boen_robot

Everything posted by boen_robot

  1. boen_robot

    Security for post

    Your script never does these two things at once. It only does one after the other. E.g.

        <?php
        $mysqli = new mysqli(...);
        $username = $_POST['username'];
        $mysqli->query("SELECT * FROM `users` WHERE `username`='" .
            //At this moment, we're about to create a string that is part of a MySQLi query.
            //Time to do mysqli_real_escape_string() over the input (in this case $username)
            $mysqli->real_escape_string($username) .
            "'"
            //MySQLi string just ended. We don't want the input containing anything MySQLi related any more,
            //and because we never rewrote $username, that's exactly what's happening.
        );
        echo '<div>Hello ',
            //We're about to write something as part of the HTML output.
            //We want this to be plain text, so it's time to use htmlspecialchars().
            //Because we're still working with the original data (not the one mysqli_real_escape_string() produced),
            //this will work equally well, regardless of what $_POST['username'] contains.
            htmlspecialchars($username),
            '</div>';

    vs

        <?php
        $mysqli = new mysqli(...);
        //Contrary to what you might think, your script is still doing one thing after the other:
        //First htmlspecialchars(), and then mysqli_real_escape_string() operates over that.
        $username = $mysqli->real_escape_string(htmlspecialchars($_POST['username']));
        $mysqli->query("SELECT * FROM `users` WHERE `username`='" .
            //No SQL injection, because mysqli_real_escape_string was the outer most function we applied.
            //However, if $_POST['username'] contains any quotes, "<", ">", or "&",
            //you'll notice your DB is now storing something different from the other example.
            $username .
            "'"
        );
        echo '<div>Hello ',
            //We're about to write something as part of the HTML output.
            //You may think you're safe because of htmlspecialchars(). Strictly speaking, in this particular case,
            //that's true, BUT if $_POST['username'] contains any apostrophes, you'll see them prepended with a slash.
            $username,
            '</div>';
  2. boen_robot

    Security for post

    The point is you shouldn't be adding stuff.

    You're approaching the problem with the idea that you have "hackable data"™, with which you do something, and it becomes "unhackable data"™. Things don't work that way.

    Instead, you have "data safe for X, damaging the intended content in Y, unsafe for Z". No matter how many functions you pass over a piece of data, you always have X, Y and Z in there. The only difference is what X, Y and Z actually are.

    When you apply mysqli_real_escape_string(), you're making your data "safe for a string in MySQLi, damaging the intended content for almost anything else (including HTML), unsafe for a file path (and perhaps a few other things)".

    Similarly, when you apply htmlspecialchars(), you're making your data "safe for (X)HTML text, damaging the intended content for almost anything else (including a MySQLi string), unsafe for a URL (and perhaps a few other things)".

    So... to protect yourself from an SQL injection, you "use mysqli_real_escape_string() when the data is about to become a string in a MySQL query". At that moment (ONLY at that moment), the fact that the result of mysqli_real_escape_string() is unsecured or damaging in other contexts is irrelevant, because the context of an SQL query is the only one you need to care about at that moment.

    To protect yourself from an XSS attack, you "use htmlspecialchars() when the data is about to be written as a plain text within an HTML document". And again, ONLY at that moment.
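    The two orderings that posts 1 and 2 above describe, as an added example in Python rather than the post's PHP (this is not boen_robot's code): the two escape helpers are stand-ins that mimic what mysqli_real_escape_string() and htmlspecialchars() do to a string, and SAMPLE_INPUT is a constructed value.

```python
import html

# Constructed sample input: an apostrophe (meaningful to SQL) plus angle
# brackets and an ampersand (meaningful to HTML).
SAMPLE_INPUT = "O'Neil <b>&</b>"


def escape_for_mysql_string(value):
    """Stand-in for mysqli_real_escape_string(): backslash-escape the
    characters it escapes (NUL, backslash, both quotes, \\n, \\r, Ctrl-Z).
    Demonstration only; real code uses the driver's function or, better,
    a prepared statement with bound parameters, which needs no escaping."""
    table = {"\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_for_html_text(value):
    """Stand-in for htmlspecialchars() with its pre-PHP-8.1 default flags
    (ENT_COMPAT): encode &, <, > and double quotes, leave the apostrophe."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def right_order(raw):
    """Keep the raw value; escape for each context at that boundary only."""
    query = ("SELECT * FROM `users` WHERE `username`='"
             + escape_for_mysql_string(raw) + "'")               # SQL boundary
    page = "<div>Hello " + escape_for_html_text(raw) + "</div>"  # HTML boundary
    return query, page


def wrong_order(raw):
    """HTML-escape first, SQL-escape that, then reuse one value everywhere:
    the database stores HTML entities, and the page shows the SQL backslash."""
    username = escape_for_mysql_string(escape_for_html_text(raw))
    query = "SELECT * FROM `users` WHERE `username`='" + username + "'"
    page = "<div>Hello " + username + "</div>"
    return query, page


if __name__ == "__main__":
    for label, build in (("right", right_order), ("wrong", wrong_order)):
        query, page = build(SAMPLE_INPUT)
        print(label, "SQL :", query)
        print(label, "HTML:", page)
```

    Compare the two SQL strings to see what each version would store, and the two HTML strings to see the stray backslash the post mentions.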
  3. boen_robot

    Security for post

    ?You didn't catch a word of what I said, did you?
  4. boen_robot

    Security for post

    The point justsomeguy is trying to get at is that there's no universal "enough" way to deal with input. It depends on what you're about to do with the given input.

    If you're about to write it as part of HTML output, htmlspecialchars() is enough to turn the input into plain text, and thus protect your users from XSS attacks.

    If you're about to insert this into a database, that's not enough at all, and in fact, should not be used to begin with. You must use something like mysqli_real_escape_string() instead of htmlspecialchars().
  5. You're right. It is. However, if you look carefully at the "if" section, you'll see the URL being pointed at the meta tag is that exact same PHP file, except with an "?id" attached, which in turn triggers the XML file to show.

    With the XML's MIME type and syntax error fixed, I'm personally out of ideas, given the docs. I don't yet use Windows 8, so I can't debug this personally.
  6. There is a meta tag at http://chsites.co.uk/test.php*. And with a frequency specified too. With the syntax error in the XML part now fixed, and http://chsites.co.uk/test.php?id=3 now pointing to a valid (according to the MSDN page) XML file, that's now 3 out of 3.

    If you're trying to give a different kind of hint, he's not getting it, and neither am I.

    * Unless what you're trying to say is that THAT page needs to be pinned, and not the XML file, or anything else with "?id" attached. Craig, you are doing that, right? You are not trying to pin the XML file?
  7. Regardless of whether they're in the default namespace or not, you need to register the namespace URI in XPath, and assign a prefix for it (which doesn't have to be the one used in the document). After that, both will be matched against the same expressions.
  8. boen_robot

    XML Schema basics

    It's not that the XSD "doesn't affect directly on xml", it's that browsers don't validate XML files, whether that's with DTD, XML Schema or anything else.

    To see XML Schema do its thing, you need to give the XML file to an XML Schema validator, which would then tell you what errors are there, if any, in the XML, or the schema itself.

    There are validators included in many editors that support XML, such as Stylus Studio, triggered by the click of a button.

    If you want to automatically (via a web application that is) check if an XML file is valid against an XML Schema, there are also APIs in various languages, such as PHP's DOMDocument::schemaValidate() method for example.
  9. Ahhh.... Just... replace

        header("Content-type: text/xml");
        $xml_output = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n";
        $xml_output .= "<badge value="newMessage"/>\n";
        echo $xml_output;

    with

        header("Content-type: application/xml");
        $xml_output = '<?xml version="1.0" encoding="utf-8"?><badge value="newMessage"/>';
        echo $xml_output;

    And retry it. You may need to re-pin the site before the changes take effect.

    @thescientist While I can see you're trying to teach a man to fish, rather than giving him fish, which is all well and good... I think after the first failure, you may've wanted to postpone the fishing lesson, figuratively speaking.
  10. You could write separate XML files, and only merge them in the end by a final thread that waits for all others to finish.
  11. Hmm... it actually seems the MSDN page agrees with you Ingolme... I used the other term anyway not only because of PHP, but also because that's the term I used on the MSDN search to find that page.

    Personally, I'm not sure that "ambiguity in the context of other operators" should ever really be an issue in naming an operator. Bitwise operators, if mixed with arithmetic operators, can become ambiguous when a programmer tries to interpret them. Arithmetic operators alone can sometimes do that.

    But that's purely a philosophical issue (with no practical impact), so we can agree to disagree.
  12. Yes, it's a kind of an if statement. Formally called "ternary operator". The syntax is condition ? if-true : if-false See this MSDN page for details.
  13. boen_robot

    Homework

    You don't need anyone to assign you homework. You can assign one yourself, based on whatever level you think you're at.

    Just remind yourself about all the things you already know, and ask yourself what you can build using those things. Once you do that, try to extend it further, and see what you need to know next to do that.
  14. boen_robot

    new pc spec

    Everybody is... but you don't have much choice. It's either that, or investing money for a flawless isolation (and air conditioning) for your apartment.
  15. When you know what you're doing - no... as in "there's nothing wrong with such code".

    The warning is for newbies who do assignments when what they meant was an equals check. Heck, back when I was first learning PHP, I made this mistake too. Only instead of having NetBeans help me (I used Dreamweaver, which doesn't have such warnings), it was justsomeguy who did.
  16. boen_robot

    I have question

    Pretty much a beginner, still... because understanding XML also means being familiar with related APIs or languages, such as XPath, XSLT, DOM and more.
  17. boen_robot

    new pc spec

    Yes, Gigabyte were the first to introduce "double protected" capacitors (about a year ago if I remember correctly), but newer ASRock (as well as ASUS and pretty much every other brands') models also use similarly improved capacitors, so even if this argument was valid once, it no longer is.

    But it's important to keep in mind that similarly to the dual BIOS protection, these only help in cases where your area has frequent power surges. A motherboard can withstand a limited amount of such surges, and double protected ones have a higher limit (not double, but higher still... something like 50% if we take Gigabyte's self reported stats). If you live in an area with REALLY frequent surges (like... daily surges), this protection is not going to make any difference, as you'll hit the limit soon anyway (say, instead of hitting it in a week, you hit it in mostly two weeks).

    Plus, these only protect the motherboard. They don't protect the LAN card, the HDD, or the RAM which often go out first (in this order) due to power surges.

    (If you can't tell... where I live, we have less-than-semi-frequent, but VERY destructive power surges)

    Which is exactly why such things can be safely overlooked. If you live in an area with lots of dust around (from nearby builders, mines and the like), you need as many as the case will allow you, ideally with dust filtering sheets outside the case... and despite all of this, clean your PC every month or so.

    Otherwise, it's perfectly OK to have no chassis fans at all, and it may even help to keep your case opened, especially if you have an air conditioner in the room... and no pets.
  18. boen_robot

    new pc spec

    I'm curious about what kind of negative feedback we are talking about.

    The only "bad" thing about ASRock I can say is that many (not all!) models don't come in a shiny cardboard box, but only in the industry standard nylon instead, with the manual and driver CD being in there with the motherboard itself. Some may argue this gives off a smell of "unprofessional", but IMHO, this is an indication ASRock spent a few more cents towards the motherboard, rather than a few more cents towards the packaging, which is welcome. A few Gigabyte models also come like that, although admittedly, less often so.

    In terms of "actual quality"/lifespan, the amount of ASRock motherboards I repair or replace by warranty is pretty much the same as the amount of Gigabyte motherboards, so there's nothing about the motherboards themselves that qualifies either brand as being better or worse.

    The one that stuck out for me was "ACPI 1.1 Compliance Wake Up Events". This includes stuff like turning the computer on/off from a keyboard/mouse/USB-device, or putting it into a deep sleep, and allowing applications to wake the computer up when they want to.

    Also, the built-in LAN supports "Wake-On-LAN", i.e. you can remotely turn the computer on.

    The Gigabyte motherboard has a "dual BIOS", unlike the ASRock one. This is an extra protection in cases where you flash your BIOS, and the flash fails, at which point, the BIOS will be recovered from the backup. Personally, I haven't had a situation where a flash on an ASRock motherboard failed, so I can't say how useful this protection is on face value. If you live in an area with frequent power surges/outages AND intend to keep your BIOS updated, you might appreciate this, but otherwise, this can be as safely ignored as the ASRock features above.

    By "cabinet", do you mean "case" (the metal box around the whole computer) or "bureau" (the furniture on which the computer, monitor and everything else is placed)?

    For a case... just make sure you have a good enough power supply. The metal box itself is just that - a metal box. If you like the looks, that's a good case. Stuff like USB3 is dependent on the motherboard, not the case. The only thing a case could provide is a front-panel USB port extension cable... which is really just that - an extension of whatever port the motherboard supports. The two motherboards above both seem to have one USB3 "header" and two USB2 "headers". I assume that by "header" they mean exactly the ports that are intended for front USBs, though I'm not sure (that's the first time I see the term used).

    No... not as far as I've seen at least. CrossFire/SLI are applied between two external GPUs only.
  19. It seems like you're trying to run PHP files by double clicking on them... Do NOT start PHP files like that.

    Open your browser, and type "localhost". That is the place from which Apache (and inherently, PHP) runs. All paths must be relative to that.

    Check this part of the XAMPP FAQ for details.

    You could also try reinstalling XAMPP, or do the suggested settings above. XAMPP should do these by default.
  20. boen_robot

    new pc spec

    The Intel motherboard is a Micro-ATX one, i.e. for smaller cases. Even if it can be placed in a normal case (some "special" Micro-ATX motherboards can't), it will look weird.

    All ASUS motherboards used to have a problem with the chipset's cooling. The first time after opening the box, to ensure proper work, one had to take off the cooling metal, add new thermal paste on the chipset, and put the cooling metal back. I don't know if they've done any changes in their factory since (we're talking 2+ years back...), but I still haven't forgiven them for the tens of motherboards that we had to do this procedure on.

    Of the other two, I'd take the ASRock motherboard, as it has 2 more USB ports and some BIOS features that are nice for a server (though not for development). The Gigabyte one is nice too.
  21. boen_robot

    new pc spec

    OK then... it seems my perceptions were a little outdated (I based them mostly on personal experiences and benchmarks with what - according to Tom's Hardware - seem to be "middle class" SSDs).

    Now if only the price per GB could become bearable...
  22. boen_robot

    new pc spec

    If you've worked with PATA (a.k.a. IDE) drives... sure.
  23. boen_robot

    new pc spec

    Actually, about the SSD thing... SSD drives are great for servers, since you'll most often read data, and SSDs have noticeably better read speeds than any HDD.

    However, they are not very good for development or any kind of authoring work, because in those scenarios, you write (i.e. save) more often than you read, and the writing speed of SSDs is noticeably worse than SATA III HDDs. At least in current SSDs. They'll probably surpass HDDs one day, but they haven't done so yet. Last I checked, the best SSDs have writing speeds around those of SATA I drives.

    If you decide to use a PC as a server, consider SSDs then. That... or make sure to check out some benchmarks, and only buy an SSD if both speeds are better than your HDD of choice.
  24. You're simply using the wrong function. Use preg_replace() instead. str_replace() only replaces one literal string with another.
  25. boen_robot

    new pc spec

    Nope. For the reason you mentioned, plus, I don't have the money or nerves to look for coolers of extra terrestrial origin.

    But that's my point with the AMD over-clock thing - an over-clocked AMD CPU will deliver equal or better speeds to its non-overclocked Intel counterpart, at less power consumption... but with better cooling required to keep the darn thing running properly, which more often than not ends up making the electric bill equal or greater, except you're also running the risk of having the CPU live less. Tell me when you find an AMD CPU that is NOT too promising.

    All motherboards (of all brands) have at least one slot suitable for a GPU, including that one. All modern (as in "new", "non-second hand") models use PCI-E slots, which is also the only slot new GPUs are for.

    I like ASRock and Gigabyte best, and unless the client expresses preference for a different brand, I recommend those. But not because of the motherboard itself, but because those manufacturers keep their sites well organized and rich in support files (drivers, BIOS, manuals, etc.), even for older models. As a person that often needs to reinstall Windows (with the customer having lost their driver CD), that's something I value more than anything else.

    Between the two of them, I don't have a preference - I recommend whatever is the cheaper one in stock.

    It's not only "beneficial", it's "required". Intel and AMD use different, incompatible sockets to connect to the motherboard.