safe input from user. is this function ok? [duplicate] - php

This question already has answers here:
How can I sanitize user input with PHP?
(16 answers)
Closed 9 years ago.
Hi, I just reinstalled my whole server because of a virus.
In my PHP I check strings from users with this function:
function make_safe($variable)
{
    // Turn newlines into <br /> before the tag filter runs
    $variable = nl2br($variable);
    // Drop every tag not in the allow-list, trim, then escape for MySQL
    $variable = mysql_real_escape_string(trim(strip_tags($variable, '<span><p><b><strong><i><u><br><hr><a><img>')));
    return $variable;
}
Is this function safe enough?
Should I change something? Are there any problems with images that I link from external websites?

I don't see how an image you don't download onto your server could possibly damage it.
It seems safe to me.
If you still need to check for faulty code, that's probably somewhere else ;)
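As an added example, not part of the question or the answer above, the following PHP runs the filtering half of the posted make_safe() over a few constructed inputs so that what strip_tags() keeps is visible, and puts beside it a DOM-based allow-list with the same tag list that also filters attributes. The mysql_real_escape_string() call is left out because it needs a live MySQL link and no longer exists in PHP 7+; the attribute policy (href/src/alt only, http(s) URLs only), the helper names and the sample inputs are assumptions of this example, not anything from the page.

```php
<?php
// Added example; not code from the question or the answer.
// Part 1 reproduces the filtering half of the poster's make_safe() so its
// behaviour can be observed. mysql_real_escape_string() is omitted: it needs
// a live MySQL link and was removed in PHP 7.
function filter_like_make_safe(string $variable): string
{
    $variable = nl2br($variable);
    // strip_tags() drops tags that are not allow-listed, but it keeps every
    // attribute (onerror, href, style, ...) on the tags it allows, and it
    // leaves the text between tags untouched.
    return trim(strip_tags($variable, '<span><p><b><strong><i><u><br><hr><a><img>'));
}

// Part 2: a DOM-based allow-list (assumed policy, not the page's) that keeps
// the same tags but strips every attribute except href/src/alt, and accepts
// only http(s) URLs in href and src. Text is re-serialised by the DOM, so a
// stray '<' in text comes out as '&lt;'.
function sanitize_html(string $html): string
{
    $allowedTags  = ['span', 'p', 'b', 'strong', 'i', 'u', 'br', 'hr', 'a', 'img'];
    $allowedAttrs = ['a' => ['href'], 'img' => ['src', 'alt']];

    $prev = libxml_use_internal_errors(true);   // malformed input is expected
    $doc  = new DOMDocument();
    // The wrapper <div> keeps libxml from auto-wrapping loose text in <p>.
    // Anything after a stray </div> in the input lands outside it and is dropped.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    clean_children($root, $allowedTags, $allowedAttrs);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_children(DOMNode $node, array $allowedTags, array $allowedAttrs): void
{
    // Iterate over a snapshot: the live child list changes while we edit it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, $allowedTags, true)) {
                // Disallowed element: keep only its text, as strip_tags would.
                $node->replaceChild($node->ownerDocument->createTextNode($child->textContent), $child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowedAttrs[$tag] ?? [], true);
                if ($keep && ($name === 'href' || $name === 'src')) {
                    // Scheme allow-list: rejects javascript:, data:, vbscript:, ...
                    $keep = (bool) preg_match('#^https?://#i', trim($attr->value));
                }
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_children($child, $allowedTags, $allowedAttrs);
        } elseif (!$child instanceof DOMText) {
            $node->removeChild($child);         // comments, PIs, CDATA
        }
    }
}

// Constructed inputs (not taken from the page).
$inputs = [
    'script in text'  => 'hello <script>alert(1)</script> world',
    'img onerror'     => '<img src="http://example.com/a.png" onerror="alert(1)">',
    'javascript href' => '<a href="javascript:alert(1)">click</a>',
    'style attr'      => '<span style="position:fixed;top:0">x</span>',
];
foreach ($inputs as $label => $raw) {
    printf("%-16s strip_tags: %s\n", $label, filter_like_make_safe($raw));
    printf("%-16s DOM       : %s\n\n", '', sanitize_html($raw));
}
```

strip_tags() only decides which tags stay; attributes on an allowed tag pass through exactly as submitted, so with <a> and <img> on the allow-list the first function keeps the onerror= handler, the javascript: href and the style= attribute, while the DOM version removes them and keeps only the http(s) src. The escaping for MySQL in the original is a separate concern from the HTML filtering and belongs at the query (a prepared statement) rather than inside a function that also rewrites markup; the original also stops working on PHP 7+, where the mysql_ extension was removed.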

Related

unknown condition for if statement '@' [duplicate]

This question already has answers here:
Reference Guide: What does this symbol mean in PHP? (PHP Syntax)
(24 answers)
Closed 3 years ago.
My company has asked me to analyse backend code for one of the live websites that our company maintains. I have run into a problem. I can't quite figure out what '@' is doing here in this code: if(@($_SESSION['user'])){...}
I looked everywhere for what this means and haven't found anything even remotely resembling it. I hope someone on this forum can help me out. Below is the entire code snippet.
if(@($_SESSION['user']))
{
    $usrid = $_SESSION['user'];
    // $usrid is interpolated directly into the SQL string here
    $getprflimg = $db->singlerec("select img from register where
        id='$usrid'");
    $imgurlprl = $getprflimg['img'];
    // $url is not defined anywhere in this snippet
    if(file_exists($url))
        $imgurlprl = $siteurl."uploads/user_images/".$imgurlprl;
    else
        $imgurlprl = $siteurl."/uploads/user_images/no_image.png";
}
@ before the variable is used to suppress the warning generated for that variable. This is also relevant to 'At' symbol before variable name in PHP: @$_POST.
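The following is an added example, not from the question or the answer, showing what @ actually does at runtime: it lowers error_reporting() for the one expression, a custom error handler registered with set_error_handler() still runs for that expression and must check error_reporting() itself, and the isset()/?? forms avoid the notice without hiding anything. The empty $_SESSION is constructed state for the demonstration.

```php
<?php
// Added example, not part of the original page. Demonstrates the @ operator
// against the isset()/?? alternatives for the session check in the snippet.

$seen = [];
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use (&$seen): bool {
    // The handler is called even for @-suppressed code. Inside it,
    // error_reporting() is 0 (PHP < 8) or reduced to the fatal-only bits
    // (PHP 8+); a handler that wants to honour @ must check that itself.
    $seen[] = ['reporting' => error_reporting(), 'msg' => $errstr];
    return true; // handled: PHP's built-in handler does not run
});

$_SESSION = []; // constructed state: a visitor with no 'user' key

$a = @$_SESSION['user'];                  // undefined key: notice raised, then silenced
$b = $_SESSION['user'] ?? null;           // no notice: ?? tests existence first (PHP 7+)
$c = isset($_SESSION['user']) ? $_SESSION['user'] : null; // same thing, older PHP

restore_error_handler();

var_dump($a, $b, $c);
foreach ($seen as $e) {
    printf("handler ran for: %s (error_reporting() was %d)\n", $e['msg'], $e['reporting']);
}
```

Only the first lookup reaches the handler; the ?? and isset() forms raise nothing, so there is nothing to suppress. Note also that the @ in the snippet covers only the session lookup: the later file_exists($url) on an undefined $url is outside it and still warns.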

can I create a function without brackets? [duplicate]

This question already has answers here:
Can I create a PHP function that I can call without parentheses?
(6 answers)
Closed 6 years ago.
All PHP functions need () at the end. However, exit doesn't need that.
Can I create a function manually which I can later execute without ()?
Even more so, if I have full access to the PHP installation?
P.S. Please don't give me answers like "exit is not a function" etc. (my question is not whether "exit" is a function or not). I want to know HOW TO ACHIEVE something like that.
No, you can't. You would have to edit the base of the PHP language to accomplish this.
exit, echo, print, etc. are not functions.

Why my $_POST is empty? [duplicate]

This question already has answers here:
What is the difference between POST and GET? [duplicate]
(7 answers)
Closed 7 years ago.
I have no time and am too tired to struggle with this, so I decided to ask here: I've created the file my.php which contains only:
<?php var_dump( $_POST ); ?>
And then I open the file in the browser like this:
www.domain.com/my.php?post1=hey&post2=ho&post3=letsgo
And in the browser I get array(0) { } as the response.
Question: What could I possibly have done wrong?
Thanks!
Parameters in the URL are GET parameters, not POST.
echo $_GET['post1']; // hey
echo $_GET['post2']; // ho
echo $_GET['post3']; // letsgo
You can't pass POST variables through the URL.
You are using the GET method.

What does prepending '&' to a function name mean in PHP? [duplicate]

This question already has answers here:
What does it mean to start a PHP function with an ampersand?
(3 answers)
Closed 7 years ago.
I'm using a CMS package written in PHP. In one of its core files I saw the following line, which defines a function in a class body.
public static function &getLib($sClass, $aParams = array()) {
// Code
}
I didn't understand why the function name 'getLib' has been prefixed with the ampersand (&) sign. I've never seen such a thing before.
Can someone please explain to me in detail why this has been done and what benefit it has over simply using the function name?
It means the function should return a reference to a variable rather than just the value itself.
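An added example, not the CMS's own getLib(), that makes the difference observable: a static registry exposed once by value and once through a function declared with &. The Registry class, its contents and the method names are assumptions of this example.

```php
<?php
// Added example, not taken from the CMS the question refers to.
// Contrasts a by-value return with a by-reference (&) return from a
// static registry, which is the usual reason for the &getLib() shape.

class Registry
{
    private static array $libs = ['config' => ['debug' => false]];

    // Returns a copy: the caller's changes never reach the registry.
    public static function getLibByValue(string $name): array
    {
        return self::$libs[$name];
    }

    // Declared with &: returns a reference to the registry slot itself.
    // The caller must also bind with =& to keep the reference; a plain = copies.
    public static function &getLib(string $name): array
    {
        if (!isset(self::$libs[$name])) {
            self::$libs[$name] = [];   // creating the slot on demand is possible
        }                              // because the caller gets the slot, not a copy
        return self::$libs[$name];
    }

    public static function dump(): array
    {
        return self::$libs;
    }
}

$copy = Registry::getLibByValue('config');
$copy['debug'] = true;                 // registry unchanged

$ref = &Registry::getLib('config');
$ref['debug'] = true;                  // registry changed through the reference

$plain = Registry::getLib('config');   // no =&, so $plain is a copy
$plain['debug'] = false;               // registry keeps the value set via $ref

var_dump(Registry::dump());
```

The & on the declaration is only half of the contract: the call site has to bind with =& as well, otherwise PHP dereferences the result and the caller works on a copy, exactly as with the by-value method.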

PHP adds \ to JSON [duplicate]

This question already has answers here:
"slash before every quote" problem [duplicate]
(6 answers)
Closed 9 years ago.
My shared web hosting adds \ to JSON. I use ExtJS and it normally sends this data:
[{"property":"id","direction":"ASC"}]
However, PHP receives it or changes it to [{\"property\":\"id\",\"direction\":\"ASC\"}]
Thus I cannot use json_decode($_REQUEST['sort']).
I think this is because they wanted to prevent SQL injection, but now they break my application. What do I have to do?
Edit:
$sort = json_decode($_GET['sort']);
print_r($_GET); // [sort] => [{\"property\":\"id\",\"direction\":\"ASC\"}]
print_r($sort); //
Please check if your vHost has magic quotes enabled.
Someone over here proposed this to get the unchanged values:
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Recursively undo the slashes magic_quotes_gpc added to request data.
    // (get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists guard.)
    function strip_array($var) {
        return ( is_array($var)
            ? array_map("strip_array", $var)
            : stripslashes($var)
        );
    }
    $_POST    = strip_array($_POST);
    $_SESSION = strip_array($_SESSION);
    $_GET     = strip_array($_GET);
    $_COOKIE  = strip_array($_COOKIE); // magic_quotes_gpc also applies to cookies
}
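As an added example that is not part of the answer, the following reproduces the failure described in the question (json_decode() on a magic-quoted string) and wraps the answer's stripslashes() approach in a function that only strips when the runtime really added the slashes. The function names and the flag parameter are assumptions; the sample strings are the one the question shows and its unescaped form.

```php
<?php
// Added example, not code from the original answer. Shows why the
// magic-quoted string fails json_decode() and a stripper that is applied
// only when magic quotes are actually on, so the same code is correct on
// hosts where they are off and on PHP versions where the setting is gone.

function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

function decode_sort_param(string $raw, bool $magicQuotesOn): ?array
{
    // Strip only when the runtime added the slashes: stripping unconditionally
    // corrupts legitimate backslashes (Windows paths, regexes, escaped JSON).
    if ($magicQuotesOn) {
        $raw = undo_magic_quotes($raw);
    }
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed input: what ExtJS sent, and what magic_quotes_gpc turned it into
// (single-quoted PHP string, so the backslashes are literal).
$sent    = '[{"property":"id","direction":"ASC"}]';
$mangled = '[{\"property\":\"id\",\"direction\":\"ASC\"}]';

var_dump(decode_sort_param($mangled, false)); // slashes left in: not valid JSON
var_dump(decode_sort_param($mangled, true));  // slashes removed first
var_dump(decode_sort_param($sent, false));    // host without magic quotes

// Detecting the setting at runtime: get_magic_quotes_gpc() was deprecated in
// PHP 5.4 and removed in PHP 8.0, so guard the call.
$magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
var_dump($magicOn);
```

The first call returns null because \" is not a valid escape inside JSON; the second decodes to the property/direction array once the slashes are stripped. Where you control the configuration, turning magic_quotes_gpc off (magic_quotes_gpc = Off in php.ini, or php_flag magic_quotes_gpc Off in .htaccess under mod_php) is preferable to undoing it in code, and it does nothing for SQL injection anyway; that is what prepared statements are for.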
