PHP - Security Issues In The Extract() In PHP Coding?
If I use code as follows, is this a safe way to take the value of the form?
    <html>
    <head></head>
    <body>
    <form method='post'>
    <input type='text' name='name' value='akli'>
    <input type='submit' name='view' value='view'>
    </form>
    </body>
    </html>
    <?php
    extract($_POST);
    if($view)
        echo $name;
    ?>

Please help me.

Similar Tutorials

This topic has been moved to Application Design. http://www.phpfreaks.com/forums/index.php?topic=353714.0

Hello, I am using <?=$PHP_SELF?> in a search form so it will stay on the same page. I have been advised that there are security risks to using that and that it is susceptible to SQL injections and my database can be at risk. I have read about using the following code instead: htmlentities($_SERVER['PHP_SELF']) Is that more secure or is there other code that is more secure? Also could someone look at my database connection and see if there are any issues with it?

Code: [Select]
    <?php
    $db_host = "localhost";
    $db_user = "user";
    $db_pass = "password";
    $db_name = "database";

    function db_connect() {
        global $db_host;
        global $db_user;
        global $db_pass;
        global $db_name;
        $connection = mysql_connect($db_host,$db_user,$db_pass);
        if (!(mysql_select_db($db_name,$connection))) {
            echo "Could not connect to the database";
        }
        return $connection;
    }

    // Connect to the database
    db_connect();
    ?>

Thank you for any help you can provide.

Hi Chaps, I'm about to start building a MySQL/PHP forum but would like to know what are the best administration steps to take. Basically it'll be open to members of a site to share info (as like many forums out there), but obviously I don't want anybody to post either harmful content or offensive material. Can someone point me in the right direction, or give me a basic outline of what I have to look out for? Many thanks

Hi everybody!
Am back with the never ending security issues, just that this time it has to do with the character set related security issues. I read the whole day on utf-8 and am still lost on certain aspects related to PHP security.
Consider the simple script below:
    <?php
    //error_reporting(E_ALL & ~E_NOTICE);
    session_start();
    if(isset($_POST['login'], $_POST['password'])) {
        $login = $_POST['login'];
        $password = $_POST['password'];
        if(!empty($login) && !empty($password)) {
            //echo "Ok";
            echo "Welcome ". $login;
            echo "<br> You password is.$password ";
        }
    }
    ?>
    <html>
    <body>
    <form action="welcome2.php" method="post">
    Name: <input type="text" name="login" />
    Password: <input type="password" name="password" />
    <input type="submit" name="submit"/>
    </form>
    </body>
    </html>

It is not a login script, but assuming that it was one, I would like to know that if UTF-8 was the charset that was selected for this script, then:

1. How could it be exploited to pass a string that would effectively break through this login? It would be great if someone can demonstrate the hack using the above script example.
2. Could the same be thwarted by the use of input filters?
3. I also read that the use of a regex to limit the use of special characters in passwords is not good. So in case the hack can be thwarted by the use of regex and that is a bad idea in the first place, what should be done?

There are a few more questions that are on my mind but I would only ask those once I am clear on these that I have just asked. Thanks all.

Hello, I'm creating an application where a user can input their own CSS. The problem I'm having is understanding if this will open security holes if...

1. Users input is saved to a file called style.css
2. Each user is on their own sub-domain from my reseller hosting plan.
3. The style.css file will be included in the page code like so:

Code: [Select]
    <link type='text/css' rel='stylesheet' href='style.css' />

Any advice?

Hi all, if someone of you has a little spare time I would love to hear what you find about the small code below. I combined some scattered stuff around the internet and was hoping some guru could tell me if it's OK to output without any sneaky JavaScript to get inserted within the tags or other nasty stuff.
It's a BB code that first trims the string, applies HTML entities, then puts newlines to breaks and finishes it off with a little bbcode in the end. I was hoping if this is secure enough to output text, in this case a post var, but am aiming for data from the database. Thanks in advance

Code: [Select]
    <?php
    //replace stuff
    //bb function
    function bbcode($data) {
        $input = array(
            '/\[b\](.*?)\[\/b\]/is',
            '/\[i\](.*?)\[\/i\]/is',
            '/\[u\](.*?)\[\/u\]/is',
            '/\[img\](.*?)\[\/img\]/is',
            '/\[url\](.*?)\[\/url\]/is',
            '/\[url\=(.*?)\](.*?)\[\/url\]/is'
        );
        $output = array(
            '<strong>$1</strong>',
            '<em>$1</em>',
            '<u>$1</u>',
            '<img src="$1" />',
            '<a href="$1">$1</a>',
            '<a href="$1">$2</a>'
        );
        $rtrn = preg_replace ($input, $output, $data);
        return $rtrn;
    }
    //
    if(isset($_POST['submit'])&& !empty($_POST['textvar'])){
        $error_message = '';
        $string = trim(htmlentities($_POST['textvar'], ENT_QUOTES));
        $clean = nl2br($string);
        $super_clean = bbcode($clean);
    }else{
        $error_message = 'enter some text';
        $clean = '';
        $super_clean ='';
    }

I have made a classified website. It works and I am proud of it. But as far as securing it goes, I have done almost nothing and I am sure, if in case the site becomes popular, it would be compromised with ease. So I have started reading a book, 'Essential PHP Security', and am reading several articles on PHP security online, but am still unable to wrap my head around the whole security issue. Can someone help me? There are a lot of unfamiliar topics, filtering, escaping, validating, session hijacking etc. etc. and it all goes over my head. It's a classified website, considering this on what should I concentrate on as far as security goes? BTW what I have managed to do is use mysql_real_escape_string on every var going into a mysql $query. Thanks

This topic has been moved to Third Party PHP Scripts.
http://www.phpfreaks.com/forums/index.php?topic=321546.0

So I have been working on my website for a while which is all PHP & MySQL based, now working on the social networking part, building in similar functions like Facebook has. I encountered a difficulty with getting information back from a link. I've checked several sources how it is possible, with title 'Facebook Like URL data Extract Using jQuery PHP and Ajax' was the most popular answer. I get the scripts but all of these scripts work with html links only. My site is all with php extensions and copy & paste my site links into these demos do not return anything. I checked the code and all of them are using file_get_contents(), parsing through the html file, so if I pass 'filename.php' it returns nothing, supposing that php has not processed yet and the function gets the content of the php script with no data of course. So my question is how it is possible to extract data from a link with php extension (on Facebook it works) or how to get the php file executed for file_get_contents() to get back the html?
Here is the link with the code & demo I am using: http://www.sanwebe.c...-php-and-jquery
Thanks in advance.
So I make a column in my table called "friends". Is there a way to update using mysql that column for each user, so let's say friend 1 adds friend 2 with the id of 25 so the query puts the id "25" into the friends column, then if friend 1 adds friend 5 with the id of 26 it puts "26" into the friends column and so on... So it would have like commas in the column, 25,26,30,31,31 and all those represent the id's of the person who is wanting to add people to his friends list! If so how do I accomplish that, and then what if I want to use mysql to list all those id's and

Code: [Select]
    SELECT name,avatar,etc from userstable WHERE id = "25,26,3,31,31"

Is this even possible or am I thinking too hard?

Folks, from the below code, I want to extract the value of the [template_path] in a variable. The value that I want to extract is " /home/ae1df/public_html/master/proae2/gdfcart/templates/default-black/". I tried to do $this->template_path but it seems not working. Can anyone help please? Here is the Code >>>

Savant3_Error: Array ( [code] => ERR_TEMPLATE [info] => Array ( [template] => sidebar-left.tpl ) [level] => 256 [trace] => Array ( [0] => Array ( [file] => /home/ae1df/public_html/master/proae2/gdfcart/includes/template.php [line] => 1298 [function] => __construct [class] => Savant3_Error [object] => Savant3_Error Object ( [code] => ERR_TEMPLATE [info] => Array ( [template] => sidebar-left.tpl ) [level] => 256 [trace] => Array *RECURSION* ) [type] => -> [args] => Array ( [0] => Array ( [code] => ERR_TEMPLATE [info] => Array ( [template] => sidebar-left.tpl ) [level] => 256 [trace] => 1 ) ) ) [1] => Array ( [file] => /home/ae1df/public_html/master/proae2/gdfcart/includes/template.php [line] => 1121 [function] => error [class] => Savant3 [object] => Savant3 Object ( [__config:protected] => Array ( [b][template_path] => Array ( [0] => /home/ae1df/public_html/master/proae2/gdfcart/templates/default-black/ [/b][1] => ./ ) [resource_path] => Array ( [0] => 
/home/ae1df/public_html/master/proae2/gdfcart/includes/tmpl/resources/ ) [error_text] => template error, examine fetch() result [exceptions] => [autoload] => [compiler] => [filters] => Array ( ) [plugins] => Array ( ) [template] => [plugin_conf] => Array ( ) [extract] => [fetch] => /home/ae1df/public_html/master/proae2/gdfcart/templates/default-black/error.tpl [escape] => Array ( [0] => htmlspecialchars ) ) [banner] => stdClass Object ( [header] => stdClass Object ( [banner] => [count] => 0 ) [left_box] => stdClass Object ( [banner] => [count] => 0 ) [right_box] => stdClass Object ( [banner] => [count] => 0 ) [hometop] => stdClass Object ( [banner] => [count] => 0 ) [homebottom] => stdClass Object ( [banner] => [count] => 0 ) ) [template] => default-black [site] => stdClass Object ( [name] => Paintball Mall [slogan] => This is Master Installation [url] => http://gdfcartophily.co.uk/ [disclaimer] => CERTAIN CONTENT THAT APPEARS ON THIS SITE COMES FROM AMAZON EU SARL. THIS CONTENT IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE OR REMOVAL AT ANY()

Many Thanks

Or need to extract all h1 tags and insert into database. You can modify this code to make it work?
    //////////////////////////////////////////////////////////////////
    function getTextBetweenTags($tag, $get, $strict=0) {
        /*** a new dom object ***/
        $dom = new domDocument;
        /*** load the html into the object ***/
        if($strict==1) {
            $dom->loadXML($get);
        } else {
            $dom->loadHTML($get);
        }
        /*** discard white space ***/
        $dom->preserveWhiteSpace = false;
        /*** the tag by its tag name ***/
        $content = $dom->getElementsByTagname($tag);
        /*** the array to return ***/
        $out = array();
        foreach ($content as $item) {
            /*** add node value to the out array ***/
            $out[] = $item->nodeValue;
        }
        /*** return the results ***/
        return $out;
    }
    $content = getTextBetweenTags('h1', $get);
    foreach( $content as $item ) {
        $h1 = $item.'<br />';
    }
    $query="UPDATE sitis SET hh = '$h1' WHERE id = '$a'";
    // My problem and that puts only a h1

Regards

Hi, how do I extract a substring? I just want to store "car" in a variable for other uses. Here is the original string: car/red/blue/gun/hit Any help much appreciated!

Okay, I now have a working extract ZIP archive script. What I am now looking to do is have a loop which checks the percentage complete the extraction is and at 100% (with no errors) carry out a PHP function. The code so far is (and includes comments on how the new function would be placed):

    $dir = opendir('temp');
    while(false !==($file=readdir($dir))){
        if(strpos($file, '.zip',1)){
            extractupdate($file);
        }
    }

    function extractupdate($file){
        $zip=new ZipArchive;
        // open() returns an integer error code on failure, so compare strictly
        if($zip->open('temp/'.$file) === TRUE){
            // basename() removes the ".zip" suffix; rtrim() would strip any trailing ".", "z", "i" or "p"
            $update=basename($file, ".zip");
            $zip->extractTo($_SERVER['DOCUMENT_ROOT']."/update/temp/$update");
            $zip->close();
            echo "Extraction started.";
            // Place loop here to run until 100% extraction completed and then run function "installupdate($update);"
        } else {
            echo "Failed to start extraction.";
        }
    }

    function installupdate($update){
        // installupdate() will now shift the files around as necessary.
        // NB to PHPFREAKS, no assistance with code for installupdate() is required, only the loop. Cheers.
    }

Many thanks in advance.
Hello, I seem to be having a problem. I am trying to extract the year from a date

Code: [Select]
    2012-03-01
    echo "2012";

I have tried this and it only displays 1969

    $dateorig = "2012-03-01";
    $new_year = date("Y", strtotime($dateorig));
    echo $new_year;

I have just noticed that I'm allowed to use variables without using the extract function. Like:

    before: your name is $_POST['name'];
    now I'm allowed to use: your name is $name // I'm not using extract here

What can cause this? How can I switch it off? Any security problems I can face?

What is the difference between EXTR_PREFIX_SAME and EXTR_PREFIX_IF_EXISTS?

Folks,

Quote: http://natty.com/p/bh-fitness-class-indoor-magnetic-exercise-bike-2-years-parts-/detail/b004r2wuak/fitness-spinning.html

From this URL string, I want to extract the last part of the string which is "fitness spinning". This URL is dynamic and can have any value in that last bit, so how to extract anything between two forward slashes just before .html? Note: It can not be extracted with GET as it's not how it's designed. Thanks, Natasha

I draw contents from a database. Some of the texts contain a footnote, which is formatted using a div class. Following the HTML of this:
    <div class=""footnotes""> <br> <hr align=""left"" noshade=""noshade"" size=""1"" width=""150"" /> <blockquote> <a href=""#f1"" name=""fn1""> <span class=""superscript""> * </span> </a>Some footnotetext</blockquote></div>

Since my bibliography uses data from the database as well, the footnote now appears before the references, but I would like it at the very bottom of the page. I was thinking of using preg_replace in order to separate the textfield into two variables, one for the text itself, the other one for the footnote (it is always just one) and integrate after the bibliography is compiled. Unfortunately, it seems that the preg_replace does not work. It always displays the whole content of the textfield. Here's the PHP:

    $text = preg_replace('/(.*)(\div class=\"footnotes\"\>.*?\<\/div\>)/s', '$1', $result['text']);
    $footnote = preg_replace('/(.*)(\div class=\"footnotes\"\>.+?\<\/div\>)/s', '$2', $result['text']);
    echo '<div align="justify"><span style="font-family:Georgia;font-size:16px;">' . $text;
    ***BIBLIOGRAPHY*** ...
    echo $footnote;

Maybe someone has an idea how to deal with that. I tried it on phpliveregex. There search string works fine. Many thanks for any help.

I am new to coding and I am trying to write a simple business registration app. a foreach loop populates a select list and a nested loop checks to see if something new is being added. If so write to the DB. Great.
Only part of it is working, I am getting the correct businessId but the categoryId is an array:

    188 Array 189 Array 190 Array 191 Array 192 Array 195 Array 196 Array

Here is the code:

Code: [Select]
    <form method="post" action="?">
    <table>
    <tr><td class="picklist"><?php echo $pickMessage; ?>
    <select name="bizCatSelect[]" size="4" multiple>
    <?php
    $sql = "SELECT categoryId FROM categories";
    $sth = $dbh->prepare($sql);
    $sth-> execute();
    $result = $sth->fetchAll(PDO::FETCH_COLUMN, 0);
    foreach($result as $value) {
        if($addRecord == 1) {
            $selected = false;
            if(in_array($value, $bizCatSelect)) // $row[1]
            {
                $sql = "INSERT INTO businessCat(businessId,categoryId) VALUES(:bizId, :bizCatSelect)";
                $sth = $dbh->prepare($sql);
                $sth->bindValue(':bizId', $bizId, PDO::PARAM_STR);
                $sth->bindValue(':bizCatSelect', $bizCatSelect, PDO::PARAM_STR);
                $query = $sth->execute();
                $params = array($bizId, $bizCatSelect); // $row[0] $value
                print_r($params);
                //$resp = $sth->execute($query, $params);
                echo "<option selected=\"$value\">$value</option>\n"; // $row[1]
                $selected = true;
            }
            if($selected == false){echo "<option value=\"$value\">$value</option>\n";}
        }
        else{ echo "<option value=\"$value\">$value</option>\n";}
        //echo "<option value=\"$value\">$value</option>\n";
    }
    ?>
    </select>
    </td>
    <td class="addlist">
    <table>
    <tr><td class="formLable">Business Name:</td>
    <td><input type="text" name="bizName" size="40" maxlength="255" value="<?php echo $bizName; ?>"></td>
    </tr>
    <tr><td class="formLable">Address:</td>
    <td><input type="text" name="bizAddress" size="40" maxlength="255" value="<?php echo $bizAddress; ?>" ></td>
    </tr>
    <tr><td class="formLable">City:</td>
    <td><input type="text" name="bizCity" size="40" maxlength="128" value="<?php echo $bizCity; ?>" ></td>
    </tr>
    <tr><td class="formLable">Telephone:</td>
    <td><input type="text" name="bizTele" size="40" maxlength="64" value="<?php echo $bizTele; ?>" ></td>
    </tr>
    <tr><td class="formLable">URL:</td>
    <td><input type="text" name="bizUrl" size="40" maxlength="255" value="<?php echo $bizUrl; ?>" ></td>
    </tr>
    </table>
    </td>
    </tr>
    </table>
    <p><input type="hidden" name="addRecord" value="1">
    <?php
    if($addRecord == 1) {echo "<p><a href=\"?\">Add another business</a></p>";}
    else {echo "<INPUT TYPE=\"submit\" NAME=\"submit\" VALUE=\"Add Business\">";}
    ?>
    </p>
    </form>

I just can't seem to get this last part, any suggestions? AL
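
For the extract($_POST) question that opens this page and the later question about EXTR_PREFIX_SAME versus EXTR_PREFIX_IF_EXISTS, an added example (not code from any of the posts) that lists which local variables each extract() flag creates from a request, next to reading the two form fields explicitly. The $is_admin variable, the 'form' prefix, the function names and the sample request are assumptions constructed for illustration.

```php
<?php
// Added example; the request array below is constructed and stands in for $_POST.

// Returns the local variables that exist after extract() runs with $flags.
function locals_after_extract(array $post, int $flags, string $prefix = ''): array
{
    $is_admin = false;                 // hypothetical application state set before extract()
    extract($post, $flags, $prefix);   // the prefix is only used by the EXTR_PREFIX_* flags
    $vars = get_defined_vars();
    unset($vars['post'], $vars['flags'], $vars['prefix']);
    return $vars;
}

// Reads only the two fields the form defines; nothing else becomes a variable.
function handle_explicit(array $post): array
{
    $is_admin = false;
    $name = isset($post['name']) && is_string($post['name']) ? $post['name'] : '';
    $view = isset($post['view']);
    return [
        'output'   => $view ? htmlspecialchars($name, ENT_QUOTES, 'UTF-8') : '',
        'is_admin' => $is_admin,
    ];
}

// Constructed request: the form's 'name' and 'view' plus a field the form never had.
$post = ['name' => '<b>akli</b>', 'view' => 'view', 'is_admin' => '1'];

$modes = [
    'EXTR_OVERWRITE (default)' => EXTR_OVERWRITE,        // request value replaces $is_admin
    'EXTR_SKIP'                => EXTR_SKIP,             // $is_admin kept; $name, $view created
    'EXTR_PREFIX_SAME'         => EXTR_PREFIX_SAME,      // collision stored as $form_is_admin
    'EXTR_PREFIX_IF_EXISTS'    => EXTR_PREFIX_IF_EXISTS, // only $form_is_admin is created
];
foreach ($modes as $label => $flags) {
    echo $label, "\n";
    var_dump(locals_after_extract($post, $flags, 'form'));
}
echo "explicit\n";
var_dump(handle_explicit($post));
```

Every extract() mode still lets the request decide which variable names come into existence; only the explicit version limits that to the names the code itself lists.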