Everything posted by requinix
-
Hold on. Why do you need to chmod anything?
-
Uh, generateKeywords() returns calculateKeywords(), which via
    $keystring = implode(', ', array_slice($keywords, 0, $keyword_amount));
returns a string.
-
You are correct with your $myValue thing. There is no risk of SQL injection. If you're wondering about the 302, (a) where does it redirect and (b) is there anything in the server logs about why?
-
    echo KeywordsGenerator("$text");
Put it in a variable instead of echoing it.
-
Because I just love bringing this up, linky. The wheel is a complicated beast. Also worth noting: if a regex is too restrictive and a user doesn't want to enter a real address, they can very easily just put in "nobody@example.com". Totally valid. That's why places that need a real email address typically send a confirmation message.
-
That regex will accept "hey @twitteruser, shut up.everything you say is stupid and wrong" as an email address. Which it clearly isn't. Find yourself a different regex, and when you do so that might fix your problem. And if not then we'll need to see the regex and your code.
-
Trailing slash in the path. Can haz one? Without it the filenames look like "/home/domain/testimage.jpg".
-
Not tell us about the T_ENCAPSED_AND_WHITESPACE error you were getting. If you're just using a variable then don't put it in strings; if you do put one in strings then make sure you do so correctly. And then you'd say something about not getting mail and we'd point out that the fourth argument to mail() needs to be a proper set of headers - not merely the sender's email address. Check the manual page for an example. Or even better, as someone would no doubt point out, would be to use a third-party tool like PHPMailer to send emails because they can handle all the little intricacies that may arise. Possibly overlooked might be that you shouldn't just put the sender's email in that aforementioned list of headers because there's a risk of (email) header injection; another problem that the third-party thing would address.
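An added example (not the poster's code, and not from the thread) of the header-handling point above: the fourth argument to mail() built as a proper header set, with the user-supplied reply address validated so it cannot smuggle in extra header lines. The form field names, the site sender and the recipient address are assumptions.

```php
<?php
// Added example (not the poster's code): building the headers for mail() from a
// user-supplied reply address without allowing email header injection.
// The form field names "email", "subject" and "message" are assumed.

function safe_reply_to(string $input): ?string
{
    $email = trim($input);
    // A CR or LF in the value would start a new header line; refuse outright
    if (preg_match('/[\r\n]/', $email)) {
        return null;
    }
    // Syntactic check only; a confirmation message is what proves the address is real
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

$from_site = 'noreply@example.com';          // fixed sender, never user-controlled
$reply_to  = safe_reply_to($_POST['email'] ?? '');
if ($reply_to === null) {
    http_response_code(400);
    exit('Please enter a valid email address.');
}

// Fourth argument to mail(): a proper set of headers (array form, PHP 7.2+),
// not merely the sender's email address
$headers = [
    'From'         => $from_site,
    'Reply-To'     => $reply_to,
    'Content-Type' => 'text/plain; charset=utf-8',
];

// The subject is a header too, so it gets the same CR/LF treatment
$subject = str_replace(["\r", "\n"], ' ', $_POST['subject'] ?? 'Website contact');
$body    = $_POST['message'] ?? '';

$ok = mail('owner@example.com', $subject, $body, $headers);
echo $ok ? 'Sent.' : 'Could not send.';
```

The user's address only ever lands in Reply-To; From stays a fixed address the site owns, which also keeps the message from being rejected by receivers that check the sender domain.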
-
You can't copy files into a website. You have to copy them as the actual files they are. Figure out where the /test path is on your filesystem (spoiler: $_SERVER["DOCUMENT_ROOT"] . "/test") and copy the files into that. And you know you've got a block of code there repeated, right? And don't use the ["type"] to tell the file type - it cannot be trusted and might even be wrong in some (coughIE) browsers. Look at the extension first and, for images, use getimagesize to be extra sure.
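An added example (not from the thread, and not the poster's code) of the upload check described above: ignore $_FILES["..."]["type"], look at the extension first, and confirm with getimagesize() that the bytes really are an image of that type before moving the file into the document root's /test directory. The form field name "photo" is an assumption.

```php
<?php
// Added example (not from the forum post): validating an uploaded image by
// extension and by getimagesize(), ignoring the client-supplied MIME type.
// Assumes a form field named "photo" and a destination directory
// $_SERVER["DOCUMENT_ROOT"] . "/test", as in the thread.

function validate_image_upload(array $file, array $allowed_ext): ?string
{
    // Reject anything PHP itself flagged (size limit, partial upload, no file)
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only the basename of the client filename matters; never trust a client path
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    // getimagesize() reads the actual bytes; a renamed script fails here
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $type_to_ext = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    // The detected type must agree with the extension the user gave
    $normalized = ($ext === 'jpeg') ? 'jpg' : $ext;
    if (!isset($type_to_ext[$info[2]]) || $type_to_ext[$info[2]] !== $normalized) {
        return null;
    }
    return $normalized;
}

$dest_dir = $_SERVER['DOCUMENT_ROOT'] . '/test';
$ext = validate_image_upload($_FILES['photo'] ?? [], ['jpg', 'jpeg', 'png', 'gif']);
if ($ext === null) {
    http_response_code(400);
    exit('Not an acceptable image upload.');
}

// Server-chosen filename: no user input in the stored path at all
$target = $dest_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['photo']['tmp_name'], $target)) {
    http_response_code(500);
    exit('Could not store the file.');
}
echo 'Stored as ', basename($target);
```

The stored name is generated server-side, so even a file that passes both checks cannot choose its own name or directory under the web root.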
-
How Can Site Get Hacked If You Protect All Get And Post Inputs ?
requinix replied to Eritrea's topic in Application Design
So basically your question is what else you have to worry about besides user input (assuming you're properly set up against that), file uploads, and server intrusion? If you're on a shared hosting machine then other users already have (limited) access to the server; they could quite possibly have read access to all your files by default. The database server is another vector. Of course there's also bugs in PHP, like the recent ?-s and that one floating-point number, but you can't really do anything about those.
7 replies
Tagged with: php, sql-injection (and 2 more)
-
How Can I Insert String With Single And Double Quote Into Mysql Table?
requinix replied to colap's topic in PHP Coding Help
fgetcsv() will leave the quotes out automatically - they won't be in the values you get back.
-
How Can I Insert String With Single And Double Quote Into Mysql Table?
requinix replied to colap's topic in PHP Coding Help
That looks like CSV data. Are you getting it from a file? Use fopen+fgetcsv+fclose to read the file line by line. The best part is that fgetcsv() will turn each line into an array according to the delimiters (ie, the commas). Assuming you know what the columns are then you can construct an INSERT based on the values in the arrays.
-
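An added example (not from the thread, and not the poster's code) of the fopen+fgetcsv+fclose loop above feeding a prepared INSERT, which is what makes the single and double quotes in the original question a non-issue: fgetcsv() strips the CSV quoting and the database driver handles the quotes in the values. The table, column names, DSN and credentials are placeholders, and the CSV content is constructed sample data read from memory in place of a file.

```php
<?php
// Added example (not from the thread): load CSV rows containing single and
// double quotes into MySQL with fgetcsv() and a prepared statement.
// DBNAME/DBUSER/DBPASS, the "people" table and its columns are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// Constructed sample data standing in for the CSV file; both quote kinds appear
$sample = "id,name,comment\n"
        . "1,\"O'Brien\",\"said \"\"hello\"\" twice\"\n"
        . "2,Plain,\"it's a 'test', with ,commas\"\n";
$fh = fopen('php://memory', 'r+');
fwrite($fh, $sample);
rewind($fh);

// Placeholders instead of string concatenation: no escaping of the values needed
$stmt = $pdo->prepare('INSERT INTO people (id, name, comment) VALUES (:id, :name, :comment)');

// Escape parameter passed explicitly ('' = plain RFC 4180 doubled-quote style)
$header = fgetcsv($fh, null, ',', '"', '');     // consume the header row
$pdo->beginTransaction();
try {
    while (($row = fgetcsv($fh, null, ',', '"', '')) !== false) {
        if ($row === [null]) {                  // blank line
            continue;
        }
        if (count($row) !== count($header)) {
            throw new RuntimeException('Unexpected column count: ' . implode('|', $row));
        }
        [$id, $name, $comment] = $row;          // "O'Brien", 'said "hello" twice'
        $stmt->execute([
            ':id'      => (int)$id,
            ':name'    => $name,
            ':comment' => $comment,
        ]);
    }
    $pdo->commit();
} catch (Throwable $e) {
    $pdo->rollBack();
    throw $e;
}
fclose($fh);
echo "Import complete.\n";
```

Wrapping the loop in a transaction means a malformed line part-way through the file leaves the table untouched rather than half-loaded.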
There's nothing in there that actually needs regular expressions. Use strpos instead of preg_match().
4 replies
Tagged with: modifier d, preg_match (and 2 more)
-
Do you have the magic_quotes_gpc php.ini setting enabled? Use phpinfo if you're not sure. If you have it enabled then disable it.
-
What encoding are your databases/tables in? Those need to be UTF-8 too. You may need to send a SET NAMES utf8 when you first open your database connection too.
-
    // read the post from PayPal system and add 'cmd'
    $req = 'cmd=_notify-validate';
    foreach ($_POST as $key => $value) {
        $value = urlencode(stripslashes($value));
        $req .= "&$key=$value";
    }
I don't like that part. Use
    $_POST["cmd"] = "_notify-validate";
    $req = http_build_query($_POST);
For debugging, have the script send you an email containing the $req and the $res (when it reads the value). See the invalid payment email code for an example how to do that. The $req should contain data that looks right to you and the $res should contain VERIFIED. Oh, and you should get an email in the first place.
-
You're not outputting UTF-8. Well, technically yes you are, but whatever's displaying the characters doesn't think they're UTF-8.
For PHP send another header:
    header("Content-Type: text/html; charset=utf-8");
(or any other text/* type)
For HTML:
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
(same as the header above)
For XML:
    <?xml version="1.0" encoding="utf-8" ?>
Though it could be you're doubly-encoding the stuff. Remove the call to utf8_encode() and see if that fixes it. But the above changes are still important so make sure something like them is in place.
-
If the real problem is that the query string is being lost, double-check the crontab entry. A question mark may have a special meaning. Running it as a CLI script would be better but you'd have to make a couple of code changes if there isn't support for it already. You can't pass URL arguments into a command-line script directly; you'd have to grab them from $argv and set them manually. Actually you'd have to fake a few things, mostly in $_SERVER, if the code expects this to be an HTTP request.
-
If that's what's happening (and given your description it sounds possible) then that's the browser's fault. Besides the HUGE SECURITY HOLE the only thing I see missing is setting the content-length.
    header('Content-Length: ' . filesize($_GET["f"]));
As for the more important problem, your script will allow anyone to download any file on your server. All I have to do is change the URL like
    script.php?f=/etc/passwd
And now I have a list of all the users on your machine. And if one of those users is "jonahb" then
    script.php?f=/home/jonahb/.htpasswd
to grab your password list (for example). You need to validate the filename. You cannot just allow anything. If all the files are uploads/*.mp3 then validate that:
    if (dirname($_GET["f"]) != "uploads" || !fnmatch("*.mp3", basename($_GET["f"]))) {
        // invalid file! they shouldn't be downloading this!
    }
And you should check that the file actually exists, of course. And that $_GET["f"] actually exists (otherwise you'll get "undefined offset" warnings from PHP).
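An added example (not the poster's code, and not from the thread) that puts the three checks above together for the uploads/*.mp3 case: the parameter must be present, the name must be a plain filename (or uploads/filename) ending in .mp3, and the file must exist; it additionally resolves the result with realpath() and confirms it still sits inside the uploads directory, then sends the Content-Length header. The parameter name "f" and the uploads directory follow the thread; the location of that directory next to the script is an assumption.

```php
<?php
// Added example (not from the post): a download script that serves only files
// directly inside a fixed uploads directory. The "f" parameter and the .mp3
// restriction follow the thread; "uploads" being beside this script is assumed.

$base = realpath(__DIR__ . '/uploads');

function resolve_download(string $base, ?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return null;                               // parameter missing entirely
    }
    $dir  = dirname($requested);
    $name = basename($requested);
    // Accept "song.mp3" or "uploads/song.mp3"; anything else (absolute paths,
    // "..", other directories) is rejected before touching the filesystem
    if (!in_array($dir, ['.', 'uploads'], true) || !fnmatch('*.mp3', $name)) {
        return null;
    }
    // realpath() returns false for a missing file and follows symlinks, so the
    // prefix check below guarantees the final target is really under $base
    $path = realpath($base . '/' . $name);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

$file = resolve_download($base, $_GET['f'] ?? null);
if ($file === null) {
    http_response_code(404);                       // same answer for "bad" and "absent"
    exit('No such file.');
}

header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($file));
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
readfile($file);
```

Returning the same 404 for a missing file and for a rejected name keeps the script from revealing which paths exist outside the uploads directory.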
-
And that endforeach is coming from... where?
-
Okay, I'll just reverse-engineer it from the code.
    <something>
        <host starttime="1350215881" endtime="1350215891">
            <status state="up" reason="arp-response" />
            <address addr="192.168.0.1" addrtype="ipv4" />
            <address addr="A0:21:B7:06:20:67" addrtype="mac" />
        </host>
    </something>
xpath() can make the searching easier, and remove the need to rely on the ordering of the nodes (ie, [0] is the IPv4 address and [1] is the MAC address).
    $discovery = simplexml_load_file('discovery.xml');
    $ipnum = 0;
    $ip = $mac = array();
    foreach ($discovery->xpath("//host[status/@state='up']") as $ndiscovery) {
        $ipnum++;
        $ip[$ipnum] = (string)current($ndiscovery->xpath("address[@addrtype='ipv4']/@addr"));
        $mac[$ipnum] = (string)current($ndiscovery->xpath("address[@addrtype='mac']/@addr"));
    }
-
There's probably an easier way of doing this. What's the XML?
-
I assume those are two different things happening at two different times? file will read a file into an array. Line N will be offset N-1 in that array. Mind the newlines.
-
Does ssconvert output anything? Does it go to stdout or stderr? Did it error out and/or did it create the CSV output?
-
I can't tell for sure but it looks like you're over-thinking the problem. It could be as simple as this:
- Request comes in to home.php?quote=555.
- Controller (home.php) handles that. The quote number comes from $_GET and the controller goes off to the model to grab that quote (as an object).
- Controller sets a variable with the quote object, or if there's no such quote displays the relevant 404 page/view.
- Normal view gets that variable and outputs whatever it wants from the quote object.
    <?php
    // home.php

    /* controller */
    if (empty($_GET["quote"])) {
        // no quote
    }
    $quote = Quote::getInstance($_GET["quote"]);
    if (!$quote) {
        // no such quote
    }
    /* end of controller */

    /* view */
    // blah blah blah
    echo "Quote: ", $quote->name;
    // blah blah blah
    /* end of view */