[PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Ok,

I've got the user authentication thing down and now I'm continuing to
build my trouble ticket tracking system.

So from a customer profile page there is a link to Open Ticket which
brings up a page to open a trouble ticket.  

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

The user is validated for permissions and timeout based on the $_SESSION
variables established before the open ticket page is loaded.

I then have a form that they fill in with the minimum info to create a
new ticket.  Some info is passed to the open ticket page from the
customer profile page via a GET method and entered into hidden form
fields.

[html code]
HREF="./open_ticket.php?custid=$custid&custname=$custname"
[html code]

On the open ticket page I have 2 functions, the first is a form for
entering in the ticket info, the second is a function to take the
information and update the database with it when the form is submitted,
then reload the page with a display of the ticket info.

The problem I'm having is with the $_GET variables.  I guess I'm not
declaring them correctly.  Do I need to set them as soon as the page
loads, and outside of any functions like so..

[code start]
$custid = $_GET['custid'];
$custname = $_GET['custname'];
[code end]

Or do I need to declare them in each function?

[code start]
function blah() {
    global $custname, $custid;

    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    // do some stuff
}

function foo() {
    global $custname, $custid;

    $custid = $_GET['custid'];
    $custname = $_GET['custname'];
    // do some stuff
}
[code end]

Or am I way off and there is another way of doing it?

Also I've noticed that when I do an mysql_query("select name from foo
where name='$somevariable'") I cannot use $_GET['somevariable'] or
$_POST['somevariable'] in the sql string, I find I need to do a $name =
$_GET['somevariable'] first and then use $name.  Why is this?

Thanks,

Jeff

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] User Authentication Continued....

2003-10-03 Thread Kris Yates
I guess you would either need to make the vars global or else keep
redeclaring them.  Obviously, redeclaring them in each function
$var = $_GET['whatever'] is technically the more secure method.

Kris



Re: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> The problem I'm having is with the $_GET variables. I guess I'm not
> declaring them correctly. Do I need to set them as soon as the page
> loads, and outside of any functions like so..
>
> [code start]
> $custid = $_GET['custid'];
> $custname = $_GET['custname'];
> [code end]
>
> Or do I need to declare them in each function?
>
> [code start]
> function blah() {
>     global $custname, $custid;
>
>     $custid = $_GET['custid'];
>     $custname = $_GET['custname'];
>     // do some stuff
> }

$_GET is a superglobal, which just means that it is always available
everywhere. If you assign $custname to $_GET['custname'], you now have a
regular global variable (if the assignment is done outside a function) or a
local variable (if the assignment is done within a function).

So, either just use $_GET['custname'] everywhere you need it, or work with the
variable scope like you would have to if it was anything else. For example:

1. $foo = $_GET['foo'];
2. $foo = 'bar';

The variable scope of $foo would be the same, regardless of which of those
assignments were made.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Actually, here's the problem I get with using global variables in a
mysql_query string..

[error begin]
PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
expecting T_STRING or T_VARIABLE or T_NUM_STRING 
[error end]

[code begin]
$query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
by Status DESC, Created ASC";
[code end]

Jeff




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
--- Jeff McKeon [EMAIL PROTECTED] wrote:
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> order by Status DESC, Created ASC";

$query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
  order by status desc, created asc";

Note the curly braces.

Hope that helps.

Chris




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Robert Cummings
On Fri, 2003-10-03 at 16:44, Jeff McKeon wrote:
> Actually, here's the problem I get with using global variables in a
> mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> by Status DESC, Created ASC";
> [code end]

The following will work:

$query =
    "SELECT * "
   ."FROM tickets "
   ."WHERE VesselID='".$_GET['vesselid']."' "
   ."ORDER BY Status DESC, Created ASC";

Cheers,
Rob.
-- 
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting
a powerful, scalable system for accessing system services
such as forms, properties, sessions, and caches. InterJinn
also provides an extremely flexible architecture for
creating re-usable components quickly and easily.




Re: [PHP] User Authentication Continued....

2003-10-03 Thread Curt Zirzow
* Thus wrote Jeff McKeon ([EMAIL PROTECTED]):
> Actually, here's the problem I get with using global variables in a
> mysql_query string..
>
> [error begin]
> PHP Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE,
> expecting T_STRING or T_VARIABLE or T_NUM_STRING
> [error end]
>
> [code begin]
> $query="SELECT * from tickets where VesselID='$_GET['vesselid']' order
> by Status DESC, Created ASC";
> [code end]

Enclose the var in curly brackets:

$query="SELECT * from tickets where VesselID='{$_GET['vesselid']}' order


Curt
-- 
List Stats: http://zirzow.dyndns.org/html/mlists/php_general/

I used to think I was indecisive, but now I'm not so sure.




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
One more mystery solved.

Thanks one and all

Jeff




RE: [PHP] User Authentication Continued....

2003-10-03 Thread Chris Shiflett
> --- Jeff McKeon [EMAIL PROTECTED] wrote:
> > $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> > order by Status DESC, Created ASC";
>
> $query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
>   order by status desc, created asc";
>
> Note the curly braces.

I am trying to start making a conscious effort to alert people to potential
security risks associated with certain examples. So, I should have mentioned
that constructing an SQL statement with client data is terrible. While my
example was only meant to illustrate how to interpolate arrays within a string,
I do not want anyone to copy/paste this code and create a security
vulnerability.

So, what should really be done is something like this:

1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']

Hope that helps.

Chris

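The three steps above, worked through for the tickets query from this thread, as an added example (not code from the thread or from Chris). It also answers the scope question from the first post: $_GET is read inside a function without any "global" declaration. It assumes VesselID is an integer column and that $link is an already-open mysqli connection; the prepared-statement tail goes one step beyond the thread's advice.

```php
<?php
// Added example, not code from the thread. Assumes VesselID is an integer
// column and that $link is an already-open mysqli connection.

function clean_vesselid()
{
    // $_GET is a superglobal, so it is readable here without "global".
    // Whitelist check: accept only a plain string made of digits
    // (vesselid[]=1 arrives as an array and is rejected by is_string).
    if (!isset($_GET['vesselid'])
        || !is_string($_GET['vesselid'])
        || !ctype_digit($_GET['vesselid'])) {
        return null;
    }
    return (int) $_GET['vesselid'];
}

$clean = array();
$vesselid = clean_vesselid();              // step 1: validate
if ($vesselid === null) {
    // Validation failed: refuse the request instead of querying with raw input.
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid vessel id.');
}
$clean['vesselid'] = $vesselid;           // step 2: only validated data lands in $clean

// Step 3: build the statement from $clean, never from $_GET directly.
// Because $clean['vesselid'] is an int, interpolating it cannot change
// the structure of the SQL, and the curly braces handle the array index.
$query = "SELECT * FROM tickets WHERE VesselID = {$clean['vesselid']} "
       . "ORDER BY Status DESC, Created ASC";

// One step beyond the thread: the same query as a prepared statement, where
// the driver keeps the value separate from the SQL text entirely.
$stmt = $link->prepare(
    'SELECT * FROM tickets WHERE VesselID = ? ORDER BY Status DESC, Created ASC'
);
$stmt->bind_param('i', $clean['vesselid']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // display the ticket row ...
}
```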



RE: [PHP] User Authentication Continued....

2003-10-03 Thread Jeff McKeon
Good advice! Thanks!

Jeff
