deadonarrival
Everything posted by deadonarrival

  1. Okay, I've mostly solved it... With the above, the URL cleanly redirects to index.php with the variables easily accessible. The obvious problem being that EVERYTHING gets redirected, and I need to ignore certain files. I made a simple regex to ignore .png etc., but with the mod_rewrite then any image in the site with a relative path e.g. img/pic.png is being rewritten to http://site.com/a/b/c/img/pic.png rather than http://site.com/img/pic.png

     I can solve this by adding / to the start of images, but this is a bit counter-intuitive as I'd have to remember to do it every time: that's fine for now while it's just me working on it, but in 6 months I'll forget that and be scratching my head again.

     I've come up with the following which is "nearly there". It works if the URL is site.com/ or site.com/a but not if it goes any further e.g. site.com/a/ or site.com/a/b. Can anybody spot where I'm going wrong?

         ^(/.*/)*(/.*\.(png|css|jpg|jpeg|gif|js)+)$

     I think what I need to do is use regex to split it into three sections, but 2 is turning out to be tricky
     1) /a/b/c/d/e/....ad infinitum
     2) = /img/ subfolder (possibly optional, things can be in root)
     3) = file.png

     My other option is to write some PHP functions for images in order to remove anything after the base site path and write the URL there - i.e. get the location of /site/index.php, strip anything after site/ and add image.png after that. The problem here is as before, in 6 months I'll forget that I have to use the function.
  2. Aha, got it. I found an old post on here documenting when I got it right first time round, back in 2008: http://forums.phpfreaks.com/index.php?topic=198062.msg894306#msg894306

     First up I had to set the Rewrite Base

         RewriteBase /path/to/site/

     Then the rule I used was

         RewriteRule ^/?(.+)$ index.php?values=$1 [L,QSA]

     Which takes http://site.com/a/b/c/ and gives a $_GET['values'] variable which looks like a/b/c/ and can then be parsed by splitting. PHPFreaks, helping me to help myself.
  3. Hey guys, I had a perfect setup for this years ago but lost it in a hard drive crash (it wasn't part of a project, just a test). What I'm trying to do is the standard http://website.com/seo/friendly/urls/ but can't quite get it right. I seem to remember that my system just redirected everything to index.php (invisibly) and PHP did some parsing of the URL to put values into arrays.

     So first up, I need some .htaccess to redirect everything to index.php. I have

         #Rewrite on
         RewriteEngine On
         #If the URL points to a real file/directory, don't redirect
         RewriteCond %{REQUEST_FILENAME} !-f
         RewriteCond %{REQUEST_FILENAME} !-d
         #Send site.com/a/b/c/ to site.com/index.php
         RewriteRule ^/?(.+)$ http://site.com/~user/sitename/index.php?values=$1 [L]

     This works in terms of it gets the values to index.php but has problems:
     1) I have to use a full URL (including http://site.com) because if I just put index.php?values=$1 or /index.php?values=$1 I get 404 errors - this means I can't just move straight over to the production server
     2) It's not invisible - the URL bar no longer shows http://site.com/a/b/c/, it shows http://site.com/index.php?values=a/b/c/

     So I think I'm doing something wrong, and I can't for the life of me remember how I did it last time. I know it's possible, because I definitely remember the end results being that I took it a stage further and had something like http://site.com/page/a.b/1.2/ mapping to index.php and including page.php within that, with $values[a] = 'b' and [1] = [2]

     Any hints/tips/"look here"s/fully working code snippets/"you're an idiot, it's this"s are gratefully accepted
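An added example (not the poster's code) of the PHP side once the RewriteRule from post 2 hands every request to index.php?values=a/b/c/: it splits the value into segments, turns page/a.b/1.2/ into a page name plus key/value pairs as post 3 describes, and only includes a page file that is on a fixed whitelist, so a crafted values string cannot pull in an arbitrary file. The pages/ directory and the page names in ALLOWED_PAGES are assumptions.

```php
<?php
// Added example, not the poster's code: the PHP side of
//   RewriteRule ^/?(.+)$ index.php?values=$1 [L,QSA]
// $_GET['values'] arrives as e.g. "page/a.b/1.2/" and is split here.
declare(strict_types=1);

// Assumption: page files live in ./pages/ and only these names exist.
// The whitelist is what stops values like "../../config" reaching require.
const ALLOWED_PAGES = ['home', 'page', 'news'];

function parse_values(string $values): array
{
    // drop empty segments left by leading, trailing or doubled slashes
    $segments = array_values(array_filter(explode('/', $values), 'strlen'));
    $page = array_shift($segments) ?? 'home';
    $params = [];
    foreach ($segments as $segment) {
        // "a.b" -> $params['a'] = 'b'; a bare segment gets a null value
        [$key, $val] = array_pad(explode('.', $segment, 2), 2, null);
        $params[$key] = $val;
    }
    return ['page' => $page, 'params' => $params];
}

function resolve_page_file(string $page): ?string
{
    // exact whitelist match, not a filesystem check
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $page . '.php';
}

$route = parse_values($_GET['values'] ?? '');
$file  = resolve_page_file($route['page']);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
$values = $route['params']; // "page/a.b/1.2/" gives ['a' => 'b', 1 => '2']
require $file;              // pages/page.php can read $values
```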
  4. Yes. ALWAYS escape user input before putting into your database. Read this
  5. http://uk2.php.net/str_replace str_replace() might work better if you just run it on the one character field. No regex needed.

         $var = str_replace("{char}","{full text}",$var);
  6. Either Javascript, or a meta tag with a redirect after x seconds would do the job too. The advantage being that you don't need Javascript. The downside being that you can only redirect after a set number of seconds, rather than on a user action, and that it's x seconds after the meta loads, rather than the page completion.
  7. Well I've temporarily and partially solved the problem by putting a stat analyser on Wordpress; it's the only thing on the server right now anyway. When I add more I'll have to look at ActivePerl - does it not need a webserver on the computer? i.e. it runs with just ActivePerl and AWStats?
  8. First, apologies if this is in the wrong place - nowhere quite seems to fit. Okay, basically I need a raw stat/log analyser that I can run on my home PC after downloading the logs. My host only lets AWStats run once per day, which is useless to me at the moment. They won't increase it, so my only option is to try and get an analyser to run off-server. Any suggestions? Thanks ~Jon
  9. Netbeans looks okay, but they need to get it into an all-in-one package instead of sending me off to install bits of java runtime environments and development kits. If I cared about Java, I wouldn't be coding in PHP would I?
  10. No, you can store any timestamp, and just convert it to the date. If you need the due date to be in the format 0000-00-00 just use the date("Y-m-d",$timestamp) where $timestamp is the value from the database. If you need to change the value in the database by using a string, just use $timestamp = strtotime("0000-00-00"); Which will return the timestamp for a given date. You can also enter things like 01 Jan 2008 etc. But if you specify 0000-00-00 it has to be in the format YYYY-MM-DD.
  11. Whoops, looked at the w3schools (first Google result for stristr) instead of php.net. I think that's perfect, thank you!
  12. Hmm, never seen that before - nice suggestion. But if I need to use it as if(function(regex,$str)){} will it still return true? Since it returns the remainder of the string?
  13. 448191 - it sums it up, assuming you know and understand the terms "Encapsulation" and "Static coupling"
  14. I need it to find the word, but be case-insensitive and find the word within other words as well. Is it just a case of using substr() on the second argument and using /\bword\b/i ?
  15. Static works okay if you only want ONE of an object. But what if you want two different database connections? db::query(); won't be so useful when you want to have two separate connections, but $main->query(); and $archive->query(); and $logs->query(); can be handy. Also, you don't always want people to be able to access your functions directly. Fair enough when it's your own code you can just not use them, but what when you want people to make their own modules for your CMS, for example? If they can just use auth::get_password(); they've got your user's password... but if you make them use $auth->is_logged_in() and have the get_password() function private, along with the password variable, then the users can only check if they're logged in, not see the password.
  16. I just need the regex to find a whole word within a string. E.g.

         $string = "then he said hello to me";
         $word = "hello";
         if(_regex here_) {
             //$word is in $string
         } else {
             //$word is not in string
         }

     I'm completely clueless with regex. Is it just something like preg_match("^(.*)$word(.*)$",$string); ?
  17. There is a speed penalty, but on each single page load it's not a huge difference. You have the added overhead of extra queries, but it's offset to an extent by the fact that each query is simpler and faster. One worry is the extra traffic between the http and mysql servers - if you're not using persistent connections, now might be the time to start! I'd suggest that you aren't doing too much harm by splitting the queries up - it's like the people who test 5 million prints against 5 million echos - even if one is faster, nobody really cares that much. Your users won't notice the thousandths of a second. Think of it this way, one page load might be significantly slower than another just due to their connection and increased traffic. Their connection will make far more fluctuation than your switching methods.
  18. No, they can say it... All I'm doing is making sure that they can't actually inject SQL, and logging any instances where people do use one of those terms. If valid, the variable will be used as normal - but admins will hopefully be able to catch the people doing it, and find out where exactly they're targeting. A quick glance down the list of logs will quickly show up any SQL statements. The fields aren't personal information such as personal messages, so there's no invasion of privacy. It's usually monetary values or short strings.
  19. No, I know how to prevent SQL injection, what I want to do is log attempts at it. I'm helping a fella out with a website which was poorly coded to start with, and has been the victim of some SQL injection. I'm in the process of finishing sanitizing all user input, but he'd really like to find out who is doing it. Simply, I want to check each submitted variable and see if it contains any of the keywords likely to be used during injection attacks - then log the information if it does. Then an admin can trawl through and see if any were actual directed attacks. All I need is something to check if a given value contains one or more of an array of words. Walk through the POST array, and see if any contain one of the bad things. If they do, store the username, IP etc. to a log table in mysql. But it has to do it without worrying about the exact layout. I'm just looking for, for example, the word "UPDATE" anywhere within a string.
  20. I thought of exploding it, but the problem is that there's nothing to say they'll leave the convenient spaces in... Javascript, for example, can work with virtually no white spaces, and I've not tested it but I'd imagine SQL allows UPDATE`table`SET`key`='val`WHERE`key`='val' Is the best thing to do a preg_match?
  21. Store the timestamp, then if you need it as yyyy-mm-dd just use date("Y-m-d",$timestamp); Timestamps are easiest to do sums/comparisons with, and it's easy enough to use the date function to convert it into a datetime. I prefer to use date("Y-m-d H:i:s",$timestamp); which produces 2008-08-06 23:25:10 or similar. Note that if you have users in both America and England (or other countries with different formats) it often makes sense to change the month to a string. So 06 Aug 2008. It's just a bit easier to work out, and avoids confusion in the first 12 days of a month
  22. They aren't, I'm retrofitting this sanitization/logging over someone else's script. I'll pseudo what I think my method will be though:

         badwords = array(-some bad words such as update, select, javascript, session)
         foreach(post variable as key->value) {
             key = sanitise(value)
             if(the variable contains any of the bad words) {
                 insert the username, ip, script, field and value into the log table
             }
         }

     I really just need to work out how to check if the variable contains any of the forbidden words in the array
  23. I'm intending to do some sanitising of user input, and also logging of certain contents of text boxes. Essentially I want to take the $_POST array, walk through the variables and see if certain keywords, such as JAVASCRIPT: <script> UPDATE INSERT SELECT DROP or any of a dozen other SQL/XSS related keywords, are present. Could anyone suggest a decent way of seeing if each word is in the variable, without using a dozen preg_match or similar functions for each variable? Or rather, how would you go about it? (Also, if anyone has any suggestions for words to check for, that'd be great)
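An added example (not the poster's code) of the logging described in posts 19, 22 and 23, which also answers the whole-word question from posts 14, 16 and 20: one alternation pattern built with preg_quote(), matched case-insensitively on word boundaries so "selection" does not trip "select" but UPDATE`table` still does, run over $_POST, with each hit written to a log table through a prepared statement. The injection_log table, its columns and the keyword list are assumptions.

```php
<?php
// Added example, not the poster's code: flag $_POST values that contain any
// of a list of SQL/XSS keywords and record them for an admin to review.
// Whole-word matching (\b) keeps "selection" from tripping "select" and
// still catches UPDATE`table` where no space follows the keyword.
declare(strict_types=1);

// Plain English words like "update" will appear in legitimate input; the
// log is a tripwire for review, not a filter that rejects the request.
const SUSPECT_WORDS = ['update', 'insert', 'select', 'delete', 'drop',
    'union', 'script', 'javascript', 'onerror'];

function build_pattern(array $words): string
{
    // preg_quote() so a word with regex metacharacters cannot break the pattern
    $quoted = array_map(fn (string $w) => preg_quote($w, '/'), $words);
    return '/\b(' . implode('|', $quoted) . ')\b/i';
}

// Returns the distinct keywords (lowercased) found in $value, [] if none.
function find_suspect_words(string $value, string $pattern): array
{
    if (!preg_match_all($pattern, $value, $m)) {
        return [];
    }
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

// Assumption: a table injection_log(username, ip, script, field, value, words).
// Returns the number of fields that were logged.
function log_suspicious_post(PDO $db, array $post, string $script, string $user, string $ip): int
{
    $pattern = build_pattern(SUSPECT_WORDS);
    $stmt = $db->prepare('INSERT INTO injection_log
        (username, ip, script, field, value, words) VALUES (?, ?, ?, ?, ?, ?)');
    $logged = 0;
    foreach ($post as $field => $value) {
        if (!is_string($value)) {
            continue; // array fields (checkbox groups) are skipped here
        }
        $hits = find_suspect_words($value, $pattern);
        if ($hits === []) {
            continue;
        }
        // bound parameters: the logged value cannot itself inject into the log
        $stmt->execute([$user, $ip, $script, (string) $field, $value, implode(',', $hits)]);
        $logged++;
    }
    return $logged;
}
```

Call it from the retrofitted script after the existing sanitising, e.g. log_suspicious_post($db, $_POST, $_SERVER['SCRIPT_NAME'], $username, $_SERVER['REMOTE_ADDR']), where $db is the site's PDO connection and $username the logged-in user (both assumed).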