-
Posts
33 -
Joined
-
Last visited
Never
Everything posted by Pancake
-
I'm guessing you mean...
```php
class someThing {
    public function someFunction() {
        /* */
        return 'foo';
    }
}
/* */
class anotherThing {
    protected $do;
    function __construct() {
        $this->do = new someThing();
    }
    public function display() {
        echo $this->do->someFunction();
    }
}
$a = new anotherThing();
$a->display();
```
-
"INSERT INTO ... WHERE username='". $_POST['username'] ."'" is the same as "INSERT INTO ... WHERE username="{$_POST['username']}"
-
Right-click the file first, and then give yourself permissions to edit it.
-
Ahh.. you have a good point there.. I've only been on this forum for so long
-
Examples - http://www.phpfreaks.com/forums/index.php/topic,177199.0.html - http://www.phpfreaks.com/forums/index.php/topic,177132.0.html (I'm assuming cpg_db_query doesn't auto-escape queries?)
-
I know how to escape them. I probably was not conveying my point very clearly. Lately, I've seen newer people post code that uses $_POST directly in their SQL statements, and I've seen almost nobody point it out. Anyway, best method (I think):
```php
function escapeString($str) {
    // Undo the slashes magic_quotes_gpc added, so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
```
-
Is it just me, or is there nothing wrong with inserting $_POST and $_GET variables into SQL queries? I've seen a lot of:
```php
mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] ."'");
```
because can't a user send along:
```
foo' OR 1=1 --
```
It seems like we are teaching new people to rely on Magic_quotes
-
http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection
-
is it just me, or is there nothing wrong with directly using a $_POST variable in an SQL query?
-
```php
<?php setcookie("cartId", "", time() - 3600); ?>
```
Should work just fine. Even time()-1 should work. (I think)
-
[SOLVED] Problem with inserting into DB a disabled field
Pancake replied to argrafic's topic in PHP Coding Help
And crafty users can change hidden form fields and disabled fields, so treat hidden/disabled fields as if they were not hidden/disabled
-
I like it because you can reuse the code very easily, AND it's extremely easy to pass variables between functions. For example:
```php
class myExample {
    var $num = 1;
    function add() {
        $this->num++;
    }
    function returnNum() {
        return $this->num;
    }
}
$example = new myExample();
$example->add();
echo $example->returnNum(); // Returns 2 (the method is called on the object, not as a bare $returnNum())
$example->add();
$example->add();
$example->add();
echo $example->returnNum(); // Returns 5
```
-
???
```php
$query = "UPDATE `news` SET `title` = '".$_POST['title']."', `description` ='".$_POST['description']."', `author` ='".$_POST['author']."' , `main_page` ='".$_POST['main_page_display']."' WHERE `id` ='".$_POST['id']."';" ;
```
If it wasn't for magic_quotes_gpc, then that would mean bad news...
-
Sql Injections!!!
-
AAHHHH!!! SQL INJECTION!!!! Try something like this:
```php
<?php
$name     = escapeString($_POST['name']);
$email    = escapeString($_POST['email']);
$username = escapeString($_POST['username']);
$password = escapeString(md5($_POST['password']));

// lets check to see if the username already exists
$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
$username_exist = mysql_num_rows($checkuser);
/* Stuff removed to shorten post */
$query = "INSERT INTO users (name, email, username, password) VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
/* Removed to shorten post */

function escapeString($str) {
    if (get_magic_quotes_gpc()) {
        // stripslashes() returns the stripped string; the result has to be assigned
        // or the call has no effect and the value is escaped twice
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
?>
```
-
If you're new to PHP, then don't handle people's credit card numbers Use something like PayPal
-
You need to also download PHP (Click Here) and download it. When it asks to configure for a server, select "Apache 2.X", and when it asks for the config directory for Apache, browse for something like this: C:\Program Files\Apache Software Foundation\Apache2.2\conf For your previous posts: PHP (by default) will only process files that end in .php. A .php file is basically a .html file, but PHP processes them.
-
This would probably require the use of a database to be completely exact. This *might* help... http://www.phpit.net/article/creating-whosonline-script-php/
-
[SOLVED] Easiest Way to check string is Alpha-Numeric
Pancake replied to ChadNomad's topic in PHP Coding Help
The only issue is that a-z doesn't allow capital letters, and (I think) the {0, 100} is the amount of text that can be sent through... try:
```php
// eregi() was removed in PHP 7; the same check with preg_match().
// The + is needed: without it the pattern matches exactly one character.
if (preg_match('/^[a-zA-Z0-9]+$/', $x)) {
```
Or the easier way:
```php
if (preg_match('/^[[:alnum:]]+$/', $x)) {
```
-
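An added example (not code from the post above or from the PHPFreaks thread): an "is this string alphanumeric?" check, with the inputs that trip up a one-character pattern and a pattern anchored only with a plain `$`. The function names, the `D` modifier choice and the test inputs are the editor's; the inputs are constructed for the example.

```php
<?php
// Added example, not from the original post. Shows why the quantifier and the
// end anchor matter when validating "alphanumeric" input.
declare(strict_types=1);

// Without a quantifier, ^[a-zA-Z0-9]$ matches exactly one character.
function isAlnumOneChar(string $s): bool
{
    return preg_match('/^[a-zA-Z0-9]$/', $s) === 1;
}

// With +, the whole string must be letters/digits. Without the u modifier,
// [[:alnum:]] is ASCII-only, the same set as [a-zA-Z0-9].
// The D modifier makes $ match only at the very end of the subject: a plain $
// also matches just before a trailing "\n", so "abc\n" would otherwise pass.
function isAlnum(string $s): bool
{
    return preg_match('/^[[:alnum:]]+$/D', $s) === 1;
}

// ctype_alnum() is the non-regex equivalent; it rejects the empty string too.
function isAlnumCtype(string $s): bool
{
    return ctype_alnum($s);
}

// Constructed inputs: [value, expected result of a correct check]
$cases = [
    ['abc123',   true],
    ['ABC',      true],
    ['a',        true],
    ['',         false],
    ['abc def',  false],
    ["abc\n",    false],  // passes a plain $ anchor, rejected with /D
    ['é',        false],  // non-ASCII letter, not in [[:alnum:]] without /u
];

foreach ($cases as [$value, $expected]) {
    $oneChar = isAlnumOneChar($value);
    $regex   = isAlnum($value);
    $ctype   = isAlnumCtype($value);
    printf("%-12s one-char=%-5s regex=%-5s ctype=%-5s\n",
        json_encode($value),
        var_export($oneChar, true),
        var_export($regex, true),
        var_export($ctype, true));
    if ($regex !== $expected || $ctype !== $expected) {
        throw new RuntimeException('check disagrees with expectation for ' . json_encode($value));
    }
}
echo "all inputs classified as expected\n";
```

Run it with `php alnum.php`; the one-character column shows `true` only for `"a"`, while the `+` pattern and `ctype_alnum()` agree on every row, including the trailing-newline case that a pattern without `D` would accept.
-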
VALUES ('$form_description', '$data', '$form_data_name', '$form_data_size', '$form_data_type')") I'm assuming that $form_description and such have been defined earlier?
-
sqlStuff Class:
```php
class sqlStuff {
    /* Creates variables to be used in the SQL Connection.
       These should be changed to match your SQL server settings */
    protected $db_host = 'localhost';
    protected $db_user = 'root';
    protected $db_pass = 'root';
    protected $db_name = 'database';

    /* This one needs to be used across all classes, so this is public */
    public $cnx;

    /* Actually connect to the DB */
    function __construct() {
        $this->cnx = new mysqli($this->db_host, $this->db_user, $this->db_pass, $this->db_name);
        // new mysqli() always hands back an object, so test connect_error instead of
        // the return value; a constructor cannot return false, so signal failure by throwing.
        if ($this->cnx->connect_error) {
            // A connection was unsuccessfully made... makes an error message to be cleaned up later.
            throw new Exception("ERROR Connecting to DB! Bad username/password?");
        }
        // Connection was successfully made!
    }

    function __destruct() {
        // Closes the connection when an unset() function is used.
        if ($this->cnx instanceof mysqli && !$this->cnx->connect_error) {
            $this->cnx->close();
        }
    }
}
```
I suppose I would possibly want to use it in some procedural coding later:
```php
mysqli_query($sql->cnx, "SELECT * FROM someTable");
```
So it could be of some use. And at the end of my script, I use:
```php
unset($sql);
```
Whole Script: http://www.newerth.com/pancake/showproject/sqlClassExample
-
Lol, it was a joke I posted in the miscellaneous board... It got moved to here though. I'm guessing he didn't read this thread though...
-
Just wondering if this is used properly:
```php
class sendQuery extends sqlStuff {
    /* Sends the data to the DB */
    function insertInfo($b, $c) {
        $query = $this->cnx->prepare("INSERT INTO users (user, pass) VALUES (?, ?)"); // Prepares the query...
        if ($query === false) {
            throw new Exception("ERROR preparing query: " . $this->cnx->error);
        }
        $query->bind_param('ss', $b, $c); // Binds the values with the query
        $ok = $query->execute();          // Runs the query and checks if it was successful.
        $query->close();                  // close() has to come before the return, or it never runs
        if (!$ok) {
            // Query was unsuccessful! Sends an error message (a return before a throw would make the throw unreachable).
            throw new Exception("ERROR doing query!");
        }
        return true;
    }
} /* END sendQuery Class */

try { // Runs the above classes and checks for errors....
    $cnx = new sqlStuff();  // opens a connection of its own; sendQuery below inherits a separate one from sqlStuff
    $do = new sendQuery();
    $do->insertInfo('Username', sha1('Password'));
    echo 'Information Inserted Successfully!';
} catch (Exception $e) {
    // If there are any errors, they will be printed out how we defined them earlier.
    echo 'Caught Exception: ' . $e->getMessage();
}
```
Will the string be escaped? Or should I do something like mysqli_real_escape_string() along with it? Note: The sqlStuff class just connects and isn't vital to the script. And is it possible to simply do: new sqlStuff(); instead of $sql = new sqlStuff(); (sqlStuff only has __construct and __destruct functions that don't return anything)
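An added example (the editor's code, not from Pancake's posts or the PHPFreaks threads) that ties together the injection posts above: it runs the `foo' OR 1=1 --` payload against the string-concatenation pattern those posts criticise and against a prepared statement with a bound parameter, which also answers the question just above about whether a bound value still needs mysqli_real_escape_string(). It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server; the users table, the sample accounts, the `expect()` helper and the `login()` function are constructed for the example and are not part of the posted class. Two caveats when reading the escapeString() helpers above: the mysql_* functions were removed in PHP 7.0, and get_magic_quotes_gpc() was removed in PHP 8.0 (magic quotes themselves went in 5.4), so on a current PHP the portable answer is a prepared statement, and password_hash() replaces the md5()/sha1() of the posts.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension.
declare(strict_types=1);

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected result: $what");
    }
    echo "ok: $what\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');

// Constructed sample accounts. Store a password hash, never the password.
$seed = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
foreach ([['alice', 'correct horse'], ['bob', 'battery staple']] as [$u, $p]) {
    $seed->execute([$u, password_hash($p, PASSWORD_DEFAULT)]);
}

// 1. The pattern the posts warn about: user input pasted into the SQL text.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username FROM users WHERE username='" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement with a bound parameter: the value is sent separately
//    from the SQL text and is never parsed as SQL, so no escaping call is needed.
function findUserPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Login built on the same idea: look the user up by bound parameter, then
//    compare the password against the stored hash in PHP rather than in SQL.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$payload = "foo' OR 1=1 --";

// Concatenated, the query reads: ... WHERE username='foo' OR 1=1 --'
// The closing quote is commented out and the OR matches every row.
expect(findUserVulnerable($db, $payload) === ['alice', 'bob'],
    'concatenated query returns every user for the payload');

// Bound, the same bytes are compared as the literal string "foo' OR 1=1 --".
expect(findUserPrepared($db, $payload) === [],
    'prepared statement returns nothing for the payload');

// A legitimate value containing a quote round-trips unchanged through binding.
// Escaping it as well would store a backslash that is not part of the name.
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(["o'brien", password_hash('x', PASSWORD_DEFAULT)]);
expect(findUserPrepared($db, "o'brien") === ["o'brien"],
    'quote in a bound value is stored and read back literally');

expect(login($db, 'alice', 'correct horse') === true, 'valid login succeeds');
expect(login($db, $payload, 'anything') === false, 'payload as username cannot log in');
```

Run it with `php injection_demo.php`; the concatenated lookup returns both seeded users for the payload while the bound lookup returns none, and the `o'brien` row shows that adding an escaping call on top of a bound parameter would only corrupt the data.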
-
I do this script here:
```php
//Assume all variables declared earlier...
while(mysql_connect($host, $user, $pass)) {
    mysql_select_db($db_name);
}
```
I run it on my computer and my computer runs slow... Anyone know why?
-
Yea, if you are using PHP 5, rename the function "connect" to "__construct". So it would be:
```php
function __construct($db_username, $db_password, $db_server_name, $db_db_name) {
```
And to execute:
```php
$database_obj = new DB_OBJECT('username', 'password', 'localhost', 'call_center');
```
I had plenty of trouble grasping the concept of OOP in PHP when I started :\ __construct runs when the class is instantiated. Remember, __construct works only in PHP 5 or above!!