Trouble comparing two PHP variables - php

This may seem like a stupid question, but it is stumping me nonetheless. I'm sure that the answer is something small. I think it's just one of those situations where I have been looking at the code for too long.
I am trying to compare two PHP variables to see if they are the same. As you can see below, I am comparing $verification_answer with strrev(date("Ymd")) which is today's date, reversed. So today, $verification_answer would be 31700102. Every time I try to do the comparison, however, the if statement executes (as a non-match).
$verification_answer = strrev(date("Ymd"));
if($verification != $verification_answer){
$failed .= "<h2>Attention:</h2><p>The verification code is incorrect. Please try again.</p>";
}
Can anyone see the issue? Thanks!
UPDATE: $verification is from HTML user input:
$verification = mysql_escape_string($_POST['verification']);

There's nothing wrong with the if statement. Display the two values and you should see some sort of difference:
var_dump($verification);
var_dump($verification_answer);
Perhaps $verification doesn't contain what you think it does, or you misspelled it earlier and assigned to a different variable, or...

I am comparing $verification_answer with strrev(date("Ymd"))
If that's actually what you intended to do, I think you messed up the name of the variable in the first line; it should be:
$verification = strrev(date("Ymd"));
If you accidentally overwrote the value of $verification_answer and used $verification in a comparison when it's undefined, the comparison will always be false. PHP will emit a warning, but if you have them disabled you won't see it.

I must have spelled verification wrong somewhere...I copy and pasted 'verification' over each existing variable name and it fixed the problem. Thanks!

Related

PHP Post_method hacking

I ran into the snippet online
https://www.quora.com/Why-is-PHP-hated-by-so-many-developers
when I was doing some research about PHP, and I simply have no idea how the codes work.
Can anyone kindly explain what happens in the snippet and how one can log in without knowing the password?? or just give me some relevant articles to read. Thanks in advance.
See the manual:
Returns ... 0 if they [strings] are equal.
So, by the snippet logic, you should compare 0 to 0 in the end. But when you send password[]=wrong, you actually send an array, forcing strcmp to throw a warning, completely bypassing the function call and perceiving the condition as true.
You should always use strict comparison, just in case. So in the snippet above it would be enough to compare strictly by type and value (with ===):
if(strcmp($_POST['password'], "sekret") === 0)
In this case password[]=wrong would not work anymore.
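An added example (not part of the original answer or the linked snippet) that runs the loose check, the strict check suggested above, and a type-validated check over the same inputs. The function names and inputs are constructed, and the is_string()/hash_equals() guard is an assumption that goes one step beyond the answer.

```php
<?php
// Added example: function names and inputs are constructed for illustration.
// "sekret" is the password literal used in the answer above.

// Loose check: on PHP < 8, strcmp() given an array warns and returns NULL,
// and NULL == 0 is true. On PHP 8+ the same call throws a TypeError.
function login_loose($submitted): bool
{
    return @strcmp($submitted, 'sekret') == 0;
}

// Strict check from the answer: NULL === 0 is false.
function login_strict($submitted): bool
{
    return @strcmp($submitted, 'sekret') === 0;
}

// Assumption beyond the answer: reject non-strings before comparing, then
// use hash_equals() for a timing-safe comparison.
function login_validated($submitted): bool
{
    return is_string($submitted) && hash_equals('sekret', $submitted);
}

$inputs = [
    'password=sekret'  => 'sekret',
    'password=wrong'   => 'wrong',
    'password[]=wrong' => ['wrong'],   // PHP parses this form field as an array
];

foreach ($inputs as $label => $value) {
    foreach (['login_loose', 'login_strict', 'login_validated'] as $check) {
        try {
            $result = var_export($check($value), true);
        } catch (TypeError $e) {
            $result = 'TypeError';     // PHP 8+ refuses the array outright
        }
        printf("%-18s %-16s %s\n", $label, $check, $result);
    }
}
```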

Is it valid in php to compare the value

$newOrders is an array and contains order objects...
order_id is an object's variable. I want to compare the order_id value to another variable ($orderId) in If loop...
but it fails
Here is my code:
if($newOrders[$i]->order_id == $orderId){
echo "voila, found it:".$newOrders[$i]."<br>";
return $newOrders[$i];
}
Whenever I come across a piece of code that does not work - especially comparisons - I print out both sides of the variables (and often break down more complex variables, like your array) and actually look at the information, rather than assume I know from looking at the code.
It is inevitably a problem that is obvious as to what is wrong when the data is dumped out or otherwise manually examined. Tools such as Symfony VarDumper or just print_r, or an IDE with breakpoints and variable inspection are all suitable to see exactly what is going on.
Are you sure this array contains objects? Have you checked? If yes, then how?
What is the variable $i there? Could you please post the full code? (I believe the snippet should be in some loop, for or foreach.)
You can always check for a valid object of a class by
if ($newOrders[$i] instanceof Order) { //Presuming Order is your class name
//do your stuff
}
You can also check by using var_dump() function to check the variables inside the object.
I hope it'll help.

Set variable in if statement expression

I ran across some interesting code today. I tried to find out if this is a feature of PHP or if I am missing something, but was unable to find anything on Google. Probably because I don't know the name of it.
Code
if($logo = \Repositories\Logo::getLogoData($id)){
$logo_href = $logo->link;
}
The variable $logo is not being set anywhere else. It seems like the expression in this if statement is checking to see if that class method is returning anything and simultaneously setting the variable $logo to be used in the statement.
Is this true? If so, what in the world is this called!?!
You can make an assignment like that in a conditional. What happened logically is that the value is assigned to $logo and then $logo is evaluated as to whether it is truthy. If it is truthy, the code in the conditional executes.
You will oftentimes see this sort of assignment/evaluation in the case of looping through database result sets, but generally I would suggest that it should be avoided outside such a common use case for the sake of clarity in reading code.
Yes, this is a feature. It's like:
$a=$b=5;
But in this case, imagine the bool result of if as var $a.
However, IDEs usually complain about solutions like this because == vs. = is a very common source of bugs.

Is this a PHP 'bug' or am I missing something?

Does anyone know anything about this problem, I have the following code:
if (strtotime($unlockInfo->UnlockReviewDate) < time()) {
echo "<h3>Please review your details and ensure they are accurate and up to date.</h3>";
$verifState = validateUnlockCode($db_conn, $unlockInfo->UnlockCode);
}
Now as is it seems to work fine but there was a problem that I seemed to be chasing around for ages.
Essentially $unlockInfo is an object returned from a MySQL query which, as you can probably see, is evaluated against the current time. Now the validateUnlockCode function has the ability under specific circumstances to modify the database and therefore the $unlockInfo object.
Nothing, however, should be modified until after the if statement is evaluated. But when I miss the space out from the if statement, i.e.
if(strto....
this seems to cause the $verifState to be set before the if is evaluated, therefore calling the validate function and modifying the database prematurely.
Is this normal? Is that supposed to happen? Sorry, I'm a bit confused on this one.
The space after the if does not affect anything.
If strtotime($unlockInfo->UnlockReviewDate) fails, then it (false == 0) will surely be less than the current UNIX timestamp. That'd be the first thing I check.
What does strtotime return? What is the format of UnlockReviewDate?

What is the point of this line of code?

I found this line of code in the Virtuemart plugin for Joomla on line 2136 in administrator/components/com_virtuemart/classes/ps_product.php
eval ("\$text_including_tax = \"$text_including_tax\";");
Scrap my previous answer.
The reason this eval() is here is shown in the php eval docs
This is what's happening:
$text_including_tax = '$tax ...';
...
$tax = 10;
...
eval ("\$text_including_tax = \"$text_including_tax\";");
At the end of this $text_including_tax is equal to:
"10 ..."
The single quotes prevent $tax being included in the original definition of the string. By using eval() it forces it to re-evaluate the string and include the value for $tax in the string.
I'm not a fan of this particular method, but it is correct. An alternative could be to use sprintf().
This code seems to be a bad way of forcing $text_including_tax to be a string.
The reason it is bad is because if $text_including_tax can contain data entered by a user it is possible for them to execute arbitrary code.
For example if $text_include_tax was set to equal:
"\"; readfile('/etc/passwd'); $_dummy = \"";
The eval would become:
eval("$text_include_tax = \"\"; readfile('/etc/passwd'); $_dummy =\"\";");
Giving the malicious user a dump of the passwd file.
A more correct method for doing this would be to cast the variable to string:
$text_include_tax = (string) $text_include_tax;
or even just:
$text_include_tax = "$text_include_tax";
If the data $text_include_tax is only an internal variable or contains already validated content there isn't a security risk. But it's still a bad way to convert a variable to a string because there are more obvious and safer ways to do it.
I'm guessing that it's a funky way of forcing $text_including_tax to be a string and not a number.
Perhaps it's an attempt to cast the variable as a string? Just a guess.
You will need the eval to get the tax rate into the output. Just moved this to a new server and for some reason this line caused a server error. As a quick fix, I changed it to:
//eval ("\$text_including_tax = \"$text_including_tax\";");
$text_including_tax = str_replace('$tax', $tax, $text_including_tax);
It is evaluating the string as PHP code.
But it seems to be making a variable equal itself? Weird.
As others have pointed out, it's code written by someone who doesn't know what on earth they're doing.
I also had a quick browse of the code to find a total lack of text escaping when putting HTML/URIs/etc. together. There are probably many injection holes to be found here in addition to the eval issues, if you can be bothered to audit it properly.
I would not want this code running on my server.
I've looked through that codebase before. It's some of the worst PHP I have seen.
I imagine you'd do that kind of thing to cover up mistakes you made somewhere else.
No, it's doing this:
Say $text_including_tax = "flat". This code evaluates the line:
$flat = "flat";
It isn't necessarily good, but I did use a technique like this once to suck all the MySQL variables in an array like this:
while ($row = mysql_fetch_assoc($result)) {
$var = $row["Variable_name"];
$$var = $row["Value"];
}
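An added example, not from VirtueMart or from any of the answers above: one way to get the tax value into the string without eval(), generalizing the str_replace() fix to an allow-list of placeholders. render_template() and the sample strings are hypothetical.

```php
<?php
// Added example: render_template() and the sample templates are constructed.

/**
 * Replace "$name" placeholders with values from an explicit allow-list.
 * The template is only ever treated as text; nothing in it is executed.
 */
function render_template(string $template, array $values): string
{
    $out = preg_replace_callback(
        '/\$([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use ($values): string {
            // Unknown placeholders are left as literal text, not evaluated.
            return array_key_exists($m[1], $values)
                ? (string) $values[$m[1]]
                : $m[0];
        },
        $template
    );
    return $out ?? $template;   // preg error: fall back to the raw template
}

$tax = 10;

// Single-quoted template, as in the answer above, so "$tax" stays literal
// until it is rendered. The wording after the placeholder is constructed.
$text_including_tax = '$tax % tax included';
echo render_template($text_including_tax, ['tax' => $tax]), "\n";

// The hostile value quoted in the answer above: it contains no allow-listed
// placeholder, so it passes through as inert text. It is escaped on output
// because the string ends up in an HTML page.
$hostile = '"; readfile(\'/etc/passwd\'); $_dummy = "';
echo htmlspecialchars(
    render_template($hostile, ['tax' => $tax]),
    ENT_QUOTES,
    'UTF-8'
), "\n";
```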
