ManiacDan
-
Posts
2,604 -
Joined
-
Last visited
-
Days Won
10
Posts posted by ManiacDan
-
-
The switch is the safest way. I assume someone is inputting these arguments into your script. What if, instead of "+" they input "; eval('rm -rf .'); //"?
If you must use eval (which is stupid and wrong):
eval('$ohboy = ' . $arg . ';');-Dan
-
It doesn't seem like you understand what the include/require functions actually do. When you include a PHP file, basically what happens is PHP copies the contents of the file right into the script that's including them. Include/require will ALWAYS succeed if the file is present, the only question you should have is whether or not the PHP inside the included file is valid. This is something you have to ensure by writing good code in your include files, not by wrapping them in a validator.
Include files shouldn't "return" anything to the parent file, because they're designed to operate as if the code is IN the parent file to begin with.
-Dan
-
What he means is, PHP by default doesn't allow two queries to be processed in the same string specifically because developers are generally not smart enough to properly sanitize their incoming user data, so a user puts "'; DROP TABLE `users`;#" inside the "login" form and your site suddenly disappears. PHP has a lot of "quirks" to protect the dumber members of the web dev community.
You will have to put your queries in an array and run them one at a time.
-Dan
-
-
As mjdamato has pointed out, sometimes we give extra information where advice is needed. You seemed to not understand what forms are actually for and how they're used, so I attempted to explain them using a rhetorical question.
Take your site down right now and secure it before putting it back up.
-Dan
-
Why would you expect it to? What good would it do under normal circumstances to be able to grab the style of the HTML element out of POST? The whole purpose of the functionality is to allow users to post values into named fields. The ID (which you assigned in the HTML, cannot change, and should be associated with the name) isn't something you should be wasting bandwidth transmitting.
-Dan
-
The ID is not posted, only the name and value. If you must get two values out of a single element, make the "value" a delimited string.
-Dan
-
Yes, right, it's only good for MYSQL, not the other SQL engines.
Nobody really switches databases mid-stream anyway. Backticks aren't going to be the problem when you switch, all the built in functions are.
-
Already solved this, scroll up.
-
3) Sessions are tied to a specific browser session. Closing the browser, clearing its cookies, or switching to another computer will destroy the session.
-Dan
-
You have an else immediately followed by another else right in the middle of that block. You can't do that.
Also, none of this code makes any sense, you're using && where it doesn't belong and your indentation is horrible.
-Dan
-
That's not an apostrophe, that's a "backtick." An apostrophe and a single quote are the same thing.
That being said, you wrap mysql column and table names in backticks to ensure that they're recognized as what they are, this is how you can use a column name like `date`.
You don't need them, but technically it's the correct way to write SQL.
-Dan
-
$sql = "INSERT INTO `test`.`users` (`id` ,`username` ,`password`) VALUES ('' , '$username', MD5( '$password' ));";Ahem...
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
See the problem?
-Dan
-
Right, so now it's the next day and the OS has deleted your data from yesterday. Try all your tests again. Code isn't magic, problems that go away on their own generally come back on their own.
-Dan
-
When we say "empty a variable" we don't mean empty($_SESSION['rand']) we mean unset($_SESSION['rand'])
-Dan
-
You did a print_r($_POST) and you got array() and that's it? Then it's empty.
Also note that print_r($_POST) should ALWAYS give you an array, the key is to look at the output and see what $_POST['ques'] is. I'm guess it's not an array or it doesn't even exist.
-Dan
-
print_r($_POST), see what's in there.
-Dan
-
Normally you need an exit() after a header() call, but that doesn't explain why it's doing nothing...
Get the LIVE HTTP HEADERS plugin for firefox, see what's happening on your machine.
-Dan
-
That has no real effect...and you still haven't said whether or not you're deleting the cookies or URL params, but it's good that you think it's working now.
-
Don't do that, and don't advertise that fact on a public forum.
-
The code you're matching is generally the reason why a match won't work. I bet you have <a class="something" href="url.php" />
-Dan
-
After your WHILE loop finishes, $row will be false and will not have the 'id' property. You will have to fetch the variable INSIDE the loop.
-Dan
-
If you're not deleting the cookie or the URL parameter, the session won't go away.
-
Assuming you haven't overridden any settings, sessions are stored in a temporary file on your server's file system.
The session file is named after the user's session ID, which is stored either (a) in the user's PHPSESSID cookie, or (b) in the URL.
When the user visits the site, his cookie/URL are analyzed and the proper file is loaded into memory as $_SESSION.
Check the URL you're using. If there's a 32-character hexadecimal code there that you don't recognize, it's your session ID, and anyone who uses that URL will get the same session as you. This is why URL-based sessions are frowned upon and rarely used.
If there's no session ID in the URL, then you have a cookie called PHPSESSID on your browser. It SHOULD be deleted once all your browser windows are closed, but it won't necessarily. You'll have to delete the cookie by hand to clear your session.
-Dan
help with image border.
in CSS Help
Posted
Your "top" div has three children: top left corner, top border, top right corner. The top border is set to 25px wide.
OUTSIDE of that, you have the image. The image's width has no effect on your top border width.
-Dan