Can't get the value from URL using PHP - php

Hi everyone,
I have a problem, so please help me, because I am new to PHP. I want to get a value from the URL, but the result is "Undefined index".
This is the URL: http://4you4me.com/admin/index_edit_form.php?edit=76
PHP code:
if(isset($_REQUEST['edit']) === TRUE && ! empty($_REQUEST['edit']))
$con_id_update = mysql_real_escape_string((int)$_REQUEST['edit']);
print_r($con_id_update);
The result is "Undefined variable: con_id_update".
What is wrong with this script? Thanks for your answer.

Try this:
$con_id_update = ''; // initialize so the variable exists even when 'edit' is absent
if(isset($_GET['edit']) && !empty($_GET['edit']))
$con_id_update = (int)$_GET['edit'];
print_r($con_id_update);
You shouldn't use $_REQUEST.
Also, you should use mysqli instead of mysql. Since you cast the value to an int, you don't need to use mysql_real_escape_string.
mysql_real_escape_string (mysqli_real_escape_string) tends to work only when there is already an open connection.

It looks like you're missing the curly braces:
if(isset($_REQUEST['edit']) === TRUE && ! empty($_REQUEST['edit'])) {
$con_id_update = mysql_real_escape_string((int)$_REQUEST['edit']);
print_r($con_id_update);
}
If you don't wrap the curly braces around the entire statement, only the line directly after the if statement is conditional; the print_r runs regardless, which is why you see the undefined-variable notice.

You should get the value from the URL using $_GET instead of $_REQUEST if you know exactly where it comes from. Good luck!
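Pulling the answers above together, here is an added example (not code from the question or from any of the answers) that reads the `edit` parameter from $_GET only, validates it as a positive integer instead of relying on an (int) cast, and binds it in a mysqli prepared statement so no escaping function is needed. The table and column names (`contacts`, `id`, `name`), the connection credentials and the sample query arrays are assumptions made for the illustration.

```php
<?php
// Added example: validate an id from the query string and use it in a
// prepared statement. Table/column names and credentials are assumptions.
declare(strict_types=1);

/**
 * Return the validated id from a query array, or null if absent/invalid.
 * FILTER_VALIDATE_INT rejects "76abc", "", "1e3" and values below 1,
 * whereas (int)"76abc" silently becomes 76 and (int)"abc" becomes 0.
 */
function editIdFrom(array $query): ?int
{
    if (!array_key_exists('edit', $query) || is_array($query['edit'])) {
        return null; // missing, or ?edit[]=1 style array input
    }
    $id = filter_var($query['edit'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/** Fetch one row by id with a bound integer parameter (needs mysqlnd for get_result). */
function loadRow(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM contacts WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' = integer placeholder, never interpolated
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs standing in for $_GET on several different requests.
$samples = [
    ['edit' => '76'],      // valid
    ['edit' => '76abc'],   // rejected; an (int) cast would have given 76
    ['edit' => '0'],       // rejected by min_range
    ['edit' => ''],        // rejected
    ['edit' => ['1']],     // rejected: array input would break a cast
    [],                    // parameter missing entirely
];
foreach ($samples as $query) {
    echo json_encode($query), ' => ', var_export(editIdFrom($query), true), PHP_EOL;
}

// The real request path, with braces around the whole conditional branch.
if (PHP_SAPI !== 'cli') {
    $id = editIdFrom($_GET);
    if ($id !== null) {
        $db  = new mysqli('localhost', 'user', 'password', 'app'); // assumed credentials
        $row = loadRow($db, $id);
        echo $row ? htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') : 'not found';
    } else {
        http_response_code(400);
        echo 'missing or invalid edit id';
    }
}
```

Run it from the command line to see which of the constructed inputs survive validation; the database branch only runs under a web SAPI. The point the answers make about escaping applies here too: because the id is bound as an integer, mysqli_real_escape_string has nothing to do, and the open-connection requirement the last answer mentions never comes up.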

Related

Should you use htmlspecialchars() before isset() and empty(), or after?

I was wondering what the correct procedure is when it comes to security and practicality. Should you use htmlspecialchars() on a variable before you check whether it's set and empty?
Examples:
Use htmlspecialchars() on use or storage of the POST data:
$field = $_POST['field'];
if(isset($field)){
//store or use: htmlspecialchars($field);
}
Or should you use htmlspecialchars() on retrieval of the POST data:
$field = htmlspecialchars($_POST['field']);
if(isset($field)){
//store or use: $field
}
This is probably a silly question, but I wanted to know which is correct.
Well, think about it this way. Why do we use isset in the first place? The answer is to protect our code from trying to do things with something that doesn't exist.
For example, using php -a in your console, you can see:
php > $temp
php > echo htmlspecialchars($temp);
Parse error: parse error in php shell code on line 2
php >
Clearly you don't want your code throwing parse errors. So, you need to check that the value exists first (using isset), then do things with that value.
You should use both isset and empty if you want to make your condition fully secure, because isset checks whether the variable is defined and empty checks whether the variable's value is empty.
So you should write your if condition like this:
$field = $_POST['field'];
if(isset($field) && !empty($field)){
//store or use: htmlspecialchars($field);
}
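As an added example (not code from the question or the answers), the following script puts the pieces in the order the answers argue for: check the array key first, validate, keep the raw value for storage, and call htmlspecialchars() only at the point where the value is written into HTML. The field name and the request body are constructed so the script runs from the command line without a web server.

```php
<?php
// Added example: where isset/empty and htmlspecialchars() belong.
// $_POST is replaced by a constructed array so this runs from the CLI.
declare(strict_types=1);

/** Read a required, non-empty string field; null if missing, empty or an array. */
function postField(array $post, string $name): ?string
{
    // Testing isset($post[$name]) avoids the "Undefined array key" warning
    // that `$field = $post['field']` raises when the key is absent.
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $value = trim($post[$name]);
    return $value === '' ? null : $value;
}

/** Escape for an HTML text or attribute context, at output time only. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$post = ['field' => '<b>Tom & "Jerry"</b>'];   // constructed request body

$field = postField($post, 'field');
if ($field === null) {
    echo 'field is required', PHP_EOL;
    exit(1);
}

// Store or use the raw value (bound into a prepared statement, written to JSON, ...).
$stored = $field;

// Render for HTML: escape here, once, for this context.
echo '<input name="field" value="', h($stored), '">', PHP_EOL;

// What goes wrong if you escape before storing and escape again on output:
// the entities produced by the first pass are escaped a second time.
$escapedEarly = h($field);
echo h($escapedEarly), PHP_EOL;

// And in a non-HTML context the pre-escaped value is simply wrong.
echo json_encode(['field' => $escapedEarly]), PHP_EOL;
```

The first echo shows the value escaped exactly once; the second shows the `&amp;`-style double escaping you get when the stored copy was already escaped; the third shows why escaping for HTML at storage time corrupts every other consumer of the data.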

PHP: Is it bad practice to use an unset variable?

For example, if I want to use the code:
$foo = $_POST['foo']. $_GET['foo'];
to get a value whether passed by POST or GET, is this acceptable or bad practice?
I don't see anything in your code that needs to be unset, though you can use $_REQUEST['foo'], as that will consider $_POST as well as $_GET. But again, your code will be dirty: say, for example, I tweak the method value of a login form; users can easily attack your website...
So be wise: use $_GET[] and $_POST[] instead of the loose $_REQUEST[].
If for any reason you are using $_REQUEST, then make sure you use conditions to check whether the request is GET or POST using $_SERVER['REQUEST_METHOD']:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//Do something
}
I would go with:
$foo = isset($_REQUEST['foo']) ? $_REQUEST['foo'] : null;
More at: http://php.net/manual/pt_BR/reserved.variables.request.php
To get the value whether passed by POST or GET, use this:
$foo = $_REQUEST['foo'];
If you configure your development server's PHP to show all warnings, you will find out.
Why are you using the . operator? If I am not wrong, this would concatenate the results. As suggested above, using $_REQUEST would be the better approach.
Yes, it's terrible. There are two problems:
It will raise a warning
Concatenation is not suited for this use case
If you want to get a key from either $_POST, or $_GET, and you don't care which one the key is present in, you can use the $_REQUEST superglobal with the following idiom:
$var = isset($_REQUEST['foo']) ? $_REQUEST['foo'] : null;
$_REQUEST is the union of $_GET and $_POST.
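The answers above disagree on whether $_REQUEST is acceptable. As an added example (not code from any of the answers), the script below shows the two readings side by side: a reader that only honours a parameter on the request method the form is meant to use, and the "either source" idiom with an explicit precedence instead of the concatenation from the question. The request arrays and method are constructed so it runs from the command line.

```php
<?php
// Added example: reading parameters with the request method in mind.
// $_SERVER, $_GET and $_POST are replaced by constructed arrays.
declare(strict_types=1);

/**
 * Return a POST field only when the request really is a POST.
 * A GET link carrying user=...&pass=... in the URL gets null here,
 * which is the difference to $_REQUEST that the first answer warns about.
 */
function postOnly(array $server, array $post, string $name): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return null;
    }
    $value = $post[$name] ?? null;               // no warning when missing
    return is_string($value) ? $value : null;    // reject ?name[]=x arrays
}

/** The "either source" idiom from the later answers, with explicit precedence. */
function paramEither(array $get, array $post, string $name): ?string
{
    // $_POST wins when both carry the key. `$_POST['foo'] . $_GET['foo']`
    // would instead concatenate both values and warn about the missing one.
    $value = $post[$name] ?? $get[$name] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed requests: each entry is [$_SERVER, $_GET, $_POST].
$cases = [
    'GET link with credentials in the URL' => [
        ['REQUEST_METHOD' => 'GET'], ['user' => 'admin', 'pass' => 'guess'], []],
    'POSTed login form' => [
        ['REQUEST_METHOD' => 'POST'], [], ['user' => 'admin', 'pass' => 'guess']],
    'POST with the same key also in the URL' => [
        ['REQUEST_METHOD' => 'POST'], ['user' => 'attacker'], ['user' => 'admin']],
    'POST with an array where a string is expected' => [
        ['REQUEST_METHOD' => 'POST'], [], ['user' => ['admin']]],
];

foreach ($cases as $label => [$server, $get, $post]) {
    printf("%s:\n  postOnly(user)    = %s\n  paramEither(user) = %s\n",
        $label,
        var_export(postOnly($server, $post, 'user'), true),
        var_export(paramEither($get, $post, 'user'), true));
}
```

For a form that must not be triggered by a link (a login, anything that changes state), use the first reader; the second is only appropriate when it genuinely does not matter which way the value arrived.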

Combining strings and numbers in PHP for loop

PHP newbie here
Can anyone please tell me what is wrong with the below syntax. I have a maximum of 4 files - $created_page1, $created_page2 each with a corresponding page title etc and would like to process these in a loop. However PHP throws a wobbly every time I try to concatenate the string and loop number - specifically $created_page.$num_pages doesn't result in sending $created_page1 or $created_page2 to the function, instead it just converts the string and number to an integer. Very basic I am sure but I would be very grateful for any help or a nicer solution that I can easily understand. Thanks in advance!
$addit_pages == 4;
for ($num_pages=1;$num_pages<=$addit_pages ;$num_pages++) {
replaceFileContent ($dir,$created_page.$num_pages,"*page_title*",$page_title.$num_pages);
//replaceFileContent ($dir,$created_page2,"*page_title*",$page_title2);
//replaceFileContent ($dir,$created_page1,"*page_title*",$page_title3);
//replaceFileContent ($dir,$created_page3,"*page_title*",$page_title4);
}
Your code to get the variable name should be:
${'created_page'.$num_pages}
This is because you have to evaluate the string inside the braces before you attempt to access the variable.
Your previous code was trying to access the variables $created_page and $num_pages, and simply concatenate their values into a string.
Of course, the same goes for the page_title variable:
${'page_title'.$num_pages}
You could try this:
$addit_pages = 4; // single '=' for assignment; '==' only compares
for ($num_pages=1;$num_pages<=$addit_pages ;$num_pages++) {
replaceFileContent ($dir,$created_page.strval($num_pages),"*page_title*",$page_title.strval($num_pages));
//replaceFileContent ($dir,$created_page2,"*page_title*",$page_title2);
//replaceFileContent ($dir,$created_page1,"*page_title*",$page_title3);
//replaceFileContent ($dir,$created_page3,"*page_title*",$page_title4);
}
The PHP strval function turns any integer into a string.
I think what you are asking is that you want the variables $created_page1, $created_page2, $created_page3, but PHP is probably throwing a notice that $created_page doesn't exist.
You need to use variable variables (is that what they're called?):
$addit_pages = 4; // single '=' for assignment; '==' only compares
for ($num_pages=1;$num_pages<=$addit_pages ;$num_pages++) {
$createdVar = 'created_page'.$num_pages;
$titleVar = 'page_title'.$num_pages;
replaceFileContent ($dir,$$createdVar,"*page_title*",$$titleVar);
}
When you use $$, this first evaluates the variable $createdVar, turns that into created_page1, and then evaluates created_page1 as if you had typed $created_page1.
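The following is an added example, not the asker's or the answerers' code. The page never shows replaceFileContent(), so a minimal version that does a str_replace on a file is assumed here, and the pages are written to a temporary directory so the script is self-contained. It runs the loop with variable variables as the answers describe, then again with an array, which is what numbered variables usually want to be.

```php
<?php
// Added example: numbered variables via variable variables, then via an array.
// replaceFileContent() is an assumed stand-in; file names/titles are constructed.
declare(strict_types=1);

/** Assumed stand-in for the page's replaceFileContent(): replace text inside one file. */
function replaceFileContent(string $dir, string $file, string $needle, string $replacement): void
{
    $path = $dir . DIRECTORY_SEPARATOR . $file;
    file_put_contents($path, str_replace($needle, $replacement, (string) file_get_contents($path)));
}

/** (Re)create the page files with the placeholder still in them. */
function seed(string $dir, array $files): void
{
    foreach ($files as $file) {
        file_put_contents($dir . DIRECTORY_SEPARATOR . $file, "<title>*page_title*</title>\n");
    }
}

$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);

// The numbered variables from the question (constructed values).
$addit_pages   = 4;                       // one '=': '==' is a comparison
$created_page1 = 'page1.html'; $page_title1 = 'Home';
$created_page2 = 'page2.html'; $page_title2 = 'About';
$created_page3 = 'page3.html'; $page_title3 = 'Blog';
$created_page4 = 'page4.html'; $page_title4 = 'Contact';
$files = [$created_page1, $created_page2, $created_page3, $created_page4];

// 1) Variable variables, as the answers suggest. The expression inside the
//    braces is evaluated first and the result is used as the variable name.
seed($dir, $files);
for ($n = 1; $n <= $addit_pages; $n++) {
    replaceFileContent($dir, ${'created_page' . $n}, '*page_title*', ${'page_title' . $n});
}
foreach ($files as $file) {
    echo "variable variables: $file -> ", file_get_contents("$dir/$file");
}

// 2) The same job with an array. No variable name is built from data, so a
//    request parameter can never choose which variable is read or written
//    (with $$name, $name = 'dir' would point at a completely different variable).
$pages = [
    'page1.html' => 'Home', 'page2.html' => 'About',
    'page3.html' => 'Blog', 'page4.html' => 'Contact',
];
seed($dir, array_keys($pages));
foreach ($pages as $file => $title) {
    replaceFileContent($dir, $file, '*page_title*', $title);
}
foreach (array_keys($pages) as $file) {
    echo "array: $file -> ", file_get_contents("$dir/$file");
    unlink("$dir/$file");
}
rmdir($dir);
```

Both loops produce the same files. Prefer the array form in new code: it needs no variable-variable syntax, and it rules out the class of bug where a name assembled from untrusted input ends up overwriting a variable you did not mean to touch.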

PHP $_GET verification

Might be a silly question, nonetheless:
I'm playing around with the following code:
$a='a';
if ($_GET['a'] == $a)
echo 'true';
else
echo 'false';
Now, is there any way to send data to break the verification? Obviously the way it could be done with an SQL injection won't work here.
Just wondering how secure this way of validation is.
Thanks in advance.
EDIT:
My question was: is there anything that can be passed through $_GET that could 'break' the comparison and always output 'true'?
If you are looking to validate that $_GET['a'] really does in fact equal "a" and nothing else, then yes, that's the code.
However, if you're expecting "a" and only "a" it probably shouldn't be a user input.
Validation (or sanitization) means taking whatever string they might throw at you and making sure it's valid for whatever purpose you want it for. If it's sent to the database, pass it through mysql_escape_string() or use prepared statements. If it's to be displayed as HTML, make sure there aren't any harmful tags by using htmlentities() or strip_tags().
Your verification isn't very good for anything else other than saying the user has inputted "a". But yes, nothing other than "a" would be able to get through.
Well, if you knew exactly what was coming in, you could compare without type coercion and check for an empty parameter:
$a = 'a';
if( !empty( $_GET['a'] ) && $_GET['a'] === $a )
{
//do more validation using your data model
}
else
{
//output error msg
}
You could use prepared statements from the mysqli extension; this already prevents every possible injection.
If you don't want to use those, mysql and mysqli also have "real_escape_string" methods which you can use in your query when inserting user input.
Example
$sql = "SELECT `name` FROM `example` WHERE `id` = '".mysql_real_escape_string($YOURVAR)."'";
real_escape_string method from the standard mysql extension
mysqli real_escape_string
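The answers above agree that nothing gets past `== 'a'`, but the question generalises: the same loose comparison against a numeric token behaves differently. As an added example (not code from the question or the answers), the script below runs the strict check recommended in the second answer next to the loose check from the question over a set of constructed $_GET arrays, so you can see exactly which inputs the two checks disagree on. $_GET is replaced by constructed arrays so it runs from the command line.

```php
<?php
// Added example: strict vs. loose comparison of a $_GET value.
// The $_GET arrays below are constructed, not taken from a live request.
declare(strict_types=1);

/** Exact-match check: the value must be a string identical to $expected. */
function matchesExactly(array $get, string $key, string $expected): bool
{
    return isset($get[$key]) && is_string($get[$key]) && $get[$key] === $expected;
}

/** The question's loose version, kept on purpose for comparison. */
function matchesLoosely(array $get, string $key, string $expected): bool
{
    return isset($get[$key]) && $get[$key] == $expected;
}

/** Run both checks over a set of constructed query arrays and print a table. */
function compare(string $expected, array $inputs): void
{
    printf("expected %s\n%-10s %-10s %-7s %s\n", var_export($expected, true),
        'input', 'value', 'loose', 'strict');
    foreach ($inputs as $label => $get) {
        printf("%-10s %-10s %-7s %s\n", $label,
            isset($get['a']) ? json_encode($get['a']) : '(none)',
            var_export(matchesLoosely($get, 'a', $expected), true),
            var_export(matchesExactly($get, 'a', $expected), true));
    }
    echo PHP_EOL;
}

// The case from the question: a non-numeric token. Both checks agree.
compare('a', [
    'exact'   => ['a' => 'a'],
    'case'    => ['a' => 'A'],
    'array'   => ['a' => ['a']],   // ?a[]=a ; fine for ==, fatal for htmlspecialchars()
    'missing' => [],
]);

// A numeric token: PHP compares two numeric strings as numbers under ==,
// so several different strings pass the loose check but not the strict one.
compare('10', [
    'exact'   => ['a' => '10'],
    'leading0'=> ['a' => '010'],
    'sci'     => ['a' => '1e1'],
    'decimal' => ['a' => '10.0'],
    'space'   => ['a' => ' 10'],
    'hex'     => ['a' => '0x0A'],  // not a numeric string, so == also rejects it
]);
```

The strict function is the one to keep: it refuses arrays (which `?a[]=a` produces and which many later calls such as htmlspecialchars() cannot accept) and it treats every byte as significant, so `010`, `1e1` and ` 10` no longer count as `10`.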

PHP Detect if any URL variables have been set

Hey guys, it's kind of hard to explain, but basically I want to detect whether any variables have been set through the URL. So with my IF statement all of the following should return true:
http://domain.com/index.php?m=100
http://domain.com/index.php?q=harhar
http://domain.com/index.php?variable=poo&crazy=yes
and all of the following should return false:
http://domain.com/index.php
http://domain.com/test.php
http://domain.com/no_variables.php
Any ideas?
I would test for QUERY_STRING:
if (!empty($_SERVER["QUERY_STRING"]))
should in effect be no different from checking $_GET, though - either way is fine.
if( !empty( $_GET ) ) {
//GET variables have been set
}
(count($_GET) > 0)
If you want to do it with the exception of (a) variable(s), use this if statement before it checks it:
if (!isset($_GET['getvariable'])) {
if (!empty($_SERVER["QUERY_STRING"])) {
echo "do something";
}
}
If you mean taking a string and checking if it has a query string, you can use parse_url.
If you mean checking if the current request has a query string, you can just check the length of $_SERVER['QUERY_STRING'].
If you mean to get a count of the number of variables parsed from the query string, you can do count($_GET);
isset($_GET['m'])
Or, if anything, I believe count($_GET) might work.
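One answer above says the QUERY_STRING and $_GET checks are "in effect no different". They almost are, and the added example below (not code from the question or the answers) shows the inputs where they part ways, using one helper for each of the three readings of the question. The URLs are the ones from the question plus a few constructed edge cases, so the script runs offline.

```php
<?php
// Added example: three ways to detect "any URL variables set", and the
// query strings on which they disagree. URLs are constructed inline.
declare(strict_types=1);

/** The $_SERVER['QUERY_STRING'] check: anything after the '?' at all. */
function hasRawQuery(string $queryString): bool
{
    return $queryString !== '';
}

/** The $_GET check: at least one parsed parameter, optionally ignoring some keys. */
function hasParsedParams(string $queryString, array $ignore = []): bool
{
    parse_str($queryString, $params);   // the same parsing PHP applies to build $_GET
    return count(array_diff_key($params, array_flip($ignore))) > 0;
}

/** For a URL held in a string rather than the current request. */
function urlHasQuery(string $url): bool
{
    $q = parse_url($url, PHP_URL_QUERY);
    return is_string($q) && $q !== '';
}

$urls = [
    'http://domain.com/index.php?m=100',
    'http://domain.com/index.php?q=harhar',
    'http://domain.com/index.php?variable=poo&crazy=yes',
    'http://domain.com/index.php',
    'http://domain.com/test.php',
    'http://domain.com/index.php?',        // '?' with nothing after it
    'http://domain.com/index.php?&&',      // raw string non-empty, no parameters
    'http://domain.com/index.php?m',       // a key with an empty value is a parameter
    'http://domain.com/index.php?page=2',  // only an ignored key
];

printf("%-50s %-5s %-7s %-7s %s\n", 'url', 'url', 'raw', 'parsed', 'parsed (ignore page)');
foreach ($urls as $url) {
    $qs = (string) parse_url($url, PHP_URL_QUERY);   // null (no '?') becomes ''
    printf("%-50s %-5s %-7s %-7s %s\n", $url,
        var_export(urlHasQuery($url), true),
        var_export(hasRawQuery($qs), true),
        var_export(hasParsedParams($qs), true),
        var_export(hasParsedParams($qs, ['page']), true));
}
```

For the question's own URLs all three agree. The `?&&` row is the one to remember: the raw query string is non-empty while nothing parses out of it, so if "variables have been set" is what you care about, test the parsed form (`$_GET` or `parse_str`) rather than the raw string.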
