appobs

Everything posted by appobs

  1. Edit: I'm just off to look up 'storing a function in a variable', thought I'd post anyway, brb!!

     Hi all, back for more! I'm working on my standard php script, it goes something like:

         bootstrap
         settings
         build page content vars
         HTML5

     So I build a variable like $pageContent then echo it in the HTML bit. Thing is, in trying to make an automated menu, I think two things I'm doing turn out to be at odds with each other.

     The menuer() does: looks in a $dir for files (includes), returns an unordered list with 'query-links' like: ?p=$nameOfIncludeFile

     Page content generator (previous version) does:

         [html before]
         <? if($_GET) { include($dir . $_GET['p']); } ?>
         [html after]

     Building the var first, the IF wouldn't be in the HTML (cleaning up the HTML is largely the point):

         [html before]
         <? echo $pageContent; ?>
         [html after]

     But I don't think I can:
       - Use the contents of the include file to build $pageContent
       - Put a function after $pageContent .=
       - Store an actual function in a variable (otoh, brb)
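An added example (not the poster's code) of the "build the var first" approach from post 1: output buffering captures what the include prints into $pageContent, and because include($dir . $_GET['p']) lets the request name the file, the page name is only accepted when it is one of the files menuer() itself would list. The pages/ directory, the file names and the 'home' default are assumptions.

```php
<?php
// Added example: capture an include into $pageContent instead of echoing it in place.
// Assumes one include file per page under $dir, named like about.php, contact-us.php.
declare(strict_types=1);

// Map the ?p= value to a real file under $dir, or null when it is not one of ours.
function resolvePage(string $dir, string $p): ?string
{
    // Only plain names: letters, digits, hyphens. No slashes, dots or traversal.
    if (!preg_match('/^[a-z0-9-]{1,40}$/i', $p)) {
        return null;
    }
    $real = realpath($dir . '/' . $p . '.php');
    $base = realpath($dir);
    // Belt and braces: the resolved path must still sit inside $dir.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Run the include with output buffering on and hand back what it printed.
function renderPage(string $file): string
{
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// The menu: one ?p= link per include file, same idea as the poster's menuer().
function menuer(string $dir): string
{
    $items = '';
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $name = basename($file, '.php');
        $items .= '<li><a href="?p=' . rawurlencode($name) . '">'
            . htmlspecialchars($name) . '</a></li>';
    }
    return '<ul>' . $items . '</ul>';
}

$dir = __DIR__ . '/pages';                                  // assumed include directory
$p = isset($_GET['p']) ? (string) $_GET['p'] : 'home';      // assumed default page
$file = resolvePage($dir, $p);
$pageContent = $file !== null ? renderPage($file) : '<p>Page not found.</p>';
?>
<!DOCTYPE html>
<html>
<body>
<?php echo menuer($dir); ?>
<?php echo $pageContent; ?>
</body>
</html>
```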
  2. Nice one. Test files set up as below, will throw something similar in my live app in a sec.

     index.php

         <h4>This line HTML in index.php</h4>
         <?php
         include 'config.php';
         include 'tools.php';
         ?>

     config.php and tools.php

         <h4>This line HTML in config.php</h4>
         <?php include 'debug.php'; ?>

         <h4>This line HTML in tools.php</h4>
         <?php include 'debug.php'; ?>

     debug.php

         <h4>This line HTML in debug.php</h4>
         <?php
         // Frame 0 is the file that included debug.php, which is the one we want to name.
         $array = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
         echo basename($array[0]['file']) . ' is loaded<br>';
         ?>
  3. I have this at top of my index page:

         <?php
         $debug = 'off';
         // Constant name must be a string, otherwise PHP treats SCR_PATH as an undefined constant.
         define('SCR_PATH', '/home/buildmyb/scripty');
         // Obligatory config file
         include SCR_PATH . '/config.php';
         // tools
         include SCR_PATH . '/tools.php';
         ?>

     and this debug thing in each file that gets included:

         <?php
         $debug = ''; // initialise it so if anything other than empty, do NOT do the if
         if ($debug === '') {
             echo 'this line is in ' . __FILE__;
             echo '<hr>';
         }
         ?>

     I'd like a single source for the debug thing but, obviously I can't include() it in each include or __FILE__ will show info for that, not the one I want. What do I do?
  4. Yes... the context of my question! It appears I've found out why it doesn't exist, which answers my question, thank you
  5. The question I'm asking fizzles out if I'm loading content using a single point of entry, which I've figured out only very recently. (I have an awful lot of folders lying around containing index.php files!) So if you have a repository of your own scripts/functions etc... Do you keep them outside of public_html?
  6. I just put the following on a page pa($_SERVER); pa(get_defined_constants(true)); (where pa() just does a print_r wrapped in <pre> tags) I'm looking at it now...
  7. Increasingly I'm hardcoding '/home/username/myScriptsDir/script.php' at the start of index.php files to include some 'tools' I use during development. Now I'm getting more use out of functions, I want a library of my own available in the same way, to every site/subdomain/app/whatever on my rented (shared) linux webserver. Why am I finding it so hard to find a var (or constant) for '/home/username'? phpinfo() doesn't show me anything useful. Lots of googling, nothing seems to work on my server (see paste below, not exhaustive, just to show I've been trying).

     I'm trying to get away from:
       - Every site/subdomain/app/whatever gets its own script in its own $_SERVER['DOCUMENT_ROOT']
       - Hardcoding '/home/username/blah/'
       - Non-solutions like ../ when depth varies file to file

     Could do but not ideal:
       - Use php to 'look for' a known path/file outside of public_html
       - The above but, make php write the path it figures out, automated-hardcoding, then delete itself... Seems a little crazy to me...
       - Compare get_current_user to $_SERVER['DOCUMENT_ROOT'] and make a var/constant from there (most reasonable idea so far IMO!)

     Things I just added because I'm looking at it now:
       - Adjust $_SERVER vars using PHP Variables Manager (it's there in my cPanel)
       - Add my own var using PHP Variables Manager or put a php.ini file in there. Given the var isn't already there, I think there might be something bad about this idea

         /* ========== INCLUDES =========== */
         include '~/ti.php';
         include ('~/ti.php');
         include realpath('~/ti.php');

         /* $_SERVER vars that don't work on my server */
         include $_SERVER['HOME'] . '/ti.php';
         include ($_SERVER['HOME']) . '/ti.php';
         include $_SERVER['USER'] . '/ti.php';
         include ($_SERVER['USER']) . '/ti.php';
         include $_SERVER['USR'] . '/ti.php';
         include ($_SERVER['USR']) . '/ti.php';
         echo $_SERVER['HOMEDRIVE'];
         echo $_SERVER['HOMEPATH'];

         /* getenv instead */
         include getenv("home") . '/ti.php';
         include (getenv("home")) . '/ti.php';
         include getenv("user") . '/ti.php';
         include (getenv("user")) . '/ti.php';
         include getenv("usr") . '/ti.php';
         include (getenv("usr")) . '/ti.php';
         include getenv("HOME") . '/ti.php';
         include (getenv("HOME")) . '/ti.php';
         include getenv("USER") . '/ti.php';
         include (getenv("USER")) . '/ti.php';
         include getenv("USR") . '/ti.php';
         include (getenv("USR")) . '/ti.php';

         /* posix stuff */
         include(posix_getuid()) . '/ti.php';
         include (posix_getpwuid(posix_getuid())) . '/ti.php';

         /* =========== ECHOES ============ */
         echo realpath('~/ti.php');

         /* $_SERVER vars that don't work on my server */
         echo $_SERVER['HOME'];
         echo ($_SERVER['HOME']);
         echo $_SERVER['USER'];
         echo ($_SERVER['USER']);
         echo $_SERVER['USR'];
         echo ($_SERVER['USR']);
         echo $_SERVER['HOMEDRIVE'];
         echo $_SERVER['HOMEPATH'];

         /* getenv instead */
         echo getenv("home");
         echo (getenv("home"));
         echo getenv("user");
         echo (getenv("user"));
         echo getenv("usr");
         echo (getenv("usr"));
         echo getenv("HOME");
         echo (getenv("HOME"));
         echo getenv("USER");
         echo (getenv("USER"));
         echo getenv("USR");
         echo (getenv("USR"));

         /* posix stuff */
         echo (posix_getuid());
         echo (posix_getpwuid(posix_getuid()));
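An added example (not the poster's code) for post 7: two ways to find the account's home directory without hardcoding it, falling back from posix_getpwuid() (which returns an array, so its 'dir' element is the part to use, rather than echoing the whole array) to walking up from $_SERVER['DOCUMENT_ROOT'] until a directory containing the library is found. The myScriptsDir name, the ti.php file and the SCR_PATH constant are assumptions.

```php
<?php
// Added example: locate <home>/myScriptsDir from a script anywhere under public_html.
// Assumes the library directory is named myScriptsDir and contains ti.php.
declare(strict_types=1);

// 1. Ask the OS for the home directory of the user PHP runs as.
//    On shared hosts PHP may run as a different user than the account owner,
//    and the posix extension may be disabled, so null is a normal outcome.
function homeFromPosix(): ?string
{
    if (!function_exists('posix_getpwuid') || !function_exists('posix_geteuid')) {
        return null;
    }
    $pw = posix_getpwuid(posix_geteuid());
    return (is_array($pw) && isset($pw['dir'])) ? $pw['dir'] : null;
}

// 2. Derive it from DOCUMENT_ROOT, e.g. '/home/username/public_html/site' -> '/home/username',
//    by walking upwards until a directory holding $marker is found.
function homeFromDocumentRoot(string $docRoot, string $marker = 'myScriptsDir'): ?string
{
    $dir = rtrim($docRoot, '/');
    while ($dir !== '' && $dir !== '/') {
        if (is_dir($dir . '/' . $marker)) {
            return $dir;
        }
        $dir = dirname($dir);
    }
    return null;
}

// Combine both: posix first, DOCUMENT_ROOT as the fallback.
function libraryDir(): string
{
    $home = homeFromPosix() ?? homeFromDocumentRoot($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($home === null || !is_dir($home . '/myScriptsDir')) {
        throw new RuntimeException('Cannot locate the account library directory');
    }
    return $home . '/myScriptsDir';
}

// Every index.php then needs only these lines, with no '/home/username' in them.
if (!defined('SCR_PATH')) {
    define('SCR_PATH', libraryDir());
}
require_once SCR_PATH . '/ti.php';
```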
  8. So similarly, this JS is bad also? It appears JS has necessary restrictions on stuff similar to include or get_file_contents. I'm writing a CV for view in browser, trying to keep it in one file. base64 images is handy for coloured bullet points, JS is new to me but also very useful for this purpose. (forget what's IN the code, just the fact that JS is writing the whole thing similar to the original question)

         document.write("<link href=\"css/1-bare-minimum.css\" rel=\"stylesheet\" type=\"text/css\" /> \
         <link href=\"css/devBorders0.css\" id=\"devBorderStylesheet\" rel=\"stylesheet\" type=\"text/css\" /> \
         <div class=\"theDeveloperArea\" style=\"background: #f4fef4; border: 1px solid green\"> \
         \
         <span>devBorders: </span> \
         <a href=\"#\" onclick=\"devBorders('css/devBorders1.css');return false;\" >ON</a> \
         <a href=\"#\" onclick=\"devBorders('');return false;\" >OFF</a> \
         \
         <a style=\"float:right;\" href=\"http://validator.w3.org/check?uri=referer\">HTML</a> \
         <a style=\"float:right; margin-right: 3px;\" href=\"http://jigsaw.w3.org/css-validator/check/referer\">CSS</a> \
         <br /> \
         \
         <a href=\"#\" onclick=\"swapStylesheet2('');return false;\" >0 - No stylesheet</a> \
         <a href=\"#\" onclick=\"swapStylesheet2('css/1-bare-minimum.css');return false;\" >1-bare-minimum.css</a> \
         <a href=\"#\" onclick=\"swapStylesheet2('css/2-cv5-style.css');return false;\" >2-cv5-style.css</a> \
         <br /> \
         \
         <span>Note: No cross-browser testing yet!</span> \
         </div>");
  9. Ah yes, I am using exactly the same script in all index.php files.

         <?php
         include $_SERVER['DOCUMENT_ROOT'] . "/inc/structure/decs.php";
         include $dRoot . "inc/structure/opener.php";
         include "content.php";
         include $dRoot . "inc/structure/closer.php";
         ?>

     decs.php starts with doctype then defines $dRoot so I have shorthand for $_SERVER['DOCUMENT_ROOT']. I also put my during-development tools in there temporarily and I've added the error_reporting bit (in your sig). I'm thinking of renaming it to config.php. Does that sound sensible & any further suggestions?

     Edit - just realised they should probably be require_once rather than include
  10. What I'm doing now is a single page thing but I'd usually have, in each index.php file, only ONE include for content unique to that page, preceded by one named opener.php and followed by one named closer.php. opener.php has everything that appears before the content unique to that page, closer.php has everything that comes after it. So I'm using php to include content in the index.php files AND using php to include all the stuff that makes up the rest of the page structure. The question of whether the 2nd example is OK came up just because I had to put like 8 includes one after the other. I kinda like that the 2nd example is not so good, it makes for tidy html when view source in browser.
  11. Interesting... I think I am using php to help me standardise my html which might be a template engine. Thinking of it like that might help me a lot, thank you.
  12. Are either of these OK depending on circumstance or stupid things I should never do? Is one or the other sensible/idiotic? Is there an obvious 'better' way? I think all the php tags opening and closing within the DIVs is untidy but it's static HTML therefore if there's a LOT of it it's easier on the server right/wrong? On the other hand, maybe all the open/close of php tags defeats the object. I'm applying for a web design apprenticeship (I know, I need one) so I'm trying to appear less stupid as much as make nice php. Many thanks in advance, I know I'll end up better off by asking here

         <?php
         // php in here
         ?>
         <div class='content header'>
         <?php include("includes/header.php"); ?>
         </div>
         <div class='content content1'>
         <?php include("includes/intro.php"); ?>
         </div>
         <div class='content content2'>
         <?php include("includes/quals.php"); ?>
         </div>
         <div class='content content3'>
         <?php include("includes/experience.php"); ?>
         </div>
         <div class='content content4'>
         <?php include("includes/hobbies-and-interests.php"); ?>
         </div>
         <?php
         // More php here
         ?>

      Or this one:

         <?php
         print("<div class='content header'>");
         include("includes/header.php");
         print("</div> \r\n <div class='content content1'>");
         include("includes/intro.php");
         print("</div> \r\n <div class='content content2'>");
         include("includes/quals.php");
         print("</div> \r\n <div class='content content3'>");
         include("includes/experience.php");
         print("</div> \r\n <div class='content content4'>");
         include("includes/hobbies-and-interests.php");
         print("</div> \r\n");
         ?>

      (attachment: test.zip)
  13. Yep, seen it happen. The website owner does it regularly, ignoring the "annoying popup" (autosuggest - which incidentally goes away the moment you stray from the CORRECT spelling of the email - counter to positive reinforcement!). (I find it far-fetched too!) Another percent chance of catching a mistake and, more importantly, demonstration of thoroughness to the client. Is there a chance of a genuine domain failing this check? If not I can use it but if it *might* cause a prob, I can't. On balance, so far a combination of requiring email entered twice and telling the user to expect a confirmation email is worth implementing as it's not against user expectations and doesn't actually disallow anything so can't make things worse. DNS check *can* exclude stuff so adds risk of that. Fakes don't matter here. The website owner loses nothing from someone deliberately submitting a fake and anyone using this form *does* actually want to get in touch. Also, I prefer not to restrict the user - if they WANT to give a fake and it doesn't break the system in some way, why second guess their motivations? I've done it myself - want to tell someone something but don't want a response...
  14. Edit: If I use checkdnsrr, will that be reliable or wrongly reject user submissions?
  15. Hmmm... email addresses do in fact suck... I thought I'd send a confirmation message containing the email they entered - so they have another chance to spot any mistake - also containing the message they sent - so it doesn't look like I'm second guessing them on knowing their own email address.............. Clever............. Then I saw the mistake in that! Maybe I do need a field for "your email address again". Irritating as it is, it's not against user expectations. Since this is a contact form, not a signup I don't think asking user to click a verification in an email before their message is actually sent is in order... Unless it's a lie and the message is sent anyway... Suppose ultimately it's about what seems more thorough and professional.
  16. I'll be working on this contact form later on tonight so I'll try the php validator. What about this one, purely for warning the user they copy/pasted the wrong data in the email from box: ^\S+@\S+$ Allows gmail addys with + sign which the previous one didn't. I'm still tempted to restrict string length. I'm wondering now if there's any point validating user input email addresses at all for a contact form. Signups need proper user/email verification so this kind of validation's pointless there too. In any case, now I know learning from other people's regexes can help with syntax but not necessarily good practice! And I have a good builder/tester now that educates me and covers PCRE, JS & Python. NB: This was the 'monstrous' one I read about before. Generated by a Perl script. Thanks everyone
  17. Yeah I know, since regex was used in the contact form I'm adapting it seems the right time to learn a bit about it. Doesn't the php email address validator have flaws? Maybe there's a newer one or maybe those flaws just don't matter. I've read so much waffle about email address validation, not sure where I am with it anymore. Certainly don't want to use something as far outside my understanding as a certain monstrous RFC regex I've seen.
  18. Tested with some invalid strings but not enough obviously! So characters that do not have a special meaning in regex don't need the backslash to be literal but even . is literal without the backslash if it's contained within [ ] ?? I'd love to get some handle on regex. This is the regex that came with the original version of the contact form I've been adapting:

         /^([a-zA-Z0-9])+([a-zA-Z0-9._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9._-]+)+$/

      Are ._- and ._- literal because they're inside [ ]?
  19. For a very 'loose' email address validator, does the following regex need the backslash before the dot? ^\S+@\S+\.\S+$ (Checks for anything@anything.anything but I'm gonna change that to anything.anything to make it even 'looser') I tested with and without the backslash using rubular.com and it seems superfluous but I'd like a second opinion or two please. ALSO: does rubular.com use the right engine to be correct for php? I hope so coz it's the first time I've been able to fully understand some regexes I've been blindly implementing for some time! Many thanks in advance
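An added example (not the poster's code) covering posts 19, 18, 16 and 14 together: the loose regex with and without the backslash before the dot, the contact form's original regex and PHP's filter_var() run over a few constructed addresses, plus the checkdnsrr() domain check kept behind a separate function because it needs network access. The sample addresses are made up.

```php
<?php
// Added example: compare the email checks discussed in the thread on constructed input.
declare(strict_types=1);

// The backslash before the dot is needed: a bare . matches any character, so
// '^\S+@\S+.\S+$' would also accept 'user@abcd' (the . eats one of the letters).
const LOOSE       = '/^\S+@\S+\.\S+$/';
const LOOSE_NODOT = '/^\S+@\S+$/';   // even looser: no dot required after the @
// The contact form's original regex. Inside [ ] the dot, underscore and hyphen are
// literal. Note the nested ([...]+)+ at the end: on long input that fails to
// match it can backtrack heavily, which is why preg_match() may return false.
const ORIGINAL = '/^([a-zA-Z0-9])+([a-zA-Z0-9._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9._-]+)+$/';

function checkWithRegex(string $pattern, string $address): bool
{
    // preg_match() returns 1 on match, 0 on no match and false on a PCRE error
    // (backtrack limit hit, bad pattern); treat anything but 1 as "not valid".
    return preg_match($pattern, $address) === 1;
}

function checkWithFilter(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Answer to post 14: a domain with no MX record can still receive mail on its
// A record, so rejecting on a missing MX alone would wrongly refuse some addresses.
function domainAcceptsMail(string $address): bool
{
    $at = strrpos($address, '@');
    if ($at === false) {
        return false;
    }
    $domain = substr($address, $at + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

$samples = [                       // constructed sample addresses
    'user@example.com',
    'user+tag@gmail.com',          // the + the original regex rejects
    'first.last@sub.example.co.uk',
    'a@b',                         // no dot after the @
    'no-at-sign.example.com',
    'two@@example.com',            // \S also matches @, so the loose patterns accept it
];

printf("%-30s %-6s %-6s %-9s %s\n", 'address', 'loose', 'nodot', 'original', 'filter_var');
foreach ($samples as $s) {
    printf("%-30s %-6s %-6s %-9s %s\n", $s,
        checkWithRegex(LOOSE, $s) ? 'yes' : 'no',
        checkWithRegex(LOOSE_NODOT, $s) ? 'yes' : 'no',
        checkWithRegex(ORIGINAL, $s) ? 'yes' : 'no',
        checkWithFilter($s) ? 'yes' : 'no');
}
```

Rubular runs Ruby's regex engine rather than PHP's PCRE; the patterns above are simple enough to behave the same in both, but the final word is preg_match() on your own server, which is what this script runs.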
  20. The point is there is NO data being passed in by the user - I was making a UI thing to try out creating and deleting files and dirs and was tidying up my code when I realised the value in the form inputs was redundant. So I took them out, I even took out the attribute itself so:

         <input type="hidden" name="test1" value=''></form>

      Becomes:

         <input type="hidden" name="test1"></form>

      Not a vast difference but it brought up a question - I wanted a final answer on what is or isn't a "security risk". Sounds like you have to make a program that actually allows bad stuff to happen. I've assumed in the past that there are what people call "vulnerabilities" waiting to happen in systems such as HTML, java, javascript, php, databases and the programs end users use to interact with them. I still think some of them do have vulnerabilities waiting to happen but that's what all the Java updates are about right? HTML can't cause "security problems" though - it doesn't "do" anything. Are those two points correct? It sounds like a programmer has to actually do something stupid (like allowing an end user to insert bcc into a contact form or something into a database ala little Bobby Tables). My concern is that I've been learning tutorial-programming which leaves out a lot of important real-world stuff... Who really uses "or die()" ?? Seems pretty useless to me - you'd always do something 'better' like send the user to an actual page or something - what's it REALLY for? But Tuts spatter it about all over the place, so do many scripts you get 'for free' on the internet. It seems I've been assuming there's more mystery to "security vulnerability" than there actually is.

      Anyway - my code - This is what I've been doing:

         <?php
         $uRoot = "/home/username";
         // Folder should have a convoluted name so unlikely to accidentally delete important other stuff
         $folder = "folderWithNameUnlikelyToEverBeRepeated31Bd46";
         ?>

         <!-- Reset and Test button -->
         <button onclick="location.href=''">reset - onclick</button>
         <form action="" method="post" id="formTest">
         <input type="hidden" name="test1"></form>
         <button form="formTest">Test 1</button>
         <?php isset($_POST['test1']) ? print "Test 1 button has been pressed!" : print 'Test 1 button not yet pressed'; ?>
         <hr>

         <!-- NOW THE "MAKE/DELETE FOLDER USING BUTTONS" THING!
         =======================================================
         some examples: http://davidwalsh.name/basic-php-file-handling-create-open-read-write-append-close-delete -->

         <!-- MAKE THE FOLDER -->
         <form action="" method="post" id="makeFolder">
         <input type="hidden" name="makeFo"></form>
         <button form="makeFolder">make the unlikely-name folder</button>
         <?php isset($_POST['makeFo']) ? mkdir($folder) : print ''; ?>

         <!-- REMOVE THE FOLDER -->
         <form action="" method="post" id="removeFolder">
         <input type="hidden" name="removeFo"></form>
         <button form="removeFolder">remove the folder</button>
         <?php isset($_POST['removeFo']) ? rmdir($folder) : print ''; ?>

         <!-- MAKE A FILE IN THE FOLDER -->
         <form action="" method="post" id="makeFile">
         <input type="hidden" name="makeFi"></form>
         <button form="makeFile">make a file in the folder</button>
         <?php isset($_POST['makeFi']) ? fclose(fopen($folder . '/file.txt', 'w')) : print ''; ?>

         <!-- UNLINK ALL FILES IN THE FOLDER -->
         <form action="" method="post" id="unlinkFilesInFolder">
         <input type="hidden" name="unlinkFis"></form>
         <button form="unlinkFilesInFolder">unlink the file(s)</button>
         <?php
         if (isset($_POST['unlinkFis'])) {
             $files = glob($folder . "/*.txt"); // Leave just .txt for safety
             foreach ($files as $file) {
                 unlink($file);
             }
         }
         ?>
         <br>
         <?php
         is_dir($folder) ? print "Folder exists<br>" : print "Folder isn't there<br>";
         file_exists($folder . '/file.txt') ? print "File exists<br>" : print "File isn't there<br>";
         ?>
  21. What a warm and helpful welcome. Lemme ask the question more better this time now I've had longer to think about it: "If you don't connect a form to anything (e.g. a database) is there anything malicious a user could do with a form input? Is an otherwise completely innocent HTML form a potential 'way in' for an attacker?" As I said, after some thought, I can't imagine there is - HTML itself would have to have a vulnerability which I don't think is possible because it just doesn't "do" very much.
  22. I read ages ago (and checked to see if it's true, it was and given how it works, it must still be) the end user can alter the value of any form field, using Firebug or similar, before submitting it. Two things I've figured out today: 1) a form input doesn't need a value - doesn't even need the attribute - if you're only checking whether the POST var isset and the actual value isn't important 2) Although it appears not to matter in the example I'm working on now, if the script doesn't check what the value is, and potentially sanitise it, the user could submit the form with any value, true, false, malicious, idk... So my question is: is this one of the ways malicious bad things can happen and do I *have to* specify a value, not because the script won't work without it, it does, but because in the real world it opens a security door if I don't check for malicious script by saying "if value not as expected, script has to die". Having formulated the question properly and thought about it I can't imagine simply making a form, without obvious connections to anything important, could be a problem in the way I'm asking about but I asked it now so
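An added example (not the poster's code) for posts 22 and 20: the make/remove folder page rewritten so that the submitted value is compared against the actions the script expects rather than only tested with isset(), and so that the only path ever touched is fixed in code. The folder name is taken from the poster's script; the 'action' field name and the response messages are assumptions.

```php
<?php
// Added example: treat every POST value as untrusted, act only on expected values.
declare(strict_types=1);

// Fixed in code; the request never supplies a path.
const WORK_DIR = __DIR__ . '/folderWithNameUnlikelyToEverBeRepeated31Bd46';
// The only values the form is supposed to send.
const ACTIONS = ['makeFo', 'removeFo', 'makeFi', 'unlinkFis'];

// Returns the action if it is exactly one of ACTIONS, otherwise null.
// A value edited in the browser's dev tools, or sent by some other client, ends up null.
function expectedAction(array $post): ?string
{
    $value = $post['action'] ?? null;
    return (is_string($value) && in_array($value, ACTIONS, true)) ? $value : null;
}

// True only if the resolved path still lies inside WORK_DIR.
function insideWorkDir(string $path): bool
{
    $real = realpath($path);
    $base = realpath(WORK_DIR);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Performs one expected action and reports what happened.
function handle(?string $action): string
{
    if ($action === null) {
        return 'nothing done: no expected action in the request';   // "not as expected": stop here
    }
    switch ($action) {
        case 'makeFo':
            return (is_dir(WORK_DIR) || mkdir(WORK_DIR, 0750)) ? 'folder made' : 'mkdir failed';
        case 'removeFo':
            return (is_dir(WORK_DIR) && rmdir(WORK_DIR)) ? 'folder removed' : 'rmdir failed';
        case 'makeFi':
            return (is_dir(WORK_DIR) && touch(WORK_DIR . '/file.txt')) ? 'file made' : 'touch failed';
        default: // 'unlinkFis'
            $n = 0;
            foreach (glob(WORK_DIR . '/*.txt') ?: [] as $file) {
                if (insideWorkDir($file) && unlink($file)) {
                    $n++;
                }
            }
            return $n . ' file(s) unlinked';
    }
}

$message = handle(expectedAction($_POST));
?>
<form action="" method="post">
<?php foreach (ACTIONS as $a): ?>
  <button name="action" value="<?php echo htmlspecialchars($a); ?>"><?php echo htmlspecialchars($a); ?></button>
<?php endforeach; ?>
</form>
<p><?php echo htmlspecialchars($message); ?></p>
```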
  23. Hi all, Php and web development wannabe, started HTML in about 2006 for my ebay listings, CSS came shortly after but it wasn't until maybe 2009 when I used my first 'someone-else's-php-script' to implement a dynamic breadcrumb. Although I have trouble reading volumes of text, a lot of discussions on code draw me in. I end up taking in a lot but in a totally non-structured way. After lots of googling, reading and some more practice of putting 'other-people's-php' into action I found I understood that breadcrumb... Sort of. I merrily tore out over half the code and refactored using ternary operators - I can't see why people remove those to increase readability?? OFC I lost every hint of error management! Now I've heard of error management I try to envisage what might go wrong and print messages to screen if "something unexpected happened". So I've been bumbling along solving problems for specific tasks and asking a lot of questions - But I've never joined a php forum! Formulating a question that's not embarrassing to ask, usually ends with me answering my own question and when I do want to put something out there, I'd rather fill up Yahoo Answers (A few very good and very generous users on there!) with my gibberish than contaminate someone's proper, serious, scripting forum. So anyway, I had a question to ask earlier, YA seems to be running out of steam and I only half answered it myself so here I am... Hi!