Page 2 of 3 (results 26 to 50 of 59)
  1. #26
    Mittineague (Programming Team)
    It's expecting parentheses i.e.
    PHP Code:
        if ( isset($_POST[$postName]) ) { 

  2. #27
    Non-Member (Keene, NH)
    Line 4 is my bad. Where it says
    if isset($_POST[$postName]) {

    should say
    if (isset($_POST[$postName])) {

    PHP's a real prig about that, and I've been updating some old Paradox code where the extra () aren't necessary. (sad when I'm still providing support for software I wrote almost twenty years ago) In php, ALL binary comparisons even when resolved need to be wrapped for 'if' -- really stupid the language isn't smart enough to work without the extra wrapping parenthesis.

    Really funny, because I pointed out you did that in your original -- then I go and do it myself.

    PHP 5.2 is old at this point (2006)... even with .17 being a security patch from January this year, I'd SERIOUSLY be asking the provider to get you up to 5.3.6, the latest recommended version... since 5.2 is officially no longer supported, with 5.2.17 being the last official update.

    PDO isn't really all that much different from the normal mysql_ functions. The most fundamental difference is prepared queries -- if you can use double-quote strings or the printf function, you shouldn't get too lost on how to use those.

  3. #28
    SitePoint Evangelist (South Carolina)
    I have it working now and will start adding additional requirements, including checking for a valid email address.
    Each day is a learning experience.

  4. #29
    Non-Member (Keene, NH)
    Quote Originally Posted by CSU-Bill View Post
    including checking for a valid email address.
    Try this on for size:

    Code:
    function isValidEmail($address) {
    	if (filter_var($address,FILTER_VALIDATE_EMAIL)==FALSE) {
    		return false;
    	}
    	/* explode out local and domain */
    	list($local,$domain)=explode('@',$address);
    
    	$localLength=strlen($local);
    	$domainLength=strlen($domain);
    
    	return (
    		/* check for proper lengths */
    		($localLength>0 && $localLength<65) &&
    		($domainLength>3 && $domainLength<256) &&
    		(
    			checkdnsrr($domain,'MX') ||
    			checkdnsrr($domain,'A')
    		)
    	);
    }
    Something a group of us working together on another forum came up with. It checks for valid characters, then valid lengths, and then finally that it's pointed at a valid domain.

  5. #30
    SitePoint Member (Bath)
    Very useful:

    @ is the error suppression character, you can avoid Warnings displaying on specific function calls by prepending the call with @

    For example:

    @mysql_num_rows(mysql_query("..."));

    Bear in mind this hides any error from that function, so only use it on num_rows (where a warning is expected if there are no results to the query) or other locations where the same applies, not all over the place, or you'll end up with pages showing no error and no idea what is wrong!

  6. #31
    SitePoint Evangelist (South Carolina)
    deathshadow60,

    Thanks. I will put that in the code.

    Are there other places the sanitizeFromPost function can be used?
    Would it be a good idea to have it sanitize the userid during login?

    Should I validate an email in a forgot password/userid form?
    Each day is a learning experience.

  7. #32
    Non-Member (Keene, NH)
    Quote Originally Posted by CSU-Bill View Post
    Are there other places the sanitizeFromPost function can be used?
    Would it be a good idea to have it sanitize the userid during login?
    If you are using a non-prepared query, where basically you are running anything from the user side ($_POST) into your query directly building it as a string, you should sanitize the values so as to prevent script injections.

    If you switch to mysqli or PDO, and use prepared queries, it sanitizes for you and you can forget that function.

  8. #33
    SitePoint Evangelist (South Carolina)
    I have started looking at PDO. Now I get to see how much new information this old brain can absorb.
    Each day is a learning experience.

  9. #34
    SitePoint Evangelist (South Carolina)
    Would it make sense to run everything through sanitizeFromPost first, then isValidEmail, followed by any other checks such as strlen?
    Each day is a learning experience.

  10. #35
    SitePoint Evangelist (South Carolina)
    I thought I had it working, but if I put in a bad user name (<5 characters) I get a blank page, and the $msg does not display.
    PHP Code:
    <?php
    // file name is test_form_ck_r01.php
    ini_set('display_errors',1);
    error_reporting(E_ALL);

    function sanitizeFromPost($postName){
        if (isset($_POST[$postName])) {
            $str=(
                get_magic_quotes_gpc() ?
                stripslashes($_POST[$postName]) :
                $_POST[$postName]
            );
            return (
                function_exists('mysql_real_escape_string') ?
                mysql_real_escape_string($str) :
                addslashes($str)
            );
        } else return '';
    }

    function isValidEmail($address) {
        if (filter_var($address,FILTER_VALIDATE_EMAIL)==FALSE) {
            return false;
        }
        /* explode out local and domain */
        list($local,$domain)=explode('@',$address);

        $localLength=strlen($local);
        $domainLength=strlen($domain);

        return (
            /* check for proper lengths */
            ($localLength>0 && $localLength<65) &&
            ($domainLength>3 && $domainLength<256) &&
            (
                checkdnsrr($domain,'MX') ||
                checkdnsrr($domain,'A')
            )
        );
    }

    include "include/db_login.php";// database connection details stored here
    // Collect the data from post method of form submission //

    echo '
    <!doctype html>
    <html><head>

    <meta charset="UTF-8">

    <title>TEST Signup FORM</title>

    </head><body>';

    if (
        isset($_POST['todo']) &&
        ($_POST['todo']=="post")
    ) {
        $msg='';    // set the error message to empty

        $userid=sanitizeFromPost('userid');
        if (strlen($userid)<5) {
            $msg.='User ID should be 5 or more than 5 char length<br>';
        }
        if (mysql_num_rows(mysql_query("SELECT user_id FROM member_tbl WHERE user_id = '$userid'"))) {
            $msg.'Userid already assigned. Please select another userid.<br>';
        }
        if (empty($msg)) {

            $password=sanitizeFromPost('password');
            $password2=sanitizeFromPost('password2');
            if (strlen($password)<8) {
                $msg.='Password should be 8 or more than 8 char length<br>';
            }
            if ( $password <> $password2 ){
                $msg."Both passwords do not match.<br>";
            }
        }
        if (empty($msg)) {

            $email=sanitizeFromPost('email');
            if (!isValidEmail($email)) {
                $msg."You must use a valid email address.<br>";
            }
        }
        if (empty($msg)) {

            $name_last=sanitizeFromPost('name_last');
            $name_first=sanitizeFromPost('name_first');
            $query=mysql_query("
                INSERT INTO member_tbl
                (user_id,password,email,name_last,name_first)
                VALUES
                ('$userid','$password','$email','$name_last','$name_first')
            ");
            echo 'You have successfully submitted new member information<br><br>
            <p>Add another member? <input type="button" value="yes" onClick="history.go(-1)"></p>';
        }

    } else {
        echo $msg.'<br><input type="button" value="Retry" onClick="history.go(-1)">';
    }

    echo '
    </body></html>';

    ?>
    At least, I have it running without errors.
    Each day is a learning experience.

  11. #36
    StarLion (Keeper of the SFL)
    Spaces wouldn't hurt.

    $msg.'Userid already assigned. Please select another userid.<br>';

    This line is invalid. It would probably be more noticeable if there were spaces in there ;P

  12. #37
    SitePoint Evangelist (South Carolina)
    StarLion,

    Thanks for pointing out that error. It now works for the user name.

    What do you mean by more spaces? Do you mean blank lines or spaces in the lines?

    I found other spots where I made the same mistake. I will fix that and test it again.
    Each day is a learning experience.

  13. #38
    StarLion (Keeper of the SFL)
    Which looks more readable - and would have made the error easier to spot?
    PHP Code:
        if (strlen($userid)<5) {
            $msg.='User ID should be 5 or more than 5 char length<br>';
        }
        if (mysql_num_rows(mysql_query("SELECT user_id FROM member_tbl WHERE user_id = '$userid'"))) {
            $msg.'Userid already assigned. Please select another userid.<br>';
        }
    PHP Code:
        if ( strlen($userid) < 5 ) {
            $msg .= 'User ID should be 5 or more than 5 char length<br>';
        }
        if (mysql_num_rows(mysql_query("SELECT user_id FROM member_tbl WHERE user_id = '$userid'"))) {
            $msg . 'Userid already assigned. Please select another userid.<br>';
        }

  14. #39
    SitePoint Evangelist (South Carolina)
    StarLion,

    Got it. I have modified my code to add the spaces.

    If you have any other hints for best practices, I would appreciate it.
    Each day is a learning experience.

  15. #40
    StarLion (Keeper of the SFL)
    Be careful using that sanitize function if you ever end up using something other than mysql - it will break if you don't have a mysql connection instantiated.

  16. #41
    SitePoint Evangelist (South Carolina)
    Thanks. At this time, PHP and MySQL is about all I have thought about. Once I get a couple of projects completed, I will take a closer look at PDO.
    Each day is a learning experience.

  17. #42
    Dorsey (SitePoint Zealot)
    Aside from sanitizing input, etc., this is a beginner's mistake. I suggest this as an alternative:

    if( ( $result = mysql_query(...) ) && mysql_num_rows( $result ) )
    do this with the result set;
    else
    use mysql_error() to figure out what went wrong;

    Now you're only invoking mysql_num_rows() on a valid result set. Doing it your way, you're assuming that the select statement actually returned a valid result set which obviously isn't the case.

  18. #43
    StarLion (Keeper of the SFL)
    Quote Originally Posted by Dorsey View Post
    Aside from sanitizing input, etc., this is a beginner's mistake. I suggest this as an alternative:

    if( ( $result = mysql_query(...) ) && mysql_num_rows( $result ) )
    do this with the result set;
    else
    use mysql_error() to figure out what went wrong;

    Now you're only invoking mysql_num_rows() on a valid result set. Doing it your way, you're assuming that the select statement actually returned a valid result set which obviously isn't the case.
    Mmmh not quite.
    If the query returns a valid result of 0 rows, you will trigger mysql_error() and get... nothing.

    Just because a query returns nothing doesn't mean it threw an error.

  19. #44
    SitePoint Evangelist (South Carolina)
    I think I will have other uses for the sanitizeFromPost function. I moved this code:
    PHP Code:
    function sanitizeFromPost($postName){
        if (isset($_POST[$postName])) {
            $str=(
                get_magic_quotes_gpc() ?
                stripslashes($_POST[$postName]) :
                $_POST[$postName]
            );
            return (
                function_exists('mysql_real_escape_string') ?
                mysql_real_escape_string($str) :
                addslashes($str)
            );
        } else return '';
    }

    I now have it in a file named sanitize_from_post.inc.php.

    I tried using an include

    include $_SERVER['DOCUMENT_ROOT'] . '/include/sanitize_from_post.inc.php';

    That did not work, and gave me an error on a line that reads:

    $userid=sanitizeFromPost('userid');

    The error was that sanitizeFromPost is not a valid function. I also tried using include_once, but that did not do any better.

    Did I fail to copy something to the include file?
    Each day is a learning experience.

  20. #45
    StarLion (Keeper of the SFL)
    Try echoing $_SERVER['DOCUMENT_ROOT'] to make sure your server isn't blocking this value. If it is, try just "include('include/sanitize_from_post.inc.php')", as this will cause it to use relative pathing rather than absolute.

  21. #46
    SitePoint Evangelist (South Carolina)
    I have been using includes to handle my repeating parts of pages, and use the document root.

    I did run the echo and it displayed the document root properly.

    Do I need to have <?php at the start of the sanitize_from_post.inc.php file? It is included inside the php of the page I am working on.
    Each day is a learning experience.

  22. #47
    StarLion (Keeper of the SFL)
    Yes. It must have PHP tags to be interpreted as PHP.

  23. #48
    SitePoint Evangelist (South Carolina)
    The day is just beginning, and I have already learned something new.

    I do not understand what you and Dorsey are talking about on my userid check. Is what I have good, or do I need to change something? The current code is:
    PHP Code:
        if (mysql_num_rows(mysql_query("SELECT user_id FROM member_tbl WHERE user_id = '$userid'"))) {
            $msg .= 'Userid already assigned. Please select another userid.<br>';
        }
    Thank you.
    Each day is a learning experience.

  24. #49
    StarLion (Keeper of the SFL)
    You're not sanitizing $userid;

    Consider this. What if I put in for my userid the string
    "'; DROP TABLE member_tbl; SELECT '1'='1"

    Now your query reads:
    SELECT user_id FROM member_tbl WHERE user_id = ''; DROP TABLE member_tbl; SELECT '1'='1'

    Yay, I deleted your members.

    mysql_real_escape_string is highly recommended for preventing this primitive form of attack.

    The mysql_error bit is something that theoretically should never come up once you've established the sanity of your query. It's essentially the try-catch theory for querying.

    PHP Code:
    if (!($result = mysql_query($sql))) {
      //There was an error in our query and it returned FALSE.
      echo mysql_error();
    } elseif (mysql_num_rows($result) == 0) {
      //The query executed successfully (it returned a Result Resource), but had no results to return.
    } else {
      //The query both executed successfully, and returned at least 1 row of data.
    }

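As an added example that is not part of the thread, here is the userid check from the posts above rewritten the way post #32 suggests, with a PDO prepared statement; member_tbl and user_id are the thread's own names, while the DSN and credentials are placeholders for whatever db_login.php holds.

```php
<?php
// Added example, not code from the thread: the userid check rewritten with a
// PDO prepared statement (post #32). With ERRMODE_EXCEPTION it also gives the
// three-way outcome of post #49 (query error / zero rows / rows found).
// Assumes member_tbl with a user_id column as in the thread; the DSN, user
// and password are placeholders to replace with the values from db_login.php.

function connectDb() {
    return new PDO(
        'mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8',
        'DBUSER_PLACEHOLDER',
        'DBPASS_PLACEHOLDER',
        array(
            // A failed query throws instead of returning FALSE, so "no rows"
            // (a valid result) can never be mistaken for "query broke".
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares, not client-side string emulation.
            PDO::ATTR_EMULATE_PREPARES => false,
        )
    );
}

// true if the userid exists, false if the SELECT ran and matched no rows.
// The value is bound as a parameter: the quotes and semicolon in a string
// such as "'; DROP TABLE member_tbl; SELECT '1'='1" reach MySQL as data
// and are compared against user_id literally, so no escaping is needed.
function useridTaken(PDO $pdo, $userid) {
    $stmt = $pdo->prepare('SELECT user_id FROM member_tbl WHERE user_id = :userid');
    $stmt->bindValue(':userid', $userid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$msg = '';
$userid = isset($_POST['userid']) ? $_POST['userid'] : '';
// On the PHP 5.2/5.3 hosts in this thread magic_quotes_gpc may still be on;
// undo it here and pass the raw value on. Do not escape it yourself.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $userid = stripslashes($userid);
}

if (strlen($userid) < 5) {
    $msg .= 'User ID should be 5 or more than 5 char length<br>';
} else {
    try {
        if (useridTaken(connectDb(), $userid)) {
            $msg .= 'Userid already assigned. Please select another userid.<br>';
        }
    } catch (PDOException $e) {
        // The mysql_error() branch of post #49: a broken query or connection,
        // not an empty result. Log the detail; show the user a generic message.
        error_log('member_tbl lookup failed: ' . $e->getMessage());
        $msg .= 'Could not check the userid right now. Please try again.<br>';
    }
}
```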

  25. #50
    SitePoint Evangelist (South Carolina)
    I think I understand what you are saying, but doesn't the previous code sanitize $userid?

    PHP Code:
        $userid=sanitizeFromPost('userid');
        if (strlen($userid)<5) {
            $msg .= 'User ID should be 5 or more than 5 char length.<br>';
        }
        if (mysql_num_rows(mysql_query("SELECT user_id FROM member_tbl WHERE user_id = '$userid'"))) {
            $msg .= 'Userid already assigned. Please select another userid.<br>';
        }
    I will make modifications later this evening and post the new code.
    Each day is a learning experience.

