RE: [PHP] User Authentication Continued....
Good advice! Thanks!

Jeff

> -----Original Message-----
> From: Chris Shiflett [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 03, 2003 5:19 PM
> To: Jeff McKeon; php
> Subject: RE: [PHP] User Authentication Continued
>
> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> > order by Status DESC, Created ASC";
>
> $query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
> order by status desc, created asc";
>
> Note the curly braces.
>
> I am trying to start making a conscious effort to alert people to
> potential security risks associated with certain examples. So, I
> should have mentioned that constructing an SQL statement with client
> data is terrible. While my example was only meant to illustrate how
> to interpolate arrays within a string, I do not want anyone to
> copy/paste this code and create a security vulnerability.
>
> So, what should really be done is something like this:
>
> 1. Validate $_GET['vesselid']
> 2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
> 3. Construct the SQL statement using $clean['vesselid']
>
> Hope that helps.
>
> Chris
>
> =====
> My Blog
> http://shiflett.org/
> HTTP Developer's Handbook
> http://httphandbook.org/
> RAMP Training Courses
> http://www.nyphp.org/ramp
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] User Authentication Continued....
--- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> order by Status DESC, Created ASC";

$query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
order by status desc, created asc";

Note the curly braces.

I am trying to start making a conscious effort to alert people to
potential security risks associated with certain examples. So, I should
have mentioned that constructing an SQL statement with client data is
terrible. While my example was only meant to illustrate how to
interpolate arrays within a string, I do not want anyone to copy/paste
this code and create a security vulnerability.

So, what should really be done is something like this:

1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
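The three steps above, worked through for the thread's tickets/VesselID query as an added example (not code from the thread or from Chris). It assumes a PDO connection in $pdo and a numeric VesselID column; valid_vessel_id and the 400 response are this example's own choices, and the prepared statement in step 3b is an added technique beyond what the thread describes.

```php
<?php
// Added example: Chris's validate -> $clean -> construct sequence.
// Assumes an existing PDO connection in $pdo (assumption, not from the thread).

// Step 1: validate. A vessel id is expected to be a positive integer, so the
// check is a strict whitelist rather than an attempt to escape bad characters.
function valid_vessel_id($value)
{
    // Reject arrays (vesselid[]=1), empty strings, signs, spaces, quotes and
    // anything non-numeric; the length cap keeps the value in integer range.
    return is_string($value) && $value !== ''
        && ctype_digit($value) && strlen($value) <= 10;
}

$clean = array();

if (isset($_GET['vesselid']) && valid_vessel_id($_GET['vesselid'])) {
    // Step 2: only validated data ever enters $clean.
    $clean['vesselid'] = (int) $_GET['vesselid'];
} else {
    // Invalid or missing: stop here instead of building a query at all.
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid vessel id');
}

// Step 3a: the construction Chris describes, interpolating only $clean.
// The curly braces are what let the array element parse inside the string.
$query = "SELECT * FROM tickets WHERE VesselID = {$clean['vesselid']} "
       . "ORDER BY Status DESC, Created ASC";

// Step 3b (added here, not part of the thread): a prepared statement keeps
// the value out of the SQL text entirely, so the validation above becomes
// defence in depth rather than the only barrier.
$stmt = $pdo->prepare(
    'SELECT * FROM tickets WHERE VesselID = :vesselid '
    . 'ORDER BY Status DESC, Created ASC'
);
$stmt->bindValue(':vesselid', $clean['vesselid'], PDO::PARAM_INT);
$stmt->execute();
$tickets = $stmt->fetchAll(PDO::FETCH_ASSOC);
```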
RE: [PHP] User Authentication Continued....
One more mystery solved. Thanks one and all

Jeff

> -----Original Message-----
> From: Robert Cummings [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 03, 2003 4:55 PM
> To: Jeff McKeon
> Cc: PHP-General; [EMAIL PROTECTED]
> Subject: RE: [PHP] User Authentication Continued
>
> On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
> > Actually, here's the problem I get with using global variables in a
> > mysql_query string..
> >
> > [error begin]
> > PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> > expecting T_STRING or T_VARIABLE or T_NUM_STRING
> > [error end]
> >
> > [code begin]
> > $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> > by Status DESC, Created ASC";
> > [code end]
>
> The following will work:
>
> $query=
>     "SELECT * "
>    ."FROM tickets "
>    ."WHERE VesselID='".$_GET['vesselid']."' "
>    ."ORDER BY Status DESC, Created ASC";
>
> Cheers,
> Rob.
> --
> .------------------------------------------------------------.
> | InterJinn Application Framework - http://www.interjinn.com |
> :------------------------------------------------------------:
> | An application and templating framework for PHP. Boasting  |
> | a powerful, scalable system for accessing system services  |
> | such as forms, properties, sessions, and caches. InterJinn |
> | also provides an extremely flexible architecture for       |
> | creating re-usable components quickly and easily.          |
> `------------------------------------------------------------'
Re: [PHP] User Authentication Continued....
* Thus wrote Jeff McKeon ([EMAIL PROTECTED]):
> Actually, here's the problem I get with using global variables in a
> mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> by Status DESC, Created ASC";
> [code end]

Enclose the var in curly brackets:

$query="SELECT * from tickets where VesselID='{$_GET['vesselid']}' order

Curt
--
List Stats: http://zirzow.dyndns.org/html/mlists/php_general/
"I used to think I was indecisive, but now I'm not so sure."
RE: [PHP] User Authentication Continued....
On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
> Actually, here's the problem I get with using global variables in a
> mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> by Status DESC, Created ASC";
> [code end]

The following will work:

$query=
    "SELECT * "
   ."FROM tickets "
   ."WHERE VesselID='".$_GET['vesselid']."' "
   ."ORDER BY Status DESC, Created ASC";

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
RE: [PHP] User Authentication Continued....
--- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> order by Status DESC, Created ASC";

$query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
order by status desc, created asc";

Note the curly braces.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
RE: [PHP] User Authentication Continued....
Actually, here's the problem I get with using global variables in a
mysql_query string..

[error begin]
PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
expecting T_STRING or T_VARIABLE or T_NUM_STRING
[error end]

[code begin]
$query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
by Status DESC, Created ASC";
[code end]

Jeff

> -----Original Message-----
> From: Chris Shiflett [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 03, 2003 3:45 PM
> To: Jeff McKeon; php
> Subject: Re: [PHP] User Authentication Continued
>
> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > The problem I'm having is with the $_GET variables. I guess I'm not
> > declaring them correctly. Do I need to set them as soon as the page
> > loads, and outside of any functions like so..
> >
> > [code start]
> > $custid = $_GET['custid'];
> > $custname = $_GET['custname'];
> > [code end]
> >
> > Or do I need to declare them in each function?
> >
> > [code start]
> > Function blah(){
> >     global $custname, $custid;
> >
> >     $custid = $_GET['custid'];
> >     $custname = $_GET['custname'];
> >     DO SOME STUFF
> > }
>
> $_GET is a superglobal, which just means that it is always available
> everywhere. If you assign $custname to $_GET['custname'], you now have
> a regular global variable (if the assignment is done outside a
> function) or a local variable (if the assignment is done within a
> function).
>
> So, either just use $_GET['custname'] everywhere you need it, or work
> with the variable scope like you would have to if it was anything
> else. For example:
>
> 1. $foo = $_GET['foo'];
> 2. $foo = 'bar';
>
> The variable scope of $foo would be the same, regardless of which of
> those assignments were made.
>
> Hope that helps.
>
> Chris
>
> =====
> My Blog
> http://shiflett.org/
> HTTP Developer's Handbook
> http://httphandbook.org/
> RAMP Training Courses
> http://www.nyphp.org/ramp
Re: [PHP] User Authentication Continued....
--- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> The problem I'm having is with the $_GET variables. I guess I'm not
> declaring them correctly. Do I need to set them as soon as the page
> loads, and outside of any functions like so..
>
> [code start]
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> [code end]
>
> Or do I need to declare them in each function?
>
> [code start]
> Function blah(){
>     global $custname, $custid;
>
>     $custid = $_GET['custid'];
>     $custname = $_GET['custname'];
>     DO SOME STUFF
> }

$_GET is a superglobal, which just means that it is always available
everywhere. If you assign $custname to $_GET['custname'], you now have a
regular global variable (if the assignment is done outside a function)
or a local variable (if the assignment is done within a function).

So, either just use $_GET['custname'] everywhere you need it, or work
with the variable scope like you would have to if it was anything else.
For example:

1. $foo = $_GET['foo'];
2. $foo = 'bar';

The variable scope of $foo would be the same, regardless of which of
those assignments were made.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
Re: [PHP] User Authentication Continued....
I guess you would either need to make the vars global or else keep
redeclaring them. Obviously, redeclaring them in each function
$var=$_GET["whatever"] is technically the more secure method.

Kris

Jeff McKeon wrote:
> Ok, I've got the user authentication thing down and now I'm continuing
> to build my trouble ticket tracking system.
>
> So from a "customer profile" page there is a link to "Open Ticket"
> which brings up a page to open a trouble ticket.
>
> [html code]
> HREF=./open_ticket.php?custid=$custid&custname=$custname
> [html code]
>
> The user is validated for permissions and timeout based on the
> $_SESSION variables established before the "open ticket" page is
> loaded.
>
> I then have a form that they fill in with the minimum info to create a
> new ticket. Some info is passed to the open ticket page from the
> customer profile page via a GET method and entered into hidden form
> fields.
>
> [html code]
> HREF=./open_ticket.php?custid=$custid&custname=$custname
> [html code]
>
> On the "open ticket" page I have 2 functions, the first is a form for
> entering in the ticket info, the second is a function to take the
> information and update the database with it when the form is
> submitted, then reload the page with a display of the ticket info.
>
> The problem I'm having is with the $_GET variables. I guess I'm not
> declaring them correctly. Do I need to set them as soon as the page
> loads, and outside of any functions like so..
>
> [code start]
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> [code end]
>
> Or do I need to declare them in each function?
>
> [code start]
> Function blah(){
>     global $custname, $custid;
>
>     $custid = $_GET['custid'];
>     $custname = $_GET['custname'];
>     DO SOME STUFF
> }
>
> Function foo(){
>     global $custname, $custid;
>
>     $custid = $_GET['custid'];
>     $custname = $_GET['custname'];
>     DO SOME STUFF
> }
> [code end]
>
> Or am I way off and there is another way of doing it?
>
> Also I've noticed that when I do an
> mysql_query("select name from foo where name='$somevariable'")
> I cannot use $_GET['somevariable'] or $_POST['somevariable'] in the
> sql string, I find I need to do a $name = $_GET['somevariable'] first
> and then use $name. Why is this?
>
> Thanks,
>
> Jeff
[PHP] User Authentication Continued....
Ok, I've got the user authentication thing down and now I'm continuing
to build my trouble ticket tracking system.

So from a "customer profile" page there is a link to "Open Ticket" which
brings up a page to open a trouble ticket.

[html code]
HREF=./open_ticket.php?custid=$custid&custname=$custname
[html code]

The user is validated for permissions and timeout based on the $_SESSION
variables established before the "open ticket" page is loaded.

I then have a form that they fill in with the minimum info to create a
new ticket. Some info is passed to the open ticket page from the
customer profile page via a GET method and entered into hidden form
fields.

[html code]
HREF=./open_ticket.php?custid=$custid&custname=$custname
[html code]

On the "open ticket" page I have 2 functions, the first is a form for
entering in the ticket info, the second is a function to take the
information and update the database with it when the form is submitted,
then reload the page with a display of the ticket info.

The problem I'm having is with the $_GET variables. I guess I'm not
declaring them correctly. Do I need to set them as soon as the page
loads, and outside of any functions like so..

[code start]
$custid = $_GET['custid'];
$custname = $_GET['custname'];
[code end]

Or do I need to declare them in each function?

[code start]
Function blah(){
    global $custname, $custid;

    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    DO SOME STUFF
}

Function foo(){
    global $custname, $custid;

    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    DO SOME STUFF
}
[code end]

Or am I way off and there is another way of doing it?

Also I've noticed that when I do an
mysql_query("select name from foo where name='$somevariable'")
I cannot use $_GET['somevariable'] or $_POST['somevariable'] in the sql
string, I find I need to do a $name = $_GET['somevariable'] first and
then use $name. Why is this?

Thanks,

Jeff