Re: Foreach

On Jan 18, 2008 12:20 PM, Zoltán Németh <znemeth@xxxxxxxxxxxxxx> wrote:
> On Friday, 2008. 01. 18 at 12.10, Wolf wrote:
>
> > ---- Eric Butera <eric.butera@xxxxxxxxx> wrote:
> > > On Jan 18, 2008 11:38 AM, Wolf <lonewolf@xxxxxxxxx> wrote:
> > > > Steve,
> > > >
> > > > This should work as some basic pseudo code.  You are running into a number of issues with your usage of the foreach as it sounds like what you really want to do is walk through one array and grab the corresponding value from another.
> > > >
> > > > <?php
> > > > // First check to make sure you are getting both fields
> > > > if(isset($_POST['name']) && is_array($_POST['name']) && isset($_POST['order']) && is_array($_POST['order']))
> > > > {
> > > >  // Now assign them to easier to play with variables
> > > >  $names=$_POST['name'];
> > > >  $orders=$_POST['order'];   // same key as checked above
> > > >  // This tests for the same number of items as names
> > > >  if (count($names) == count($orders))
> > > >  {
> > > >   $i=0;
> > > >   while($i<count($names))   // indexes run 0..count-1
> > > >   {
> > > >    $update_data = "UPDATE sections SET `order` = '$orders[$i]' WHERE name = '$names[$i]'";
> > > >    $response = mysql_query( $update_data, $cnx );
> > > >    if(mysql_error()) die ('database error<br>'.mysql_error());
> > > >    $i++;   // advance the index, otherwise the loop never ends
> > > >   }
> > > >  }
> > > > }
> > > > ?>
> > > >
> > > > HTH,
> > > > Wolf
> > > >
> > > >
> > > > --
> > > > PHP General Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
> > > >
> > > >
> > >
> > > Hi Wolf,
> > >
> > > Your code is missing data validation!  Hopefully you don't do stuff
> > > like that either.
> > >
> > > function super_duper_escaper($value, $db) {
> > >     if (!get_magic_quotes_gpc()) {
> > >         $value = mysql_real_escape_string($value, $db);
> > >     }
> > >     return $value;
> > > }
> > >
> > > $_sql = "UPDATE sections SET `order` = %d WHERE name = '%s'";
> > > $sql = sprintf(
> > >     $_sql,
> > >     (int)$orders[$i],
> > >     super_duper_escaper($names[$i], $cnx)
> > > );
> > >
> > > What we're doing here is making sure that the order is a number and
> > > that the name is a string that properly escapes out the quotes to make
> > > sure people can't break out of the context of data and into commands.
> > > Look up SQL injection for more information.
> > >
> > > Don't rely on magic quotes, etc. as it is a server specific setting, is
> > > going away in php6, and does not take character sets into
> > > consideration.  The mysql extension is just as bad as it won't allow
> > > you to update the character set context from the mysql server default.
> > > So use mysqli or pdo unless everything matches across the board.
> >
> >
> > Of course it was missing the data validation, I don't write a whole page/app for anyone just out of the blue.  I was expecting Steve to make sure he handled the data validation on his side before implementing the code fully.  As it is, I would have used a function and array_walk to check the validness of each field and assign it to a new array if it was valid, then use the new arrays to actually be pushed into the mysql queries.  :)
> >
> > I also tend to put in a referrer checker to make sure the page is coming where it should be coming from and depending on how nice I am either redirecting back to my page and my form, or heading them off to other fun places (like ratemypoo or something similar)  :)
>
> I wouldn't do that as the referer value can be set on the client side to
> anything... I just simply don't trust it.
>
> greets
> Zoltán Németh
>
> >
> > Wolf
> >
>
>

Nonetheless, as I keep reiterating, people will copy and paste this
stuff as is because they don't know better.  It is the responsibility
of people writing the answers to make sure their code is validated and
as "secure" as possible unless there is some glaringly obvious comment
saying {get your data here} with a link to how to validate it
properly.

Using session based form tokens is a better approach to make sure the
post came from within your application.
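
The two points raised in this thread, validating the paired name/order arrays before they reach the query and tying the POST to the session with a form token instead of trusting the Referer, put together as an added example. This is not code from anyone on the list; it assumes PHP 7 or later, PDO, and a `sections` table with `name` and `order` columns (an in-memory SQLite table is constructed at the bottom so the file runs stand-alone from the CLI).

```php
<?php
// Added example, not from the thread. Session form token + validated,
// parameterised update of paired name/order arrays. Assumes PHP 7+ and PDO.

// Issue a token when the form is rendered and keep a copy server side.
// $session is $_SESSION in a web request (passed by reference).
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

// Compare the submitted token with the session copy in constant time and
// discard it so a token can only be used once.
function verify_form_token(array &$session, ?string $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Validate both arrays together: same length, matching keys, non-empty
// string names, non-negative integer orders. Returns [name, order] pairs,
// or null if anything is off (the caller rejects the whole request).
function validate_section_orders($names, $orders): ?array
{
    if (!is_array($names) || !is_array($orders) || count($names) !== count($orders)) {
        return null;
    }
    $pairs = [];
    foreach ($names as $i => $name) {
        if (!array_key_exists($i, $orders) || !is_string($name) || $name === '' || strlen($name) > 64) {
            return null;
        }
        $order = filter_var($orders[$i], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($order === false) {
            return null;
        }
        $pairs[] = [$name, $order];
    }
    return $pairs;
}

// Run all updates in one transaction through a prepared statement; values are
// bound, never interpolated, so quoting is the driver's job, not ours.
function update_section_orders(PDO $pdo, array $pairs): int
{
    $stmt = $pdo->prepare('UPDATE sections SET `order` = :order WHERE name = :name');
    $changed = 0;
    $pdo->beginTransaction();
    try {
        foreach ($pairs as [$name, $order]) {
            $stmt->bindValue(':order', $order, PDO::PARAM_INT);
            $stmt->bindValue(':name', $name, PDO::PARAM_STR);
            $stmt->execute();
            $changed += $stmt->rowCount();
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $changed;
}

// --- constructed demo so the file runs from the CLI ---------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sections (name TEXT PRIMARY KEY, `order` INTEGER)');
$pdo->exec("INSERT INTO sections VALUES ('intro', 1), ('body', 2)");

$session = [];                                  // stands in for $_SESSION
$token   = issue_form_token($session);          // would go into a hidden field

// A submission that includes a quote in a name: with the old string
// interpolation this changed the SQL; here it is just data.
$post = ['token' => $token, 'name' => ['intro', "bo'dy"], 'order' => ['2', '1']];

if (!verify_form_token($session, $post['token'] ?? null)) {
    exit("rejected: bad form token\n");
}
$pairs = validate_section_orders($post['name'] ?? null, $post['order'] ?? null);
if ($pairs === null) {
    exit("rejected: invalid input\n");
}
echo update_section_orders($pdo, $pairs), " row(s) updated\n";   // 1: "bo'dy" matches nothing

// Replaying the same token fails because verify_form_token consumed it.
var_dump(verify_form_token($session, $token));                     // bool(false)
```

In a real request the `$session` argument is `$_SESSION` after `session_start()`, the token is emitted into a hidden `<input>` (HTML-escaped), and a failed `verify_form_token` should return 403 rather than fall through to the update. Rejecting the whole request when any pair fails validation keeps the two arrays in step, which is the part the original `while` loop never guaranteed.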
