php challenge lol
Posted: Fri Oct 11, 2002 12:13 pm
by tetsuo
***First off, excuse me for my terrible English.
Ok. I need a script.
It's sort of complicated, but I'll try to explain.
It's basically like this.
First, you have something like a login. (But you don't need a password.)
Then, it saves your name and you come to a page with a textarea, and in that textarea is the code from, let's say, changes.txt.
So, everyone can change the code in changes.txt.
But the difficult part is archiving each change.
So, if bob834 changes the code on Oct 11 at 7:30, it will show in the archive that bob834 changed the code, and when you click on the name, you see what he "posted" at that time.
If you didn't understand what I wrote, here's what I mean:
http://happygreat.5u.com/code.gif
If anyone wants to code this, just for fun, or can give any tips on how I can do this, please post.
^-^
Posted: Sat Oct 12, 2002 5:19 am
by ReDucTor
laf, that's an old untested script that I did because I was bored. It's amazing the things people find.
Untested again:
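Code:
<?php
// Show the form used to submit a change.
function post()
{
?><html><body>
<form method="post">
<input type="hidden" name="action" value="do_post">
Name: <input type="text" name="name"><br>
Body: <textarea rows="6" cols="40" name="body"></textarea><br>
<input type="submit" value="Add">
</form></body></html><?php
    exit;
}
// Store the submitted change, then show the file.
function do_post()
{
    global $_REQUEST;
    // Read both fields from the request ($body is not set with register_globals off).
    $name = isset($_REQUEST['name']) ? $_REQUEST['name'] : '';
    $body = isset($_REQUEST['body']) ? $_REQUEST['body'] : '';
    // "a" appends, so earlier changes stay in the file.
    $fp = fopen("changes.txt", "a");
    // Escape the name as well as the body; "M j" gives e.g. "Oct 11".
    fwrite($fp, "<hr>Posted by ".htmlspecialchars($name)." on ".date("M j")." at ".date("G:i")."<br>\n");
    fwrite($fp, "<pre>".htmlspecialchars($body)."</pre>\n");
    fclose($fp);
    view();
}
// Print the stored changes.
function view()
{
    // readfile() outputs the file without executing it as PHP, unlike include().
    if (file_exists("changes.txt")) {
        readfile("changes.txt");
    }
    exit;
}
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
switch ($action)
{
    case "post":
        post();
    case "do_post":
        do_post();
    default:
        view();
}
?>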
hehe
Posted: Sat Oct 12, 2002 10:25 am
by hob_goblin
is unnecessary, as $_REQUEST is already a superglobal along with $_POST and $_GET and $_COOKIE, etc...
You should also not use $_REQUEST, use $_POST or $_GET instead.
Posted: Sat Oct 12, 2002 10:31 am
by ReDucTor
Why not use _REQUEST ?
Posted: Sat Oct 12, 2002 11:09 am
by hob_goblin
From the manual itself:
$_REQUEST
Variables provided to the script via any user input mechanism, and which therefore cannot be trusted.
say you had a script like...
Code:
$id = $_REQUEST['id'];
$query = mysql_query("SELECT * FROM table WHERE id='$id'");
now, i could just send a POST request that had this as the contents:
Code:
1';
UPDATE user SET Password=PASSWORD('crack') WHERE user='root';
FLUSH PRIVILEGES;
and BAM! I own your database.
REQUEST = Bad
Posted: Sat Oct 12, 2002 12:37 pm
by ReDucTor
For each of my queries I always use stripslashes for strings and intval for numbers.
Posted: Sat Oct 12, 2002 12:41 pm
by ReDucTor
oops addslashes
but really, any input method can have that done
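The query from hob_goblin's post and the handling discussed in the replies above, as an added example that is not part of the thread: it runs the interpolated query and a PDO prepared statement against a constructed in-memory SQLite table, and shows what intval() makes of the same input. The table `items`, its rows, the function names and both input strings are assumptions made for illustration.

```php
<?php
// Added example; needs the pdo_sqlite extension.
// Constructed in-memory table standing in for the thread's "table".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT)");
$db->exec("INSERT INTO items (id, owner) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Pattern from the thread: the request value is interpolated into the SQL text.
function find_interpolated(PDO $db, string $id): array
{
    $sql = "SELECT id, owner FROM items WHERE id='$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value is bound separately and never parsed as SQL.
function find_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT id, owner FROM items WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one well-formed id, one carrying a quote and extra SQL.
$inputs = ['2', "2' OR '1'='1"];

foreach ($inputs as $id) {
    printf("input: %s\n", $id);
    printf("  interpolated: %d row(s)\n", count(find_interpolated($db, $id)));
    printf("  prepared:     %d row(s)\n", count(find_prepared($db, $id)));
    printf("  intval():     %d\n", intval($id));
}
```

For the second input the interpolated query returns every row in the table, while the prepared statement treats the whole string as one value and matches nothing.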
Posted: Sat Oct 12, 2002 12:48 pm
by hob_goblin
But really, there is no point to turning register globals off if you're going to use request.
Say you had a cookie set, to determine whether a user is logged in... I could just append a GET string to the URL and I'm logged in. You could probably find some way around it, but the thing is, you shouldn't have to. You should just use $_GET $_POST $_COOKIE $_SESSION, etc.
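The cookie and GET case described above, as an added example that is not part of the thread: it models how PHP fills $_REQUEST from GET, POST and cookie data in the configured order (request_order, or variables_order when that is unset) and compares a check on the merged array with a check on the cookie array. The flag name `logged_in`, the function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: models how PHP fills $_REQUEST. Sources are registered left to
// right in the configured order, and a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical flag name; '1' means "logged in".
function flag_set(array $source): bool
{
    return isset($source['logged_in']) && $source['logged_in'] === '1';
}

// Constructed requests: [description, GET, POST, COOKIE].
$cases = [
    ['no cookie, ?logged_in=1 in URL', ['logged_in' => '1'], [], []],
    ['cookie says 0, URL says 1',      ['logged_in' => '1'], [], ['logged_in' => '0']],
    ['cookie says 1, plain URL',       [], [], ['logged_in' => '1']],
];

foreach (['GPC', 'CGP', 'GP'] as $order) {
    printf("order %s\n", $order);
    foreach ($cases as [$label, $get, $post, $cookie]) {
        $request = build_request($order, $get, $post, $cookie);
        printf("  %-32s \$_REQUEST: %-3s \$_COOKIE: %s\n",
            $label,
            flag_set($request) ? 'yes' : 'no',
            flag_set($cookie) ? 'yes' : 'no');
    }
}
```

With no cookie present, the URL parameter sets the flag in the merged array under every order, while the cookie-only check stays false. A cookie value is still sent by the client, so a login flag is only trustworthy when it lives in server-side state such as $_SESSION.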
Posted: Sat Oct 12, 2002 12:58 pm
by ReDucTor
Sending either a post or get request can be done with fake data, neither is impossible to do, the difference is barely any. Except one is a suffix to the URL.
Posted: Sat Oct 12, 2002 1:07 pm
by hob_goblin
from viewtopic.php?t=2095
twigletmac wrote: When you are working with stuff submitted from forms using post it's best practise to use $_POST in favour of $_REQUEST. There's a bit in the manual that describes these predefined variables. The change from register_globals on to off is being sold as a security thing. Using $_REQUEST which contains all the information from $_POST, $_GET, $_COOKIE and $_FILES removes any security benefit.
The best way to do it is to use the array that equates to the data you're trying to retrieve, $_POST for post data, $_GET for get data, $_COOKIE for cookie data etc. That way you can be sure of where the user has sent the data from.
Mac
Posted: Sat Oct 12, 2002 1:44 pm
by ReDucTor
Yes, but if you are not wanting to have method specific variables then it doesn't matter. Really, I find no point in being fussy about POST or GET, the only thing worth worrying about is COOKIES, but even they can be changed.
Posted: Sat Oct 12, 2002 1:49 pm
by hob_goblin
If you don't use $_POST or $_GET there is no point of even having register globals off, so you might as well not worry about $_REQUEST at all...
Posted: Sun Oct 13, 2002 12:08 pm
by twigletmac
If you really don't care where the user inputted data is coming from and you want people to be able to submit the data a number of different ways then maybe $_REQUEST is what you should be using since you only have to test for the existence of the variable once.
However, if you are trying to get data from a form use $_POST because it will then make sense to someone else reading your code. If you have a bunch of variables all of which are coming from different places, the URL, a form, cookies, a file upload - using the correct array for each one means your code is clearer, the way that it works is clearer and if a variable doesn't seem to be passing properly you know where to look to debug.
Mac