Posts posted by MFA

  1. Hi
     
    I'm trying to make a "pagination" for my webpage so people can flick through several pages of images (6 columns by 4 rows). The code is meant to check how many pages are needed and display a maximum of 5 page links, 2 links for the pages before the current page and 2 links for the pages just after. 

     

    Anyway, I have tested it and the if statements are only read when the for loop is removed however the latter is necessary for this code to work. 

     

    Also I'm very basic in my coding as I'm still new. 
     
    Here is my code:
     

     
    if ($numberofobjects > '23')
    {
     
    function getCurrentPageUrl() 
    {
    $pageURL = 'http';
    if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
    $pageURL .= "://";
    if ($_SERVER["SERVER_PORT"] != "80") {
    $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
    } else {
    $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
    }
    return $pageURL;
    }
     
    $hrefpages = getCurrentPageUrl();
     
     
    $draftnumberofpages = $numberofobjects / '24';
    $numberofpages = count($draftnumberofpages, 0, PHP_ROUND_HALF_UP);
     
     
    $currentpage = substr($hrefpages, -1);
    $linkwithoutpage = substr($hrefpages, 0, -1);
     
    $prevpage1 = $currentpage - '1';
    $nextpage1 = $currentpage + '1';
    $prevpage2 = $currentpage - 2;
    $nextpage2 = $currentpage + 2;
     
    $keepgoing = '0';
    $currentpagination = '0';
    $nomoreprev = '0';
    $nomorenext = '0';
     
    echo '<div class="row"></div>';
    echo '<div class="row"></div>';
    echo '<div class="pagination-centered">
      <ul class="pagination">';
      if ($currentpage != '1')
      {
       echo '<li class="arrow"><a href="'.$linkwithoutpage.$prevpage1.'">«</a></li>';
      }
      
    for ($paginationincrement = 0; $paginationincrement == 5; $keepgoing++)
      {
      if ($prevpage2 >= 1)
      {
    echo '<li ><a href="'.$linkwithoutpage.$prevpage2.'">'.$prevpage2.'</a></li>';
    echo '<li ><a href="'.$linkwithoutpage.$prevpage1.'">'.$prevpage1.'</a></li>';
     $paginationincrement + 2;
     $nomoreprev = '1';
      }
        if ($prevpage1 >= 1 && $nomoreprev != 1 )
      {
    echo '<li ><a href="'.$linkwithoutpage.$prevpage1.'">2</a></li>';
     
     $paginationincrement ++;
      }
      
      
      if ($currentpagination == '0')
      {
      
      $paginationarray = '<li class="current"><a href="#">'.$currentpage.'</a></li>';
      $paginationincrement++;
      $currentpagination = '1';
      }
      
      
      if ($nextpage2 <= $numberofpages)
      {
     
    echo '<li ><a href="'.$linkwithoutpage.$nextpage2.'">'.$nextpage1.'</a></li>';
    echo '<li ><a href="'.$linkwithoutpage.$nextpage1.'">'.$nextpage2.'</a></li>';
     $paginationincrement + 2;
     $nomorenext = 1;
      }
        if ($nextpage1 <= $numberofpages && $nomorenext != 1)
      {
     
    echo '<li ><a href="'.$linkwithoutpage.$nextpage1.'">'.$nextpage1.'</a></li>';
     $paginationincrement ++;
      }
      if ($paginationincrement == $numberofpages)
      {
     $paginationincrement = 5;
      }
      
      
      }
     
     
     
     
    if ($currentpage != $numberofpages)
    {
       echo '<li class="arrow"><a href="'.$linkwithoutpage.$prevpage1.'">»</a></li>';
    }
     echo ' </ul>
    </div></div>';
     
    }
  2. Ahhh, I never knew of the shuffle function. Very useful in this scenario indeed.

     


    while (count($randommodulearray) == $numberofmodules)
    Think about exactly what's happening there. What will happen after $randommodulearray has its first item?

     

    It should have been:

    while (count($randommodulearray) != $numberofmodules)

    Thanks for your help.

  3. Hi,

    I'm trying to make an array containing values that are unique (i.e. the values are not repeated within the array). There seems to be a mistake somewhere in my code below because only one value (the first element of the array) is being stored in the $randommodulearray array. I would appreciate it if someone could explain why. Cheers.

    Also, just to confirm, $module == 'all'.
     

    if (($module == 'all') || ($module == 'sem1') || ($module == 'sem2'))
    {
    $modulearray = array("1"=>"Endocrine","2"=>"Renal","3"=>"Genetics","4"=>"GI","5"=>"Neuro","6"=>"EPISTATS");
    
    $randommodulearray = array();
    
    switch ($module)
    {
    case 'all':
    $numberofmodules = '6';
    $min = '1';
    $max = '6';
    break;
    
    case 'sem1':
    $numberofmodules = '3';
    $min = '3';
    $max = '6';
    break;
    
    case 'sem2':
    $numberofmodules = '3';
    $min = '1';
    $max = '3';
    break;
    
    
    }
    
    do
    {
    $optionmodule = rand($min,$max);
    $checkmodule = $modulearray[$optionmodule];
    if (in_array($checkmodule, $randommodulearray))
    {
        do
        {
            echo 'lol';
            $optionmodule = rand($min,$max);
            $checkmodule = $modulearray[$optionmodule];
            
        }
        while (!in_array($checkmodule, $randommodulearray));
        
    $randommodulearray[] = $checkmodule;
    }
    else
    {
    
    $randommodulearray[] = $checkmodule;
    }
    }
    while (count($randommodulearray) == $numberofmodules); // i.e. until they are 6 elements in array
    
    
    }
  4. Yes I know, it's difficult to explain. Unfortunately, I have to use an array, this is template code from pChart and I have to fill in the array values as they represent the values of the bar graphs.

    I am still not sure how to go about this using the list() function.

  5. I am wondering how to replace several values in an array with a single variable. I have tried just simply creating a variable for all the values within the array (e.g. $variable = $round1.",".$round2.",".$round3) and substituting that in, however it doesn't work as the array understands the commas literally and outputs them on the page. The original line of code is below. Thank you.

    $myData->addPoints(array($round1,$round2,$round3),"Frequency");

     

     

  6. I just installed pchart2.1.3 onto my server. The examples and sandbox rendering work fine however when implementing any pchart code onto one of my webpages, I get weird characters instead of a graph. For example, I get something like this

    PNG IHDR <2IDATxogس]gwc{w4 %YeZ$hiՈ T.i
    * $RJhQ(=.BjJDIKHThQ@^"jmnKdu:^{v{\&g{<ώyeg~
    33ό\"aW !$w !H@BHBr;$ !$w !H@B$7
    |shT*>}궊.W(R}\W#N jwwݭ]Kpʕ+q@
    D6Gn^sy䑳g6 q[n%FV+Hi&Nڴium< ܣѨ
    'Og>×wuW$Rc<>jD]aVTD%ip׾/۷og/^\58_R.ϼ-}A
     ;5HD%ipז.]:

    and it fills my entire webpage with these characters. Can anyone suggest how to correct this?

     

  7. Hi

     

    I have made the code below that outputs the contents of a CSV file into a table. The code works fine however on my server host CGI error log, it says

     

    PHP Warning:  Invalid argument supplied for foreach() in "my_php_file_name" on line 83
     

    do
    {
        $array = fgetcsv($filehandle, 65, ",");
        echo "<tr>";
        foreach ($array as $tableformat)
        {
        echo "<td>".$tableformat."</td>";    
        }
        echo "</tr>";
        $nextrow++;
    }
    while ($nextrow <= $lines);
     

     

    $lines refers to the number of lines in the CSV file and $nextrow represents the integer value 0.

     

    Although it is working, could someone please explain to me why this message appears so that I can correct it and learn from this experience. Thank you.
     

  8. Hi

    I am wondering whether starting (<?php) and stopping (?>) PHP several times throughout a script has an effect on the speed at which it is processed. Sometimes I have a few lines of HTML in between sections of PHP language. Would it be more efficient if I just echo'd this HTML section (in PHP) or does it not make a difference?

  9. So I fixed it by creating 2 separate variables for each $_GET command. One specifically for the <select> tags and the other for the switch statements.

     

    However, I still want to know why it wasn't working before, could someone help me figure this out please. If I had only one variable for each $_GET command and placed it  below all the <select> tags, the sql query would work. So, the problem is obviously above that point and to do with the section containing the <select> tags.

  10. Thank you for helping out and teaching me how to simplify such a code, however you must appreciate I am still only a beginner in this field and require further practice before attaining the level of expertise to write such codes.

     

    After modifying my code as you suggested, I received the following on my page:

     

    "Query:
    Error:"

     

  11. Hi. I have spent this whole afternoon (4 hours) trying to find the mistake causing my code to stop working. It was working fine before I appended all the if "if ($module == "neuro") {echo 'selected="selected"';}" in the option html tags. Now I get an error saying "PHP Warning:  mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /.../.../mcqlist.php on line 241"

     

     

     

     

    <?php
     if (($_SESSION['year2']) || (($_SESSION['y2s1']) && ($_SESSION['y2s2'])))
     {
        echo "<h3>".$_SESSION['year2']."</h3>";
     }
    if ($_SESSION['y1s1'])
     {
         echo "<h3>".$_SESSION['y2s1']."</h3>";
     }
    if ($_SESSION['y2s2'])
     {
        echo "<h3>".$_SESSION['y2s2']."</h3>";
     }
     
    
    
        
       $module =$_GET['mod'];
       $questiontype = $_GET['type'];
       $diff = $_GET['diff'];
    
    ?>
    
     
     
     <form name="customlist" action="mcqlistquery.php" method="post"> <!-- use mcqlistcustom or just make it the same page??-->
     <table border="0" width="90%" align="center">
     <tr><td><b>Select Modules</b></td><td><b>Select Question Format</b></td><td><b>Select Difficulty</b></td></tr>
      <tr><td><select name="topic">
      <?php
     
      if (($_SESSION['year2']) || (($_SESSION['y2s1']) && ($_SESSION['y2s2'])))
      {
          echo '
        <option value="all"'; if (($module == "") || ($module=="all")) {echo 'selected="selected"';} echo '>ALL MODULES</option>
            <option value="" ></option>
      <option value="neuro"'; if ($module == "neuro") {echo 'selected="selected"';} echo '>Neuroscience</option>
      <option value="gi"'; if ($module == "gi") {echo 'selected="selected"';} echo '>Gastrointestinal and Liver</option>
      <option value="epistats"'; if ($module == "epistats") {echo 'selected="selected"';} echo '>Epidemiology and Statistics</option>
      <option value="genetics"'; if ($module == "genetics") {echo 'selected="selected"';} echo '>Clinical Genetics</option>
      <option value="renal"'; if ($module == "renal") {echo 'selected="selected"';} echo '>Renal and Urology</option>
      <option value="endocrine"'; if ($module == "endocrine") {echo 'selected="selected"';} echo '>Endocrine</option>
        <option value=""></option>
      <option value="sem1"'; if ($module == "sem1") {echo 'selected="selected"';} echo '>SEMESTER 1 MODULES</option>
      <option value="sem2"'; if ($module == "sem2") {echo 'selected="selected"';} echo '>SEMESTER 2 MODULES</option>  ';
      }
      if ($_SESSION['y2s1'])
      {
          echo '
            <option value="sem1"'; if (($module == "") || ($module=="sem1")) {echo 'selected="selected"';} echo 'selected="selected">SEMESTER 1 MODULES</option>
             <option value="" ></option>
      <option value="neuro"'; if ($module == "neuro") {echo 'selected="selected"';} echo '>Neuroscience</option>
      <option value="gi"'; if ($module == "gi") {echo 'selected="selected"';} echo '>Gastrointestinal and Liver</option>
        <option value="epistats"'; if ($module == "epistats") {echo 'selected="selected"';} echo '>Epidemiology and Statistics</option>';
      }
      if ($_SESSION['y2s2'])
      {
          echo '
            <option value="sem2"'; if (($module == "") || ($module=="sem2")) {echo 'selected="selected"';} echo '>SEMESTER 2 MODULES</option>  
            <option value=""></option>   
         <option value="genetics"'; if ($module == "genetics") {echo 'selected="selected"';} echo '>Clinical Genetics</option>
      <option value="renal"'; if ($module == "renal") {echo 'selected="selected"';} echo '>Renal and Urology</option>
      <option value="endocrine"'; if ($module == "endocrine") {echo 'selected="selected"';} echo '>Endocrine</option>  ';
      }
     
      ?>
    
      </select></td><td>
     
      <select name="questionformat">
      <option value="all" <?php if (($questiontype == "") || ($questiontype=="all")) {echo 'selected="selected"';} ?>>ALL FORMATS</option>
              <option value="" ></option>
      <option value="mcq" <?php if ($questiontype == "mcq") {echo 'selected="selected"';} ?>>Multiple Choice (MCQ)</option>
      <option value="emq" <?php if ($questiontype == "emq") {echo 'selected="selected"';} ?>>Extended Matching (EMQ)</option>
      <option value="srq" <?php if ($questiontype == "srq") {echo 'selected="selected"';} ?>>Selected Response (SRQ)</option>
      <option value="mcqemq" <?php if ($questiontype == "mcqemq") {echo 'selected="selected"';} ?>>MCQ and EMQ</option>
      <option value="mcqsrq" <?php if ($questiontype == "mcqsrq") {echo 'selected="selected"';} ?>>MCQ and SRQ</option>
      <option value="emqsrq" <?php if ($questiontype == "emqsrq") {echo 'selected="selected"';} ?>>EMQ and SRQ</option></select>
    
     </td>
      <td> <select name="difficulty">
      <option value="all" <?php if (($diff == "") || ($diff == "all")) {echo 'selected="selected"';} ?>>ALL DIFFICULTIES</option>
              <option value="" ></option>
      <option value="easy" <?php if ($diff == "easy") {echo 'selected="selected"';} ?>>Easy</option>  
      <option value="easymoderate"<?php if ($diff == "easymoderate") {echo 'selected="selected"';} ?>>Easy and Moderate</option>
      <option value="moderate"<?php if ($diff == "moderate") {echo 'selected="selected"';} ?>>Moderate</option>
      <option value="moderatehard" <?php if ($diff == "moderatehard") {echo 'selected="selected"';} ?>>Moderate and Hard</option>
      <option value="hard" <?php if ($diff == "hard") {echo 'selected="selected"';} ?>>Hard</option>
      <option value="easyhard" <?php if ($diff == "easyhard") {echo 'selected="selected"';} ?>>Easy and Hard</option>
      </select></td>
     
      <td>
      <input type="submit" value="Go!" />
      </td></tr>
      </table>
      </form>
     
       <?php
       
         
         if (($module="") || ($diff="") || ($questiontype=""))
         {
            echo "Filter fields not correctly specified!";
            die();
         }
        
         include 'dbyear2.php';
       
    if (($_SESSION['year2']) || ($_SESSION['y2s1'])) //alowed subscriptions
    {   
    switch ($module) //creating whitelist, used for security, prep_stmt can't be used and is better than using escae_string
    {
    case "neuro":
    $tbl = "Neuro_";
    break;
    
    case "gi":
    $tbl = "GI_";
    break;
    
    case "epi":
    $tbl = "EPISTATS_";
    break;
    }
    }
    
    if (($_SESSION['year2']) || ($_SESSION['y2s2'])) //allowed subscriptions
    {
    switch ($module)
    {
    case "genetics":
    $tbl="Genetics_";
    break;
    
    case "renal":
    $tbl="Renal_";
    break;
    
    case "endocrine":    
    $tbl = "Endocrine_";
    break;
    }
    }
    
    
    switch ($questiontype) //question format. whitelist.
    {
    case "mcq":
    $qtype = "MCQ";
    break;
    
    case "emq":
    $qtype ="EMQ";
    break;
    
    case "srq":
    $qtype = "SRQ";
    break;    
    
    }
    
    
    $tablefinal = $tbl.$qtype;
    
    
     switch ($diff) //whitelist
     {
        
    case "easy":
    $correctdiff = "Easy";
    $imgsrc = "http://.mysite../easy.png";
    $imgalt = "easy";
    break;
    
    case "moderate":
    $correctdiff = "Moderate";
    $imgsrc = "http://..mysite../moderate.png";
    $imgalt = "moderate";
    break;
    
    case "hard":
    $correctdiff = "Hard";
    $imgsrc = "http://...mywebsite./hard.png";
    $imgalt = "hard";
    break;    
            
     }
     
    $statement = mysqli_query($condbyear2, "SELECT UQN FROM $tablefinal WHERE difficulty= '$correctdiff'");
    
    $baseURL = "http://..my website../mcq.php?uqn=";
    
    while ($row = mysqli_fetch_array($statement, MYSQLI_NUM))
    {
    foreach ($row as $integer)
    {
        $href = $baseURL.$integer;
    echo "<a href= '$href'> <img src='$imgsrc' alt='$imgalt' width='80' height='80'> </a>";    
    }
    }
    
    
    ?>
     
  12. So, I finally fixed it. And for anyone else who has/will suffer(ed) from a similar problem, the solution was to reset your CGI error log. Mine was saying:

     

    20130316T222720: www.webaddress.com/webpage.php
    PHP Warning:  session_start(): open(/var/php_sessions/sess_8dc57575562c346dcdf093266d7a46e4, O_RDWR) failed: No such file or directory (2) in /hermes/waloraweb077/b1980/webaddress.com/webpage.php on line 2
    PHP Warning:  Unknown: open(/var/php_sessions/sess_8dc57575562c346dcdf093266d7a46e4, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
    PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/php_s

     

    And yes, the session.save_path was in the correct place (not sure why it was saying that).
     

  13.  

    Do you actually need every single column? Generally you'll only need a handful so you should be listing them out.

     

    But that has nothing to do with prepared statements.

    SELECT * FROM members WHERE userid = ? AND code = ?
    The parameters are only for actual values in the query, not names or syntax.

     

    I was just going to type "Yes, I know but then how can i bind the result for each column without having to type out a new variable for each one. Is there not a similar function to mysqli_fetch_assoc for prepared statements?" BUT then it hit me that it is exactly the same thing as using mysqli_fetch_assoc still requires me to write out the column name anyway!

     

     If you are trying to limit overhead then you would write out each column you need.

     

    What is limit overhead?

     

     

    One final question about prepared statements, will the example below work or must all parameters be replaced by a '?' - The solution would obviously be to create a variable to replace '1' but I'm wondering if this is unnecessary?

     

    "SELECT email,password FROM members WHERE email = ? AND password = ? AND validate=1"

  14. How does one go about converting an SQL query such as:

     

    SELECT * FROM members WHERE userid='$userid' AND code='$code'

     

    into a prepared statement for PHP. I understand how to use prepared statements, however I'm having trouble with the * part of the query and I'd rather not have to write out all the table columns because I have about 20.

     

    EDIT: I'm using mysqli procedural
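
Added example, not the poster's code: one way to combine the whitelist from item 11 with the point quoted in item 13 that placeholders carry values only, never table names. The table prefixes and the UQN and difficulty columns come from item 11; the function names and the 'epistats' key are assumptions, and `mysqli_stmt_get_result()` needs the mysqlnd driver.

```php
<?php
// Added example: identifiers from a fixed map, values through a placeholder.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

const MODULE_PREFIX = [
    'neuro' => 'Neuro_', 'gi' => 'GI_', 'epistats' => 'EPISTATS_',
    'genetics' => 'Genetics_', 'renal' => 'Renal_', 'endocrine' => 'Endocrine_',
];
const FORMAT_SUFFIX = ['mcq' => 'MCQ', 'emq' => 'EMQ', 'srq' => 'SRQ'];
const DIFFICULTY    = ['easy' => 'Easy', 'moderate' => 'Moderate', 'hard' => 'Hard'];

/** Map request values to a table name; null when either is not on the list. */
function resolve_table(string $module, string $format): ?string
{
    if (!array_key_exists($module, MODULE_PREFIX)
        || !array_key_exists($format, FORMAT_SUFFIX)) {
        return null;
    }
    return MODULE_PREFIX[$module] . FORMAT_SUFFIX[$format];
}

/** Return the UQN column for one module, format and difficulty. */
function fetch_question_ids(mysqli $db, string $module, string $format, string $diff): array
{
    $table = resolve_table($module, $format);
    if ($table === null || !array_key_exists($diff, DIFFICULTY)) {
        throw new InvalidArgumentException('Filter fields not correctly specified');
    }

    // $table can only be one of the 18 literal names built from the maps above,
    // so interpolating it is safe. The difficulty value is bound, not interpolated.
    $stmt  = mysqli_prepare($db, "SELECT UQN FROM `$table` WHERE difficulty = ?");
    $value = DIFFICULTY[$diff];
    mysqli_stmt_bind_param($stmt, 's', $value);
    mysqli_stmt_execute($stmt);

    // get_result() hands back an ordinary result object, so mysqli_fetch_assoc()
    // works and no bind_result() variable is needed per column.
    $result = mysqli_stmt_get_result($stmt);
    $ids = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $ids[] = $row['UQN'];
    }
    mysqli_free_result($result);
    mysqli_stmt_close($stmt);
    return $ids;
}

// Constructed request values: only exact matches resolve to a table name.
foreach ([['neuro', 'mcq'], ['renal', 'srq'], ['neuro', 'essay'], ['', 'emq']] as [$m, $f]) {
    printf("%-10s %-8s => %s\n", var_export($m, true), var_export($f, true),
        var_export(resolve_table($m, $f), true));
}
```

The combined filter values in item 11 ("all", "sem1", "mcqemq" and so on) are left out; each would need its own list of tables resolved the same way.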

  15. I'm not sure what "out of sync" errors are. I don't get error messages if that's what you mean. This is my code at the moment.

    <?php

    //prepared statement example

    include 'database.php';

    $query = "SELECT ID FROM users WHERE email = ?";

    $email = 'example@googlemail.com';

    $statement = mysqli_stmt_init($condbmembers);

    mysqli_stmt_prepare($statement, $query);

    mysqli_stmt_bind_param($statement, 's', $email);

    mysqli_stmt_execute($statement);

    mysqli_stmt_bind_result($statement, $id);

    mysqli_stmt_fetch($statement);

    echo $id . "</br>"; // THIS WORKS!!


    $querytwo = "SELECT fname FROM users WHERE ID = ?";

    $uid = '4';


    $statementone = mysqli_stmt_init($condbmembers);

    mysqli_stmt_prepare($statementone, $querytwo);

    mysqli_stmt_bind_param($statementone, 'i', $uid);

    mysqli_stmt_execute($statementone);

    mysqli_stmt_bind_result($statementone, $fname);

    mysqli_stmt_fetch($statementone);

    echo $fname; //THIS DOESN'T UNLESS I INSERT mysqli_stmt_close($statement); FOLLOWING echo $id . "</br>";



    ?>

  16. I've just completed my first prepared statement, converted to using them for security reasons. I've tested it and it works, however I am looking for feedback (constructive criticism welcomed) regarding the code itself, although I understand it's fairly basic. Here's the code:

     

    <?php
    //prepared statement example
    include 'database.php';
    $query = "SELECT ID FROM users WHERE email = ?";
    $email = 'myemail@gmail.com';
    $statement = mysqli_stmt_init($connect);

    mysqli_stmt_prepare($statement, $query);
    mysqli_stmt_bind_param($statement, 's', $email);
    mysqli_stmt_execute($statement);
    mysqli_stmt_bind_result($statement, $id);
    mysqli_stmt_fetch($statement);

    echo $id;
    ?>

     

    Also, is using mysqli_stmt_close necessary? Am I correct in saying that without using this function I will not be able to create another prepared statement within that script? - because I have tried the latter and it wouldn't work unless I did close the statement.
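
Added example, not the poster's code: the two lookups from items 15 and 16 with the statement lifecycle made explicit. `mysqli_stmt_fetch()` reads one row of an unbuffered result, and until the rest is read, buffered or the statement is closed, the connection refuses the next prepare ("commands out of sync"). The `fetch_value()` helper and the DB_* environment variable names are assumptions; the users table and its columns are from the posts.

```php
<?php
// Added example. With this setting a failed prepare/execute throws
// mysqli_sql_exception instead of returning false and being silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Run a single-column, single-row lookup and leave the connection idle.
 * $types is the bind_param type string, for example 's' or 'i'.
 */
function fetch_value(mysqli $db, string $sql, string $types, ...$params)
{
    $stmt = mysqli_prepare($db, $sql);
    try {
        mysqli_stmt_bind_param($stmt, $types, ...$params);
        mysqli_stmt_execute($stmt);
        // Buffer the whole result set on the client so nothing is left
        // pending on the connection after the first fetch.
        mysqli_stmt_store_result($stmt);
        mysqli_stmt_bind_result($stmt, $value);
        $found = mysqli_stmt_fetch($stmt);   // true = row, null = no row
        return $found ? $value : null;
    } finally {
        // Releases the buffered result and the server-side statement handle,
        // also when one of the calls above threw.
        mysqli_stmt_close($stmt);
    }
}

// Connection settings are read from hypothetical environment variables so the
// file contains no credentials.
$host = getenv('DB_HOST');
if ($host === false) {
    exit("Set DB_HOST, DB_USER, DB_PASS and DB_NAME to run the lookups.\n");
}
$db = mysqli_connect($host, getenv('DB_USER') ?: null,
    getenv('DB_PASS') ?: null, getenv('DB_NAME') ?: null);

// Two statements on one connection, each finished before the next starts.
$id = fetch_value($db, 'SELECT ID FROM users WHERE email = ?', 's',
    'example@googlemail.com');
$fname = ($id === null)
    ? null
    : fetch_value($db, 'SELECT fname FROM users WHERE ID = ?', 'i', $id);

// Encode at output time; the values came from the database, not from HTML.
echo htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8'), "<br>\n";
echo htmlspecialchars((string) $fname, ENT_QUOTES, 'UTF-8'), "\n";

mysqli_close($db);
```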

     

  17. Okay, I now have a much better understanding of mysql injection attacks and what measures I can employ to try and prevent them. One final question, if I was to use prepared statements, should I be using bound parameter prepared statements, bound result prepared statements or both. I would think just bound parameter prepared statements, however since I'm new to all this, I'm not sure if using both would confer better protection. Thank you both for your help.

  18. Thanks for the replies, security issues and sql injections have always confused me and I really need to understand them. So, I've still got a few questions.
     

    The idea of htmlspecialcharacters is that if you store something in your database that will be displayed in another users browser (let's say user A puts in a job description and user B reads it) you don't want the data to contain something like <script src="http://malware.com/infect.php" /> Sanitizing with htmlspecialchars will convert it to &lt;script....

     

    htmlspecialchars won't protect against sql injection attacks. As AyKay47 said use mysqli_real_escape_string for that.

     

    Okay, so you're saying if I have something like <Hello> in my database and I echo this out to my webpage, it wouldn't appear as I wanted it to as the < and > signs will be interpreted as HTML language. However, if I used htmlspecialchars the < and > signs will appear as I intended them to?

     

     

    Hopefully you are not inserting html into the database, as this would be bad practice and a waste of storage space.

    mysql_real_escape_string will make any data passed to it safe to use in an SQL statement by prepending any potentially harmful characters with a backslash.

     

    Okay, I've been doing some reading and what happens if the hacker does something similar to the example posted under the heading "Just Escaping Strings Does Not Prevent SQL Injection" on this page (http://www.programmerinterview.com/index.php/database-sql/sql-injection-prevention/).

     

    First off, standard notice: You're not stating what library you're using to connect to your MySQL database, but since AyKay mentioned the old (and no longer maintained) mysql library...
    You should be using either mysqli or PDO to connect to your Database, as both of them are actively developed and contain all of the new(ish) features that the old mysql library is missing. Not to mention, since it's no longer developed it is insecure, and thus is deprecated in PHP 5.5 (and onwards).

    Then, to your question.
    The difference between FILTER_VALIDATE_SPECIAL_CHARS and htmlspecialchars is listed in the manual, so I recommend following the first link and reading up on it for yourself.

    That said, as the two above touched upon: You don't want to be using either prior to inserting the data into the database. Escaping output should only be done immediately before sending the content to third party system, and then only escaping using the proper methods.
    Which means that when you add the data to the SQL query, you need to either use mysql::real_escape_string (or PDO's equivalent) or Prepared Statements. The latter is recommended, as the database takes care of the proper way to escape the output automatically. The HTML escaping methods, however, should only be used when adding data to HTML strings, or when you're echoing out content to the browser.

    Escaping for the wrong system, or prematurely, will corrupt the original data and cause usability issues (at the very least). If you're really unlucky, it may make the data or the whole system unusable.


    I'm using mysqli (unfortunately, PDO is not supported by my web host). I have looked at both htmlspecialchars and FILTER_SANITIZE_SPECIAL_CHARS and they are both very similar in that they convert symbols such as < and > to html entities so they are displayed correctly and not mistaken for HTML, or am I mistaken?

    Also, why won't a combination of htmlspecialchars and FILTER_SANITIZE_SPECIAL_CHARS work to protect against SQL injection. It would convert quotation marks that a hacker might use into a string of characters and prevent the hacker's code from functioning as intended.

  19. I have a form where external input by users will be fed into a MySQL database and I obviously need to sanitize this input.

     

    I don't quite understand the differences between the htmlspecialchars and FILTER_SANITIZE_SPECIAL_CHARS functions. Which is better to use in this scenario? For FILTER_SANITIZE_SPECIAL_CHARS, I have also used FILTER_FLAG_STRIP_HIGH.

    Thanks.
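
Added example, not part of the posts: what the filter from item 19 does to a value before it is stored, next to the approach quoted in item 18 (store the original through a bound parameter, HTML-encode only when writing HTML). The sample value is constructed, the helper names are hypothetical, and the file is assumed to be saved as UTF-8.

```php
<?php
// Added example. Constructed form value.
$raw = "José O'Brien <jose@example.com> & co";

/** Encode for an HTML text node or quoted attribute, at output time only. */
function html(string $s): string
{
    // Flags are spelled out because the default changed in PHP 8.1:
    // older versions leave single quotes untouched unless ENT_QUOTES is given.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The input-time filter described in item 19. */
function sanitize_on_input(string $s): string
{
    // HTML-encodes ' " < > & and drops every byte above 127, which removes
    // the UTF-8 bytes of non-ASCII letters.
    return filter_var($s, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_HIGH);
}

/** Show one stored value as each consumer of the database would see it. */
function describe(string $label, string $stored): void
{
    printf(
        "%s\n  in database : %s (%d bytes)\n  in HTML page: %s\n  in JSON API : %s\n\n",
        $label,
        $stored,
        strlen($stored),
        html($stored),                                  // encoded once more for display
        json_encode($stored, JSON_UNESCAPED_UNICODE)    // a non-HTML consumer
    );
}

// Pipeline 1: HTML-encode before the INSERT. The column now holds entities,
// the accented letter is gone for good, and encoding again on output shows
// the entities literally to the visitor.
describe('Filtered on input', sanitize_on_input($raw));

// Pipeline 2: the original bytes go into the query through a bound parameter
// (mysqli_stmt_bind_param), so the column holds exactly what the user typed
// and each output context applies its own encoding once.
describe('Stored as typed', $raw);

// Neither HTML function knows SQL's quoting rules. Keeping the value out of
// the SQL text is the job of the placeholder, not of an HTML encoder.
```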
