Jump to content

fortnox007

Members
 View Profile  See their activity

  • Posts

    783

  • Joined

  • Last visited

    Never

 Content Type 

Posts posted by fortnox007

    i know this is another stupid question, but i'm tired and can't find it

    in PHP Coding Help

    Posted 

    <?php
$result = mysql_query ("SELECT genre FROM genres ORDER BY genre");


	while ($row = mysql_fetch_row($result)) {
	    echo "<tr>";
		for ($i =0; $i<5; i++) {
		foreach ($row as $genre)
     		  echo "<td><input type='submit' name='listMovies' value='" .$genre ."'></td>"; 

	}	 

echo "</tr>";
}
?>

     

    ok i'm getting a single line of submit buttons for this output. i want there to be 5 buttons in a row.  it seems like i have done this before with the for loop i have, but something is not working right.  i know it will have to be a for loop, i just can't figure out where to start it.  i know there are 1000 different ways to get the buttons on the screen, but i want to do it with the submit buttons.  the best i can get is 5 columns of the same thing i'm outputting now.

     

    thanks in advance, i know this is a no-brainer.  i just don't have a brain atm

     

    i assume you have <table>  before this php code and </table> after it?

    Unable to retrieve ID number using $_GET

    in PHP Coding Help

    Posted

    Hi guys,

     

    Currently I am editing profiles online and get it updated in my database.

     

    And when user has successfully updated his/her profile, they will be directed to a link

    echo '<p>Your profile has been successfully updated. Would you like to <a href="viewprofile.php?tutor_id=' . $_GET[$row['tutor_id']] . '">view your profile</a>?</p>';

     

    As you can see, I have set tutor_id=' . $_GET[$row['tutor_id']] . ', which I personally know is incorrect to code it in this manner. May I know how do I code in a way where I can achieve something like this...

    www.abc.com/viewprofile?tutor_id=12343

     

     

    The value which currently I receive is www.abc.com/viewprofile?tutor_id='blank'

    <?php
if (!$error) {
      if (!empty($tutor_id) && !empty($name) && !empty($nric) && !empty($dob_day) && !empty($dob_mth) && !empty($dob_year) && !empty($gender)) {
        
	// Only set the picture column if there is a new picture
	if (!empty($new_picture)) {
		$query = "UPDATE tutor_profile SET name = '$name', nric = '$nric', dob_day = '$dob_day', dob_mth = '$dob_mth', dob_year = '$dob_year',  
		gender = '$gender', picture = '$new_picture' WHERE tutor_id = '$tutor_id' ";
	}
	else {
          $query = "UPDATE tutor_profile SET name = '$name', nric = '$nric', dob_day = '$dob_day', dob_mth = '$dob_mth', dob_year = '$dob_year',  
	  gender = '$gender' WHERE tutor_id = '$tutor_id' ";
        }

	mysqli_query($dbc, $query)
	or die(mysqli_error($dbc));

        // Confirm success with the user
        echo '<p>Your profile has been successfully updated. Would you like to <a href="viewprofile.php?tutor_id=' . $_GET['tutor_id'] . '">view your profile</a>?</p>';

        mysqli_close($dbc);
        exit();
?>

     

    your $tutor_id  doesn't get a value same is for $_GET['tutor_id'] if i look at the script above. so the whole script that starts with

    if (!empty($tutor_id)......etc will not be executed.

    Also the echo is outside the if statement, so it's not a confirmation of succes it's just an echo.

     

    Don't you have some more code besides the above?

    filter PHP_SELF

    in PHP Coding Help

    Posted

    wicked that little explanation already gave me a headstart.

    Thanks alot! I'll certainly will sanitize everything, but i find things easier to remember ones i understand it. And because most explanation have that little 'xss here' snippet i never really understood what the fuzz was all about. Those sneaky people just send victims a link to a trusted site.

     

    Thanks guys for helping me understand this.

    ::)

    filter PHP_SELF

    in PHP Coding Help

    Posted

    You just need to encode the potentially harmful characters, such as double/single quotes, greater/less than symbols and ampersands using the htmlspecialchars function. Otherwise you're enabling the user to alter the HTML.

     

    http://www.exploit-db.com/exploits/10512/

     

    http://uk2.php.net/manual/en/function.htmlspecialchars.php

    Thanks for your quick reply,porl

    I am happy to do that, but it still leaves me mind goggling what someone could do to others besides himself. I am not willing to hack r anything, but I just have difficulty understandig this. Because the data doesn't get send to a database or anything it's just the action of the page. and if the page is not correct the action fails.

     

    -edit oh wait i see you linked some extra info, i am going to read that right away thank you.

    -edit 2 lol i read the first one and i think i am just not made for this, lol i think i am going to buy a book on this, because this is total abracadabra for me.

    filter PHP_SELF

    in PHP Coding Help

    Posted

    hi all i just read an article at http://www.phpro.org/tutorials/PHP-Security.html

    about not trusting server variables like $_SERVER['PHP_SELF']

     

    so they explain, it can't be trusted and so on, but when it comes to a real life example i have difficulty understandig what someone could do with it since i assume it only has effect at client side.  they use a form and say that

    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
   ...
</form>

     

    They give as example that someone could do the following: add

    <script>alert("XSS HERE");</script>

    But i don't see how that would have effect to anyone except for the one that inserts that.

    Could someone maybe explain this a little to me.

    feeling a little stupid

    in Regex Help

    Posted

    hehe your awesome! I already thought that would be the name of it (because you mentioned it sneaky in the post above this one), just landed on this page:http://www.regular-expressions.info/lookaround.html

     

    Never heard of it, but it sure look nice.

     

    Thanks a lot for the help Crayon, and thanks for showing the array filter way. never seen that either. Bookkmarked it :)

     

    Cheers!

    ::)

    feeling a little stupid

    in Regex Help

    Posted

    thanks alot Crayon Violent,

     

    hehe i made this for someone else, wasn't my idea to be that user unfriendly ::)

     

    oh I didn't forget that someone could have ie. Aa!aAb1 that's why i got here, because i wasn't able to figure out how to match also that.

     

    but the function you madecould you maybe review my comment? because i hoped it was easy to do with a single pattern.

    function validatePassword($password) {
  preg_match_all('~([a-z])|([A-Z])|([^a-zA-Z])~',$password,$matches);
  if (
    (count(array_filter($matches[1]))>1) && //if part 1 has more than 1 occurences: part is the stuff between ()
    (count(array_filter($matches[2]))>1) && //if part 2 has more than 1 occurences
    (count(array_filter($matches[3]))>1) //if part 3 has more than 1 occurences
  ) return true; 
  return false;
} // end validatePassword

     

     

    -edit: oh i just looked in a regex library and i saw someone using this (?=.*[a-z]) where i am particularry interested in ?=.* i have a feeling this could help with the above in some way. look this is wwhat someone made 

    ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$

    feeling a little stupid

    in Regex Help

    Posted

    Hi all, i just helped someone in the php part with a form to check if a password contains some stuff (2 Uppercase 2 lowercase 2 special character or number). so i reccomended to use regex and came up with the following, but it seems it requires that exact same order so not perfect.

    preg_match('~[A-Z]{2,}[a-z]{2,}[^a-zA-Z]{2,}~',$password)

    I thought when leaving out the ^ at the start and $ at the end the order wouldn't matter, but it seems it does.

    any ideas?

    Password Validation

    in PHP Coding Help

    Posted

    maybe try this out i used regular expresions for it.

     

    <body>
        <?php
        if (isset($_POST['submit'])&& !empty($_POST['password'])){ // simple check if pressed submit and value of password is not empty
            $password = $_POST['password']; //assign value of form value to php variable

            if(preg_match('~[A-Z]{2,}[a-z]{2,}[^a-zA-Z]{2,}~',$password)){ //atleast 2 uppercase 2 lowercase 2 special character or number
                echo 'nice password';
            }else{
                echo 'password must contain bla bla bla';
            }
        }else{
            echo 'enter a password'; //default message
        }

        ?>
        <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
            <input type="text" name="password" value="" />
            <input type="submit" name="submit" value="submit" />
        </form>

    </body>

    the nice thing about regular expression is is that you can also use them exactly the same in javascript to give some extra cool realtime validation (but that's just as an extra, never rely on client side validation)

    there is a slight error in my regex because it reuires that exact order :) but i hope you get the idea.

    Password Validation

    in PHP Coding Help

    Posted

    maybe try this out i used regular expresions for it.

     

    <body>
        <?php
        if (isset($_POST['submit'])&& !empty($_POST['password'])){ // simple check if pressed submit and value of password is not empty
            $password = $_POST['password']; //assign value of form value to php variable

            if(preg_match('~[A-Z]{2,}[a-z]{2,}[^a-zA-Z]{2,}~',$password)){ //atleast 2 uppercase 2 lowercase 2 special character or number
                echo 'nice password';
            }else{
                echo 'password must contain bla bla bla';
            }
        }else{
            echo 'enter a password'; //default message
        }

        ?>
        <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
            <input type="text" name="password" value="" />
            <input type="submit" name="submit" value="submit" />
        </form>

    </body>

    the nice thing about regular expression is is that you can also use them exactly the same in javascript to give some extra cool realtime validation (but that's just as an extra, never rely on client side validation)

    Security help

    in PHP Coding Help

    Posted

    banning people by computer is impossible at least i hope, because if not it would also be an extreme privacy breach.

    Did you try anything like a captcha or stuff? What maybe also is a solution is to verify accounts. if an account is verified there posts become visible and otherwise they need moderation. I pretty much assume, that ones the bad guys see their post are not shown at all, they will find another victim. besides that normal users can have a verified sign on there account which might even make them happy. :) This last solution might seem pretty intensive, but it wont give spammers the opportunity to get free marketing.

    Could someone maybe explain what happends here

    in Javascript Help

    Posted

    Hi all, i am using a little snippet to mimic the hover effect to other elements than A for IE 6 and lower. But since i am a complete noob in javascript i thought i ask some guru's what is happening here. The code is part of the suckerfish menu script.

     

    I made some comments in the script of what i think that happends. but i am not sure. its a wild uneducated guess.

    sfHover = function() { //declare function
var sfEls = document.getElementById(“nav”).getElementsByTagName(“LI”); //assign variable sfEls with the 
                                                                                                 //value of <LI> element in a menu with id #nav
for (var i=0; i
sfEls[i].onmouseover=function() {
this.className+=" sfhover"; // looks like a classname is assigned on mouseover to the LI inside #nav?
}
sfEls[i].onmouseout=function() {
this.className=this.className.replace(new RegExp(" sfhover\b"), ""); // no idea what \b means
}
}
}
if (window.attachEvent) window.attachEvent("onload", sfHover); // no idea either

     

     

    Any explanation would be great, since i rather not implement snippets i don't fully understand.

    pdo security

    in PHP Coding Help

    Posted

    hi php freaks

     

    I am using pdo as the driver for my new app the issue is I can't seem to find a clear answer. I want to sanise the vars that

    are coming  into the database but pdo is suppose to fix all the issues. Is this true what other things do I need to watch for when using pdo they must have some flaws.

     

    Thanks

     

    Just to make sure, even if you use pdo or mysqli_real_escape_string.  Keep in mind that garbage in means garbage out. So make sure you also sanitize on output. And i am not sure if i am correct but mysqli_real_escape_string only makes 1 call to the database, where pdo, make 2 calls. Which is a bit much for a simple non returning select query.

     

    This is what the friends of google give: http://stackoverflow.com/questions/3101307/mysqli-prepared-statements-and-mysqli-real-escape-string

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.