Re: [PHP] elegant way of doing something else the last timethrough a loop? SOLVED

2003-07-16 Thread Petre Agenbag 
Hi

Yes, I see your point.
Guess I'm way too trusting a person, should think like a criminal...

So you're basically saying I should always place sensible "default
values" in my script and then compare the $_POST vars, else stick to the
default, ie, have the $_POST overwrite your default before the script
can use it?

Petre




On Tue, 2003-07-15 at 17:39, David Otton wrote:
> On Tue, 15 Jul 2003 16:47:22 +0200, you wrote:
> 
> >Well, it should never be, it comes from a drop down that only has 3 options,
> >any, all or exact
> >Any caveats there?
> 
> "You can't trust the client". I can submit any data I want to your script,
> most easily by knocking up my own form:
> 
> http://domain.com/yourform.php";>
> 
> 
> 
> 
> In this particular case, it's no big deal - your script exits gracelessly,
> but no real harm is done. However, the same class of attack (injecting
> unexpected data into a script) can cause far more serious problems.
> 
> What I'm trying to say is that it will pay off in the future if you learn a
> defensive coding style now. Assume that all input from the outside world is
> potentially malicious.
> 
> The code we're takling about can easily be made safe:
> 
> $logic = "exact";
> if ($_POST[any_all] == "any") {
>   $logic = "or";
> } elseif ($_POST[any_all] == "all") {
>   $logic = "and";
> }
> 
> BTW, try putting
> 
> error_reporting(E_ALL);
> 
> at the top of the script to flag the string literal problem I mentioned
> originally, and see what happens if any_all isn't in the $_POST array at
> all.
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] elegant way of doing something else the last timethrough a loop? SOLVED

2003-07-14 Thread Petre Agenbag 
Following works nicely for me now, thanks all!


connect("localhost","user","password","table");
$table_name = "main";
if ($_POST[any_all] == "any") {
$logic = "or";
}
elseif ($_POST[any_all] == "all") {
$logic = "and";
}
elseif ($_POST[any_all] == "exact") {
$logic = "exact";
}
$string = $_POST[text];
$phrases = explode(" ", $string);

$sql = "select * from $table_name where ";

if (($logic == "or") || ($logic == "and")) {
$temp = '';
foreach ($phrases as $key=>$val) {
if (($val != "the") && ($val != "and") && ($val != " ") && ($val !=
"")) {
if (!empty($temp)) $temp .= ' '.$logic.' ';
$temp.= "name like '%$val%' ";  
}   
}
$sql.=$temp;
} elseif ($logic == "exact") {
$sql.="name like'%$string%'";
}
$sql.= " order by name";
//echo $sql;
$db->query($sql);
$db->draw_table();
 
?>


On Mon, 2003-07-14 at 14:00, Marek Kilimajer wrote:
> I always do it this way:
> 
> $condition='';
> foreach ($phrases as $key=>$val) {
>  if (($val != "the") && ($val != "and")) {
>  $condition.= "name like '%$val%'  $logic";
>  }
> }
> $condition=substr($condition, 0, strlen($condition) - strlen($logic));
> $sql .= $condition;
> > 
> > $length = strlen($sql);
> > $newlen = $length - 4;
> > $sql[$newlen].= " order by name";
> > echo $sql; 
> > 
> > 
> > 
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php