php-general Digest 13 Feb 2007 15:49:49 -0000 Issue 4624
Topics (messages 248793 through 248807):
Re: Filtering _REQUEST.. Why is this bad?
248793 by: Robert Cummings
248794 by: J R
248795 by: Chris Shiflett
Re: Iterators
248796 by: Marc Weber
static functions and array_map - why not allowed?
248797 by: Marc Weber
248798 by: Jochem Maas
Where would you look for documentation about interface RecursiveIterator?
RecursiveIteratorAggregate - suggestion
248799 by: Marc Weber
248803 by: Marc Weber
248804 by: Roman Neuhauser
Array to Object
248800 by: Eli
248801 by: Marc Weber
248802 by: Daniel Kullik
illegal characters
248805 by: M.Ozan Hazer
248806 by: Hidayet Dogan
print() or echo
248807 by: Danial Rahmanzadeh
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
On Mon, 2007-02-12 at 21:20 -0500, Travis Doherty wrote:
> Hello.
>
> Came across some code that startled me. Mostly because it goes against
> the generally accepted idea of detecting and rejecting bad input instead
> of trying to escape it, secondly because "it just feels wrong."
>
> The only technical case I have so far is for inserting a double/single
> quote into the database. It will get inserted as its htmlentities equiv
> of '&quot;' for example. In the future if they wanted to display the
> data in the database in a format other than html it will be messy.
>
> So... the question is: What else is wrong with this? or.. Why is this so
> bad?
It's probably prone to character-set attacks.
As for storing the content like that in the database, sometimes it is
done as an optimization... so that on every future retrieval the
encoding doesn't have to be redone. Sure, it decreases the flexibility
of the content, but it also decreases processing time for the future.
Given that they're inserting the content into the database without
proper escaping, they're probably not aware of optimization and it's
just an example of poor coding.
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--- End Message ---
--- Begin Message ---
here's my opinion on the matter.
it is not advised to do filtering on _REQUEST, or getting data from it in general,
actually. It is much better to specify where your data is coming from (
e.g. _POST or _GET). This is because the variable _REQUEST contains all the data
from the cookies, get and post, and if ever you have the same variable name
in two or more of those variables you might get the wrong one.
and as we all know there is a security risk with cookies. users can easily
replace your data, for example in post, using cookies.
hth,
john
On 2/13/07, Travis Doherty <[EMAIL PROTECTED]> wrote:
> Hello.
> Came across some code that startled me. Mostly because it goes against
> the generally accepted idea of detecting and rejecting bad input instead
> of trying to escape it, secondly because "it just feels wrong."
> The only technical case I have so far is for inserting a double/single
> quote into the database. It will get inserted as its htmlentities equiv
> of '&quot;' for example. In the future if they wanted to display the
> data in the database in a format other than html it will be messy.
> So... the question is: What else is wrong with this? or.. Why is this so
> bad?
> <?php
> // blindly run everything in _REQUEST through htmlentities
> function recursiveFilter($array)
> {
>     $return = array(); // start empty so an empty input returns an array, not null
>     foreach ($array as $key => $val)
>     {
>         if (is_array($val))
>         {
>             // nested arrays (e.g. form[] fields) are walked recursively
>             $return[$key] = recursiveFilter($val);
>         } else {
>             // every scalar is HTML-escaped, quotes included, no matter where it will be used
>             $return[$key] = htmlentities($val,ENT_QUOTES);
>         }
>     }
>     return $return;
> }
> $_REQUEST = recursiveFilter($_REQUEST);
> // queries directly inserting from $_REQUEST
> // echo'ing of data directly from $_REQUEST
> ?>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
GMail Rocks!!!
--- End Message ---
--- Begin Message ---
Travis Doherty wrote:
> Why is this so bad?
>
> <?php
> // blindly run everything in _REQUEST through htmlentities
1. That's escaping, not filtering.
2. http://shiflett.org/archive/178
3. Using $_REQUEST is sloppy and makes CSRF attacks easier.
Maybe more? This is bad for all the reasons magic_quotes_gpc is bad...
Chris
--
Chris Shiflett
http://shiflett.org/
--- End Message ---
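Chris's first point (escaping is not filtering) and Travis's storage concern, shown side by side as an added example that is not from the thread: validate on input, store the raw value through a prepared statement, escape on output for the context being written to. The filterUsername/filterAge names, the constructed $post array and the use of the pdo_sqlite extension are my assumptions.

```php
<?php
// Added example, not from the thread: filter (validate) on input, escape on output.
// Contrast with the quoted recursiveFilter(), which HTML-escapes all of $_REQUEST
// up front and then stores the escaped text in the database.

// Constructed stand-in for a real $_POST, so this runs from the command line.
$post = array('username' => "o'brien", 'age' => '42');

// 1. Filtering: accept only what the field may legitimately contain; reject everything else.
function filterUsername($raw)
{
    // letters, digits, apostrophe and hyphen only, 1 to 32 characters
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9\'-]{1,32}$/', $raw)) {
        return null;
    }
    return $raw;
}

function filterAge($raw)
{
    if (!is_string($raw) || !ctype_digit($raw) || (int)$raw > 150) {
        return null;
    }
    return (int)$raw;
}

$username = filterUsername($post['username']);
$age      = filterAge($post['age']);
if ($username === null || $age === null) {
    die("rejected input\n");
}

// 2. Storage: keep the raw value; the prepared statement does the SQL escaping.
//    Assumes the pdo_sqlite extension; an in-memory database keeps this self-contained.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT, age INTEGER)');
$stmt = $db->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
$stmt->execute(array($username, $age));

// 3. Output: escape for the context being written to (HTML here) and name the charset,
//    which removes the ambiguity that character-set attacks rely on.
$row = $db->query('SELECT name, age FROM users')->fetch(PDO::FETCH_ASSOC);
echo '<p>', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
     ' is ', (int)$row['age'], "</p>\n";
// The table still holds o'brien unescaped, so a CSV or JSON export can escape it its own way.
```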
--- Begin Message ---
What did I miss here?
In case somebody else wants to know.
I've found some examples in php sources ( ext/spl/tests/array_009.phpt )
This is the way to accomplish this:
$array = array(1, 2 => array(21, 22 => array(221, 222), 23 => array(231)),
3);
$dir = new RecursiveIteratorIterator(new RecursiveArrayIterator($array),
RecursiveIteratorIterator::LEAVES_ONLY);
foreach ($dir as $file) {
print "$file\n";
}
Would be really nice to have some hints in documentation.
Marc
--- End Message ---
--- Begin Message ---
Why can't I use static functions in array_map?
Example:
<?php
class Dummy
{
static public function T($a)
{
echo "T called with $a\n";
return $a+2;
}
}
function t($a)
{
echo "t called with $a\n";
return $a*2;
}
echo 'invoking Dummy::T works fine : ', Dummy::T(3),"\n";
var_dump(array_map('t',array(1,2)));
var_dump(array_map('Dummy::T',array(1,2)));
?>
Marc
--- End Message ---
--- Begin Message ---
Marc Weber wrote:
>
> Why can't I use static functions in array_map?
>
> Example:
>
> <?php
> class Dummy
> {
> static public function T($a)
> {
> echo "T called with $a\n";
> return $a+2;
> }
> }
>
> function t($a)
> {
> echo "t called with $a\n";
> return $a*2;
> }
>
> echo 'invoking Dummy::T works fine : ', Dummy::T(3),"\n";
> var_dump(array_map('t',array(1,2)));
> var_dump(array_map('Dummy::T',array(1,2)));
do it like this:
var_dump(array_map(array("Dummy","T"), array(1,2)));
> ?>
>
> Marc
>
--- End Message ---
--- Begin Message ---
http://de.php.net/~helly/php/ext/spl/interfaceRecursiveIterator.html
This piece of code
------------------------
<?php
$array = array(1, 2 => array(21, 22 => array(221, 222), 23 => array(231)),
3);
$dir = new RecursiveIteratorIterator(new ArrayIterator($array));
foreach ($dir as $file) {
print "$file\n";
}
?>
------------------------
results in
------------------------
Fatal error: Uncaught exception 'InvalidArgumentException' with message
'An instance of *RecursiveIterator* or IteratorAggregate creating it is
required' in /tmp/t3.php:4
Stack trace:
/tmp/t3.php|4|
RecursiveIteratorIterator->__construct(Object(ArrayIterator))
#1 {main}
thrown in /tmp/t3.php on line 4
------------------------
So this interface exists.
Why am I asking?
I've written a small html combinator library where each tag is represented
as an object.
Now I want to iterate over them using RecursiveIteratorIterator.
To be able to iterate over subElements I have to provide a subIterator
by exposing the interface RecursiveIterator, right?
I'd like to also implement IteratorAggregate instead
of Iterator because subtags are stored in arrays.
This doesn't work because RecursiveIterator does inherit from Iterator.
Thus I have to implement current, next, etc. as well, just being dummy
functions calling an internal iterator iterating over those elements?
Or is this much easier and there is a RecursiveIteratorAggregate interface?
Marc
--- End Message ---
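The shape Marc describes (Iterator methods that just delegate to an internal iterator over the child array, plus hasChildren/getChildren) written out as an added example that is not from the thread; the Tag class and the constructed tree are my own, not Marc's library.

```php
<?php
// Added example, not from the thread: an element tree that RecursiveIteratorIterator
// can walk. Tag keeps its children in an array and satisfies RecursiveIterator by
// delegating the Iterator methods to an internal ArrayIterator over that array.
class Tag implements RecursiveIterator
{
    public $name;
    private $children = array();
    private $it;

    public function __construct($name, array $children = array())
    {
        $this->name     = $name;
        $this->children = $children;
        $this->it       = new ArrayIterator($this->children);
    }

    // Iterator methods: plain delegation to the internal ArrayIterator.
    public function current() { return $this->it->current(); }
    public function key()     { return $this->it->key(); }
    public function next()    { $this->it->next(); }
    public function rewind()  { $this->it->rewind(); }
    public function valid()   { return $this->it->valid(); }

    // RecursiveIterator methods: descend only into Tag children that have children.
    public function hasChildren()
    {
        $c = $this->it->current();
        return $c instanceof Tag && count($c->children) > 0;
    }
    public function getChildren() { return $this->it->current(); }
}

// Constructed tree: <html><head><title/></head><body><p/><p/></body></html>
$root = new Tag('html', array(
    new Tag('head', array(new Tag('title'))),
    new Tag('body', array(new Tag('p'), new Tag('p'))),
));

// SELF_FIRST yields each descendant of the root before its own children;
// getDepth() gives the nesting level, so this prints an indented outline.
$walker = new RecursiveIteratorIterator($root, RecursiveIteratorIterator::SELF_FIRST);
foreach ($walker as $tag) {
    echo str_repeat('  ', $walker->getDepth()), $tag->name, "\n";
}
```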
--- Begin Message ---
On Tue, Feb 13, 2007 at 11:54:41AM +0100, Marc Weber wrote:
>
I've implemented a simple walk function which seems to be even easier
using php.
So consider this thread being no longer a problem :)
Marc
--- End Message ---
--- Begin Message ---
# [EMAIL PROTECTED] / 2007-02-13 11:54:41 +0100:
>
> http://de.php.net/~helly/php/ext/spl/interfaceRecursiveIterator.html
>
> This piece of code
>
> ------------------------
> <?php
> $array = array(1, 2 => array(21, 22 => array(221, 222), 23 => array(231)),
> 3);
>
> $dir = new RecursiveIteratorIterator(new ArrayIterator($array));
untested:
$dir = new RecursiveIteratorIterator(new RecursiveArrayIterator($array));
--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
--- End Message ---
--- Begin Message ---
Hi,
Having this array:
$arr = array(
'my var'=>'My Value'
);
Notice the space in 'my var'.
Converted to object:
$obj = (object)$arr;
How can I access $arr['my var'] in $obj ?
-thanks!
--- End Message ---
--- Begin Message ---
On Tue, Feb 13, 2007 at 12:02:10PM +0200, Eli wrote:
> Hi,
>
> Having this array:
> $arr = array(
> 'my var'=>'My Value'
> );
> Notice the space in 'my var'.
>
> Converted to object:
> $obj = (object)$arr;
>
> How can I access $arr['my var'] in $obj ?
This works but there may be much better ways.
$n='my var';
echo ($obj->$n);
Marc
--- End Message ---
--- Begin Message ---
Eli wrote:
> Hi,
> Having this array:
> $arr = array(
> 'my var'=>'My Value'
> );
> Notice the space in 'my var'.
> Converted to object:
> $obj = (object)$arr;
> How can I access $arr['my var'] in $obj ?
> -thanks!
print $obj->{'my var'};
$obj->{'my var'} = 'My New Value';
print $obj->{'my var'};
--- End Message ---
--- Begin Message ---
Hi all,
I'm getting these errors:
[04-Dec-2006 18:21:56] PHP Warning: Unknown: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown
on line 0
[04-Dec-2006 18:21:56] PHP Warning: Unknown: Failed to write session data
(files). Please verify that the current setting of session.save_path is
correct (/var/lib/php5) in Unknown on line 0
[04-Dec-2006 18:22:09] PHP Warning: session_start() [<a
href='function.session-start'>function.session-start</a>]: The session id
contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
/web/fotokritik.com/lib/main.php on line 24
[04-Dec-2006 18:22:20] PHP Warning: Unknown: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown
on line 0
[04-Dec-2006 18:22:20] PHP Warning: Unknown: Failed to write session data
(files). Please verify that the current setting of session.save_path is
correct (/var/lib/php5) in Unknown on line 0
The project was running for a long time without any problems, today these
errors show up...
I installed the ZendPlatform trial and uninstalled it; maybe that's related, but I don't
know where to start.
I checked session.save_path and other options. Seems to be normal.
Do you have any ideas?
--- End Message ---
--- Begin Message ---
You may check same discussion at
http://bugs.php.net/bug.php?id=31184&edit=1
On Mon, 4 Dec 2006, M.Ozan Hazer wrote:
> Hi all,
> I'm getting these errors:
> [04-Dec-2006 18:21:56] PHP Warning: Unknown: The session id contains
> illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown
> on line 0
> [04-Dec-2006 18:21:56] PHP Warning: Unknown: Failed to write session data
> (files). Please verify that the current setting of session.save_path is
> correct (/var/lib/php5) in Unknown on line 0
> [04-Dec-2006 18:22:09] PHP Warning: session_start() [<a
> href='function.session-start'>function.session-start</a>]: The session id
> contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
> /web/fotokritik.com/lib/main.php on line 24
> [04-Dec-2006 18:22:20] PHP Warning: Unknown: The session id contains
> illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown
> on line 0
> [04-Dec-2006 18:22:20] PHP Warning: Unknown: Failed to write session data
> (files). Please verify that the current setting of session.save_path is
> correct (/var/lib/php5) in Unknown on line 0
> The project was running for a long time without any problems, today these
> errors show up...
> I installed the ZendPlatform trial and uninstalled it; maybe that's related, but I don't
> know where to start.
> I checked session.save_path and other options. Seems to be normal.
> Do you have any ideas?
--- End Message ---
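A defensive check related to the warning in this thread, added here and not from the thread (it does not diagnose what went wrong on that server): a client-supplied session id that PHP would refuse is dropped before session_start() runs, so a fresh id is issued instead of a failed write. The function names are my own.

```php
<?php
// Added example, not from the thread: reject a malformed session id before
// session_start() instead of letting PHP warn about it and fail to write the session.
function sessionIdIsValid($id)
{
    // The character set PHP's warning above lists as legal: a-z, A-Z, 0-9, '-' and ','.
    // The length bound is an assumption, chosen generously above the default id length.
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id) === 1;
}

function startSessionSafely()
{
    $name = session_name(); // 'PHPSESSID' unless configured otherwise

    if (isset($_COOKIE[$name]) && !sessionIdIsValid($_COOKIE[$name])) {
        // session_start() takes the id from $_COOKIE; removing the bad entry makes
        // PHP generate a new id rather than reusing the client's invalid one.
        unset($_COOKIE[$name]);
        // Expire the cookie so the browser stops sending the invalid value.
        setcookie($name, '', time() - 3600, '/');
    }

    session_start();
}

startSessionSafely();
```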
--- Begin Message ---
is it true that echo is a bit faster than print()? in general, when we don't
need a return value, which one is better to choose?
Cheers,
Danial Rahmanzadeh
--- End Message ---