Re: [PHP-DB] currency out of postgresql

2001-09-14 Thread Justin Buist

While the proposed solution below may very well indeed work for this
situation it's a far better practice to strip the variable down to "known
to be good" values rather than "known to be bad" ones.  Rather than strip
$ and , marks from the variable it's far better to strip out anything
other than 0-9 and the '.' character.

In this given situation it may or may not have any advantage -- just a
different paradigm; and one that often improves application security.
Rather than think of what's disallowed think only of what is allowed.  A
"recent" example of this would be to follow the BugTraq postings on the
Unicode directory traversal exploits of MS IIS toward the latter end of
2000.  The patch was released to prevent certain attacks from coming
through but it proved to be a patch developed by somebody with rather
elementary security skills.  They prevented only -known- attacks from
working; workarounds surfaced within a day, if not hours.  Eventually they
put a competent coder on the job and things were fixed.

But, like I said, this probably isn't a security issue here -- just one of
robustness.  The two are rather similar in practice though.  As I said
before, the original poster's idea may very well work 100% of the time,
but I thought I'd take the opportunity to point out the difference.  I
posted a private reply to the original author that went something like
this:

Strip out anything except 0-9 characters (after formatting), add them,
divide by 100 and reformat.  I don't imagine any locale settings that
would cause this to error.

I don't mean to nit-pick at anybody here, that's my last objective.  Just
something to think about when coding.  Admittedly I've done the exact
opposite approach (stripping known bad vs. allowing known good) many times
and have been burned because of it.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI  49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

On Fri, 14 Sep 2001, David Balatero wrote:

> I suppose you could just remove the $ and/or the comma with a regexp...
> www.php.net/eregi_replace


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
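
An added example, not code from any poster in this thread, of the "known to be good" approach described in the message above: keep only 0-9 and '.', check that what is left still looks like an amount, add in integer cents, divide by 100 and reformat. The function names and sample values are hypothetical; it assumes PHP 7 or later and non-negative amounts with either no decimals or exactly two.

```php
<?php
// Added example. money_to_cents(), add_money() and strip_known_bad() are
// hypothetical names; the sample values are constructed in the shape the
// thread shows ("$0", "$5,217.00"). Assumes non-negative amounts.

// Denylist from the earlier reply, kept for contrast: removes only "$" and ",".
function strip_known_bad(string $raw): string
{
    return str_replace(['$', ','], '', $raw);
}

// Allowlist: keep only 0-9 and '.', then require digits with an optional
// two-digit fraction. Anything else is rejected instead of guessed at.
function money_to_cents(string $raw): int
{
    $clean = preg_replace('/[^0-9.]/', '', $raw);
    if (!is_string($clean)
        || !preg_match('/^(\d+)(?:\.(\d{2}))?\z/', $clean, $m)) {
        throw new InvalidArgumentException('not a money value');
    }
    // Whole units times 100 plus the two fraction digits, as an integer.
    return (int) $m[1] * 100 + (int) ($m[2] ?? 0);
}

// Add in integer cents, then divide by 100 and reformat.
function add_money(string ...$values): string
{
    $cents = array_sum(array_map('money_to_cents', $values));
    return sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
}

echo add_money('$0', '$5,217.00'), "\n";
echo add_money('$4.00', '$4000.00'), "\n";

// A prefix the denylist did not anticipate survives it and is still
// non-numeric; the allowlist reduces the same input to a valid amount.
echo strip_known_bad('USD 5,217.00'), "\n";
echo add_money('USD 5,217.00', '$0'), "\n";

// Input that does not reduce to a valid amount fails closed.
try {
    add_money('5.217,00', '$0');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```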




Re: [PHP-DB] currency out of postgresql

2001-09-14 Thread David Balatero

I suppose you could just remove the $ and/or the comma with a regexp...
www.php.net/eregi_replace

-- David Balatero
- Original Message -
From: "Rick Eicher II" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 14, 2001 3:00 PM
Subject: [PHP-DB] currency out of postgresql


> After I do the add $money comes out to be 0. The data comes out as $0 and
> $5,217.00, I need to add these two to get $5,217.00. How do you add money
> with the dollar sign in the data?
>
> rick
>
> -Original Message-
> From: Bas Jobsen [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 14, 2001 7:24 AM
> To: Rick Eicher II
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] currency out of postgresql
>
>
> > $formatted = sprintf("%01.2f", $money);
> > printf ("%01.2f\n", $formatted);
>
> maybe twice, try:
> $formatted = sprintf("%01.2f", $money);
> echo "$formatted\n";
>
>
> - Original Message -----
> From: "Rick Eicher II" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 14, 2001 6:48 PM
> Subject: [PHP-DB] currency out of postgresql
>
>
> > I am trying to get two currency values from out of the database, add them
> > together and print them to the screen. I am using the following code.
> >
> > $money = $myrow[6] + $myrow[7];
> > $formatted = sprintf("%01.2f", $money);
> > printf ("%01.2f\n", $formatted);
> >
> > $myrow[] is the array that I load the database records into.
> >
> > I can echo $myrow[6] & $myrow[7], which will show like $4.00 and $4000.00.
> > But when I add them together they come out as 0 every time. The columns in
> > the database are of type money. This is a postgresql database.
> >
> > Does anyone see the errors of my ways?
> >
> > thanks,
> > Rick Eicher II
> > www.pbol.net




[PHP-DB] currency out of postgresql

2001-09-14 Thread Rick Eicher II

After I do the add $money comes out to be 0. The data comes out as $0 and
$5,217.00, I need to add these two to get $5,217.00. How do you add money
with the dollar sign in the data?

rick

-Original Message-
From: Bas Jobsen [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 14, 2001 7:24 AM
To: Rick Eicher II
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] currency out of postgresql


> $formatted = sprintf("%01.2f", $money);
> printf ("%01.2f\n", $formatted);

maybe twice, try:
$formatted = sprintf("%01.2f", $money);
echo "$formatted\n";


- Original Message -
From: "Rick Eicher II" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 14, 2001 6:48 PM
Subject: [PHP-DB] currency out of postgresql


> I am trying to get two currency values from out of the database, add them
> together and print them to the screen. I am using the following code.
>
> $money = $myrow[6] + $myrow[7];
> $formatted = sprintf("%01.2f", $money);
> printf ("%01.2f\n", $formatted);
>
> $myrow[] is the array that I load the database records into.
>
> I can echo $myrow[6] & $myrow[7], which will show like $4.00 and $4000.00.
> But when I add them together they come out as 0 every time. The columns in
> the database are of type money. This is a postgresql database.
>
> Does anyone see the errors of my ways?
>
> thanks,
> Rick Eicher II
> www.pbol.net




Re: [PHP-DB] currency out of postgresql

2001-09-14 Thread Bas Jobsen

> $formatted = sprintf("%01.2f", $money);
> printf ("%01.2f\n", $formatted);

maybe twice, try:
$formatted = sprintf("%01.2f", $money);
echo "$formatted\n";


- Original Message -
From: "Rick Eicher II" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 14, 2001 6:48 PM
Subject: [PHP-DB] currency out of postgresql


> I am trying to get two currency values from out of the database, add them
> together and print them to the screen. I am using the following code.
>
> $money = $myrow[6] + $myrow[7];
> $formatted = sprintf("%01.2f", $money);
> printf ("%01.2f\n", $formatted);
>
> $myrow[] is the array that I load the database records into.
>
> I can echo $myrow[6] & $myrow[7], which will show like $4.00 and $4000.00.
> But when I add them together they come out as 0 every time. The columns in
> the database are of type money. This is a postgresql database.
>
> Does anyone see the errors of my ways?
>
> thanks,
> Rick Eicher II
> www.pbol.net




[PHP-DB] currency out of postgresql

2001-09-14 Thread Rick Eicher II

I am trying to get two currency values from out of the database, add them
together and print them to the screen. I am using the following code.

$money = $myrow[6] + $myrow[7];
$formatted = sprintf("%01.2f", $money);
printf ("%01.2f\n", $formatted);

$myrow[] is the array that I load the database records into.

I can echo $myrow[6] & $myrow[7], which will show like $4.00 and $4000.00.
But when I add them together they come out as 0 every time. The columns in
the database are of type money. This is a postgresql database.

Does anyone see the errors of my ways?

thanks,
Rick Eicher II
www.pbol.net

