Mombu the Php Forum sponsored links

Go Back   Mombu the Php Forum > Php > bug in script
User Name
Password
REGISTER NOW! Mark Forums Read

sponsored links


Reply
 
1 14th May 00:58
dark angel
External User
 
Posts: 1
Default bug in script


But recently found a bug in there that lets them subit the iteam even if its
blank.
I've think I've figured a way around this.
The script below is what should stop this.
Whould this work? or am I going about it the wrong way? <?php
if $_GET[] == '' { print (Please full all parts of the form out.<br> Please
go back and try again.);
} else { include ("phplinksconfig.php");
mysql_select_db($database,$connect);
$sql = "INSERT INTO phpLinks (`id`, `name`, `site_name`, `url`, `category`,
`comment`) VALUES ('', '$_POST[name]', '$_POST[site_name]', '$_POST[url]',
'$_POST[category]', '$_POST[comment]')"; if (mysql_query($sql,$connect)) {
echo "your input as been entered<br>";
echo "<a href=\"http://$site\">Click here</a> to retun to the main
page.<br>\n"; } else {
echo "There was an error, please try again later<br>";
echo "<a href=\"addlink.html\">Click here</a> to try again.<br>\n";
echo "or <a href=\"$site\">Click here</a> to retun to your homepage.<br>"; }
?>

--
Best Regards
Dark Angel

--------------------------------------------------------------------------
http://www.stateofmind.me.uk - My Home Page
http://www.keir.net/k9.html - Free spam filter for windows
http://www.shrine2aeris.co.uk - My shrine to Aeris from FF7
  Reply With Quote


  sponsored links


2 14th May 00:58
janwillem borleffs
External User
 
Posts: 1
Default bug in script


Apart from the syntax being incorrect, why would you evaluate $_GET while
your are retrieving your data from $_POST?

It would make more sense to something like the following:

if ($_POST['url'] == '') {
// error
}

but this way, the error won't be raised when the user has entered a single
white space character.

You could get around this by using trim:

if (trim($_POST['url']) == '') {
// error
}

but now, all the user has to do is enter 1 non-white space character to pass
by.

The way to get around this is to use regular expressions, e.g (and this is a
VERY basic expression which needs work):

if (!preg_match("|^http://[^\s.]+(.[^\s]+)+(/[^\s]+)*$|", $_POST['url'])) {
// error
}

Read the online manual for more info about regular expressions.


Teach yourself to use quotes around array keys:
$_POST['comment'];

Reasons: with the highest error reporting level there will be warnings all
over the place and it is well possible that one of the used names will be
defined as a constant in future PHP releases (`comment` in `$_POST[comment]`
is converted to a constant with `comment` as the value) .


JW
  Reply With Quote
Reply


Thread Tools
Display Modes




Copyright 2006 SmartyDevil.com - Dies Mies Jeschet Boenedoesef Douvema Enitemaus -
666