LLLLLLL
Posts: 306
Posts posted by LLLLLLL
-
I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious.
Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ...
sha1( $user_entered_value )
... or some other sort of hashed/encrypted string.
In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever be hashed into something before it is matched... so why would you bother stripping tags? Why bother preventing any "special" characters?
Thoughts?
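As an added example (not code from the original post), the following PHP shows the point the post makes: the password is hashed from its raw bytes, so "special" characters never reach the database or any HTML context, and running strip_tags() first would only change which string gets hashed. It uses password_hash()/password_verify() rather than the bare sha1() mentioned above; the sample password is constructed.

```php
<?php
declare(strict_types=1);

// Hash the password exactly as typed. password_hash() salts it and returns a
// printable ASCII string, so the stored value needs no stripping or escaping
// (bind it as a query parameter like any other data).
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Compare a login attempt against the stored hash in constant time.
function checkPassword(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

// Constructed sample: a password made of exactly the characters that
// "no tags / no special characters" rules try to forbid.
$password = '<div onclick="x">\' OR 1=1 -- &amp; #</div>';

$hash = hashPassword($password);

// Registration stored hash($password); login verifies what the user typed.
printf("exact password verifies:   %s\n", var_export(checkPassword($password, $hash), true));

// If registration had applied strip_tags() first, a different string would
// have been hashed, and whether login works then depends on whether the
// login form strips in exactly the same way. Nothing is gained for safety.
$stripped = strip_tags($password);
printf("strip_tags changed input:  %s\n", var_export($stripped !== $password, true));
printf("stripped password verifies: %s\n", var_export(checkPassword($stripped, $hash), true));

// The hash is safe to store and to display; it contains only [A-Za-z0-9./$].
printf("stored hash: %s\n", $hash);
```

Running this, the exact password verifies and the stripped one does not. One caveat that does justify a length rule (as opposed to a character rule): PASSWORD_DEFAULT is currently bcrypt, which uses only the first 72 bytes of the input, so a form may reasonably cap password length while still accepting any character.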
-
The only Apache setting I know to allow PHP to apply to HTML is AddHandler application/x-httpd-php5 .html
That's already there.
-
This is not the common "I don't know how to set Apache to handle PHP in an HTML file" type of issue. That works. AddHandler application/x-httpd-php5 .html
I don't usually configure things like this, but I'm working with an existing site and I don't really want to make a change to URLs here. (If all else fails I'll just add a rewrite in .htaccess.)
Here are two examples of what's happening:
- I have some files that are PHP, and they include HTML files. The HTML partial files sometimes have PHP code. That code works.
- If I simply try to access somefile.html, and that file includes only PHP code, the raw PHP code will be displayed, instead of being executed as code.
Why would that first bullet point be true if that second one is false?
Again, I wouldn't have structured things how they are structured now, if starting from scratch. I'll probably do something a little bit different but I would like to know, as general knowledge, why the current setup would fail. Does it matter that in one example a PHP code is being called first, where as the other example calls a .html file directly (as opposed to being included)?
-
Yes yes, fine. Why does every PHPFreaks answer have to be some show of chest-thumping? Gosh, I thanked you for your answer. I'm well aware that "the attribute isn't limited to strings and ints", but hey, if you feel better about yourself with your guru-like knowledge-dropping, then congrats.
Again, thank you for your initial response.
-
I'm aware of how strongly typed languages work, and I would write different code. Sometimes weakly-typed languages have advantages. (mp_size has other reasons to be ints)
You're saying that ...
0 == (int)"LARGE"
... when I would have thought that
"0" != "LARGE"
So I guess it's a matter of what gets converted to what, and I was thinking about it the opposite way of what actually occurs. Thanks.
-
class ufo {
    const MP_SIZE_LARGE = 600;
    const MP_SIZE_MEDIUM = 400;
    const MP_SIZE_SMALL = 250;
    const LARGE = 'LARGE';
    const MEDIUM = 'MEDIUM';
    const SMALL = 'SMALL';

    public $mp_size;

    public function desired_width() {
        switch ( $this->mp_size ) {
            case ufo::LARGE :
                return ufo::MP_SIZE_LARGE;
            case ufo::MEDIUM :
                return ufo::MP_SIZE_MEDIUM;
            case ufo::SMALL :
                return ufo::MP_SIZE_SMALL;
            default:
                return 0;
        }
    }
}
So check out the class and function above. What should "desired width" return if mp_size is 0? It makes no sense that the value is anything but 0. Instead, it returns 600. In fact, it will return 400 if I put the "medium" case first. Why would it do that?
The function returns expected values if I put strval() around the mp_size. Can someone explain that? This makes absolutely no sense to me. I can't see how the order of the cases could possibly matter, and I also can't see how any case would be "true" when 0 doesn't equal "LARGE".
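As an added example (not code from the original post), the class below keeps the original loose switch() next to a strict lookup so the difference is visible for several inputs. The behaviour of the loose version depends on PHP version: before PHP 8, 0 == 'LARGE' is true because the string is converted to 0; from PHP 8 on, the comparison converts the number to a string instead and is false. The strict version returns the same result on every version.

```php
<?php
declare(strict_types=1);

class Ufo
{
    const MP_SIZE_LARGE = 600;
    const MP_SIZE_MEDIUM = 400;
    const MP_SIZE_SMALL = 250;
    const LARGE = 'LARGE';
    const MEDIUM = 'MEDIUM';
    const SMALL = 'SMALL';

    /** @var mixed  deliberately untyped, as in the original class */
    public $mp_size;

    // The original logic: switch() compares with ==, so a non-string
    // $mp_size is compared after type juggling.
    public function desired_width_loose(): int
    {
        switch ($this->mp_size) {
            case self::LARGE:  return self::MP_SIZE_LARGE;
            case self::MEDIUM: return self::MP_SIZE_MEDIUM;
            case self::SMALL:  return self::MP_SIZE_SMALL;
            default:           return 0;
        }
    }

    // Strict version: only an exact string key matches, so 0, true,
    // '0' or any other non-listed value falls through to 0.
    public function desired_width_strict(): int
    {
        $map = [
            self::LARGE  => self::MP_SIZE_LARGE,
            self::MEDIUM => self::MP_SIZE_MEDIUM,
            self::SMALL  => self::MP_SIZE_SMALL,
        ];
        return is_string($this->mp_size) && isset($map[$this->mp_size])
            ? $map[$this->mp_size]
            : 0;
    }
}

// Constructed inputs covering the cases discussed in the thread.
$u = new Ufo();
printf("PHP %s\n", PHP_VERSION);
foreach ([0, '0', 'LARGE', 'medium', 'SMALL', true, null] as $value) {
    $u->mp_size = $value;
    printf(
        "%-8s loose=%-4d strict=%d\n",
        var_export($value, true),
        $u->desired_width_loose(),
        $u->desired_width_strict()
    );
}
```

On PHP 7 the loose column shows 600 for 0 (the first case wins, which is why putting MEDIUM first yields 400), while true matches 'LARGE' on every version because any non-empty string is truthy. The same juggling applies wherever == is used on values from a request, which is why comparisons that gate behaviour (including anything resembling an authentication check) should use === or, for secrets, hash_equals().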
-
As I pointed out, browsers don't attempt to do it. Somehow, the browser and the OS decide together. Same version of Chrome does on ChromeOS/Windows, but not Mac.
Sorry that I pointed this out and it might have helped someone.
-
The arrogance on PHP Freaks is why I rarely visit.
-
But... it is a Mac issue.
Chromebook, Chrome on Windows, Firefox, IE, Edge (whatever that nonsense is!) all showed bold without the colon:weight thing. Only Mac did not.
-
I guess PHPFreaks won't let me edit more than once? Indeed, this is a Mac issue: Chrome, Safari, and Firefox on Mac all had the issue.
-
A website user was telling me that text wasn't appearing in bold when the CSS called for font-weight:bold. She's using a Mac desktop, with Safari (and possibly Chrome; I don't have all info yet). The font is Raleway:
<link href="https://fonts.googleapis.com/css?family=Raleway" rel="stylesheet" type="text/css">
From what I was able to find -- no one on Google seemed to have this exact issue -- sometimes Safari won't show bold unless you specifically reference a font for it? Is that right? So the solution seems to be changing the stylesheet reference to:
<link href="https://fonts.googleapis.com/css?family=Raleway:400,700" rel="stylesheet" type="text/css">
This just seems incredibly odd to me. I've never heard of a user having this issue before. Is this known? Is that the actual fix? Am I to assume all browsers on Chromebook (my preferred platform) and Linux and Windows just create an ad-hoc "faux bold" to display, if bold isn't specified?
A lot of questions, but this is just a weird issue, especially since I haven't heard of it until June 2016.
-
It looks like this isn't a mainstream property: https://developer.mozilla.org/en-US/docs/Web/CSS/break-inside
I know how to use Google, thanks. I just didn't use the proper phrases to get me a result.
-
break-inside: avoid-column;
That is quite excellent information. Like I said, I'm new to column-count, so I didn't know little things like this. Quite perfect, thank you!
-
Check out the (very incomplete new) website at http://mainlypiano.com/artists
I'm using column-count of 3 (or 2 based on responsive size).
On a normal desktop screen, you can type artist text in the search box, and the filter works just fine. The results stay in the columns and that's just fine. But if the screen is narrower (about 660px, for example) and you search for one of the longer names...
- fiona
- saen
... you'll see that the ONE entry that is available has its text split over the two columns. I don't want that. I'm also curious why the text of the second column displays higher than the first column text after typing those names.
Not sure what I can do to make the text stay in one column. The A element is already a BLOCK style, so why the heck would it wrap into that column?
I don't do much with column-count, but I don't know why it would be special. Or especially weird.
Ideas? Thank you.
-
I have requirements from a client for a code repository, or just a file repository, and I'm not sure that I can find one that matches. Here's what's needed:
- A way to upload files directly, either with FTP or via browser. No git commands, etc.
- A way to search those files (filenames and text within files) from the browser
- A way to compare files (preferably between two folder roots and including all subfolders/files) from the browser
I think that's it. A bonus would be to upload a zip and be able to unzip it on the server, but that seems like a stretch.
Does something like this exist?
-
FWIW: I've found that the easiest way to make the code clean when mixing HTML and PHP is to keep the entire page in PHP and echo the output at the bottom:
<?php
// includes, sessions, etc.
// some logic here. call functions, db, set variables, etc.
$a = 'some text result';
$b = '<div>some other div or something</div>';
$c = 'blah blah';

echo '
<html>
<div>This is the greatest website ever because ' . $a . ' and yada. ' . $b . '</div>
<div>Some text div</div>
' . $c . '
</html>
';
?>
For me, it makes things much easier to read because there's just one HTML blob. The downside of this of course is inserting all the strings into the blob. The alternative is similar, where you get all the variables at the top and then put raw HTML below the closing PHP, with some <?php echo $a ?> type tags in that. Of course if you're actually using includes as you displayed then using variables isn't as helpful.
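As an added example (not code from the original post), this keeps the "build one HTML blob and echo it" layout while passing each inserted value through an escaping helper, which is the part the pattern makes easy to forget. The values and the e() helper are constructed for this example.

```php
<?php
declare(strict_types=1);

// Escape a plain-text value for an HTML text node or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same structure as the blob pattern: logic first, one string at the end.
// Every dynamic value goes through e(); only literal markup is written raw.
function renderPage(array $vars): string
{
    return '
<!DOCTYPE html>
<html>
<body>
<div>This is the greatest website ever because ' . e($vars['reason']) . ' and yada.</div>
<div>' . e($vars['note']) . '</div>
<a href="/profile?user=' . rawurlencode($vars['user']) . '">' . e($vars['user']) . '</a>
</body>
</html>
';
}

// Constructed values standing in for data read from the DB or the request.
$vars = [
    'reason' => 'it is <b>free</b> & open',
    'note'   => '<script>alert(1)</script>',
    'user'   => 'ann o\'neil "quoted"',
];

echo renderPage($vars);
```

The URL in the href uses rawurlencode() rather than e() because that slot is a query-string parameter, not HTML text; each context needs its own encoder. If a value is genuinely a pre-built, trusted HTML fragment (the $b case above), name it so at the call site and keep it separate from anything that came from a user.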
-
Can I rely on the $_SERVER variable of HTTP_ACCEPT_LANGUAGE to get the language of the browser? I know that some browsers don't send things the same way, and even some servers may not use all variables. Is this the most common way to determine the user's language? Is there another or more preferred way?
Thank you.
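As an added example (not code from the original post), here is a small Accept-Language parser and negotiator. The header is client-supplied, so the code treats it as untrusted: malformed entries are dropped, q-values are parsed rather than trusted, and only a locale from the server's own supported list is ever returned, which keeps the value safe to use in file names, lookups or queries. The supported list and sample headers are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Parse an Accept-Language header into [language-tag => q], highest q first.
 * Entries that are not well-formed tags are ignored.
 */
function parseAcceptLanguage(string $header): array
{
    $result = [];
    foreach (explode(',', $header) as $part) {
        $pieces = array_map('trim', explode(';', $part));
        $tag = strtolower((string) array_shift($pieces));
        // Language tag shape: letters, then optional hyphenated alphanumeric subtags.
        if ($tag !== '*' && !preg_match('/^[a-z]{1,8}(-[a-z0-9]{1,8})*$/', $tag)) {
            continue;
        }
        $q = 1.0;
        foreach ($pieces as $param) {
            if (preg_match('/^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/i', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($q > 0) {
            $result[$tag] = $q;
        }
    }
    arsort($result);
    return $result;
}

/**
 * Choose a locale from $supported for this header, or $default.
 * Because only members of $supported are returned, the header can never
 * smuggle an arbitrary string into the application.
 */
function negotiateLocale(?string $header, array $supported, string $default): string
{
    if ($header === null || trim($header) === '') {
        return $default;
    }
    $byLower = array_combine(array_map('strtolower', $supported), $supported);
    foreach (parseAcceptLanguage($header) as $tag => $q) {
        if ($tag === '*') {
            return $default;
        }
        if (isset($byLower[$tag])) {
            return $byLower[$tag];
        }
        // Fall back to the primary subtag: "fr-ca" -> "fr".
        $primary = explode('-', $tag)[0];
        if (isset($byLower[$primary])) {
            return $byLower[$primary];
        }
    }
    return $default;
}

// Constructed samples; in a request you would pass $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? null.
$supported = ['en', 'fr', 'de-CH'];
$samples = [
    'fr-CA,fr;q=0.8,en-US;q=0.5,en;q=0.3',
    'de-ch',
    'es;q=0.9, *;q=0.1',
    'not a tag!;q=1',
    '',
    null,
];
foreach ($samples as $h) {
    printf("%-42s => %s\n", var_export($h, true), negotiateLocale($h, $supported, 'en'));
}
```

The header is the standard signal browsers send, but it is absent on some clients and proxies and is not a user preference the application has confirmed; the usual approach is to use it for the initial choice and then let the user override it explicitly, storing that choice in the session or a cookie.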
-
Did you see the second post, 19 minutes after the first, that says "correction, the query WOULD HAVE RUN."?
Lol for Trustwave's PCI compliance tests? What's your point on this thread? To offer help or to show how superior you are, oh god of PHP?
-
Jacques and mac_gyver, as I stated that's the query that WOULD run but the code checks that the $_GET is an int. If it's not, the query doesn't run.
I guess I just don't know what is trying to be accomplished by this, had it executed...
WHERE p.id = 139\' and benchmark(20000000,sha1(1))--
... just an attempt to slow down the server?
Jacques, since you didn't read the post that said the query didn't execute, your "I'm smarter than thou" remarks are really, really unwarranted. My gosh, this isn't the first time you've liked to show your arrogance on here. Calm down.
This application has been PCI-compliant and is tested monthly. It always passes compliance for injection and other hacks. I should have worded the topic better but the question was really... what does someone gain with this type of hack?
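As an added example (not the application's own code), the following PHP shows the two layers the thread describes: an integer check on the id before any query, and a prepared statement so that even a value that slipped past validation would be bound as data rather than spliced into SQL. On the "what does someone gain" question: benchmark() is a MySQL function that simply burns CPU for a while, so a request that comes back noticeably slower than normal would tell the sender that their text reached the SQL engine unescaped; when the id is rejected up front there is no timing difference to observe. The tables and rows here are constructed in an in-memory SQLite database so the script runs offline.

```php
<?php
declare(strict_types=1);

// Validate the id from the query string: only a positive integer passes.
// Anything else (letters, quotes, empty, missing) yields null.
function productIdFromRequest(array $get): ?int
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Fetch the product with a prepared statement. The id is bound as an
// integer parameter; the SQL text never contains request data.
function findProduct(PDO $db, int $id): ?array
{
    $sql = 'SELECT p.*, t.id AS blah
            FROM some_table p
            LEFT OUTER JOIN some_other_table t ON p.id = t.product_id
            WHERE p.id = :id';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed in-memory database so the example runs stand-alone ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE some_table (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE some_other_table (id INTEGER PRIMARY KEY, product_id INTEGER)');
$db->exec("INSERT INTO some_table VALUES (139, 'widget')");
$db->exec('INSERT INTO some_other_table VALUES (7, 139)');

// Constructed requests: a normal id, the string from the error log, and junk.
$requests = [
    ['id' => '139'],
    ['id' => "139' and benchmark(20000000,sha1(1))--"],
    ['id' => '139abc'],
    [],
];
foreach ($requests as $get) {
    $shown = var_export($get['id'] ?? null, true);
    $id = productIdFromRequest($get);
    if ($id === null) {
        // Log it and answer 400 or 404; the database is never contacted.
        printf("%-45s rejected before any query\n", $shown);
        continue;
    }
    printf("%-45s -> %s\n", $shown, json_encode(findProduct($db, $id)));
}
```

Logging the rejected value, as the application already does, is the useful part for operations: a burst of such entries from one source is a scanner, and the log line proves the input never reached the database.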
-
Mysql is deprecated; you should use mysqli or PDO in PHP.
Um, this adds nothing to the topic. MySQL is the database. I didn't say if I was using mysql_query() (I am not) or mysqli_query() (which I am).
-
I wasn't clear here. This is the query that WOULD run but the code knows better.
-
(I'm putting this in PHP since it's not a question specific to MySQL or other DB stuff.)
I have a page that uses the GET id to find a product. GET variables are sanitized, and the SQL string is escaped even though it's expecting a number only. So the code seems safe to me. I'm getting some error_log results that appear to be hack attempts:
SELECT
p.*, t.id as blah
FROM some_table p
left outer join some_other_table t
on p.id = t.product_id
WHERE p.id = 139\' and benchmark(20000000,sha1(1))--
Should I be worried about something like this? Anything more (or less) that I should be doing?
-
kicken said:
And yes, that was the whole point of the thread. How can I implement a shared cache?
I think the answer is that there's no good answer in PHP. Not for what I want; things in C# cache easier because of the architecture (services running that hold stuff in memory). I can't use things like MemCache because some of this would be too tricky for an average user to set up on their server. That's why I was hoping there was a way to add to $_SERVER or something like that. Something universal.
The solutions like "read from a file" really don't apply to what I need. I have objects, arrays, other things that are eventually loaded. I just wish could load them once, not once per user, to reduce some DB calls. That's all.
-
This post was not about my specific string caching. When asked what's being cached, I replied: a bunch of application-specific stuff. There are all sorts of things that are loaded the first time they are needed. Display Preferences, Checkout Preferences, Shipping Preferences, etc. There's little performance problem with the strings (under .4 seconds, it turns out) and I don't know why you're trying to dissect an application that you know nothing about, when this wasn't my question in the first place.
Basically, I'm trying to reduce some DB calls (with what I mentioned, there are four calls the first time, if all those things are needed on a page) by finding a caching layer.
My question was about caching arrays of things in $_SERVER or something that's not $_SESSION. "Don't want to get my hands dirty"? Thanks for the insult.
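As an added example (not code from the original thread), here is a small cache layer for the case described in these two posts: arrays or objects loaded once and reused across requests, without requiring the end user to run Memcache. It uses APCu when the extension is loaded and enabled (APCu lives in the web server process, so it is shared by all requests of that process) and otherwise falls back to a serialized file. The file fallback restricts unserialize() to an explicit class list, because unserializing untrusted or tampered data into arbitrary classes is a well-known PHP object-injection risk. The ShippingPreferences class and loader are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Cross-request cache: APCu if available, otherwise a file in $dir.
 * Values are stored by key; $allowedClasses limits what the file
 * fallback will rebuild on read (arrays and scalars always work).
 */
final class SharedCache
{
    private string $dir;
    /** @var string[] */
    private array $allowedClasses;

    public function __construct(array $allowedClasses = [], ?string $dir = null)
    {
        $this->allowedClasses = $allowedClasses;
        $this->dir = $dir ?? sys_get_temp_dir();
    }

    private function useApcu(): bool
    {
        return function_exists('apcu_enabled') && apcu_enabled();
    }

    private function path(string $key): string
    {
        // The key is hashed so it can never act as a path component.
        return $this->dir . '/phpcache_' . hash('sha256', $key) . '.ser';
    }

    /** Return the cached value for $key, or run $loader and cache its result. */
    public function remember(string $key, int $ttl, callable $loader)
    {
        if ($this->useApcu()) {
            $hit = apcu_fetch($key, $ok);
            if ($ok) {
                return $hit;
            }
            $value = $loader();
            apcu_store($key, $value, $ttl);
            return $value;
        }

        $file = $this->path($key);
        if (is_file($file) && filemtime($file) > time() - $ttl) {
            $raw = file_get_contents($file);
            if ($raw !== false) {
                return unserialize($raw, ['allowed_classes' => $this->allowedClasses]);
            }
        }
        $value = $loader();
        file_put_contents($file, serialize($value), LOCK_EX);
        return $value;
    }
}

// Constructed stand-in for one of the preference objects named in the thread.
final class ShippingPreferences
{
    public array $rates;

    public function __construct(array $rates)
    {
        $this->rates = $rates;
    }
}

$cache = new SharedCache([ShippingPreferences::class]);
$loaderRuns = 0;
$loadFromDb = function () use (&$loaderRuns): ShippingPreferences {
    $loaderRuns++;   // stands in for the DB round trip the thread wants to avoid
    return new ShippingPreferences(['ground' => 5.0, 'air' => 15.0]);
};

$first  = $cache->remember('shipping_prefs', 300, $loadFromDb);
$second = $cache->remember('shipping_prefs', 300, $loadFromDb);
printf("loader ran %d time(s) in this process\n", $loaderRuns);
printf("same rates on both reads: %s\n", var_export($first->rates === $second->rates, true));
```

Run twice from the CLI (where APCu is normally disabled) and the second run reports zero loader calls: the file written by the first process served the second, which is the cross-request behaviour $_SESSION cannot give. The cache directory should be owned by and readable only by the application user, since anyone who can write it can feed the application whatever it will unserialize, and the allowed-classes list keeps that exposure to the types you have chosen to accept.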
Opinion: strip_tags on field that will be encrypted in the database
in PHP Coding Help
Posted · Edited by timneu22
I agree with these replies but... I guess I wonder why SO MANY websites still say that some characters are disallowed. Mmmph. And I'm talking about major websites like large banks, financial institutions, or other similar corporations