[PHP] User Authentication Continued....
Ok, I've got the user authentication thing down and now I'm continuing to build my trouble ticket tracking system. So from a customer profile page there is a link to Open Ticket which brings up a page to open a trouble ticket.

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

The user is validated for permissions and timeout based on the $_SESSION variables established before the open ticket page is loaded. I then have a form that they fill in with the minimum info to create a new ticket. Some info is passed to the open ticket page from the customer profile page via a GET method and entered into hidden form fields.

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

On the open ticket page I have 2 functions: the first is a form for entering in the ticket info, the second is a function to take the information and update the database with it when the form is submitted, then reload the page with a display of the ticket info.

The problem I'm having is with the $_GET variables. I guess I'm not declaring them correctly. Do I need to set them as soon as the page loads, and outside of any functions, like so..

[code start]
$custid = $_GET['custid'];
$custname = $_GET['custname'];
[code end]

Or do I need to declare them in each function?

[code start]
function blah() {
    global $custname, $custid;
    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    // do some stuff
}

function foo() {
    global $custname, $custid;
    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    // do some stuff
}
[code end]

Or am I way off and there is another way of doing it?

Also I've noticed that when I do a mysql_query("select name from foo where name='$somevariable'") I cannot use $_GET['somevariable'] or $_POST['somevariable'] in the sql string; I find I need to do a $name = $_GET['somevariable'] first and then use $name. Why is this?

Thanks,
Jeff

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] User Authentication Continued....
I guess you would either need to make the vars global or else keep redeclaring them. Obviously, redeclaring them in each function ($var = $_GET[whatever]) is technically the more secure method.

Kris

Jeff McKeon wrote:
> [Jeff's original message, quoted in full]
Re: [PHP] User Authentication Continued....
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> The problem I'm having is with the $_GET variables. I guess I'm not declaring them correctly. Do I need to set them as soon as the page loads, and outside of any functions, like so..
>
> [code start]
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> [code end]
>
> Or do I need to declare them in each function?
>
> [code start]
> function blah() {
>     global $custname, $custid;
>     $custid = $_GET['custid'];
>     $custname = $_GET['custname'];
>     // do some stuff
> }

$_GET is a superglobal, which just means that it is always available everywhere. If you assign $custname to $_GET['custname'], you now have a regular global variable (if the assignment is done outside a function) or a local variable (if the assignment is done within a function).

So, either just use $_GET['custname'] everywhere you need it, or work with the variable scope like you would have to if it was anything else. For example:

1. $foo = $_GET['foo'];
2. $foo = 'bar';

The variable scope of $foo would be the same, regardless of which of those assignments were made.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
RE: [PHP] User Authentication Continued....
Actually, here's the problem I get with using global variables in a mysql_query string..

[error begin]
PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
[error end]

[code begin]
$query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";
[code end]

Jeff

-----Original Message-----
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 3:45 PM
To: Jeff McKeon; php
Subject: Re: [PHP] User Authentication Continued

> [Chris's reply, quoted in full]
RE: [PHP] User Authentication Continued....
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";

$query = "select * from tickets where vesselid = '{$_GET['vesselid']}' order by status desc, created asc";

Note the curly braces.

Hope that helps.

Chris
RE: [PHP] User Authentication Continued....
On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
> Actually, here's the problem I get with using global variables in a mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";
> [code end]

The following will work:

$query = "SELECT * "
        ."FROM tickets "
        ."WHERE VesselID='".$_GET['vesselid']."' "
        ."ORDER BY Status DESC, Created ASC";

Cheers,
Rob.
--
| InterJinn Application Framework - http://www.interjinn.com |
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
Re: [PHP] User Authentication Continued....
* Thus wrote Jeff McKeon ([EMAIL PROTECTED]):
> Actually, here's the problem I get with using global variables in a mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";
> [code end]

Enclose the var in curly brackets:

$query="SELECT * from tickets where VesselID='{$_GET['vesselid']}' order

Curt
--
List Stats: http://zirzow.dyndns.org/html/mlists/php_general/

I used to think I was indecisive, but now I'm not so sure.
RE: [PHP] User Authentication Continued....
One more mystery solved. Thanks one and all.

Jeff

-----Original Message-----
From: Robert Cummings [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 4:55 PM
To: Jeff McKeon
Cc: PHP-General; [EMAIL PROTECTED]
Subject: RE: [PHP] User Authentication Continued

> [Rob's reply, quoted in full]
RE: [PHP] User Authentication Continued....
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order by Status DESC, Created ASC";

> $query = "select * from tickets where vesselid = '{$_GET['vesselid']}' order by status desc, created asc";
>
> Note the curly braces.

I am trying to start making a conscious effort to alert people to potential security risks associated with certain examples. So, I should have mentioned that constructing an SQL statement with client data is terrible. While my example was only meant to illustrate how to interpolate arrays within a string, I do not want anyone to copy/paste this code and create a security vulnerability.

So, what should really be done is something like this:

1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']

Hope that helps.

Chris
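The validate-then-use pattern Chris lays out, worked through for the vesselid query as an added example (this is not code from the thread or from Jeff's application). It also shows the superglobal point from Chris's earlier reply: $_GET is read inside a function with no `global` line. Assumptions: PHP 7.1+, a vessel id is 1 to 10 ASCII digits, and $db is an open mysqli connection built with mysqlnd.

```php
<?php
// Added example, not from the thread. Validate-then-use for $_GET['vesselid'].
// $_GET is a superglobal, so it is readable here without a `global` line.

function clean_vesselid(array $get): ?string
{
    // Assumed rule: a vessel id is 1 to 10 ASCII digits. Anything else is
    // rejected outright rather than escaped.
    if (!isset($get['vesselid']) || !is_string($get['vesselid'])) {
        return null;
    }
    if (!preg_match('/^[0-9]{1,10}$/', $get['vesselid'])) {
        return null;
    }
    return $get['vesselid'];
}

function build_ticket_query(): ?string
{
    $clean = [];
    $clean['vesselid'] = clean_vesselid($_GET);
    if ($clean['vesselid'] === null) {
        return null;   // caller must report an error, never fall back to the raw value
    }
    // Curly braces make the array element interpolate, as Chris showed.
    return "SELECT * FROM tickets WHERE VesselID='{$clean['vesselid']}' "
         . "ORDER BY Status DESC, Created ASC";
}

// Assumed: $db is an open mysqli connection (mysqlnd, for get_result()).
// A prepared statement keeps the value out of the SQL text entirely, which
// is safer than interpolating even a validated value.
function fetch_tickets(mysqli $db, string $vesselid): array
{
    $stmt = $db->prepare(
        "SELECT * FROM tickets WHERE VesselID = ? ORDER BY Status DESC, Created ASC"
    );
    $stmt->bind_param('s', $vesselid);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed inputs for a command-line check of the validation step:
// the first passes, the second (a stray quote) is rejected.
$_GET['vesselid'] = '42';
var_dump(build_ticket_query());
$_GET['vesselid'] = "42'";
var_dump(build_ticket_query());
```

The page reads the validated value from $clean only, so a rejected request never reaches either query path.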
RE: [PHP] User Authentication Continued....
Good advice! Thanks!

Jeff

-----Original Message-----
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2003 5:19 PM
To: Jeff McKeon; php
Subject: RE: [PHP] User Authentication Continued

> [Chris's reply, quoted in full]