redbullmarky (Staff Alumni, 2,863 posts)

Everything posted by redbullmarky
-
possibly:

$result = preg_match('/([0-9]{4})/', $input, $matches);

however it wouldn't determine if the number is at least 100...

edit: added boundaries, as it would otherwise find ANY group of 4 numbers:

$result = preg_match('/^([0-9]{4})$/', $input, $matches);
-
what have you tried? as long as the file has a .php extension, you can include it if you need to - just enclose the include statement in <?php ?> tags
-
would the addition of is_numeric() help?

edit: beaten to it
-
Sanitizing GET or POST, and preventing XSS
redbullmarky replied to leesiulung's topic in PHP Coding Help
well, mysql_real_escape_string throws a wobbly if no connection exists, so you could probably trap the error? (not sure, haven't tried it but...)

<?php
function myEscape($string)
{
    // undo magic quotes if they're on...
    $string = get_magic_quotes_gpc() ? stripslashes($string) : $string;

    // NOW escape the string; mysql_real_escape_string() returns false (and
    // raises a warning, suppressed here with @) when no connection is open
    if (($return = @mysql_real_escape_string($string)) !== false) {
        return $return;
    } else {
        // fallback when there is no connection to escape against
        return addslashes($string);
    }
}
?>
[SOLVED] Problems Deleting Array Element
redbullmarky replied to stevesimo's topic in PHP Coding Help
haha no worries
Sanitizing GET or POST, and preventing XSS
redbullmarky replied to leesiulung's topic in PHP Coding Help
IMO, there are only 2 places to "treat" data:

1. when performing a DB query (in which case mysql_real_escape_string does the job)
2. when outputting data to the screen / prefilling a form (in which case htmlspecialchars does the trick).

effectively, to me, it means that whilst 'stripslashes' is still useful sometimes (when undoing the mess that magic_quotes_gpc causes), there are absolutely no requirements at all for addslashes. Having said that though, I only use mysql, but I do believe that the other types of DB have their own *_escape_string functions if they're required by that type of DB...

addslashes -> bin it
[SOLVED] Problems Deleting Array Element
redbullmarky replied to stevesimo's topic in PHP Coding Help
doing this:

foreach ($items as $item)

effectively creates a new variable called $item each time. the new var has nothing to do with the original array. what you need is to unset the item from the actual array, so:

<?php
foreach ($items as $key => $item) {
    if ($_GET['id'] == $item) {
        // remove the matching element from the real array, not the copy
        unset($items[$key]);
        break;
    }
}
?>

unrelated: unless there's any reason other than to make sure only one item is deleted, you can avoid using count with 'break'. doesn't work any different, but just a little tidier
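As an added example that is not part of the thread, the copy semantics the reply describes, plus the unset-by-key removal and a generalisation that removes every match. It assumes PHP 7.4+ (arrow functions), constructs the array and the requested id inline instead of reading $_GET, and uses strict comparison (===) where the reply uses ==.

```php
<?php
// Added example (not from the thread): why assigning to the loop variable
// does nothing, and two ways that do remove an element. Assumptions: PHP 7.4+,
// and $items / $id are constructed here instead of coming from $_GET, so the
// script runs on the command line.
declare(strict_types=1);

$items = ['apple', 'banana', 'cherry', 'banana'];
$id    = 'banana';

// 1. The loop variable is a copy; changing it leaves $items untouched.
foreach ($items as $item) {
    if ($item === $id) {
        $item = null; // modifies the copy only
    }
}
assert($items === ['apple', 'banana', 'cherry', 'banana']);

// 2. Unset by key, as in the reply above: removes the first match and stops.
//    Note the numeric keys now have a gap (0, 2, 3).
function removeFirst(array $items, string $id): array
{
    foreach ($items as $key => $item) {
        if ($item === $id) {
            unset($items[$key]);
            break;
        }
    }
    return $items;
}
assert(removeFirst($items, $id) === [0 => 'apple', 2 => 'cherry', 3 => 'banana']);

// 3. Generalisation: drop every match and renumber the keys so the result is
//    a clean list again (array_filter keeps keys, array_values reindexes).
function removeAll(array $items, string $id): array
{
    return array_values(array_filter($items, fn($item) => $item !== $id));
}
assert(removeAll($items, $id) === ['apple', 'cherry']);

print_r(removeFirst($items, $id));
print_r(removeAll($items, $id));
```

If the array is later serialised to JSON, the key gap from unset() matters: a list with a hole becomes a JSON object rather than an array, which is why the reindexing variant is usually the one to use.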
Sanitizing GET or POST, and preventing XSS
redbullmarky replied to leesiulung's topic in PHP Coding Help
as for the opposite, the actual escape sequences (i.e., the \) don't actually go into the database, so on retrieval the data is fine - as long as you didn't escape the escapes (i.e., \\) by misusing mysql_real_escape_string (or addslashes). the only thing to really do then to make it safe for the screen or a form is to run it through htmlspecialchars(), which is useful for situations where you want to allow tags like < script >, etc., but you don't want them to be "active" (which also helps to produce valid HTML)
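As an added example that is not part of the original thread, the two treatment points from the posts above (escaping at the DB query, and htmlspecialchars() at the output/form-prefill point) written in current PHP. It assumes PDO with the SQLite driver is available and uses an in-memory database in place of the MySQL connection the thread uses; a prepared statement stands in for mysql_real_escape_string(), which no longer exists in PHP 7+. The input string is constructed.

```php
<?php
// Added example, not redbullmarky's code: the two "treat" points from the
// posts above (the DB query, and output to screen/form), shown with current
// PHP. Assumption: PDO with the sqlite driver is available, so an in-memory
// database stands in for the MySQL connection the thread talks about.
declare(strict_types=1);

// Constructed input: legitimate text (an apostrophe, angle brackets) that is
// dangerous only if it is pasted into SQL or into HTML without treatment.
$userInput = "Bob's <script>alert('xss')</script> party";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Place 1: the database boundary. A prepared statement sends the value
// separately from the SQL text, so the apostrophe cannot close the string
// literal. This is the modern equivalent of mysql_real_escape_string() and,
// unlike escaping, does not depend on the connection's character set.
$insert = $db->prepare('INSERT INTO events (title) VALUES (:title)');
$insert->execute([':title' => $userInput]);

// Retrieval: no backslashes were stored, exactly as the post says; the text
// comes back as entered, so no stripslashes() is needed on the way out.
$stored = $db->query('SELECT title FROM events')->fetchColumn();
assert($stored === $userInput);

// Place 2: the output boundary. Encode for HTML at the moment of output.
function h(string $s): string
{
    // ENT_QUOTES encodes ' as well as ", so the value is also safe inside a
    // single- or double-quoted attribute when prefilling a form field.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// On screen: the <script> tag is rendered as visible text, not executed.
echo '<p>' . h($stored) . "</p>\n";
// Prefilling a form: the apostrophe cannot break out of the value attribute.
echo '<input type="text" name="title" value="' . h($stored) . "\">\n";

// Neither a raw < nor a raw ' survives the output encoding.
assert(strpos(h($stored), '<') === false && strpos(h($stored), "'") === false);
```

The split matches the post: the database layer never sees escaped-for-HTML text and the template never sees SQL-escaped text, so each boundary does exactly one job and the stored value stays exactly what the user typed.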
Sanitizing GET or POST, and preventing XSS
redbullmarky replied to leesiulung's topic in PHP Coding Help
just to clear up on something I've been reading up on. mysql_real_escape_string vs addslashes - there are differences and some things that addslashes won't take care of. you should try and use mysql_real_escape_string in every situation. so to tweak frost's function a bit:

<?php
function myEscape($string)
{
    // undo magic quotes if they're on...
    $string = get_magic_quotes_gpc() ? stripslashes($string) : $string;

    // NOW escape the string (needs an open mysql connection)
    return mysql_real_escape_string($string);
}
?>
good question - doing a bit of digging, mssql uses a different method for escaping strings. looking through one of the DB libs I've got, and also in the php manual notes for addslashes, it seems you just need to double up your quotes. I adapted an example function on php.net with some extra code from CakePHP:

<?php
function mssql_addslashes($data)
{
    // MSSQL/ODBC style: an apostrophe inside a string literal is written as ''
    $data = str_replace("'", "''", $data);

    // undo magic quotes if they're on, so we don't ship the backslashes
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }

    return $data;
}
?>

give it a blast and see how it does

edit: whoops, ignore that, I'm not reading the post properly - you're on ODBC...

edit 2: actually, give it a blast anyway - reading the notes on odbc_exec, it seems that one solution IS to double up your apostrophes. have a look at the user contributed notes: odbc_exec
-
I never use the URL in my hyperlinks unless it's linking externally. It has been known for me to change domain names for a project, and I'm not a fan of either using php to insert the domain (I tend to keep my HTML pages as HTML as possible) or search+replace+re-upload in the event of changing the domain name (or going from a testing server to a proper one). I dislike syntax such as ./somewhere/test.php or ../somewhereelse/test2.php, so I always start my links off with a / so they're all relative to the web root.
-
danger being that javascript can be turned off. personally I prefer server side validation as it's just more thorough. if you want to strip out chars you don't want, then you can do it in one swipe:

<?php
// clean out unwanted chars - optional.
// this removes everything bar letters, numbers, space and apostrophe
$Event_Title = preg_replace("/[^A-Z0-9\ \']/i", "", $_POST['Event_Title']);

// escape the data anyway - not really optional!
$Event_Title = mysql_real_escape_string($Event_Title);
?>
-
you need to escape the data first. if you know what data you're expecting, then you can use preg_replace() or similar to remove unwanted characters altogether, or you can escape them before putting them in the DB (or both, but DEFINITELY the latter, considering the ' can be both harmful AND legitimate so you don't wanna just get rid of it):

<?php
$Event_Title = mysql_real_escape_string($_POST['Event_Title']);
... etc ...
?>

see mysql_real_escape_string() for more info
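As an added example that is not part of the thread, the server-side validation step from the two replies above, shown as a step separate from escaping: the same letters/digits/space/apostrophe allowlist applied two ways, stripping (as in the reply) and rejecting with a null result. The sample inputs are constructed rather than read from $_POST; escaping or binding at the DB boundary is still required afterwards, as the reply says.

```php
<?php
// Added example (not from the thread): server-side validation as a separate
// step from escaping. Two treatments of the same allowlist: strip the
// unwanted characters (as in the reply above) or reject the whole input and
// tell the user why. Inputs are constructed here rather than read from $_POST.
// Whatever passes still gets escaped/bound at the DB query - validation is
// not a substitute for that.
declare(strict_types=1);

// Allowlist from the thread: letters, digits, space and apostrophe, 1-100 chars.
// \z rather than $ so a trailing newline cannot sneak past the check.
const TITLE_ALLOWED = "/^[A-Z0-9 ']{1,100}\\z/i";

// Approach 1: silently drop everything outside the allowlist.
function stripTitle(string $title): string
{
    return preg_replace("/[^A-Z0-9 ']/i", '', $title);
}

// Approach 2: accept only input that already matches; return null otherwise.
// Rejecting is usually preferable: "<b>Party</b>" quietly becoming "bPartyb"
// is a surprising result, and the user is better served by an error message.
function validateTitle(string $title): ?string
{
    return preg_match(TITLE_ALLOWED, $title) === 1 ? $title : null;
}

// Constructed test inputs.
$samples = [
    "Bob's party",   // legitimate apostrophe, must be kept
    "<b>Party</b>",  // markup the form should not accept
    "Fish & Chips",  // harmless, but outside the allowlist
];

foreach ($samples as $s) {
    printf("%-16s strip=%-16s validate=%s\n",
        var_export($s, true),
        var_export(stripTitle($s), true),
        var_export(validateTitle($s), true));
}

assert(stripTitle("Bob's party") === "Bob's party");
assert(stripTitle("<b>Party</b>") === 'bPartyb');
assert(stripTitle("Fish & Chips") === 'Fish  Chips');
assert(validateTitle("Bob's party") === "Bob's party");
assert(validateTitle("<b>Party</b>") === null);
assert(validateTitle("Fish & Chips") === null);
```

The "Fish & Chips" case is the one to watch when choosing between the two: stripping turns a reasonable title into something the user did not type, whereas rejecting lets the form report the problem and the allowlist can be widened deliberately if the ampersand should be permitted.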
-
[SOLVED] PHP date conversion to readable format
redbullmarky replied to andretanguy's topic in PHP Coding Help
take a look at strtotime() for converting the date into a timestamp, and then date() or strftime() for formatting the date to taste.

edit: beat me to it
diffrent way of accessing variables globally
redbullmarky replied to jimmo's topic in Application Design
have a look here for one possibility: http://www.phpfreaks.com/forums/index.php/topic,139997.15.html
Just in case you ladies and gents fancy a trip here to the UK, Google Maps has put some nice directions up for you. Simply follow these steps... (I found this in my email inbox this morning)
-
it'd be nice if the form auto-populated in the event of an error (I filled stuff in the fields but left the image verification out). It's quite a long form to fill in, only to have to fill it in again if you mess up...
-
php, mysql, and social networking/commercial site
redbullmarky replied to g2g's topic in Application Design
it's a tall order if you've not got the PHP basics down. I've been at php for a fair while now and reckon I am pretty competent, yet I must say that a social networky type site I did recently was more than a challenge for me. Take a look at this one: http://www.phpizabi.net - even if you don't use it, you can probably learn a lot from it. good luck!
it means you've tried to use a constant (a variable that doesn't/can't be changed throughout) that hasn't been 'defined'.

<?php
echo HELLO_MESSAGE; // will throw notice

define('HELLO_MESSAGE', 'hello world!');
echo HELLO_MESSAGE; // works fine as it's now been defined
?>

due to the specific constant undefined here (CURLOPT_GETFIELDS), I'd hazard a guess that you do not have cURL installed
-
as I'm generous:

catdoc: http://www.45.free.net/~vitus/software/catdoc/
antiword: http://www.winfield.demon.nl/
-
the method I use is very similar to what jitesh mentions. without knowing the exact file format's structure, it's very hit and miss - if it's important to keep the formatting intact, then you're going to struggle a bit unless you're prepared to get down and dirty and do some serious homework. in addition to jitesh's code, put this line:

$header = fread($handle, 2560);

just before the $contents = fread() line, which will read off the first 2560 bytes (which is essentially the header and useless without knowing what to do with it...). what you're left with then (in $contents) is the plain text with various formatting characters (i.e., the 'Junk' you mention). a series of str_replace / preg_replace will deal with these. there are programs such as antiword / catdoc, etc. you can google for (both free) which will take the headache out of it, but like I say - if you want it to appear in your browser as it would in MS Word itself, then you'd need a plugin for your browser, rather than anything specifically PHP
-
"It does not work" doesn't really help us much - if you get errors, please explain what they are.
-
without wanting to veer off topic too much, I just HAVE to say - wow. Your border controls are much tighter than ours. Anyone that knows what "Liverpool FC" or "Man Utd" are gets through our gates - not only that, but they get a house, benefits and virtual citizenship too!

on topic though. Web dev doesn't seem too well paid here comparatively. As a recruitment consultant (which you can be without qualification and minimal training) I could turn over about £36-40K (~$70-80k) with my eyes closed. in a full time post as a webdev, salaries are much lower - £20-30k (~$40-60k), which doesn't sound too bad, but considering the cost of living over here, coupled with interest rates, blah blah blah, you soon feel the kick in the bollocks.

I tend to find that freelance jobs pay more. there's less liability for the company as they're not committing long term to a fixed, high salary - they use you, you do the work, they get rid of you. Not just this industry, but any - always the freelance work. Only downside of freelance is the risk factor of not being guaranteed income (problem when you get around to mortgages/loans, etc.).
-
obsidian, if I'm correct, I think darkwinter posted an accidental typo rather than what he meant, as his code cleared up:

if ($payee === 'USA'); { }

vs

if ($payee === 'USA') { }

the first will terminate after the semicolon, and execute the contents between the braces anyway. the second will only conditionally execute the contents between the braces.
-
igor - unless you can come up with some definitive proof, watch your attitude towards others. neither you, I, suttercain nor whoever decides to reply to this topic are the software police - and if there's a case of improper/illegal use of software, then we'll deal with it promptly. There's a good chunk of commercial software that licenses you to remove the links and/or copyright if required, yet you do not know if suttercain has done this - you've jumped to an accusation. if the copyright message is hidden as a result of being the same colour as the BG, then accept that it may be a design mistake or a perk of paying - do NOT accuse people outright.

this is not the first post of random or unrelated splurge I've seen, so please pay more attention to your posts - there are no prizes for postcount, so your posts should either be asking for help or actually helpful.

cheers