fortnox007

Posts posted by fortnox007

  1. No problem Pikachu,

    I am already extremely thankful for your help.

    I added the following to suppress this, but it's not extremely nice looking:

    $query = htmlentities(preg_replace("/^[(][0-9]+[)]$/", "", $_POST['query']), ENT_QUOTES);

    Damn wind Ho's! ::)

    Thanks a lot for the help, really appreciate it.

    P.S. I'll test this on a Unix machine to see what happens :D

  2. I just tested this; it only happens in the above composition with these 3 files.

    I am running:

    PHP Version 5.3.1

    System: Windows NT LAPTOP 6.0 build 6002 (Windows Vista Home Premium Edition Service Pack 2) i586
    Build Date: Nov 20 2009 17:20:57
    Compiler: MSVC6 (Visual C++ 6.0)
    Architecture: x86
    Configure Command: cscript /nologo configure.js "--enable-snapshot-build"
    Server API: Apache 2.0 Handler
    Virtual Directory Support: enabled
    Configuration File (php.ini) Path: no value
    Loaded Configuration File: C:\php.ini
    Scan this dir for additional .ini files: (none)
    Additional .ini files parsed: (none)
    PHP API: 20090626
    PHP Extension: 20090626
    Zend Extension: 220090626
    Zend Extension Build: API220090626,TS,VC6
    PHP Extension Build: API20090626,TS,VC6
    Debug Build: no
    Thread Safety: enabled
    Zend Memory Manager: enabled
    Zend Multibyte Support: disabled
    IPv6 Support: enabled
    Registered PHP Streams: https, ftps, php, file, glob, data, http, ftp, compress.zlib, compress.bzip2, phar, zip
    Registered Stream Socket Transports: tcp, udp, ssl, sslv3, sslv2, tls
    Registered Stream Filters: convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, zlib.*, bzip2.*

  3. :shrug: I have no idea what I am doing wrong, but with the above setup I get the same result. It must have something to do with that include stuff. This is how I put your code in mine:

    if (isset($_POST['submit']) && !empty($_POST['query'])) {
        $query = $_POST['query'];
        //$query = "SELECT username, password, study FROM users";
        echo 'The following string was inserted into the DB: ' . htmlentities($_POST['query'], ENT_QUOTES);
        // process query
        $result = mysqli_query($dbc, mysqli_real_escape_string($dbc, $query));
        if (!$result) {
            echo 'error executing query ' . mysqli_error($dbc);
        } else {
            echo 'total rows: ' . mysqli_num_rows($result);
        }
    }

    Should I reinstall XAMPP maybe?

  4. Sorry Pikachu, confusing you is the last thing I want.

    What I want is a simple form where I can insert a query, which will be executed (just for testing).

    Now I would like that query to be shown after I type it. So I thought, since it's user input, I should not only sanitize the query that goes to the database, but also the query that is shown on my screen. I am just trying to learn this and I want to be certain no one can, for instance, mess up my site with those little pop-ups.

    So, very simply: a form to insert a query, and after submit you see your query and it is sanitized. But when I use the include stuff above it allows the pop-ups, which I don't want.

  5. No, I didn't solve it at all :'(

    I am totally confused, because I thought this was the right way to sanitize, but for some reason I still get the pop-up when I insert the following while using the scripts above (so that is index.php, dbconnect.php and simpleform.php):

    <script>alert(somenumbers)</script>

     

  6. WTF??? Is this really true?

    Try to echo without anything else:

    $string = '<script>alert(10101010101010101)</script>';

    echo 'string = ' . htmlspecialchars($string) . '<br />';

    You get a pop-up?? WTF

    Edit: hmm, that is not totally true; somehow my script above allows this to happen...

  7. OK, this is what I have:

     

    index.php

    <?php error_reporting(E_ALL);
    ini_set("display_errors", 1); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
            
            <link type="text/css" rel="stylesheet" href="css/style1.css" />
           
            <title></title>
        </head>
        <body>
                        <div id="content">
                            <?php   require_once 'functions/dbconnect.php';
                                         include 'forms/simpleform.php';
                            ?>
                        </div>
        </body>
    </html>
    

     

    dbconnect.php

    <?php

    // credentials
    $hostname = 'host';
    $username = 'user';
    $password = 'pass';
    $database = 'db';
    // connector
    $dbc = mysqli_connect($hostname, $username, $password, $database)
        or die('unable to connect to database, please try again later');
    //var_dump($dbc);

    // query
    if (isset($_POST['submit']) && !empty($_POST['query'])) {
        $query = $_POST['query'];
        //$query = "SELECT username, password, study FROM users";
        echo 'query: ' . filter_var($query, FILTER_SANITIZE_SPECIAL_CHARS) . '<br />';
        // process query
        $result = mysqli_query($dbc, mysqli_real_escape_string($dbc, $query));
        if (!$result) {
            echo 'error executing query ' . mysqli_error($dbc);
        } else {
            echo 'total rows: ' . mysqli_num_rows($result);
        }
    }
    ?>

    simpleform.php

    <form action="<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>" method="post">
        <input type="text" name="query" value="" size="150"/>
        <input type="submit" name="submit" value="submit" />
    </form>
    

     

     

    Edit: this is extremely weird. When I insert as query in the form

    <script>alert(1)</script>

    you will get a pop-up.

    When I do

    <script>alert('1')</script>

    you don't... WTF?

  8. Hi all, I can't find anything about this, but maybe someone knows.

    The code below works as it should, except when it is being included; for some reason the filter function doesn't work and I get a pop-up... :shrug:

    $string = "<script> alert('koekoek')</script>";

    echo 'string = ' . filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) . '<br />';

    Edit: the string is normally retrieved from a $_POST['var'] like:

    $query = $_POST['query'];

    echo 'query: ' . filter_var($query, FILTER_SANITIZE_SPECIAL_CHARS) . '<br />';

    and that's when it seems to not work when included.

    Edit 2: Now I changed the code a bit and put the filter function before echoing it, and then it works... May I assume that it should not be used in the echo directly?

    $query = filter_var($_POST['query'], FILTER_SANITIZE_SPECIAL_CHARS);

    echo $query;
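An added example for posts 3, 7 and 8 (editor's code, not from the thread). In the code posted there the submitted query is HTML-encoded before it is echoed, but the return value of mysqli_error($dbc) is echoed as-is. MySQL's parse-error message quotes the unparsed remainder of the statement, so a submitted <script>alert(1)</script> comes back through the error message unencoded, and after mysqli_real_escape_string() the quoted variant arrives as alert(\'1\'), which is not valid JavaScript; that matches the behaviour described in post 7. The block puts the posted pattern beside one that encodes every dynamic string at the point it is written into HTML, and shows where mysqli_real_escape_string() does and does not belong. It assumes PHP 7 or newer; the error text is a constructed sample modelled on the shape of MySQL's message, and the users/study names are taken from the commented-out query in the post.

```php
<?php
// Added example, not code from the original thread. Assumes PHP >= 7.0.
declare(strict_types=1);

/**
 * HTML-encode a string for the document body or a quoted attribute.
 * ENT_QUOTES covers both quote styles (needed inside attributes);
 * ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning ''.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The pattern from the thread: the query text is encoded, but the database
 * error message, which repeats part of that same query, is concatenated
 * into the page untouched. That second output sink is where the script
 * tag gets through.
 */
function renderVulnerable(string $query, ?string $dbError): string
{
    $out = 'query: ' . filter_var($query, FILTER_SANITIZE_SPECIAL_CHARS) . '<br />';
    if ($dbError !== null) {
        $out .= 'error executing query ' . $dbError;   // raw, attacker text inside
    }
    return $out;
}

/**
 * Hardened: every dynamic string goes through h() at the point it is
 * written into HTML, whatever its origin (POST data, DB error, DB row).
 */
function renderHardened(string $query, ?string $dbError, int $rows = 0): string
{
    $out = 'query: ' . h($query) . '<br />';
    if ($dbError !== null) {
        $out .= 'error executing query: ' . h($dbError);
    } else {
        $out .= 'total rows: ' . $rows;   // integer, nothing to encode
    }
    return $out;
}

/**
 * mysqli_real_escape_string() is for string *values* spliced into SQL, not
 * for a whole statement: escaping "SELECT 'a'" gives "SELECT \'a\'", which
 * fails to parse. For values, bind parameters instead. Table and column
 * names are taken from the thread's commented-out query (assumption).
 */
function countUsersByStudy(mysqli $dbc, string $study): int
{
    $stmt = $dbc->prepare('SELECT COUNT(*) FROM users WHERE study = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbc->error);
    }
    $stmt->bind_param('s', $study);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// Constructed sample: the shape of MySQL's parse-error message, which quotes
// the unparsed remainder of the statement. Live code gets this string from
// mysqli_error($dbc) after a failed mysqli_query().
$payload = '<script>alert(1)</script>';
$sampleError = 'You have an error in your SQL syntax; check the manual that '
    . 'corresponds to your MySQL server version for the right syntax to use near '
    . "'" . $payload . "' at line 1";

echo renderVulnerable($payload, $sampleError), "\n";
echo renderHardened($payload, $sampleError), "\n";
```

Run it with the php command-line binary and compare the two lines: the first still contains a literal script tag inside the error text, the second has every <, >, ' and " as an entity. The same helper belongs around $_SERVER['PHP_SELF'] in the form's action attribute, since on servers that accept path info that value carries caller-supplied text as well.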
    

  9. Is this maybe something? I haven't tested it, but the idea is that it should group the URLs according to the end part, after having them grouped.

    $query = "select your_url from your_table group by your_url having your_url REGEXP '(/|//|///).[a-z]{3,4}$'";

    But I would love to hear from some expert about this.

  10. Uhm, well, it's kind of hard to see what is going wrong without seeing source code and stuff. (Did you notice my edit above, btw?)

    Maybe instead of putting the div in your echo (which should normally work), try the following.

     

    your index.php

    <?php error_reporting(E_ALL);
    ini_set("display_errors", 1); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />       
            <title></title>
        </head>
        <body>
            <?php include 'yourfile.php'; // without already echoing it ?>
            <div id="wrapper">
                <div id="header">
                    
                </div>
                <div id="content">
                    <?php echo $your_variable_from_your_includefile; //this could be a spot where you echo the variable (= your box) ?>
                </div>
                <div id="footer">
                    
                </div>
            </div>
        </body>
    </html>
    

    As you can see, a simple mark-up as a framework, with an include of your processing or function file. Notice my comment that you don't want the echo there; you assign the value you'd like to output to a variable, which you eventually output in the spot you choose. That way you keep it clean.

    Add some CSS in an external stylesheet and this should just work, if that processing or function file worked before. I assume that worked before, right? Also notice the stuff at the top of the script: we want full error reporting when testing files.

  11. If I understand you, this is a layout problem, right? At least that's what I make of it when you say 'it stays at the top' (PHP doesn't do anything with that).

    Maybe put a container div around the stuff you echo, give it an #id, and position it like you normally would with CSS.

    I don't really see what PHP has to do with this, as far as echoing the stuff out.

     

    So in other words, do the following.

    In the PHP file:

    echo '<div id="my_table">'.$this->ObjectTable().</div>';

    In the CSS file:

    div#my_table{
    float:left; /* in case you want it to be floated left but depends on your template */
    }
    

     

    But I can really recommend you stop using those inline styles and start using an external stylesheet.

    I made a little error in my code above; it should be

    echo '<div id="my_table">'.$this->ObjectTable().'</div>';

    instead of

    echo '<div id="my_table">'.$this->ObjectTable().</div>';

     

  12. Start a topic in the CSS forum and I'll help you position it. I can't move this post :)

    - Edit: and if this is your layout PHP (also referred to as a template), use only the HTML mark-up and strategically place includes and echos as if they were modules.

     

     

  14. Morning :)

    You say it must return: EN4 1PP, EN5 6RT, EN7 3OL, etc.

    If your search should only look at the first 2 characters of the word, try out regular expressions. There are quite a few, so use the proper one. But for this one, where it should look at the first 2 characters not knowing what comes behind, maybe try:

    SELECT email FROM treesurgeons WHERE postcode REGEXP '^$code'

    Have a look here for more stuff about it: http://dev.mysql.com/doc/refman/5.1/en/regexp.html

    Maybe the following could also work, haven't tested it though: [[:<:]]

    SELECT email FROM treesurgeons WHERE postcode REGEXP '[[:<:]]$code'
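An added example for the postcode lookup above (editor's code, not the poster's). REGEXP '^$code' interpolates $code straight into the SQL string, so whatever supplies $code can change the statement, and any regex metacharacter in it changes the pattern. The block keeps the table and column names from the post (treesurgeons, email, postcode), assumes a mysqli connection in $dbc and PHP 7 or newer, validates $code against an allowlist, and then binds it as a parameter so the anchor is added on the SQL side with CONCAT('^', ?). A second function does the same prefix match with LIKE, which can use an index on postcode, with the LIKE wildcards escaped.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 7.0 and mysqli.
declare(strict_types=1);

/**
 * Accept only what a UK postcode area/district prefix can contain
 * (assumed shape, adjust to your data). The allowlist also keeps regex
 * metacharacters (. * [ | and so on) out of the pattern, so they need
 * no separate escaping.
 */
function validPostcodePrefix(string $code): bool
{
    return preg_match('/^[A-Z]{1,2}[0-9]{0,2}[A-Z]?$/i', $code) === 1;
}

/**
 * Prefix match with REGEXP. The user value never touches the SQL text:
 * it is bound as a parameter and MySQL prepends the anchor via CONCAT().
 */
function emailsByPostcodePrefixRegexp(mysqli $dbc, string $code): array
{
    if (!validPostcodePrefix($code)) {
        throw new InvalidArgumentException('bad postcode prefix');
    }
    $stmt = $dbc->prepare(
        "SELECT email FROM treesurgeons WHERE postcode REGEXP CONCAT('^', ?)"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbc->error);
    }
    $stmt->bind_param('s', $code);
    $stmt->execute();
    $stmt->bind_result($email);
    $emails = [];
    while ($stmt->fetch()) {
        $emails[] = $email;
    }
    $stmt->close();
    return $emails;
}

/**
 * Same match with LIKE. A LIKE with a literal prefix can use an index on
 * postcode, where REGEXP always scans. '%' and '_' are wildcards in LIKE,
 * so they are escaped in the bound value (MySQL's default LIKE escape
 * character is the backslash); the allowlist already excludes them, this
 * is belt and braces for when the allowlist is loosened.
 */
function emailsByPostcodePrefixLike(mysqli $dbc, string $code): array
{
    if (!validPostcodePrefix($code)) {
        throw new InvalidArgumentException('bad postcode prefix');
    }
    $pattern = addcslashes($code, '%_\\') . '%';
    $stmt = $dbc->prepare('SELECT email FROM treesurgeons WHERE postcode LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbc->error);
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($email);
    $emails = [];
    while ($stmt->fetch()) {
        $emails[] = $email;
    }
    $stmt->close();
    return $emails;
}

// Usage (hypothetical credentials; $_GET['code'] stands for the user input):
// $dbc = new mysqli('host', 'user', 'pass', 'db');
// $dbc->set_charset('utf8mb4');
// print_r(emailsByPostcodePrefixLike($dbc, $_GET['code'] ?? ''));
```

Calling set_charset() on the connection matters for anything that still uses mysqli_real_escape_string(), because the escaping is charset-aware; with bound parameters the value is sent separately from the statement and the database never parses it as SQL.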

     

  15. Hi all,

    I just stumbled upon the 'new' filter functions of PHP and I was wondering if someone could maybe recommend me which to use.

    For instance, if I have a script:

    <?php
    $_evilstring = "<script> alert('justin bieber is ruining your sound system')</script>";

    $_clean1 = htmlspecialchars($_evilstring);
    echo 'clean string one = ' . $_clean1 . '<br />';
    $_clean2 = filter_var($_evilstring, FILTER_SANITIZE_SPECIAL_CHARS);
    echo 'clean string two = ' . $_clean2 . '<br />';
    ?>

    Both output exactly the same. Now I was wondering if there might be differences between them. For some reason I would like to use the filter function because the name sounds better, but that of course is not very scientific. Anyone with ideas, maybe performance, speed, wickedness??
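An added example for the question above (editor's code, not the poster's). The two calls render the same in a browser but do not produce the same bytes, and they differ in what they cover: FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes ' " < > & and every byte below 0x20, using numeric entities (&#60; rather than &lt;), while htmlspecialchars() uses named entities, leaves control bytes alone, and before PHP 8.1 did not encode the single quote unless ENT_QUOTES was passed (8.1 made ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 the default). The block runs three candidates over constructed inputs and shows why the single quote matters inside a single-quoted attribute. It assumes PHP 7 or newer.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 7.0.
declare(strict_types=1);

/**
 * The same input through three encoders:
 *  - htmlspecialchars() with default flags (pre-8.1 these did not include
 *    ENT_QUOTES, so a single quote passed through; without ENT_SUBSTITUTE
 *    malformed UTF-8 makes the function return an empty string),
 *  - htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and an explicit
 *    charset, which is the form to use for HTML text and quoted attributes,
 *  - filter_var() with FILTER_SANITIZE_SPECIAL_CHARS, numeric entities,
 *    also encodes bytes below 0x20, does not check UTF-8 validity.
 */
function encoders(string $s): array
{
    return [
        'htmlspecialchars_default' => htmlspecialchars($s),
        'htmlspecialchars_quotes'  => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        'filter_special_chars'     => filter_var($s, FILTER_SANITIZE_SPECIAL_CHARS),
    ];
}

/** Constructed inputs chosen to separate the three encoders. */
function sampleInputs(): array
{
    return [
        'tag'          => "<script>alert('x')</script>",
        'attr_break'   => "' onmouseover='alert(1)",   // only bites inside an attribute
        'control_byte' => "line1\x01line2",
        'bad_utf8'     => "caf\xE9",                     // Latin-1 byte, invalid UTF-8
    ];
}

/**
 * Context decides whether an encoder is enough. Inside a single-quoted
 * attribute, an encoder that leaves ' alone lets the value close the
 * attribute and start a new one. None of the three is suitable for data
 * placed inside <script> or an unquoted attribute; use json_encode() with
 * JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT there, or quote
 * the attribute.
 */
function attributeDemo(string $userValue): array
{
    $out = [];
    foreach (encoders($userValue) as $name => $encoded) {
        $out[$name] = "<input type=\"text\" value='" . $encoded . "'>";
    }
    return $out;
}

function show(string $name, string $value): void
{
    printf("%-26s %s\n", $name, $value === '' ? '(empty string)' : $value);
}

foreach (sampleInputs() as $label => $input) {
    echo "== $label ==\n";
    foreach (encoders($input) as $name => $encoded) {
        show($name, $encoded === $input ? '(unchanged)' : $encoded);
    }
}
echo "\n== attribute context ==\n";
foreach (attributeDemo(sampleInputs()['attr_break']) as $name => $html) {
    show($name, $html);
}
```

Run it under the PHP version you deploy on and read the attr_break row: the encoder that leaves the quote alone produces an input tag with a live onmouseover handler, the other two do not. Whichever function is chosen, the practical rule is the same: encode once, at the point the string is written into HTML, with the flags and charset stated explicitly so the result does not change between PHP versions.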

     

  16. I would first of all recommend you use <?php as the starting tag instead of <?

    And concerning your question: if you open up a PHP file locally without having a server with PHP installed, you will of course see all the code. Install XAMPP, for instance, and run it again.

    I have quite a few php documents that open up just fine off a web server (i.e., I can view the markup on them). It's just when I add that little bit of code at the very top of the php document, the markup no longer becomes visible.

    Well, do as you like and use short tags if you think that is the way to go; I don't mind. About opening stuff in your browser locally without a server running (because that is what you said you did): see my answer again. Post your code, including the stuff you include.

  17. lol, did you see the code you just posted above? :shrug:

    Maybe rewrite the code, leave the styling (CSS) out and put that in an external stylesheet.

    That also makes it easier for everyone to solve what you want.

    Also, I see some weird tags; I assume that is Smarty? If it's a pure Smarty thing I would post that in the right forum, to be honest. This is total abracadabra for anyone not using Smarty.

  18. Well, what I can think of is a database with a table named images where you store the file name of the uploaded images.

    Every time you upload an image, a new row is made in the table.

    Then you make a little PHP script that does a simple select query:

    $query = "SELECT * FROM images ORDER BY image_ID DESC LIMIT 0,23";

    Does this help a little?

    Edit: the table could look like this

    image_ID | image_name | timeperhaps
    ---------+------------+------------
    0        | lalala.jpg | xxxxxx
