|
|
 |
|
|
Thread Tools | Display Modes |
Nov 9th, 2004, 10:05 AM
|
#1 |
|
Programming Guru
 
Join Date: May 2004
Location: Brandon, Manitoba, Canada
Posts: 2,023
Rep Power: 7
   |
Hey,
I am currently webifying one of my vb apps. I am ofcourse using PHP and Postgresql. Anyways, i am having trouble grabing values from the url. Here is the code that generates the link that the user clicks: case "list":
//Settting up for db transaction.
$db = new dbobj();
$db->setUser($postgres_user);
$db->setDBname($database);
//connecting to the db.
if ($db->conn())
{
//now to do a select and output all of the customers.
$res = $db->dbSelect("*", "customerinfo", "");
if (pg_num_rows($res) > 0)
{
echo "<table width=\"500\" cellpadding=\"0\" cellspacing=\"0\">\n";
echo "<tr>\n"
."<td align=\"center\" bgcolor=\"$background2\"><font color=\"$background1\"><b>Company Name:</b></font></td>\n"
."<td align=\"center\" bgcolor=\"$background2\"><font color=\"$background1\"><b>City:</b></font></td>\n"
."<td align=\"center\" bgcolor=\"$background2\"><font color=\"$background1\"><b>Street Address:</b></font></td>\n"
."<td align=\"center\" bgcolor=\"$background2\"><font color=\"$background1\"><b>Contact Name:</b></font></td>\n"
."</tr>\n";
for ($x=0; $x<pg_num_rows($res); $x++)
{
$data = pg_fetch_object($res, $x);
$company = htmlentities(urlencode($data->companyname));
$cityu = htmlentities(urlencode($data->city));
$saddy = htmlentities(urlencode($data->streetaddress));
echo "<tr>\n"
."<td align=\"left\"><a href=\"cuslist.php?action=cusinfo&cname=$company&city=$cityu&streeta=$saddy\">$data->companyname</a></td>\n"
//The above line is the link that the user clicks to run the next block of code.
."<td align=\"left\">$data->city</td>\n"
."<td align=\"left\">$data->streetaddress</td>\n"
."<td align=\"left\">$data->firstname $data->lastname</td>\n"
."</tr>\n";
}
echo "</table>\n";
}
else
{
echo "<tr>\n";
echo "<td colspan=\"4\" align=\"center\"><b>There are no customers in the database.</b></td>\n";
echo "</tr>\n";
echo "</table>\n";
}
}
else
{
echo "<center><b>Error, there was a problem while trying to connect to the database.</b></center>";
}
break;Anyways, when i click that link this is the code that get run. case "cusinfo":
//setting up objects:
$db = new dbobj();
$db->setUser($postgres_user);
$db->setDBname($database);
//connecting:
if ($db->conn())
{
//Search the db for the customer/
$comapny = html_entity_decode(urldecode($cname));
$city = html_entity_decode(urldecode($city));
$street = html_entity_decode(urldecode($streeta));
echo $city . "<---City " . $company . "<---Company " . $street . "<---Street Address";
if ($company <> "" && $city <> "" && $street <> "")
{
$res = $db->dbSelect("*", "customerinfo", "companyname='$company' AND city='$city' AND streetaddres='$street'");
if (pg_num_rows($res) == 1)
{
//Output Shit For the Customer INfo:
$data = pg_fetch_object($res, 0);
echo "<table width=\"500\" cellpadding=\"0\" cellspacing=\"0\">\n"
."<tr>\n"
."<td align=\"center\ colspan=\"4\"><font size=\"5\"><b><u>$data->companyname</u></b></font></td>\n"
."</tr>\n"
."<td align=\"left\" colspan=\"4\"><font size=\"4\"><b><u>Contact Information:</u></b></td>\n"
."</tr>\n"
."<tr>\n"
."<td align=\"left\"><b>First Name:</b></td>\n"
."<td align=\"center\">$data->firstname</td>\n"
."<td align=\"Left\"><b>Last Name:</b></td>\n"
."<td align=\"Center\">$data->lastname</td>\n"
."</tr><tr>\n"
."<td align=\"center\" colspan=\"2\"><b>Email:</b></td>\n"
."<td align=\"Center\" colspan=\"2\">$data->email</td>\n"
."</tr><tr>\n"
."<td align=\"left\"><b>Phone Number:</b></td>\n"
."<td align=\"center\">$data->landphone</td>\n"
."<td align=\"left\"><b>Fax:</b></td>\n"
."<td align=\"center\">$data->fax</td>\n"
."</tr><tr>\n"
."<td align=\"left\" colspan=\"4\"><font size=\"4\"><b><u>Mailing Address:</u></b></td>\n"
."</tr><tr>\n"
."<td align=\"left\"><b>Country:</b></td>\n"
."<td align=\"center\">$data->country</td>\n"
."<td align=\"left\"><b>Province:</b></td>\n"
."<td align=\"center\">$data->provincestate</td>\n"
."</tr><tr>\n"
."<td align=\"left\"><b>City:</b></td>\n"
."<td align=\"center\">$data->city</td>\n"
."<td align=\"left\"><b>Street Address:</b></td>\n"
."<td align=\"center\">$data->streetaddress</td>\n"
."</tr><tr>\n"
."<td align=\"left\" colspan=\"2\"><b>Postal/Zip Code:</b></td>\n"
."<td align=\"center\" colspan=\"2\">$data->postalzip</td>\n"
."</tr><tr>\n"
."<td align=\"left\" colspan=\"4\"><font size=\"4\"><b><u>Other Information:</u></b></font></td>\n"
."</tr><tr>\n"
."<td align=\"left\"><b>Customer Level:</b></td>\n"
."<td align=\"center\">$data->cuslevel</td>\n"
."<td align=\"left\"><b>Type of Customer:<b></td>\n"
."<td align=\"center\">$data->type</td>\n"
."</tr><tr>\n"
."<td align=\"center\" colspan=\"2\"><b>OEM Type:</b></td>\n"
."<td align=\"center\" colspan=\"2\">$data->oemtype</td>\n"
."</tr><tr>\n"
."<td align=\"left\"><b>GST #:</b></td>\n"
."<td align=\"center\">$data->gst</td>\n"
."<td align=\"left\"><b>PST #:</td>\n"
."<td align=\"center\">$data->pst</td>\n"
."</tr><tr>\n"
."<td align=\"center\" colspan=\"4\"><b>Comments:</b></td>\n"
."<td align=\"center\" colspan=\"4\"><p align=\"left\">$data->comments</p></td>\n"
."</tr></table>\n";
}
else
{
echo "<table width=\"500\" cellspacing=\"0\" cellpadding=\"0\">\n"
."<tr>\n"
."<td align=\"center\" bgcolor=\"$errorcolor\">\n";
$e->queryerror();
echo "</td></tr></table>\n";
}
}
else
{
echo "<table width=\"500\" cellpadding=\"0\" cellspacing=\"0\">\n";
echo "<tr>\n";
echo "<td align=\"center\" bgcolor=\"$errorcolor\">\n";
$e->queryerror();
echo "</td></tr></table>\n";
}
}
else
{
echo "<table width=\"500\" cellpadding=\"0\" cellspacing=\"0\">\n"
."<tr>\n"
."<td align=\"center\" bgcolor=\"$errorcolor\">\n";
$e->dberror();
echo "</td></tr></table>";
}
break;
__________________
Profanity is the one language that all programmers understand. Check out my Blog <---updated Nov 30 2007! |
|
|
|
Nov 9th, 2004, 11:51 AM
|
#2 |
|
Expert Programmer
Join Date: Jul 2004
Location: Halifax, Nova Scotia (Canada)
Posts: 784
Rep Power: 5
|
MY guess is that you are using PHP 4.1 or greater and the PHP GLOBALS have been disabled (because you script is VERY vulnerable to attack if it were not disabled).
When you pass a variable through an HTTP POST or an HTTP GET such as http://.../?foo=bar you do not access it through $foo, you have to access it through $_REQUEST[foo]. This prevents people from "Seeding" invalid global variables, or initialize variables that should not otherwise be initialized, causing severe security vulnerabilities in your script.
__________________
Clifford Matthew Roche <geek@cliffordroche.com> Web Hosting: http://www.crd-hosting.com Consulting: http://www.crdev-consulting.com |
|
|
|
|
Nov 9th, 2004, 2:50 PM
|
#3 |
|
Programming Guru
Join Date: May 2004
Location: Brandon, Manitoba, Canada
Posts: 2,023
Rep Power: 7
|
Yeah i know, but the GLOBALS is turned on currently, however i have tryied it both ways and gotten the same results both times.
__________________
Profanity is the one language that all programmers understand. Check out my Blog <---updated Nov 30 2007! |
|
|
|
|
| Bookmarks |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
