php-general Digest 27 Aug 2010 15:50:24 -0000 Issue 6913
Topics (messages 307715 through 307717):
Re: Web application architecture (subdomain vs. sub directory)
307715 by: Per Jessen
Re: Does array_splice() fit for case ?
307716 by: Richard Quadling
Re: two questions on serverside validation
307717 by: Jan G.B.
----------------------------------------------------------------------
--- Begin Message ---
Tim Martens wrote:
> Based on advice here and elsewhere, I think we're tending toward a
> "no framework" MVC approach and sub-directory model to get started. As
> Per so elegantly stated "The subdirectory approach is easily rewritten
> to an internal subdomain structure." So if we need to pivot to a
> subdomain model we can do so.
Just to clarify - I meant rewritten as in Apache URL rewriting.
--
Per Jessen, Zürich (20.4°C)
--- End Message ---
--- Begin Message ---
On 26 August 2010 15:15, Alfredo Palhares <[email protected]> wrote:
> Hello,
>
> This is kinda a noob question, but that's what I am :)
>
> I have a 2 dimensions array (the first dimension are "normal" keys) and
> the second dimension has custom arrays, but they all have a common key
> that is *id*.
> The array comes ascending ordered by the numbers of *id*.
>
> When I receive this array I need to look for an array that has
> *id* == 0, so I do a for loop looking for it and I unset these values
> after that.
> But I need that the unset array looks like this sub-array never existed
> (e.g. if the key with id = 0 was "5", the "5" will be the number "6" and
> "6" the "7" and so on).
> Here is the code:
>
> <?php
>
> // $data the name of the array
>
> // Look for the main email
> for ($i = 0; $i < count($data); $i++) {
>     if ($data[$i]['id'] === 0) {
>         // It can't be empty
>         if (!empty($data[$i])) {
>             $this->email = $data[$i]['contact'];
>             $main_email_found = true;
>         }
>         unset($data[$i]);
>     }
> }
> ?>
>
> I have three ways of doing this:
>
> - Use a method that looks for duplicate entries based on the *id* key
> as index and after that returns the array ordered by this index.
> - Adding a new entry to another array in this loop that does not have
> *id* == 0, and after that reverse the order.
> - Use the array_splice native function.
>
> What do you recommend?
> Sorry for the bad English.
>
>
> --
> Regards,
> Alfredo Palhares
>
Once you've cleared out the array of the data you don't want, would
the following output the right result?

    sort($data);
    foreach($data as $id => $node) {
        $node['id'] = $id;
    }
    print_r($data);

--
Richard Quadling.
--- End Message ---
--- Begin Message ---
2010/8/25 Paul M Foster <[email protected]>:
> On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:
>
>> Hello,
>> Thanks to all who answered my quotes question. I've got another one.
>> I've got several combo boxes that are sticky, below is an example of
>> one and the function. Now I'd like to tighten it up by ensuring that
>> an external user can't inject values other than value1 or value2 into
>> the script. This sounds like an array.
>>
>> <select name="box1" id="box1">
>>   <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
>>   <option value="value2" <?php set_selected('box2', 'value2'); ?>>Value2</option>
>> </select>
>>
>> function set_selected($fieldname, $value)
>> {
>>     if ($_POST[$fieldname] == $value)
>>         echo 'selected="selected"';
>> }
>>
>> Thanks.
>> Dave.
>
> What you've done is fine, but don't believe a user can't inject values
> here, regardless of what you've done. All they have to do is call the
> URL that's in the "action" attribute of your form tag, and give it any
> values they like.
>
> If you simply want to control a normal user's choices, the above will do
> it fine. If you want to prevent hacking, you'll have to sanitize the
> values once they're received from the form.
>
> Paul
>
>
Hi Paul, hi David,
I must correct Paul here... a malicious user might be able to send a
value which is not "value1" or "value2", but this will not have any
impact for this snippet of code.
This snippet of code just sets a checkbox to being checked when the
value is the one expected. That's fine, so far. A classic whitelist.
But make sure the other code which we don't see
- does not output any _POST / _GET / _REQUEST / _COOKIE variables
without encoding the contents (e.g. htmlspecialchars), or
- does not send any user-supplied data without escaping the db-related
special chars (e.g. mysql_real_escape_string).
Regards,
Jan
--- End Message ---
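
The server-side checks discussed in the last message (an allow-list for the select value, and encoding before any submitted data is echoed back), as an added example that is not part of the original thread or any poster's code. The field name and option values come from the thread; the helper names, the ALLOWED table and the sample submissions are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: server-side allow-list for the "box1" select from the thread.
// Helper names and the ALLOWED table are hypothetical, not the posters' code.

const ALLOWED = ['box1' => ['value1', 'value2']];

// Return the submitted value only if it is one of the allowed options, else null.
function validated_choice(array $input, string $field): ?string
{
    $raw = $input[$field] ?? null;
    // box1[]=x arrives as an array and a missing field as null: reject both.
    if (!is_string($raw)) {
        return null;
    }
    // Strict comparison (third argument) avoids loose == type juggling.
    return in_array($raw, ALLOWED[$field] ?? [], true) ? $raw : null;
}

// Sticky-select helper: returns the attribute instead of echoing it.
function selected_attr(array $input, string $field, string $option): string
{
    return validated_choice($input, $field) === $option ? ' selected="selected"' : '';
}

// Encode untrusted data for an HTML context before output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions (stand-ins for $_POST).
$samples = [
    'normal'   => ['box1' => 'value2'],
    'tampered' => ['box1' => '"><b>not-an-option</b>'],
    'array'    => ['box1' => ['value1']],
    'missing'  => [],
];

foreach ($samples as $label => $post) {
    $choice = validated_choice($post, 'box1');   // use this value downstream, never the raw one
    $raw    = $post['box1'] ?? '';
    $shown  = is_string($raw) ? h($raw) : '(non-string)';
    printf("%-8s accepted=%s echoed=%s attr=[%s]\n",
        $label, var_export($choice, true), $shown, selected_attr($post, 'box1', 'value2'));
}
```

Only the 'normal' submission is accepted; the other three yield NULL, and the tampered value is shown with its quotes and angle brackets encoded.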