Thanks Hockey! Yes, I noticed after posting my php4 function that my 'valids' were missing the $s. Also, the help on the concatenation helped a lot. This was throwing me off more than anything. Thanks again! The form (up to the rest of my commented-out code) works great!
Ben
Not that I've even used Perl (I used Python tho)
Christian Graus
Please read this if you don't understand the answer I've given you
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
Wow...someone else that hasn't used it...I thought I was the only one in this day and age.
Scott Dorman Microsoft® MVP - Visual C# | MCPD
President - Tampa Bay IASA
Hey, hey, hey. Don't be mean. We don't have to be mean because, remember, no matter where you go, there you are. - Buckaroo Banzai
[ Forum Guidelines][ Articles][ Blog]
Christian Graus wrote: (I used Python tho)
You're off-topic. This is the Perl forum. You may want to check out the Python[^] forum. I just took a peek, and a well-known CP regular has already posted there. He can probably give you a hand with your Python questions.
For what it's worth
Christian Graus
Please read this if you don't understand the answer I've given you
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
which apparently isn't much since there isn't any other activity yet.
Scott Dorman Microsoft® MVP - Visual C# | MCPD
President - Tampa Bay IASA
Hey, hey, hey. Don't be mean. We don't have to be mean because, remember, no matter where you go, there you are. - Buckaroo Banzai
[ Forum Guidelines][ Articles][ Blog]
Python sounds like a pet to me,
but on a more serious note, all I know is that Python is a scripting language. What exactly does that mean? Why would I, as a C# developer, use Python?
Harvey Saayman - South Africa
Junior Developer
.Net, C#, SQL
think BIG and kick ASS
you.suck = (you.passion != Programming)
See my response under "what is python's claim to fame?". The only reason not to learn Python is that once you do, so much of C# will drive you insane... that has certainly been my experience.
Paul Coldrey
http://www.lumient.com.au/
Some background: I have taken a few measures to prevent SQL injection on my PHP/MySQL setup (currently WAMP for development, but it will be LAMP on the production server):
- In my users table, I have entered a "bad" user, with all the fields equal to 0.
  - This is the first user in the table.
  - If a hacker tries to enter ' or ''=' in the uname field:
    - (theoretically) the "bad" user will be the first result, and
    - (theoretically) the number of results will also be greater than 1 (more than one user), so
    - (theoretically) the following code will prevent said hacker from gaining unauthorized access.
- The mysql_real_escape_string() function will be used to escape input when the site is launched, but right now it is not in use, to allow testing of common SQL injection methods.
- I have read that mysql_real_escape_string() has some vulnerabilities.
- I know mysql_real_escape_string() is more secure than addslashes().
// Submitted credentials. Deliberately not escaped yet (see the list above);
// the array keys are quoted so PHP does not treat uname/pass as constants.
$u = $_POST['uname'];
$p = $_POST['pass'];
$loginError = '';

// Look the user up by name. $u is spliced straight into the SQL text.
$query = "select uid,uname,fname,lname,email,phone,other,pass from ads.users where uname = '$u'";
$result = mysql_query($query);
$rows = mysql_num_rows($result);

// More than one row means the WHERE clause no longer matches a single name
// (the "bad" user plus at least one real user), so treat it as an attack.
if ($rows > 1) {
    die("Error[20]: You have entered potentially harmful input. Security measures have been put in place until this incident can be reviewed.");
}

// Compare the submitted password with the stored PASSWORD() hash.
// The comparison must read the boolean the query returns: mysql_num_rows()
// is always 1 here, because "select a = b" always yields exactly one row.
// (The original also read the hash from $result instead of the fetched $record.)
$passOk = false;
if ($rows == 1) {
    $record = mysql_fetch_assoc($result);
    $passQuery = "select password('$p') = '{$record['pass']}'";
    $passOk = (bool) mysql_result(mysql_query($passQuery), 0);
}

if ($passOk) {
    // The "bad" user (uid 0) must never be able to log in.
    if ($record['uid'] == 0) {
        die("Error[25]: You have entered input that could be harmful to the site. Security measures have been put in place until this incident can be reviewed.");
    }
    $l = 1; // logged in
    $_SESSION['uid']   = $record['uid'];
    $_SESSION['uname'] = $record['uname'];
    $_SESSION['fname'] = $record['fname'];
    $_SESSION['lname'] = $record['lname'];
    $_SESSION['phone'] = $record['phone'];
    $_SESSION['email'] = $record['email'];
} else {
    $loginError .= "Error: Invalid username and/or password.";
}
I dunno... maybe I'm just paranoid... I just want to make sure to CMA to prevent liability problems, since this will be a commercial site.
P.S. I hope the markup helps with reading my code - I know my lines tend to be fairly long...
"Silently laughing at silly people is much more satisfying in the long run than rolling around with them in a dusty street, trying to knock out all their teeth. If nothing else, it's better on the clothes." - Belgarath (David Eddings)
To prevent SQL injection all you need to do is escape and use good validation. Other stuff can be a waste of time.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
I usually use this function to prevent SQL injection, maybe it's useful for you:
// Escapes one value for use inside a quoted MySQL string literal.
// Requires an open mysql_connect() link, which mysql_real_escape_string() uses
// to pick the connection's character set.
function quote_smart($value)
{
    // Undo the extra backslashes PHP adds when magic_quotes_gpc is on,
    // so the value is not escaped twice.
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Numeric input is returned unchanged; everything else is escaped.
    // The calling query must still wrap the returned value in quotes.
    if (!is_numeric($value))
    {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
Sorry for my English. I'm a freshman.
Bradml wrote: Other stuff can be a waste of time
Like using parameters instead of inlining?
cheers,
Chris Maunder
CodeProject.com : C++ MVP
Exactly.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
What level of validation is enough?
I think that using prepared statements with parameters is the safest way, what do you think?
SQLi is best handled using the database's native escaping routines and not just relying on addslashes() -- there is actually a way to circumvent addslashes from what I remember.
Filtering is probably a good practice as well.
To avoid escaping, you could just use PDO and prepared statements which handles the escaping for you automagically as well.
I'm finding the only constant in software development is change itself.
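Added example, not code from any poster in this thread: the login lookup from the original post redone the way the last few replies suggest, with whitelist validation of the username, a PDO prepared statement instead of string concatenation, and password_hash()/password_verify() in place of MySQL's PASSWORD() (which is deprecated). It uses an in-memory SQLite table standing in for ads.users so it runs offline; the table layout, the two sample users (the "bad" uid 0 row from the post plus one real user) and the password "correct horse" are all constructed for the demo.

```php
<?php
// Constructed stand-in for the ads.users table: uid 0 is the "bad" user from the
// original post, uid 1 is a real user with a password_hash() value in `pass`.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT UNIQUE, fname TEXT,
               lname TEXT, email TEXT, phone TEXT, pass TEXT)');
    $ins = $db->prepare('INSERT INTO users (uid, uname, fname, lname, email, phone, pass)
                         VALUES (?, ?, ?, ?, ?, ?, ?)');
    $ins->execute([0, '0', '0', '0', '0', '0', '0']);
    $ins->execute([1, 'ben', 'Ben', 'Example', 'ben@example.invalid', '000',
                   password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// The pattern from the original post: the submitted name is spliced into the SQL text,
// so quote characters in $u become part of the WHERE clause.
function count_concat(PDO $db, string $u): int
{
    return (int) $db->query("SELECT COUNT(*) FROM users WHERE uname = '$u'")->fetchColumn();
}

// Prepared statement: the placeholder is sent as data, so $u can only ever be compared
// as a literal string and never changes the structure of the query.
function count_prepared(PDO $db, string $u): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE uname = ?');
    $stmt->execute([$u]);
    return (int) $stmt->fetchColumn();
}

// Whitelist validation: decide what a username may look like and reject everything
// else before the database is involved at all.
function valid_username(string $u): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $u);
}

// Full login: validate, look up with a bound parameter, verify the hash in PHP.
// Returns the user record without the hash, or null on any failure (same answer
// for "no such user" and "wrong password", so names cannot be probed).
function login(PDO $db, string $u, string $p): ?array
{
    if (!valid_username($u)) {
        return null;
    }
    $stmt = $db->prepare('SELECT uid, uname, fname, lname, email, phone, pass
                          FROM users WHERE uname = :uname');
    $stmt->execute([':uname' => $u]);
    $record = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($record === false || $record['uid'] == 0 || !password_verify($p, $record['pass'])) {
        return null;
    }
    unset($record['pass']);
    return $record;
}

$db = make_db();
$payload = "' or ''='";   // the input the original post is worried about

printf("concatenated query, payload: %d row(s)\n", count_concat($db, $payload));   // 2: every user
printf("prepared statement, payload: %d row(s)\n", count_prepared($db, $payload)); // 0: literal match only
printf("valid_username(payload): %s\n", valid_username($payload) ? 'yes' : 'no');  // no
printf("login ben/correct horse: %s\n", login($db, 'ben', 'correct horse') ? 'ok' : 'denied'); // ok
printf("login ben/wrong: %s\n", login($db, 'ben', 'wrong') ? 'ok' : 'denied');                // denied
```

The two count functions answer the original post's question directly: with concatenation the payload turns the WHERE clause into `uname = '' or ''=''` and every row comes back (which is what the "more than one row" heuristic is trying to catch after the fact); with a bound parameter the same string matches nothing, so there is nothing left for the heuristic to do. The uid 0 check is kept only because the post's schema has that row; a real users table should not contain a sentinel account at all.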
Hi friends.
I usually use Smarty to create templates.
When I wanted to create something like this:
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test</title>
</head>
<body>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
</body>
</html>
I created three files (for example Header.tpl, Footer.tpl, Body.tpl).
Header.tpl:
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test</title>
</head>
<body>
Body.tpl:
<table>
<tr>
<td> </td>
</tr>
</table>
Footer.tpl:
</body>
</html>
Then I wrote this Smarty code in PHP to create the above HTML file:
$smarty->display('Header.tpl');
for ($i = 0; $i <= 3; $i++) {
    $smarty->display('Body.tpl');
}
$smarty->display('Footer.tpl');
This way is bad, because designing the template is very difficult.
Are there any ways to use Smarty to create the above HTML file?
Thanks in advance.
Sorry for my English. I'm a freshman.
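Added example (not from the poster or the Smarty project): the same page built from a single template with a `{section}` loop, so the designer sees the whole document in one file instead of three fragments stitched together in PHP. It assumes Smarty is installed and `Smarty.class.php` is on the include path; the template is written to a temporary directory from a nowdoc so the script is self-contained, and the cell texts and title are constructed sample data. The `|escape:'html'` modifier is included because anything assigned from user input must be escaped before it lands in the page.

```php
<?php
// Added example; assumes Smarty.class.php is on the include path.
require_once 'Smarty.class.php';

// Working directories for this demo (Smarty needs a writable compile_dir).
$dir = sys_get_temp_dir() . '/smarty_example';
foreach (['templates', 'templates_c'] as $sub) {
    if (!is_dir("$dir/$sub")) {
        mkdir("$dir/$sub", 0700, true);
    }
}

// One template replaces Header.tpl + Body.tpl + Footer.tpl: the repeated <table>
// block sits inside a {section} loop that runs once per element of $cells.
// Nowdoc (<<<'TPL') so PHP leaves Smarty's {$...} tags untouched.
$template = <<<'TPL'
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>{$title|escape:'html'}</title>
</head>
<body>
{section name=row loop=$cells}
<table>
<tr>
<td>{$cells[row]|escape:'html'}</td>
</tr>
</table>
{/section}
</body>
</html>
TPL;
file_put_contents("$dir/templates/page.tpl", $template);

$smarty = new Smarty();
$smarty->template_dir = "$dir/templates";     // Smarty 3 prefers setTemplateDir()
$smarty->compile_dir  = "$dir/templates_c";   // Smarty 3 prefers setCompileDir()

// Constructed sample data. The last cell contains markup so the output shows
// the escape modifier turning it into harmless text rather than a live tag.
$smarty->assign('title', 'Test');
$smarty->assign('cells', ['one', 'two', 'three', '<b>four</b>']);

$smarty->display('page.tpl');
```

The loop count comes from the data (`loop=$cells`), so adding a fifth table is a change to the PHP array, not to the template, and the template file is valid, complete HTML that a designer can open on its own.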
Can't you just output the HTML? It doesn't stop normal PHP from working.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
Thanks Bradml.
Bradml wrote: Can't you just output the HTML?
Yes, I can, but I want to generate the output with Smarty!
Sorry for my English. I'm a freshman.
.... why? What benefit does that provide?
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
Bradml wrote: What benefit does that provide?
With Smarty you can separate the template from the program, so we can change the template easily.
Sorry for my English. I'm a freshman.
Ok, well sorry I haven't really looked into Smarty so I'm not going to be of too much help. Check out the Smarty Forums[^]. They can probably help you out.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
OK, that's all right. Thanks.
Sorry for my English. I'm a freshman.
I want to place image-generating code in my web page. It works fine on its own,
but when I put that code into my web page it doesn't work.
Mohsin Ali
Can you tell us what happens? Does it throw errors? Can you show us the code?
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
It's hard to say without any code.
Write your code, Ali.
Sorry for my English. I'm a freshman.