
Reading and printing in Php

Posted: Thu Apr 15, 2004 6:47 am
by Kon-Tiki
I'm studying php and got stuck at a thing as simple as a guestbook. I can get the input and store it to a .txt-file, but I don't know how to access the file and show all the inputs. I've looked through w3schools.com, an e-book I have and the php-site itself, but can't find anything that might help :-\

Re:Reading and printing in Php

Posted: Thu Apr 15, 2004 6:59 am
by BI lazy
That's a simple task, provided you have concatenated the fields of each entry with some special char combo like && or ||. In PHP it is nothing more than:

Code:

$entry = $nomen . "||" . $est . "||" . $omen . "||" . $text . "\n"; // one entry per line

//open the file:
$fd = @fopen("guestbook", "a"); //"a" for append!
@fwrite($fd, $entry); //write the whole entry
@fclose($fd);

//now you wanna read out the contents of the stuff ...
$fd = @fopen("guestbook", "r");
while (($line = @fgets($fd, 1024)) !== false) { //read til eof but max 1024 chars per line
  //now comes the interesting part: we explode our actual line
  //(separator first, then the string; strip the line break first):
  $entries = explode("||", rtrim($line, "\r\n"));
  //you can access the elements of $entries per index:
  $nomen = $entries[0];
  $est   = $entries[1];
  $omen  = $entries[2];
  $text  = $entries[3];
  //here it is up to you to perform some processing ...
}
@fclose($fd);

I hope this is of any help, for my PHP is a little bit rusty *g*
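The same store-and-read-back idea, written as an added example (this is not BI lazy's code). It keeps one entry per line with "||" between the fields, and handles the two inputs that break that format: a "||" typed into a field would shift every later field, and a line break typed into the message would start a bogus second record. The file name guestbook.txt and the function names are assumptions for this example.

```php
<?php
// Added example: a line-based guestbook store with "||" as field separator.
// guestbook.txt and the helper names are assumptions for this example.

define('GUESTBOOK_FILE', 'guestbook.txt');
define('FIELD_SEP', '||');

// Neutralise characters that would break the record format. Both are replaced
// rather than rejected so the visitor's text is kept.
function clean_field($value)
{
    $value = str_replace(array("\r", "\n"), ' ', $value);
    return str_replace(FIELD_SEP, '| |', $value);
}

function add_entry($name, $email, $homepage, $text)
{
    $fields = array_map('clean_field', array($name, $email, $homepage, $text));
    $line = implode(FIELD_SEP, $fields) . "\n";
    // LOCK_EX stops two visitors posting at the same moment from interleaving
    // their half-written lines in the file.
    return file_put_contents(GUESTBOOK_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

function read_entries()
{
    $entries = array();
    if (!is_readable(GUESTBOOK_FILE)) {
        return $entries;
    }
    foreach (file(GUESTBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $fields = explode(FIELD_SEP, $line);
        if (count($fields) !== 4) {
            continue; // damaged or truncated record: skip it instead of guessing
        }
        $entries[] = array(
            'name'     => $fields[0],
            'email'    => $fields[1],
            'homepage' => $fields[2],
            'text'     => $fields[3],
        );
    }
    return $entries;
}

// Constructed sample input containing both awkward cases handled above.
add_entry('Kon-Tiki', 'kon@example.invalid', 'http://example.invalid', "Hello\nworld || again");

echo "<table>\n";
foreach (read_entries() as $e) {
    // Escape at output time so stored text can never become markup.
    echo '<tr><td>' . htmlspecialchars($e['name']) . '</td><td>'
       . htmlspecialchars($e['text']) . "</td></tr>\n";
}
echo "</table>\n";
```

read_entries() skips any line that does not split into exactly four fields, so a record damaged by a crash mid-write is dropped rather than shifting the columns of everything after it.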

Re:Reading and printing in Php

Posted: Thu Apr 15, 2004 7:16 am
by BI lazy
Before you get lost in tons of websites about how to output the stuff:

echo "xxx".$var; after the retrieval of the line does the trick quite fine. You want to put this stuff in a table? Have echo output the tags too. Open the table tag before the while loop and close it afterwards: ?><table><?php and the according closing tag.

Re:Reading and printing in Php

Posted: Thu Apr 15, 2004 9:12 am
by Kon-Tiki
Wooo! It works! Got a lot of help from Eero on little tidbits I wouldn't've learned 'bout otherwise. My code is here.

Re:Reading and printing in Php

Posted: Thu Apr 15, 2004 1:08 pm
by AGI1122
With a script like this you need to make sure that you clean up the input to ensure it doesn't have html in it. Otherwise people would be able to hack your site.

Re:Reading and printing in Php

Posted: Thu Apr 15, 2004 1:32 pm
by Kon-Tiki
Yeah, Eero told me 'bout it, but we couldn't get the code to work ::) Another thing that's lacking, is IP-logging in the .txt-file without showing it online, or showing it as stars, but that's way too advanced for me at the moment.

Re:Reading and printing in Php

Posted: Thu Apr 15, 2004 3:26 pm
by AGI1122
Use the function htmlspecialchars() to remove the HTML.

An example of its use:
$_POST['user'] = htmlspecialchars($_POST['user']);

It will turn HTML into entities, which makes it safe from JavaScript and HTML being executed.
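What htmlspecialchars() actually turns a posted field into, as an added example (not AGI1122's code). It also shows the ENT_QUOTES flag, which the bare call leaves out: without it the single quote is left alone, so a value placed inside a single-quoted attribute could still close that attribute. The sample inputs are constructed; ENT_SUBSTITUTE assumes PHP 5.4 or later.

```php
<?php
// Added example: escaping a guestbook field for HTML output. The sample
// inputs are constructed.

function render_field($value)
{
    // ENT_QUOTES also converts the single quote to &#039;. ENT_SUBSTITUTE
    // replaces invalid UTF-8 bytes instead of making the function return an
    // empty string, which would silently blank the whole entry.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = array(
    "<b>bold</b> & <script>alert('hi')</script>",   // markup and script
    "O'Brien said \"hello\"",                        // both quote styles
    "bad bytes: \xC3\x28",                           // invalid UTF-8
);

echo "<table>\n";
foreach ($samples as $raw) {
    // Inside the cell the browser shows the characters literally instead of
    // interpreting them, and the single-quoted title attribute stays closed.
    echo "<tr><td title='" . render_field($raw) . "'>" . render_field($raw) . "</td></tr>\n";
}
echo "</table>\n";
```

Escaping at the point of output, as here, has one advantage over escaping when the post arrives: the file keeps the visitor's original text, so the same entry can later be shown in a different context (plain-text e-mail, RSS) with the escaping that context needs.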

Re:Reading and printing in Php

Posted: Fri Apr 16, 2004 5:13 am
by Eero Ränik
Yeah, we should've added htmlspecialchars(); back after deleting the whole line to fix a bug... :P
Anyway, the most simple way to log IPs is to use a different TXT-file.
Getting an IP-address:

Code:

if (getenv('HTTP_X_FORWARDED_FOR')) {
    $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
}
else {
    $ipaddress = getenv('REMOTE_ADDR');
}
or a shorter one:

Code:

$ipaddress = (getenv('HTTP_X_FORWARDED_FOR') ? getenv('HTTP_X_FORWARDED_FOR') : getenv('REMOTE_ADDR'));
Don't forget logging the date and time, otherwise there's no use of logging IPs. You could also add date and time to the main page, since there's no use of hiding them.
Anyway, there are lots of things you could do with your guest book. Like adding special tags (like YABBC tags), smilies, removing strong language from a post, IP-banning and stuff...
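An added example (not Eero's code) of logging the visitor's address with a timestamp into a separate file. HTTP_X_FORWARDED_FOR is just a request header, so anyone can send one containing whatever they like; the example only believes it when the connection itself came from a proxy listed in $trusted_proxies, and validates the result as an IP address either way. The log file name, the proxy list and the function names are assumptions for this example.

```php
<?php
// Added example: IP logging that trusts X-Forwarded-For only behind a known
// proxy. iplog.txt and the proxy addresses are assumptions for this example.

define('IP_LOG_FILE', 'iplog.txt'); // keep this file outside the web root

function client_ip(array $server, array $trusted_proxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    // Only believe the header when the TCP peer is one of our own proxies.
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The header may hold a chain "client, proxy1, proxy2"; the client is first.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($parts[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Otherwise use the address the connection actually came from.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : 'unknown';
}

function log_visit($ip, $name)
{
    // One fixed-format line per visit; strip line breaks so a posted name
    // cannot forge extra log lines.
    $name = str_replace(array("\r", "\n"), ' ', $name);
    $line = date('Y-m-d H:i:s') . "\t" . $ip . "\t" . $name . "\n";
    return file_put_contents(IP_LOG_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

$trusted_proxies = array('10.0.0.5'); // our own reverse proxy (constructed)

// Constructed request: a visitor reaching us through that proxy, so the
// first address in the header is taken as the client.
$via_proxy = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5',
);
log_visit(client_ip($via_proxy, $trusted_proxies), 'Kon-Tiki');

// Constructed direct connection carrying the same header: the peer is not a
// proxy, so the header is ignored and REMOTE_ADDR is logged instead.
$direct = array(
    'REMOTE_ADDR'          => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
);
log_visit(client_ip($direct, $trusted_proxies), 'visitor');
```

In a real script the first argument is $_SERVER; passing the array in makes the function testable with constructed requests like the two above.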

Re:Reading and printing in Php

Posted: Fri Apr 16, 2004 2:07 pm
by Neo
A related question.....
I was wondering about access rights for PHP scripts.
Do you keep the scripts in a folder with 'execute' only rights?
Or does it have to have the 'read' rights enabled too?
How can security be improved when using PHP scripts?

Re:Reading and printing in Php

Posted: Fri Apr 16, 2004 2:13 pm
by AGI1122
Well for security... make sure to code your scripts so that they work with register_globals turned off in PHP.

If you are working with a database make sure to escape all data to ensure they can't poison the query.

And never print out any data inputted by a user unless you remove HTML from it.

Make sure to initialize variables before you use them.

As for permissions, you can in most cases leave chmods the way they are unless you have a host that requires you to chmod them to be executable. And yes, it has to have read and execute rights.

Re:Reading and printing in Php

Posted: Fri Apr 16, 2004 2:18 pm
by Neo
Chris Cromer wrote: If you are working with a database make sure to escape all data to ensure they can't poison the query.
What does escape all data mean?
And never print out any data inputted by a user unless you remove HTML from it.
Do you mean parsing it char by char?

Sorry but I'm a total newbie here. :)

Re:Reading and printing in Php

Posted: Fri Apr 16, 2004 3:03 pm
by AGI1122
Alright, here is an example mysql query which has a variable inputted by a user:

Code:

UPDATE table_name SET username='$_POST[name]' WHERE (username='AGISCI');
This query is to change the username, but unfortunately you can cause something extremely bad to happen because $_POST[name] isn't cleaned up.

Now if I were to put my name as this:

Code:

AGISCI',group='Administrator
It would turn my account into an Administrator account!

The solution is to escape the variable to make sure it isn't poisoned, like so.

To remedy this problem I would do this to the variable:

Code:

$_POST['name'] = htmlspecialchars($_POST['name']);
$_POST['name'] = addslashes($_POST['name']);
Now, the first line would remove all HTML from the variable and turn it into entities. The second line would escape the variable to ensure it can't be poisoned when put in a MySQL query.

Using addslashes on that input would turn it into this:

Code:

AGISCI\',group=\'Administrator
Those slashes are known as escaping. With those slashes there it makes it so that the ' is not the end of the string.

Also, something I just thought of that you need to be careful of: if you have any code that opens, reads, or writes to files based on user input, make sure the user input does not contain a period or a slash. With those they could hijack the file system and open/read/write to any file anywhere on the computer.
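An added example (not AGI1122's code) covering both points of this post. The username update is done with a prepared statement, which is the technique that has since replaced addslashes() for keeping user data out of the SQL text: the value is sent to the driver separately, so a name containing quotes and commas is stored as a literal username and cannot alter the statement. The second function builds a file name from user input and keeps it inside one directory. The table and column names, the in-memory SQLite database used instead of MySQL, and the function names are assumptions for this example.

```php
<?php
// Added example: a parameterised UPDATE and a safe file-name check. Table,
// columns, the SQLite stand-in for MySQL and the helper names are assumptions.

function change_username(PDO $db, $old_name, $new_name)
{
    // The SQL text contains no user data at all; the driver sends the values
    // separately, so the quote in $new_name never ends the string.
    $stmt = $db->prepare('UPDATE table_name SET username = :new WHERE username = :old');
    $stmt->execute(array(':new' => $new_name, ':old' => $old_name));
    return $stmt->rowCount(); // number of rows changed
}

// Accept only a plain file name inside $base_dir: any directory part, "..",
// hidden names and odd characters in the user input are refused or dropped.
function safe_path($base_dir, $user_supplied)
{
    $base = realpath($base_dir);
    if ($base === false) {
        return false;                                   // directory does not exist
    }
    $name = basename($user_supplied);                   // drops any directory part
    if ($name === '' || $name[0] === '.') {
        return false;                                   // no empty or hidden names
    }
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        return false;                                   // whitelist of characters
    }
    $full = $base . DIRECTORY_SEPARATOR . $name;
    // realpath() resolves symlinks; an existing file must still sit under $base.
    $resolved = file_exists($full) ? realpath($full) : $full;
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $full;
}

// Constructed use: an in-memory SQLite database stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE table_name (username TEXT, grp TEXT DEFAULT 'user')");
$db->exec("INSERT INTO table_name (username) VALUES ('AGISCI')");

// The poisoned name from the post above is now just a string value: one row
// gets that literal username and the grp column is untouched.
change_username($db, 'AGISCI', "AGISCI',group='Administrator");
foreach ($db->query('SELECT username, grp FROM table_name') as $row) {
    echo htmlspecialchars($row['username']) . ' / ' . htmlspecialchars($row['grp']) . "\n";
}

// File names: the first stays inside the directory, the second loses its
// "../other_dir/" part because only the base name is used.
var_dump(safe_path(sys_get_temp_dir(), 'entry.txt'));
var_dump(safe_path(sys_get_temp_dir(), '../other_dir/guestbook.txt'));
```

A prepared statement needs no escaping at all, and it also avoids the double-encoding that applying htmlspecialchars() before storing causes (the database would then hold "&amp;" where the visitor typed "&").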

Re:Reading and printing in Php

Posted: Sat Apr 17, 2004 7:56 pm
by Kon-Tiki
Added those safety lines (anti-html and anti-slashes) and IP-logging in a different file (along with logging the message, sender and e-mail address in that different file too) and a timestamp on both. I don't really understand the ip-logging code Eero showed (used the second because it was less lines, but as I'm trying to fully understand the code as I use it, I'll have to see how it works or remove it)
Now another security problem has arisen, but it's not php-like. That txt-file with the IP's logged is chmodded 777, but as I forgot all about chmod, I forgot how to change it so that the php-script can write to it and that I myself can write and see it, but nobody else can even see it. It'd beat the purpose of using a different file for logging the IP if everybody could just open that file :-\

Oh, and the code now: Here-o. Next step: a bar with emoticons that'll add the one you click on (like on boards) ;D

Re:Reading and printing in Php

Posted: Sun Apr 18, 2004 12:40 am
by Candy
Kon-Tiki wrote: Now another security problem has arisen, but it's not php-like. That txt-file with the IP's logged is chmodded 777, but as I forgot all about chmod, I forgot how to change it so that the php-script can write to it and that I myself can write and see it, but nobody else can even see it. It'd beat the purpose of using a different file for logging the IP if everybody could just open that file :-\
Make the owner you, the group the group of the php daemon, and chmod it 620. (first number is you (4=read, 2=write, 1=execute), second is group, third is world. This means you read/write, the group writes and the world doesn't touch it).

Note that root can still view it anyway :)

Re:Reading and printing in Php

Posted: Sun Apr 18, 2004 1:21 am
by Eero Ränik
Those IP-logging codes were the same, the second just used a bit more professional way of writing if...else statements.
Basically, it just checks if the environment variable HTTP_X_FORWARDED_FOR has a value (in case the user uses a proxy server or is behind a router). If it doesn't, $ipaddress will have the value of REMOTE_ADDR (which is an IP-address of the user; if we don't check for forwarding, it also could be the proxy, or the router).
The easiest way of doing smilies:
First, the Javascript part.

Code:

<script>
function add(smiley) {
document.forms['formname'].comment.value += smiley;
document.forms['formname'].comment.focus();
}
</script>
In your case, the form must have a name attribute.

Code:

<form name="formname" action="test.php" method="POST">
Then add a line

Code:

$_POST['comment'] = str_replace(":)","<img src='smiley.gif'>",$_POST['comment']);
after the line with htmlspecialchars. Change it according to the smilies you want to add.
Now, to insert a smiley, you can use this:

Code:

<a href="javascript:add(':)')"><img src="smiley.gif" border="0"></a>
Words 'Java' and 'Script' should be together, the board separates them...