Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
If I have a query string such as: http://mywebsite.co.uk/charge.php?val=5768
how can I validate this query string to throw an error with php if the user changes the value of the 'val' in the query string. Could I write some code on the charge.php page to do this?
It seems to me you're barking up the wrong tree. You cannot detect if someone "changes" something. All you get is a request for a URL, and that's it. You typically have no idea where that request came from or who provided the URL; you need to evaluate the request on its own merits.
I'm guessing you have some confidential action that's taking place when someone visits that URL. And the value changes some important part of that action. Then you need to create server-side checks and bounds that confirm whether the user is currently allowed to do whatever he requests to do there. You need to have enough information stored on the server to be able to confirm whether the action the user is about to make is allowed or not. You cannot simply trust the information in the URL, because anyone can tamper with it.
How to do this specifically in your case is not clear, since I have no concrete idea what's supposed to be happening there.
You can check if the val is an integer and if the val exists in the database. I use a function like following to check integer:
// CHECK IF VALID INTEGER
function valid_integer($str)
{
if (strlen($str) == strlen(preg_replace('#[^0-9]#i', '', $str) + 0) AND $str > 0 AND $str < 9999999999999)
{
return true;
}
}
so then I can check the val like following
if (valid_integer($_GET['val']))
{
echo 'valid int';
}
else
{
echo 'not valid int';
}
Then you have to check if the val exist in the database. If you use a db.
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I need to access the input value of a dynamic variable based on another input field.
Sample code:
$upid=$_GET['upid'];
$check_box_name='c'.$upid;
echo $upid;
$check=$_GET[$check_box_name];
any idea how do i access it??...Please help
The code you entered should work, but, it is vulnerable to errors, as you are dealing with a user input, you should either do a validation or a failover value.
If you are using PHP5.3+, you can easily do this as follows:
if ($check = #$_GET['c' . (#$_GET['upid'])]? : false !== false) {
//do something with $check
} else {
//failed
}
The # sign is used to omit any error or exception from being thrown. Also, it maybe a good thing to escape the $check variable for more security.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
In php, how do I check if a variable is a string or digit?
I'm doing a count() using mysql, and wanted to know if the output is a string or a digit.
I know about is_numeric() and other functions in php, but is there something, if supplied a value will echo if the value is a digit or string?
Just try with gettype function.
gettype('foo'); // string
gettype(1.23); // double
gettype(155); // integer
The problem is if you use a framework or a data abstraction layer, and this treat the output of the database, customarily data type is lost along the way and everything becomes string.
is_numeric is the most indicated in this cases!!!
Short answer:
Use:
echo $gettype($YourValueFromDB);
and in your situation it will output:
string
OR
if(is_int($YourValueFromDB))
{
echo 'we have an integer type!';
}
elseif(is_string($YourValueFromDB))
{
echo 'we have a string type!';
}
else
{
echo 'Not sure: '.gettype($YourValueFromDB);
}
Long answer:
MySQL produces a number value with this query:
select count(*) as total from table
// can range from 0 - infinity (or exhausted memory limit, whichever comes first)
// for this post, pretend this count() returns a 9
When this data is passed back to PHP it is automatically converted into a string due to PHP's extremely relaxed type-casting.
Running this:
var_dump($row);
would produce something like this:
array
'total' => string '9' (length=1)
indicating that you are working with a literal string but it's value is a number so things like if($row['total'] > 1){ } would go inside the curly braces without a problem.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
if(preg_match('/^[0-9]{1,2}\-[0-9]{1,2}\-[0-9]{4}$/', '10-30-2013')){
echo 'true';
}
else {
echo 'false';
}
This not give me true. I think I'm wrong with regex. please tell how to correct this regex
I suggest not using regex at all for this -- date validation with regex is a surprisingly difficult thing to get right, due to the variations possible in the number of days in any given month.
Far better to simply use PHP's DateTime class to actually parse it into a date object. This will also validate it; if it doesn't meet the specified format, then it won't parse.
$dateObj = DateTime::CreateFromFormat('m-d-Y',$inputString);
See PHP manual page for CreateFromFormat().
You should use dedicate functions to parse date ie.:
if (strptime ('10-30-2013' , 'm-d-Y') !== false) {
echo 'true'.PHP_EOL;
} else {
echo 'true'.PHP_EOL;
}
Actually as the others confirmed, your regex works fine and returns true.
But as you made your code shrunken, I think the input string you're trying to show us isn't exactly just a date and it's within a string or maybe has trailing spaces!
So using ^ and $ at your regex will result in failure.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
I was just wondering if it was possible to add random characters to the variable I am passing to the second page. I want this because if the user changes the value in the url, then the system is gonna mess up because I am inserting data to database based on the message id. I can't use session because the first session is overriding the others.
If I have something like view_inbox.php?messageid=2 then the user can change it to something view_inbox.php?message=4.
So is it possible to have some random characters like
view_inbox.php?messageid=GXLSsd2sdcds? The id is coming from database.
echo"<a href='view_inbox.php?messageid=".$row['id']."'>".$row['from_user']."</a>";
view_inbox.php
$id = $_GET['messageid'];
There are a couple of approaches.
You should be checking security rules on which rows/entities the user is allowed to access. Put these rules in a common procedure/function in your code, so you can check them consistently.
You can also "obfuscate" or encrypt the ID, in a way the server can reverse but is not easy/obvious for the client. Operations could include multiplying by a prime number (say 23) modulo 2^32, XOR by a constant, outputting it in base-64, perhaps with a lowercase 'x' in front.
For the second approach:
function encodeKey ($key) {
$multiplied = $key * 23;
$packed = pack( "N", $multiplied);
$base64 = base64_encode( $packed);
return $base64;
}
function decodeKey ($text) {
$packed = base64_decode( $text);
// then unpack, divide etc.
return $key;
}
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
Improve this question
i have javascript function and it returns a sum variable. But i couldnt reach it from php code.
my function is :
function add()
{
var sum = 0; // sum initially equals to zero.
var newNumber = 0; // Since textfields are initially text format, I convert them into integer and equalled to newNumber variable.
if(document.RodeoForm.checkbox.checked == true) // If checkbox changed to true,
{
for(var i=0;i<<?php echo $_SESSION['us']; ?>;i++) // Since we have 3 numbers, loop will work 3 times.
{
newNumber = parseInt(document.getElementById("fiyat"+i).value); // Take the number from field and convert it into an integer.
sum += newNumber; // Add the numbers into each other.
}
}
document.RodeoForm.tf.value = sum; // Print the sum onto the screen.
}
JavaScript runs on client side, whereas PHP runs on server side. They can't communicate directly with each other.
Once the page is rendered (and sent to the user), all PHP code was executed and is no longer visible in the source. The JavaScript however is sent along with the HTML and will be executed in the browser of the client. If you want PHP to be aware of a value generated by JavaScript, you have to manually send the data using AJAX.
You can only reach PHP from JavaScript using AJAX. Google how to do AJAX calls from Javascript.
Make sure you have session_start(); to the beginning of that php file, or in the php file which includes that code.
You can add PHP into Javascript but not the other way around because PHP is server side, so it can echo information into client slide.
Depending on what you're using this for , you can use AJAX to send the information to a PHP page.