PHP - How To Get Value Of All $_request Variable So That We Can Validate
Hi
How to get value of all $_REQUEST variable so that we can validate for cross scripting. See below:

http://srijanlinux.com/consentRequestNew.php?requestId=24753

    print count($_GET); // return ---------- 1
    print_r($_GET); // return ----------- Array ( [requestId] => 24753 )

Now I want to validate the value of requestId. I know I can validate by getting it using $_GET['requestId']. But there are chances that I don't know the variable name; then how do I validate an unknown variable which might be put by a hacker?

Thanks
akash

Similar Tutorials

i've been programming in PHP for years, and have done a substantial amount of work on applications of this nature. this problem has me stumped, not because i can't fix it (i did), but because i have no idea what the problem is. there are hundreds of lines of code involved here, so i'll break it down into a post-friendly format. take this for example, and forgive any typos. it's late, and i've been beating my head against this for over two hours... =\

this is from my form:

Code:
    /* ... numerous form fields being passed as $_REQUEST arrays */
    <input type="hidden" name="option_id[]" value="<?php print $query_result->option_id; ?>" />
    /* a couple hundred more lines */

here's the DB update handler:

Code:
    if (!empty($_REQUEST['option_name'])) {
        foreach ($_REQUEST['option_name'] as $k => $v) {
            if ($v != '') {
                $option_id = $_REQUEST['option_id'][$k];
                $option_name = $_REQUEST['option_name'][$k];
                $option_price = $_REQUEST['option_price'][$k];
                $option_desc = htmlentities($_REQUEST['option_desc'][$k], ENT_QUOTES);
                if (!$option_id = '') {
                    $sql_options = "UPDATE table SET"
                        . " option_name = '" . $option_name . "', option_price = '" . $option_price . "', option_desc = '" . $option_desc . "' WHERE option_id = '" . $option_id . "'";
                    if (!$query_function($sql_options)) {
                        $error = true;
                    }
                } else {
                    $sql_options = "INSERT INTO table (option_name, option_price, option_desc)"
                        . " VALUES ('" . $option_name . "', '" . $option_price . "', '" . $option_desc . "')";
                    if (!$query_function($sql_options)) {
                        $error = true;
                    }
                }
            }
        }
    }

the above code doesn't post to the database because the $option_id variable returns a null value. however, if i replace the $option_id variable where i build the query string with $_REQUEST['option_id'], it works just fine.

Code:
    /* in relevant part */
    $sql_options = "UPDATE table SET"
        . " option_name = '" . $option_name . "', option_price = '" . $option_price . "', option_desc = '" . $option_desc . "' WHERE option_id = '" . $_REQUEST['option_id'] . "'";

needless to say i was infuriated by having spent a couple of hours to come to this conclusion. i only used the variables in the first place because i need to expand the function that this lives inside and i don't want to have to type $_REQUESTs over and over. the only thing i can think is that it might be a type issue. the data is coming out of the mysql table from an INT field and being placed into the value for the hidden field straight from the row collection. would forcing a variant data type by not strongly typing my variable have caused this problem? i haven't tested the theory because i'm still too ticked off to open my code editor. i'm bouncing this off the community and posting my experience in the hope that it might help someone who comes after.

Hi: Can anyone tell me why the following is not working:

Code:
    a_Photo_Delete.php

    <?php
    $photo_id = $_REQUEST['photo_id'];
    mysql_query("DELETE FROM gallery_photos WHERE photo_id = $photo_id");
    header("Location: a_Photo_Edit.php");
    ?>
    <!DOCTYPE HTML>
    <html>
    <head>
    <meta charset="ISO-8859-1" />
    <title></title>
    </head>
    <body>
    </body>
    </html>

    ------------------------------

    a_Photo_Edit.php

    <p>
    <?php
    if ($_REQUEST['URL'] == 'a_Photo_Delete.php') {
        echo "<span class=\"textError\">Photo successfully deleted!</span>";
    }
    ?>
    </p>

The photo gets deleted OK, and the HEADER goes to the "a_Photo_Edit.php" page properly, but the "Photo successfully deleted!" message does not show up .. Confused why .. ??

Hi

I am trying to send a company name to a form for users to report errors.

Code:
    echo "<a href=\"http://www.example.com/suppliers.php?companyName=$compName\">$compName</a>";

In the form, I have the usual code which I use to fill in the value of a field...

    $companyName = $_REQUEST['companyName'];

This works fine - except if there is an ampersand in the name. A & B Products...., becomes just A

I have tried htmlentities to convert to &amp; but the problem still exists. Any thoughts on how I could correct this?

Thanks

Any ideas on how to make this code usable without using the $_REQUEST superglobal? Here is my code:

    <!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title></title>
    </head>
    <body>
    <?php
    if($_GET['submit'] == "Change Background Color") {
        $bgcolor = strval($_POST['thecolor']);
    } else {
        $bgcolor = "red";
    }
    ?>
    <body bgcolor="<?= $bgcolor; ?>">
    <form name="color" method="get" action="<?= $_SERVER['PHP_SELF']; ?>">
    Enter a color: <input type="text" name="thecolor" value="">
    <input type ="submit" value="Change Background Color">
    </form>

I like to use $_REQUEST to get something from either $_POST or $_GET. Annoyingly though, it also includes values from cookies, like the PHP session id, FCK editor cookies and the google tracking code. Is there any way to remove cookie values from request, besides looping through cookie and unsetting the values I don't want?

So I have an existing picklist that i am trying to tweak - I am making it into a multiselect and trying to return multiple values
I have been able to accomplish the first part by adding select 'multiple' but when i submit it only returns results for the last value selected.
Here is the code for the form (Left out the picklists that do not need to be multiple select)

    <td align="center" valign="top">
    <? // base64_encode(base64_encode( 'test1'))?>
    <br /> <br />
    <form id='report_form' action="driverreport_sd.php" method="post" name="report_form">
    <!--<div class="criteria_div">-->
    <table align="center" class="table_border" cellpadding="5" cellspacing="0" width="80%">
    <tr>
    <td align="right" class="first_td"> Status: </td>
    <td align="left">
    <select multiple name='Status' id='Status'>
    <?
    $statuslist=$ObjReport->ObjStatus->get_Status_List();
    while($status=mysql_fetch_object($statuslist)) {
        if($status->Status=="Please Select") {
    ?>
    <option value="<?=$status->Status?>" <?=($status->Status==$_REQUEST['Status']?"selected=selected":"")?>> <?=$status->Status?></option>
    <?
        } else {
    ?>
    <option value="<?=$status->Status?>" <?=($status->Status==$_REQUEST['Status']?"selected=selected":"")?>> <?=$status->Status?></option>
    <?
        }
    }
    ?>
    </select>
    </td>
    </tr>
    <td align="center" colspan="2">
    <input type="hidden" id='sort_by' name='sort_by' value="<?=$_REQUEST['sort_by']?>" />
    <input type="hidden" name='search_val' id='search_val' value="<?=$_REQUEST['search_val']?>" />
    <input type="hidden" name='search_by' id='search_by' value="<?=$_REQUEST['search_by']?>" />
    <input type="hidden" name="report_submited" value='report_submited' />
    <button type="submit" id="report_submited" name="" value='submit'>Submit</button>
    </td>

and here is the return request

    <?
    if($_REQUEST['report_submited']) {
        $ReportData=$ObjReport->generate_report($_REQUEST['Status'],$_REQUEST['School'],$_REQUEST['Campaign'],$_REQUEST['State'],$_REQUEST['Stdtype'],$_REQUEST['Primbad'],$_REQUEST['Rep'],$_REQUEST['From_Date'],$_REQUEST['To_Date'],$_REQUEST['sort_by'],$_REQUEST['search_by'],$_REQUEST['search_val']);
        $currentTotalRow=mysql_num_rows($ReportData);
        if($currentTotalRow>0) {
    ?>

Any suggestions would be appreciated

Thanks!

NEWBIE ALERT: New to Programming Newer to PHP Bad at formulating coherent questions.....so here it goes....
Could someone explain

Code:
    $fieldname = $_REQUEST['fieldname']

I understand "$_REQUEST An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE"

I also understand you call the member of an array like so:

Code:
    <?php
    $arr = array("foo" => "bar", 12 => true);
    echo $arr["foo"]; // bar
    echo $arr[12]; // 1
    ?>

So I would expect that if someone wants to use something from the $_REQUEST Array they would use:

Code:
    $fieldname = $_REQUEST['$_GET']

So I do not understand why "$fieldname" is inside the brackets. I suspect they might be setting this up to use $fieldname instead of $_REQUEST maybe...but why, that would be redundant? so I suspect I suspect wrong....

Hi,

I want to control a variable (decide whether to track a click if coming from a specific site as opposed to hitting the final site (destination) directly).

For example: www.portal.com - this will be a management site that will redirect viewers to the final destination based on variable info - for example $a=123 or $a= 567 - which would come in as www.portal.com?a=123 or www.portal.com?a=567

Note: 123 would redirect to www.abc.com?a=123 and/or 567 would redirect to www.xyz.com?a=567 with said variable(s).

------

My question is this: What is the best method to authenticate (both on) www.abc.com and/or www.xyz.com that the referred viewer came from www.portal.com? I know about the super globals (HTTP_REFERER) but want to know if there are other (more) secure methods to manage this interaction between external domains / websites?

Any insight on this appreciated - thanks!

Where should I validate the return value?
In the function should I validate the value before returning it.
Or once the value has been returned, should I check it?
Is it really necessary to validate the return value?
Thank you.
Hi Everyone..
I am not sure if I should post this question here. I would like to fix this problem using PHP rather than HTML. I am new to PHP. This code is part of an old PHP gallery file. I am trying to validate my site but the site's links have some characters that makes the link throw errors in W3C Validator. So I tried to replace the characters with HTML characters for example ? are now replaced by ?
so my original link before using valid HTML characters looked like
www.awebsite.com/viewgallery.php?cname=Colorado-Fall&pcaption=Lost-In-The-art

And now it looks like this ...

www.awebsite.com/viewgallery.php?cname=Colorado-Fall&pcaption=Lost-In-The-art

But now W3C Validator shows an error like this

Line 32, Column 240: an attribute value must be a literal unless it contains only name characters
…n class='next'><a href=viewgallery.php?cname=Colorado-Journeys&pca…
You have used a character that is not considered a "name character" in an attribute value. Which characters are considered "name characters" varies between the different document types, but a good rule of thumb is that unless the value contains only lower or upper case letters in the range a-z you must put quotation marks around the value. In fact, unless you have extreme file size requirements it is a very very good idea to always put quote marks around your attribute values. It is never wrong to do so, and very often it is absolutely necessary.

Hello
I have a PHP page that sends text entered by a user to our database which we use to display news. This system supports various languages but occasionally we get issues with odd characters being entered...
For example, the premade glyph for ellipsis which is normally represented by 3 .'s broke our system today
How can I check that each character is valid and within range?
These are our character ranges
ExtendedLatin_c_iLowerAlphaChar = 0x00C0;
ExtendedLatin_c_iUpperAlphaChar = 0x01FF;
Arabic_c_iLowerChar = 0x600;
Arabic_c_iUpperChar = 0x6FF;
Arabic_c_iLowerAlphaChar = 0x621;
Arabic_c_iUpperAlphaChar = 0x64A;
Arabic_c_iLowerNumericChar = 0x660;
Arabic_c_iUpperNumericChar = 0x669;
So each character must fall within one of these ranges... but I have no idea how to get the hex value of a character in PHP
Thanks
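
One way to do the check asked about in the post above, as an added example that is not code from the original post: split the text into Unicode code points, get each one's numeric value with mb_ord(), and test it against the posted ranges. The names findOutOfRangeChars and ALLOWED_RANGES are made up for illustration, and allowing printable ASCII plus tab, LF and CR next to the posted ranges is an assumption.

```php
<?php
// Added example. The last two ranges are copied from the post; the ASCII
// entries are an assumption, since the post does not list them.
const ALLOWED_RANGES = [
    [0x0009, 0x000A],   // tab, line feed (assumption)
    [0x000D, 0x000D],   // carriage return (assumption)
    [0x0020, 0x007E],   // printable ASCII (assumption)
    [0x00C0, 0x01FF],   // ExtendedLatin_c_iLowerAlphaChar .. ExtendedLatin_c_iUpperAlphaChar
    [0x0600, 0x06FF],   // Arabic_c_iLowerChar .. Arabic_c_iUpperChar
                        // (the posted Arabic alpha and numeric ranges lie inside this one)
];

/**
 * Returns one [position, 'U+XXXX'] pair for every character outside the
 * allowed ranges; an empty array means the text passed.
 * Input that is not valid UTF-8 is rejected before any character is decoded.
 */
function findOutOfRangeChars(string $text): array
{
    if (!mb_check_encoding($text, 'UTF-8')) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    $bad = [];
    // The /u modifier makes preg_split work on code points, not bytes.
    $chars = preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY);
    foreach ($chars as $position => $char) {
        $codePoint = mb_ord($char, 'UTF-8');
        $inRange = false;
        foreach (ALLOWED_RANGES as [$low, $high]) {
            if ($codePoint >= $low && $codePoint <= $high) {
                $inRange = true;
                break;
            }
        }
        if (!$inRange) {
            $bad[] = [$position, sprintf('U+%04X', $codePoint)];
        }
    }
    return $bad;
}

// Constructed sample inputs: accented Latin, Arabic, and the single-glyph
// ellipsis (U+2026) mentioned in the post.
$samples = [
    "\u{00DC}n\u{00EF}ted news",
    "\u{0645}\u{0631}\u{062D}\u{0628}\u{0627}",
    "Breaking\u{2026}",
];
foreach ($samples as $sample) {
    print_r(findOutOfRangeChars($sample));
}
```

mb_ord() needs PHP 7.2 or later with the mbstring extension loaded.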
Hey everyone, I'm building my first newsletter sign up and wanted to add the validation of checking if the email is already in the database. This is the top part of the code that works.

    <?php
    switch ($_REQUEST['action']) {
    default:
        foreach($_POST as $key=>$value){
            $$key = $value;
        }
        if ($email == ''){
            $error_msg = 'email required';
        }
        elseif (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
            $error_msg = 'Invalid email address';
        }
        echo "";
        if ($error_msg == ''){
            foreach($_POST as $key=>$value){
                $$key = htmlentities(stripslashes($value));
            }
            $Q = mysql_query("INSERT INTO newsletter (`email`) VALUES ('$email')");

But when I add my attempted validation it doesn't work.

    $check = mysql_query("SELECT FROM newsletter WHERE email = '$email'") or die(mysql_error());
    $check2 = mysql_num_rows($check);
    if ($check2 != 1) {
        $error_msg = 'email exists';

Could someone be so kind as to add this code where it should go, I've tried everything.

Hi, I am fairly new to php and I wanted to know whether you could validate an "input type = text". I have made a class where I've made functions to validate text fields but I don't know how to call them with the html form. Any suggestions or tips .... Thanks in advance.

I am working on a script for a simple form with only 2 options that are dropdowns. I need to validate these two options that there is a selection made. I have gotten the first one to validate, but I cannot get the second one to validate. Can anyone steer me in the right direction why only one is working? I get no errors in the script, so I assume I am just missing something.
Code:
    <?php
    // options for drop-down menu
    $choices = array('-- Choose Your Item','Anniversary Jacket', 'Anniversary T-Shirt');
    $sizes = array('-- Choose Your Size','L', 'XL');

    if($_SERVER['REQUEST_METHOD'] == 'GET'){
        // display form when GET
        showForm(array());
    }
    else{
        // process form if POST
        $errors = validateForm();
        if(count($errors)) showForm($errors); // if errors show again
        else print 'Form submitted succesfully!'; // no errors
    }

    // function generating form
    function showForm($errors){
        global $choices,$sizes;
        // set defaults
        $defaults = array();
        foreach($choices as $key => $choice){
            if(isset($_POST['item']) && ($_POST['item'] == $key)) $defaults['item'][$key] = 'selected';
            else $defaults['item'][$choice] = '';
        }
        foreach($sizes as $key => $size){
            if(isset($_POST['size']) && ($_POST['size'] == $key)) $defaults['size'][$key] = 'selected';
            else $defaults['size'][$size] = '';
        }
        // print form
        print "<form action='{$_SERVER['SCRIPT_NAME']}' method='post'>";
        print "<div>";
        print "<select name='item'>";
        foreach($choices as $key => $choice){
            print "<option value='{$key}' {$defaults['item'][$key]}>{$choice}</option>";
        }
        print "</select>";
        showError('item', $errors);
        print "</div>";
        print "<div>";
        print "<select name='size'>";
        foreach($sizes as $key => $size){
            print "<option value='{$key}' {$defaults['size'][$key]}>{$size}</option>";
        }
        print "</select>";
        showError('size', $errors);
        print "</div>";
        print "<input type='submit'/>";
        print "</form>";
    }

    // display error
    function showError($type, $errors){
        if(isset($errors[$type])) print "<b>{$errors[$type]}</b>";
    }

    // validate data
    function validateForm(){
        global $choices,$sizes;
        // start validation and store errors
        $error = array();
        // validate drop-down
        if(!(isset($_POST['item']) && (array_key_exists($_POST['item'], $choices)) && $_POST['item'] != 0))
            $errors['item'] = 'Select Item';
        return $errors;
        // validate drop-down
        if(!(isset($_POST['size']) && (array_key_exists($_POST['size'], $choices)) && $_POST['size'] != 0))
            $errors['size'] = 'Select Size';
        return $errors;
    }
    ?>

How do I make email, name and phone required fields? Thanks in advance

    <?php
    $email = $_POST['email'];
    $name = trim($_POST['name']);
    $phone = trim($_POST['phone']);
    $time = trim($_POST['time']);
    $zipcode = trim($_POST['zipcode']);
    $date = trim($_POST['date']);
    $EmailTo = "myemail@somedomain.com";
    $Subject = "form"; /// Add a subject
    $Body = "";
    $Body .= "Full name:\n$name\n\n";
    $Body .= "Primary phone:\n$phone\n\n";
    $Body .= "time:\n$time\n\n";
    $Body .= "Zip code:\n$zipcode\n\n";
    $Body .= "date:\n$date\n\n";
    if($Subject == NULL) {$Subject = "From $EmailFrom";}
    $success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
    if ($success){
        header ('Location: confirm.html');}
    else{
        echo "Error! Your e-mail was not sent!";}
    ?>

I do not know what's going on. I have tried two different methods of validating an email and it keeps saying invalid email. I have even tried to debug it by putting errors and nothing. I have tried

    preg_match("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$^", $e)

and

    fliter_var($e, FLITER_VALIDATE_EMAIL);

The email I am trying to debug is a valid one. It's one I use daily. I have tried different emails and still no luck.... someone help me please!

This is probably a simple one, but I'm not experienced with arrays. I have a form with looped dropdowns for items from a database. On submit it goes to a second page. Before I run any script I want to make sure the array created from the dropdowns contains anything greater than 0... I thought this would do it:

    if (isset($_POST['participantqty']) && ($_POST['participantqty']) > 0){

But it does nothing. I also tried:

    if (isset($_POST['participantqty[]']) && ($_POST['participantqty[]']) > 0){

I need to validate the POST fields below except a few hidden inputs like User_id & category: They are not huge but I would not like to write for each a line of code like if(empty($_POST['field'])) ...
How can simplify this by checking only if they are empty and display a message that lists all fields that were not filled?

Code:
    array('user_id'=>$data['Id'],
        'surname'=>$_POST['surname'],
        'firstname'=>$_POST['firstname'],
        'middlename'=>$_POST['middlename'],
        'id_number'=>$_POST['id_number'],
        'pin_number'=>$_POST['pin_number'],
        'street'=>$_POST['street'],
        'estate'=>$_POST['estate'],
        'hse_number'=>$_POST['hse_number'],
        'town'=>$_POST['town'],
        'tele'=>$_POST['tele'],
        'mobi'=>$_POST['mobi'],
        'work_street'=>$_POST['work_street'],
        'work_building'=>$_POST['work_building'],
        'company'=>$_POST['company'],
        'work_town'=>$_POST['work_town'],
        'work_tele'=>$_POST['work_tele'],
        'work_fax'=>$_POST['work_fax'],
        'cont_surname'=>$_POST['cont_surname'],
        'cont_firstname'=>$_POST['cont_firstname'],
        'cont_middlename'=>$_POST['cont_middlename'],
        'cont_street'=>$_POST['cont_street'],
        'cont_building'=>$_POST['cont_building'],
        'cont_company'=>$_POST['cont_company'],
        'cont_home_tele'=>$_POST['cont_home_tele'],
        'cont_office_tele'=>$_POST['cont_office_tele'],
        'cont_mobi'=>$_POST['cont_mobi']);
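
An added example (not code from any of the posts) that serves both the opening question about parameter names the script does not know and the post directly above about listing every field left empty: validate the request against an allowlist, so unknown names are reported instead of read, and collect all missing and malformed fields in one pass. The field names are a subset of the array above; validateRequest, FIELD_RULES, OPTIONAL_FIELDS and the patterns are assumptions made for illustration.

```php
<?php
// Added example. Field names come from the post's array; the patterns and
// the optional list are assumptions.
const FIELD_RULES = [
    'surname'    => '/^[\p{L} .\'-]{1,60}$/u',
    'firstname'  => '/^[\p{L} .\'-]{1,60}$/u',
    'middlename' => '/^[\p{L} .\'-]{1,60}$/u',
    'id_number'  => '/^[0-9]{1,12}$/',
    'town'       => '/^[\p{L} .\'-]{1,60}$/u',
    'mobi'       => '/^\+?[0-9 ]{7,15}$/',
];
const OPTIONAL_FIELDS = ['middlename'];

function validateRequest(array $input, array $rules, array $optional): array
{
    $report = ['unexpected' => [], 'missing' => [], 'invalid' => [], 'clean' => []];
    // Parameter names that are not on the allowlist are reported, never read.
    $report['unexpected'] = array_keys(array_diff_key($input, $rules));
    foreach ($rules as $name => $pattern) {
        $value = $input[$name] ?? '';
        if (!is_string($value)) {          // e.g. town[]=x arrives as an array
            $report['invalid'][] = $name;
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            if (!in_array($name, $optional, true)) {
                $report['missing'][] = $name;
            }
            continue;
        }
        if (preg_match($pattern, $value) !== 1) {
            $report['invalid'][] = $name;
            continue;
        }
        $report['clean'][$name] = $value;
    }
    return $report;
}

// Constructed input standing in for $_POST (or $_GET).
$sample = [
    'surname'   => "O'Neil",
    'firstname' => '   ',
    'id_number' => '24753<script>',
    'town'      => ['Nairobi'],
    'debug'     => 'x',
];
$report = validateRequest($sample, FIELD_RULES, OPTIONAL_FIELDS);
foreach (['missing' => 'Please fill in', 'invalid' => 'Invalid value for',
          'unexpected' => 'Unknown parameters ignored'] as $key => $label) {
    if ($report[$key]) {
        echo $label . ': ' . implode(', ', $report[$key]) . "\n";
    }
}
```

Only the values in $report['clean'] should be used afterwards, and they still need htmlspecialchars() when echoed into HTML and bound parameters when used in SQL.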