Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

2004-10-11 Thread John Holmes
GH wrote:
Now I'm perplexed times 10!
   I run the code that follows this time providing a query string
of admin_template.php?api=101
I have an if statement that tests if $_GET['api'] == 0; if it is
true I have it listing options, else it queries the database with that
ID and loads the associated file.
You have a lot more tests than that...
However it does not seem to execute the else.

I thought that the value may have been wrong so I used echo 
$_GET['api']; and it returned 101
Use var_dump($_GET['api']) and it may give you a clue. Your is_int() 
test is going to fail each time because anything passed through $_GET or 
$_POST is a string.

FYI, you could essentially replace all of those tests you do on 
$_GET['api'] with

if(empty($_GET['api']))
{
  echo 'bad value';
  //or select everything from table ?
}
else
{
  $input['api'] = (int)$_GET['api'];   // cast: a non-numeric string becomes 0
  $query = "SELECT * FROM yourtable WHERE api = {$input['api']}";
  ...
}
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

2004-10-11 Thread GH
How can I convert it to an integer as long as it is only a number in the string?



On Mon, 11 Oct 2004 13:19:40 -0400, John Holmes
[EMAIL PROTECTED] wrote:
 GH wrote:
 
  Now I'm perplexed times 10!
 
 I run the code that follows this time providing a query string
  of admin_template.php?api=101
 
  I have an if statement that tests if $_GET['api'] == 0; if it is
  true I have it listing options, else it queries the database with that
  ID and loads the associated file.
 
 You have a lot more tests than that...
 
  However it does not seem to execute the else
 
  I thought that the value may have been wrong so I used echo
  $_GET['api']; and it returned 101
 
 use var_dump($_GET['api']) and it may give you a clue. Your is_int()
 test is going to fail each time because anything passed through $_GET or
  $_POST is a string.
 
 FYI, you could essentially replace all of those tests you do on
 $_GET['api'] with
 
 if(empty($_GET['api']))
 {
   echo 'bad value';
   //or select everything from table ?
 }
 else
 {
   $input['api'] = (int)$_GET['api'];
   $query = "SELECT * FROM yourtable WHERE api = {$input['api']}";
   ...
 }
 
 --
 
 ---John Holmes...
 
 Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
 
 php|architect: The Magazine for PHP Professionals  www.phparch.com
 





Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

2004-10-11 Thread John Holmes
GH wrote:
How can I convert it to an integer as long as it is only a number in the string?
Does it _really_ matter if only a number is passed? If someone passes 
"abcd" and it's converted to an integer, it'll be zero. Then your query 
will not return any rows (which you're already testing for, anyhow, 
right?) and be handled accordingly. Who cares if they pass "104abcd"? 
It'll just be converted to 104 and see if a matching record exists.

I think you're getting caught up in too many tests. If you're expecting 
an integer, MAKE it an integer, then run your query. 99.9% of your 
values are going to come through correct if they are coming from your 
program, right? Just silently ignore the rest because it's someone 
screwing around.

If, however, you _really_ want to ensure $_GET['api'] is _only_ numbers, 
then you can use

if(!isset($_GET['api']) || preg_match('/[^0-9]/',$_GET['api']))
{ echo 'API is not all numbers'; }
or
if(isset($_GET['api']) && preg_match('/^[0-9]+$/',$_GET['api']))
{ echo 'API is a number only'; }
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com


Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

2004-10-11 Thread GH
Re: Does it _really_ matter if only a number is passed? 
 I would think so, since if someone is trying to pass a string that is
not proper it should be treated as such, and not as if they just
take the first set of numbers and throw away all the rest.

 Maybe I am overthinking this or I am being paranoid.

  I am trying to make this work well and hope to design it to be
secure since this is my first PHP endeavor.

Thanks
G


On Mon, 11 Oct 2004 14:02:08 -0400, John Holmes
[EMAIL PROTECTED] wrote:
 GH wrote:
 
  How can I convert it to an integer as long as it is only a number in the string?
 
 Does it _really_ matter if only a number is passed? If someone passes
 "abcd" and it's converted to an integer, it'll be zero. Then your query
 will not return any rows (which you're already testing for, anyhow,
 right?) and be handled accordingly. Who cares if they pass "104abcd"?
 It'll just be converted to 104 and see if a matching record exists.
 
 I think you're getting caught up in too many tests. If you're expecting
 an integer, MAKE it an integer, then run your query. 99.9% of your
 values are going to come through correct if they are coming from your
 program, right? Just silently ignore the rest because it's someone
 screwing around.
 
 If, however, you _really_ want to ensure $_GET['api'] is _only_ numbers,
 then you can use
 
 if(!isset($_GET['api']) || preg_match('/[^0-9]/',$_GET['api']))
 { echo 'API is not all numbers'; }
 
 or
 
 if(isset($_GET['api']) && preg_match('/^[0-9]+$/',$_GET['api']))
 { echo 'API is a number only'; }
 
 
 
 --
 
 ---John Holmes...
 
 Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
 
 php|architect: The Magazine for PHP Professionals  www.phparch.com
 





Re: [PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

2004-10-11 Thread Minuk Choi
As far as checking to see if it's a number, note that you can get the 
following:

"10" = string that contains 10
10   = integer that contains 10.
You can verify that a variable contains numbers or numeric data by using
if (is_numeric($variable))
{
   // $variable is either a number variable or a string containing only
   // numeric data
}

HTH
-Minuk
- Original Message - 
From: GH [EMAIL PROTECTED]
To: John Holmes [EMAIL PROTECTED]
Cc: GH [EMAIL PROTECTED]; PHP General [EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 12:00 AM
Subject: Re: [PHP] Lost in PHP (part 1)  Sequel to Lost in Query

Re: Does it _really_ matter if only a number is passed? 
I would think so, since if someone is trying to pass a string that is
not proper it should be treated as such, and not as if they just
take the first set of numbers and throw away all the rest.
Maybe I am overthinking this or I am being paranoid.
 I am trying to make this work well and hope to design it to be
secure since this is my first PHP endeavor.
Thanks
G
On Mon, 11 Oct 2004 14:02:08 -0400, John Holmes
[EMAIL PROTECTED] wrote:
GH wrote:
 How can I convert it to an integer as long as it is only a number in the 
 string?

Does it _really_ matter if only a number is passed? If someone passes
"abcd" and it's converted to an integer, it'll be zero. Then your query
will not return any rows (which you're already testing for, anyhow,
right?) and be handled accordingly. Who cares if they pass "104abcd"?
It'll just be converted to 104 and see if a matching record exists.
I think you're getting caught up in too many tests. If you're expecting
an integer, MAKE it an integer, then run your query. 99.9% of your
values are going to come through correct if they are coming from your
program, right? Just silently ignore the rest because it's someone
screwing around.
If, however, you _really_ want to ensure $_GET['api'] is _only_ numbers,
then you can use
if(!isset($_GET['api']) || preg_match('/[^0-9]/',$_GET['api']))
{ echo 'API is not all numbers'; }
or
if(isset($_GET['api']) && preg_match('/^[0-9]+$/',$_GET['api']))
{ echo 'API is a number only'; }

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com

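The checks this thread compares, side by side: John Holmes's (int) cast and his two preg_match patterns, Minuk Choi's is_numeric(), and the loose == 0 test from the original page, run over constructed inputs next to a stricter helper. This is an added example, not code from any of the posters; it assumes PHP 7.1 or newer with ext/pcre and ext/ctype, and id_from_query_string() is a name chosen here.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Strict "page id" parsing for a
// query-string value, shown next to the looser checks discussed above,
// on constructed inputs. Assumes PHP 7.1+ with ext/ctype and ext/pcre.

/**
 * Return $get[$key] as a non-negative int, or null if it is missing,
 * not a string, not exclusively ASCII digits, or too large for an int.
 */
function id_from_query_string(array $get, string $key): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;                 // missing, or an array (?api[]=1)
    }
    $raw = $get[$key];
    // \A and \z anchor at the true start and end of the subject; with
    // ^ and $ alone a trailing newline is tolerated ("101\n" matches).
    if (!preg_match('/\A(?:0|[1-9][0-9]*)\z/', $raw)) {
        return null;                 // "", "104abcd", " 10", "+10", "1e3", "010"
    }
    // 30 digits pass the regex but do not fit in an int; FILTER_VALIDATE_INT
    // returns false for that, whereas (int) silently yields some other number.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? null : $n;
}

// Constructed inputs, including the ones argued about in the thread.
$samples = ['101', '104abcd', 'abcd', '', '0', "101\n", ' 10', '+10',
            '1e3', '010', '0x1A', '10.5', str_repeat('9', 30)];

$fmt = "%-14s %-22s %-6s %-6s %-6s %-6s %-6s %s\n";
printf($fmt, 'input', '(int)', '==0', 'is_num', 'ctype', '^..$', '\A..\z', 'strict');
foreach ($samples as $s) {
    $strict = id_from_query_string(['api' => $s], 'api');
    printf($fmt,
        json_encode($s),                              // makes "" and "\n" visible
        (string) (int) $s,                            // John's cast
        $s == 0 ? 'true' : 'false',                   // the page's own test; "abcd" == 0 differs between PHP 7 and 8
        is_numeric($s) ? 'yes' : 'no',                // Minuk's check: also takes "1e3", " 10", "10.5"
        ctype_digit($s) ? 'yes' : 'no',
        preg_match('/^[0-9]+$/', $s) ? 'yes' : 'no',  // John's regex: lets "101\n" through
        preg_match('/\A[0-9]+\z/', $s) ? 'yes' : 'no',
        $strict === null ? 'reject' : (string) $strict);
}

// A missing parameter and an array-valued one (?api[]=1) are rejected too.
var_dump(id_from_query_string([], 'api'));
var_dump(id_from_query_string(['api' => ['1']], 'api'));
```

Run it with `php file.php` and read the table: the cast never rejects anything, is_numeric() accepts exponents, decimals and leading whitespace, the `$`-anchored regex accepts a trailing newline, and only the helper refuses every input that is not a plain decimal id that fits in an int. Whichever check you pick, the value must still not be concatenated into SQL as a string; the (int) cast is the one approach that makes that safe by itself.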


[PHP] Lost in PHP (part 1) ---- Sequel to Lost in Query

2004-10-11 Thread GH
Now I'm perplexed times 10!

   I run the code that follows this time providing a query string
of admin_template.php?api=101

I have an if statement that tests if $_GET['api'] == 0; if it is
true I have it listing options, else it queries the database with that
ID and loads the associated file.

However it does not seem to execute the else.

I thought that the value may have been wrong so I used echo 
$_GET['api']; and it returned 101

What am I doing wrong?




CODE-
<html>
<head>
<title>CB12M CERT TEAM ADMINISTRATION SCREEN</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>

<?PHP 
require 'mod/db_access.php';

echo 'this is a test of the system <br>'. $_GET["api"] ;

// $_GET values are always strings, so is_int() is false every time and
// this branch always resets api to 0, which is why the else below never runs.
if(!isset($_GET['api']) || (isset($_GET['api']) &&
((strlen(trim(urldecode($_GET['api']))) == 0) ||
(!is_int($_GET['api'])))))
$_GET['api']=0;

if((isset($_GET['api']) && ((strlen(trim(urldecode($_GET['api']))) ==
0) || (!is_int($_GET['api'])))))
echo '<strong> ERROR: </strong> the page identifier provided is not valid. Please try again.';


if($_GET['api'] == 0)
{
$admin_get_options_query_text = "Select * from adminpage";
$admin_get_options_results_reference =
mysql_query($admin_get_options_query_text,$db_access) or die("Admin Get Options: " . mysql_error());

if(mysql_num_rows($admin_get_options_results_reference)>0)
{   
?>

<table width=600>
<TR> <TD> Link </TD> <TD> DESCRIPTION </TD></TR>
<?PHP
while($admin_get_options_result =
mysql_fetch_assoc($admin_get_options_results_reference)){
echo '<TR> <TD>';
echo '<a href="?api='.urlencode($admin_get_options_result['adminpageid']).'"> Click Here </a> </td>';
echo '<TD>'.$admin_get_options_result['description'].'</TD></TR>';
}

Mysql_free_result($admin_get_options_results_reference);

?>

</table>

<?PHP 
}
}
else
{
  // $_GET['api'] is concatenated into the SQL unescaped; the replies above
  // cast or validate it before it gets here.
  $admin_get_page_query_text = "Select * from adminpage Where
adminpageid =". $_GET['api']. " LIMIT 1";
  $admin_get_page_results_reference =
mysql_query($admin_get_page_query_text,$db_access) or die("Admin Get Page: " . mysql_error());
  $admin_get_page_result = mysql_fetch_row($admin_get_page_results_reference);

  if (mysql_num_rows($admin_get_page_results_reference) > 0)
  {
require "mod/admin/".trim(strtolower($admin_get_page_result[1]));
  }
  else
  {
echo "ERROR: Invalid Admin Page Requested <br>";
echo 'Please Try Again ... <a href="admin_template.php?api=0"> Click Here </a>';
  }
  
}   
?>
</body>
</html>

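A hardened version of the flow in the admin_template.php above: ?api= is accepted only as plain digits, the lookup binds it as an integer parameter instead of concatenating $_GET['api'] into the SQL, and the file name read back from the table is refused unless it is a single plain .php name under mod/admin/. This is an added example, not GH's code or anything from the thread. It uses PDO with an in-memory SQLite table as a constructed stand-in for the MySQL adminpage table; the column name `filename` for the file to load is an assumption (the original reads it by position as $admin_get_page_result[1]), ADMIN_DIR is a hypothetical path, and the helper names are chosen here. Requires PHP 7.1+ with pdo_sqlite.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumptions: PHP 7.1+ with
// pdo_sqlite; the table and rows below are constructed stand-ins for the
// real adminpage table; the "filename" column and ADMIN_DIR are hypothetical.

const ADMIN_DIR = __DIR__ . '/mod/admin';

/** ?api= as a non-negative int that fits in PHP's int, otherwise null. */
function parse_api(array $get): ?int
{
    if (!isset($get['api']) || !is_string($get['api'])
        || !preg_match('/\A(?:0|[1-9][0-9]*)\z/', $get['api'])) {
        return null;
    }
    $n = filter_var($get['api'], FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

/** One row by id, with a bound integer parameter instead of string concatenation. */
function fetch_admin_page(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT adminpageid, filename, description
                            FROM adminpage WHERE adminpageid = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Map the stored file name to a path that cannot leave ADMIN_DIR: a single
 * [a-z0-9_]+.php segment rules out "../", absolute paths and NUL bytes
 * before require() ever sees the value.
 */
function admin_include_path(string $stored): ?string
{
    $name = strtolower(trim($stored));
    if (!preg_match('/\A[a-z0-9_]+\.php\z/', $name)) {
        return null;
    }
    return ADMIN_DIR . '/' . $name;
}

// --- demonstration on a constructed in-memory database ---
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE adminpage (adminpageid INTEGER PRIMARY KEY,
                                   filename TEXT, description TEXT)');
$ins = $db->prepare('INSERT INTO adminpage VALUES (:id, :file, :desc)');
foreach ([[101, 'Members.php', 'Edit members'],
          [102, '../../etc/passwd', 'poisoned row'],
          [103, 'roster.php', 'Roster']] as [$id, $file, $desc]) {
    $ins->execute([':id' => $id, ':file' => $file, ':desc' => $desc]);
}

// Each entry stands for one request's $_GET. "101 OR 1=1" would have been
// pasted unchanged into the original page's WHERE clause; here it never
// reaches the database.
foreach (['0', '101', '102', '101 OR 1=1', '104abcd', '999'] as $api) {
    $id = parse_api(['api' => $api]);
    if ($id === null) {
        echo json_encode($api), ": rejected, not a page id\n";
        continue;
    }
    if ($id === 0) {
        echo "0: list the menu\n";
        continue;
    }
    $row = fetch_admin_page($db, $id);
    if ($row === null) {
        echo "$id: no such page\n";
        continue;
    }
    $path = admin_include_path($row['filename']);
    echo "$id: ", $path === null ? 'stored filename refused' : "require $path", "\n";
    // In the real page: if ($path !== null) { require $path; }
}
```

The two checks are deliberately separate. Validating ?api= protects the query, but the require() in the original trusts whatever the table holds, so a row that someone manages to write (or a later schema change that stores user-supplied names) would turn into a file inclusion; admin_include_path() closes that regardless of where the value came from.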