
bubblybabs

Members, 46 posts, last visited: Never

Everything posted by bubblybabs

  1. Yes, that error is 2147483647... I just struggled with that problem myself... Babs
  2. Oh, OK... The int was part of the original code... It's been deleted with my modification so I guess no worries... Ah, so much to learn, so much... Babs
  3. OK, removing unassigned allows this to work (as well as removing the extra cardid - I was following the instructions but mixed up what they meant)... But this must be unsigned or the mod I'm working on won't work... This worked for me thus far: "ALTER TABLE ".$tablePrefix."sentcards MODIFY cardid BIGINT(30) NOT NULL default '0'"; I'll look at the link you gave me, maybe it'll be clearer... I have to have it unsigned... And, looking at what I originally posted I see I had a spelling error! It's unsigned not unassigned! Duh... Once I changed it to this it works: "ALTER TABLE ".$tablePrefix."sentcards MODIFY cardid BIGINT(30) UNSIGNED NOT NULL default '0'"; Thanks, I appreciate all of you helping me get this figured out... Babs
  4. Since this was asking for coding in php I figured this was the place to go... I changed the coding to this: "ALTER TABLE databasename gc_sentcards CHANGE cardid cardid BIGINT(30) UNASSIGNED NOT NULL default '0'"; but it still does not work... (databasename is changed from its correct info) That webpage states I don't need to use the word column but I tried it anyway: "ALTER TABLE databasename gc_sentcards CHANGE COLUMN cardid cardid BIGINT(30) UNASSIGNED NOT NULL default '0'"; Still not working... Should I go to this other forum to ask for assistance or stay here? Babs
  5. I have a table named sentcards with a field called cardid with a current type int... I wish to change the type int to bigint(30) with an attribute that is unassigned and a default of 0... This is my code: "ALTER TABLE ".$tablePrefix."sentcards MODIFY cardid cardid BIGINT(30) UNASSIGNED NOT NULL"; : but it doesn't work which makes me think I have something incorrect in my command... Could you point me in the right direction? Babs
  6. I have a feeling he needs the fp1.formmail.com program to complete the coding... Babs
  7. Corbin, I am so sorry but I have no idea what you mean... Is my coding incorrect or can it cause a problem? Babs
  8. The code could be made easier to read by using single quotes: echo '<fieldset><form method="POST" action="http://fp1.formmail.com/cgi-bin/fm192"> <input type="hidden" name="redirect" value="http://www.mysite/thankyou.html"> First Name:<input type="text" name="Customer_First_Name"> <br>Last Name:<input type="text" name="Customer_Last_Name"> <br><input type="submit" value="Submit your Information"></form> </fieldset>'; By using the single quotes on the outside instead of double quotes you shouldn't have to escape all of the double quotes contained within... Just wanted to mention that... Babs
  9. Yes, the coding I have to check and make sure there are only numbers is: function validCardid($cardid) { if (eregi("^([0-9])+$",$cardid)) return true; else return false; } Babs
  10. No, I didn't know that... Doesn't the int tell the coding you only want an integer? That is what I was thinking it meant and that is what I want... Is this correct? I should elaborate, at first I thought that but then I kept getting an error so then I thought perhaps it was indicating the MySQL table... Looking at is_numeric there seems to be a chance that letters could be considered acceptable and some of the coding used on that page seems longer than what I used... I wanted to make sure that only numbers are given the OK to use the coding... Thank you for taking the time to help me figure this out... Babs
  11. Thanks frost110... I tried just the (int) and it would not work, I kept getting that error code... However, what I did do was make a function to call upon the cardid number and check to make sure it wasn't too long and only had numbers in it (using the same strategy I used when trying to correct some coding for the newsid a few days ago)... I changed the coding from:

      $cardid = (int)$_GET['cardid'];

      to:

      // Check $cardid for numbers only
      // If anything else is put into the address bar an error message will show
      if (!validCardid($cardid)) {
          echo '<span class="error">'.$getcard01.'</span>';
          $page->showFooter();
          exit;
      }
      // Check size of cardid and throw errors if it is longer than 30 characters
      if (strlen($cardid) > 30) {
          echo '<span class="error">'.$getcard01.'</span>';
          $page->showFooter();
          exit;
      }
      if (!$cardid) {
          echo '<span class="error">'.$getcard01.'</span>';
          $page->showFooter();
          exit;
      }

      and now it's working... I had to add a function on another page called to this one but now it works... Babs
  12. I'm almost afraid to think of what your comment was frost110, hope it wasn't too mean... Anyway, I've a new problem... I can now save cards after changing to bigint... However when I try to view the eCard I get an error: Parse error: syntax error, unexpected T_VARIABLE in /home/ecards/public_html/viewcard.php on line 30 Line 30 is this: $cardid = (bigint)$_GET['cardid']; It used to be $cardid = (int)$_GET['cardid']; but once I changed the MySQL table from int to bigint I thought I had to change this line as well... I get that darn error number again (2147483647) instead of the ecard id# if I leave it as (int)... Looking on the net it seems I should have a missing terminating semi-colon but I can't find one... Here is the coding above line 30:

      session_start();
      include('inc/adodb/adodb.inc.php'); # load code common to ADOdb
      include_once('config.php');
      include('inc/UIfunctions.php');
      $page = new pagebuilder;
      include_once('inc/setLang.php');
      $page->langargs = "&cardid=$cardid";
      $page->showHeader();

      So, shouldn't (int) be changed to (bigint)? Thanks, Babs
  13. Oooo! I think I figured it out... Had to change the MySQL column from int to bigint... :-) Babs
  14. I am looking to create a random number and then combining that with time()... The coding I have was achieved by using several types of coding I found on the net and then playing around with them in an attempt to make the random number truly random (I understand that some coding isn't always random even though it's supposed to be) therefore I'm sure this is sloppy coding to those of you who have been doing this a long time... Here it is:

      <?php
      /**
       * Generate and return a random string
       *
       * The default string returned is 8 alphanumeric characters.
       *
       * The type of string returned can be changed with the "seeds" parameter.
       * Four types are - by default - available: alpha, numeric, alphanum and hexidec.
       *
       * If the "seeds" parameter does not match one of the above, then the string
       * supplied is used.
       *
       * @author Aidan Lister <aidan@php.net>
       * modified a tad bit by BubblyBabs by randomzing the length of the string (see line below)
       * example which produces random length string 11-19 characters long: str_rand(rand(11,19), 'numeric');
       * to view put: echo str_rand(rand(11,19), 'numeric');
       * @version 2.1.0
       * @link http://aidanlister.com/repos/v/function.str_rand.php
       * @param int $length Length of string to be generated
       * @param string $seeds Seeds string should be generated from
       */
      function str_rand($length = 8, $seeds = 'alphanum')
      {
          // Possible seeds
          $seedings['alpha'] = 'abcdefghijklmnopqrstuvwqyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
          $seedings['numeric'] = '09182736454637281959513074682987456321085021479630946132587';
          $seedings['alphanum'] = 'abcdefghijklmnopqrstuvwqyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
          $seedings['hexidec'] = '0123456789abcdef';

          // Choose seed
          if (isset($seedings[$seeds])) {
              $seeds = $seedings[$seeds];
          }

          // Seed generator
          list($usec, $sec) = explode(' ', microtime());
          $seed = (float) $sec + ((float) $usec * 100000);
          mt_srand($seed);

          // Generate
          $str = '';
          $seeds_count = strlen($seeds);
          for ($i = 0; $length > $i; $i++) {
              $str .= $seeds{mt_rand(0, $seeds_count - 1)};
          }

          return $str;
      }

      $acceptedChars = '09182736454637281959513074682987456321085021479630946132587';
      $max = strlen($acceptedChars)-1;
      $code1 = null;
      for($i=0; $i < rand(3,; $i++) {
          $code1 .= $acceptedChars{mt_rand(0, $max)};
      }
      $ttcode1 = $code1 . $from_remoteport . time();
      $ttcode2 = str_rand(rand(5,, 'numeric');
      $randnum = substr($ttcode2,0,10);
      ?>

      I then add this to my ecard program to create a cardid that combines time and the random number (the coding above is called by the page that sends the ecard emails out): $cardid = time() . $randnum; All seems to work fine... HOWEVER, the ecard program sends an email out with the proper cardid but what is saved to the MySQL table is ALWAYS this cardid: 2147483647 Looking on the net this number (2147483647) seems to be an error code? My question, what is wrong with this coding and how do I achieve my goal and what does this error code mean? I should add that I am trying to make it so that the cardid isn't ALWAYS 11 or 15 or 19 digits long... I want it to be variable... I have a working portion of the code here: http://ecards.fractalfairy.com/randomttcode.php but it won't work in my ecard coding... Thanks, Babs
  15. Wanted to add some more info... Your example does work better than my digit one chocopi so I'm using that one instead... *That* was what was causing the error, not the code I thought... I modified the original coding in question to: // Check size of post data and throw errors if it is longer than 3 characters if (strlen($newsid) > 3) { echo $nav16; exit; } so we won't have more than characters in the newsid which should be sufficient... And modified the inc/formFunction.php coding to: function validNewsid($newsid) { if (eregi("^([0-9])+$",$newsid)) return true; else return false; } Kept the eregi even though you say it doesn't need it... So, the original topic seems to be solved.. :-) Again, many thanks, Babs
  16. Well, never mind, I just realized strlen is not what I want to use... And your example does work better than my digit one chocopi so I'm using that one instead... Otherwise, the original topic seems to be solved... :-) Babs
  17. Oops, found a problem... If I have more than 9 news items I get my error message due to this coding: // Check size of post data and throw errors if it is too big // Change this number if your news entries go over the digit shown below // Keep as small as possible to discourage script kiddies if (strlen($newsid) > 100) { echo $nav16; // error message exit; } What is wrong with this code? You'd think I could go from 1-100 characters... Babs
  18. I found that digit coding on the net and it worked so I used it... Would yours be more standard and therefore more cross-site friendly? Babs
  19. Thanks chocopi... I know it can be difficult to tell if this is secure, but does the coding seem to be now? Babs
  20. Whoops! Here I was looking all over the net trying to find a way to make sure numbers were only used and here is some nice coding... Is this better than what I have? Babs
  21. OK, how does this look? I can test it by putting a letter into the address bar and getting the error message I intended... I noticed that the newsid is always a number so I tried to code it so only numbers can be used... I don't know if the size limit is of any use but thought I'd toss it in there and ask you what you thought... The formfunction coding is at the bottom... Does this seem solid?

      include_once('inc/adodb/adodb.inc.php'); # load code common to ADOdb
      include_once('config.php');
      include_once('inc/UIfunctions.php');
      include_once('inc/formFunctions.php');
      include_once('inc/newsclass.php');
      $page = new pagebuilder;
      include_once('inc/setLang.php');
      $page->showHeader();
      // Check size of post data and throw errors if it is too big
      if (strlen($newsid) > 100) {
          echo $nav16;
          exit;
      }
      // Check $newsid for numbers only
      if (!validNewsid($newsid)) {
          echo $nav16;
          exit;
      } else {
          $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;

      formfunction code:

      function validNewsid($newsid) {
          if (eregi("^[[:digit:]]$", $newsid ))
              return true;
          else
              return false;
      }

      Thanks, Babs
  22. Ah! Let me look at this and work on it more... Many thanks for the input... Babs
  23. I understand the sanitizing idea but am having difficulty understanding how to implement it... I'm not a complete newbie to php but I'm currently only at the stage of editing what others have done before me (so, I guess you'd consider me a newbie)... A program I am using has an injection problem that was just discovered and I am trying to learn how this is done so I can try to fix the script... I know of several users who have been affected and I want to help others as well as myself who use this script... I've looked at the malicious coding and have been able to do a "simple" work-around but I'm sure a smart programmer would know how to get around that... I don't know where to read to understand how to sanitize the program code... Looking on the internet I keep coming across a sanitizing code but that is not what I want to do... One problem is that I don't know how to actually run this malicious coding so I can't check my new coding with it to see if it's fixed... You state "Make sure that anywhere where a user can insert something, such as a html input field or the address bar if you are using $_GET variables" = this part of the script uses a GET variable... Looking at this malicious coding, it somehow uses an unsanitized GET variable to allow a script to "inject" information onto a person's website as well as snagging the website owner's username and passwords from their MySQL tables... The program I am referring to is gCards 1.46 ... The file in question is the getnewsitem.php file... The code in question is information given before the MySQL fetch string...

      Problem part of code (from what I understand, it is the get newsid part):

      include_once('inc/adodb/adodb.inc.php'); # load code common to ADOdb
      include_once('config.php');
      include_once('inc/UIfunctions.php');
      include_once('inc/newsclass.php');
      $page = new pagebuilder;
      include_once('inc/setLang.php');
      $page->showHeader();
      $newsid = $_GET['newsid'];
      if ($newsid) {
          $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;
          $conn = &ADONewConnection('mysql'); # create a connection
          $conn->Connect($dbhost,$dbuser,$dbpass,$dbdatabase);

      My coding I've played with:

      include_once('inc/adodb/adodb.inc.php'); # load code common to ADOdb
      include_once('bbconfigff.php');
      include_once('inc/UIfunctions.php');
      include_once('inc/newsclass.php');
      $page = new pagebuilder;
      include_once('inc/setLang.php');
      $newsid = (int)$_GET['newsid'];
      $page->langargs = "&newsid=$newsid";
      $page->showHeader();
      if (!$newsid) {
          echo '<span class="error" id="news_id_error">"News ID required"</span>';
          $page->showFooter();
          exit;
      }

      How do I figure out if what I have done will be secure? Thanks so much, babs
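Added example, not gCards code and not anything posted in this thread: one validator that covers both problems raised above, the unsanitized $_GET['newsid'] that reaches the SQL in getnewsitem.php and the cardid that collapsed to 2147483647. The id is checked as a digit string against the ceiling of the column it goes into (MySQL signed INT tops out at 2147483647, the same limit as a 32-bit PHP (int) cast, which is why the cast alone could not store a 15-digit cardid), and is then passed to ADOdb as a bound parameter rather than pasted into the query text. $conn, the table name gc_news and the function name validId are assumed.

```php
<?php
// Added example (not gCards code). Assumes $conn is an open ADOdb connection
// and a table gc_news with an INT column newsid; the table name is assumed.

// Column ceilings kept as strings so the comparison also works on 32-bit PHP,
// where (int) saturates at 2147483647 instead of failing.
const MAX_INT_SIGNED      = '2147483647';            // MySQL INT
const MAX_BIGINT_UNSIGNED = '18446744073709551615';  // MySQL BIGINT UNSIGNED

/**
 * Return the id as a canonical digit string, or null if it is not a plain
 * non-negative integer that fits the column. No regex, no (int) cast.
 */
function validId($raw, $maxForColumn)
{
    // ctype_digit rejects letters, signs, dots, quotes, spaces and ''.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = ltrim($raw, '0');            // '007' and '7' are the same id
    if ($id === '') {
        $id = '0';
    }
    // Compare as strings: fewer digits means smaller; equal length compares lexically.
    $tooBig = strlen($id) > strlen($maxForColumn)
        || (strlen($id) === strlen($maxForColumn) && strcmp($id, $maxForColumn) > 0);
    return $tooBig ? null : $id;
}

// newsid lives in an INT column; a cardid in BIGINT UNSIGNED would use
// MAX_BIGINT_UNSIGNED as the second argument instead.
$newsid = validId(isset($_GET['newsid']) ? $_GET['newsid'] : '', MAX_INT_SIGNED);
if ($newsid === null) {
    echo '<span class="error" id="news_id_error">News ID required</span>';
    exit;
}

// The value never becomes part of the SQL text: ADOdb binds the ? placeholder.
$rs = $conn->Execute('SELECT * FROM gc_news WHERE newsid = ?', array($newsid));
```

With this validator, '12', '007' (returned as '7') and '2147483647' pass for an INT column, while 'abc', '-1', '1 OR 1=1', '' and '2147483648' all return null before any query is built.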
  24. I know, dumb question but I'm not sure how to go about doing this... How does one go about checking their code to see if it is "sanitised" to prevent exploitation? Thanks, Babs