Re: [PHP] Comparing strings (revisited)

2009-05-27 Thread Clancy
On Mon, 25 May 2009 02:11:24 -0400, pa...@quillandmouse.com (Paul M Foster) 
wrote:


This is why I originated a thread along these lines some time ago.  I
sympathize with your pain, being a C programmer as well. Apparently, PHP
plays fast and loose with types when doing == comparisons. And empty()
has a really wild way of determining if something is empty (an integer
0 is empty?). Which is why I originally asked if strcmp() was the
preferred method of comparison for the list members.

In any case, strcmp() does what you want and is the safest way to
compare strings, which is what PHP passes around a lot (data comes out
of databases as strings, comes back from forms as strings, etc.). And
since most of the syntax and library functions of PHP are based on C
paradigms, I'm guessing that the PHP strcmp() function is a thin veneer
over the actual C function.

Thanks, Paul. 

I have done some more experimenting, and have a better handle on what is going on now, so
I don't think I will fall into any unexpected holes (apart from by being careless!)

If you enter a value directly (eg. $a[0] = 000a; ) it tries to convert the input to a
number, and rejects any input it cannot convert (such as 000a). However if the value is
quoted it is stored internally as a string.

If the data is stored as elements of a string, and is exploded into an array no attempt is
made to interpret them, and they are stored as strings in their original form. They appear
to retain this form, but if they are compared with some other value the two values are
adjusted until they are of the same type, and then they are compared. The results often
seem absurd at first glance. For example 000A < 2 < 10, but A > "". I think the reason
for this is that if the values can be treated as numbers they are compared directly, but
otherwise the one with less characters is right padded with spaces, and then they are
compared as strings. Thus '000A' < '2   ', and 'A   ' > ''.

If the values are compared as strings (using strcmp or SORT_STRING) the results are
entirely logical if all the strings are of the same length. If the strings are of
different lengths the shorter one is again right padded (probably with spaces) and then
the two are compared.

These points are illustrated in the following test programs.

<?php
// Test one data:

$a[] = 2000;    $a[] = 20e2;    $a[] = 2.e3;    $a[] = 2.E3;
$a[] = 2.000e3; $a[] = 4000/2;  $a[] = 4.0e3/2.0;   $a[] = '20E2';
$a[] = "";      $a[] = '';      $a[] = '000A';  //  $a[] = 000A;  (parse error: not a number)

echo '<p>&nbsp;</p>Test 1. Values entered directly<p>&nbsp;</p>';
$i = 0; $n = count ($a);
while ($i < $n)
{
    echo '<p> $a['.$i.']: '.$a[$i].' = ';
    $j = 0; while ($j < $n)
    {
        // loose comparison: numeric strings are compared as numbers
        if (($i != $j) && ($a[$i] == $a[$j])) { echo $a[$j].', '; }
        ++$j;
    }
    ++$i; echo '</p>';
}

// Test two data:
$ss = '2000;20e2;2.e3;2.E3;2.000e3;4000/2;4.0e3/2.0;20E2;;000A;A000;2;0010;A;10;20;21';
$a = explode (';', $ss);   // every element is now a string in its original form

echo '<p>&nbsp;</p>Test 2. Values exploded into array<p>&nbsp;</p>';
$i = 0; $n = count ($a);
while ($i < $n)
{
    echo '<p> $a['.$i.']: '.$a[$i].' = ';
    $j = 0; while ($j < $n)
    {
        if (($i != $j) && ($a[$i] == $a[$j])) { echo $a[$j].', '; }
        ++$j;
    }
    ++$i; echo '</p>';
}

// Test 3.
$b = $a;
sort ($b, SORT_STRING);   // compare every element as a string
sort ($a);                // default flags: numeric strings are compared as numbers
echo '<p>&nbsp;</p><p>  Sort normal.</p>';
$i = 0; while ($i < $n)
{
    echo '<p>$a['.$i.'] = '.$a[$i].'</p>';
    ++$i;
}

echo '<p>&nbsp;</p><p>  Sort string.</p>';
$i = 0; while ($i < $n)
{
    echo '<p>$b['.$i.'] = '.$b[$i].'</p>';
    ++$i;
}
?>
Results:

Test 1. Values entered directly. All values are converted to the simplest form on input.

$a[0]: 2000 = 2000, 2000, 2000, 2000, 2000, 2000, 20E2, 
$a[1]: 2000 = 2000, 2000, 2000, 2000, 2000, 2000, 20E2, 
$a[2]: 2000 = 2000, 2000, 2000, 2000, 2000, 2000, 20E2, 
$a[3]: 2000 = 2000, 2000, 2000, 2000, 2000, 2000, 20E2, 
$a[4]: 2000 = 2000, 2000, 2000, 2000, 2000, 2000, 20E2, 
$a[5]: 2000 = 2000, 2000, 2000, 2000, 2000, 2000, 20E2, 
$a[6]: 2000 = 2000, 2000, 2000, 2000, 2000, 2000, 20E2, 
$a[7]: 20E2 = 2000, 2000, 2000, 2000, 2000, 2000, 2000, 
$a[8]:  = , 
$a[9]:  = , 
$a[10]: 000A = 
 
Test 2. Values exploded into array. Values are preserved as strings until compared.

$a[0]: 2000 = 20e2, 2.e3, 2.E3, 2.000e3, 20E2, 
$a[1]: 20e2 = 2000, 2.e3, 2.E3, 2.000e3, 20E2, 
$a[2]: 2.e3 = 2000, 20e2, 2.E3, 2.000e3, 20E2, 
$a[3]: 2.E3 = 2000, 20e2, 2.e3, 2.000e3, 20E2, 
$a[4]: 2.000e3 = 2000, 20e2, 
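Added example, not part of Clancy's post or his test programs: the ident lookup from the original question with the loose and the strict comparison side by side, run over constructed records in the thread's semicolon-delimited layout. It assumes PHP 7.1 or later; the function names are hypothetical.

```php
<?php
// Added example (not from the thread): why an ident lookup with == matches
// the wrong record, and the strict form that does not. Helper names are
// hypothetical; the records below are constructed in the thread's layout.

// Constructed sample: the third field is the base-36 identifier.
$lines = [
    'A;b;2000;Restaurant;090508',
    'A;b;20E2;Cafe;090508',
    'A;b;20GM;Restaurant;090508',
];

// explode() already returns strings, so no settype() pass is required;
// the trouble only starts when two numeric-looking strings meet ==.
$data = [];
foreach ($lines as $line) {
    $fields = explode(';', $line);
    $data[] = ['group' => ['ident' => $fields[2], 'name' => $fields[3]]];
}

// Loose lookup: '20E2' == '2000' is true because both are numeric strings
// and PHP compares them as numbers (20 * 10^2 == 2000). A (string) cast on
// either side changes nothing, since they are already strings.
function findLoose(array $data, string $ident): ?int
{
    foreach ($data as $i => $entry) {
        if ($ident == $entry['group']['ident']) {
            return $i;
        }
    }
    return null;
}

// Strict lookup: === requires the same type and the same bytes, so the
// identifier only matches itself. strcmp($a, $b) === 0 behaves the same way.
function findStrict(array $data, string $ident): ?int
{
    foreach ($data as $i => $entry) {
        if ($ident === $entry['group']['ident']) {
            return $i;
        }
    }
    return null;
}

// The pairs from Test 2 above: the first two compare equal under ==,
// the last two do not; === and strcmp() treat all four as different.
$pairs = [['20E2', '2000'], ['2.e3', '2000'], ['000A', '0'], ['A', '']];
foreach ($pairs as [$x, $y]) {
    printf("'%s' == '%s': %-5s  '%s' === '%s': %-5s  strcmp: %d\n",
        $x, $y, var_export($x == $y, true),
        $x, $y, var_export($x === $y, true),
        strcmp($x, $y));
}

// Looking up the second record by its identifier '20E2'.
echo 'loose lookup:  index ', var_export(findLoose($data, '20E2'), true), "\n";  // 0: the '2000' record
echo 'strict lookup: index ', var_export(findStrict($data, '20E2'), true), "\n"; // 1: the right one
```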

Re: [PHP] Comparing strings (revisited)

2009-05-25 Thread Paul M Foster
On Mon, May 25, 2009 at 12:46:16PM +1000, Clancy wrote:

 For some time I have been working on a text based database, in which each
 entry contains one or more lines of data, with the various fields delimited
 by semicolons, e.g.
 
 A;b;20GM;Restaurant;090508
 n;;;Arintji;;
 a;Federation Square;;;
 p;9663 9900;;;9663 9901;;i...@arintji.com.au;
 
 All was going well but recently I decided to allocate every entry a unique
 identifier, and, in what with hindsight was clearly misguided enthusiasm,
 decided that each identifier should be a four digit base 36 number (the
 20GM in the first line). This did not cause any problems until yesterday,
 when I tried to load a name beginning with 'R', and got the first name on
 the list. When I investigated I found that I was searching the array
 containing the data using:
 
   if ($ident == $data[$i]['group']['ident'])  { ..
 
 I then found that I was searching for 20E2, but was getting a match on
 2000. I tried
 
   'if ((string) $ident == (string) $data[$i]['group']['ident'])',
 
 but this still matched. However
 
   'if($ident === '
 
 worked, as did
 
   'if (!strcmp($ident, $data[$i])) {...'.
 
 After puzzling about this for a long time, I realised that the comparison
 process must have been treating the second value as a floating point
 number, and converting it to integer, or vice versa.  (In floating point
 notation 20E2 = 20*10^2 = 2000). I had thought that the (string) override
 meant to treat the actual value as a string, but in this case it must be
 converting the (assumed) actual value to a string, and then comparing the
 results.
 
 This surprised me considerably as it is clear from the results I achieve
 in other circumstances that the data is actually stored as a raw string.
 
 $data is a variable format array, and when the original data is read each
 line is exploded into a term of the data array: $data[][] =
 explode(';',$line[$i]);. If I print the value of the ident (or any other
 field) it is always shown as the original string, and when I save an
 updated version of the data, each term of the data array is imploded into
 a line of the data file in its original format. However if this value were
 actually converted to a floating point number when it was entered I would
 have to specify a format before I could write it out again, and as 20E2 is
 a rather non-standard format it is most unlikely that it would come out as
 this unaided.
 
 Is there any way to specify that each field is always to be treated as a
 string when I originally explode the input file into the data array? For
 someone brought up on rigidly defined data types dynamic typing can be very
 confusing!

This is why I originated a thread along these lines some time ago.  I
sympathize with your pain, being a C programmer as well. Apparently, PHP
plays fast and loose with types when doing == comparisons. And empty()
has a really wild way of determining if something is empty (an integer
0 is empty?). Which is why I originally asked if strcmp() was the
preferred method of comparison for the list members.

In any case, strcmp() does what you want and is the safest way to
compare strings, which is what PHP passes around a lot (data comes out
of databases as strings, comes back from forms as strings, etc.). And
since most of the syntax and library functions of PHP are based on C
paradigms, I'm guessing that the PHP strcmp() function is a thin veneer
over the actual C function.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Comparing strings (revisited)

2009-05-24 Thread Eddie Drapkin
With the initial explode, I may be wrong but I don't think it's possible to
force every entry to be string-typed.  However, this little snippet could
help:
$foo = explode(';', $db);
foreach ($foo as &$bar) {      // iterate by reference so the cast sticks
    settype($bar, 'string');   // settype() works in place and returns bool
}
unset($bar);                   // break the reference left behind by the loop

which will set each element's type to string, but is hardly a fast or
elegant solution, but a solution it is nonetheless.  Alternatively, every
time you reference a field that ought to be an element but isn't, you can
use strval($element), but that's even uglier!

On an aside, coming from strict typing to loose typing is certainly an
enormous transition, you grow to learn these little things and work around
them.  The benefits and ease of the loose typing, at least to me, seem to
outweigh the overhead handling fringe type cases like these.  For a
performance nut like myself, though, it certainly drives me insane!

On Sun, May 24, 2009 at 10:46 PM, Clancy clanc...@cybec.com.au wrote:

 For some time I have been working on a text based database, in which each
 entry contains one or more lines of data, with the various fields delimited
 by semicolons, e.g.

 A;b;20GM;Restaurant;090508
 n;;;Arintji;;
 a;Federation Square;;;
 p;9663 9900;;;9663 9901;;i...@arintji.com.au;

 All was going well but recently I decided to allocate every entry a unique
 identifier, and, in what with hindsight was clearly misguided enthusiasm,
 decided that each identifier should be a four digit base 36 number (the
 20GM in the first line). This did not cause any problems until yesterday,
 when I tried to load a name beginning with 'R', and got the first name on
 the list. When I investigated I found that I was searching the array
 containing the data using:

   if ($ident == $data[$i]['group']['ident'])  { ..

 I then found that I was searching for 20E2, but was getting a match on
 2000. I tried

   'if ((string) $ident == (string) $data[$i]['group']['ident'])',

 but this still matched. However

   'if($ident === '

 worked, as did

   'if (!strcmp($ident, $data[$i])) {...'.

 After puzzling about this for a long time, I realised that the comparison
 process must have been treating the second value as a floating point
 number, and converting it to integer, or vice versa.  (In floating point
 notation 20E2 = 20*10^2 = 2000).  I had thought that the (string) override
 meant to treat the actual value as a string, but in this case it must be
 converting the (assumed) actual value to a string, and then comparing the
 results.

 This surprised me considerably as it is clear from the results I achieve
 in other circumstances that the data is actually stored as a raw string.

 $data is a variable format array, and when the original data is read each
 line is exploded into a term of the data array: $data[][] =
 explode(';',$line[$i]);.  If I print the value of the ident (or any other
 field) it is always shown as the original string, and when I save an
 updated version of the data, each term of the data array is imploded into
 a line of the data file in its original format. However if this value were
 actually converted to a floating point number when it was entered I would
 have to specify a format before I could write it out again, and as 20E2 is
 a rather non-standard format it is most unlikely that it would come out as
 this unaided.

 Is there any way to specify that each field is always to be treated as a
 string when I originally explode the input file into the data array?  For
 someone brought up on rigidly defined data types dynamic typing can be very
 confusing!





Re: [PHP] Comparing strings... need advice. :)

2006-08-29 Thread Ivo F.A.C. Fokkema
On Mon, 28 Aug 2006 19:39:49 -0400, Robert Cummings wrote:
 On Mon, 2006-08-28 at 16:50 +0200, Ivo F.A.C. Fokkema wrote:
 On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote:
  Micky Hulse wrote:
  I am looking for the most secure/efficient way to compare these two
  strings:
  
  /folder1/folder2/folder3/folder4/
  /folder1/folder2/folder3/folder4/file.php
  
  Basically I am trying to setup as many security features as possible for
  a simplistic (home-grown/hand-coded) CMS...
  
  This appears to work:
  
  $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
  $needle = '/folder1/folder2/folder3/folder4/';
  if(substr_count($haystack, $needle) === 1) echo "yea";
  
  Before making changes to someFileName.php I want to make sure it is
  within the allowed path ($needle).
  
  First of all make sure you are sending both strings through realpath
  (http://php.net/realpath) to remove any symbolic links and relative
  references. Then you can compare the two strings. The way you're doing
  it will work but it's probably not very efficient. This is what I use...
  
  $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
  
 
 Personally, this seems simpler to me:
 
 $valid = (dirname($haystack) == $needle);
 
 But the way the above folders are presented, it should become
 
 $valid = (dirname($haystack) == rtrim($needle, '/'));
 
 less simple already... Possibly, this is not the best solution for some
 reason I don't know. If so, I would like to know :)
 
 The above technique doesn't allow for sub-directories. It only allows
 for files within the needle directory.

Ah, thanks. Misunderstood the question, then. Thought just checking if
it's a file in that directory was what's needed.




Re: [PHP] Comparing strings... need advice. :)

2006-08-29 Thread Micky Hulse

Ivo F.A.C. Fokkema wrote:

Ah, thanks. Misunderstood the question, then. Thought just checking if
it's a file in that directory was what's needed.


You were right. :)

I did not plan on looking-in anything other than one or two hard-coded 
folder locations. But, it is good to know the details. ;)


Thanks again for the help...

Time for me to hit the hay. I have been geeking-out for way too long today.

Cheers,
Micky




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Stut
Micky Hulse wrote:
 I am looking for the most secure/efficient way to compare these two
 strings:
 
 /folder1/folder2/folder3/folder4/
 /folder1/folder2/folder3/folder4/file.php
 
 Basically I am trying to setup as many security features as possible for
 a simplistic (home-grown/hand-coded) CMS...
 
 This appears to work:
 
 $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
 $needle = '/folder1/folder2/folder3/folder4/';
 if(substr_count($haystack, $needle) === 1) echo "yea";
 
 Before making changes to someFileName.php I want to make sure it is
 within the allowed path ($needle).

First of all make sure you are sending both strings through realpath
(http://php.net/realpath) to remove any symbolic links and relative
references. Then you can compare the two strings. The way you're doing
it will work but it's probably not very efficient. This is what I use...

$valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

-Stut




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Micky Hulse

Stut wrote:

First of all make sure you are sending both strings through realpath
(http://php.net/realpath) to remove any symbolic links and relative
references. Then you can compare the two strings. The way you're doing
it will work but it's probably not very efficient. This is what I use...

$valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);


Awesome! Thanks for the info. Reading-up on realpath right now. I 
appreciate the tips/example code.  :)


Have a great day/night.

Cheers,
Micky




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread David Tulloh
Micky Hulse wrote:
 Hi,
 
 I am looking for the most secure/efficient way to compare these two
 strings:
 
 /folder1/folder2/folder3/folder4/
 /folder1/folder2/folder3/folder4/file.php
 
 Basically I am trying to setup as many security features as possible for
 a simplistic (home-grown/hand-coded) CMS...
 
 This appears to work:
 
 $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
 $needle = '/folder1/folder2/folder3/folder4/';
 if(substr_count($haystack, $needle) === 1) echo "yea";
 
 Before making changes to someFileName.php I want to make sure it is
 within the allowed path ($needle).
 
 I would appreciate any advice. Even RTFM is cool.  :D
 

Using your technique I would try an attack like:
'/etc/passwd;/folder1/folder2/folder3/folder4/' or
'/folder1/folder2/folder3/folder4/../../../../etc/passwd'
or some other variant depending on how you then use the file.


I'm a big fan of lists of allowed files, typically I use aliases too.
$allow_files = array('page' = '/folder/.../filename.php').
This list can be automatically generated and used by mod_rewrite to
boost speed.
By using a fixed list of files like this it's impossible to be attacked
on your filename.


Assuming you don't want to go that strong and want to allow your users
to set the filename you have to try and lock down the path.  By not
allowing them to change the path you can hold them in the directory you set.
Check for any / characters and reject or strip them out.
Use '/folder1/folder2/.../'.$file.
It's vital if you do this that you don't allow any way to upload files
in to the directory you execute from.

If you want to allow them to set the path or part of the path then the
check gets far more complicated.  You have to catch .. and // patterns,
ensuring that you don't combine to form a // and catch cases like
'.\./'.  If you need to have multiple directories I would strongly
suggest using dynamically generated fixed lists.


David




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Ivo F.A.C. Fokkema
On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote:

 Micky Hulse wrote:
 I am looking for the most secure/efficient way to compare these two
 strings:
 
 /folder1/folder2/folder3/folder4/
 /folder1/folder2/folder3/folder4/file.php
 
 Basically I am trying to setup as many security features as possible for
 a simplistic (home-grown/hand-coded) CMS...
 
 This appears to work:
 
 $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
 $needle = '/folder1/folder2/folder3/folder4/';
 if(substr_count($haystack, $needle) === 1) echo "yea";
 
 Before making changes to someFileName.php I want to make sure it is
 within the allowed path ($needle).
 
 First of all make sure you are sending both strings through realpath
 (http://php.net/realpath) to remove any symbolic links and relative
 references. Then you can compare the two strings. The way you're doing
 it will work but it's probably not very efficient. This is what I use...
 
 $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
 

Personally, this seems simpler to me:

$valid = (dirname($haystack) == $needle);

But the way the above folders are presented, it should become

$valid = (dirname($haystack) == rtrim($needle, '/'));

less simple already... Possibly, this is not the best solution for some
reason I don't know. If so, I would like to know :)

Ivo




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Robert Cummings
On Mon, 2006-08-28 at 09:47 +0100, Stut wrote:
 Micky Hulse wrote:
  I am looking for the most secure/efficient way to compare these two
  strings:
  
  /folder1/folder2/folder3/folder4/
  /folder1/folder2/folder3/folder4/file.php
  
  Basically I am trying to setup as many security features as possible for
  a simplistic (home-grown/hand-coded) CMS...
  
  This appears to work:
  
  $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
  $needle = '/folder1/folder2/folder3/folder4/';
  if(substr_count($haystack, $needle) === 1) echo "yea";
  
  Before making changes to someFileName.php I want to make sure it is
  within the allowed path ($needle).
 
 First of all make sure you are sending both strings through realpath
 (http://php.net/realpath) to remove any symbolic links and relative
 references. Then you can compare the two strings. The way you're doing
 it will work but it's probably not very efficient. This is what I use...
 
 $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);

<?php

function isAllowedPath( $needle, $haystack )
{
    $needle   = realpath( $needle );
    $haystack = realpath( $haystack );

    // realpath() returns false for a path that does not exist; bail out
    // rather than let a false needle become '/' below and match everything.
    if ( $needle === false || $haystack === false )
    {
        return false;
    }

    // Trailing slash so '/folder1/folder' cannot match '/folder1/folder4'.
    $needle .= '/';

    return (strpos( $haystack, $needle ) === 0);
}

?>

It is VERY important that you append the trailing slash onto the needle
path returned by realpath otherwise it will match more than you expect.
Stut didn't point that out so I thought I'd make sure you caught it.
Also I'm not sure why Stut used 3 function calls when one suffices :)

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'
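Added example, not code from any post in this thread: one path check that folds together Stut's realpath() advice, Rob's trailing slash, David's rule that the user supplies a bare filename rather than a path, and the extension allow-list Micky mentions further down the page. It assumes PHP 7.1 or later on a POSIX filesystem (it builds a throwaway directory with a symlink under the system temp dir); the function names are hypothetical.

```php
<?php
// Added example (not from the thread): a guarded "is this file inside the
// editable directory" check. Function names are hypothetical; the files it
// creates under the temp dir are constructed for the demonstration only.

// Accept only a bare filename: no separators, no NUL bytes, no dot-files,
// and an extension from the allow-list. Taking the path away from the user
// disposes of the '../' and '/etc/passwd' style inputs before any path work.
function isSafeFilename(string $name, array $allowedExt): bool
{
    if ($name === '' || $name === '.' || $name === '..' || $name[0] === '.') {
        return false;
    }
    foreach (['/', '\\', "\0"] as $forbidden) {
        if (strpos($name, $forbidden) !== false) {
            return false;
        }
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true);
}

// Canonicalise both sides and require the file to sit below $baseDir.
// Returns the canonical path, or null when any check fails.
function resolveEditableFile(string $baseDir, string $name, array $allowedExt): ?string
{
    if (!isSafeFilename($name, $allowedExt)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for a missing path. Without this guard a
    // false base would turn into "/" below and match every absolute path.
    if ($base === false || $full === false) {
        return null;
    }
    // Trailing separator: "/srv/cms/edit" must not match "/srv/cms/editor".
    $base .= DIRECTORY_SEPARATOR;
    if (strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo tree: an editable directory holding a legitimate page
// and a symlink that points outside it, plus a file that must stay private.
$root     = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms_demo_' . getmypid();
$editable = $root . DIRECTORY_SEPARATOR . 'editable';
mkdir($editable, 0700, true);
file_put_contents($editable . '/page.html', '<p>hello</p>');
file_put_contents($root . '/secret.txt', 'not for editing');
symlink($root . '/secret.txt', $editable . '/link.txt');

$allowed = ['txt', 'html', 'htm'];
$cases = [
    'page.html',        // accepted
    '../secret.txt',    // rejected by the separator check
    'link.txt',         // rejected: realpath() follows the symlink out of the base
    'page.php',         // rejected: extension not on the allow-list
    "page.html\0.txt",  // rejected: NUL byte
];
foreach ($cases as $case) {
    $result = resolveEditableFile($editable, $case, $allowed);
    printf("%-18s => %s\n", addcslashes($case, "\0"), $result ?? 'REJECTED');
}

// Remove the demo tree again.
foreach ([$editable . '/link.txt', $editable . '/page.html', $root . '/secret.txt'] as $f) {
    unlink($f);
}
rmdir($editable);
rmdir($root);
```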




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Micky Hulse

Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)

I really appreciate all of the top-notch advice and expert information. :D

Looks like I have a lot to think about...

Currently, I hard-code the paths to the folders that house the files I 
want my CMS to edit (via a config file.) The script then iterates 
through the directory and adds all files of a specific type to a 
dropdown menu. The user can then choose one of the files to edit and 
load that file into a textarea... After changes are made, the 
content/code gets saved back to the same file/location.


I do have an uploads folder, but it is in a different location on the 
server. I do not allow the user to create new files (I would have to do 
that manually)... it is a /very/ basic CMS.


Anyway, looks like I have some great info to work with. Thanks again 
everyone for sharing your expertise.


Much appreciated all. Have an excellent day.
Cheers,
Micky




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Robert Cummings
On Mon, 2006-08-28 at 16:50 +0200, Ivo F.A.C. Fokkema wrote:
 On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote:
 
  Micky Hulse wrote:
  I am looking for the most secure/efficient way to compare these two
  strings:
  
  /folder1/folder2/folder3/folder4/
  /folder1/folder2/folder3/folder4/file.php
  
  Basically I am trying to setup as many security features as possible for
  a simplistic (home-grown/hand-coded) CMS...
  
  This appears to work:
  
  $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
  $needle = '/folder1/folder2/folder3/folder4/';
   if(substr_count($haystack, $needle) === 1) echo "yea";
  
  Before making changes to someFileName.php I want to make sure it is
  within the allowed path ($needle).
  
  First of all make sure you are sending both strings through realpath
  (http://php.net/realpath) to remove any symbolic links and relative
  references. Then you can compare the two strings. The way you're doing
  it will work but it's probably not very efficient. This is what I use...
  
  $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
  
 
 Personally, this seems simpler to me:
 
 $valid = (dirname($haystack) == $needle);
 
 But the way the above folders are presented, it should become
 
 $valid = (dirname($haystack) == rtrim($needle, '/'));
 
 less simple already... Possibly, this is not the best solution for some
 reason I don't know. If so, I would like to know :)

The above technique doesn't allow for sub-directories. It only allows
for files within the needle directory.

Cheers,
Rob.



Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Robert Cummings
On Mon, 2006-08-28 at 16:28 -0700, Micky Hulse wrote:
 Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)
 
 I really appreciate all of the top-notch advice and expert information. :D
 
 Looks like I have a lot to think about...
 
 Currently, I hard-code the paths to the folders that house the files I 
 want my CMS to edit (via a config file.) The script then iterates 
 through the directory and adds all files of a specific type to a 
 dropdown menu. The user can then choose one of the files to edit and 
 load that file into a textarea... After changes are made, the 
 content/code gets saved back to the same file/location.
 
 I do have an uploads folder, but it is in a different location on the 
 server. I do not allow the user to create new files (I would have to do 
 that manually)... it is a /very/ basic CMS.
 
 Anyway, looks like I have some great info to work with. Thanks again 
 everyone for sharing your expertise.

How are these saved files then imported into the content? Are they
included or do you retrieve the contents using something like file(),
file_get_contents(), or fread() and then echo it? If you are using
include or require on a file whose contents are based on web input
content then you are opening up a can of security worms since anyone
with access to the CMS could embed PHP code in the content and do
anything for which the webserver has permissions.

Cheers,
Rob.



Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Micky Hulse

Hi Robert,

Robert Cummings wrote:

How are these saved files then imported into the content? Are they
included or do you retrieve the contents using something like file(),
file_get_contents(), or fread() and then echo it? If you are using


Currently I am using readfile() (plus some other security checking) to 
display the contents of the edited files. I setup my script to only 
allow specific file types (txt, html, htm).



include or require on a file whose contents are based on web input
content then you are opening up a can of security worms since anyone
with access to the CMS could embed PHP code in the content and do
anything for which the webserver has permissions.


Thanks for pointing that out. Now that you mention it, I should probably 
re-work my code to use a different method of page inclusion. I am pretty 
concerned about security breaches... what are your thoughts on 
readfile()? Would you suggest I use file(), file_get_contents(), or 
fread() instead?


Thanks for the help Robert, I really appreciate your time.  :)

Cheers,
Micky




Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Robert Cummings
On Mon, 2006-08-28 at 17:07 -0700, Micky Hulse wrote:
 Hi Robert,
 
 Robert Cummings wrote:
  How are these saved files then imported into the content? Are they
  included or do you retrieve the contents using something like file(),
  file_get_contents(), or fread() and then echo it? If you are using
 
 Currently I am using readfile() (plus some other security checking) to 
 display the contents of the edited files. I setup my script to only 
 allow specific file types (txt, html, htm).
 
  include or require on a file whose contents are based on web input
  content then you are opening up a can of security worms since anyone
  with access to the CMS could embed PHP code in the content and do
  anything for which the webserver has permissions.
 
 Thanks for pointing that out. Now that you mention it, I should probably 
 re-work my code to use a different method of page inclusion. I am pretty 
 concerned about security breaches... what are your thoughts on 
 readfile()? Would you suggest I use file(), file_get_contents(), or 
 fread() instead?

Readfile works great, it's the same as file_get_contents() and then
issuing an echo. You may want to also store content generated by web
users outside of the web tree. There may not be any issue with how you
have things now, but imagine down the road someone using your system
enables PHP processing on .html files and then someone created content
with PHP tags and accesses it directly from their browser... boom, same
security hole.

 Thanks for the help Robert, I really appreciate your time.  :)

No problem :)

Cheers,
Rob.



Re: [PHP] Comparing strings... need advice. :)

2006-08-28 Thread Micky Hulse

Robert Cummings wrote:

Readfile works great, it's the same as file_get_contents() and then


Ah, good to hear.  :D


issuing an echo. You may want to also store content generated by web
users outside of the web tree. There may not be any issue with how you
[...]
with PHP tags and accesses it directly from their browser... boom, same
security hole.


Ah! Yes, good idea.  :)

I think I will work this in to my script/system. Like I said, I am very 
concerned about security. I would have used a pre-built CMS like 
Textpattern or Wordpress, but the server I am on does not have database 
support.  :(


Anyway, many thanks for the tips Rob and all! You guys/gals rock!

Cheers,
Micky




RE: [PHP] comparing strings does not work

2002-06-11 Thread Jonathan Rosenberg

strcmp returns 0 if the two strings are equal.

In any case, why not just do

if ($city == $city_new) $error = true;

 -Original Message-
 From: andy [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 11, 2002 9:10 AM
 To: [EMAIL PROTECTED]
 Subject: [PHP] comparing strings does not work 
 
 
 Hi there,
 
 I would like to compare 2 strings.
 
 I do always get a 0 return (not equal) but they are 
 definitely equal,  I
 double checked it. They are just in two different vars.
 
 Here is how I did it:
 
  if (strcmp($city, $city_new) != 0) $error = true;
 
 Does anybody see the error? Or am I going the wrong way?
 
 Andy
 
 
 
 
 





Re: [PHP] Comparing strings

2001-11-01 Thread Michael Egan

I feel fairly new to this as well but I think that, whilst your logic is
right, the syntax may be a little off.

if ($action == "textstring")
{
    echo "true";
}
else
{
    echo "false";
}

Above should show how the syntax will work.

Good luck

Michael

phantom wrote:
 
 Bear with me, new to PHP and got a beginner's questions
 
 How do I run an if statement and the if statement compares a String?
 
 In ASP (yes I know, ASP is evil) I would have written
 
 if (String(Request("Action"))=="Submit")
   do this
 
 In PHP I have tried
 
 if ($Action == "Submit")  but I get a parse error in that statement.
 What am I doing wrong?  Thank you.  I did an echo $Action to confirm
 that it's value is Submit.
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]