RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Good advice! Thanks!

Jeff

> -Original Message-
> From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 03, 2003 5:19 PM
> To: Jeff McKeon; php
> Subject: RE: [PHP] User Authentication Continued
> 
> 
> > --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > > $query="SELECT * from tickets where VesselID='$_GET['vesselid']' 
> > > order by Status DESC, Created ASC";
> > 
> > $query = "select * from tickets where vesselid = 
> '{$_GET['vesselid']}'
> >   order by status desc, created asc";
> > 
> > Note the curly braces.
> 
> I am trying to start making a conscious effort to alert 
> people to potential security risks associated with certain 
> examples. So, I should have mentioned that constructing an 
> SQL statement with client data is terrible. While my example 
> was only meant to illustrate how to interpolate arrays within 
> a string, I do not want anyone to copy/paste this code and 
> create a security vulnerability.
> 
> So, what should really be done is something like this:
> 
> 1. Validate $_GET['vesselid']
> 2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
> 3. Construct the SQL statement using $clean['vesselid']
> 
> Hope that helps.
> 
> Chris
> 
> =
> My Blog
>  http://shiflett.org/
> HTTP Developer's Handbook
>  http://httphandbook.org/
> RAMP Training Courses
>  http://www.nyphp.org/ramp
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> > order by Status DESC, Created ASC";
> 
> $query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
>   order by status desc, created asc";
> 
> Note the curly braces.

I am trying to start making a conscious effort to alert people to potential
security risks associated with certain examples. So, I should have mentioned
that constructing an SQL statement with client data is terrible. While my
example was only meant to illustrate how to interpolate arrays within a string,
I do not want anyone to copy/paste this code and create a security
vulnerability.

So, what should really be done is something like this:

1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

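The three steps above, worked through as an added example (my code, not code from the thread or from any of its participants). It puts the interpolated query from the thread beside the validate / copy-to-$clean / build-the-statement version and runs both against an in-memory SQLite table through PDO, so it needs only `php` with `pdo_sqlite` and no network database. The `tickets` table, its rows, the integer-valued `VesselID` column and the attacker's query-string value are all constructed for the demonstration and are assumptions, not details from the original post.

```php
<?php
// Added example, not from the thread: "validate, copy to $clean, then build the
// query" beside the interpolated original, run against an in-memory SQLite
// database. Table, rows and the attacker's input are constructed for illustration.
declare(strict_types=1);

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: VesselID is an integer foreign key.
    $db->exec('CREATE TABLE tickets (TicketID INTEGER PRIMARY KEY, VesselID INTEGER, Status TEXT, Created TEXT)');
    $db->exec("INSERT INTO tickets (VesselID, Status, Created) VALUES
               (7, 'open',   '2003-10-01'),
               (7, 'closed', '2003-10-02'),
               (9, 'open',   '2003-10-03')");
    return $db;
}

// The pattern from the thread: whatever arrived in the query string is placed
// inside the SQL text unchanged, so the client can end the quoted literal and
// append its own SQL.
function ticketsUnsafe(PDO $db, array $get): array
{
    $query = "SELECT * FROM tickets WHERE VesselID='{$get['vesselid']}' ORDER BY Status DESC, Created ASC";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Steps 1 and 2: validate, and only copy into $clean if the value passes.
// A vessel ID is a string of ASCII digits here (an assumption about the schema);
// anything else, including a missing parameter, is rejected outright.
function cleanVesselId(array $get): ?int
{
    if (!isset($get['vesselid']) || !is_string($get['vesselid'])) {
        return null;
    }
    if (preg_match('/^\d{1,9}$/', $get['vesselid']) !== 1) {
        return null;
    }
    return (int) $get['vesselid'];
}

// Step 3: build the statement from $clean only. Binding the cleaned value as a
// parameter (instead of interpolating it) is an extra safeguard this example adds:
// the database receives the value as data, never as part of the SQL text.
function ticketsSafe(PDO $db, array $get): array
{
    $clean = [];
    $clean['vesselid'] = cleanVesselId($get);
    if ($clean['vesselid'] === null) {
        return [];   // invalid or missing: no query is built at all
    }
    $stmt = $db->prepare('SELECT * FROM tickets WHERE VesselID = :vid ORDER BY Status DESC, Created ASC');
    $stmt->execute([':vid' => $clean['vesselid']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();
$honest   = ['vesselid' => '7'];              // constructed: a normal request
$attacker = ['vesselid' => "7' OR '1'='1"];   // constructed: closes the quote, adds a tautology

printf("unsafe, honest input:   %d rows\n", count(ticketsUnsafe($db, $honest)));
printf("unsafe, attacker input: %d rows\n", count(ticketsUnsafe($db, $attacker)));
printf("safe, honest input:     %d rows\n", count(ticketsSafe($db, $honest)));
printf("safe, attacker input:   %d rows\n", count(ticketsSafe($db, $attacker)));
```

Run it with `php example.php`. With the constructed payload the interpolated WHERE clause becomes `VesselID='7' OR '1'='1'`, which matches every vessel's tickets, while the validated path refuses the value before any SQL is built. Validation (step 1) is what the thread asks for; binding the cleaned value as a parameter is a second, independent control that the example adds on top, so that a validation slip does not by itself become an injection.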



RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
One more mystery solved.

Thanks one and all

Jeff

> -Original Message-
> From: Robert Cummings [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 03, 2003 4:55 PM
> To: Jeff McKeon
> Cc: PHP-General; [EMAIL PROTECTED]
> Subject: RE: [PHP] User Authentication Continued
> 
> 
> On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
> > Actually, here's the problem I get with using global variables in a 
> > mysql_query string..
> > 
> > [error begin]
> > PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> > expecting T_STRING or T_VARIABLE or T_NUM_STRING
> > [error end]
> > 
> > [code begin]
> > $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> > by Status DESC, Created ASC";
> > [code end]
> 
> The following will work:
> 
> $query=
> "SELECT * "
>."FROM tickets "
>."WHERE VesselID='".$_GET['vesselid']."' "
>."ORDER BY Status DESC, Created ASC";
> 
> Cheers,
> Rob.
> -- 
> .------------------------------------------------------------.
> | InterJinn Application Framework - http://www.interjinn.com |
> :------------------------------------------------------------:
> | An application and templating framework for PHP. Boasting  |
> | a powerful, scalable system for accessing system services  |
> | such as forms, properties, sessions, and caches. InterJinn |
> | also provides an extremely flexible architecture for       |
> | creating re-usable components quickly and easily.          |
> `------------------------------------------------------------'
> 
> 
> 




Re: [PHP] User Authentication Continued....

2003-10-03 Thread Curt Zirzow
* Thus wrote Jeff McKeon ([EMAIL PROTECTED]):
> Actually, here's the problem I get with using global variables in a
> mysql_query string..
> 
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> expecting T_STRING or T_VARIABLE or T_NUM_STRING 
> [error end]
> 
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> by Status DESC, Created ASC";
> [code end]

Enclose the var in curly brackets:

$query="SELECT * from tickets where VesselID='{$_GET['vesselid']}' order
by Status DESC, Created ASC";


Curt
-- 
List Stats: http://zirzow.dyndns.org/html/mlists/php_general/

"I used to think I was indecisive, but now I'm not so sure."




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Robert Cummings
On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
> Actually, here's the problem I get with using global variables in a
> mysql_query string..
> 
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> expecting T_STRING or T_VARIABLE or T_NUM_STRING 
> [error end]
> 
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> by Status DESC, Created ASC";
> [code end]

The following will work:

$query=
"SELECT * "
   ."FROM tickets "
   ."WHERE VesselID='".$_GET['vesselid']."' "
   ."ORDER BY Status DESC, Created ASC";

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
--- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> order by Status DESC, Created ASC";

$query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
  order by status desc, created asc";

Note the curly braces.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Actually, here's the problem I get with using global variables in a
mysql_query string..

[error begin]
PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
expecting T_STRING or T_VARIABLE or T_NUM_STRING 
[error end]

[code begin]
$query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
by Status DESC, Created ASC";
[code end]

Jeff

> -Original Message-
> From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 03, 2003 3:45 PM
> To: Jeff McKeon; php
> Subject: Re: [PHP] User Authentication Continued
> 
> 
> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > The problem I'm having is with the $_GET variables. I guess I'm not 
> > declaring them correctly. Do I need to set them as soon as the page 
> > loads, and outside of any functions like so..
> > 
> > [code start]
> > $custid = $_GET['custid'];
> > $custname = $_GET['custname'];
> > [code end]
> > 
> > Or do I need to declare them in each function?
> > 
> > [code start]
> > Function blah(){
> > global $custname, $custid;
> > 
> > $custid = $_GET['custid'];
> > $custname = $_GET['custname'];
> > DO SOME STUFF
> > }
> 
> $_GET is a superglobal, which just means that it is always 
> available everywhere. If you assign $custname to 
> $_GET['custname'], you now have a regular global variable (if 
> the assignment is done outside a function) or a local 
> variable (if the assignment is done within a function).
> 
> So, either just use $_GET['custname'] everywhere you need it, 
> or work with the variable scope like you would have to if it 
> was anything else. For example:
> 
> 1. $foo = $_GET['foo'];
> 2. $foo = 'bar';
> 
> The variable scope of $foo would be the same, regardless of 
> which of those assignments were made.
> 
> Hope that helps.
> 
> Chris
> 
> =
> My Blog
>  http://shiflett.org/
> HTTP Developer's Handbook
>  http://httphandbook.org/
> RAMP Training Courses
>  http://www.nyphp.org/ramp
> 




Re: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
--- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> The problem I'm having is with the $_GET variables. I guess I'm not
> declaring them correctly. Do I need to set them as soon as the page
> loads, and outside of any functions like so..
> 
> [code start]
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> [code end]
> 
> Or do I need to declare them in each function?
> 
> [code start]
> Function blah(){
>   global $custname, $custid;
> 
>   $custid = $_GET['custid'];
>   $custname = $_GET['custname'];
>   DO SOME STUFF
> }

$_GET is a superglobal, which just means that it is always available
everywhere. If you assign $custname to $_GET['custname'], you now have a
regular global variable (if the assignment is done outside a function) or a
local variable (if the assignment is done within a function).

So, either just use $_GET['custname'] everywhere you need it, or work with the
variable scope like you would have to if it was anything else. For example:

1. $foo = $_GET['foo'];
2. $foo = 'bar';

The variable scope of $foo would be the same, regardless of which of those
assignments were made.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

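The scope rules described above, as an added example (my code, not from the thread). Each function fetches the same customer ID a different way, so the difference between the superglobal `$_GET`, an ordinary global copied from it, and a local copy is visible side by side. `$_GET` is filled in by hand so the script runs from the command line; in a real request PHP populates it from the query string. The `custid` and `custname` values are constructed, and the parameter-passing variant at the end is a practitioner's addition rather than one of the options discussed in the thread.

```php
<?php
// Added example, not from the thread: how $_GET (a superglobal) differs in scope
// from an ordinary variable assigned from it. $_GET is populated by hand here so
// the script runs under the CLI; a web request fills it from the query string.
declare(strict_types=1);

$_GET = ['custid' => '42', 'custname' => 'Acme Shipping'];   // constructed request

$custid = $_GET['custid'];   // an ordinary global: invisible inside functions unless imported

// 1. Read the superglobal directly: visible in every scope, no declaration needed.
function viaSuperglobal(): string
{
    return $_GET['custid'];
}

// 2. Import the ordinary global with the "global" keyword.
function viaGlobalKeyword(): string
{
    global $custid;
    return $custid;
}

// 3. Copy into a local: this $custid exists only for the duration of the call and
//    is unrelated to the global $custid above or to any other function's copy.
function viaLocalCopy(): string
{
    $custid = $_GET['custid'];
    return $custid;
}

// 4. Without "global", the function's $custid is simply undefined; the outer
//    assignment does not leak in.
function withoutImport(): ?string
{
    return isset($custid) ? $custid : null;
}

// 5. Pass the value in as a parameter: the caller decides exactly what the
//    function sees, which also keeps validated values apart from raw request data.
function viaParameter(string $custid): string
{
    return $custid;
}

printf("superglobal:    %s\n", viaSuperglobal());
printf("global keyword: %s\n", viaGlobalKeyword());
printf("local copy:     %s\n", viaLocalCopy());
printf("no import:      %s\n", var_export(withoutImport(), true));
printf("parameter:      %s\n", viaParameter($_GET['custid']));
```

The first three calls return the same string and the fourth returns null, which is the whole point: the scope of `$custid` is decided by where it is assigned, not by the fact that its value came from `$_GET`, whereas `$_GET` itself needs no `global` declaration anywhere.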



Re: [PHP] User Authentication Continued....

2003-10-03 Thread Kris Yates
I guess you would either need to make the vars global or else keep 
redeclaring them.  Obviously, redeclaring them in each function 
$var=$_GET["whatever"] is technically the more secure method.

Kris

Jeff McKeon wrote:

> Ok,
> 
> I've got the user authentication thing down and now I'm continuing to
> build my trouble ticket tracking system.
> 
> So from a "customer profile" page there is a link to "Open Ticket" which
> brings up a page to open a trouble ticket.
> 
> [html code]
> HREF=./open_ticket.php?custid=$custid&custname=$custname
> [html code]
> 
> The user is validated for permissions and timeout based on the $_SESSION
> variables established before the "open ticket" page is loaded.
> 
> I then have a form that they fill in with the minimum info to create a
> new ticket.  Some info is passed to the open ticket page from the
> customer profile page via a GET method and entered into hidden form
> fields.
> 
> [html code]
> HREF=./open_ticket.php?custid=$custid&custname=$custname
> [html code]
> 
> On the "open ticket" page I have 2 functions, the first is a form for
> entering in the ticket info, the second is a function to take the
> information and update the database with it when the form is submitted,
> then reload the page with a display of the ticket info.
> 
> The problem I'm having is with the $_GET variables.  I guess I'm not
> declaring them correctly.  Do I need to set them as soon as the page
> loads, and outside of any functions like so..
> 
> [code start]
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> [code end]
> 
> Or do I need to declare them in each function?
> 
> [code start]
> Function blah(){
> global $custname, $custid;
> 
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> DO SOME STUFF
> }
> 
> Function foo(){
> global $custname, $custid;
> 
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> DO SOME STUFF
> }
> [code end]
> 
> Or am I way off and there is another way of doing it?
> 
> Also I've noticed that when I do an mysql_query("select name from foo
> where name='$somevariable'") I cannot use $_GET['somevariable'] or
> $_POST['somevariable'] in the sql string, I find I need to do a $name =
> $_GET['somevariable'] first and then use $name.  Why is this?
> 
> Thanks,
> 
> Jeff



[PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Ok,

I've got the user authentication thing down and now I'm continuing to
build my trouble ticket tracking system.

So from a "customer profile" page there is a link to "Open Ticket" which
brings up a page to open a trouble ticket.  

[html code]
HREF=./open_ticket.php?custid=$custid&custname=$custname
[html code]

The user is validated for permissions and timeout based on the $_SESSION
variables established before the "open ticket" page is loaded.

I then have a form that they fill in with the minimum info to create a
new ticket.  Some info is passed to the open ticket page from the
customer profile page via a GET method and entered into hidden form
fields. 

[html code]
HREF=./open_ticket.php?custid=$custid&custname=$custname
[html code]

On the "open ticket" page I have 2 functions, the first is a form for
entering in the ticket info, the second is a function to take the
information and update the database with it when the form is submitted,
then reload the page with a display of the ticket info.

The problem I'm having is with the $_GET variables.  I guess I'm not
declaring them correctly.  Do I need to set them as soon as the page
loads, and outside of any functions like so..

[code start]
$custid = $_GET['custid'];
$custname = $_GET['custname'];
[code end]

Or do I need to declare them in each function?

[code start]
Function blah(){
global $custname, $custid;

$custid = $_GET['custid'];
$custname = $_GET['custname'];
DO SOME STUFF
}

Function foo(){
global $custname, $custid;

$custid = $_GET['custid'];
$custname = $_GET['custname'];
DO SOME STUFF
}
[code end]

Or am I way off and there is another way of doing it?

Also I've noticed that when I do an mysql_query("select name from foo
where name='$somevariable'") I cannot use $_GET['somevariable'] or
$_POST['somevariable'] in the sql string, I find I need to do a $name =
$_GET['somevariable'] first and then use $name.  Why is this?

Thanks,

Jeff
