IRC Archive / Freenode / #php / 2015 / August / 1 / 1
Apeowl
runinsquares: I don't see anything when I echo $printtoreffile.
NoiseEee
Apeowl: var_dump, don't echo
runinsquares
^
latestbot
I just updated my gist, https://gist.github.com/ankurkaushal/072d18c3ecd90bca2779. My question stays the same. So it is still unsafe right?
doMynation
I take back what I said about CI using prepared statements. It appears they are not using them. I confused them with Laravel. Regardless, using Query Bindings in CI will escape the data for you.
TML
Apeowl: OK, now change your form to post to this: http://codepad.viper-7.com/YytmJg/5.6.10?1
Apeowl: Then resubmit and tell me what the response is
doMynation
Yes latestbot, it is still unsafe.
TML
action="http://codepad.viper-7.com/YytmJg/5.6.10?1"
Apeowl
runinsquares & NoiseEee: I get string(310) "" with var_dump.
TML
Apeowl: View source
Apeowl: See where it says "string(310)"? That means you have a 310 character string.
it's either bad markup, or control characters, or whitespace, or something equally "not visible when using a web browser"
latestbot
Also, CI mentioned this in their examples, http://www.codeigniter.com/user_guide/database/examples.html#query-builder-insert. I take it that's an unsafe query too?
TML
latestbot: Whether or not it's "unsafe" as written requires knowing CI and what $this->db->query is. However, it's certainly not "safe" in the obvious, parameterized query sense that we would prefer to see things written in.
latestbot
I see
Apeowl
TML: It says this: Notice: Undefined offset: 3 in /code/YytmJg on line 6... and then below, it says: 8piece+2 large sides$20.99 (which is the $_POST contents).
TML
latestbot: !+why pdo
php-bot
latestbot, For the most part, what PDO does is give you access to parameterized queries, which are fundamentally different than escaping. In parameterized queries, "data" (such as your variables) and "code" (the SQL) are sent along different paths, so that there's no *possible* way for "data" to leak over into the space of "code", which is fundamentally what is happening when you have SQL injection.
TML
Apeowl: So here you can see that I was able to write the contents of $_POST to a file, and read them back out, just fine.
Apeowl: Which means there's something somewhere in the code you aren't showing us, or maybe it's in the code you DID show us and we just can't tell because it's too hard to read, that is causing your problem.
Apeowl: My suggestion would be to start by writing your PHP so that you're not echo'ing HTML out of PHP.
that's not going to be a small rewrite, based on what you've shown
Most likely, in that process, you'll either realize what the error IS, or you'll fix it just by nature of making your code easier to read.
Apeowl
So the best way to do that is just to write HTML and then separate out the PHP into individual <?php ?> tags?
TML
Apeowl: I would also suggest looking into sqlite via PDO (see php.net/pdo-sqlite for docs) instead of doing fwrites
Apeowl: for example, instead of doing: <?php echo "<foo bar=\"$baz\">"; ?>, do <foo bar="<?php echo $baz;?>">
Apeowl
I'd love to find (and burn) the book that suggested the spaghetti code. I've always hated that but thought it was the right way to do it! I'm nearly blind from looking at back-slashes.
TML
learning PHP from books probably isn't a great idea
laszlof
^
Apeowl
Okay, TML... a HUGE thank you! I'm going to go and start rewriting this mess. Thanks SO much for your help.
hassoon
TML: what ekse would be a good idea then :o
*else *
Apeowl
Hahaha... no... so I'll be back soon for lesson two. ;)
TML
hassoon: php.net
Whiskey
what is the easiest way to replace "https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.10.6/moment.min.js" with "https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.10.6/moment.js"? preg_replace or what?
hassoon
aaah, there's php's official manual itself..
i find it most of the time boring and long tb
*tbh
NoiseEee
Whiskey: str_replace("moment.min.js","moment.js",$momentSource)
TML
Whiskey: str_replace
Whiskey
thanks
TML
Whiskey: Better yet, don't generate your JS URLs from within PHP code. :)
laszlof
we do that in dev, but they're all local JS
there's too many of them to have to update the index every time we add something new
[wolverine]flaszlon$ find . -name \*.js | wc -l
908
:)
cquilty
Well... that was a massive letdown. (Windows 10)
Next on the list: PHP 7 and Oculus Rift.
laszlof
OR looks cool
cquilty
A bit too cool.
laszlof
i just dont know what practical use it has beyond gaming
cquilty
Virtual reality. Doesn't have to involve any gaming at all.
laszlof
PHP7 has some exciting new features as well.
cquilty
Just being able to fly around in some sort of hovercraft in an immersing world...
The "double speed" thing excites me about PHP 7.
laszlof
cquilty: well, i would consider that "gaming"
cquilty
Assuming it's true.
laszlof
its not really useful :/
cquilty
laszlof: Maybe you do important things inside that world. It's likely going to be a major thing.
laszlof
eventually
for now, its just an expensive toy
cquilty
I wonder if PHP 7 really is twice as fast for everything, or just in very specific instances.
laszlof
ive done some small tests and it seems a bit faster than 5.6
but I havent done any serious testing with it yet
cquilty
:/
laszlof
i know my code doesnt run on it right now
lol
cquilty
It doesn't?!
Why not?
laszlof
its a large codebase
theres some stuff that breaks
its a major release, such is to be expected
I have a list somewhere of the breaking changes
TML
laszlof: Be honest - you're still using mysql_query
;)
laszlof
you caught me
runinsquares
behind the bushes
in the moonlight
laszlof
I actually had thought about that. there's a popular piece of billing software that I believe still uses mysql_query
and they have a crapton of 3rd party modules
runinsquares
you'd think they have the money to rewrite huh
laszlof
and break the several thousand modules?
:)
I fully plan to capitalize on that situation when they do switch
"OMG OUR SITES DOWN, PLZ CONVERT TO PDO NAO"
cquilty
...
Let me guess: you think The Annoying Orange and PewDiePie are funny?
laszlof
what?
runinsquares
this conversation is going strange places
laszlof
i don't even know what he's talking about
heh
TML
cquilty: I don't know what you're talking about, but it doesn't SOUND very funny
cquilty
Given the quote.
sorabji
wasaaaaabi :)
runinsquares
i know what he's talking about, don't bother learning about what he's talking about
cquilty
My point is that his quote was annoying to say the least.
caffinated
TML: I know what he's talking about, your assessment is accurate.
runinsquares
incidentally i can tell you don't like south park either, otherwise you'd know pewdiepie at least