[FX.php List] What can possibly be wrong?
DC
dan.cynosure at dbmscan.com
Thu Jul 27 10:25:54 MDT 2006
Sometimes (as Chris Hansen just pointed out) when really weird things
happen, it is because of problems in data with high ASCII characters
or other corrupting bits. But, in my experience it is usually the
FileMaker data that holds the corrupt data that chokes the XML engine
without warning.
To answer a question you didn't ask..., I do know how you can get
rid of about 12 lines of potentially buggy code:
replace your POST assigns with the extract() function. Like so:
BUT, Stop before you do this... This is forbidden fruit and against
security principles!
See the PHP.net manual warning for extract()
----------------
Warning
Do not use extract() on untrusted data, like user-input ($_GET, ...).
If you do, for example, if you want to run old code that relies on
register_globals temporarily, make sure you use one of the non-
overwriting extract_type values such as EXTR_SKIP and be aware that
you should extract in the same order that's defined in
variables_order within the php.ini.
----------------
Ok, are you sufficiently scared? Here's the code that will open
security holes (but not much bigger than the ones you already have,
because you seem to be already using POST data raw without even
changing the variable names from the form field names):
// the easiest and most vulnerable way to use extract().
// this will achieve the same effect as your list of variable
// assigns and tell you how many variables were created
$num_of_variables_created = extract($_POST);
// this is slightly better security wise since you prefix the
// variables with the string user_:
$num_of_variables_created = extract($_POST, EXTR_PREFIX_ALL, 'user');
So from anything in your POSTed form you'll get variables named:
$user_this, $user_that, $user_formfield, etc...
But, the best way is to validate and clean all user input before
letting it anywhere near your db.
PHP is very clever that way - but tricky. Good luck.
dan
On Jul 27, 2006, at 11:59 AM, Bob Patin wrote:
> I'm trying to do the simplest of forms, and getting nada...
>
> What am I missing here??
>
> The database is online, XML is enabled for the username, all the
> fields DO exist. The problem is, I'm not even getting an error
> code. When I comment out pieces of the code it still doesn't
> process...
>
> My FX folder does exist, is being used for a cart on this site;
> this is such a simple little add-record script...
>
> <?php
> include_once('FX/FX.php');
> include_once('FX/server_data.php');
>
> $address1=$_POST['address1'];
> $address2=$_POST['address2'];
> $city=$_POST['city'];
> $state=$_POST['state'];
> $zip=$_POST['zip'];
> $country=$_POST['country'];
> $daytime_phone=$_POST['daytime_phone'];
> $email=$_POST['email'];
> $firstname=$_POST['firstname'];
> $home_or_work=$_POST['home_or_work'];
> $how_found=$_POST['how_found'];
> $interest=$_POST['interest'];
> $lastname=$_POST['lastname'];
> $who_am_i=$_POST['who_am_i'];
> $who_am_i_other=$_POST['who_am_i_other'];
>
> $create=new FX($serverIP,$webCompanionPort);
> $create->SetDBData('dbname.fp7','Guestbook'); // <- edited out the
> // real names
> $create->SetDBPassword('password','username'); // <- edited out the
> // real names
> $create->AddDBParam('address1',$address1);
> $create->AddDBParam('address2',$address2);
> $create->AddDBParam('city',$city);
> $create->AddDBParam('state',$state);
> $create->AddDBParam('zip',$zip);
> $create->AddDBParam('country',$country);
> $create->AddDBParam('daytime_phone',$daytime_phone);
> $create->AddDBParam('email',$email);
> $create->AddDBParam('firstname',$firstname);
> $create->AddDBParam('home_or_work',$home_or_work);
> $create->AddDBParam('how_found',$how_found);
> $create->AddDBParam('interest',$interest);
> $create->AddDBParam('lastname',$lastname);
> $create->AddDBParam('who_am_i',$who_am_i);
> $create->AddDBParam('who_am_i_other',$who_am_i_other);
> $createResult=$create->FMNew();
>
> echo $createResult['errorCode'];
>
> ?>
>
> Thanks,
>
> Bob Patin
> Longterm Solutions
> bob at longtermsolutions.com
> 615-333-6858
> http://www.longtermsolutions.com
>
> CONTACT US VIA INSTANT MESSAGING:
> AIM or iChat: longterm1954
> Yahoo: longterm_solutions
> MSN: tech at longtermsolutions.com
> ICQ: 159333060
>
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
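The following is an added example, not code from either post on this thread and not part of the FX.php project. It shows what Dan's warning about extract() means in practice and one way to do the "validate and clean all user input" step he recommends before any value reaches AddDBParam(). The request array, the settings variables $serverIP and $webCompanionPort (the names Bob's script reads from server_data.php), the field rules and the function read_guestbook_fields() are all constructed for this illustration.

```php
<?php
// Added example: why extract($_POST) is dangerous, and a whitelist-and-validate
// alternative for the guestbook form. Not from the mailing list post or FX.php.

// Constructed stand-in for $_POST: the expected form fields plus one extra key
// that a client could add to the request even though the form has no such field.
$post = [
    'firstname'     => 'Ada',
    'lastname'      => 'Lovelace',
    'email'         => 'ada@example.com',
    'zip'           => '37211',
    'daytime_phone' => '615-555-0100',
    'serverIP'      => '10.0.0.99',      // not a form field at all
];

// Settings that server_data.php would normally define (assumed values).
$serverIP = '192.0.2.10';
$webCompanionPort = 80;

// 1. Raw extract(): every POST key becomes a local variable, so the extra key
//    silently replaces the server address the script is about to connect to.
$before = $serverIP;
$num = extract($post);
echo "extract() created $num variables; serverIP changed from $before to $serverIP\n";
$serverIP = $before; // put it back for the next two steps

// 2. EXTR_SKIP (the manual's suggestion) leaves existing variables alone, but
//    still turns every other client-supplied key into a variable, unvalidated.
extract($post, EXTR_SKIP);
echo "EXTR_SKIP: serverIP is still $serverIP\n";

// 3. EXTR_PREFIX_ALL (Dan's second snippet) cannot collide with your own names,
//    but $user_serverIP now exists and nothing has been validated yet.
extract($post, EXTR_PREFIX_ALL, 'user');
echo "EXTR_PREFIX_ALL: user_firstname=$user_firstname, user_serverIP=$user_serverIP\n";

// 4. The approach Dan recommends: read only the fields you expect, check each
//    one, and refuse the request on any failure. Unknown keys are never touched.
function read_guestbook_fields(array $input): array
{
    // Per-field rules (constructed for the example; adjust to the real form).
    $rules = [
        'firstname'     => ['max' => 50],
        'lastname'      => ['max' => 50],
        'email'         => ['max' => 254, 'filter' => FILTER_VALIDATE_EMAIL],
        'zip'           => ['max' => 10,  'regex'  => '/^[0-9A-Za-z -]+$/'],
        'daytime_phone' => ['max' => 20,  'regex'  => '/^[0-9+() .-]+$/'],
    ];

    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        // Only accept a plain string; arrays (field[]=...) are rejected.
        $value = isset($input[$field]) && is_string($input[$field])
            ? trim($input[$field]) : '';

        if ($value === '') {
            $errors[] = "$field is required";
            continue;
        }
        if (strlen($value) > $rule['max']) {
            $errors[] = "$field is longer than {$rule['max']} characters";
            continue;
        }
        if (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[] = "$field is not valid";
            continue;
        }
        if (isset($rule['regex']) && !preg_match($rule['regex'], $value)) {
            $errors[] = "$field contains unexpected characters";
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

[$fields, $errors] = read_guestbook_fields($post);
if ($errors !== []) {
    http_response_code(400);
    echo "Rejected: " . implode('; ', $errors) . "\n";
    exit;
}

// Only the validated fields go to FX. In the real script this would be:
//   $create = new FX($serverIP, $webCompanionPort);
//   foreach ($fields as $name => $value) { $create->AddDBParam($name, $value); }
echo "Validated fields: " . implode(', ', array_keys($fields)) . "\n";
```

Running this under the PHP CLI prints the three extract() outcomes first (step 1 shows $serverIP being overwritten), then the validated field list. The point of the last step is that the set of accepted names is fixed in the code, so a request cannot create or alter any variable the script did not ask for, and each value is checked before it is handed to AddDBParam().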