Re: [PHP] Stripslashes

2010-11-17 Thread Adam Richardson
>
> Adam
>
> Thanks for your reply.  So if I disable magic_quotes, and I assume I can do
> that in a script, then the stripslashes would work as the manual said it
> would, meaning
>
> G\\a//r\y\\ becomes G\a//r'y\
>
> I also assume that until php 6 is out and or I upgrade to it, I will have
> to deal with magic_quotes?
>
> Thank you for your help.
>
> Gary
>

You can disable magic quotes with php.ini or htaccess or toss in the example
#2 code on this page if you don't have access to php.ini (each of these
examples are listed within the page below):
http://php.net/manual/en/security.magicquotes.disabling.php

Additionally, it doesn't look like you'll have to wait long before you can
stop worrying about magic quotes (actually, several distros ship with them
turned off):
http://www.pubbs.net/201011/php/27311-php-dev-magic-quotes-in-trunk.html

Keep coding,

Adam


-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com


Re: [PHP] Stripslashes

2010-11-17 Thread Gary

"Adam Richardson"  wrote in message 
news:aanlktin_9_tfe9q+dc2hoynsavccoyuecudkqd919...@mail.gmail.com...
> On Tue, Nov 16, 2010 at 10:10 PM, Gary  wrote:
>
>> I was doing a test of stripslashes on a $_POST, when I received the
>> email, all of the slashes were still in the data posted.
>>
>> I used :
>>
>> $fname = stripslashes($_POST['fname']);
>>
>> I input G\\a//r\y\\, and was expecting, according to the manual
>> G\a//r*y\, but got the original spelling.
>>
>
> In this case, you should get the original, if I'm understanding correctly.
> Think of it like a basic math problem:
>
> Step 1: Happens automatically when you submit the form and PHP receives
> the form variables
> input + slashes = slashed_input
>
> Step 2: This happens when you call stripslashes.
> slashed_input - slashes = input
>
> The goal of stripslashes is that it will undo what happened automatically
> using magic_quotes_gpc (which essentially calls addslashes on the GPC vars
> behind the scenes) so you'll end up with the original input.
>
> So, working through your example:
>
>   1. You inputted into a form G\\a//r\y\\ and submitted the form.
>   2. PHP received G\\a//r\y\\ and added slashes (Ga//r\\y).
>   3. You called stripslashes (G\\a//r\y\\).
>
>
>
>
>>
>> I added:
>>
>> echo stripslashes($fname); and did get the expected result on the page,
>> but not in the email from the $_POST.
>>
>
> Here, you called stripslashes on something already stripped once, so you
> now have a new value (G\a//ry\).
>
>
>>
>> I also tried
>>
>> $fname = (stripslashes($_POST['fname']));
>>
>
> This would be no different than your attempt without enclosing 
> parentheses.
>
> Now, let me just say that I detest magic_quotes, and it's best to run with
> them disabled so you  don't even have to worry about this kind of issue
> (they've been deprecated.)  But, perhaps you were just trying to learn
> about some piece of legacy code.
>
> Hope the explanation helps, Gary.
>
> Adam
>
> -- 
> Nephtali:  PHP web framework that functions beautifully
> http://nephtaliproject.com
>

Adam

Thanks for your reply.  So if I disable magic_quotes, and I assume I can do
that in a script, then the stripslashes would work as the manual said it
would, meaning

G\\a//r\y\\ becomes G\a//r'y\

I also assume that until php 6 is out and or I upgrade to it, I will have to 
deal with magic_quotes?

Thank you for your help.

Gary








-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
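
Added example (not part of the original thread): the add-then-strip round trip from the quoted explanation above, run on the same input. magic_quotes_gpc is simulated with addslashes(), as the explanation describes it; undo_magic_quotes() is a hypothetical helper name, and the $magicQuotesOn flag stands in for the server setting.

```php
<?php
// Added illustration, not code from the thread.
// The automatic escaping is simulated with addslashes(), which the quoted
// explanation says magic_quotes_gpc essentially applied to GET/POST/COOKIE.

// Hypothetical helper: undo the automatic escaping exactly once, and only
// when it was actually applied. Array inputs (name="tags[]") are handled too.
function undo_magic_quotes($value, $magicQuotesOn)
{
    if (!$magicQuotesOn) {
        return $value;                 // nothing was added, so strip nothing
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = undo_magic_quotes($v, true);
        }
        return $value;
    }
    return stripslashes($value);
}

// Constructed sample: the text typed into the form in the thread. A nowdoc
// is used so the backslashes are taken literally.
$typed = <<<'RAW'
G\\a//r\y\\
RAW;

$received = addslashes($typed);                    // step 1: added on receipt
$once     = undo_magic_quotes($received, true);    // step 2: one strip
$twice    = stripslashes($once);                   // second strip eats real data
$disabled = undo_magic_quotes($typed, false);      // magic quotes turned off

printf("typed         : %s\n", $typed);
printf("received      : %s\n", $received);
printf("stripped once : %s (equals typed: %s)\n",
    $once, var_export($once === $typed, true));
printf("stripped twice: %s (equals typed: %s)\n",
    $twice, var_export($twice === $typed, true));
printf("quotes off    : %s (equals typed: %s)\n",
    $disabled, var_export($disabled === $typed, true));
```

Stripping is only correct as the inverse of escaping that really happened; the automatic escaping was never a dependable defence for database queries, which is why bound parameters are used instead.
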



RE: [PHP] Updating a GET variable

2010-11-17 Thread Tommy Pham
> -----Original Message-----
> From: Marc Guay [mailto:marc.g...@gmail.com]
> Sent: Wednesday, November 17, 2010 8:59 AM
> To: PHP General
> Subject: Re: [PHP] Updating a GET variable
> 
> > Nathan previously mentioned what if instead of a language specific
> > request, you have request for multiple languages.
> 
> I get it now, multiple _simultaneous_ languages.
> 
> Cheers,
> Marc
> 

Also FYI, if you do support multiple languages, don't depend entirely on
$_SERVER["HTTP_ACCEPT_LANGUAGE"].  I know many folks who are fluent in more
than 1 language but clueless on technology, specifically configuring their
system and browser on how to read & write those languages.  As for myself, I
don't configure the web browser because of privacy issue ;)

Regards,
Tommy





Re: [PHP] DOMDocument/DOMElement problem

2010-11-17 Thread David Harkness
On Wed, Nov 17, 2010 at 10:27 AM, Peter Lind  wrote:

> Quick note, in case anyone has similar problems: make sure that the
> data you feed into DOMDocument is UTF8 encoded
>

I can attest to this as well. I just fixed a bug in our sitemap-building
code that was producing some items with empty titles for Google News. It
turned out they had smart quotes from Word in them because the title field
wasn't being passed through the filter. Once I filtered and converted to
UTF-8, all is well again.

The strange thing is that we just upgraded to PHP 5.3, and I can't believe
no one had accidentally pasted in a smart quote before the upgrade. We're
running 5.3.3 in fact, and I wouldn't be surprised if something changed in
DOMElement.

David


Re: [PHP] DOMDocument/DOMElement problem

2010-11-17 Thread Peter Lind
On 16 November 2010 21:30, Adam Richardson  wrote:
> Hmmm...
>
> Nothing really stands out to me, but as my wife would attest, I'm often less
> than observant.
>
> I would probably try sifting through fixes/upgrades in the change logs for
> possible conflicts and/or changes in behavior.  Nothing jumped out at me
> after a quick glance.
>
> Sorry,
>
> Adam
>

Thanks for having a look. Far as I can tell, the main problem was
related to the encoding of the input data - and as such, the problem
was as likely to be in libxml as in php. I haven't seen any updates to
the DOM* extensions that would explain the change in behaviour and
really find it weird - but, at least I found a solution to the
problems :)

Quick note, in case anyone has similar problems: make sure that the
data you feed into DOMDocument is UTF8 encoded

Regards
Peter

-- 

WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15





Re: [PHP] database design in a survey/poll system

2010-11-17 Thread Tamara Temple

On Nov 17, 2010, at 7:42 AM, 肖晗 wrote:


> I plan to design a small survey/poll system similar to polldaddy.
>
> And I have some confusion in designing the database for the
> multiple/single choice questions. Of course, it is possible to use one
> table to store the question title and  another table to store the choice
> item(one record for each choice item).

As you have a many-to-one relationship of answers to questions, two
tables would be necessary in a normalized database.

> My main concern is that whether we can place the choices together in the
> same table(and in one ) with the question title. I guess it can be faster
> to read from one table than reading from two table.

It is possible, but really, why bother? It's not a very time consuming
function whether you join two tables or read from one and end up
parsing the results. String parsing can be expensive, too.

> And my idea is to use  a delimiter to separate the choices. And the
> handling of the choices are done in the php script. But what delimiter
> should be used?

You can easily choose any character and just make sure your responses
never include that character, or escape it somehow (eg. via \ )

> Can anyone help? Thanks!


I really don't think you gain much, if anything, by having a single  
table in this instance. The retrieval is trivial for the sql engine,  
vs creating parsing code in PHP which may be trouble-prone or  
convoluted.






Re: [PHP] Updating a GET variable

2010-11-17 Thread Marc Guay
> Nathan previously mentioned what if instead of a language specific request,
> you have request for multiple languages.

I get it now, multiple _simultaneous_ languages.

Cheers,
Marc




RE: [PHP] Updating a GET variable

2010-11-17 Thread Tommy Pham
> -----Original Message-----
> From: Marc Guay [mailto:marc.g...@gmail.com]
> Sent: Wednesday, November 17, 2010 6:30 AM
> To: PHP General
> Subject: Re: [PHP] Updating a GET variable
> 
> > A bit late in the thread.  However, IMO, I don't think session is
> > necessary, unless you intend to save it for later use, during that
> > same visit from the user.  If it's just a 1 time request, you can just
> > use (example) $_GET['lang']=en,de,fr,...
> > Then just split up individual languages, process the request of each
> > supported language, and place each relevant localization in its own
> > tab panel, div (non js), etc...
> 
> Hi Tommy,
> 
> I read this at least 5 times and still don't quite get your meaning, but
> I'm curious enough to ask:  Could you repeat in other words or give a short
> example?
> 
> Marc
> 

Marc,

Nathan previously mentioned what if instead of a language specific request,
you have request for multiple languages.  I don't know if that's part of your
web app feature/service or not but you don't need session to process that
request unless you need the results for something else.  This example is based
upon that you use URL query parameter to permit the users to change/select
the languages.  I don't know how your app is designed but you can process it
via $_POST also.

$languages = $_GET['lang'];  // e.g. lang=en,de,fr in the URL
// you can use another separator such as - or _
$langArray = explode(',', $languages);

Then you can process for each of the language:

foreach ($langArray as $lang)
    process_request_func($lang);

results of process_request_func() for language en
results of process_request_func() for language de
results of process_request_func() for language fr

Or if you have jqueryui or something similar, use tabs for each of those
html content where  each language goes in its own tab.  If you need to save
the results for later use, then you'll need the session.

Regards,
Tommy





Re: [PHP] database design in a survey/poll system

2010-11-17 Thread Adam Richardson
On Wed, Nov 17, 2010 at 8:42 AM, 肖晗  wrote:

> I plan to design a small survey/poll system similar to polldaddy.
>
> And I have some confusion in designing the database for the multiple/single
> choice questions. Of course, it is possible to use one table to store the
> question title and  another table to store the choice item(one record for
> each choice item).
>
> My main concern is that whether we can place the choices together in the
> same table(and in one ) with the question title. I guess it can be faster
> to read from one table than reading from two table.
>
> And my idea is to use  a delimiter to separate the choices. And the
> handling of the choices are done in the php script. But what delimiter
> should be used?
> Can anyone help? Thanks!
>

When you denormalize like this, it's important to make sure that you don't
need to perform more complex queries on the items (sorting, max, min, etc.),
as most DB's will outperform PHP for this type of work even if it does
require one or more table relationships.

That said, when the query needs are simple enough to merit this type of
approach, I tend to JSON-encode the data (
http://php.net/manual/en/function.json-encode.php), leaving a simple
JSON-decode operation (http://www.php.net/manual/en/function.json-decode.php)
to get the queried data back into PHP form.

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com


Re: [PHP] Updating a GET variable

2010-11-17 Thread Marc Guay
> A bit late in the thread.  However, IMO, I don't think session is necessary,
> unless you intend to save it for later use, during that same visit from the
> user.  If it's just a 1 time request, you can just use (example)
> $_GET['lang']=en,de,fr,...
> Then just split up individual languages, process the request of each
> supported language, and place each relevant localization in its own tab
> panel, div (non js), etc...

Hi Tommy,

I read this at least 5 times and still don't quite get your meaning,
but I'm curious enough to ask:  Could you repeat in other words or
give a short example?

Marc




Re: [PHP] Securing Use of PHP site

2010-11-17 Thread Bastien Koert
On Wed, Nov 17, 2010 at 8:21 AM, Nicholas Kell  wrote:
>
>
> On Nov 17, 2010, at 6:51 AM, Don Wieland  wrote:
>
>> Hello all,
>>
>> I have recently built a site using PHP. I was a little loose with GET and 
>> POST methods because I was using it for personal/private use. Now I am 
>> thinking of going public and allow different companies to use the site. I 
>> want to secure and hide as much data as possible to guard against user abuse.
>>
>> I have several instances where I use the GET method to pass IDS. I can use a 
>> POST but even that is visible in the source. How does one allow for 
>> processing but never really let the user see that actual ID? Do I use a HASH 
>> for IDs? Do I need to get more familiar with SESSION VARS.
>>
>> I am doing some experimenting. Any words of wisdom or resources would be 
>> helpful. Thanks!
>>
>> Don Wieland
>> D W   D a t a   C o n c e p t s
>> ~
>> d...@dwdataconcepts.com
>> Direct Line - (949) 336-4828
>>
>> Integrated data solutions to fit your business needs.
>>
>> Need assistance in dialing in your FileMaker solution? Check out our 
>> Developer Support Plan at:
>> http://www.dwdataconcepts.com/DevSup.html
>>
>> Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro 9 or 
>> higher
>> http://www.appointment10.com
>>
>> For a quick overview -
>> http://www.appointment10.com/Appt10_Promo/Overview.html
>>
>
> A hash is useful, but I think you are on the right track with session vars.
>
>

I use both. Hashes to id the record, and session vars to hold the user
permission sets.

-- 

Bastien

Cat, the other other white meat
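
Added example (not part of the original thread, and not any poster's own code): one way to combine the two ideas in the reply above, a keyed hash on the record reference plus a permission set held in the session. The function names, REF_KEY and the session layout are assumptions; the record ID stays visible in this form, the tag only makes it tamper-evident, and the permission check is what enforces access.

```php
<?php
// Added illustration; function names, the key and the session layout are
// hypothetical.

// Server-side secret. Placeholder value: load a random one from configuration.
define('REF_KEY', 'PLACEHOLDER-load-a-random-secret-from-config');

// Build the reference placed in links and forms: "<id>.<tag>". The tag is an
// HMAC over the user id and record id, so without the key it cannot be
// recomputed for another id or reused from another user's session.
function make_ref($userId, $recordId)
{
    $tag = hash_hmac('sha256', $userId . '|' . $recordId, REF_KEY);
    return $recordId . '.' . $tag;
}

// Verify a reference coming back via GET/POST and check the permission set
// held in the session. Returns the record id, or null when rejected.
function resolve_ref(array $session, $ref, $needed)
{
    if (!is_string($ref) || !preg_match('/^(\d+)\.([0-9a-f]{64})$/D', $ref, $m)) {
        return null;                               // malformed reference
    }
    $expected = hash_hmac('sha256', $session['user_id'] . '|' . $m[1], REF_KEY);
    if (!hash_equals($expected, $m[2])) {
        return null;                               // edited or borrowed id
    }
    if (!in_array($needed, $session['perms'], true)) {
        return null;                               // user lacks the permission
    }
    return (int) $m[1];
}

// Constructed sample sessions (stand-ins for $_SESSION after login).
$alice = array('user_id' => 7, 'perms' => array('invoice.read'));
$bob   = array('user_id' => 9, 'perms' => array());

$ref      = make_ref($alice['user_id'], 1042);
$tampered = '1043' . substr($ref, 4);              // same tag, different id

var_dump(resolve_ref($alice, $ref, 'invoice.read'));       // valid request
var_dump(resolve_ref($alice, $tampered, 'invoice.read'));  // id was edited
var_dump(resolve_ref($bob, $ref, 'invoice.read'));         // another user's link
var_dump(resolve_ref($alice, $ref, 'invoice.delete'));     // missing permission
```
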




[PHP] database design in a survey/poll system

2010-11-17 Thread 肖晗
I plan to design a small survey/poll system similar to polldaddy.

And I have some confusion in designing the database for the multiple/single
choice questions. Of course, it is possible to use one table to store the
question title and  another table to store the choice item(one record for
each choice item).

My main concern is that whether we can place the choices together in the
same table(and in one ) with the question title. I guess it can be faster to
read from one table than reading from two table.

And my idea is to use  a delimiter to separate the choices. And the handling
of the choices are done in the php script. But what delimiter should be
used?
Can anyone help? Thanks!


Re: [PHP] Securing Use of PHP site

2010-11-17 Thread Nicholas Kell


On Nov 17, 2010, at 6:51 AM, Don Wieland  wrote:

> Hello all,
> 
> I have recently built a site using PHP. I was a little loose with GET and 
> POST methods because I was using it for personal/private use. Now I am 
> thinking of going public and allow different companies to use the site. I 
> want to secure and hide as much data as possible to guard against user abuse.
> 
> I have several instances where I use the GET method to pass IDS. I can use a 
> POST but even that is visible in the source. How does one allow for 
> processing but never really let the user see that actual ID? Do I use a HASH 
> for IDs? Do I need to get more familiar with SESSION VARS.
> 
> I am doing some experimenting. Any words of wisdom or resources would be 
> helpful. Thanks!
> 
> Don Wieland
> D W   D a t a   C o n c e p t s
> ~
> d...@dwdataconcepts.com
> Direct Line - (949) 336-4828
> 
> Integrated data solutions to fit your business needs.
> 
> Need assistance in dialing in your FileMaker solution? Check out our 
> Developer Support Plan at:
> http://www.dwdataconcepts.com/DevSup.html
> 
> Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro 9 or 
> higher
> http://www.appointment10.com
> 
> For a quick overview -
> http://www.appointment10.com/Appt10_Promo/Overview.html
> 

A hash is useful, but I think you are on the right track with session vars.



[PHP] Securing Use of PHP site

2010-11-17 Thread Don Wieland

Hello all,

I have recently built a site using PHP. I was a little loose with GET  
and POST methods because I was using it for personal/private use. Now  
I am thinking of going public and allow different companies to use the  
site. I want to secure and hide as much data as possible to guard  
against user abuse.


I have several instances where I use the GET method to pass IDS. I can  
use a POST but even that is visible in the source. How does one allow  
for processing but never really let the user see that actual ID? Do I  
use a HASH for IDs? Do I need to get more familiar with SESSION VARS.


I am doing some experimenting. Any words of wisdom or resources would  
be helpful. Thanks!


Don Wieland
D W   D a t a   C o n c e p t s
~
d...@dwdataconcepts.com
Direct Line - (949) 336-4828

Integrated data solutions to fit your business needs.

Need assistance in dialing in your FileMaker solution? Check out our  
Developer Support Plan at:

http://www.dwdataconcepts.com/DevSup.html

Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro  
9 or higher

http://www.appointment10.com

For a quick overview -
http://www.appointment10.com/Appt10_Promo/Overview.html