On Sun, Aug 31, 2008 at 10:45 PM, Gav <ipv6guru@xxxxxxxxx> wrote:

> On Sun, Aug 31, 2008 at 10:36 PM, Evert Lammerts <evert.lammerts@xxxxxxxxx> wrote:
>
>> In PHP5 register_globals defaults to "off". You can either switch it
>> back on through your php.ini and restart your webserver, or change all
>> PHP_SELF references to $_SERVER['PHP_SELF']. See if that fixes your
>> problem.
>
> I already have
>
> php_admin_flag register_globals 1
>
> in the VirtualHost config for that site, so it should be on already.
> So I guess I'll try changing the references anyway jic.

Well, with E_ALL still on I have cleared all errors now so no more errors
on screen. However, problem persists, still looking but it's now 3am so I
should just try again later.

Gav...

>> I hope you understood the SQL injection problem I pointed out. Anybody
>> can drop your database, so do fix it!
>
> Will do, thanks.
>
> Gav...
>
>> On 8/31/08, Gav <ipv6guru@xxxxxxxxx> wrote:
>> > On Sun, Aug 31, 2008 at 9:27 PM, Evert Lammerts
>> > <evert.lammerts@xxxxxxxxx> wrote:
>> >
>> >> You don't need to print the query anymore - I already did that. You
>> >> need to change your code because right now it is open for SQL
>> >> injection attacks: I added some SQL to the url and generated an SQL
>> >> error (http://www.iwdp.co.uk/list.php?region=1&start=30,2). When you
>> >> retrieve start, e.g. $_GET['start'], do a check to make sure the value
>> >> is an integer.
>> >>
>> >> The good news is that the query looks fine:
>> >> SELECT d.id AS id FROM designers d, designer_regions dr WHERE
>> >> dr.region_id=1 AND dr.designer_id=d.id AND d.view=1 ORDER BY d.id ASC
>> >> LIMIT 0, 30;
>> >>
>> >> Can you run this query directly on the database and see what the result
>> >> is?
>> >
>> > *SQL query:* SELECT d.id AS id FROM designers d, designer_regions dr WHERE
>> > dr.region_id=1 AND dr.designer_id=d.id AND d.view=1 ORDER BY d.id ASC LIMIT
>> > 0, 30;
>> > *Rows:* 30
>> > id
>> > 2 4 5 11 43 63 86 99 117 119 158 165 233 272 290
>> > 305 328 335 363 396 414 425 430 436 459 489 490 518 536 554
>> >
>> >> Also check if you get an error after setting error_reporting to E_ALL.
>> >
>> > Yup, I left it up there at http://www.iwdp.co.uk/list.php
>> >
>> > The PHP_SELF being referred to as undefined is in the included file
>> > generic.php :-
>> >
>> > class DropNav
>> > {
>> >     var $items =array();
>> >     var $head;
>> >     var $body;
>> >
>> >     // CONSTRUCTOR
>> >     function DropNav()
>> >     {
>> >     }
>> >
>> >     // PUBLIC
>> >     function renderHead()
>> >     {
>> >         $this->buildHTML();
>> >         print $this->head;
>> >     }
>> >
>> >     // PUBLIC
>> >     function renderBody()
>> >     {
>> >         $this->buildHTML();
>> >         print $this->body;
>> >     }
>> >
>> >     // PUBLIC
>> >     function addItem( $url, $desc )
>> >     {
>> >         $this->items[] = array( "url" => $url, "desc"=>$desc );
>> >     }
>> >
>> >     // PRIVATE
>> >     function buildHTML()
>> >     {
>> >         global $PHP_SELF;
>> >         $this->body = "<form action=\"$PHP_SELF\">\n";
>> >         $this->body .= "\t<p><select name=\"newLocation\"
>> > onchange=\"jumpPage(this.form.newLocation)\">\n";
>> >         foreach ( $this->items as $item )
>> >         {
>> >             $this->body .="\t\t<option value=\"".$item[url]."\">";
>> >             $this->body .= $item[desc];
>> >             $this->body .="</option>\n";
>> >         }
>> >
>> >         $this->body .= "\t</select></p>\n</form>\n";
>> >
>> >         $this->head = "<script type=\"text/javascript\">\n";
>> >         $this->head .= "<!--
>> > function jumpPage( newLoc )
>> > {
>> > newPage = newLoc.options[newLoc.selectedIndex].value;
>> > if ( newPage != \"\" )
>> > {
>> > window.location.href=newPage;
>> > }
>> > } // -->\n";
>> >         $this->head .= "</script>\n\n";
>> >     }
>> > }
>> >
>> > Thanks
>> >
>> > Gav...
>> >
>> >> On Sun, Aug 31, 2008 at 1:16 PM, Evert Lammerts
>> >> <evert.lammerts@xxxxxxxxx> wrote:
>> >> > The code you've sent seems to be fine, and if I check your website it
>> >> > does everything it should do in terms of filtering - if I select
>> >> > Tayside as a region I get a development company with the region set to
>> >> > Tayside. It seems to me that this means the problem is not in one of
>> >> > the subclasses of ProfileList, so not a compatibility issue on that
>> >> > level ($this->query works fine).
>> >> >
>> >> >> while( $row = $db->getrow() )
>> >> > seems to stop after one loop. This is either because there are no more
>> >> > results - the query is limited to 1, so $count=1 - or because
>> >> > $db->getRow generates an error.
>> >> >
>> >> >> COUNT and $count look like they have different roles to me, COUNT is
>> >> >> the amount of designers to be listed per page, $count is the number
>> >> >> of designers to be listed altogether, so 150 designers would give me
>> >> >> 5 pages of 30 designers.
>> >> >
>> >> > In ProfileList::render the query is appended with "LIMIT $start,
>> >> > $count", and the results of the query all seem to be rendered. This
>> >> > probably means that $count and COUNT should have the same value - 30 -
>> >> > and that the render function is initially called with the global
>> >> > variable COUNT as parameter.
>> >> >
>> >> > To check what goes wrong you first need to set error_reporting to
>> >> > E_ALL in php.ini and restart your webserver, or add the line
>> >> > error_reporting(E_ALL); at the beginning of your code. After that you
>> >> > need to print the query from ProfileList::render. Can you adjust the
>> >> > function and add var_dump($q); after the line $q = $q." LIMIT $start,
>> >> > $count ";?
>> >> >
>> >> > Evert
>> >> >
>> >
>> > --
>> > Gav...
>> >
>> > [LinkedIn : http://www.linkedin.com/in/ipv6guru]
>> >
>> > www.16degrees.com.au | www.iwdp.co.uk | www.minitutorials.com
>> >
>> > (Sponsorship slots available on above three sites!)
>
> --
> Gav...
>
> [LinkedIn : http://www.linkedin.com/in/ipv6guru]
>
> www.16degrees.com.au | www.iwdp.co.uk | www.minitutorials.com
>
> (Sponsorship slots available on above three sites!)

--
Gav...

[LinkedIn : http://www.linkedin.com/in/ipv6guru]

www.16degrees.com.au | www.iwdp.co.uk | www.minitutorials.com

(Sponsorship slots available on above three sites!)
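
The integer check recommended in the thread for $_GET['start'], shown as an added example that is not part of the original messages or the site's code. The names int_param, build_list_query and PAGE_SIZE are hypothetical; the table and column names are the ones in the quoted query, and the sample inputs are constructed.

```php
<?php
// Added example. Only the table/column names come from the query quoted in
// the thread; every function and constant name here is hypothetical.

const PAGE_SIZE = 30; // designers per page, the role the thread gives to COUNT

/**
 * Return $params[$key] as an integer within [$min, $max], or $default when
 * the value is missing, is not a string, or does not parse as an integer.
 */
function int_param(array $params, string $key, int $default, int $min, int $max): int
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return $default; // missing, or an array such as ?start[]=1
    }
    $value = filter_var($params[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? $default : $value;
}

function build_list_query(array $params): string
{
    // A missing or invalid region falls back to 0 (assumed to match no rows).
    $region = int_param($params, 'region', 0, 0, PHP_INT_MAX);
    $start  = int_param($params, 'start', 0, 0, PHP_INT_MAX);

    // Both values are PHP integers here, so %d can only emit digits.
    return sprintf(
        'SELECT d.id AS id FROM designers d, designer_regions dr'
        . ' WHERE dr.region_id=%d AND dr.designer_id=d.id AND d.view=1'
        . ' ORDER BY d.id ASC LIMIT %d, %d',
        $region, $start, PAGE_SIZE
    );
}

// Constructed inputs: a normal page request, then the "30,2" value from the thread.
$samples = [
    ['region' => '1', 'start' => '30'],
    ['region' => '1', 'start' => '30,2'],
];
foreach ($samples as $get) {
    echo build_list_query($get), "\n";
}
```

With the second input, start is rejected by FILTER_VALIDATE_INT and falls back to 0, so the extra SQL never reaches the LIMIT clause.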