darkfreaks Posted October 8, 2007 Share Posted October 8, 2007 ok im trying to include a function into a script. the scriptuses $_REQUEST instead of $_POST so i end up including the functions pagethen doing something like FUNCTION NAME($_REQUEST[variable]) even though thecode is right i get error: can not return function ???? any ideas? Quote Link to comment Share on other sites More sharing options...
MmmVomit Posted October 8, 2007 Share Posted October 8, 2007 This syntax defines a function. function func_name() When you want to actually use, or call, a function, you use this syntax. func_name(); Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted October 8, 2007 Share Posted October 8, 2007 Im lost, could you explain some more... maybe throw some color in with some code. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 ok here is the function: <?php function RemoveXSS($val) { // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed // this prevents some character re-spacing such as <java\0script> // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val); // straight replacements, the user should never need these since they're normal characters // this prevents like <IMG SRC=@avascript:alert('XSS')> $search = 'abcdefghijklmnopqrstuvwxyz'; $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search .= '1234567890!@#$%^&*()'; $search .= '~`";:?+/={}[]-_|\'\\'; for ($i = 0; $i < strlen($search); $i++) { // ;? matches the ;, which is optional // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars // @ @ search for the hex values $val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // @ @ 0{0,7} matches '0' zero to seven times $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; } // now the only remaining whitespace attacks are \t, \n, and \r $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base'); $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'); $ra = array_merge($ra1, $ra2); $found = true; // keep replacing as long as the previous round replaced something while ($found == true) { $val_before = $val; for ($i = 0; $i < sizeof($ra); $i++) { $pattern = '/'; for ($j = 0; $j < strlen($ra[$i]); $j++) { if ($j > 0) { $pattern .= '('; $pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?'; $pattern .= '|(�{0,8}([9][10][13]);?)?'; $pattern .= ')?'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return $val; } ?> Quote Link to comment Share on other sites More sharing options...
MmmVomit Posted October 8, 2007 Share Posted October 8, 2007 Now show us the code that calls that function. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 well to call the function on each posted field i use <?php include('functions.php'); RemoveXSS($_REQUEST[variable]); ?> which returns this error: cannot return function value on line 32 Quote Link to comment Share on other sites More sharing options...
MmmVomit Posted October 8, 2007 Share Posted October 8, 2007 Give us the full error text, not a paraphrased version. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 for some reason it isnt returning the value or $val if you look in the function it is sposed to do that. but it is saying it cant? oddly on my other script which uses $_POST it works fine when i do RemoveXSS($comment); which comment is $comment= $_POST[comment]; Quote Link to comment Share on other sites More sharing options...
Cagecrawler Posted October 8, 2007 Share Posted October 8, 2007 RemoveXSS() needs to be assigned to a variable. ie. $input = RemoveXSS($_REQUEST['input']); Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 Edit: nevermind i already have that and it still returning the erro Quote Link to comment Share on other sites More sharing options...
Cagecrawler Posted October 8, 2007 Share Posted October 8, 2007 You can live without them, I was referring to the fact that the function is returning a value but you're not doing anything with it. You either need to echo it or assign it to a variable. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 the problem is my script looks like this: <? ## v5.24 -> may. 10, 2006 session_start(); include_once ("config/config.php"); include ("themes/".$setts['default_theme']."/header.php"); if ($_GET['start'] == "") $start = 0; else $start = $_GET['start']; $limit = 20; if ($_GET['view'] == "") $view = "all"; else $view = $_GET['view']; $additionalVars = ("&owner=".$_GET['owner']."&auction=".$_GET['auction']); $a_month = 60*60*24*30; $time_month = time() - 60*60*24*30; $date_month = date("Y-m-d H:i:s",$time_month); header5("$lang[viewfeedback]"); ?> <table width="100%" border="0" cellspacing="2" cellpadding="2"> <tr> <td valign="top"><table width="100%" border="0" cellpadding="2" cellspacing="1"> <tr height="30"> <td><b> <? echo $lang[feedbackfor]." "; echo getSqlField("SELECT username FROM probid_users WHERE id='".$_GET['owner']."'","username")." "; echo getFeedback($_GET['owner']); $sellerDetails = getSqlRow("SELECT * FROM probid_users WHERE id='".$_GET['owner']."'"); ?> </b></td> </tr> <tr class="c5"> <td><img src="themes/<?=$setts['default_theme'];?>/img/pixel.gif" width="1" height="1"></td> </tr> <tr class="c2"> <td><? if ($sellerDetails['regdate']!=0) echo $lang[regsince]." ".date(substr($setts['date_format'],0,7),$sellerDetails['regdate'])." in the ".$sellerDetails['country']; ?></td> </tr> </table> <table width="100%" border="0" cellspacing="2" cellpadding="2"> <tr class="c2"> <td><strong> <?=$lang[total_feedback];?> </strong></td> <td nowrap><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND submitted=1"); ?></td> </tr> <tr class="c3"> <td width="100%"><strong> <?=$lang[positive_feedback];?> </strong></td> <td nowrap><? echo calcFeedback($_GET['owner']);?></td> </tr> </table> <table width="100%" border="0" cellspacing="1" cellpadding="2" class="contentfont border"> <tr class="c2"> <td><a href="otheritems.php?owner=<?=$_GET['owner'];?>"><img src="themes/<?=$setts['default_theme'];?>/img/system/ma_bidding.gif" border="0" align="absmiddle" hspace="3"><strong> <?=$lang[view_my_auction];?> </strong></a></td> <td><? $shopDets = getSqlRow("SELECT aboutpage_type, store_active, store_name FROM probid_users WHERE id='".$_GET['owner']."'"); if ($shopDets['aboutpage_type']==2&&$shopDets['store_active']==1) { ?> <a href="<?=processLink('shop', array('store' => $shopDets['store_name'], 'userid' => $_GET['owner'])); ?>"><img src="themes/<?=$setts['default_theme'];?>/img/system/ma_store.gif" border="0" align="absmiddle" hspace="3"><strong> <?=$lang[view_my_store]?> </strong></a> <? } ?></td> </tr> </table></td> <td width="55%" valign="top"><table width="100%" border="0" cellspacing="2" cellpadding="2" class="border"> <tr class="c1"> <td colspan="6" align="center"><?=$lang[recent_ratings];?></td> </tr> <tr class="c4"> <td align="center"> </td> <td align="center" class="positive"><img src="images/5stars.gif" hspace="3"></td> <td align="center" class="positive"><img src="images/4stars.gif" hspace="3"></td> <td align="center" class="neutral"><img src="images/3stars.gif" hspace="3"></td> <td align="center" class="negative"><img src="images/2stars.gif" hspace="3"></td> <td align="center" class="negative"><img src="images/1stars.gif" hspace="3"></td> </tr> <? $one_month = date("Y-m-d H:i:s",time()-($a_month*1)); $six_months = date("Y-m-d H:i:s",time()-($a_month*6)); $twelwe_months = date("Y-m-d H:i:s",time()-($a_month*12)); ?> <tr class="c2"> <td align="center" width="25%"><?=$lang[rate_1_month];?></td> <td align="center" width="15%" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$one_month' AND submitted=1 AND rate=5"); ?></td> <td align="center" width="15%" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$one_month' AND submitted=1 AND rate=4"); ?></td> <td align="center" width="15%" class="neutral"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$one_month' AND submitted=1 AND rate=3"); ?></td> <td align="center" width="15%" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$one_month' AND submitted=1 AND rate=2"); ?></td> <td align="center" width="15%" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$one_month' AND submitted=1 AND rate=1"); ?></td> </tr> <tr class="c3"> <td align="center"><?=$lang[rate_6_month];?></td> <td align="center" width="15%" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$six_months' AND submitted=1 AND rate=5"); ?></td> <td align="center" width="15%" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$six_months' AND submitted=1 AND rate=4"); ?></td> <td align="center" width="15%" class="neutral"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$six_months' AND submitted=1 AND rate=3"); ?></td> <td align="center" width="15%" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$six_months' AND submitted=1 AND rate=2"); ?></td> <td align="center" width="15%" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$six_months' AND submitted=1 AND rate=1"); ?></td> </tr> <tr class="c2"> <td align="center"><?=$lang[rate_12_month];?></td> <td align="center" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$twelwe_months' AND submitted=1 AND rate=5"); ?></td> <td align="center" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$twelwe_months' AND submitted=1 AND rate=4"); ?></td> <td align="center" class="neutral"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$twelwe_months' AND submitted=1 AND rate=3"); ?></td> <td align="center" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$twelwe_months' AND submitted=1 AND rate=2"); ?></td> <td align="center" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND date>='$twelwe_months' AND submitted=1 AND rate=1"); ?></td> </tr> <tr class="c5"> <td colspan="6" align="center"><img src="themes/<?=$setts['default_theme'];?>/img/pixel.gif" width="1" height="1"></td> </tr> <tr class="c3"> <td align="center"><?=$lang[rating_as_seller];?></td> <td align="center" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='sale' AND submitted=1 AND rate=5"); ?></td> <td align="center" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='sale' AND submitted=1 AND rate=4"); ?></td> <td align="center" class="neutral"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='sale' AND submitted=1 AND rate=3"); ?></td> <td align="center" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='sale' AND submitted=1 AND rate=2"); ?></td> <td align="center" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='sale' AND submitted=1 AND rate=1"); ?></td> </tr> <tr class="c3"> <td align="center"><?=$lang[rating_as_buyer];?></td> <td align="center" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='purchase' AND submitted=1 AND rate=5"); ?></td> <td align="center" class="positive"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='purchase' AND submitted=1 AND rate=4"); ?></td> <td align="center" class="neutral"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='purchase' AND submitted=1 AND rate=3"); ?></td> <td align="center" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='purchase' AND submitted=1 AND rate=2"); ?></td> <td align="center" class="negative"><? echo getSqlNumber("SELECT userid FROM probid_feedbacks WHERE userid='".$_GET['owner']."' AND type='purchase' AND submitted=1 AND rate=1"); ?></td> </tr> </table></td> </tr> </table> <br> <? if ($fb_type=="sale") echo $lang[sale]; else echo $lang[purchase]; if ($view=="all") $searchPattern = " userid='".$_GET['owner']."' "; else if ($view=="positive") $searchPattern = " userid='".$_GET['owner']."' AND rate>3 "; else if ($view=="neutral") $searchPattern = " userid='".$_GET['owner']."' AND rate=3 "; else if ($view=="negative") $searchPattern = " userid='".$_GET['owner']."' AND rate<3 "; else if ($view=="frombuyers") $searchPattern = " userid='".$_GET['owner']."' AND type='sale' "; else if ($view=="fromsellers") $searchPattern = " userid='".$_GET['owner']."' AND type='purchase' "; else if ($view=="left") $searchPattern = " fromid='".$_GET['owner']."' "; $getFeedbacks = mysql_query("SELECT * FROM probid_feedbacks WHERE ".$searchPattern." AND submitted=1 ORDER BY date DESC LIMIT ".$start.",".$limit) or die(mysql_error()); $totFbs = getSqlNumber("SELECT * FROM probid_feedbacks WHERE ".$searchPattern." AND submitted=1"); ?> <table width="100%" border="0" cellspacing="2" cellpadding="2" class="contentfont"> <tr align="center" height="21"> <td class="<? if ($view=="all") { echo "c1"; } else { echo "c4";} ?>"><? echo "<a href=\"viewfeedback.php?view=all&start=".$start."$additionalVars\">".$lang[all_ratings]."</a>"; ?></td> <td class="<? if ($view=="frombuyers") { echo "c1"; } else { echo "c4";} ?>"><? echo "<a href=\"viewfeedback.php?view=frombuyers&start=".$start."$additionalVars\">".$lang[from_buyers]."</a>";?></td> <td class="<? if ($view=="fromsellers") { echo "c1"; } else { echo "c4";} ?>"><? echo "<a href=\"viewfeedback.php?view=fromsellers&start=".$start."$additionalVars\">".$lang[from_sellers]."</a>";?></td> <td class="<? if ($view=="left") { echo "c1"; } else { echo "c4";} ?>"><? echo "<a href=\"viewfeedback.php?view=left&start=".$start."$additionalVars\">".$lang[left_for_others]."</a>";?></td> </tr> <tr> <td colspan="7" class="c5"><img src="themes/<?=$setts['default_theme'];?>/img/pixel.gif" width="1" height="1"></td> </tr> </table> <table width="100%" border="0" cellspacing="2" cellpadding="4" class="contentfont"> <? while ($fb = mysql_fetch_array($getFeedbacks)) { $fromId = ($view=="left") ? $fb['userid'] : $fb['fromid']; ?> <tr class="<? echo (($count++)%2==0)?"c2":"c3";?>"> <td><? $isCRF = getSqlNumber("SELECT id FROM probid_custom_rep WHERE active=1"); echo showFeedback($fb['rate'])." | <strong>$lang[date]</strong>: ".displaydatetime($fb['date'],$setts['date_format'])." | <strong>$lang[type]</strong>: ".$fb['type']." | <strong>".(($view=="left") ? $lang[to] : $lang[from])."</strong>: <a href=\"viewfeedback.php?owner=".$fromId."&auction=".$_REQUEST['auction']."\">".getSqlField("SELECT username FROM probid_users WHERE id='".$fromId."'","username")." ".getFeedback($fromId)."</a> | <strong>$lang[item]</strong>: <a href=\"".processLink('auctiondetails', array('id' => $fb['auctionid']))."\">".$fb['auctionid']."</a> ".(($isCRF) ? " | [ <strong><a href=\"javascript://\" onclick=\"popUp('repdetails.php?fbid=".$fb['id']."');\">$lang[details]</a></strong> ]":"")." <br>".$fb['feedback']; ?></td> </tr> <? } ?> <tr> <td colspan="7" class="contentfont c4" align="center"><? paginate($start,$limit,$totFbs,"viewfeedback.php","&view=$view".$additionalVars);?></td> </tr> </table> <? if ($_GET['auction']!=0) { echo "<br><div align=\"center\" class=\"contentfont\">\n"; echo "<a href=\"".processLink('auctiondetails', array('id' => $_GET['auction']))."\">$lang[retdetailspage]</a></div>"; } include ("themes/".$setts['default_theme']."/footer.php"); ?> Quote Link to comment Share on other sites More sharing options...
Cagecrawler Posted October 8, 2007 Share Posted October 8, 2007 That doesn't have the function or the include in anywhere... Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 i know that? the problem is is that when i do have the include in it and call it everywhere like the SQL requests and even inside the requests in the if statements it tells me it cannot return the function and i want to know why? Quote Link to comment Share on other sites More sharing options...
rlindauer Posted October 8, 2007 Share Posted October 8, 2007 How exactly are you using the function? Give us a test case that we can use to troubleshoot this. What is the variable name you are passing to the function and what is the value of that variable? What is the exact error message? Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 <?php include('functions.php'); $additionalVars = RemoveXSS("&owner=".$_GET['owner']."&auction=".$_GET['auction']); ?> which gives me something like "cannot return function RemoveXSS on line 7" Quote Link to comment Share on other sites More sharing options...
rlindauer Posted October 8, 2007 Share Posted October 8, 2007 It's working just fine for me. Using the function you posted and your example, it prints out just fine with no errors. What version of PHP are you using? Also, I can't quite grasp why you are passing an entire query string to the function, instead of just the value you need from the query string, ie: $owner= RemoveXSS($_GET['owner']); Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 ill try passing it through a variable and see what happens Quote Link to comment Share on other sites More sharing options...
rlindauer Posted October 8, 2007 Share Posted October 8, 2007 Post your code too Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 <?php include_once ("functions.php"); $owner= RemoveXSS($_GET['owner']); $auction=RemoveXSS($_GET['auction']);?> would this even work just defining variables then not calling them in the script? because right now everything is just $_REQUEST['auction'] setup like that instead of $auction Quote Link to comment Share on other sites More sharing options...
rlindauer Posted October 8, 2007 Share Posted October 8, 2007 You have to call them in the script. Did you get any errors this time? For example, in your script, you would use the RemoveXSS like this: <?php echo getSqlField("SELECT username FROM probid_users WHERE id='".RemoveXSS($_GET['owner'])."'","username")." "; ?> Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 i did that it keeps telling me it cant write or return it :-\ Quote Link to comment Share on other sites More sharing options...
rlindauer Posted October 8, 2007 Share Posted October 8, 2007 What is the exact error? Are you sure that this is an issue with RemoveXSS? Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted October 8, 2007 Author Share Posted October 8, 2007 im pretty sure it works with no errors on my guestbook then again i use $_POST instead of $_REQUEST and its alot easier to deal with blah! Quote Link to comment Share on other sites More sharing options...
rlindauer Posted October 8, 2007 Share Posted October 8, 2007 Please post the exact error as you receive it. And if you could post the line the error is at, plus a few above and below, that would help. The test you did above worked right? <?php include_once ("functions.php"); $owner= RemoveXSS($_GET['owner']); $auction=RemoveXSS($_GET['auction']);?> This produced no errors right? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.