[PHP] Magic Quotes

2005-02-10 Thread Ben Edwards (lists)
Am I correct in thinking Magic Quotes automatically adds quotes to all
posted variables, therefore if you are displaying post variables on a
form you have to remove the quotes.  They are only needed if you are
actually inserting/updating into the database.  Whether magic quotes
are on or not you do not actually have to do anything to data fetched
from the database.  If magic quotes are not on you have to add slashes
before you add to the database.

There is also another function you need to pass stuff through if you are
going to use it in an input type=text or textarea, what is that
function?

Ben
-- 
Ben Edwards - Poole, UK, England
If you have a problem sending me email use this link
http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)





Re: [PHP] Magic Quotes

2005-02-10 Thread Ben Edwards (lists)
On Thu, 2005-02-10 at 13:28 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
>> Am I correct in thinking Magic Quotes automatically adds quotes to all
>> posted variables, therefore if you are displaying post variables on a
>> form you have to remove the quotes.  They are only needed if you are
>> actually inserting/updating into the database.  Whether magic quotes
>> are on or not you do not actually have to do anything to data fetched
>> from the database.  If magic quotes are not on you have to add slashes
>> before you add to the database.
>
> you get the gist of it. bear in mind _many_ people including actual php
> developers avoid magic_quotes like the plague cos it's a PITA.

Yes, it seems like they were invented by the Powers of Darkness ;).

I think I am going to put stuff in my common code that is run at the
beginning of every page to remove magic quotes from $_REQUEST, and run all
data being put into the database through addslashes first.

I can see it is only of any use to trivial pages where you are taking user
input and putting it straight into the database without validation or
re-displaying it.  Therefore it is useless.

Regards,
Ben


> basically your input to the DB should be properly escaped (there are special
> functions for this also, depending on your DB, I use a lot of firebird and it's
> capable of parameterized queries - making it impossible to do SQL injection if
> you use the parameterized markup).
>
> AND anything you output to the browser should be sanitized properly as well...
> go to phpsc.net and read everything there - it's a good/solid introduction to
> writing secure php code (e.g. how to combat XSS etc). phpsc.net is headed by
> Chris Shiflett - a veritable goldmine of php related knowledge do yourself a
> favor... read his stuff :-) any questions that arise from reading that are
> welcome here :-)
>
>> There is also another function you need to pass stuff through if you are
>> going to use it in an input type=text or textarea, what is that
>> function?
>
> htmlentities()
>
>> Ben


Re: [PHP] Magic Quotes

2005-02-10 Thread Ben Edwards (lists)
On Thu, 2005-02-10 at 13:45 +0100, Jochem Maas wrote:
> Ben Edwards (lists) wrote:
>> PS phpsc.net seems to be down, or is the domain wrong?
>
> er yes, oops. as Jeffery pointed out it should have been
> phpsec.org. had a brainfreeze sorry.

OK, trying to do a function to remove magic quotes from the post
variables.  Something like:-

  function remove_magic_quotes( $array ) {
      foreach( $array as $index => $value ) {
          if ( is_array( $array[$index] ) ) {
              remove_magic_quotes( $array[$index] );
          } else {
              if ( magic_quotes_runtime() ){
                  $array[$index] = stripslashes( $value );
              }
          }
      }
  }

But not quite there.  Any ideas?

Ben



[PHP] Magic Quotes Removal code - almost there

2005-02-10 Thread Ben Edwards (lists)
The following code is passed $_POST to clean magic quotes code out:-

  function remove_magic_quotes( $array ) {
      foreach( $array as $index => $value ) {
          if ( is_array( $array[$index] ) ) {
              remove_magic_quotes( $array[$index] );
          } else {
              if ( magic_quotes_runtime() ){
                  echo "removing slashes $value<br />";
                  $array[$index] = stripslashes( $value );
              }
          }
      }
  }

The cleaning works but magic_quotes_runtime is false even if magic quotes
are on, any ideas?

Ben
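An added example, not code from Ben or Jochem, that addresses both problems in the function above and applies Jochem's advice. magic_quotes_runtime governs data read from files and databases at runtime, so the GET/POST/COOKIE state has to be read with get_magic_quotes_gpc(); and since the array is passed by value, the cleaned copy has to be returned. Storage then goes through a parameterized query and redisplay through htmlspecialchars(); the posted data and the in-memory SQLite table are constructed for the demo.

```php
<?php
// Added example, not code from the thread. The posted data and the SQLite
// table are constructed for the demo.

// Recursively undo magic_quotes_gpc on GET/POST/COOKIE data. The array is
// passed by value, so the cleaned copy must be RETURNED; the thread's version
// mutated a local copy and discarded it. The caller should check
// get_magic_quotes_gpc(): magic_quotes_runtime() reports a different setting
// (escaping of data read from files/databases), hence the "always false".
function strip_magic_quotes(array $data) {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? strip_magic_quotes($value)
            : stripslashes($value);
    }
    return $data;
}

// What $_POST looks like with magic_quotes_gpc on (constructed sample).
$posted = array('name' => "O\\'Brien <b>", 'tags' => array("it\\'s", 'plain'));

// Real code would guard this with:
//   if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
// Here the sample is known to be escaped, so strip unconditionally.
$clean = strip_magic_quotes($posted);

// Storage: a parameterized query instead of addslashes(). The value never
// becomes part of the SQL text, so quoting is not the caller's problem.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)');
$stmt = $db->prepare('INSERT INTO members (name) VALUES (:name)');
$stmt->execute(array(':name' => $clean['name']));

// Redisplay: escape for the HTML attribute context. ENT_QUOTES also encodes
// the single quote so a value cannot break out of value='...'.
$row = $db->query('SELECT name FROM members')->fetch(PDO::FETCH_ASSOC);
$safe = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="name" value="' . $safe . '">', "\n";
```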


[PHP] Creating a varable with a name held in a string

2005-02-10 Thread Ben Edwards (lists)
I have the following code:-

  $sql = "select * from text where id='$id'";

  $row = fetch_row_row( $sql, $db );

  $img_loc     = $row['img_loc'];
  $text_type   = $row['text_type'];
  $seq         = $row['seq'];
  $rec_type    = $row['rec_type'];
  $section     = $row['section'];
  $code        = $row['code'];
  $repeat      = $row['repeat'];

  $description = $row['description'];
  $text        = $row['text'];


Was wondering if there was a clever way of doing this with foreach on
$row.  Something like

  foreach( $row as $index => $value ) {
      create_var( $index, $value );
  }

So the question is, is there a function like create_var which takes a
string and a value and creates a variable?

Ben
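The function being asked for exists as extract(). As an added example (not from the post), with $row constructed to stand in for the fetched record, this shows the flags to pass so that keys coming out of a database or a form cannot silently overwrite variables already in scope.

```php
<?php
// Added example, not code from the post. $row is a constructed stand-in for
// the fetched database row.
$row = array('img_loc' => 'a.png', 'text_type' => 'html', 'seq' => 3, 'id' => 42);

// extract() is the "create_var" being asked for: every key becomes a local
// variable. With the default EXTR_OVERWRITE a key named like an existing
// variable ($id, $db, $sql ...) silently replaces it, which is how
// extract($_POST)-style code ends up running with attacker-chosen variables.
$id = 7;
extract($row, EXTR_SKIP);         // EXTR_SKIP leaves the existing $id alone
var_dump($id);

// Safer still: a prefix guarantees no collision with anything already
// defined, and extract() only creates names that are valid identifiers.
extract($row, EXTR_PREFIX_ALL, 'r');
echo $r_img_loc, ' ', $r_text_type, ' ', $r_seq, "\n";

// Or avoid creating variables from data at all and name the fields wanted.
list($img_loc, $text_type) = array($row['img_loc'], $row['text_type']);
echo $img_loc, ' ', $text_type, "\n";
```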


[PHP] Problem using return from a class.

2005-02-08 Thread Ben Edwards (lists)
I am having a really odd problem.  I have a class and if I do a return
nothing is returned.  If I do an echo of the variable that is being
returned I can see it so there is something to return.  Is there some
strange bug in PHP?

Ben


RE: [PHP] Problem using return from a class.

2005-02-08 Thread Ben Edwards (lists)
On Tue, 2005-02-08 at 16:47 +, Chris Ramsay wrote:
> [snip]
> I am having a really odd problem.  I have a class and if I do a return
> nothing is returned.  If I do an echo of the variable that is being
> returned I can see it so there is something to return.  Is there some
> strange bug in PHP?
> [/snip]
> What is it you are doing - are you echoing the call i.e.
> echo $myclass->function();
> Or something else?
>
> Maybe you should post a bit of code to illustrate your problem ;)

I'm just doing:-

  return $radio_html;

as the last line of the method.

If I do

  echo $radio_html;

the contents of the variable get outputted.

I could post the method here but it's a bit long.

Ben


[PHP] Is there a function to see if a PHP function exists

2005-02-02 Thread Ben Edwards (lists)
I have been implementing a system on a different ISP than I normally use
and have got:-

  Fatal error: Call to undefined function: cal_days_in_month()
  in /home/hosted/www.menublackboard.com/public_html/dev/classes/validator.class.php
  on line 134

I found a reference to this on the web and it seems PHP is not compiled
with calendar support.

  recompile php with the --enable-calendar option.

Can't see being able to get them to re-compile PHP so I guess I am going
to have to disable the feature.  I seem to remember a while ago seeing a
function to test whether a function exists in PHP.  That way I can have
the relevant validation skipped if the function is missing (I will tell
the client if they get decent hosting it will start working).

So something like

  function_exists(  cal_days_in_month() )

Anyone know what the function is called?

Ben
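An added example (not the poster's code) of the check being asked for: function_exists() takes the function name as a string, not a call, and a fallback built on the always-available date functions keeps the validation running on hosts whose PHP was built without --enable-calendar. The days_in_month and valid_day names are this example's own.

```php
<?php
// Added example, not the poster's code. Feature-detect the calendar
// extension and fall back to date()/mktime(), which every PHP build has.
function days_in_month($month, $year) {
    // function_exists() wants the bare name as a string, with no parentheses.
    if (function_exists('cal_days_in_month')) {
        return cal_days_in_month(CAL_GREGORIAN, $month, $year);
    }
    // 't' = number of days in the month of the given timestamp; mktime()
    // builds a timestamp for the 1st of that month, so leap years are handled
    // by the date library rather than by hand-written rules.
    return (int) date('t', mktime(12, 0, 0, $month, 1, $year));
}

// Validation that degrades to the fallback instead of a fatal error.
function valid_day($day, $month, $year) {
    $day = (int) $day;
    return $day >= 1 && $day <= days_in_month((int) $month, (int) $year);
}

var_dump(valid_day(29, 2, 2004));   // leap year
var_dump(valid_day(29, 2, 2005));   // not a leap year
var_dump(valid_day(31, 4, 2005));   // April has 30 days
```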


[PHP] Loading all classes always

2005-01-22 Thread Ben Edwards (lists)
I have all my classes in a single directory.  I was thinking of
automatically loading them all at the beginning of every page.  The
logic being that the class definitions will get cached (I guess PHP uses
filesize/date/time) so the overhead would not be that great.  Also at
any given time they will all probably be needed by one of the visitors.

Ben 


[PHP] Problem with hidden form input values

2005-01-19 Thread Ben Edwards (lists)
I know this is not strictly speaking a PHP question but it is to do with
a PHP app.

I have a form with a number of hidden values in it.  After the post
print_r( $_POST ) shows all the values except these (this is copied from
'Show Source' in the browser).

  <input type="hidden" name="keyField[mb_memberships][0]" value="mb_e_id">
  <input type="hidden" name="keyValue[mb_memberships][0]" value="10">
  <input type="hidden" name="keyField[mb_memberships][1]" value="mb_id">
  <input type="hidden" name="keyValue[mb_memberships][1]" value="1">

Any idea why they won't post?

Ben


[PHP] Problem with foreatch()

2005-01-16 Thread Ben Edwards (lists)
I have the following code:

  foreatch( $_POST['mtype'] as $akey => $avalue ) {
    echo "$akey, $avalue<br>";
  }

When I run it I get:

  Parse error: parse error, unexpected T_AS
  in /var/www/mb/mb_estab_update.php on line 58

58 is the line with the foreatch on it.  However if I replace it with:

  print_r( $_POST['mtype'] );

I get:

  Array ( [1] => RESTAURANT [2] => BEVERAGEWINE [3] => MAIN )

so the array is populated, what am I doing wrong?

Regards,
Ben


[PHP] Finding position of New line in string

2004-02-25 Thread Ben Edwards (lists)
I am trying to find the position of the first occurrence of a new line in
a string that comes from a database.  I tried

  $pos = strpos( $list_text, "/n" );

But it never returns anything.  Any help would be much appreciated.

Ben
-- 
Ben EdwardsTel +44 (0)1179 553 551  ICQ 42000477 
Homepage - nothing of interest here   http://gurtlush.org.uk
Webhosting for the masses http://www.serverone.co.uk
criticalSite Builder CMS http://www.criticaldistribution.com
Get alt news/views films online   http://www.cultureshop.org
i-Contact Progressive Video  http://www.videonetwork.org
Fun with corporate graphicshttp://www.subvertise.org
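An added example (not the poster's code; the sample strings are constructed) covering the two things that go wrong with the strpos() call above: "/n" is a slash and a letter rather than a newline, and strpos() returns 0 for a match at the start of the string, which a plain truth test reads as "not found". The second helper also copes with "\r\n" line endings, which database text frequently carries.

```php
<?php
// Added example, not the poster's code; the sample strings are constructed.
// "/n" is a forward slash and a letter; only "\n" in DOUBLE quotes is a
// newline ('\n' in single quotes is also two literal characters).
function first_newline($text) {
    $pos = strpos($text, "\n");
    // strpos() returns false for "not found" but 0 for a match at the start,
    // and 0 == false in PHP: compare with === false, never "if ($pos)".
    return ($pos === false) ? null : $pos;
}

// Text pasted through a browser or stored by another system often ends
// lines with "\r\n"; this variant finds whichever line ending comes first
// and reports its byte offset in the original string.
function first_line_break($text) {
    if (preg_match('/\r?\n/', $text, $m, PREG_OFFSET_CAPTURE)) {
        return $m[0][1];
    }
    return null;
}

$list_text = "first item\r\nsecond item\nthird";
var_dump(first_newline($list_text));      // offset of the "\n" after the "\r"
var_dump(first_line_break($list_text));   // offset where the "\r\n" pair starts
var_dump(first_newline("\nleading"));     // a match at offset 0 is still a match
var_dump(first_newline("no breaks"));     // nothing found
```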


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php