Posted by Jackson Linux on 10/04/86 11:10
On 10 Mar 2005, at 07:38, Jochem Maas wrote:
> Jackson Linux wrote:
>> Okay, guys,
>> I hope I'm getting closer with your help here but I am still highly
>> confused (that's actually a general blanket statement these days).
>> I've taken your advice and made several changes,
>> On 9 Mar 2005, at 13:44, Jochem Maas wrote:
>>> M. Sokolewicz wrote:
>>>
>>>> Jackson Linux wrote:
>>>>
>>>>> Hi,
>>>>> This:
>>>>>
>>>>> if (isset($_GET['r']) &&
>>>>> !empty($_GET['r']) &&
>>>>> ($r = intval($_GET['r'])) ){
>>>
>>>
>>> does nobody notice the last 'bit' of the if expression??
>>> if the IF statement evaluates to true then $r _has_ been set!!!
>> That makes sense now.
>>>
>>>>> $r = "{$_GET['r']}"; //Set the variable $r to mean the category
>>>>> number
>>>>
>>>> gods, that's an ugly statement... why don't you simply use $r =
>>>> $_GET['r']; ????
>>>
>>>
>>> that leaves him completely open to SQL injection.
>>> but your right in that writing this:
>>>
>>> $r = "{$_GET['r']}";
>>>
>>> ... is just plain wasteful, pointless and looks ugly.
>>> and given the fact that $r is already set (see above) there is
>>> no need to set it again at all.
>> I see that now; thanks, I removed it
>>> I think you almost there Jackson, keep hacking :-)
>>>
>> Thanks for the encouragement! But there's more...
>>>>>
>>>>> $sort = "ORDER BY cv.sort";
>>>>> } else {
>>>>> $where = '';
>>>>> $fields =
>>>>> 'cv.cv_id,cv.category,dates,cv.job_title,cv.company,cv.job,cv.sort,
>>>>> jobcat.category';
>>>>> $sort = "ORDER BY cv.sort";
>>>>> }
>>>>>
>>>>> //Make the sql based on the joining of the table and intersection
>>>>> table
>>>>> $sql = "
>>>>> SELECT
>>>>> cv.cv_id,cv.category,dates,cv.job_title,cv.company,cv.job,cv.sort,jobcat.category
>>>>> FROM cv, cvjobcats, jobcat
>>>>> WHERE cvjobcats.cv_id=cv.cv_id AND cvjobcats.jobcat_id = $r AND
>>>>> jobcat.jobcat_id=cvjobcats.jobcat_id";
>>>>>
>>>>> Works whenever there is an ?r= specified. When there is no r
>>>>> specified it chokes on
>>>>>
>>>>> WHERE cvjobcats.cv_id=cv.cv_id AND cvjobcats.jobcat_id = $r AND
>>>>> jobcat.jobcat_id=cvjobcats.jobcat_id";
>>>>>
>>>>> because there's no value to $r.
>>>>>
>>>>> it also opens me up to allowing anyone to state *anything* after
>>>>> the ?.
>>>>>
>>>>> So can I make an else statement which will say that if there's no
>>>>> r= or a wrong r= or even no ? at all then it should print a menu
>>>>> to $r's which actually exist in the database? How?
>>>>>
>>>>> Thanks in advance!!!
>>>>
>>>> You have 3 conditions in a single expression. Split that expression
>>>> up
>>>
>>>
>>> Jackson got that bit from me - I don't think he is fully aware of
>>> what that
>>> expression is doing!
>>>
>>> the 'sum' of those conditions determines that either $r is 'good' or
>>> 'bad'
>>> (whether $r is garbage or not set didn't seem like a difference
>>> worth bothering
>>> with)
>>>
>> No, I didn't and I actually still don't. I've implemented the change
>> below, breaking up the if(isset)$_GET['r']) bit (making it easier to
>> follow indeed, thank you!) but I am confused as to how to break that
>> three-condition statement split based on that change.
>>>> into multiple expressions, so you can check each (or a combination
>>>> of 2) individually.
>>>
>>>
>>> this is a good idea to better understand what is going on!
>>>
>>>> so, instead of:
>>>> if (isset($_GET['r']) && !empty($_GET['r']) && ($r =
>>>> intval($_GET['r']))){
>>>> do:
>>>> if (isset($_GET['r'])) {
>>>> if(!empty($_GET['r']) && ($r = intval($_GET['r']))){
>>>> // do whatever
>>>> } else {
>>>> // something boring
>>>> }
>>>> } else {
>>>> // not set
>>>> }
>>>
>>>
>> The code below is where I am now. I'm trying to document a bit
>> better, and clean it up. And I still don't have any clue as to how
>> to make it redirect if someone requests no ?r= or a bad one. Can
>> someone help please?
>> <snip>
>> if (isset($_GET['r'])) {
>> if(!empty($_GET['r']) && ($r = intval($_GET['r']))){
>> $fields = '*';
>> $where = "WHERE cvjobcats.cv_id=cv.cv_id AND
>> cvjobcats.jobcat_id = '$r' AND
>> jobcat.jobcat_id=cvjobcats.jobcat_id";
>> $sort = "ORDER BY cv.sort"; // Assemble the category items
>> in r=x
>> } else {
>> // Is this where I'd say IF no $r is set then redirect?
>> }
>> }
>
> all you need is 1 if (or if/else) statement, note that my example
> is the logical reverse of the first if statement I posted (in reply
> to your question):
>
> if (!isset($_GET['r']) || empty($_GET['r']) || !($r =
> intval($_GET['r']))) {
> // _GET['r'] is either not set, empty or not a positive int greater
> than zero.
> // the required var is 'bad' so lets redirect the user.
> if (!headers_sent()) {
> header('location: /yourRvarsucks.php');
> } else {
> // you'll have to figure out what to do yourself
> // if you want to redirect and headers have already been sent!
>
> }
> exit;
> }
>
> // now comes the rest of the script (build SQL, run it, output the
> data)
>
> $where = "WHERE cvjobcats.cv_id=cv.cv_id
> AND cvjobcats.jobcat_id = '$r'
> AND jobcat.jobcat_id=cvjobcats.jobcat_id";
>
> $sort = "ORDER BY cv.sort";
>
> // etc etc ...
>
Whhooo.
I created this:
$badr = "" )
1. I believe that this:
if (!isset($_GET['r']) || empty($_GET['r']) || !($r =
intval($_GET['r']))) {
// _GET['r'] is either not set, empty or not a positive int greater
than zero.
// the required var is 'bad' so lets redirect the user.
if (!headers_sent()) {
header("Location: {$_SERVER['PHP_SELF']}#bookmark"); // double quotes: single quotes do not interpolate and the nested ' would be a parse error
} else {
// you'll have to figure out what to do yourself
// if you want to redirect and headers have already been sent!
}
exit;
}
should kick back anyone who uses a bad or no $r to the location:
{$_SERVER['PHP_SELF']}#bookmark
However two problems:
1. This is dumb, I'm sure, but when I test this on its own it loops
into a constant redirect, as the page reloads itself (PHP_SELF), hits
the header location and tries again. I want it to keep the same page
name (file.htm) but load a conditional menu if the request is for a
non-existent or bad $r
2. Mustn't I also specify what to do in the event that the $r is good?
Would that be just continuing the script:
if (isset($_GET['r'])) {
if(!empty($_GET['r']) && ($r = intval($_GET['r']))){
} else {
// And if so, then why do I need the IF statement here at all?
Shouldn't this be a WHILE?
}
}
// now comes the rest of the script (build SQL, run it, output the data)
??
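The two questions above (why the redirect to PHP_SELF loops, and what to do when ?r= is missing, bad, or points at a category that does not exist) can be answered in one script. The following is an added example, not code from this thread or from any of its participants. It assumes PHP 7.1 or later with PDO, a MySQL DSN and credentials that are placeholders, and the tables and columns the thread names (cv with cv_id, category, dates, job_title, company, job, sort; cvjobcats with cv_id, jobcat_id; jobcat with jobcat_id, category). Instead of redirecting to the same page, it renders a menu of the categories that actually exist, and it binds $r as a query parameter rather than interpolating it into the SQL string.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP >= 7.1 with PDO and the
// tables/columns the thread names: cv(cv_id, category, dates, job_title, company,
// job, sort), cvjobcats(cv_id, jobcat_id), jobcat(jobcat_id, category).
// The DSN and credentials below are placeholders.

/** Return a validated positive category id from the query string, or null. */
function getCategoryId(array $get): ?int
{
    if (!isset($get['r'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "", "12abc", "1.5" and arrays (?r[]=1) outright,
    // where intval() would quietly map "12abc" to 12; min_range => 1 also rejects
    // 0 and negatives, which is what the thread's "!($r = intval(...))" test wanted.
    $r = filter_var($get['r'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $r === false ? null : $r;
}

/** Categories that actually have CVs attached, so every menu link resolves. */
function fetchCategoryMenu(PDO $db): array
{
    $sql = 'SELECT DISTINCT jobcat.jobcat_id, jobcat.category
              FROM jobcat
              JOIN cvjobcats ON cvjobcats.jobcat_id = jobcat.jobcat_id
             ORDER BY jobcat.category';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** CVs in one category. $r is bound as a parameter, never interpolated into SQL. */
function fetchCvsForCategory(PDO $db, int $r): array
{
    $sql = 'SELECT cv.cv_id, cv.category, cv.dates, cv.job_title, cv.company,
                   cv.job, cv.sort, jobcat.category AS jobcat_category
              FROM cv
              JOIN cvjobcats ON cvjobcats.cv_id = cv.cv_id
              JOIN jobcat    ON jobcat.jobcat_id = cvjobcats.jobcat_id
             WHERE cvjobcats.jobcat_id = :r
             ORDER BY cv.sort';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':r', $r, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Build the fallback menu as HTML. Relative links keep the same page name. */
function renderMenu(array $categories): string
{
    $html = "<ul>\n";
    foreach ($categories as $cat) {
        $id   = (int) $cat['jobcat_id'];
        $name = htmlspecialchars((string) $cat['category'], ENT_QUOTES, 'UTF-8');
        $html .= "  <li><a href=\"?r={$id}\">{$name}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// ---- page flow ----
$db = new PDO('mysql:host=localhost;dbname=cvdb;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$r    = getCategoryId($_GET);
$rows = $r === null ? [] : fetchCvsForCategory($db, $r);

if ($rows === []) {
    // Missing, malformed, or well-formed-but-nonexistent r: render the menu here.
    // header('Location: ' . $_SERVER['PHP_SELF']) would re-request this same URL
    // with the same bad r and loop forever, which is the behaviour described above.
    echo renderMenu(fetchCategoryMenu($db));
    exit;
}

foreach ($rows as $row) {
    echo htmlspecialchars((string) $row['job_title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Two design notes. First, there is only one branch to write: once a bad $r has been handled (menu, then exit), everything after it runs only for a good $r, so no second if/else (and no while) is needed. Second, the menu links are relative ("?r=3") on purpose: $_SERVER['PHP_SELF'] reflects whatever path the client requested, including any extra path segments appended after the script name, so echoing it unescaped into HTML or a header is a well-known injection point, and avoiding it here removes that risk along with the redirect loop.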