I've checked a condition in my script, but am having problems with the if statement. Please check my code:
function __construct($user=null)
{
parent::__construct();
require_once 'model/chanell_model.php';
$this->theme->msg='.....';
$this->db = new chanell_model();
if ($user==null && !parent::isLog()){
$this->themes=2;
}elseif ($user===null){
echo 'print';
$this->db->getChanellData();
}elseif($user!==null){
echo 'print';
}else{
$this->db->getChanellData($user);
}
}
How could be possible in same time $user == null and also $user != null.
In this code both echo commands will work .
I've also used == instead of === .
Sorry for my English. Any help would be great.
Take a long breath
if ($user===null){ echo 'bye'; }else{ echo 'hi'; }
if this piece of code will write 'bye' and 'hi' at the same time, so it's time to change your computer... :)
More seriously,
Try to debug your code and XDEBUG will be your friend for life :)
And for the immediate test, you can run your constructor as follow
function __construct($user = NULL) {
parent::__construct();
require_once 'model/chanell_model.php';
$this->theme->msg = '.....';
$this->db = new chanell_model();
$debug = TRUE;
$executionId = uniqid();
$debugMessage = '';
if ((is_null($user)) && (!parent::isLog())){
$this->themes=2;
if ($debug) {
$debugMessage .= "First condition executed, id: <" . $executionId . ">\n";
}
}
elseif ($user===null){
echo 'print';
$this->db->getChanellData();
if ($debug) {
$debugMessage .= "Second condition executed, id: <" . $executionId . ">\n";
}
}
elseif($user!==null){
echo 'print';
if ($debug) {
$debugMessage .= "Third condition executed, id: <" . $executionId . ">\n";
}
}
else{
$this->db->getChanellData($user);
if ($debug) {
$debugMessage .= "Fourth condition executed, id: <" . $executionId . ">\n";
}
}
if ($debug) {
print $debugMessage;
}
}
You will see, that the same execution id (simulated by uniid) can not run twice
Also :
use `NULL` instead of `null`
to test if value is null use `is_null()`
Fourth condition will never run!!
Do not forget to remove the debug mess once you've finished
Related
So I'm trying to make a website, and I'm using a php file as the index (index.php) and pretty much as the page that controls the whole website.
Since it recieves all the requests and returns the pages using str_replace, it's all working as it should (as in, it's making the web template work as it should) but the problem is I can't have php code inside the files that are part of the template, only in index.php.
So my question is, is there any way to prevent str_replace from turning the php code into comments?
Index.php:
<?php
//dirs
$pagesDir = "pages/";
$templatesDir = "templates/";
$errorsDir = "errors/";
if (isset($_REQUEST['page'])) {
if ($_REQUEST['page'] != "")
if (file_exists($pagesDir . $_REQUEST['page'] . ".html"))
$page_content = file_get_contents($pagesDir . $_REQUEST['page'] . ".html");
else
if (file_exists($_REQUEST['page'] . ".html"))
$page_content = file_get_contents($_REQUEST['pages'] . ".html");
else
echo "<h1>Page:" . $_REQUEST['page'] . " does not exist! Please check the url and try again!</h1>";
} else {
$page_content = file_get_contents($pagesDir . "home.html");
}
//PLACEHOLDER REPLACEMENT
$page_content = str_replace("!!HEAD!!", file_get_contents($templatesDir . "head.html"), $page_content);
$page_content = str_replace("!!BODY!!", file_get_contents($templatesDir . "body.html"), $page_content);
$page_content = str_replace("!!FOOT!!", file_get_contents($templatesDir . "eofScripts.html"), $page_content);
//RETURN THE CONTENT OF THE PAGE
echo $page_content;
New dispatcher after changes(this one works):
<?php
$templatesDir = "templates/";
$pagesDir = "pages/";
$loggedPagesDir = "templates/logged";
$pageExists = false;
$pageContent = null;
require_once('scripts/php/db_conn.php');
if (isset($_REQUEST['page'])) {
$page = $_REQUEST['page'] . ".php";
}
if (isset($_SESSION['redirect_reason'])) {
$dialogs->alertDialog("warningDialog", $_SESSION['redirect_reason']);
unset($_SESSION['redirect_reason']);
}
if (isset($_SESSION['user_action'])) {
$dialogs->alertDialog("infoDialog", $_SESSION['user_action']);
unset($_SESSION['user_action']);
}
if ($user->is_logged()) { //Only runs beyond this point if user is logged, if not, it will run the other one.
if (isset($_POST['logout_btn'])) {
$user->logout();
$user->redirect("pageDispatcher.php");
}
if (isset($page)) {
if ($page != "") {
if (file_exists($pagesDir . $page)) {
$pageExists = true;
$pageContent = ($pagesDir . $page);
} else {
echo "<h1>Page: " . $page . "does not exist! Please check the url and try again</h1>";
}
} else {
$pageExists = true;
$pageContent = ($pagesDir . "loggedhome.php");
}
} else {
$pageExists = true;
$pageContent = ($pagesDir . "loggedhome.php");
}
} else { //Only runs beyond this point if user isn't logged.
if (isset($_POST['login_btn'])) {
if ($user->login($_POST['email'], $_POST['password']) == false) {
$dialogs->loginFailed();
} else {
$_SESSION['user_action'] = "Welcome back " . $_SESSION['user_name'];
$user->redirect("pageDispatcher.php");
}
}
if (isset($page)) {
if ($page != "") {
if (file_exists($pagesDir . $page)) {
$pageExists = true;
$pageContent = ($pagesDir . $page);
} else {
echo "<h1>Page: " . $page . " does not exist! Please check the url and try again!</h1>";
}
} else {
$pageExists = true;
$pageContent = ($pagesDir . "home.php");
}
} else {
$pageExists = true;
$pageContent = ($pagesDir . "home.php");
}
}
?>
<html>
<?php include($templatesDir . "head.html"); ?>
<body>
<?php
if ($user->is_logged()) {
include($templatesDir . "loggedBody.html");
} else {
include($templatesDir . "body.html");
}
include($pageContent);
?>
</body>
</html>
NOTE: Do not use this method unless it's for learning purposes, its bad, can turn out to be quite hard to maintain, and probably will end up being slow since I have so many server side methods of things that I can do client side.
You read the content of page and echo it! Don't do that. Use include('file.html') instead. Just for sake of explanation, (if you have to) do sth like this:
$pages=['head.html','body.html','eofScripts.html'];
$page=$_REQUEST['page'];
if(in_array($page,$pages)) include($page);
else echo "<h1>Page: $page does not exist!</h1>";
But generally this is bad programming practice. As suggested in comments before do use a template engine.
At the end of all of my scripts, I run a function closeConnection, i.e.:
closeConnection("success");
function closeConnection($note) {
if ($note === "success") { $append = "?success"; }
if ($note === "blank") { $append = "?blank"; }
mysql_close();
header("Location: index.php" . $append . "");
exit();
}
This runs smoothly.
However, I now want my closeConnection() function to take two arguments, so that I can choose a different page to redirect to. This is how it looks the second time around:
closeConnection("updated", "view");
function closeConnection($note, $header) {
$header = $header; // Not sure if needed, doesn't work with or without.
if ($note === "updated") { $append = "?updated"; }
if ($note === "blank") { $append = "?blank"; }
mysql_close();
header("Location: " . $header . ".php" . $append . "");
exit();
}
Desired result: Redirect to view.php?updated
Actual result: Redirect to .php?blank
In my experience, you are calling closeConnection("updated"); somewhere before the closeConnection("updated", "view"); and you forgot to remove it or something.
Make sure you didn't forget previous commands, and that you are in fact saving the right file.
I'm working on a little project and I've gone brain dead, so I'm hoping someone here can help me defeat my coders block.
I'm trying to create a page using php that changes its content display depending on what (if any) value is passed to the page (Locations). I have created a safelist array which I've stored the different locations. First I check any value passed against the safe list, if its a match I display one set of content.
If it doesn't match I'm running a similarity test to check if theres maybe a simple typo and can still navigate people to the page I think they wanted but this is where I'm getting stuck.
I'm hoping that someone could type
www.example.co.uk/location.php <---- to load a generic location page
www.example.co.uk/location.php?loc=Bishops-Stortford <---- to load a targeted location page
www.example.co.uk/location.php?loc=Bishop-Stortford <---- to load a targeted location page despite mispelling providing its a 90% or more match
www.example.co.uk/location.php?loc=?php echo "I hacked your site"; ?> ---- hopefully my system will disarm nasty code injection
I'll post my code below so you can see what I've got.
<?php
$loc = "";
$safelist = array("Bishops Stortford", "Braintree", "Chelmsford", "Dunmow", "Harlow", "Hertford", "Saffron Walden", "Sawbridgeworth", "Stansted", "Ware",
"Essex", "Hertfordshire");
if(isset($_GET["loc"])) {
/* Gets the value of loc if set, replaces hyphens with spaces and capitalises first letters of words converting the rest to lowercase. */
$loc = ucwords(strtolower(str_replace("-", " ", $_GET["loc"])));
}
/* Is word in safelist */
if (in_array($loc, $safelist)) {
/* Yes */
if (($loc == "Essex") or ($loc == "Hertfordshire")) {
$county = True;
} else {
$county = False;
}
if ($county == False) {
echo "\"" . $loc . "\" is not a county";
}else{
echo "\"" . $loc . "\" is a county";
}
} else {
/* No, Is string 90% similar to any entry within the safelist? */
foreach ($safelist as $safeword) {
similar_text($safeword, $loc, $percent);
echo $safeword . " " . $loc . " " . $percent . "<br />";
if ($percent >= 90) {
}
}
?>
I can't think what to do for the if ($percent >=90). I know I want to exit the loop and get the result from the first 90% or more match I find but am not 100% sure how to do this.
Also whats the best way to deal with code injection like www.example.co.uk/location.php?loc=?php echo "I hacked your site"; ?>
I think this is what you want:
foreach ($safelist as $safeword) {
similar_text($safeword, $loc, $percent);
echo $safeword . " " . $loc . " " . $percent . "<br />";
if ($percent >= 90) {
$loc = $safeword;
$county = true;
break;
}
}
As long as you don't call eval() on user input, you don't have to worry about them injecting PHP statements. When you echo something, it's sent to the browser, it's not executed again by PHP. However, you should still sanitize the output, because it might contain HTML markup, perhaps even Javascript, which could hijack the user's browser. When displaying output on the page, use htmlentities() to encode it:
echo "Greetings, " . htmlentities($first_name);
To answer the second part of your question, I use htmlentities to output data directly to the screen from input and something like this function on the data before a save to a database:
function escape_value($value)
{
if($this->real_escape_string_exists)
{
if($this->magic_quotes_active){$value = stripslashes($value);}
$value = mysql_real_escape_string($value);
}
else
{
if(!$this->magic_quotes_active){$value = addslashes($value);}
}
return $value;
}
I think I would restructure it, something like this:
$loc = "";
$safelist = array("Bishops Stortford", "Braintree", "Chelmsford", "Dunmow", "Harlow", "Hertford", "Saffron Walden", "Sawbridgeworth", "Stansted", "Ware",
"Essex", "Hertfordshire");
if(isset($_GET["loc"])) {
/* Gets the value of loc if set, replaces hyphens with spaces and capitalises first letters of words converting the rest to lowercase. */
$loc = ucwords(strtolower(str_replace("-", " ", $_GET["loc"])));
}
$good = '';
if (in_array($loc, $safelist)) {
$good = $loc;
} else {
foreach ($safelist as $safeword) {
similar_text($safeword, $loc, $percent);
echo $safeword . " " . $loc . " " . $percent . "<br />";
if ($percent >= 90) {
$good = $safeword;
}
}
}
if ( ! empty($good)){
/* Yes */
if (($good == "Essex") or ($good == "Hertfordshire")) {
$county = True;
} else {
$county = False;
}
if ($county == False) {
echo "\"" . $good . "\" is not a county";
}else{
echo "\"" . $good . "\" is a county";
}
//And whatever else you want to do with the good location...
}
Like Barmar said, since you're not doing anything with the input value except for comparing it to an array, there's no risk of an attack in that way.
Not sure what im doing wrong here, but the out come is always null. The script should output "you did not select an answer" only if no answer was selected but otherwise it should output the answer given:
I have updated the script as mentioned but still getting the empty output even when answer is given :/
Thanks for all the help so far guys, but even the below code doesnt work, it now just outputs as blank if no anwser, but if you do fill it in, it correctly echos the answer.
if (empty( $a1 )) {
echo"<li>\n<h2>1. " . $q1[0] . "</h2>\n"
. "<p>You did not select an answer</p>\n"
. "</li>\n";
}
else {
echo"<li>\n<h2>1. " . $q1[0] . "</h2>\n"
. "<p><strong>" . $q1[$a1] . ":</strong></p>\n"
. "<p>" . $r1[$a1] . "</p>\n"
. "</li>\n";
}
Completely forgot to show this part!!
// get local copies of single answers
$a1 = trim(isset($_POST['a1'])?$_POST['a1']:99);
$a3 = trim(isset($_POST['a3'])?$_POST['a3']:99);
$a4 = trim(isset($_POST['a4'])?$_POST['a4']:99);
$a5 = trim(isset($_POST['a5'])?$_POST['a5']:99);
Don't use if($a1 == null) use if(empty($a1)) or if(isset($a1))
An empty string is not null
$a1 = '';
if ($a1 == null) // is wrong
should be
$a1 = '';
if ($a1 === '')
or
if (empty($a1))
an empty is not the same as null try
if ($a === '') this respects also the type which is better for code quality
if (empty( $a1 )) {
echo"<li>\n<h2>1. " . $q1[0] . "</h2>\n"
. "<p>You did not select an answer</p>\n"
. "</li>\n";
}
else {
echo"<li>\n<h2>1. " . $q1[0] . "</h2>\n"
. "<p><strong>" . $q1[$a1] . ":</strong></p>\n"
. "<p>" . $r1[$a1] . "</p>\n"
. "</li>\n";
}
Use empty instead of null checking
'null' is not same as false or ''.'null' is an object.
In PHP, empty string ($a) & empty array ($b) will return true if you test following express:
$a = ''; $b = array();
$a == null -> TRUE $b == null -> TRUE
also,
$a == 0 -> TRUE
So you should use '===' to test, or there's always unexpected result in your code.
I'm using PHP and JavaScript, and I got a problem when deal with the confirm() function in JavaScript.
Say I have a page add.php, firstly I receive some parameters passed from another page, and I check to see if they are valid or not. If yes, I just insert the data into db and return to another page, if they are not valid, there'll be a confirm() window popped up and let the user to choose whether to continue or not. If the user still choose to continue, I want the page to be reloaded with all the parameters sent again. But the problems is that I cannot get the parameter the second time add.php is loaded.
Previously I didn't use a window.onload function and confirm() pop up, but an < a href> link instead, everything worked fine (Please see the attached code at the end). But when I tried to use the following code, the same url stopped working
echo "<script type=\"text/javascript\">";
echo "window.onload = function() {
var v = confirm(\"$name is not alive, do you want to add it into system?\");
if (v) {
window.location.href= \"add.php?type=room&name=$name&area\"
+ \"=$area&description=$description&\"
+ \"capacity=$capacity&confirm=Y\";
} else {
window.location.href= \"admin.php?area=$area\";
}
}";
echo "</script>";
Following is the previous version, instead of using window.onload(), I used < a href="..." /> link, everything worked fine at that time. get_form_var is a function in functions.inc, which is to get the parameter using $_GET arrays.
<?php
require_once "functions.inc";
// Get non-standard form variables
$name = get_form_var('name', 'string');
$description = get_form_var('description', 'string');
$capacity = get_form_var('capacity', 'string');
$type = get_form_var('type', 'string');
$confirm = get_form_var('confirm','string');
$error = '';
// First of all check that we've got an area or room name
if (!isset($name) || ($name === ''))
{
$error = "empty_name";
$returl = "admin.php?area=$area"
. (!empty($error) ? "&error=$error" : "");
header("Location: $returl");
}
// we need to do different things depending on if its a room
// or an area
elseif ($type == "area")
{
$area = mrbsAddArea($name, $error);
$returl = "admin.php?area=$area"
. (!empty($error) ? "&error=$error" : "");
header("Location: $returl");
}
elseif ($type == "room")
{
if (isset($confirm)){
$dca_osi = getOsiVersion($name);
$room = mrbsAddRoom(
$name,
$area,
$error,
$description,
$capacity,
$dca_osi,
1
);
$returl = "admin.php?area=$area"
. (!empty($error) ? "&error=$error" : "");
header("Location:$returl");
}
else {
$dca_status= pingAddress($name);
$dca_osi = getOsiVersion($name);
if( $dca_status == 0){
$room = mrbsAddRoom(
$name,
$area,
$error,
$description,
$capacity,
$dca_osi,
0
);
$returl = "admin.php?area=$area"
. (!empty($error) ? "&error=$error" : "");
header("Location:$returl");
}
else {
print_header(
$day,
$month,
$year,
$area,
isset($room) ? $room : ""
);
echo "<div id=\"del_room_confirm\">\n";
echo "<p>\n";
echo "$name is not alive, are you sure to add it into system?";
echo "\n</p>\n";
echo "<div id=\"del_room_confirm_links\">\n";
echo "<a href=\"add.php?type=room&name"
. "=$name&area=$area&description"
. "=$description&capacity=$capacity&confirm"
. "=Y\"><span id=\"del_yes\">"
. get_vocab("YES") . "!</span></a>\n";
echo "<a href=\"admin.php?area=$area\"><span id=\"del_no\">"
. get_vocab("NO") . "!</span></a>\n";
echo "</div>\n";
echo "</div>\n";
}
}
}
function pingAddress($host)
{
$pingresult = exec("/bin/ping -c 1 $host", $outcome, $status);
if ($status==0) {
return $status;
}
else {
return 1;
}
}
function getOsiVersion($host)
{
$community = 'public';
$oid = '.1.3.6.1.4.1.1139.23.1.1.2.4';
$sysdesc = exec("snmpwalk -v 2c -c $community $host $oid");
$start = strpos($sysdesc, '"');
if ($start!==false) {
$sysdesc = substr($sysdesc, $start+1,$sysdesc.length-1);
return $sysdesc;
}
else {
return "not available";
}
}
I've solved the problem, just simply by using "&" instead of " & amp;" in the url link... it works fine now...
You try location.reload() javascript call?