com
>
> Thanks for your order,
> php-db-h...@lists.php.net! Did you know you can
> view and edit your orders online, 24 hours a day?
> Visit Your Account.
>
> Order Information:
>
>
> E-mail
> Address: php-db-h...@lists.php.net
>
>
> Billing Address:
> Av.
> GAHANNA United States
> Phone: 1-747-517-7595
>
>
>
> Order Grand
> Total: $ 60.99
>
>
>
>
>
> Earn 3%
> rewards on your Amazon.com orders with
> the Amazon Visa Card. Learn
> More
>
>
> Order Summary:
>
>
> Details:
>
>
>
> Order #:
> Y09-7318668-6213012
> Subtotal of items:
> $ 60.99
>
> ------
> Total before tax:
> $ 60.99
>
> Tax Collected:
> $0.00
> ------
>
> Grand Total:
> $ 60.00
> Gift Certificates:
> $ 0.99
>
> ------
> Total for this
> Order: $ 60.99
>
> The
> following item is auto-delivered to your Kindle or
> other device. You can view more information about
> this order by clicking on the title on the Manage
> Your Kindle page at Amazon.com.
>
> The Witness by
> Nora Roberts [Kindle Edition] $ 60.99
> Sold By: Random House
> Digital, Inc.
>
> You can review
> your orders in Your Account. If you've explored
> the links on that page but still have a question,
> please visit our online Help Department.
> Please note: This e-mail was sent from
> a notification-only address that cannot accept
> incoming e-mail. Please do not reply to this
> message. Thanks again for shopping
> with us. Amazon.com
> Earth's Biggest Selection Prefer
> not to receive HTML mail? Click here
>
--
Thank you,
Dan
Cell: 484-459-2856
<https://www.facebook.com/dpmccullough>
<http://www.linkedin.com/in/danmccullough>
--- End Message ---
--- Begin Message ---
Dear List -
I am aware of a long email trail on this subject, but there does not
seem to be a resolution.
Is it possible to have a "meeting of the minds" to come up with (an)
appropriate method(s)?
Thanks.
Ethan Rosenberg
--- End Message ---
--- Begin Message ---
On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg <eth...@earthlink.net> wrote:
> Is it possible to have a "meeting of the minds" to come up with (an)
> appropriate method(s)?
Minds, meet prepared statements :)
Adam
--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
--- End Message ---
--- Begin Message ---
-----Original Message-----
From: Adam Richardson [mailto:simples...@gmail.com]
Sent: Friday, June 08, 2012 11:50 AM
To: PHP-General
Subject: Re: [PHP] SQL Injection
On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg <eth...@earthlink.net>
wrote:
> Is it possible to have a "meeting of the minds" to come up with (an)
> appropriate method(s)?
Minds, meet prepared statements :)
Adam
--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
--
PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php
PDO is the way to go :D
Jen
--- End Message ---
--- Begin Message ---
>> Is it possible to have a "meeting of the minds" to come up with (an)
>> appropriate method(s)?
> Minds, meet prepared statements :)
> PDO is the way to go :D
Not to refute the above advice one bit (not to mention oppose the arguments
against escaping in general) ... but just curious - can anyone demo a hack
that effectively injects past mysqli_real_escape_string(), while using utf-8 ?
It may just be a matter of time (or already?) before mysqli_real_escape_string
is *proven* ineffective (w/utf-8) ... but here I am just attempting to gather
facts.
Thanks
-Govinda
--- End Message ---
--- Begin Message ---
On 06/08/2012 10:31 AM, Govinda wrote:
Is it possible to have a "meeting of the minds" to come up with (an)
appropriate method(s)?
Minds, meet prepared statements :)
PDO is the way to go :D
Not to refute the above advice one bit (not to mention oppose the arguments
against escaping in general) ... but just curious - can anyone demo a hack
that effectively injects past mysqli_real_escape_string(), while using utf-8 ?
It may just be a matter of time (or already?) before mysqli_real_escape_string
is *proven* ineffective (w/utf-8) ... but here I am just attempting to gather
facts.
Thanks
-Govinda
Ah, but what if I use sqlite or postgres?
IMHO, the discussion needs to be a the best way to prevent SQL injection
across all possible DB types. Not just mysql.
--
Jim Lucas
http://www.cmsws.com/
http://www.cmsws.com/examples/
http://www.bendsource.com/
--- End Message ---
