11-02-05 12:59 PM
Acmlm's Board - I2 Archive - Programming - Need PHP help!
Cellar Dweller
Posts: 186/269
The preg_* functions use a Perl compatible syntax, so usable information on them can be found in the perl manual section on regular expressions.

PHP code cannot be injected unless user input is somehow fed into eval(), require, include or similar functions/keywords.

SQL injection can be avoided by using is_numeric() to check or explicitly convert to numbers all numeric user input and addslashes() to escape all strings before using them in an SQL query. Due to the way PHP interprets the numeric value of strings, it is not sufficient to perform a numeric bounds check on values that might be a string before using them in an SQL query. Also, do not use internal variables in a way that they can be set from unchecked submitted data.

Do not underestimate the danger of SQL injection. If an attacker knows, or can correctly guess, the table structure, even a seemingly innocuous SQL injection vulnerability can be used in creative ways to obtain sensitive data. Repeatedly injecting a comparison clause into the WHERE portion of a SELECT query, and checking to see what data was returned, can be used to glean data that is not displayed.

Ideally, submitted HTML should be processed by an SGML validator with a list of acceptable tags, attributes, and tag nesting rules. Doing it that way is hard, so many people use regular expressions to validate submitted data. Regular expression validators might be more susceptible to circumvention attempts.
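The two SQL points above (the numeric check that a string can slip past, and the "inject one comparison into the WHERE clause and watch what comes back" technique) worked through as an added example. This is not code from the thread; it builds a throwaway SQLite database with PDO, and the table and column names (users, name, secret) and the bounds 0..100 are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Shows the blind extraction the
// post describes (one injected comparison per request, checking only
// whether a row came back) and the is_numeric()+cast check that stops it.
// The database, table and column names (users, name, secret) are constructed.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'swordfish')");
    return $db;
}

// Vulnerable: the id comes straight from the request, gets a numeric bounds
// check, and is pasted into the query. With $id = "1 AND ...", PHP 7 compares
// the leading "1" as a number and PHP 8 compares "1 AND ..." against "0" and
// "100" as strings; either way both comparisons are true and the check passes.
function lookupVulnerable(PDO $db, $id): ?string {
    if (!($id > 0 && $id < 100)) {
        return null;
    }
    $row = $db->query("SELECT name FROM users WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Hardened: refuse anything is_numeric() does not accept, then cast, so only
// a plain integer ever reaches the query string.
function lookupSafe(PDO $db, $id): ?string {
    if (!is_numeric($id)) {
        return null;
    }
    $id = (int) $id;
    if ($id <= 0 || $id >= 100) {
        return null;
    }
    $row = $db->query("SELECT name FROM users WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Blind extraction: the caller never sees the secret column, only whether the
// lookup returned a name. Each request injects one comparison into the WHERE
// clause; a binary search over printable ASCII recovers one character in
// about seven requests.
function extractSecret(PDO $db, int $victimId, int $maxLen = 64): string {
    $known = '';
    for ($pos = 1; $pos <= $maxLen; $pos++) {
        // Stop once the string is shorter than the position being probed.
        if (lookupVulnerable($db, "$victimId AND length(secret) < $pos") !== null) {
            break;
        }
        $lo = 32;
        $hi = 126;
        while ($lo < $hi) {
            $mid = intdiv($lo + $hi + 1, 2);
            $probe = "$victimId AND unicode(substr(secret, $pos, 1)) >= $mid";
            if (lookupVulnerable($db, $probe) !== null) {
                $lo = $mid;
            } else {
                $hi = $mid - 1;
            }
        }
        $known .= chr($lo);
    }
    return $known;
}

$db = setupDb();
echo "Recovered secret: " . extractSecret($db, 1) . "\n";
var_dump(lookupSafe($db, '1 AND 1=1'));   // not numeric, so the query is never built
var_dump(lookupSafe($db, '1'));           // a plain integer is the only thing that gets through
```

Every probe is a normal-looking request whose only observable difference is whether a name came back, which is exactly why a bounds check on the raw string does nothing here: the string passes the check and the database still sees the injected clause. The hardened version checks the type first and casts, so the value that reaches the query can only ever be an integer.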
HyperLamer
Posts: 2389/8210
True, but it's a bit hard to use. You pretty much have to know at least part of the function name you want. Their search doesn't limit to the current language, so even searching from the English page I get results in French - easily fixable (change '\fr' to '\en'), but annoying.
Originally posted by labmaster
Are you familiar with Regular Expressions? If not, it'd be worth reading up on them.

That's like "foo*b?r" would match "foo bar", "football bar", "foo bor" etc right? I'll research a bit later but I've got to go to school in 25 minutes. (I shouldn't even be up this early, but I just woke up for whatever reason, figured no point in trying to go back to sleep.)

Also, it's probably gonna be a long time before I do anything database-related, but I'll need to know for when I do: If I take user input and store it in a database, then display it later, what all ways could they screw things up? Anything, like accidentally crash the script, hide Javascript code in it for unsuspecting viewers, inject PHP/SQL code, etc. I intend to filter all but a few HTML tags. (I recall seeing an HTML-filtering function, very nice! This stuff's cool once you get to learn the functions. )
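The HTML-filtering question raised here, together with the earlier remark that regex validators are easier to get around than a proper validator with a list of acceptable tags, worked through as an added example. This is not code from the thread: one filter keeps tags by name the way regex filters usually do, the other encodes everything and restores an exact allow-list. The allow-list (b, i, a) and the four payloads are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Two "acceptable tags" filters:
// one written the way regex filters usually are (match on the tag name and
// leave the rest of the tag alone) and one that encodes everything and then
// restores an exact allow-list. The payloads are constructed to show the
// circumvention the earlier post warns about; the allow-list is arbitrary.
declare(strict_types=1);

// Regex filter: remove every tag whose name is not b, i or a. Attributes on
// an allowed tag are never looked at, so anything inside them survives.
function filterByTagName(string $html): string {
    return preg_replace('~</?(?!(?:b|i|a)\b)[a-z][^>]*>~i', '', $html);
}

// Encode-then-restore: htmlspecialchars() neutralises every tag and attribute,
// then only the exact, attribute-free tags on the list are put back. Nesting
// rules are still not enforced, which is what a real validator would add.
function filterStrict(string $html): string {
    $escaped = htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    foreach (['b', 'i'] as $tag) {
        $escaped = str_replace(["&lt;$tag&gt;", "&lt;/$tag&gt;"], ["<$tag>", "</$tag>"], $escaped);
    }
    return $escaped;
}

// Reports which payloads still carry live script after filtering: a raw tag
// containing an on*= handler or a javascript: URL.
function leaks(callable $filter, array $payloads): array {
    $leaked = [];
    foreach ($payloads as $label => $html) {
        $out = $filter($html);
        if (preg_match('~<[^>]*(?:\bon\w+\s*=|javascript:)~i', $out)) {
            $leaked[] = $label;
        }
    }
    return $leaked;
}

// Constructed inputs: one plain script tag, two that hide script inside
// attributes of an allowed tag, one that hides it in a disallowed tag.
$payloads = [
    'script tag'                     => '<script>alert(1)</script>',
    'handler on allowed tag'         => '<b onmouseover="alert(1)">hover me</b>',
    'javascript: URL on allowed tag' => '<a href="javascript:alert(1)">click</a>',
    'disallowed tag with handler'    => '<img src="x" onerror="alert(1)">',
];

echo "Tag-name regex filter leaks: " . implode(', ', leaks('filterByTagName', $payloads)) . "\n";
echo "Encode-then-restore filter leaks: " . implode(', ', leaks('filterStrict', $payloads)) . "\n";
```

The tag-name filter does remove the script and img tags, but the two payloads that put their script inside an attribute of an allowed tag pass straight through, because the regex only ever inspects the name. The encode-then-restore filter cannot let an attribute through at all, since the only raw tags in its output are the ones it wrote back itself; the trade-off is that it drops the href on links along with everything else, so allowing attributes safely needs the real parser the earlier post describes.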
Gavin
Posts: 344/799
True. I never bothered to check whether it was in any way optimized, as I never used it myself.

mixed str_replace ( mixed search, mixed replace, mixed subject [, int &count])

PHP has one of the most thorough sets of documentation I've ever seen. Basically every question you could ever ask should be answered in the documentation.
labmaster
Posts: 9/43
Are you familiar with Regular Expressions? If not, it'd be worth reading up on them.

ereg_replace (POSIX style) and preg_replace (Perl style) should be able to do what you want - if need be, you may need to use them alongside their splitting counterparts (?reg_split).
HyperLamer
Posts: 2384/8210
Thanks, but I actually managed to get it using file() to grab it into an array.

Now the next step, some kinda database.

Also how do I do string replacements (like replace all instances of 'foo' with 'bar')?
Gavin
Posts: 343/799
Well, windwaker had a similar problem a little while ago with PHP... or pretty close anyway.

My solution was just a simple set of code to put the selected file into an array of lines:


<?php
$filename = 'file.txt';

// Read the whole file and split it into an array with one element per line.
// (split() was a POSIX-regex function and is gone in PHP 7; explode() does
// a plain string split, which is all that is needed here.)
$contents = file_get_contents($filename);
$file_array = explode("\n", rtrim($contents, "\n"));

$line_count = count($file_array);

echo "Lines in file: " . $line_count . "\n";
// Arrays are zero-based, so lines 3 and 4 of the file are elements 2 and 3.
echo "Line 3 and 4 added: " . $file_array[2] . $file_array[3] . "\n";

for ($x = 0; $x < $line_count; $x++) {
    // Count the '/' characters on this line.
    $occur_count = substr_count($file_array[$x], '/');

    if ($occur_count > 0) {
        echo "$occur_count matches in file $filename, on line " . ($x + 1) . "\n";
    }
}
?>


I didn't bother to change the code from the last usage, but it should be pretty self-explanatory. Perhaps I could have used a while loop, but I'm too lazy to optimize. I just meant to show the general workings of it anyway.

I'm sure there are other solutions, but this one worked easiest for me. hope it helps

(edit: blah, < code > tags didn't let me indent)
HyperLamer
Posts: 2383/8210
I need to grab one specific line out of a text file into a variable. Like just grab line 4 or whatever. Is there a function for that? I know how to read a line using fgets(), just not how to specify which one.
AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al