ajoo

Everything posted by ajoo

  1. ajoo

    an exact string match only

    Hi, yeah, so it fails there as well. Great ! Thanks.
  2. ajoo

    an exact string match only

    Hi Psycho ! Thanks for the reply. Actually I tested it online here with a whole bunch of strings and it seemed ok. I was just trying to be doubly sure and so asked for your affirmation. Thanks very much for the code snippet. By the way, these failed when I tested them online, as I would want them to:

        array("abcd.abc!", 'Pass'),
        array("abcd.abcd!", 'Pass'),
        array("abcd.abcde!", 'Pass')

    I will check them using the snippet as well. Thanks.
  3. ajoo

    an exact string match only

    Hi psycho ! Thanks for the response ! Yes you understood it right. That was almost what I wanted. I also wanted it to give a mismatch if there is any character in the subject string which is not allowed by the regex. The following seems exactly right as far as I could test:

        /^([A-z0-9])\w+\.\w{3,4}$/

    If you can verify that I'd be grateful. One more thing, even though it seems not required because the regex now takes care of it: what if I wanted to ensure that there can be only one dot in the string? How could that be achieved? Thanks loads !
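    An added example, not part of the thread: the posted pattern and a tightened variant run over a handful of constructed test strings with preg_match(). Two cases show behaviour the posted pattern allows that the post probably does not intend: A-z is an ASCII code-point range that also covers the six characters between Z and a, and $ without the D modifier matches before a trailing newline.

```php
<?php
// Added example, not ajoo's or Psycho's code. Test strings are constructed here.

$posted = '/^([A-z0-9])\w+\.\w{3,4}$/';
// Tightened form: explicit A-Za-z range and \z (true end of subject, no trailing newline).
$strict = '/^[A-Za-z0-9]\w+\.\w{3,4}\z/';

// Returns true when the subject matches the pattern.
function matches(string $pattern, string $subject): bool
{
    return preg_match($pattern, $subject) === 1;
}

// subject => [expected with $posted, expected with $strict]
$cases = [
    'abcd.abc'   => [true,  true],   // letters, one dot, 3-char extension
    'abcd.abcde' => [false, false],  // extension longer than 4 characters
    'abcd.abc!'  => [false, false],  // trailing "!" is not a \w character
    'a.abc'      => [false, false],  // \w+ needs at least one more character before the dot
    'ab.cd.efg'  => [false, false],  // a second dot is never consumed, so only one dot is allowed
    '[bcd.abc'   => [true,  false],  // A-z also covers [ \ ] ^ _ ` (ASCII 91-96)
    "abcd.abc\n" => [true,  false],  // $ tolerates a final newline; \z does not
];

foreach ($cases as $subject => [$wantPosted, $wantStrict]) {
    $gotPosted = matches($posted, $subject);
    $gotStrict = matches($strict, $subject);
    printf("%-14s posted=%-5s strict=%-5s %s\n",
        json_encode($subject),
        var_export($gotPosted, true),
        var_export($gotStrict, true),
        ($gotPosted === $wantPosted && $gotStrict === $wantStrict) ? 'ok' : 'MISMATCH');
}
```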
  4. Hi, Below is how I am handling the database data before I display it on a page.

         // ...
         $query = "SQL QUERY to retrieve some data";
         // ...
         while ($stmt->fetch()) {
             $fname = html_escape($fname);
             $lname = html_escape($lname);
             $city  = html_escape($city);
             $cell  = html_escape($cell);
             // verify that $xid is numeric.
             if (($xid = fcheckNumber($xid)) === false) die('Internal error. Contact Admin');
             // verify that $role has a valid value against a set of values.
             if (($role = html_escape(fcheckRole($role))) === false) die('Internal error. Contact Admin');
             // verify that $email is correctly formatted as an email should be.
             if (($email = html_escape(fcheckEmail($email))) === false) die('Internal error. Contact Admin');
             // verify that $status is numeric.
             if (($status = fcheckNumber($status)) === false) die('Internal error. Contact Admin');
             // ...
             // display the above data in a form.
         }

     My questions are: Is this the right way of handling the data before I display it on a form, or am I overdoing it with all the checks and die statements? Am I missing out some other security aspect here? Then there are instances where I verify a SESSION variable or a POST / GET variable similarly:

         if (($xid = $_SESSION['xid']) === false) die('Internal Error. Contact Admin');

     OR

         if (($xid = $_POST['id']) === false) die('Internal Error. Contact Admin');

     Is this alright or can I skip some of these checks? I'd like to mention here that I use prepared statements for all queries and the same data verification as above when I add the data to the database. I do not html escape any data that is put into the DB. Thanks all !
  5. Hi all !! Sorry for the delayed response as I was away for a few days. @ginerjm : Yes that's correct. bind_result($lname, $fname, $date, ...); @stratadox : Correct ! Thanks for that. You are right. I have only recently, since my last 2 posts, added the html_escape to the fcheck functions, missing out on some good advice by Guru Jacques of using the html_escape function only while outputting the data. My fault. Thanks a lot for pointing out this blunder. @ Guru Barand : It would be great to hear your views on this. I mean on the idea of checking / validating the data fetched from the DB. Should it be done or not, as everyone else seems to think that it's redundant? @ Phi11W: Hi, Thanks for the reply. May I request you to elaborate on this. Irrespective of whether I check the value of the data from the DB or not, wouldn't this happen anyway if a site is hacked and data compromised? Thanks all !
  6. Hi Psycho, Thanks for the advice. I won't really use die, but then can't this be considered as an extreme case if I find that data stored in the database, which was stored after data validation, has a different data type than was initially inserted, on retrieval from the DB. However I intend to use the I think I am doing exactly as you have mentioned in 2 and 3, i.e. I am doing the validation before saving the data to the database if they pass the criteria. I do not sanitize any inputs or change them in any way. I escape the output only while displaying the data from the DB. I am however validating the data from the DB upon retrieval. I thought it was a bit cumbersome but I am doing it anyway. Thanks loads !
  7. Hi !! Thanks benanamen, ginerjm and stratadox for the response. @benanamen: That's one of the reasons that I asked this question. However, I do recall reading somewhere that data should never be trusted even if it is coming from a DB. I believe there are cases when the data of a particular user may be compromised, as against the entire DB. In such cases, these checks will restrict attacks that would otherwise occur, like stored xss attacks as mentioned by stratadox. @ginerjm: I am fetching the data directly into the variables as shown. I don't need the array as the data is displayed as an HTML page immediately after the data validation. I am using the fetch to directly populate the data variables. @stratadox: Yes, that's what I am seeking to avoid by these checks. I have extensively checked the fcheckEmail and html_escape functions. html_escape was provided by Guru Jacques, so can't be wrong. Here's the code for these below for you to verify.

         // to validate the format of an email.
         function fcheckEmail($str)
         {
             $str = filter_var($str, FILTER_VALIDATE_EMAIL);
             return $str;
         }

     I understand the issues with filter_var but my intent here is to check that the data passed by the user is in the valid format.

         function html_escape($raw_input)
         {
             return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
         }

     I think the above stems from the fact that you are assuming that the functions do not do what they say they do. So I have put in the snippet functions for you to see and check if you would like to. hmmm I know about unit testing but yes I have not incorporated that yet. Will revisit that sometime in the near future again. Thanks for the reference to the tools for unit testing. Thanks all !!
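     An added example, not ajoo's code, covering the fetch loop in post 4 and the two helpers in post 7: validation runs on the raw value, escaping runs once at output, and a constructed row carrying stored markup comes out neutralised. handle_row() and the sample rows are assumptions made for the example; fcheckEmail() and html_escape() are as quoted in the thread.

```php
<?php
// Added example, not ajoo's code. fcheckEmail() and html_escape() are the two
// helpers quoted in the thread; handle_row() and the sample rows are constructed.

function fcheckEmail($str)
{
    // filter_var returns the address on success and false on failure.
    return filter_var($str, FILTER_VALIDATE_EMAIL);
}

function html_escape($raw_input)
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validates the raw values, then escapes every field once for HTML output.
// Returns ['ok' => bool, 'errors' => string[], 'html' => string[]].
function handle_row(array $row): array
{
    $errors = [];
    // Validate the raw value: escaping first would hide a false result,
    // because htmlspecialchars(false) is '' rather than false.
    if (fcheckEmail($row['email']) === false) {
        $errors[] = 'email';
    }
    if (!ctype_digit((string) $row['xid'])) {
        $errors[] = 'xid';
    }
    $html = array_map('html_escape', $row);
    return ['ok' => $errors === [], 'errors' => $errors, 'html' => $html];
}

// Constructed stand-in for what the fetch() loop hands back. The second row is
// the stored-XSS case from the thread: markup that got into the table somehow.
$rows = [
    ['fname' => 'Alice', 'lname' => "O'Brien", 'email' => 'alice@example.com', 'xid' => 42],
    ['fname' => '<script>alert(1)</script>', 'lname' => 'Smith', 'email' => 'bob@example.com', 'xid' => 7],
    ['fname' => 'Carol', 'lname' => 'Jones', 'email' => 'not-an-email', 'xid' => 'abc'],
];

foreach ($rows as $row) {
    $r = handle_row($row);
    if (!$r['ok']) {
        // Record and skip the row instead of die(): the rest of the page still renders.
        error_log('row rejected: ' . implode(',', $r['errors']));
        continue;
    }
    printf("<td>%s</td><td>%s</td>\n", $r['html']['fname'], $r['html']['lname']);
}
```

     The second row prints as `&lt;script&gt;alert(1)&lt;/script&gt;`, so the browser shows the text rather than running it, and the third row is logged and skipped because its email and xid fail validation.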
  8. ajoo

    Approve or reject employee leave by admin panel

    Hi ginerjm ! Thanks for the response. Testing each function call within its own if block seems to be very cumbersome and long winded. I was actually wondering if there was something simpler, a better method to check and handle these errors. Thank you.
  9. ajoo

    access.log

    Thanks requinix, Great link that ! Answers quite a few of my queries. Thanks.
  10. ajoo

    access.log

    Hi all ! I am getting the following output in my access.log which looks quite alien to me. Also there seem to be attempts to upload some images to the server. Bank icons !! Do I need to worry about these ? If so, what precautions should I take? Thanks.
  11. ajoo

    access.log

    hmm ok I think I understand it. If our request had produced a 404 error or something like that then we would have assumed that the HEAD query was trying something malicious and that was blocked by the server. Right !? Thanks !
  12. ajoo

    Approve or reject employee leave by admin panel

    Hi, May I ask what would be the most efficient & simplest possible way to handle errors / exceptions in code like the above: for example, say I had a function like checkMail($row_message['email']) which returns false because it's a malformed email, and more such functions to check for, say, numeric values etc. So what would be the simplest way to handle these errors? -- Hope I am not breaking any rules here by asking another, albeit related, question here. Thanks.
  13. ajoo

    access.log

    Hi requinix, yes I did. Great to know that it's safe and I can ignore it. May I request you to kindly explain this code a bit. Like what was the code that we sent and how we figured out from the response that it's ok. Thanks a lot.
  14. ajoo

    access.log

    Hi, Here's what I got and access.log shows: Thanks !
  15. ajoo

    access.log

    yes, so it does ! Hi !! The code outputs : access.log Thanks !
  16. ajoo

    access.log

    Hi requinix, Is this a php script that I need to execute from a php file? Thanks.
  17. ajoo

    access.log

    Hi ! I get this in the access.log and this in the terminal Thanks !
  18. ajoo

    access.log

    Hi requinix, This is what I got on the terminal and this is what I get in the access.log If you would be good enough to say what is the interpretation from this? Safe or Dangerous? And any remedial action necessary ? Thanks loads !
  19. ajoo

    access.log

    Hi requinix, Thanks ! hmm how can I check whether the server responded with my home page? And what should I do to ensure that the server returns a 4xx message instead of the 200? Thanks again !
  20. ajoo

    linearize relationship

    Hi all !! I have the following three data tables :

        mysql> select * from franch;
        +-----+
        | fid |
        +-----+
        |   3 |
        |   5 |
        |   7 |
        +-----+
        3 rows in set (0.00 sec)

        mysql> select * from master;
        +-----+-----+
        | xid | mid |
        +-----+-----+
        |   5 |   4 |
        |   7 |   6 |
        +-----+-----+
        2 rows in set (0.01 sec)

        mysql> select * from admin;
        +-----+-----+
        | xid | aid |
        +-----+-----+
        |   3 |   2 |
        |   4 |   2 |
        +-----+-----+

    These are connected on common fields and I was trying to linearize the relationship between them using this query :

        mysql> SELECT vc.aid, vd.mid as mid, ve.fid as franch
               FROM franch as ve
               LEFT JOIN master as vd ON ve.fid = vd.xid
               LEFT JOIN admin as vc ON vd.mid = vc.xid;

    which gives the following, almost correct, output:

        +------+------+--------+
        | aid  | mid  | franch |
        +------+------+--------+
        | NULL | NULL |      3 |
        |    2 |    4 |      5 |
        | NULL |    6 |      7 |
        +------+------+--------+

    What I want to achieve as output is this (difference HIGHLIGHTED in RED):

        +------+------+--------+
        | aid  | mid  | franch |
        +------+------+--------+
        |    2 | NULL |      3 |
        |    2 |    4 |      5 |
        | NULL |    6 |      7 |
        +------+------+--------+

    In the first row, since there is no corresponding value for mid in the master table, it produces the null value. Here there has to be a way that when such a null value is produced, the franch should check for a corresponding value in the admin table instead. Thanks all for any help on achieving this !!!
  21. ajoo

    linearize relationship

    Hi requinix and Guru Barand ! Thanks for the replies !! @requinix Yes I read your caution. An admin will never be in the master table and vice versa, since each can be either a master or an admin alone. So I guess this approach will safely work. Still I'll add more users to the tables and test it more thoroughly. @ Guru Jacques Thank you for this approach. I'll study it and I am sure it will help me in more than one way, as I have many such queries that you helped me with. I am also sure that this is a more foolproof solution. Not at all Sir. I do make changes to tables and shorten queries so that the problem is clear and easy to follow, but it's never been my intention to obfuscate the queries / code. I am sorry if it seems that way. Maybe you can point out what makes my query obfuscated and I'll try and be more careful about it next time. Thanks loads !!
  22. ajoo

    linearize relationship

    Hi requinix, Works !!!

        SELECT vc.aid, vd.mid as mid, ve.fid as franch
        FROM franch as ve
        LEFT JOIN master as vd ON ve.fid = vd.xid
        LEFT JOIN admin as vc ON vd.mid = vc.xid OR ve.fid = vc.xid;

        +------+------+--------+
        | aid  | mid  | franch |
        +------+------+--------+
        |    2 | NULL |      3 |
        |    2 |    4 |      5 |
        | NULL |    6 |      7 |
        +------+------+--------+
        3 rows in set (0.00 sec)

    Why did I not think of that OR statement there !?? It would be great to learn how it can be achieved using the coalesce command. If you can take some time to show that too. Thanks loads !!
  23. ajoo

    linearize relationship

    Hi requinix, Thanks for the reply. May I please request you to kindly show me how this is done? I have no idea of the coalesce command. I'll just try out the other one. Thanks loads !
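    An added example, not from the thread, for the query in post 22 and the COALESCE question in posts 22 and 23: the three tables from the post are rebuilt in an in-memory SQLite database through PDO, then the OR-join is run next to a COALESCE form that I wrote for this example (not necessarily what requinix had in mind). It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not ajoo's or requinix's code. Tables and rows are the ones
// shown in the thread, rebuilt in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE franch (fid INTEGER)');
$db->exec('CREATE TABLE master (xid INTEGER, mid INTEGER)');
$db->exec('CREATE TABLE admin  (xid INTEGER, aid INTEGER)');
$db->exec('INSERT INTO franch VALUES (3), (5), (7)');
$db->exec('INSERT INTO master VALUES (5, 4), (7, 6)');
$db->exec('INSERT INTO admin  VALUES (3, 2), (4, 2)');

// Version 1: the OR in the second join condition, as posted in the thread.
$orJoin = 'SELECT vc.aid, vd.mid AS mid, ve.fid AS franch
           FROM franch AS ve
           LEFT JOIN master AS vd ON ve.fid = vd.xid
           LEFT JOIN admin  AS vc ON vd.mid = vc.xid OR ve.fid = vc.xid';

// Version 2: COALESCE yields the master id when the first join found one and the
// franchisee id otherwise, and that single value is what admin is joined on.
$coalesceJoin = 'SELECT vc.aid, vd.mid AS mid, ve.fid AS franch
                 FROM franch AS ve
                 LEFT JOIN master AS vd ON ve.fid = vd.xid
                 LEFT JOIN admin  AS vc ON vc.xid = COALESCE(vd.mid, ve.fid)';

// Both forms rely on the assumption stated in the thread: an id is never both a
// master and an admin. If it were, the OR form could return one row per matching admin.
foreach (['OR join' => $orJoin, 'COALESCE join' => $coalesceJoin] as $label => $sql) {
    echo $label, ":\n";
    foreach ($db->query($sql, PDO::FETCH_ASSOC) as $row) {
        printf("  aid=%-4s mid=%-4s franch=%s\n",
            $row['aid'] ?? 'NULL', $row['mid'] ?? 'NULL', $row['franch']);
    }
}
```

    Both queries print the three rows from post 22 (aid 2/NULL/3, 2/4/5, NULL/6/7).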
  24. Hi all ! Is it good practice to have a separate database for a different group of people, say people in a different country? For example, if I run a franchisee business model in different countries, would it be a good thing to have a separate database based on the country? I was thinking of naming the database prepended by country name, like USA_mydatabase, Canada_mydatabase and so on. Would that be ok? What is the best practice in such cases? Thanks all !