Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

GH wrote:
> Now I'm perplexed times 10!
> I run the code that follows, this time providing a query string of
> admin_template.php?api=101
> I have an if statement that tests if $_GET['api'] == 0; if it is true I have
> it listing options, else it queries the database with that ID and loads the
> associated file.

You have a lot more tests than that...

> However, it does not seem to execute the else.
> I thought that the value may have been wrong, so I used
> echo $_GET['api'];
> and it returned 101

Use var_dump($_GET['api']) and it may give you a clue. Your is_int() test is going to fail each time because anything passed through $_GET or $_POST is a string.

FYI, you could essentially replace all of those tests you do on $_GET['api'] with

if(empty($_GET['api']))
{ echo 'bad value'; //or select everything from table ? }
else
{
  $input['api'] = (int)$_GET['api'];
  $query = "SELECT * FROM yourtable WHERE api = {$input['api']}";
  ...
}

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

How can I convert it to an integer as long as it is only a number in the string?

On Mon, 11 Oct 2004 13:19:40 -0400, John Holmes [EMAIL PROTECTED] wrote:
> [quoted reply snipped]
Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

GH wrote:
> How can I convert it to an integer as long as it is only a number in the string?

Does it _really_ matter if only a number is passed? If someone passes "abcd" and it's converted to an integer, it'll be zero. Then your query will not return any rows (which you're already testing for, anyhow, right?) and be handled accordingly. Who cares if they pass "104abcd"? It'll just be converted to 104 and see if a matching record exists.

I think you're getting caught up in too many tests. If you're expecting an integer, MAKE it an integer, then run your query. 99.9% of your values are going to come through correct if they are coming from your program, right? Just silently ignore the rest because it's someone screwing around.

If, however, you _really_ want to ensure $_GET['api'] is _only_ numbers, then you can use

if(!isset($_GET['api']) || preg_match('/[^0-9]/',$_GET['api']))
{ echo 'API is not all numbers'; }

or

if(isset($_GET['api']) && preg_match('/^[0-9]+$/',$_GET['api']))
{ echo 'API is a number only'; }

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals www.phparch.com
Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

Re: Does it _really_ matter if only a number is passed?

I would think so, since if someone is trying to pass a string that is not proper it should be treated as such, and not as if we just take the first set of numbers and throw away all the rest.

Maybe I am over-thinking this, or I am being paranoid. I am trying to make this work well and hope to design it to be secure, since this is my first PHP endeavor.

Thanks
G

On Mon, 11 Oct 2004 14:02:08 -0400, John Holmes [EMAIL PROTECTED] wrote:
> [quoted reply snipped]
Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

As far as checking to see if it's a number, note that you can get the following:

"10" = string that contains 10
10   = integer that contains 10.

You can verify that a variable contains numbers or numeric data by using

if (is_numeric($variable)) {
    // $variable is either a number variable or a string containing only numeric data
}

HTH
-Minuk

----- Original Message -----
From: GH [EMAIL PROTECTED]
To: John Holmes [EMAIL PROTECTED]
Cc: GH [EMAIL PROTECTED]; PHP General [EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 12:00 AM
Subject: Re: [PHP] Lost in PHP (part 1) Sequel to Lost in Query

> [quoted message snipped]
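The script below is an added example written for this page; it is not code posted by John Holmes, Minuk or GH. It runs the checks the thread has mentioned (is_int(), the (int) cast, the digits-only regex, is_numeric()) side by side on a constructed list of query-string values, and adds a filter_var()-based check, api_id_from_query(), that returns null for junk instead of 0, which separates "abcd" from the api=0 listing case GH wants to keep. It goes beyond the thread's own inputs by including values such as "1e3", "10.0" and " 10", which is_numeric() accepts and a digits-only test does not. The function name and the sample list are my own; results assume PHP 7.1 or later.

```php
<?php
// Added example (not posted by anyone in the thread): the checks discussed
// above, side by side, on values as PHP delivers them in $_GET. Assumes
// PHP >= 7.1. The sample values are constructed for the demonstration.
declare(strict_types=1);

/**
 * Page id from the query string as an int, or null when the value is not a
 * plain non-negative decimal integer. null is distinct from 0, so junk such
 * as "abcd" is not mistaken for the api=0 "list everything" case.
 */
function api_id_from_query(array $get): ?int
{
    if (!isset($get['api']) || !is_string($get['api'])) {
        return null;                 // missing, or ?api[]=1 (an array)
    }
    // FILTER_VALIDATE_INT rejects "104abcd", "1e3", "10.0", "0x1A" and
    // leading zeros outright; min_range keeps negative ids out.
    $id = filter_var($get['api'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Constructed inputs, as they would arrive after PHP parses ?api=...
$samples = ['101', '0', '104abcd', 'abcd', '', ' 10', '1e3', '10.0', '0x1A', '00101', '-5', '101 OR 1=1'];

$fmt = "%-14s %-7s %-7s %-11s %-12s %-12s %s\n";
printf($fmt, 'input', 'is_int', '(int)', 'is_numeric', '/^[0-9]+$/', 'ctype_digit', 'api_id_from_query');
foreach ($samples as $raw) {
    printf($fmt,
        var_export($raw, true),
        var_export(is_int($raw), true),      // always false: every $_GET value is a string
        (string) (int) $raw,                 // the cast keeps leading digits and drops the rest
        var_export(is_numeric($raw), true),  // also accepts exponents, decimals, leading space
        var_export((bool) preg_match('/^[0-9]+$/', $raw), true),
        var_export(ctype_digit($raw), true), // digits only, like the regex; false for ""
        var_export(api_id_from_query(['api' => $raw]), true)
    );
}

// The cases a per-value test never sees: the parameter missing, or sent as an array.
var_dump(api_id_from_query([]));
var_dump(api_id_from_query(['api' => ['101']]));
```

Run it with `php` on the command line and compare the columns: only the last one gives a value that is safe to use as an integer id and still distinguishes "not a number" from 0.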
[PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

Now I'm perplexed times 10!

I run the code that follows, this time providing a query string of
admin_template.php?api=101

I have an if statement that tests if $_GET['api'] == 0; if it is true I have it listing options, else it queries the database with that ID and loads the associated file.

However, it does not seem to execute the else.

I thought that the value may have been wrong, so I used
echo $_GET['api'];
and it returned 101

What am I doing wrong?

CODE-----

<html>
<head>
<title>CB12M CERT TEAM ADMINISTRATION SCREEN</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?PHP
require 'mod/db_access.php';

echo 'this is a test of the system <br>' . $_GET['api'];

// Both tests below call is_int() on $_GET['api']. Query-string values are
// strings, so is_int() is false and api is reset to the integer 0 here...
if (!isset($_GET['api']) || (isset($_GET['api']) && ((strlen(trim(urldecode($_GET['api']))) == 0) || (!is_int($_GET['api'])))))
    $_GET['api'] = 0;

// ...and now that it is the integer 0, this second test no longer fires.
if (isset($_GET['api']) && ((strlen(trim(urldecode($_GET['api']))) == 0) || (!is_int($_GET['api']))))
    echo '<strong> ERROR: </strong> the page identifier provided is not valid. Please try again.';

if ($_GET['api'] == 0) {
    $admin_get_options_query_text = "Select * from adminpage";
    $admin_get_options_results_reference = mysql_query($admin_get_options_query_text, $db_access)
        or die("Admin Get Options: " . mysql_error());
    if (mysql_num_rows($admin_get_options_results_reference) > 0) {
?>
<table width="600">
<TR><TD> Link </TD><TD> DESCRIPTION </TD></TR>
<?PHP
        while ($admin_get_options_result = mysql_fetch_assoc($admin_get_options_results_reference)) {
            echo '<TR><TD>';
            echo '<a href="?api=' . urlencode($admin_get_options_result['adminpageid']) . '"> Click Here </a></td>';
            echo '<TD>' . $admin_get_options_result['description'] . '</TD></TR>';
        }
        mysql_free_result($admin_get_options_results_reference);
?>
</table>
<?PHP
    }
} else {
    // $_GET['api'] is concatenated straight into the SQL text, unescaped.
    $admin_get_page_query_text = "Select * from adminpage Where adminpageid = " . $_GET['api'] . " LIMIT 1";
    $admin_get_page_results_reference = mysql_query($admin_get_page_query_text, $db_access)
        or die("Admin Get Page: " . mysql_error());
    $admin_get_page_result = mysql_fetch_row($admin_get_page_results_reference);
    if (mysql_num_rows($admin_get_page_results_reference) > 0) {
        // the file to load is taken from the second column of the database row
        require "mod/admin/" . trim(strtolower($admin_get_page_result[1]));
    } else {
        echo "ERROR: Invalid Admin Page Requested <br>";
        echo 'Please Try Again ... <a href="admin_template.php?api=0"> Click Here </a>';
    }
}
?>
</body>
</html>
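What follows is an added example, written for this page rather than taken from GH's post, that keeps the page's flow (api=0 lists the pages, api=N loads one) while closing the three weak spots in the posted version: the id is validated before it is used, the lookup is a prepared statement with the id bound as an integer instead of concatenated into the SQL, and the file name read from the database row is checked to be a plain name inside the admin directory before it is require()d. To run stand-alone it builds an in-memory SQLite database through PDO (pdo_sqlite must be available) with constructed rows, and writes one throw-away page file under the system temp directory; the real page would use the connection from mod/db_access.php. The table and column names adminpage, adminpageid and description come from the original; the column name filename is my assumption for the second column the original reads as $admin_get_page_result[1], and all function names are mine.

```php
<?php
// Added example, not the original poster's code. Same page flow as the
// posted admin_template.php, with input validation, a prepared statement
// and a path check before require(). Assumes PHP >= 7.1 with pdo_sqlite.
// The database rows and the page file are constructed fixtures.
declare(strict_types=1);

/** Page id as int, or null for anything that is not a plain non-negative integer. */
function api_id_from_query(array $get): ?int
{
    if (!isset($get['api']) || !is_string($get['api'])) {
        return null;
    }
    $id = filter_var($get['api'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

/** All pages, for the api=0 listing. */
function list_admin_pages(PDO $db): array
{
    return $db->query('SELECT adminpageid, description FROM adminpage ORDER BY adminpageid')
              ->fetchAll(PDO::FETCH_ASSOC);
}

/** One page by id; the id travels as a bound parameter, never inside the SQL text. */
function find_admin_page(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT adminpageid, filename, description FROM adminpage WHERE adminpageid = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Resolve a file name stored in the database to a path inside $dir, or null.
 * The name must be bare (no directory part) and match a strict pattern, and
 * the resolved path must be an existing file under the real admin directory,
 * so a row edited to hold "../../etc/passwd" or an absolute path is refused.
 */
function resolve_admin_page_file(string $dir, string $name): ?string
{
    if ($name === '' || $name !== basename($name) || !preg_match('/^[a-z0-9_]+\.php$/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- constructed fixture: an admin directory with one page file, and two DB rows ---
$adminDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'admin_example_' . getmypid();
mkdir($adminDir);
file_put_contents($adminDir . DIRECTORY_SEPARATOR . 'cert_roster.php', "<?php echo 'CERT roster page', PHP_EOL;\n");

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE adminpage (adminpageid INTEGER PRIMARY KEY, filename TEXT, description TEXT)');
$db->exec("INSERT INTO adminpage VALUES (101, 'cert_roster.php', 'Team roster'),
                                        (102, '../db_access.php', 'Tampered row')");

// Requests to exercise: a valid id, the listing, junk, an injection attempt,
// and a row whose file name points outside the admin directory.
foreach (['101', '0', 'abcd', '101 OR 1=1', '102'] as $raw) {
    $id = api_id_from_query(['api' => $raw]);
    echo 'api=', var_export($raw, true), ': ';
    if ($id === null) {
        echo "ERROR: the page identifier provided is not valid.\n";
    } elseif ($id === 0) {
        echo "listing\n";
        foreach (list_admin_pages($db) as $page) {
            echo '  [', $page['adminpageid'], '] ', htmlspecialchars($page['description'], ENT_QUOTES), "\n";
        }
    } elseif (($row = find_admin_page($db, $id)) === null) {
        echo "ERROR: Invalid Admin Page Requested\n";
    } elseif (($file = resolve_admin_page_file($adminDir, strtolower(trim($row['filename'])))) === null) {
        echo "ERROR: page file for id $id is not under the admin directory\n";
    } else {
        require $file;
    }
}

unlink($adminDir . DIRECTORY_SEPARATOR . 'cert_roster.php');
rmdir($adminDir);
```

The point of the last check is that the database is not a trusted source for a file path: anyone who can edit the adminpage table (through this very page, or through a future SQL injection elsewhere) would otherwise get arbitrary file inclusion, so the name is constrained to a bare, existing file under mod/admin/ rather than passed to require() as stored.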