RichardRotterdam

Everything posted by RichardRotterdam

  1. could you explain what piece of the application you want to fix/change and what the problem is with that? Maybe that would point you in the right direction
  2. hmmm true i have seen the .php extension a couple of times for script inclusion but that was a php that generated javascript. however i do believe he is trying to just perform a remote include of some html from a remote page
  3. thnx for that i didn't know that
  4. after reading this http://de2.php.net/pdo-prepare you can see that the variables do get escaped automatically. however it is totally true that doing a check with php is wise when working with numbers. I'll still use is_numeric for this purpose
  5. only one way to find out try a lot of injections and i tried using single quotes and double quotes for the injection
  6. ok using the following code

       <?php
       $name = $_GET['name'];
       $id   = $_GET['id'];
       try {
           $dbh = new PDO('mysql:host=localhost;dbname=xxx', 'xxx', 'xxx');
           $pquery = $dbh->prepare('SELECT * FROM product WHERE product_name=:name and category_id=:id');
           $pquery->execute(array(
               ':name' => $name,
               ':id'   => $id
           ));
           $result = $pquery->fetchAll();
           // displays data for 'Alejandro'
           print_r($result);
       } catch (PDOException $e) {
           echo 'Error : ' . $e->getMessage();
           exit();
       }
       ?>

     now i tried to do an injection by calling the following url

       index.php?name=banana&id=1 or 1=1

     and also tried

       index.php?name=banana&id=monkey or 1=1

     hmm no errors, seems safe to me
  7. if you're trying to include an external js file yes that would be the right way but it should look like this. <script type="text/javascript" src="some_file.js"></script> but i see you're trying to include an html file. if it is supposed to be an html file then an iframe would be the way to do this <iframe src="http://www.site.com/some_file.html"></iframe> and if you really don't want an iframe you could solve it with php using fopen or curl
  8. plz don't use ugly popups try using a modal instead. that way you don't have to worry about a popup blocker and it looks nicer. here is an example for you http://prototype-window.xilinus.com/ there are tons of modal scripts out there just take one you like
  9. I was reading an article about prepared queries using the PDO class http://www.devshed.com/c/a/PHP/Working-with-Prepared-Queries-with-PDO-Objects-in-PHP-5/1/ And it made me wonder about something. Just take a look at the following code

       <?php
       $name = "banana";
       $dbh = new PDO('mysql:host=localhost;dbname=webshop', '********', '***********');
       $pquery = $dbh->prepare('SELECT * FROM product WHERE product_name=:name and category_id=:id');
       $pquery->execute(array(
           ':name' => $name,
           ':id'   => '1'
       ));
       $result = $pquery->fetchAll();
       print_r($result);
       ?>

     in the where clause you see that the variable :name isn't between quotes

       WHERE product_name=:name

     the following code changes :name to "banana" and :id to 1

       <?php
       $pquery->execute(array(
           ':name' => $name,
           ':id'   => '1'
       ));
       ?>

     With this i tried to do an sql injection to see if it is secure and I couldn't get any error. Now for my question. Does using this prepared query mean I don't have to escape the string to prevent sql injections?
  10. why are you trying to include an html? ??? that's what server side languages are for that or a remote ajax call
  11. they're both 2 different things. php is php where MVC stands for Model View Controller which is a design pattern. http://en.wikipedia.org/wiki/Model-view-controller
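An added example for the question in posts 6 and 9 (not code from the thread): the same WHERE clause run once as a string-built query and once as a PDO prepared statement, with the `1 or 1=1` id from post 6 as input. It assumes an in-memory SQLite database with a constructed product table so it runs offline.

```php
<?php
// Added example (not from the thread): shows why the bound :id value from
// post 6 ("1 or 1=1") cannot change the query, beside the string-built
// query it does break. In-memory SQLite so it runs offline; the schema and
// rows below are constructed for the demo.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE product (product_name TEXT, category_id INTEGER)');
$dbh->exec("INSERT INTO product VALUES ('banana', 1), ('banana', 2), ('apple', 1)");

// Attacker-controlled input, exactly as in the post's first test URL.
$name = 'banana';
$id   = '1 or 1=1';

// Unsafe: the input becomes part of the SQL text, so "or 1=1" is parsed
// as SQL and the WHERE clause matches every row.
$unsafe = "SELECT * FROM product WHERE product_name='$name' AND category_id=$id";
$rows = $dbh->query($unsafe)->fetchAll(PDO::FETCH_ASSOC);
echo "string-built query: " . count($rows) . " rows\n";   // 3

// Prepared: the SQL text is fixed before any value arrives. :id is a
// placeholder, not a quoted literal, which is why no quotes appear around
// it in the query. The bound value is compared as data; '1 or 1=1' is not
// a number, so it equals no category_id and no row comes back.
$pquery = $dbh->prepare('SELECT * FROM product WHERE product_name=:name AND category_id=:id');
$pquery->execute([':name' => $name, ':id' => $id]);
$rows = $pquery->fetchAll(PDO::FETCH_ASSOC);
echo "prepared query: " . count($rows) . " rows\n";        // 0

// Same prepared statement with a legitimate id: placeholders work normally.
$pquery->execute([':name' => $name, ':id' => 1]);
echo "prepared query, id=1: " . count($pquery->fetchAll()) . " rows\n"; // 1
```

Against MySQL the bound '1 or 1=1' is cast to the number 1 for the integer comparison, so rows for category 1 come back; that is still not injection, because the text never reaches the SQL parser. Checking numeric ids with is_numeric, as post 4 says, keeps the intent of the query explicit.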
  12. are you using this on a myspace page? If so I think myspace doesn't allow inserting javascript into a page
  13. The storing part is easy using foreign keys but fetching all lower child elements is a bit trickier. I thought there might be some other neat way besides using a stored procedure but it seems to be the best way to go
  14. Hi, I found some article about xpath expression builder and i sorta want to try this thing out. http://livedocs.adobe.com/en_US/Dreamweaver/9.0/help.html?content=WScbb6b82af5544594822510a94ae8d65-7a3d.html however i can find the thing. the first instruction is "Double-click the XML data placeholder" but what the heck is a data placeholder?
  15. I've encountered this situation a couple of times and usually i solved it by using some php. So here is the situation. When having to deal with tree structures sometimes it would be nice to have some sort of inheritance and getting all the child items. for example when you have the following tree structure using 2 tables categories and products

       category1
         -product1
         -product2
         +category2
           -product3
           -product4
         +category3
           -product5
           -product6

     let's say i want all the products in category1 including all the products in the sub categories (in this case products 1 to 6). what would be the best way to solve this. I am thinking about using a stored procedure for this and using some kind of loop in it. Would this be the best approach? I just want methods of solving it I don't want any full working queries or code i just want some hints. ty
  16. not sure about the MFC framework since I don't like building stuff that works on MS only. however usually microsoft has excellent documentation about their stuff. Have you tried http://msdn.microsoft.com/ ? if that doesn't help you can always try an alternative framework http://en.wikipedia.org/wiki/Microsoft_Foundation_Class_Library#Other_frameworks. I'm considering to learn GTK myself
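For the tree question in post 15 (and the stored-procedure follow-up in post 13), an added example that is not from the thread: a recursive CTE fetches every product under a category, sub-categories included, in one query, so no procedural loop is needed. It assumes a parent_id column on categories, an in-memory SQLite database and constructed rows that mirror the tree in the post; MySQL supports the same WITH RECURSIVE syntax from version 8.0.

```php
<?php
// Added example (not from the thread): all products under one category,
// including its sub-categories, with a recursive CTE. In-memory SQLite and
// constructed data mirroring the tree in post 15, plus one unrelated branch.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT)');
$dbh->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, category_id INTEGER, name TEXT)');
$dbh->exec("INSERT INTO categories VALUES (1, NULL, 'category1'), (2, 1, 'category2'),
            (3, 1, 'category3'), (4, NULL, 'other')");
$dbh->exec("INSERT INTO products VALUES (1, 1, 'product1'), (2, 1, 'product2'),
            (3, 2, 'product3'), (4, 2, 'product4'), (5, 3, 'product5'),
            (6, 3, 'product6'), (7, 4, 'product7')");

// The anchor row is the requested category; each recursive step adds the
// direct children of the rows found so far, until no new rows appear.
// The root id is a bound parameter, so user input never touches the SQL text.
$sql = '
WITH RECURSIVE subtree(id) AS (
    SELECT id FROM categories WHERE id = :root
    UNION ALL
    SELECT c.id FROM categories c JOIN subtree s ON c.parent_id = s.id
)
SELECT p.name FROM products p JOIN subtree s ON p.category_id = s.id ORDER BY p.id';
$stmt = $dbh->prepare($sql);
$stmt->execute([':root' => 1]);
$names = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo implode(', ', $names), "\n";   // product1 .. product6; product7 is excluded
```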
  17. google up the search term modal you will find plenty of useful scripts
  18. are you saying you can't use any php whatsoever? if you could use a local php file the solutions have been discussed here http://www.phpfreaks.com/forums/index.php/topic,210317.0.html and http://www.phpfreaks.com/forums/index.php/topic,210317.0.html if you can't use any local file then yes it is a cross-domain security thing. and json wouldn't work either only difference between ajax and json is that you are sending javascript objects instead of plain text/html
  19. if the file literally is called page then it's different you are not using a url rewrite at all. www.example.com/page calls the page and parses the php code inside that file www.example.com/page/ this will look in the directory called page instead of parsing the page file (which prob leads to an error) what you could do is url rewrite www.example.com/page/ so it opens the file
  20. the way I would do it is like so:
     1. javascript function(s) for drop and drag functionality
     2. after the drop do an ajax call to a php file that updates the database
     3. In the php you called make sure the user is the profile owner using sessions
  21. when building large queries I often find it useful to notate the query in a way that it will be still readable when large. you can use new lines and indents to make the whole thing more readable. That would be a lot better than using multiple queries and slowing stuff down. And if things really get complex where a query wouldn't be sufficient you might want to look into stored procedures
  22. why don't you use a local php file to read data from a remote server?
  23. could you post the browser source instead it makes it more readable. I assume you have a js error
  24. this most likely has to do with your url rewrite. the www.example.com/page makes a call to page.php and with the slash it doesn't make a call to the right page. what kind of webserver do you use is it IIS or Apache?
  25. I remember answering something similar on this forum http://www.phpfreaks.com/forums/index.php/topic,199285.0.html maybe that will point you in the right direction