Jump to content

vampke

Members
  • Posts

    82
  • Joined

  • Last visited

Profile Information

  • Gender
    Not Telling

vampke's Achievements

Member

Member (2/5)

0

Reputation

  1. hello, I am writing an application that stores values in a session. At the end of the session, the session variables are stored in the db, there is some magic with these data and then a result is generated after which the session is destroyed. Everything is running as expected but for one thing. When the session is destroyed, I get to another page (eg by mistakingly clicking on something) and then want to go back to the result, the result gets destroyed as well. This is not what I want, I want the users to be able to keep the result (which is a page containing about 1000 words). I'd prefer not to store the complete result (again: 1000 words) in the database or in a new session, because when things are up and running there may be hundreds of users using the app simultaneously. I thought it would be possible to create a new session after the previous one is destroyed and setting the db id connected to the stored variables in a session variable so that the result could be recalculated every time the user gets back to the page. I am in doubt is this is the best way to handle this. What would be the best way to handle this situation?
  2. thank you guru! it was a redirect!
  3. Hi people, I am trying to cross domain post an html form. When I post the form on the domain itself (form action="test.php" method="post") and I return echo $_SERVER['REQUEST_METHOD']; it returns "POST" however when I put the very same file on a different domain and post it (form action="http://www.domain.invalid/test.php" method="post") it returns "GET" ! Does anybody understand why?
  4. @requinix: I understand the language evolves, but there really is no logical explanation to changing these kind of things is there? @christian: which setting would i need to be looking at?
  5. thanks for your reply requinix. I was not aware of this. It seems like very poor consistency in php... I already came up with a solution similar to yours, however I was looking for a reason for the incongruity. Very surprised to find it out.
  6. Hi peepz, I am writing a script that seems to be doing what I mean it to except for one thing. I have a file in a subdirectory (uri/includes) which I include in my php files of the parent directory (uri): include 'firstfile.inc.php'; The firstfile.inc.php file includes another file in the same includes directory. include 'secondfile.inc.php'; On my local windows machine this works fine. On my linux webserver not so much: in stead of including the file in 'uri/includes/secondfile.inc.php' it tries to include 'uri/secondfile.inc.php' Could anyone be so kind to explain why this is happening (a server setting I need to be looking at?) and how to overrun this setting in the code? I am on a shared hosting account with no access to php.ini. Cheers. v.
  7. My original question was supposed to be "how can I get a variable's name without the $", but then I found a topic on stackoverflow about this where most people are saying this is not the way to do it, so I would like to rephrase the question to "what is the best way to handle the below situation". I have a script where users can go and modify the result later. The script contains mainly checkboxes. The code: function outRow($question, $answer){ return "<input type=\"checkbox\" id=\"fieldnamewithoutthestring\" name=\"fieldnamewithoutthestring\" value=\"1\" />".($answer==1?$checked:$unchecked).$question; } $qry = "SELECT * FROM mehtable WHERE id=$id"; $qry_result = mysql_query($qry) or die(mysql_error()); $info = mysql_fetch_array($qry_result); $firstfield = $info['firstfield']; $secondfield = $info['secondfield']; $out = outRow("the result of the first field=", $firstfield); $out .= outRow("second field's result=", $secondfield); echo $out; Above code is simplified. I need the fieldname so I can update the db table accordingly. I have specifically given the variables the same name as the corresponding db fieldnames. What would be the right way to handle this? edit: obviously the $checked and $unchecked are correctly defined but not shown here.
  8. Hi cyberrobot, there shouldn't be any special characters. In any case they are not allowed at all because of a javascript on the input box
  9. ok thanks, I was expecting there wasn't but the message concerned me somehow. I know where the 302 goes to. I don't think it is relevant however. My main concern is that this program returned a fail message which does not seem to be the correct wording. If the 302 page handles the injection attempt, there is no risk, right? What about the string values: are they sufficiently protected with my function?
  10. Hello, I am writing a script that I am trying to protect against mysql injection. I have installed the firefox add-on SQL Inject Me and it returns some fails. and many more similar items. My question is: is this always a problem? I would think a 302 return code only means the script is returning a valid page. But a valid page does not necessarily mean a vulnerable page, right? The tested values all concern checkboxes with following html: <input type=\"checkbox\" id=\"checkboxvalue\" name=\"checkboxvalue\" value=\"1\" /> The $_POST of the checkboxes are interpreted as: $myValue = (int)isset($_POST['checkboxvalue'])?1:0; I would assume this completely limits the possibility for sql injection or am I missing something? The (int) is probably not needed since I don't even store the post value in the variable. My strings do not generate a warning. I use the following function to validate them, is this sufficient protection? function validateInput($in){ if(get_magic_quotes_gpc()) { $in = stripslashes($in); } $out = mysql_real_escape_string(strip_tags($in)); if(preg_match('/^[a-zA-Z0-9 ^$.*+\[\]{,}]{1,32}$/u', $out)) { return $out; } else return ""; }
  11. Psycho, Thank you very much for your reply. I know I should urgently polish my sql skills, it has been a while :/ ... I got it working with the one query solution (there actually already was a JOIN involved which I skipped because it didn't have anything to do with the problem. I am still wondering why the resultset is empty after the first iteration. Isn't it just a variable that should keep it's array?
  12. Hi guys, I have this simple script that I am struggling with for hours.... I want to show an editable list of submitted checkboxes: a user selects a couple of widgets from a list. When submitted I want to show the same list with the selected checkboxes checked. Could someone please explain to me why this code works (difference is the location of the selectedwidgets_qry in or out the while loop): $widget_result = mysql_query("SELECT id, description FROM widget_item") or die(mysql_error()); while ($info = mysql_fetch_array($widget_result)) { $selected = ""; $selectedwidgetsqry_result=mysql_query("select item_id from selected_widgets where sessionId = '$sessionid'") or die(mysql_error()); while($arr = mysql_fetch_array($selectedwidgetsqry_result)){ if($info['id'] == $arr['item_id']){ $selected = " checked=\"checked\""; } } $out .="<input name=\"items[]\" type=\"checkbox\" value=\"".$info['id']."\" id=\"".$info['id']."\"".$selected." /><label for=\"".$info['id']."\">".$info['description']."</label><br />"; } and why this code does not? $widget_result = mysql_query("SELECT id, description FROM widget_item") or die(mysql_error()); $selectedwidgetsqry_result=mysql_query("select item_id from selected_widgets where sessionId = '$sessionid'") or die(mysql_error()); while ($info = mysql_fetch_array($widget_result)) { $selected = ""; while($arr = mysql_fetch_array($selectedwidgetsqry_result)){ if($info['id'] == $arr['item_id']){ $selected = " checked=\"checked\""; } } $out .="<input name=\"items[]\" type=\"checkbox\" value=\"".$info['id']."\" id=\"".$info['id']."\"".$selected." /><label for=\"".$info['id']."\">".$info['description']."</label><br />"; } It took me hours to figure this out but I still don't understand why the difference.
  13. Hi guys, I am struggling with a form containing multiple checkboxes with corresponding textboxes. Eg.: there are 5 checkboxes (XS, S, M, L, XL) and 5 textboxes (with values 3,4,5,6, that correspond to the checkboxes. I give all the checkboxes the name 'size[]' and the textboxes the name 'price[]'. The aim is to have my script set a boolean to true and update the corresponding price if the checkbox is selected. Unfortunately it does not work this way: checkboxes are only put in the array when they are selected, meaning that if I select only checkbox S and L, the array length is 2 only, but array length price is always 5, so size[1] does not correspond to price[1] necessarily. There probably is a better way to achieve what I need. Could anyone point me in the right direction? edit: BTW the number of items is dynamic: sometimes there will also be XXL or some items will be missing and I also need to set the price for items where the checkbox is not checked.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.