linus72982
  1. I'm going to assume you're using mysql: From the PHP.net page on rowCount (http://www.php.net/manual/en/pdostatement.rowcount.php): This has been a known issue with rowCount for some time now.
  2. I am writing a script that will parse my PHP classes and check for things like coupling, visualize my objects and connections, dependencies, check for convention usage, etc. So, I have a simple file upload. I'm never saving the files, just get contents and dump the file and work with the string version. I'm writing it for me, but I figure I might want to open it for others to use in the future, so I may as well write it that way to begin with -- so I need to validate user input. Problem is, the user input is supposed to be valid PHP code. I'm thinking that, as long as I'm careful, I shouldn't be executing any code contained in strings, but I'm no security expert and I want a warm fuzzy that my thought on this is correct. What kinds of things do I need to look out for? Is it possible to inject when working with strings? My initial thought is to regex the entire file and replace key portions with known replacements. So ( and ) would become !* and !^ or $ would become @~ (combinations that -- I think -- don't make sense to php?) But that may be completely unnecessary processing time if I'm not in any danger, here. Thanks ahead of time for any help. PS - as a side question -- what's the best way to verify a file is a php file? I know of getimagesize for images, but should I just check for <? to verify it's php? That seems like it would be too easy to fool -- then again, it might not matter much. -Adam
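An added example, not the original poster's parser, showing the tokenizer approach that answers both questions in the post: token_get_all() lexes the uploaded source without evaluating it, and a real T_OPEN_TAG token is a far better "is this PHP?" check than searching the bytes for `<?`. It assumes the uploaded file's contents are already held in a string (the sample class and names below are constructed).

```php
<?php
// Added example, not the original poster's script. token_get_all() lexes the
// uploaded source without evaluating it, so nothing in the upload can run as
// long as the string never reaches eval(), include() or a shell.
declare(strict_types=1);

// Next token after $i that is not whitespace or a comment; null if none remain
// or if the next token is bare punctuation such as ';' or '('.
function nextMeaningful(array $tokens, int $i): ?array
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        if (!is_array($tokens[$j])) {
            return null;
        }
        if (!in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $tokens[$j];
        }
    }
    return null;
}

// Verify the upload is PHP (a real open tag, not '<?' somewhere in the bytes)
// and collect declared classes plus the names they extend or instantiate.
function analyzePhpSource(string $src): array
{
    $tokens = token_get_all($src);
    $openTags = 0;
    $classes = [];
    $deps = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue;
        }
        if ($t[0] === T_OPEN_TAG) {
            $openTags++;
        } elseif (in_array($t[0], [T_CLASS, T_EXTENDS, T_NEW], true)) {
            // Foo::class is also T_CLASS, but its next token is ';' or ')', not T_STRING
            $next = nextMeaningful($tokens, $i);
            if ($next !== null && $next[0] === T_STRING) {
                if ($t[0] === T_CLASS) { $classes[] = $next[1]; } else { $deps[] = $next[1]; }
            }
        }
    }
    return ['is_php' => $openTags > 0, 'classes' => $classes,
            'dependencies' => array_values(array_unique($deps))];
}

// Constructed sample upload: the open tag inside the string literal is only text.
$sample = <<<'SRC'
<?php
class Mailbox extends BaseModel {
    public function banner() { $this->db = new Database(); return '<?php echo "never executed"; ?>'; }
}
SRC;
print_r(analyzePhpSource($sample));
```

The string literal containing `<?php` lexes as a single T_CONSTANT_ENCAPSED_STRING, so the regex-substitution pass the post considers is not needed: the tokenizer already treats the contents as data.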
  3. A forum, for instance - any sort of website that lives on user-generated content - how would you go about getting it started? I've run through (a rather bleak) scenario in my head: 1. User sees new website, let's check it out. 2. It's brand new, little to no content yet 3. User leaves and probably will never click the link again due to negative experience so...do you have all your friends on facebook go and create some content? Do you manually generate what looks to be legit content? Do you just hope you catch a few people that love the idea of the site and are willing to endure the early slow-growth? I'm curious because I have a good website idea and it's content driven - I'm not sure I'd like the idea of spending a month generating content that clearly comes from the same person or at the best, clearly is an attempt to NOT come from the same person. Thanks for any pushes in the right direction.
  4. I have an "offer suggestions" script attached to an input text element. The text box has an onblur that changes the visibility of the suggestions div to display:none and then an onclick of each suggestion div in the main suggestion div that is supposed to fill the textbox with its value. Fairly standard functionality for an offer suggestion script I would think, the problem is that the onblur of the textbox hides the suggestion div before the onclick of one of its child divs can fire and fill the textbox making the onclick meaningless. How would I get around this? I tried doing it with a timer delaying the disappearance of the div for a few milliseconds, but then it just waits and the onclick doesn't fire in the meantime as the script is held up. Then I got into some janky code whereby I put in a dummy div that was display:none and changed its value when the user mouses over one of the suggestion divs and to change it back to default when they mouseout, then added a line to the onblur of the textbox to check the value of the dummy div and essentially check whether or not the onblur came from a click on a suggestion div; if it did, it would call the fill textbox function first and then return to disappear the suggestion div, if it didn't, it would just disappear the suggestion div. Janky as all hell and didn't work anyway - so... Does anyone have any suggestions?
Here's the relevant parts of the code if you need it. This is the input textbox and the suggestion div:

    <input type="text" name="pmTo" id="pmTo" onkeyup="offerSuggs('none');" onfocus="showSelect();" onblur="hideSelect();" />
    <div name="nameSugg" id="nameSugg" style="display:none;">

This is the individual suggestion child div that the ajax call puts in the suggestion div based on user input (they're created from a PHP script that the ajax calls):

    $suggString .= '<div name="'.$value.'" id="'.$value.'" class="suggMouseOver" onmouseover="highlightDivs(this);" onmouseout="blurDivs(this);" onclick="fillInput(this);">'.$value.'</div>';

And then finally the functions that handle the events regarding the textbox and the suggestion divs:

    function showSelect() {
        document.getElementById('nameSugg').style.display = "block";
        offerSuggs('none');
    }
    function hideSelect() {
        offerSuggs('checkFinal');
        document.getElementById('nameSugg').style.display = 'none';
    }
    function highlightDivs(elemName) {
        document.getElementById(elemName.id).style.backgroundColor = "#FFFF00";
    }
    function blurDivs(elemName) {
        document.getElementById(elemName.id).style.backgroundColor = "#FFFFFF";
    }
    function fillInput(elemName) {
        document.getElementById('pmTo').value = elemName.id;
        offerSuggs('checkFinal');
    }
  5. Yep, I figured it out by going crazy on echoing and var_dumping values. It just turns out that I was deleting the reference to the message in the database, but I would add it right back in when it was called again because I never deleted the variable in the array that pointed to it. Each time it ran it would see that message as valid and it had already been deleted and since the script "makes" the new comma strings from scratch and uploads them, they would reappear in further calls. Thanks for the help. I know it was a hard one without a bunch more code but I was pulling my hair out and stackoverflow had failed me, etc - it was a desperation move
  6. I was under the impression that if brackets were excluded that the if or foreach or whatever it is only looks at the next line so they aren't needed for one line conditionals and the like? I thought that's how it worked. But anyway, yeah, I'll have to go in and inject some troubleshooting hints along the way to see what's going on. I did that a bit and found nothing, I guess I need to go back and check everything.
  7. but never on the first call. Okay, I posted this on StackOverflow but no one there seems to have an answer either. I have this simple function:

    public function delete($messageID) {
        $type = $this->findType($messageID);
        if ($type == 'in') {
            foreach ($this->inArr as $key => $value) {
                if ($this->inArr[$key]->messageID != $messageID)
                    $implodeData[$key] = $this->inArr[$key]->messageID;
            }
            if (!isset($implodeData))
                $imploded = '0';
            else
                $imploded = implode(',', $implodeData);
            $result = $this->_database->updatePMUser('inArr', $imploded, 'UID', $this->UID);
            $result2 = $this->_database->deletePM('messageID', $messageID);
            return;
        } else {
            foreach ($this->sentArr as $key => $value) {
                if ($this->sentArr[$key]->messageID != $messageID)
                    $implodeData[$key] = $this->sentArr[$key]->messageID;
            }
            if (!isset($implodeData))
                $imploded = '0';
            else
                $imploded = implode(',', $implodeData);
            $result = $this->_database->updatePMUser('sentArr', $imploded, 'UID', $this->UID);
            $result2 = $this->_database->deletePM('messageID', $messageID);
            return;
        }
    }

It is a delete function for a private messaging program for a forum script I'm writing. Anyway, here's the issue - it works! But only sometimes. It is called in 3 different places, always from a form processing class I have, once in the view message section to delete a message you're viewing, in a foreach from the sentbox options section and then a foreach in the inbox options section. The inbox and sentbox option sections do that whole "delete the checked messages" for the mass removal functionality.
The delete function above works in all ways shapes and forms when I use it in single calls - like when I'm deleting a message while viewing it or when I only check one message from the inbox, etc - but when I call it multiple times (as in I have checked multiple messages) - it fully deletes one (both the message and the reference to the message in the user's db row) and then only deletes the actual message on the others (deleting the message is the call to deletePM - deleting the reference is the call to updatePMUser). Okay, if you need further information - the function above checks the type the message is (in the inbox or in the sentbox) and then uses that to foreach through that array (inArr or sentArr) of the user. It logs in all the messageIDs of those that DON'T match the one we're deleting and then at the end it implodes those caught IDs into a string that is then updated in the user's row as a comma separated string of values each representing a message in the DB - you get the picture. I realize I have some trimming to do (for one I can cut the above function down by about half by using variable variables) but I'll get to that after I get the thing working. I can't figure out why it's doing what it's doing. If you need the function that calls this in the foreach, I have it below. Oh, and the thing that really boggles me is that this function is called fully for each checked message in the foreach - it fully returns and then loops - if it works once, I don't see how it wouldn't work on a second call from a loop - the variables it uses should be trashed when it leaves the function, they aren't global or object properties or anything. Color me confused.
Thanks for any help, oh, here's one of the functions that calls it to delete checked messages (this one is for the sentbox, there is another for the inbox):

    private function _processSelectedSent() {
        $pmObj = unserialize(base64_decode($_POST['pmObj']));
        $i = 1;
        foreach ($_POST as $key => $value) {
            if ($value == 'marked') {
                $checkedArray[$i] = $key;
                $i++;
            }
        }
        if ($_POST['submitter'] == 'Delete Selected') {
            if (is_array($checkedArray)) {
                foreach ($checkedArray as $key => $value)
                    $pmObj->delete($value);
            } else
                $pmObj->delete($checkedArray[1]);
            header("Location: ".HOME_PAGE.PM_PAGE."?view=sentbox&nocache=".time());
        }
    }
  8. I figured it out. The escapeString function was fine as I suspected as it was being called many times before this point without issue. The problem was that the function being called at the point in question works off of an unserialized version of the object - and I didn't realize serialization destroys connections. I had to add a __wakeup function that restores the connection variable after unserialization.
  9. Okay, I have a section of code to delete a message in a private message mailbox-like script. Before this section of the script fires, I use $this->_database-> many times to pull the names of the messages, etc - that all works fine, but when my program gets to the delete section of my database class, I get the following error:

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user '*private*'@'localhost' (using password: NO) in /var/www/html/evoHTDOCS/tinUser_database.php on line 25
    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/html/evoHTDOCS/tinUser_database.php on line 25
    Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /var/www/html/evoHTDOCS/tinUser_database.php on line 210
    Access denied for user '*private*'@'localhost' (using password: NO)ERROR2

Disregard the "ERROR2" at the end, that's just the catch for a non-result and it tells me which part of the script went wrong. Anyway - I use the same link-resource ($this->connection) many times in this same instance of this same class without error - but for some reason this one brings up that error. Also, what's odd to me is that in the error messages the username is different than the username that I am using to login (they are constants defined in a config file) - it's using the primary username instead of mine and yes, I checked the permissions and they are all set (and again, it links just fine with the same information many times before this function.) It sounds like all of a sudden it says it can't connect to the database it has proved it was already connected to.
If you need it, here is the database section that starts the link and then the function that is causing the error:

    public function __construct() {
        $this->connection = mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD) or die(mysql_error());
        mysql_select_db(DB_NAME, $this->connection) or die(mysql_error());
    }

    public function updatePMUser($field, $data, $whereField, $whereData) {
        $data = $this->escapeString($data);
        $query = "UPDATE ".PM_USERS_TABLE." SET ".$field." = '$data' WHERE ".$whereField." = '$whereData'";
        $result = mysql_query($query, $this->connection);
        if ($result)
            return $result;
        else {
            echo mysql_error();
            die("ERROR2");
        }
    }

It's all still in production so yes there is some trimming to do (and making the connection static, etc), but what could be causing the exact same connection to suddenly fail at a specific function? I've checked and rechecked spelling and all that. Thanks for any help.
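A defender's rewrite of the updatePMUser() method above, added here and not the poster's code: PDO prepared statements replace mysql_real_escape_string() (which, as the warnings show, fails outright when the link is gone, and the query is then built from whatever it returned), the column names are allowlisted instead of interpolated, and the __wakeup reconnect the follow-up post describes is paired with __sleep so the handle is never serialized. It assumes the post's own constants (DB_HOST, DB_NAME, DB_USERNAME, DB_PASSWORD, PM_USERS_TABLE) and the PDO MySQL driver; the class name PmDatabase is made up for this example.

```php
<?php
// Added example, not the original poster's class. Assumes the post's own
// constants (DB_HOST, DB_NAME, DB_USERNAME, DB_PASSWORD, PM_USERS_TABLE).
final class PmDatabase
{
    private ?PDO $connection = null;
    // Column names never come from the caller's data; only these are accepted.
    private const UPDATABLE  = ['inArr', 'sentArr'];
    private const KEY_FIELDS = ['UID'];

    public function __construct()
    {
        $this->connect();
    }

    private function connect(): void
    {
        $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
        $this->connection = new PDO($dsn, DB_USERNAME, DB_PASSWORD, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent false
            PDO::ATTR_EMULATE_PREPARES => false,                  // server-side binding
        ]);
    }

    // A database handle cannot survive serialize()/unserialize(): leave it out
    // of the serialized form and reopen it on wakeup, which is the __wakeup fix
    // the poster describes. Keeping the object in $_SESSION rather than in a
    // POST field avoids unserializing client-supplied bytes at all.
    public function __sleep(): array
    {
        return [];
    }

    public function __wakeup(): void
    {
        $this->connect();
    }

    // Same contract as updatePMUser($field, $data, $whereField, $whereData),
    // but identifiers are allowlisted and values are bound parameters, so there
    // is no escaping step that can fail when the link is gone.
    public function updatePMUser(string $field, string $data, string $whereField, string $whereData): int
    {
        if (!in_array($field, self::UPDATABLE, true) || !in_array($whereField, self::KEY_FIELDS, true)) {
            throw new InvalidArgumentException('column not permitted: ' . $field . '/' . $whereField);
        }
        $sql = sprintf('UPDATE `%s` SET `%s` = :data WHERE `%s` = :key', PM_USERS_TABLE, $field, $whereField);
        $stmt = $this->connection->prepare($sql);
        $stmt->execute([':data' => $data, ':key' => $whereData]);
        return $stmt->rowCount();
    }
}
```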
  10. Oh, I see what he was doing. I'm used to seeing echo'd lines looking like this: echo "blah blah" ."more html"; It's confusing to see the tags in there without quotes to start out like the convention above. I see where the quotes begin and end now, though.
  11. There really isn't a way to do this as PHP is run on the server and has stopped interpreting by the time javascript takes over on the browser. You CAN pass a PHP variable to a webpage and use it via javascript with AJAX, but it would have to be its own separate AJAX call just to grab one variable at a time - would be a bunch of overhead just to do this. I'm sure there might be a way to inject the variable into the GET variables in the address and pull them from javascript but that is beyond my slim knowledge of javascript.
  12. I would go through and check your index file and make sure you aren't accidentally calling the logout script when you shouldn't. I've had conditionals that did this before that were written incorrectly and called things when I didn't intend them to. If you have a header file, check that too as it seems more likely it's in a header that is included at the top of every page. I'm not sure why it wouldn't do it on local testing but would when uploaded, maybe the logout script was in the incorrect directory on the local side? Assuming everything is kosher with the actual code and conditionals, etc, the only thing I can think of is that godaddy has some weird configuration dealing with files named logout. Doesn't make sense, but I guess anything is possible. Try changing the name of the file and all the references, of course? I'm willing to bet it's an accidental call to logout in the code.
  13. I may not be up on the latest things that HTML can do, but it looks like you are mixing php and html without ending and closing tags (<?php and ?>). Granted, you can use things like while loops and if statements with HTML, but you have to do it like so:

    <?php if (condition): ?>
    <html tags> content <more tags>
    <?php endif; ?>

Also, you use rows['id'] at one point and row['id'] at another - one with an s and one without. The main error you are getting, however, is that foreach is supplied a non array to iterate, I believe. Looking through the code, I only see one input attached to the name "checkbox" and then in the PHP you are trying to iterate through an array of that name. Oh, this is the line that uses the checkbox name, and the only one that I saw:

    <td><input name=\"checkbox[]\" type=\"checkbox\" id=\"checkbox[]\" value=\"{$rows['id']} \"></td>
  14. Oh, by the way, check http://us3.php.net/manual/en/function.date.php to see all the formatting options for the date function.