On Friday, 2008-01-18 at 12:10, Wolf wrote:
> ---- Eric Butera <[EMAIL PROTECTED]> wrote:
> > On Jan 18, 2008 11:38 AM, Wolf <[EMAIL PROTECTED]> wrote:
> > > Steve,
> > >
> > > This should work as some basic pseudo code. You are running into a number
> > > of issues with your usage of the foreach as it sounds like what you
> > > really want to do is walk through one array and grab the corresponding
> > > value from another.
> > >
> > > <?php
> > > // First check to make sure you are getting both fields
> > > if(isset($_POST['name']) && is_array($_POST['name']) &&
> > >    isset($_POST['order']) && is_array($_POST['order']))
> > > {
> > >     // Now assign them to easier to play with variables
> > >     $names=$_POST['name'];
> > >     $orders=$_POST['order'];   // same key as the one checked above
> > >     // This tests for the same number of items as names
> > >     if (count($names) == count($orders))
> > >     {
> > >         $i=0;
> > >         // Walk both arrays in step; the last valid index is count-1
> > >         while($i<count($names))
> > >         {
> > >             // The values are interpolated straight into the SQL, unescaped
> > >             $update_data = "UPDATE sections SET `order` = '$orders[$i]' WHERE name = '$names[$i]'";
> > >             $response = mysql_query( $update_data, $cnx );
> > >             if(mysql_error()) die ('database error<br>'.mysql_error());
> > >             $i++;   // advance, otherwise the loop never ends
> > >         }
> > >     }
> > > }
> > > ?>
> > >
> > > HTH,
> > > Wolf
> > >
> >
> > Hi Wolf,
> >
> > Your code is missing data validation! Hopefully you don't do stuff
> > like that either.
> >
> > function super_duper_escaper($value, $db) {
> >     if (!get_magic_quotes_gpc()) {
> >         $value = mysql_real_escape_string($value, $db);
> >     }
> >     return $value;
> > }
> >
> > $_sql = "UPDATE sections SET `order` = %d WHERE name = '%s'";
> > $sql = sprintf(
> >     $_sql,
> >     (int)$orders[$i],
> >     super_duper_escaper($names[$i], $cnx)
> > );
> >
> > What we're doing here is making sure that the order is a number and
> > that the name is a string that properly escapes out the quotes to make
> > sure people can't break out of the context of data and into commands.
> > Look up SQL injection for more information.
> >
> > Don't rely on magic quotes, etc. as it is a server specific setting, is
> > going away in php6, and does not take character sets into
> > consideration. The mysql extension is just as bad as it won't allow
> > you to update the character set context from the mysql server default.
> > So use mysqli or pdo unless everything matches across the board.
>
>
> Of course it was missing the data validation, I don't write a whole page/app
> for anyone just out of the blue. I was expecting Steve to make sure he
> handled the data validation on his side before implementing the code fully.
> As it is, I would have used a function and array_walk to check the validness
> of each field and assign it to a new array if it was valid, then use the new
> arrays to actually be pushed into the mysql queries. :)
>
> I also tend to put in a referrer checker to make sure the page is coming
> where it should be coming from and depending on how nice I am either
> redirecting back to my page and my form, or heading them off to other fun
> places (like ratemypoo or something similar) :)
I wouldn't do that as the referer value can be set on the client side to
anything... I just simply don't trust it.
greets
Zoltán Németh
>
> Wolf
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
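The thread ends with the right advice (validate both arrays, use mysqli or PDO) but no code that actually does it. The following is an added example written for this page, not code posted by Wolf, Eric or Zoltán: it validates the parallel `name`/`order` arrays the way Wolf describes (check each field, build new arrays, only then touch the database) and applies them through a PDO prepared statement as Eric recommends, so the values are bound as data and never spliced into the SQL string. It assumes the `sections` table with a `name` column and an `order` column from the thread; the in-memory SQLite database, the `validate_section_orders`/`update_section_orders` function names and the simulated form post are constructed for the demo and stand in for the MySQL setup of the original.

```php
<?php
// Added example (not from the mailing-list thread): validate parallel
// name/order arrays from a form post, then apply them with PDO prepared
// statements instead of string interpolation. Table and columns follow
// the thread (sections.name, sections.`order`); SQLite replaces MySQL so
// the script runs offline, and it accepts MySQL-style backtick quoting.
declare(strict_types=1);

/**
 * Validate $_POST-style input carrying two parallel arrays, 'name' and
 * 'order'. Returns a list of [name, order] pairs, or throws before any
 * SQL runs. Both arrays must exist, have equal length, every order must
 * be a plain decimal integer string and every name a short printable string.
 */
function validate_section_orders(array $post): array
{
    if (!isset($post['name'], $post['order'])
        || !is_array($post['name']) || !is_array($post['order'])) {
        throw new InvalidArgumentException('name and order must both be arrays');
    }
    $names  = array_values($post['name']);
    $orders = array_values($post['order']);
    if (count($names) !== count($orders)) {
        throw new InvalidArgumentException('name/order length mismatch');
    }
    $pairs = [];
    foreach ($names as $i => $name) {
        $order = $orders[$i];
        // Order: digits only (no sign, whitespace or decimal point).
        if (!is_string($order) || !ctype_digit($order)) {
            throw new InvalidArgumentException("bad order at index $i");
        }
        // Name: non-empty, bounded length, printable characters only.
        if (!is_string($name) || $name === '' || strlen($name) > 64 || !ctype_print($name)) {
            throw new InvalidArgumentException("bad name at index $i");
        }
        $pairs[] = [$name, (int)$order];
    }
    return $pairs;
}

/**
 * Apply validated pairs inside one transaction. The prepared statement
 * binds the values, so a name such as "x' OR '1'='1" is compared as a
 * literal string, not parsed as SQL. Returns the number of rows updated.
 */
function update_section_orders(PDO $db, array $pairs): int
{
    $stmt = $db->prepare('UPDATE sections SET `order` = :ord WHERE name = :name');
    $updated = 0;
    $db->beginTransaction();
    try {
        foreach ($pairs as [$name, $order]) {
            $stmt->execute([':ord' => $order, ':name' => $name]);
            $updated += $stmt->rowCount();
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $updated;
}

// --- Demo on an in-memory SQLite database with constructed sample rows ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sections (name TEXT PRIMARY KEY, `order` INTEGER NOT NULL)');
$db->exec("INSERT INTO sections VALUES ('intro', 1), ('body', 2), ('footer', 3)");

// Simulated form post (constructed): swap two sections; the third name is
// an injection-looking string that should simply match no row.
$fakePost = [
    'name'  => ['footer', 'intro', "body' OR '1'='1"],
    'order' => ['1', '3', '99'],
];

$pairs = validate_section_orders($fakePost);
$n = update_section_orders($db, $pairs);
echo "rows updated: $n\n";
foreach ($db->query('SELECT name, `order` FROM sections ORDER BY `order`') as $row) {
    echo "{$row['name']} => {$row['order']}\n";
}

// A length mismatch (or a non-numeric order) is rejected before any query runs.
try {
    validate_section_orders(['name' => ['a'], 'order' => ['1', '2']]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Two design points follow from the thread. The whole-array check happens first and fails closed, so a single bad element means no partial update; and because the SQL text never contains user input, the character-set problem Eric raises with `mysql_real_escape_string` does not arise, since the driver transmits the bound values separately from the statement. Zoltán's objection to referrer checks still stands: nothing in this example consults the `Referer` header, because the client chooses its value.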