RE: [PHP] isset question
On 19 June 2009 19:53, Ashley Sheridan advised:
> On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
>> On 18 June 2009 20:25, LAMP advised:
>>> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
>>> If you want to avoid PHP Notice you have to use both:
>>>
>>>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";
>>
>> Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.
>>
>> Cheers!
>> Mike
>
> To be honest, you're still opening yourself up to attack that way. What I'd do is first assign the variable to a forced int, and then use that result if it is > 0:
>
>     $mortgage = (isset($_REQUEST['mort']) ? intval($_REQUEST['mort']) : 0);
>     $msg .= ($mortgage > 0) ? "The mortgage amount is $mortgage" : "";

Too true -- I have a parameter-checking system that does this automatically for me, so I tend not to think of it when writing actual processing code. My bad, probably, but good catch.

Cheers!
Mike

--
Mike Ford, Electronic Information Developer, C507, Leeds Metropolitan University, Civic Quarter Campus, Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk  Tel: +44 113 812 4730
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] isset question
How does echoing back to the page make it vulnerable? This does not go to a DB if that makes any difference.

Gary

"Paul M Foster" <pa...@quillandmouse.com> wrote in message news:20090621032151.gb14...@quillandmouse.com...
> On Sat, Jun 20, 2009 at 12:20:56PM +0100, Ashley Sheridan wrote:
>> On Sat, 2009-06-20 at 00:19 -0400, Paul M Foster wrote:
>>> On Fri, Jun 19, 2009 at 07:52:40PM +0100, Ashley Sheridan wrote:
>>>> On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
>>>>> On 18 June 2009 20:25, LAMP advised:
>>>>>> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
>>>>>> If you want to avoid PHP Notice you have to use both:
>>>>>>
>>>>>>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";
>>>>>
>>>>> Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.
>>>>
>>>> <snip>
>>>>
>>>> To be honest, you're still opening yourself up to attack that way.
>>>
>>> Why and how?
>>>
>>> Paul
>>
>> I've only done a little reading on this, but you're opening yourself up to a XSS attack. If someone posted '<script>//malicious code here</script>' to your PHP script, you'd essentially be printing that right back out onto your page.
>
> I see. You're not talking about being vulnerable because of isset/empty, but by echoing it back to the page. Yes, I agree there. You have to sanitize it first.
>
> Paul
Re: [PHP] isset question
On Sun, 2009-06-21 at 13:57 -0400, Gary wrote:
> How does echoing back to the page make it vulnerable? This does not go to a DB if that makes any difference.
>
> Gary
>
> "Paul M Foster" <pa...@quillandmouse.com> wrote in message news:20090621032151.gb14...@quillandmouse.com...
>> On Sat, Jun 20, 2009 at 12:20:56PM +0100, Ashley Sheridan wrote:
>>> On Sat, 2009-06-20 at 00:19 -0400, Paul M Foster wrote:
>>>> On Fri, Jun 19, 2009 at 07:52:40PM +0100, Ashley Sheridan wrote:
>>>>> On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
>>>>>> On 18 June 2009 20:25, LAMP advised:
>>>>>>> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
>>>>>>> If you want to avoid PHP Notice you have to use both:
>>>>>>>
>>>>>>>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";
>>>>>>
>>>>>> Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.
>>>>>
>>>>> <snip>
>>>>>
>>>>> To be honest, you're still opening yourself up to attack that way.
>>>>
>>>> Why and how?
>>>>
>>>> Paul
>>>
>>> I've only done a little reading on this, but you're opening yourself up to a XSS attack. If someone posted '<script>//malicious code here</script>' to your PHP script, you'd essentially be printing that right back out onto your page.
>>
>> I see. You're not talking about being vulnerable because of isset/empty, but by echoing it back to the page. Yes, I agree there. You have to sanitize it first.
>>
>> Paul

My assumption was that because it was displaying the mortgage amount to the user, that it would at some point store it too.

Thanks
Ash
www.ashleysheridan.co.uk
Re: [PHP] isset question
On Sat, 2009-06-20 at 00:19 -0400, Paul M Foster wrote:
> On Fri, Jun 19, 2009 at 07:52:40PM +0100, Ashley Sheridan wrote:
>> On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
>>> On 18 June 2009 20:25, LAMP advised:
>>>> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
>>>> If you want to avoid PHP Notice you have to use both:
>>>>
>>>>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";
>>>
>>> Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.
>>
>> <snip>
>>
>> To be honest, you're still opening yourself up to attack that way.
>
> Why and how?
>
> Paul

I've only done a little reading on this, but you're opening yourself up to a XSS attack. If someone posted '<script>//malicious code here</script>' to your PHP script, you'd essentially be printing that right back out onto your page.

Thanks
Ash
www.ashleysheridan.co.uk
Re: [PHP] isset question
Waynn Lue wrote:
> I notice that you're checking $_POST['mort'] but you're echoing $mort, is that your actual code?

That was my observation as well. Is $mort = $_POST['mort']; being set somewhere else or not? If not, how is your script supposed to know what value $mort should be?

And, what the other guys said. Gary, before you do anything with submitted data you need to process it against strip_tags() and/or htmlentities() at the very least, mysql_real_escape_string() if the data goes to a db.

Reese

> On 6/18/09, Gary <gwp...@ptd.net> wrote:
>> I have a form that gives the submitter a choice of either one set of questions, or another. I am still getting the message even if the input was left blank. So on the line below,
>>
>>     $msg .= isset($_POST['mort']) ? "The mortgage amount is $mort\n" : "";
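Ash's XSS point above and Reese's advice to run submitted data through strip_tags()/htmlentities() before using it are worth seeing side by side in running code. The following is an added example, not code from the thread: it puts Gary's vulnerable line next to Ash's intval() version and next to an output-escaped version for a field that genuinely has to stay free text. The function names and the contents of $_POST are constructed for the demonstration; nothing reaches a browser or a database here, the script just runs from the command line.

```php
<?php
// Added example, not from the original thread. $_POST is simulated with a
// constructed array so the script runs from the CLI; the 'mort' value is the
// kind of payload Ash describes, not anything the list members actually sent.
$_POST = ['mort' => '<script>//malicious code here</script>'];

// Vulnerable: whatever was submitted is interpolated straight into the markup,
// so a <script> tag in the field becomes a <script> tag in the thank-you page.
function vulnerable_message(array $post): string
{
    $mort = isset($post['mort']) ? $post['mort'] : '';
    return "The mortgage amount is $mort\n";
}

// Hardened for a numeric field (Ash's approach): force the value to an int.
// intval('<script>...') is 0, so junk never reaches the page; '0' and '' are
// also dropped, which is what you want for a mortgage amount.
function numeric_message(array $post): string
{
    $mortgage = isset($post['mort']) ? intval($post['mort']) : 0;
    return ($mortgage > 0) ? "The mortgage amount is $mortgage\n" : "";
}

// Hardened for a free-text field: keep the text, but HTML-escape it at the point
// of output so the browser renders '<script>' as literal characters, not a tag.
// ENT_QUOTES also escapes quotes, which matters inside attribute values.
function escaped_message(array $post, string $field): string
{
    $value = isset($post[$field]) ? $post[$field] : '';
    $safe  = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "You entered: $safe\n";
}

echo vulnerable_message($_POST);                 // script tag passes through untouched
echo numeric_message($_POST);                    // prints nothing: the junk coerces to 0
echo numeric_message(['mort' => '250000']);      // The mortgage amount is 250000
echo escaped_message($_POST, 'mort');            // &lt;script&gt;... : inert text
```

Two things the example is meant to make concrete. First, the fix is per field: a number gets coerced (intval(), or a stricter filter if you need decimals), free text gets escaped for the context it is written into, and the escaping happens on output, not when the value is read from $_POST. Second, Gary's thank-you page is not the only sink: the same $msg is also sent by email, so anything that is not escaped for the page is still raw in that message.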
Re: [PHP] isset question
Yes... I echo the code onto the page as well as sending out the message. The echo is sort of a thank you page, "this is what you submitted". A message, which is not going into a DB, is also emailed to the submitter and client.

Gary

"Waynn Lue" <waynn...@gmail.com> wrote in message news:d29bea5e0906181231r165c5844wecd7d34026621...@mail.gmail.com...
> I notice that you're checking $_POST['mort'] but you're echoing $mort, is that your actual code?
>
> On 6/18/09, Gary <gwp...@ptd.net> wrote:
>> I have a form that gives the submitter a choice of either one set of questions, or another. I am still getting the message even if the input was left blank. So on the line below,
>>
>>     $msg .= isset($_POST['mort']) ? "The mortgage amount is $mort\n" : "";
>>
>> I get "The mortgage amount is"
>>
>> What am I missing here?
>>
>> Thanks
>> Gary
Re: [PHP] isset question
On Sat, Jun 20, 2009 at 12:20:56PM +0100, Ashley Sheridan wrote:
> On Sat, 2009-06-20 at 00:19 -0400, Paul M Foster wrote:
>> On Fri, Jun 19, 2009 at 07:52:40PM +0100, Ashley Sheridan wrote:
>>> On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
>>>> On 18 June 2009 20:25, LAMP advised:
>>>>> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
>>>>> If you want to avoid PHP Notice you have to use both:
>>>>>
>>>>>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";
>>>>
>>>> Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.
>>>
>>> <snip>
>>>
>>> To be honest, you're still opening yourself up to attack that way.
>>
>> Why and how?
>>
>> Paul
>
> I've only done a little reading on this, but you're opening yourself up to a XSS attack. If someone posted '<script>//malicious code here</script>' to your PHP script, you'd essentially be printing that right back out onto your page.

I see. You're not talking about being vulnerable because of isset/empty, but by echoing it back to the page. Yes, I agree there. You have to sanitize it first.

Paul

--
Paul M. Foster
RE: [PHP] isset question
On 18 June 2009 20:25, LAMP advised:
> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
> If you want to avoid PHP Notice you have to use both:
>
>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";

Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.

Cheers!
Mike
RE: [PHP] isset question
On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
> On 18 June 2009 20:25, LAMP advised:
>> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
>> If you want to avoid PHP Notice you have to use both:
>>
>>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";
>
> Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.
>
> Cheers!
> Mike

To be honest, you're still opening yourself up to attack that way. What I'd do is first assign the variable to a forced int, and then use that result if it is > 0:

    $mortgage = (isset($_REQUEST['mort']) ? intval($_REQUEST['mort']) : 0);
    $msg .= ($mortgage > 0) ? "The mortgage amount is $mortgage" : "";

Thanks
Ash
www.ashleysheridan.co.uk
Re: [PHP] isset question
On Fri, Jun 19, 2009 at 07:52:40PM +0100, Ashley Sheridan wrote:
> On Fri, 2009-06-19 at 12:36 +0100, Ford, Mike wrote:
>> On 18 June 2009 20:25, LAMP advised:
>>> using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
>>> If you want to avoid PHP Notice you have to use both:
>>>
>>>     $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";
>>
>> Absolute rubbish -- as it says at http://php.net/empty, "empty($var) is the opposite of (boolean)$var, except that no warning is generated when the variable is not set." -- so protecting empty() with an isset() is a total waste of time, space and cpu cycles.
>
> <snip>
>
> To be honest, you're still opening yourself up to attack that way.

Why and how?

Paul

--
Paul M. Foster
Re: [PHP] isset question
2009/6/18 Gary <gwp...@ptd.net>:
> I have a form that gives the submitter a choice of either one set of questions, or another. I am still getting the message even if the input was left blank. So on the line below,
>
>     $msg .= isset($_POST['mort']) ? "The mortgage amount is $mort\n" : "";
>
> I get "The mortgage amount is"
>
> What am I missing here?

A variable isset even if it's empty. Either compare it to an empty string or test the result from strlen against 0.

-Stuart

--
http://stut.net/
Re: [PHP] isset question
Use !empty($_POST['mort']) instead of isset() for form input since the form will still set an empty value if left blank.

Gary wrote:
> I have a form that gives the submitter a choice of either one set of questions, or another. I am still getting the message even if the input was left blank. So on the line below,
>
>     $msg .= isset($_POST['mort']) ? "The mortgage amount is $mort\n" : "";
>
> I get "The mortgage amount is"
>
> What am I missing here?
>
> Thanks
> Gary
Re: [PHP] isset question
Steve wrote:
> Use !empty($_POST['mort']) instead of isset() for form input since the form will still set an empty value if left blank.
>
> Gary wrote:
>> I have a form that gives the submitter a choice of either one set of questions, or another. I am still getting the message even if the input was left blank. So on the line below,
>>
>>     $msg .= isset($_POST['mort']) ? "The mortgage amount is $mort\n" : "";
>>
>> I get "The mortgage amount is"
>>
>> What am I missing here?
>>
>> Thanks
>> Gary

using !empty() instead isset() will work if you don't care for PHP Notice: Undefined variable...
If you want to avoid PHP Notice you have to use both:

    $msg .= (isset($_POST['mort']) and !empty($_POST['mort'])) ? "The mortgage amount is $mort\n" : "";

afan
Re: [PHP] isset question
I notice that you're checking $_POST['mort'] but you're echoing $mort, is that your actual code?

On 6/18/09, Gary <gwp...@ptd.net> wrote:
> I have a form that gives the submitter a choice of either one set of questions, or another. I am still getting the message even if the input was left blank. So on the line below,
>
>     $msg .= isset($_POST['mort']) ? "The mortgage amount is $mort\n" : "";
>
> I get "The mortgage amount is"
>
> What am I missing here?
>
> Thanks
> Gary
RE: [PHP] isset question
isset() and empty() both return a boolean (true 1, false 0): isset() will return true if the variable has been initiated, and empty() will return true if the variable is empty, but for that the variable needs to have been initiated. You can do it in many ways, like:

    $msg .= (isset($_POST['mort']) && !empty($_POST['mort']) ? "The mortgage amount is $mort\n" : "");

or

    // only append the line when the field is non-empty
    $msg .= ($_POST['mort'] != '' ? "The mortgage amount is $mort\n" : "");

or

    $msg .= (strlen($_POST['mort']) > 0 ? "The mortgage amount is $mort\n" : "");

Yuri Yarlei.
Programmer PHP, CSS, Java, PostgreSQL;
Today PHP, tomorrow Java, after the world.
Kyou wa PHP, ashita wa Java, sono ato sekai desu.

> Date: Thu, 18 Jun 2009 20:07:09 +0100
> From: stut...@gmail.com
> To: gwp...@ptd.net
> CC: php-general@lists.php.net
> Subject: Re: [PHP] isset question
>
> 2009/6/18 Gary <gwp...@ptd.net>:
>> I have a form that gives the submitter a choice of either one set of questions, or another. I am still getting the message even if the input was left blank. So on the line below,
>>
>>     $msg .= isset($_POST['mort']) ? "The mortgage amount is $mort\n" : "";
>>
>> I get "The mortgage amount is"
>>
>> What am I missing here?
>
> A variable isset even if it's empty. Either compare it to an empty string or test the result from strlen against 0.
>
> -Stuart
>
> --
> http://stut.net/
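The thread above offers four different tests for the same field (isset(), !empty(), a comparison with '', strlen() > 0) and disagrees about whether empty() needs an isset() guard. The script below is an added example, not code from any of the posts: it runs each test over the cases that actually come out of a browser form, including the two that catch people out, the field being absent from the request altogether and the user typing a literal "0". $_POST is simulated with constructed arrays so it runs from the command line, and the function name is made up for the demonstration.

```php
<?php
// Added example, not from the original thread. Each case below is a constructed
// stand-in for what a browser would put in $_POST for a text field named 'mort'.

function classify(array $post, string $field): array
{
    return [
        // true whenever the key exists and is not null, even for ''
        'isset'    => isset($post[$field]),
        // empty() raises no notice on a missing key, so it needs no isset() guard;
        // note that it is also true for the string '0'
        'empty'    => empty($post[$field]),
        // strlen() on a missing key DOES raise an undefined-index notice, so guard it
        'strlen>0' => isset($post[$field]) && strlen($post[$field]) > 0,
        // the numeric check from later in the thread: rejects '', '0' and non-numbers
        'intval>0' => isset($post[$field]) && intval($post[$field]) > 0,
    ];
}

$cases = [
    'field absent from the request (e.g. the other set of questions was shown)' => [],
    'field present but left blank'                                              => ['mort' => ''],
    'user typed a literal zero'                                                 => ['mort' => '0'],
    'normal value'                                                              => ['mort' => '250000'],
    'non-numeric text'                                                          => ['mort' => 'abc'],
];

foreach ($cases as $label => $post) {
    echo $label, ":\n";
    foreach (classify($post, 'mort') as $test => $result) {
        printf("    %-9s %s\n", $test, $result ? 'true' : 'false');
    }
}
```

Reading the output against the thread: Gary's original isset() is true for the blank field, which is exactly his symptom; !empty() alone fixes that without a notice, as Mike says; but empty('0') is also true, so a field where zero is a legitimate answer needs the strlen() or comparison form instead. Only the intval() check rejects non-numeric text, which is why the later posts move to it for an amount.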
RE: [PHP] isset() question
On 15 February 2004 18:30, Richard Davey wrote:
> I feel the book you're learning from might not be the best out there! Especially as it uses the horrible if : else : endif notation,

I'd have to disagree with you on that one -- personally I think that's a very elegant and useful syntax, and all the scripts written for my applications use it. However, this is a matter of personal opinion, and the choice between the colonified syntax and the various brace styles should be down to what suits *you* best.

Cheers!
Mike

-
Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]  Tel: +44 113 283 2600 extn 4730  Fax: +44 113 283 3211
Re: [PHP] isset() question
Hello Anthony,

Sunday, February 15, 2004, 4:43:12 PM, you wrote:

> Why doesn't the call to !isset() with the negation mark load the next page when a name is not entered?

Because it's using isset() in the wrong capacity. isset() does not check to see if a variable HAS a value, it checks to see if the variable exists. The variable in the code you posted will always exist, so the use of isset() is redundant and should be changed for something like empty as you noted. Stick the following in the top of your code to see:

    <?php
    echo "<pre>";
    print_r($_GET);
    echo "</pre>";
    ?>

I feel the book you're learning from might not be the best out there! Especially as it uses the horrible if : else : endif notation, includes code on the same line as the PHP tags themselves and is teaching you to code with register globals on. Is the book still on sale? (i.e. did you buy it recently) or was it something you've had for a while/got 2nd hand?

--
Best regards,
Richard Davey
http://www.phpcommunity.org/wiki/296.html
Re: [PHP] isset() question
----- Original Message -----
From: "Richard Davey" [EMAIL PROTECTED]

> Hello Anthony,
>
> I feel the book you're learning from might not be the best out there! Especially as it uses the horrible if : else : endif notation, includes code on the same line as the PHP tags themselves and is teaching you to code with register globals on. Is the book still on sale? (i.e. did you buy it recently) or was it something you've had for a while/got 2nd hand?
>
> Best regards,
> Richard Davey
> http://www.phpcommunity.org/wiki/296.html

Thank you for the reply Richard.

Yes. The book is on sale at: www.sitepoint.com also, at amazon, b and n, etc. In fact, it's now in its second edition by Kevin Yank. It's not a bad book - quite readable to a newbie like myself - but when I ran that code it didn't jive with that function call. To make sure, I downloaded it from their site and ran it again - and the same thing happened.

Thank you for your help.

TR
Re: [PHP] isset() question
On Monday 16 February 2004 02:30, Richard Davey wrote:
> I feel the book you're learning from might not be the best out there! Especially as it uses the horrible if : else : endif notation, includes code on the same line as the PHP tags themselves

What is horrible about that style? IMO doing this:

    <?php if ($something) : ?>
    [... a bunch of HTML ...]
    <?php endif; ?>

looks a lot neater than:

    <?php if ($something) { ?>
    [... a bunch of HTML ...]
    <?php } ?>

But whichever style a book chooses to use should not impact on one's decision as to whether it is a good book or not. I have not seen the book in question so I've no idea whether I would find it good or bad.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
There's another way to survive. Mutual trust -- and help.
-- Kirk, "Day of the Dove", stardate unknown
*/