heh,
Yeah I guess. They weren't validating the users input. = ]
- Ben
Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
- Original Message -
From: "John Campbell" <[EMAIL PROTECTED]>
To: "NYPHP Talk"
Sent: Tuesday, August 14, 2007 8:31 PM
Subject: Re: [nyphp-talk] Is t
> They had the exact same problems w/XSS, no input validation.
Input validation? Don't you mean output escaping? You must not allow
uber leet usernames like |<33|>. :)
-john campbell
___
New York PHP Community Talk Mailing List
http://lists.nyphp.org
On 8/14/07, Rob Marscher <[EMAIL PROTECTED]> wrote:
>
> When can we all agree that the extra disk space needed for every app
> to use utf8 is worth it? :)
>
Sometime around 2003... ;-)
--
Chris Snyder
http://chxo.com/
The problem is how do I queue the returned records and then back
each record individually, one by one, view, get next record and so
on until all the returned records have been read?
Save what is returned in a session, along with a total count of rows.
Redirect to a display page where you can
Can anybody help
I am not sure if this is PHP or MySQL. I query a MySQL table
for example - $sql = "SELECT * FROM school_table WHERE class = '2005' ORDER
BY students";
and 24 records are returned. I then want to view each record individually in
an HTML form formatted to look like the HTML fo
Hello,
I just did a security audit for a site. This was a huge problem they had:
doing, "...where id = $_POST['id']"
Not only can you run SQL commands, you could update all the records where
id=1 or id > 1 via SQL injection.
The larger problem they had was that all the sql was being hardcoded
On 8/14/07, Anthony Wlodarski <[EMAIL PROTECTED]> wrote:
>
> So I will definitely in the future keep an eye out for direct $_POST variables
> directly in a SQL query (I will just save a local copy from now on and use
> that.).
No, you're missing the point. It isn't direct use of the variable from
$_PO
On Aug 14, 2007, at 10:01 AM, Stephen Musgrave wrote:
Oh, how I love character encoding problems! ;-)
Indeed... there are so many levels where they can get messed up -- the
way the text was originally encoded, anything that php might do to
it, the database column character encoding, the databa
TADA! We have a winner!
The function was bogging down on the second parameter. I think I copied the
code from an earlier project and forgot to check the function syntax and now
the echo statement is returning a 1 so we know it is right on now (also made
changes in the main application and it is
In case this wasn't clear...
> On quick inspection, function mysql_fetch_assoc only takes one
parameter...
> this might be a problem. mysql_fetch_assoc
Try removing the second parameter from function mysql_fetch_assoc, i.e.
take out the MYSQL_ASSOC to read $row = mysql_fetch_assoc($result);
Carl
Hi All,
When I try to call some javascript function for the popup window, it shows
a message (popup blocked.. To see this popup click here) in IE. I don't want to
do any change in the browser settings.
The problem comes while I call the function from AJAX request. When I try
with href="javascript:po
Ran the query from the command line this was the output:
mysql> SELECT * FROM `jobsdb`.`jobsdb` WHERE `id` =1;
++---+-+--+-+++-
--+-++--+-+
| id | recruiter | jobid | position | link|
I would take Brian O'Connor's suggestion, first... make sure you're
getting the expected values in $_POST. Use var_dump($_POST) to get all
of the values.
Also, I don't know if you're already checking this or not, but given the
SQL statement you provided your application is definitely open for
It does evaluate to true every time, as I wouldn't get to the debug echo
statement in the application. I put it in its own script and added a few
lines, here is the test script:
";
echo "Debug data";
echo "id ".$row['id']."";
// close our database handle
mysql_close($dbh);
?>
I gave i
> I have been staring at this for about a week and it is turning into
> a mind bender. Here is the code excerpt:
I'm sure you'll get plenty of comments on not directly passing a posted
variable to your query, as your app is open to SQL injection, so I'll
leave it at that.
On quick inspection
Hmm, have you tried outputting the results of $_POST['editjob']? It might
not be set to something that evaluates to true, which would cause none of
the information you're looking for to be processed.
On 8/14/07, Anthony Wlodarski <[EMAIL PROTECTED]> wrote:
>
> I have been staring at this for abo
I have been staring at this for about a week and it is turning into a mind
bender. Here is the code excerpt:
// pre: none
// post: displays our controls for .
function displayControls()
{
if($_POST['editjob'])
{
$query = "SELECT * FROM `jobsdb` WHERE `id`
Rob Marscher wrote on Monday, August 06, 2007 10:50 AM:
> On Aug 5, 2007, at 2:42 PM, Hans Zaunere wrote:
> > AliasMatch /(.*) "/var/www/www.something.com/index.php"
>
> http://httpd.apache.org/docs/2.0/mod/mod_alias.html#aliasmatch
>
> I wonder why the major php frameworks don't mention this as
And you will want 'profiler' => true in your db config.
On 8/10/07, Brian Dailey <[EMAIL PROTECTED]> wrote:
>
> For future reference, the easiest way (in postDispatch()) was:
>
> $dbAdapter = Zend_Registry::get( 'dbAdapter' );
> $profiler = $dbAdapter->getProfiler( );
> $query = $profiler->getLast
> Is there any way to tell what the encoding is from within Excel? (I
> didn't see anything in Excel and Google didn't have anything to
> offer.) I have the original Excel file.
You will never be able to figure out what is going on from within
Excel. Microsoft uses a lot of character set conver
Interesting... \x9f and \x8a are not valid Latin-1/8859
characters. My guess is that the CSV's are UTF-8 and your
database is Latin-1. If that is the case, try converting the csv
to 8859-1 with utf8_decode().
I've tried to use utf8_decode() as well as using iconv to translate
between
Locale wouldn't matter in this case; that's primarily useful when
generating content (such as formatted dates or gettext translations).
That's odd, because they have examples in the comments in the
documentation on php.net that it does. However, my experience is in
line with your statement.
On 8/14/07, Steve Manes <[EMAIL PROTECTED]> wrote:
> Daniel Krook wrote:
> > Here's a press release put out today on a healthcare provider that appears
> > to be using XML in DB9 v9 for that sort of thing. Express-C is free (not
> > open source though) and comes with the pureXML feature.
> > http:
Interesting... \x9f and \x8a are not valid Latin-1/8859 characters. My
guess is that the CSV's are UTF-8 and your database is Latin-1. If that is
the case, try converting the csv to 8859-1 with utf8_decode().
It is a bit of a hack, but it should work if the only languages you support
are German
Daniel Krook wrote:
Here's a press release put out today on a healthcare provider that appears
to be using XML in DB9 v9 for that sort of thing. Express-C is free (not
open source though) and comes with the pureXML feature.
http://www.ibm.com/press/us/en/pressrelease/22131.wss
The health car
On 8/14/07, Stephen Musgrave <[EMAIL PROTECTED]> wrote:
> Oh, how I love character encoding problems! ;-)
>
> I have a file upload utility whereby the user uploads a CSV document. The
> file is saved to a temporary folder. I open that document, use fgetcsv() to
> pull the values and then insert
Good - then see the footer of every message:
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
H
Oh, how I love character encoding problems! ;-)
I have a file upload utility whereby the user uploads a CSV
document. The file is saved to a temporary folder. I open that
document, use fgetcsv() to pull the values and then insert them into
a database.
The problem is that German charact