[php] School project, just finished
06.20.06, 16:42:31
http://72.29.90.39/~ffomega/todo/index.php
Here's a project for school I just finished. As you can see (and it should be obvious) it's some kinda online todo list. It's written in PHP (the PHP version on the host is PHP 4, but I've originally made it in 5), etcetera.
The design is all by me, with the basic structure etc by Kio, so I can't take all the credit for that . It's not the best on the net, but I'm not a designer. I'd say it looks pretty good from my point of view . Any suggestions for layout perfections are also welcome, it shouldn't be too much of a problem to change colors and such (I actually tried to use CSS as much as possible.)
I have to turn it in this Friday, so if you find any bugs I missed, please lemme know.
Known bugs so far
- Usernames with quotes (and probably other MySQL special characters) aren't able to log in, need to check that tomorrow.
______________________________________
stripslashes();
When you enter something via the POST method, PHP automatically adds slashes before quotes, to prevent SQL injection etc.
______________________________________
Hey works cool.
But I'll stick to my outlook-agenda. :P
______________________________________
[ Status: Former Super Moderator ]
Quote:
Quoth NeaQuan:
stripslashes();
When you enter something via the POST method, PHP automatically adds slashes before quotes, to prevent SQL injection etc.
Yar, I know that one. Good chance I forgot that here and there, I haven't really paid attention to that one yet.
I got an 8 / 10 on that todo list thingy, and we got a 7 / 10 for that art project, which also includes documentation, presentation, and probably some other stuff.
Ummmm... you want to AddSlashes before you run an SQL Query, not StripSlashes. Stripping slashes will take out any escaping (i.e. turn \" into "). You want to escape out illegal characters before running an SQL Query by either using "addslashes" or "mysql_escape_string." Stripping slashes before entering data into a database is what causes a major hole for SQL Injections. Feel free to correct me if I'm wrong, I've been developing in JSP/Java for the past quarter and I'm a bit rusty on my PHP.
By the way, not bad for a beginner. I'd look at it more but I'm not much awake at the moment.
Edit: Quick Function you can run your strings through:
Code:
function mkStrSQLSafe($value) {
    // Magic quotes already added backslashes; strip them so nothing is escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Prefer the connection-aware escaper (PHP >= 4.3); fall back to addslashes()
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
This checks to see if Magic Quotes is enabled (if it is you have to strip slashes as certain things are already escaped). Then it checks to see if mysql_real_escape_string exists; if it does it escapes it with that function, otherwise it uses addslashes. To call this whilst doing an SQL statement do something like:
Code:
$uName=$_POST['username'];
$query="SELECT * FROM users WHERE uName='".mkStrSQLSafe($uName)."'";
Again, correct me if I'm wrong. If you know your server has Magic Quotes on, or if you know it has mysql_real_escape_string, then you can avoid half of this; this is simply a quick catch-all function.
______________________________________
[drifter]
"CAUTION: Proper use of the brain is not endorsed by federal governments nor huge corporations involved in serious financial profit from a brainwashed and enslaved population."
~ T. Leary
Last edited by Drifter : 07.07.06 at 00:07:30.
I know about all that, yes. And my stripslashes function is a bit cleaner/neater/multi-purpose, IMO.
Code:
class parse
{
    // Undo magic_quotes_gpc slashes; walks arrays element by element
    public static function RemoveSlashes($var)
    {
        return (is_array($var)) ? array_map("stripslashes", $var) : stripslashes($var);
    }
    // Escape for use inside a quoted MySQL string literal; walks arrays too
    public static function DoSlashes($var)
    {
        return (is_array($var)) ? array_map("mysql_real_escape_string", $var) : mysql_real_escape_string($var);
    }
}
This'll walk through an array and add (or remove) slashes to each element and return it with escaped elements, and escapes the string if it's just a single string. All that in just a single line, too.
Oh, and I always assume that magic_quotes_gpc is off, you should never make code assuming that's on.
And your example would be a bit quicker if made like this:
Code:
$uName = parse::doSlashes ( $_POST['username'] );
$query = "SELECT * FROM users WHERE username = '$uName'";
Basically puts the escaped username in the variable, instead of just copying the $_POST variable into it (uses a bit moar memory) and then again run it through that function.
Or, more direct yet not that readable,
Code:
$query = "SELECT * FROM users WHERE username = '" . parse::doSlashes ( $_POST['username'] ) . "'";
Last edited by YopY : 07.08.06 at 08:56:41.
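Both Drifter's mkStrSQLSafe helper and YopY's parse class escape the username before it is pasted into the query string. As an added example (not code from the thread or from the todo-list project), here is the same login lookup done with a bound parameter, which makes the "usernames with quotes can't log in" bug from the first post go away without any escaping helper that can be forgotten. It assumes PHP 5.1 or later with PDO_MySQL, a `users` table with `id` and `username` columns, and placeholder DSN and credentials.

```php
<?php
// Added example, not the thread's code. Login lookup with a prepared statement.
// Assumes PHP >= 5.1 with PDO_MySQL; DSN, credentials, table and column names
// below are placeholders chosen for this example.

// Undo magic_quotes_gpc only when it is actually on. Never assume it is on,
// and never stripslashes() data that PHP itself did not slash.
function undoMagicQuotes($value) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $value;                       // PHP >= 5.4: magic quotes are gone
    }
    return is_array($value) ? array_map('undoMagicQuotes', $value)
                            : stripslashes($value);
}

// Look up a user by exact username. The value travels as a bound parameter,
// so the server never parses it as part of the SQL text: a quote in the name
// (O'Brien) is just data, and no escaping helper is needed or can be skipped.
function findUser(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute(array($username));
    return $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such user
}

$db = new PDO('mysql:host=localhost;dbname=todo', 'todo_user', 'secret');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

$username = undoMagicQuotes(isset($_POST['username']) ? $_POST['username'] : '');
$user = findUser($db, $username);
if ($user === false) {
    echo 'No such user';
} else {
    // Escape for the HTML context on the way out, just as the SQL context was handled on the way in
    echo 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
}
```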
Aye agreed, I've been doing JSP and Java (I must say, JSP/Java is so much better than PHP, I wish it would actually catch on)... for the past quarter+ so my mind is gone with PHP. Was just throwing together quick stuff. As far as Magic Quotes being off, it's generally safe to assume but it's always good to test it out just to be sure. I've seen some odd server configs in the past. *shrugs*
Meh, magic_quotes is off by default since PHP 4.1.something, so not a lot of hosts still have it on by default. I prefer to just manually do it all.
And we're supposed to get Java next year, looking forward to it.
Java is a ****ing good language. Hopefully you don't have some ***** ass teacher though. I've found that most Java teachers aren't that great (mainly focusing on projects that have no relevance and such yet teach random Java classes and general OOP Design). I never liked PHP because it always seemed messy; with JSP it is essentially Java with a little web syntax and special objects/classes. Very structured (albeit slightly overkill on some projects).