Tyche
-
Posts
49 -
Joined
-
Last visited
Never
Posts posted by Tyche
-
-
Its not random because you are using 4 zero filled spaces for the Green component in the sprintf format , effectively fixing it as 00.
Change random_hex_color function to this
function random_hex_color() { return sprintf("%02X%02X%02X", mt_rand(0, 255), mt_rand(0, 255), mt_rand(0, 255)); } -
what exactly could sum1 do by xss injecting into html.. they could only really modify their own output.. but I hear what you mean
In most XSS attacks the attacker sends the victim a XSS modified URL to a site the Victim trusts (e.g. slaterino's site) . It's the Victim's output which is changed .They see the site but the Attacker can then potentially gain access to the Victims user credentials and/or cookie info for that site - In this example I just showed an injection of a visible image the Injection could be a javascript program. The wikipedia page on XSS is well worth reading http://en.wikipedia.org/wiki/Cross-site_scripting
-
If you are using $_SERVER['PHP_SELF'] you really must sanitise the input, as it can be modifed by the user just like any other user input. If you don't you will leave yourself open to XSS attacks.
Taking the bare bones of your modified code as an example
<html> <body> <?php $self=$_SERVER['PHP_SELF']; $prev = " <a href=\"" . $self . "?page=1\">[Prev]</a> "; echo $prev; ?> </body> </html>
On the surface it looks OK but if for instance the user adds the following string To the URL directly after the filename they can load this forums logo into your page .
/%22%3E%3Cimg%20src=http://www.phpfreaks.com/media/images/forums/logo.png%3E%3C
Ok course that is a non-malicious example of XSS.
If you want to use $_SERVER['PHP_SELF'] ensure that its clean (or at least neutralised) by running it through htmlspecialchars()
-
You don't need the single quotes round the field names - just the values
-
You are also calling mysql_query twice and also trying to fetch records from the UPDATE query
Try this
$update =mysql_query("UPDATE tourney SET '$nround' = '$winner' AND '$roundh' = '$hscore' AND '$rounda' = '$ascore' WHERE tid = '$tid'"); if (!$update) { die(mysql_error() . $update); } -
mysql_num_rows only returns the number of rows for queries whihc return a record set
UPDATE queries don't return a record set - You probably want to use
mysql_affected_rows instead.
-
You can't use # in MySQL table names # is a reserved character which means from here to the end of the current line is a comment and should be ignored - SO effectively your command becomes
CREATE TABLE EMPLOYEE (
E
EFNAME VARCHAR(20),
ELNAME VARCHAR(20)
);
which is why the first field is named EEFNAME as the white space is removed
-
Strictly speaking the INSERT command does not recognise LIMIT and a
INSERT ... SET col=... LIMIT 1 will fail as will INSERT ... VALUES (...),(...) LIMIT 2 command
You can use LIMIT on an INSERT .... SELECT ... Command but there the LIMIT is an optional part of the SELECT command component, its use here should improve performance in many cases
-
You refer to the table CLASSES_ares in the 2nd SELECT statement , This should be CLASSES_areas
-
till able to use transaction, foreign keys and locking
Only MyISAM supports transactions and foreign keys. Locking is a part of any and every database engine.
This is wrong - MyISAM tables do not support Transactions - You need to use the InnoDB engine if you require Transactions, the same goes for Foreign Keys (They can be defined for MyISAM tables but there is no referential integrity support) .
-
If I understand you correctly you want to know the number of digits in an integer
The following code will give the number of digits in $n
$number_of_digits= 1 + floor(log10(abs($n)));
-
You can take advantage of the "WHERE 1" statement equating to true
Use something like this ...
$where_nick="1"; $where_datetime="1"; $where_channel="1"; $where_link="1"; if (!empty($filter_nick))$where_nick = " nick = '$filter_nick' "; if (!empty($filter_datetime))$where_datetime = " datetime = '$filter_datetime' "; if (!empty($filter_channel))$where_channel = " channel = '$filter_channel' "; if (!empty($filter_link))$where_link = " link = '$filter_link' "; $query = mysql_query("SELECT * FROM urls WHERE $where_nick AND $where_datetime AND $where_channel AND $where_link"); -
Why not try
UPDATE users SET images=images-1 WHERE userid=x AND images > 0;
-
That does work if the "FROM 4" is changed to ",5" (and then is better than my suggestion
)As below :
SELECT *, IF ( LEFT( vch_title, 4)='The ', SUBSTRING(vch_title,5), vch_title ) AS title_sort FROM tbl_links WHERE int_category = '$i' ORDER BY title_sort;
-
The following code will ignore the string "The " in the orderering of records
SELECT your_title_field FROM your_table ORDER BY REPLACE(your_title_field,"The ","");
It will ignore "The " wherever it appears not just at the front of the title string so may have a few undesired effects but will certainly sort your example as you want it
-
It does ... if your default character sets and collations are the same as your table - you may need to force the character /collation on the string literals (see below to force latin1/latin1_swedish_ci )
SELECT _latin1 'User ID' collate latin1_swedish_ci, _latin1 'Name' collate latin1_swedish_ci .... UNION SELECT id,Name ....
-
You can use a UNION to achieve this (if using MySQL 4.0 or higher)
SELECT 'User ID','Name','Job','Address' UNION SELECT id,name,job,address FROM users INTO OUTFILE '/tmp/users.csv' FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n'
-
This error can occur if you haven't uploaded your file (lib.php) as binary - Try uploading it again and use binary transfer in your FTP client
-
You can escape the quote using a preceding \
so the following code should work
$sql = "select * from members where member_id = '".str_replace("'","\'",$member_id)."'";\ is used as the escape character in MySQL but I believe it should work in most other SQL variants
-
You can use Memory (or Heap) tables which are created in RAM and these are extremely fast- however should only be used as temporary tables as all data is lost if there is a system shutdown - The Table structure is preserved (since this is stored as .frm files) but the contents will be deleted
CREATE TABLE memory_table ENGINE=MEMORY; or if using a MYSQL version < 4.1 CREATE TABLE memory_table TYPE=HEAP;
If the data is fairly static you could create a cron job to copy the MEMORY tables to a more permanent table (such as a MyISAM one) every now and then - The same job could be used to reload the MEMORY tables from this permanent backup table if they are found to be empty (i.e. after a server restart) using a INSERT INTO memory_table SELECT * FROM backup_table; command
-
Use the vbCRLF constant - this should put a line throw between each string
message = strPart1ofText & vbCRLF & strPart2ofText
-
You can use
set_time_limit($execution_time_in_seconds);
which overrides the max_execution_time setting in php.ini
However if you are running in safe mode this will not work - under those circumstances you have to change the max_execution_time value in php.ini
-
Not a lot - both are pattern matching functions
REGEXP can be used to perform pattern matching which is more complex than LIKE - but there are overheads - I'd recommend always using LIKE where you can - and only use REGEXP when a LIKE can't handle the query
-
Not as it stands
if you try
$regexpstr = str_replace(" ","[_ ]",$ven); $sql = "SELECT id,transno,vendorname,vendorid,nature FROM tblvendor WHERE vendorname REGEXP '$regexpstr' ";Then that should work
so in your example "John Paul" is changed to "John[_ ]Paul" which when used as a RegEx in MySQL will search for "_" or " "
Creating an HTML hex color chart/table?
in PHP Coding Help
Posted
You new method does produce random colors but there is still a bias in color selection . There are some possible colors which will never be produced and the bias is towards colors with higher red components and lower blue .
This is because you are dropping leading 0's in your RGB color settings then concatenating them together.
So for instance the 3 different colours rgb(0F,FF,0F) rgb(0F,0F,FF) & rgb(FF,0F,0F) get returned as FFFF which is interpreted as rgb(FF,FF,00) . If you want your random colors to be uniformly distributed across all possible colors then just use the fix I gave you earlier.