ShawnCplus 456 Code Monkey Team Colleague

No, they can't. That's all stored on the server. Either in the DB or on the filesystem depending on your settings.

ShawnCplus 456 Code Monkey Team Colleague

My opinion is that the foreach method is insecure, difficult to follow and overall bad practice. I don't believe it should ever be used A) because a method exists to do that already ie., extract($_REQUEST); is the same as foreach($_REQUEST as $key => $val) $$key = $val; B) it makes it hard to search for the initialization of a variable.

With the filter_input method it is easy to see where the variable comes from, what type it is (email, string, int, etc.), it has built in validation and sanitization based on what filter you used.

As for "I'd still have to manually enter each attribute in the array?" yes, yes you will. The point is that you should KNOW exactly which variables are coming in from GET. If you're trying to do it automatically because there are a lot of them or you don't know what they will be, then there is something wrong with your application design.

As far as concatenation goes, I prefer that style, I find it cleaner and if you use an editor/IDE with any form of decent syntax highlighting it is much easier to read/debug (though more verbose than keeping it in the string). Some people will say something about performance but it's negligible either way so don't believe that one. It all boils down to preference, if you really don't want to concatenate you can still do echo "I have a string with $somearray[key]";

scaiferw commented: Well considered, constructive input. +1
ShawnCplus 456 Code Monkey Team Colleague

No, foreach would go away. The way I usually do it is to use a "clean" variable and filter_input_array to save time, like:

$clean = filter_input_array(INPUT_GET, array(
  'page' => FILTER_VALIDATE_INT,
  'email' => FILTER_VALIDATE_EMAIL
));

echo 'My page is ' . $clean['page'];
ShawnCplus 456 Code Monkey Team Colleague

Here's the safe alternative

$myvar = filter_var($_GET['myvar'], FILTER_VALIDATE_INT, array('options' => array('default' => 15)));
ShawnCplus 456 Code Monkey Team Colleague

I said nothing about _REQUEST being deprecated, I said register_globals is being deprecated. I said it was the reason WHY register_globals was deprecated because

foreach($_REQUEST as $key => $value)
$$key = $value;

is exactly what register_globals did which is a massive security risk. If you clean your variables that's different but in my opinion variable variables ( $$var ) and extract() are bad practices that make code hard to follow anyway.
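
The difference between the two patterns in the posts above, run on constructed request data (an added example, not code from the original posts). `import_all`, `import_listed` and the `is_admin` parameter are hypothetical, and `filter_var_array` stands in for `filter_input_array` so the same filter definition can run on a plain array.

```php
<?php
// Constructed request data standing in for $_GET (assumption: run from the CLI,
// where there is no real query string).
$request = array(
    'page'     => '3',
    'email'    => 'not-an-email',
    'is_admin' => '1',   // a parameter the application never asked for
);

// Pattern the posts warn against: every request key becomes a local variable.
function import_all(array $request)
{
    $is_admin = false;                  // value the application set itself
    foreach ($request as $key => $value) {
        $$key = $value;                 // same effect as extract($request)
    }
    return $is_admin;                   // overwritten by the request parameter
}

// Whitelist pattern: only the named keys are read, each through an explicit filter.
function import_listed(array $request)
{
    $is_admin = false;
    $clean = filter_var_array($request, array(
        'page'  => array(
            'filter'  => FILTER_VALIDATE_INT,
            'options' => array('min_range' => 1),
        ),
        'email' => FILTER_VALIDATE_EMAIL,
    ));
    // $clean holds only 'page' and 'email'; 'is_admin' from the request is dropped,
    // and a value that fails its filter comes back as false.
    return array($is_admin, $clean);
}

var_dump(import_all($request));

list($is_admin, $clean) = import_listed($request);
var_dump($is_admin);
var_dump($clean);
```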

ShawnCplus 456 Code Monkey Team Colleague

I'm having some issues.

Please elaborate.

ShawnCplus 456 Code Monkey Team Colleague

it means your query failed. use mysqli_error to figure out what went wrong.

ShawnCplus 456 Code Monkey Team Colleague

PHP Cookbook (Amazon) is a good start since it's less "Here's how to program in PHP" and more "You know how to program, here are some nifty 'recipes' that you can use to build stuff with PHP". It is actually extremely comprehensive; it covers everything from building basic forms to full-on AJAX applications with a robust backend.

ShawnCplus 456 Code Monkey Team Colleague

Any place that you would like asynchronous operations and don't want to send the user to another page.

* Submitting a form
* Login
* Voting/ranking/etc.
* Commenting
* Pagination
* Image galleries
* Chat/messaging
* etc. inf.

ShawnCplus 456 Code Monkey Team Colleague

You don't need a while loop to make a loop, just use setInterval(<function to execute>, <repeat every N milliseconds>);

ShawnCplus 456 Code Monkey Team Colleague

You WANT it to create an infinite loop? And what is the purpose of the outer loop? What is setTimeout _supposed_ to be doing (you're missing a function parameter to setTimeout)?

ShawnCplus 456 Code Monkey Team Colleague

Try looking for ajax calls on timers (settimeout, etc.). Loop is a bad way to describe what you want to do

ShawnCplus 456 Code Monkey Team Colleague

A great thing about PHP is that because it's so chock-full of crap functions sometimes you find one that's useful :P

php.net/wordwrap

mission_PHP commented: Thanks you have helped rep added +0
ShawnCplus 456 Code Monkey Team Colleague

Do you mean create an image from a php page that outputs image data, or create an image from a php page that just outputs data?

The first case is easy, just put header('Content-Type: image/png'); at the top. The second one is a bit strange.

ShawnCplus 456 Code Monkey Team Colleague

Other than notepad++ and Netbeans I haven't heard of many other popular programs or none that I can think of.

*cough* vim/gvim/macvim > all *cough* unfortunately : [img]http://www.terminally-incoherent.com/blog/wp-content/uploads/2006/08/curves.jpg[/img]

ShawnCplus 456 Code Monkey Team Colleague

php.net is your friend http://php.net/array_diff

See also
# array_diff_assoc
# array_diff_key
# array_diff_uassoc
# array_diff_ukey

ShawnCplus 456 Code Monkey Team Colleague

In IE8 there are the IE Developer Tools which, while not as good at inspecting elements and CSS, has a very powerful built-in Javascript debugger. Note that Firebug console.* calls are, for the most part, compatible with the IE Developer Tools.

<disclaimer>This being said, use Firebug</disclaimer>

ShawnCplus 456 Code Monkey Team Colleague

Take a look at how the serialization is built and emulate it for a LIKE clause

$search_field = 'tstate';
// A serialized PHP string has the form s:<length>:"<value>"
$search_field = 's:' . strlen($search_field) . ':"' . $search_field . '"';

$search_value = 'MI';
$search_value = 's:' . strlen($search_value) . ':"' . $search_value . '"';
// s:6:"tstate";s:2:"MI"
$search_string = $search_field . ';' . $search_value;

$query = 'SELECT blah FROM blah WHERE blah LIKE \'%' . $search_string . '%\'';
ShawnCplus 456 Code Monkey Team Colleague

Firstly, where is the $directory variable coming from? As for your original question, take a look at php.net/substr and php.net/strpos

Cap'nKirk commented: Thanks for your help! +1
ShawnCplus 456 Code Monkey Team Colleague

i=15 Should be i <= 15

ShawnCplus 456 Code Monkey Team Colleague

is MD5 secure? Every place i read of hashing, md5 is being bashed of being insecure

Well if this is true then 99% of the PHP websites out there that do authentication are fucked. :P

Please, explain a little bit

The only use-case for encryption during securing a PHP site is if you want to encrypt passwords rather than hash them. If you encrypt them you can decrypt them and email them back to the user if they lose it. If you hash it you can't do that because it's one way, you'll just have to send a random password back to the user.

ShawnCplus 456 Code Monkey Team Colleague

What books or tutorial (online/downloadable) shall i learn to be able to make secure page? I need to know different technique and algorithms

There aren't really that many techniques (and 0 algorithms to remember) to secure your site. MD5 your passwords, scrub your inputs AND outputs, use prepared queries (PDO). I'm all for being strong in CS but as far as PHP goes unless you're hell-bent on being able to give the user their password back on reset you're not going to be using cryptographic algorithms too much.

ShawnCplus 456 Code Monkey Team Colleague

Wait, I have to do a talk on encryption tomorrow and I've chosen to do MD5 :P but I'm talking about how it encrypts data in a database like passwords etc and how the form checks the details for integrity. Would this be ok?

Yup, as long as you specify that MD5 is a hash function rather than a cipher IE., there isn't a particular key which the data is encrypted and decrypted against.

ShawnCplus 456 Code Monkey Team Colleague

Thanks,

So it wouldn't be right to encrypt a whole file using MD5 because it wouldn't be easy to decrypt it?

Well MD5 isn't encryption, it's one way. Technically both are just as hard to "decrypt". Not sure why you'd MD5 a whole file since you'd never be able to get that data back unless you're checking for integrity I.E.,

* I upload Document A
  `- MD5(Document A) => 3fab79ac...
* I want to download/sell/distribute/something else Document A
* Prepare Document A
  `- MD5(Document A) => 7bd96ca3...
* Whoops, somehow Document A changed, integrity failure
ShawnCplus 456 Code Monkey Team Colleague

I'm not sure I understand the second part of the question. As to the first part, correct. So far no one has figured out a way to decrypt MD5. There are things like rainbow tables, however, that are essentially massive databases of strings and their corresponding MD5 hashes which are used as lookups.

ShawnCplus 456 Code Monkey Team Colleague

Can't do that, has to be a local file. If you do an include() on a remote file it'll pretty much just get the file like you would if you hit it in the browser. Remote file includes are just a bad idea all around.

ShawnCplus 456 Code Monkey Team Colleague

So I'm using InnoDB and so far it is ok and I will see when I have to restart the mysql service. Because hopefully if it is inserting a record while the mysql service is restarting it shouldn't corrupt the table like myisam does. That is still to be tested. But as for now, I will ask apart from obvious performance what is the difference between InnoDB and Myisam? And yes I read the earlier posts but some of those long words are confusing.

Foreign key constraints, atomic transactions, row-level locking. All-around win.

ShawnCplus 456 Code Monkey Team Colleague

whoops, change document.write(images[index]); to document.write(images[i]);

ShawnCplus 456 Code Monkey Team Colleague
// don't use new Array(3), just use []
var i, images = [];

// use push, don't manually assign the index
images.push("somelink1");
images.push("somelink2");

// shuffle the array
images.sort(function ()
{
    return 0.5 - Math.random();
});

for(var i = 0; i < images.length; i++)
{
    document.write(images[index]);
}
ShawnCplus 456 Code Monkey Team Colleague

(GD) You'll want a combination of http://php.net/imagecopymerge, imagecreatefrom<type>, and http://php.net/imagefilter

ShawnCplus 456 Code Monkey Team Colleague

1) http://php.net/mysql
2) Manage in what way? Revision control, file structure, etc.?

ShawnCplus 456 Code Monkey Team Colleague

What is your question exactly? Pasting a homework assignment isn't a question.

ShawnCplus 456 Code Monkey Team Colleague

try this

function search_highlight($needle, $replace, $haystack)
{
 $haystack = eregi_replace($needle,$replace,$haystack);
 return $haystack;
}
echo search_highlight($searchtext, "<b><font style='color:white; background-color:grey;'>" . $searchtext . "</font></b>", total description);

DON'T use ereg* functions. There's a reason why there are GIANT RED WARNINGS at the top of every page of the PHP documentation with these functions in them. Use preg_*

ShawnCplus 456 Code Monkey Team Colleague

If you're looking to avoid row corruption you'll definitely want to look into atomic transactions http://dev.mysql.com/doc/refman/5.5/en/ansi-diff-transactions.html

But the issue still remains if you restart mysql while updates are still running there's really nothing you can do, you killed the thread it can't recover if it doesn't exist :P

The only situation this solution doesn't handle is when someone kills the threads in the middle of an update. In that case, all locks are released but some of the updates may not have been executed.

ShawnCplus 456 Code Monkey Team Colleague

Show the code you have right now

ShawnCplus 456 Code Monkey Team Colleague

$bes is a three-dimensional array

My bet is that isn't the case, var_dump($bes); before that to see what $bes actually is. That error happens when you try to do something like this.

$some_string = "Hello";
echo $some_string[0][1]; // PHP Fatal error: Cannot use string offset as an array
ShawnCplus 456 Code Monkey Team Colleague

If tArea is a <textarea> then .value won't work, you'll have to use innerHTML

I am making a little forum and while trying to add the quote post functionality have come across a problem that has me stumped. Here is my js:

function addQuote(text)
	{
		var tArea = document.getElementById('forumReply_message');
		tArea.value = text;
	
	}

Here is sample HTML (one that doesn't work):

<a href="#replyArea" onclick="addQuote('Got a random playlist on right now.  All sorts of stuff... Miike Snow, Galactic, Danger Mouse, Bon Iver, Marlena Shaw, Dirty Projectors... it's eclectic to say the least.');">Quote</a>

I really can't figure out why this won't pass the addQuote() value into the textarea. It does work for some posts but most of them it doesn't. I appreciate any help.

ShawnCplus 456 Code Monkey Team Colleague

That's why you should comment your code clearly :-)

Comments or not, extract is by definition obfuscating the initialization of multiple variables. In addition using extract on superglobals (_GET, _POST, etc.) is a massive security risk (You didn't provide this in your example, I'm just pointing out that wanton use of extract is dangerous)

ShawnCplus 456 Code Monkey Team Colleague

Extract is almost always bad practice, especially in the use case provided. Case in point: You worked on some code at a job and it uses extract and you leave the job and someone else comes along and inherits the code. "Hmm, there's this bug involving $somevar but I don't see it defined anywhere..."

3 hours later extract($some_random_array); // I'm awesome "FFFFUUUUUUUU"

ShawnCplus 456 Code Monkey Team Colleague

You can't, that simple.

ShawnCplus 456 Code Monkey Team Colleague

No, it's very possible but it's just a plain bad idea. IDs are unique identifiers for the DOM, changing the ID is like giving your social security number to someone else; sure it might work but it's bound to cause issues.

Use css to hide/show either the select or the input and update whatever function is dependent on the ID to support two separate IDs.

Is this your way of saying that you don't know if it's possible to change the id of an element?

Situation is as follows:

Jsp uses xsl to render xhtml. I use java helper method in xsl to create a number of <option> elements inside a <select>. I want to swap / replace this <select> with an <input type="text"> according to an <option> selected by the user in another <select>. For the purposes of submitting the form, the <select> or the <input type="text"> need to be a particular id. Thus, I need to set the id of the elements as one becomes active and visible, whilst the other is hidden and inactive.

If it is not possible to change the id of an element then obviously I will look at another way of doing this.

ShawnCplus 456 Code Monkey Team Colleague

If you have to change the ID of an element you're probably doing something else wrong.

ShawnCplus 456 Code Monkey Team Colleague

So I don't have to define them in the function parameters to be able to use them?

Nope.

function somefunction()
{
   $somefile = $_FILES['hello']; // works perfectly fine.
}
ShawnCplus 456 Code Monkey Team Colleague

The variables $_FILES, $_GET, $_POST, $_REQUEST, etc. are what's known as super-globals. They are special PHP variables that are available everywhere and are based on the current request, so even if the function is in a different file, as long as it is the same request they'll be populated with the correct data.

ShawnCplus 456 Code Monkey Team Colleague

You don't need a loop.

if (!in_array($fileExt, array('doc', 'docx', 'pdf'))) {
	// your stuff
}
ShawnCplus 456 Code Monkey Team Colleague

You have the object inside a <noscript> block so it's not being rendered if you have javascript enabled.

ShawnCplus 456 Code Monkey Team Colleague

How would I go about passing a user agent when requesting an external xml feed from a 3rd party web service. Need to pass the user agent or else the feed produces an error. I am using DOM

<?php
$request1 = 'http://www.abc123.com/webservice/this.xml';

$requestIT1 = $request1;
$response1 = new DOMDocument();
$response1->load($requestIT1);
?>

Thanks in advance!

Google is your friend, 2nd result.
http://www.php.net/manual/en/domdocument.load.php#91384

ShawnCplus 456 Code Monkey Team Colleague

Don't combine logic like that into one giant `if`. Here's a quick example.

<?php
$fields = array('Flavours', 'Sizes', 'Product_Name');
$errors = array();
foreach ($fields as $field) {
	if (!isset($_POST[$field])) {
		$errors[] = 'Missing required field ' . $field;
		continue;
	}

	if (!strlen(trim($_POST[$field]))) {
		$errors[] = $field . ' cannot be empty.';
		continue;
	}
}

if (empty($errors))
{
	// I'm assuming you're cleaning these appropriately.... *hint hint wink wink*
	$flav = explode('-', $_POST['Flavours']);
	$flavours = $flav[0];
	$sizes = $_POST['Sizes'];
	$product_name = $_POST['Product_Name'];

	$result = mysql_query('SELECT Products_ID FROM products WHERE Size = "' . $sizes . '" AND Flavour = "' . $flavours . '" AND Product_Name = "' . $product_name . '"');
	$row = mysql_fetch_array($result);
	$product_id = $row['Products_ID'];
	$message = 'Blahity blah successful!';
}
else
{
	$message = 'YOU HAVE ERRORS! ' . join('<br />', $errors);
}
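
The product lookup from the example above with the submitted values bound through a PDO prepared statement instead of concatenated into the SQL (an added example, not part of the original post). The in-memory SQLite database, the sample row, the `$post` array and the `find_product_id` helper are assumptions made so it runs without a MySQL server.

```php
<?php
// Assumption: in-memory SQLite stands in for MySQL. Table and column names are the
// ones used in the query above; the row is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (
    Products_ID INTEGER PRIMARY KEY, Size TEXT, Flavour TEXT, Product_Name TEXT)');
$db->exec("INSERT INTO products (Size, Flavour, Product_Name)
           VALUES ('Large', 'Vanilla', 'Shake')");

// Constructed form data standing in for $_POST.
$post = array('Flavours' => 'Vanilla-2', 'Sizes' => 'Large', 'Product_Name' => 'Shake');

function find_product_id(PDO $db, array $post)
{
    $flav = explode('-', $post['Flavours']);

    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT Products_ID FROM products
          WHERE Size = :size AND Flavour = :flavour AND Product_Name = :name'
    );
    $stmt->execute(array(
        ':size'    => $post['Sizes'],
        ':flavour' => $flav[0],
        ':name'    => $post['Product_Name'],
    ));

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['Products_ID'];
}

var_dump(find_product_id($db, $post));

// A value containing a double quote would end the string literal early in the
// concatenated query; bound as a parameter it is compared as plain data.
$post['Product_Name'] = '6" Sub';
var_dump(find_product_id($db, $post));
```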
ShawnCplus 456 Code Monkey Team Colleague

A) PHP7 doesn't exist, PHP6 doesn't exist yet for that matter. B) IE8 is the _newest_ IE browser, and even Google is halting support for browsers older than IE7 in March. C) Feel free but you should know that the particular code I linked to won't work in PHP4 even remotely

ShawnCplus 456 Code Monkey Team Colleague

No, it's most certainly not impossible, I've written one myself http://github.com/shawncplus/lzHilight/blob/master/tokenizers/html.php. My reaction is as zealous as it is because supporting PHP4 is like intentionally driving a car with an engine made of duct-tape when you have a Porsche sitting in the garage.