validation script

[Spydie]

I'm wondering how to get this portion of a script I'm writing to work correctly...

 

if(!preg_match('/\days\/',$length))
    die('Error: Length must be either Days or Enc');

[Adam]

The PHP appears to be fine, but the regex probably isn't. What exactly are you trying to do? What errors do you get, or what currently happens when you run the code?

[Spydie]

I'm tryin to make it so when someone tries to bring up the encounter graph they HAVE to type in enc.

The daily graph would have to have days inputted with the string, like so...

 

http://parse.reclamationeq2.com/graph_all.php?length=days.php

 

but say I input hours instead of days. It still works. I don't want that to happen!

 

the error says "Parse error: syntax error, unexpected T_IF in /home2/rogleete/public_html/parse/graph_all.php on line 52"

[Spydie]

the whole script looks like so...

<?php

include 'actdb.php';
include 'phpgraphlib.php';
     
//If encid is not specified, get latest encounter.
    $encid = mysql_real_escape_string( $_GET['encid'] );

//count the number of people to be graphed.
if(!isset($_GET['count']))
    $count = 8;
else
    $count = intval(mysql_real_escape_string( $_GET['count'] ));

//validate $count
is_int($count)
    or die('Error: Count has to be a valid integer.');

//count the number of people to be graphed.
if(!isset($_GET['encounter']))
    $encounter = encid;
else
    $encounter = intval(mysql_real_escape_string( $_GET['count'] ));

//days to look into the past
if(!isset($_GET['days']))
    $days = 7;
else
    $days = mysql_real_escape_string( $_GET['days'] );

//validate $days
is_numeric($days)
    or die('Error: Days has to be a valid number.');

//extdps or exthps?
if(!isset($_GET['type']))
    $type = "extdps";
else
    $type = strtolower(mysql_real_escape_string( $_GET['type'] ));

//validate $type
if(!preg_match('/\bext[dh]ps\b/',$type))
    die('Error: Type must be either EXTDPS or EXTHPS');

//encounter or weekly?
if(!isset($_GET['length']))
    $length = "days";
else
    $length = strtolower(mysql_real_escape_string( $_GET['length'] ));
    
//validate $length
if(!ctype_alpha($length))
    die('Error: Length must be either Days or Enc');
   
    
If($length == 'enc') {
$query = "SELECT name, (" . $type . ") FROM combatant_table
    WHERE encid = '$encid' AND ally = 'T'
    ORDER BY (" . $type . ") DESC LIMIT $count";}
else   
    {$query = "SELECT b.name, AVG(b." . $type . ")
    FROM encounter_table AS a,combatant_table AS b
    WHERE a.encid = b.encid
    AND b.ally = 'T'
    AND a.title != 'All'
    AND a.starttime > DATE_SUB(NOW(),INTERVAL '" . $days . "' DAY)
    GROUP BY b.name
    ORDER BY AVG(b." . $type . ") DESC LIMIT " . $count;};


$result = mysql_query($query)
    or die('Query failed: ' . mysql_error());

$data = array();

while($row = mysql_fetch_row($result))
{
    $name = $row[0];
    $extdps = intval($row[1]);
    $data[$name] = $extdps;
}

//create the graph
If($length == 'enc') {
$query = "SELECT title,starttime FROM encounter_table WHERE encid = '$encid' LIMIT 1";
$result = mysql_query($query);
$row = mysql_fetch_row($result);
$title = $row[0] . " " . substr($row[1],0,10);}
else
{$title = "Top " . $count . " "
    . strtoupper(substr($type,3,1))
    . "PSers from the last " . $days . " days";};

$graph = new PHPGraphLib(800,300);

$graph->addData($data);
$graph->setGrid(false);
$graph->setTitle($title);
$graph->setTitleColor("white");
$graph->setupXAxis(28, "white");
$graph->setupyAxis("", "white");
($type == 'exthps') ? $graph->setGradient("0,200,0", "0,100,0", "black") : $graph->setGradient("200,0,0", "100,0,0", "black");
$graph->setDataValues(true);
($type == 'exthps') ? $graph->setDataValueColor("0,200,0", "0,100,0", "black") : $graph->setDataValueColor("200,0,0", "100,0,0", "black");
$graph->setBarOutline(false);
$graph->setBackgroundColor("11,13,13");
$graph->setTextColor("white");
$graph->setLegend(false);
$graph->createGraph();  

?> 

[nrg_alpha]

I'm not sure why you use die.. so if the user puts in something that doesn't match, you kill the script? (don't get Daniel0 started on die either )

The link you provided is a dead one.

 

And why are you escaping the d (as well as the closing delimiter) the pattern?

I'm also not sure what you mean by 'Error: Length must be either Days or Enc'... does this mean 3 or 4 characters long as in strlen or it has to be literally $length = 'Days' or 'Enc'?

[Spydie]

notice I change the length back to what it was before, so at least it worked but with that leak in it...

[Spydie]

I'm not sure why you use die.. so if the user puts in something that doesn't match, you kill the script? (don't get Daniel0 started on die either )

The link you provided is a dead one.

 

And why are you escaping the d (as well as the closing delimiter) the pattern?

I'm also not sure what you mean by 'Error: Length must be either Days or Enc'... does this mean 3 or 4 characters long as in strlen or it has to be literally $length = 'Days' or 'Enc'?

literally $length = 'Days' or 'Enc'

[nrg_alpha]

So instead of using preg, why not simply do a simple if statement?

 

if($length == 'days' || $length == 'Enc'){
// do this
} else {
// do something else, but definitly don't die() over it :/
}

 

In fact, I would eliminate all the die() parts from your script... You're diehard trigger happy it seems...

[nrg_alpha]

And since I can forsee you using die() in conjunction with mysql at some point, perhaps you should have a look at Dan's latest article...

[Andy-H]

  AND a.starttime > DATE_SUB(NOW(),INTERVAL '" . $days . "' DAY)
    GROUP BY b.name
    ORDER BY AVG(b." . $type . ") DESC LIMIT " . $count;}[b];[/b]

Whats with the semicolon?

 

[Spydie]

  AND a.starttime > DATE_SUB(NOW(),INTERVAL '" . $days . "' DAY)
    GROUP BY b.name
    ORDER BY AVG(b." . $type . ") DESC LIMIT " . $count;}[b];[/b]

Whats with the semicolon?

I don't know....

[Spydie]

ok, so instead of the "or die" parts I wanna make it so it runs back to the days graph and gives a little error below the graph sayin you didn't enter such and such then, eh?

[nrg_alpha]

ok, so instead of the "or die" parts I wanna make it so it runs back to the days graph and gives a little error below the graph sayin you didn't enter such and such then, eh?

 

It sounds better than die()ing all over the place, don't you think? It just doesn't make sense to kill a script because of a variable not matching something you want. It's simply poor design TBH.

[Spydie]

It sounds better than die()ing all over the place, don't you think? It just doesn't make sense to kill a script because of a variable not matching something you want. It's simply poor design TBH.

 

I'd have to agree, but being a beginner I have to do some searching to find out what I should do to fix it all...

 

I had a bit of help to create what I've got now. lol

[Andy-H]

<?php

include 'actdb.php';
include 'phpgraphlib.php';
     
//If encid is not specified, get latest encounter.
    $encid = mysql_real_escape_string( $_GET['encid'] );

//count the number of people to be graphed.
if(!isset($_GET['count']))
    $count = 8;
else
    $count = intval( $_GET['count'] );

//count the number of people to be graphed.
if(!isset($_GET['encounter']))
    $encounter = encid;
else
    $encounter = intval( $_GET['count'] );

//days to look into the past
if(!isset($_GET['days']))
    $days = 7;
else
    $days = intval( $_GET['days'] );

//extdps or exthps?
if(!isset($_GET['type']))
    $type = "extdps";
else
    $type = strtolower(mysql_real_escape_string( $_GET['type'] ));

//validate $type
if(!preg_match('/ext[dh]ps/',$type))
    $err = ('Error: Type must be either EXTDPS or EXTHPS');

//encounter or weekly?
if(!isset($_GET['length']))
    $length = "days";
else
    $length = strtolower(mysql_real_escape_string( $_GET['length'] ));
    
//validate $length
if(!ctype_alpha($length))
    $err = ('Error: Length must be either Days or Enc');
   
    
If($length == 'enc') {
   $query = "SELECT name, (" . $type . ") FROM combatant_table
    WHERE encid = '$encid' AND ally = 'T'
    ORDER BY (" . $type . ") DESC LIMIT $count";}
else   
    {$query = "SELECT b.name, AVG(b." . $type . ")
    FROM encounter_table AS a,combatant_table AS b
    WHERE a.encid = b.encid
    AND b.ally = 'T'
    AND a.title != 'All'
    AND a.starttime > DATE_SUB(NOW(),INTERVAL '" . $days . "' DAY)
    GROUP BY b.name
    ORDER BY AVG(b." . $type . ") DESC LIMIT " . $count;
}


$result = mysql_query($query)
    or trigger_error('Query failed: ' . mysql_error(), E_USER_ERROR);

$data = array();

while($row = mysql_fetch_row($result))
{
    $name = $row[0];
    $extdps = intval($row[1]);
    $data[$name] = $extdps;
}

//create the graph
If($length == 'enc') {
   $query = "SELECT title,starttime FROM encounter_table WHERE encid = '$encid' LIMIT 1";
   $result = mysql_query($query);
   $row = mysql_fetch_row($result);
   $title = $row[0] . " " . substr($row[1],0,10);}
else
   {$title = "Top " . $count . " "
    . strtoupper(substr($type,3,1))
    . "PSers from the last " . $days . " days";};
if ( !isSet($err) )
{

$graph = new PHPGraphLib(800,300);

$graph->addData($data);
$graph->setGrid(false);
$graph->setTitle($title);
$graph->setTitleColor("white");
$graph->setupXAxis(28, "white");
$graph->setupyAxis("", "white");
($type == 'exthps') ? $graph->setGradient("0,200,0", "0,100,0", "black") : $graph->setGradient("200,0,0", "100,0,0", "black");
$graph->setDataValues(true);
($type == 'exthps') ? $graph->setDataValueColor("0,200,0", "0,100,0", "black") : $graph->setDataValueColor("200,0,0", "100,0,0", "black");
$graph->setBarOutline(false);
$graph->setBackgroundColor("11,13,13");
$graph->setTextColor("white");
$graph->setLegend(false);
$graph->createGraph();  
}else{

echo $err;
}?> 

[Spydie]

Ya didn't have to do the whole thing for me, what am I learning then?

[Andy-H]

lol well I can explain the changes, you do not need to escape a value using mysql_real_escape_string() as well as using intval on it or casting it as an integer using

(int) $foo;

 

rather than using or die ('blah'); on your mysql queries use

or trigger_error('Error with query on line: ' . __LINE__ . '<br ><br >In file: ' .__FILE__);

or something along those lines as killing the script is no good and giving the mysql_error reading makes your scripts more vunerable. One alternative method is setting an error variable and checking if it is set, if it is handle the output for the error display.

[Spydie]

can't I put an if statement within an if statement?, like this...

 

If($length == 'days' || $length == 'enc'){
    
If($length == 'enc') {
   $query = "SELECT name, (" . $type . ") FROM combatant_table
    WHERE encid = '$encid' AND ally = 'T'
    ORDER BY (" . $type . ") DESC LIMIT $count";
    }else{
    $query = "SELECT b.name, AVG(b." . $type . ")
    FROM encounter_table AS a,combatant_table AS b
    WHERE a.encid = b.encid
    AND b.ally = 'T'
    AND a.title != 'All'
    AND a.starttime > DATE_SUB(NOW(),INTERVAL '" . $days . "' DAY)
    GROUP BY b.name
    ORDER BY AVG(b." . $type . ") DESC LIMIT " . $count;
    }else{
 $err = ('Error: Length must be either Days or Enc');
 }
}

[Spydie]

ignore that, I figured it out!

[Andy-H]

Yes, but you haveto nest them correctly, you would be better of using if/elseif/else for that.

 

ie.

if ($length == "?")
{
//blah...
}
elseif ($length == "??")
{
//blah blah
}
else
{
$err = "..?";
}

[Spydie]

yea, I ended up doing it all like this...

 

//validate $length and get the information from the database
If($length == 'days' || $length == 'enc'){
    
If($length == 'enc') {
   $query = "SELECT name, (" . $type . ") FROM combatant_table
    WHERE encid = '$encid' AND ally = 'T'
    ORDER BY (" . $type . ") DESC LIMIT $count";
    }else{
    $query = "SELECT b.name, AVG(b." . $type . ")
    FROM encounter_table AS a,combatant_table AS b
    WHERE a.encid = b.encid
    AND b.ally = 'T'
    AND a.title != 'All'
    AND a.starttime > DATE_SUB(NOW(),INTERVAL '" . $days . "' DAY)
    GROUP BY b.name
    ORDER BY AVG(b." . $type . ") DESC LIMIT " . $count;
    }
    $result = mysql_query($query)
    or trigger_error('Query failed: ' . mysql_error(), E_USER_ERROR);
    
    $data = array();
    
    while($row = mysql_fetch_row($result))
    {
	    $name = $row[0];
	    $extdps = intval($row[1]);
	    $data[$name] = $extdps;
	}

}else{
 $err = ('Error: Length must be either Days or Enc');
 }