php-general Digest 8 Jun 2012 18:26:47 -0000 Issue 7846

Topics (messages 318192 through 318200):

Re: Read dynamic variable from HTML form into PHP
        318192 by: ioannes.btinternet.com

Re: A problem about sessions
        318193 by: Tazio Ceri

Your Amazon.com order confirmation.
        318194 by: digital-no-reply.amazon.com
        318195 by: Dan McCullough

SQL Injection
        318196 by: Ethan Rosenberg
        318197 by: Adam Richardson
        318198 by: Jen Rasmussen
        318199 by: Govinda
        318200 by: Jim Lucas

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---

There are essentially 2 ways:
1. All POSTed data is present in the $_POST superglobal array. So you
could just loop over that, ignore the fields you already knew were there,
and the data remaining is then essentially the data you seek. The keys in
the $_POST array are the fieldnames you are looking for.

2. There's a special trick in PHP: when you name a field "name[]" in HTML
and then POST it to a PHP script, it will turn into an array field. So
<input name="a[]" value="1"> <input name="a[]" value="2"> will then end up
in:
$_POST = [
    'a' =>  [
       0 =>  '1',
       1 =>  '2'
    ]
]

If you had not added the square-brackets, you would have:
<input name="a" value="1">  <input name="a" value="2">  ending up in:
$_POST = [
    'a' =>  '2'
]
Thus not ever seeing the value '1'.




<form>
checkbox field name="input_1" value="y"
checkbox field name="input_2" value="y"
field name input_n
..
</form>

<?php
// Checkboxes are only present in the POST data when ticked.
$query = "SELECT id FROM table WHERE etc";
// mysql_* API as in the original post (deprecated; PDO or mysqli is preferred)
$result = mysql_db_query($db, $query, $connection);
$count = mysql_num_rows($result);
while ($row = mysql_fetch_row($result)) {
        $id = $row[0];
        // Dynamic field name built from the row id. Read it from $_POST
        // rather than via ${"input_".$id}, which relied on register_globals.
        // For a text field that is always submitted:
        //if ($_POST["input_" . $id] == "1") {
        // For a checkbox that is only submitted when ticked:
        if (isset($_POST["input_" . $id])) {
                echo "checked 1";
        }
}
?>

--- End Message ---
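Added example (not code from the thread): collecting the ticked ids from a form that uses either naming style described above. $knownIds stands in for the ids the original code reads with mysql_fetch_row, and $samplePost is a constructed request; only ids the server already knows are accepted, so a stray or forged field name is ignored rather than trusted.

```php
<?php
/**
 * Return the subset of $knownIds that was ticked in the submitted form.
 * Handles both "input_<id>" checkboxes and "input[]" array checkboxes.
 * Ids not present in $knownIds (e.g. a forged input_999) are dropped.
 */
function checkedIds(array $knownIds, array $post): array
{
    $known  = array_flip(array_map('intval', $knownIds));
    $ticked = [];

    // Style 1: one field per row, name="input_<id>" value="y".
    // Loop over the POST data and match the prefix; never use
    // ${"input_".$id} (variable variables), which depended on register_globals.
    foreach ($post as $field => $value) {
        if (preg_match('/^input_(\d+)$/', $field, $m) && isset($known[(int)$m[1]])) {
            $ticked[(int)$m[1]] = true;
        }
    }

    // Style 2: name="input[]" value="<id>" arrives as $post['input'] = [...].
    if (isset($post['input']) && is_array($post['input'])) {
        foreach ($post['input'] as $value) {
            if (ctype_digit((string)$value) && isset($known[(int)$value])) {
                $ticked[(int)$value] = true;
            }
        }
    }

    $ids = array_keys($ticked);
    sort($ids);
    return $ids;
}

// Constructed sample request: rows 1..4 exist; 2 and 3 were ticked using
// style 1, 4 using style 2, input_999 is not a known row and 'abc' is junk.
$knownIds   = [1, 2, 3, 4];
$samplePost = [
    'input_2'   => 'y',
    'input_3'   => 'y',
    'input_999' => 'y',
    'input'     => ['4', 'abc'],
    'submit'    => 'Save',
];
print_r(checkedIds($knownIds, $samplePost));
```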
--- Begin Message ---
Stuart Dallas <stu...@3ft9.com> wrote:

>On 8 Jun 2012, at 00:39, Tazio Ceri wrote:
>
>> I have a PHP script that takes very long time to execute. I manage it
>using the following structure:
>> 
>> ob_start();
>> 
>> // some code
>> session_start();
>> // some code
>> 
>> header("Content-length: ".ob_get_length());
>> ob_end_flush();
>> 
>> // some other, very long, code!
>> 
>> The problem I am facing is that, after having set up a session, often
>I have error as
>> I don't find any simple variable that I wrote in $_SESSION.
>> Correct my if I am wrong, but I think that $_SESSION get saved to
>disk only
>> at the end of the script, after the "very long code" has been
>executed.
>> There is a way to save the session manually just after
>ob_end_flush()?
>
>
>http://php.net/session_write_close
>
>-Stuart
>
>-- 
>Stuart Dallas
>3ft9 Ltd
>http://3ft9.com/
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

Thank you, I don't know how I overlooked that function.
Tazio Ceri

--- End Message ---
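Added example (not code from the thread) putting session_write_close() into the ob_start()/Content-Length/ob_end_flush() structure from the question. long_job() is a hypothetical stand-in for the "very long code"; the session key is constructed.

```php
<?php
// Placeholder for the real long-running work.
function long_job(): void
{
    sleep(5);
}

ob_start();
session_start();

$_SESSION['report_requested_at'] = time();   // value a later request must see

// Write $_SESSION to its storage now and release the session lock. Until
// this call, any other request from the same browser blocks inside its own
// session_start(), because this script still holds the lock on the session.
session_write_close();

// Hand the finished output to the client; Content-Length lets the browser
// know the response is complete even though the script keeps running.
header('Content-Length: ' . ob_get_length());
header('Connection: close');
ob_end_flush();
flush();

// Carry on after the client has gone away. After session_write_close() any
// further change to $_SESSION is not saved unless session_start() is called
// again, so treat the session as read-only from here on.
ignore_user_abort(true);
long_job();
```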
--- Begin Message ---
Your Order with Amazon.com

Thanks for your order, php-db-h...@lists.php.net! Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Information:
E-mail Address: php-db-h...@lists.php.net
Billing Address: Av. GAHANNA United States
Phone: 1-747-517-7595
Order Grand Total: $ 60.99

Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #: Y09-7318668-6213012
Subtotal of items: $ 60.99
------
Total before tax: $ 60.99
Tax Collected: $0.00
------
Grand Total: $ 60.00
Gift Certificates: $ 0.99
------
Total for this Order: $ 60.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.

The Witness by Nora Roberts [Kindle Edition] $ 60.99
Sold By: Random House Digital, Inc.

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.

Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here
--- End Message ---
--- Begin Message ---
I was hoping for a TV

On Fri, Jun 8, 2012 at 10:19 AM, <> wrote:

> Your Order with Amazon.com
>
> Thanks for your order, php-db-h...@lists.php.net! Did you know you can
> view and edit your orders online, 24 hours a day? Visit Your Account.
>
> Order Information:
> E-mail Address: php-db-h...@lists.php.net
> Billing Address: Av. GAHANNA United States
> Phone: 1-747-517-7595
> Order Grand Total: $ 60.99
>
> Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card.
> Learn More
>
> Order Summary:
> Details:
> Order #: Y09-7318668-6213012
> Subtotal of items: $ 60.99
> ------
> Total before tax: $ 60.99
> Tax Collected: $0.00
> ------
> Grand Total: $ 60.00
> Gift Certificates: $ 0.99
> ------
> Total for this Order: $ 60.99
>
> The following item is auto-delivered to your Kindle or other device. You
> can view more information about this order by clicking on the title on
> the Manage Your Kindle page at Amazon.com.
>
> The Witness by Nora Roberts [Kindle Edition] $ 60.99
> Sold By: Random House Digital, Inc.
>
> You can review your orders in Your Account. If you've explored the links
> on that page but still have a question, please visit our online Help
> Department.
> Please note: This e-mail was sent from a notification-only address that
> cannot accept incoming e-mail. Please do not reply to this message.
> Thanks again for shopping with us.
> Amazon.com
> Earth's Biggest Selection
> Prefer not to receive HTML mail? Click here
>




-- 
Thank you,

Dan

Cell:  484-459-2856

<https://www.facebook.com/dpmccullough>
<http://www.linkedin.com/in/danmccullough>

--- End Message ---
--- Begin Message ---
Dear List -

I am aware of a long email trail on this subject, but there does not seem to be a resolution.

Is it possible to have a "meeting of the minds" to come up with (an) appropriate method(s)?

Thanks.

Ethan Rosenberg



--- End Message ---
--- Begin Message ---
On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg <eth...@earthlink.net> wrote:
> Is it possible to have a "meeting of the minds" to come up with (an)
> appropriate method(s)?

Minds, meet prepared statements :)

Adam

-- 
Nephtali:  A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com

--- End Message ---
--- Begin Message ---
-----Original Message-----
From: Adam Richardson [mailto:simples...@gmail.com] 
Sent: Friday, June 08, 2012 11:50 AM
To: PHP-General
Subject: Re: [PHP] SQL Injection

On Fri, Jun 8, 2012 at 12:37 PM, Ethan Rosenberg <eth...@earthlink.net>
wrote:
> Is it possible to have a "meeting of the minds" to come up with (an) 
> appropriate method(s)?

Minds, meet prepared statements :)

Adam

--
Nephtali:  A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com

--
PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php


PDO is the way to go :D

Jen




--- End Message ---
--- Begin Message ---
>> Is it possible to have a "meeting of the minds" to come up with (an) 
>> appropriate method(s)?


> Minds, meet prepared statements :)


> PDO is the way to go :D


Not to refute the above advice one bit (not to mention oppose the arguments 
against escaping in general)... but just curious: can anyone demo a hack 
that effectively injects past mysqli_real_escape_string() while using utf-8? 
It may just be a matter of time (or already?) before mysqli_real_escape_string 
is *proven* ineffective (w/utf-8)... but here I am just attempting to gather 
facts.

Thanks
-Govinda


--- End Message ---
--- Begin Message ---
On 06/08/2012 10:31 AM, Govinda wrote:
Is it possible to have a "meeting of the minds" to come up with (an)
appropriate method(s)?


Minds, meet prepared statements :)


PDO is the way to go :D


Not to refute the above advice one bit (not to mention oppose the arguments 
against escaping in general)... but just curious: can anyone demo a hack 
that effectively injects past mysqli_real_escape_string() while using utf-8? 
It may just be a matter of time (or already?) before mysqli_real_escape_string 
is *proven* ineffective (w/utf-8)... but here I am just attempting to gather 
facts.

Thanks
-Govinda



Ah, but what if I use sqlite or postgres?

IMHO, the discussion needs to be about the best way to prevent SQL injection across all possible DB types, not just MySQL.

--
Jim Lucas

http://www.cmsws.com/
http://www.cmsws.com/examples/
http://www.bendsource.com/

--- End Message ---
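Added example (not code from the thread) of the approach the replies converge on: one parameterised PDO query that works unchanged against sqlite, MySQL or PostgreSQL, so no escaping function is in the data path at all. The users table and its rows are constructed in an in-memory sqlite database so the code runs offline; the MySQL and PostgreSQL DSNs in the comments are assumed shapes.

```php
<?php
function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements instead of letting the
        // driver splice quoted values into the SQL text on the client side.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// The SQL text is fixed; user input only ever travels as a bound parameter.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database. For MySQL the DSN would look like
// 'mysql:host=...;dbname=...;charset=utf8mb4' (declare the charset in the
// DSN so client and server agree on the encoding); for PostgreSQL
// 'pgsql:host=...;dbname=...'. findUser() needs no change for either.
$pdo = connect('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['alice', "o'brien", 'bob'] as $n) {
    $ins->execute([':name' => $n]);
}

// A name containing a quote is matched as a literal string, and a
// tautology in the input is searched for as a name rather than run as SQL.
print_r(findUser($pdo, "o'brien"));
print_r(findUser($pdo, "x' OR '1'='1"));
```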
