[asterisk-users] PHP can't insert - Can someone please help
Steve Edwards
asterisk.org at sedwards.com
Sat Jul 10 21:51:12 CDT 2010
On Sat, 10 Jul 2010, bruce bruce wrote:
> Here is the steel strong sanitizer:
> $npaa = "$_POST[anpa]";
> $nxxa = "$_POST[anxx]";
> $blocka = "$_POST[ablock]";
>
> # Sanitize
> $blocka_san = strspn("$blocka", "0123456789");
>
> if ($blocka_san==4 && is_numeric($npaa) && is_numeric($nxxa) &&
> is_numeric($blocka) && $npaa>=200 && $nxxa>=200 && $npaa!=900 &&
> $npaa!=911)
> {
> echo "Number passed sanitization";
> }
>
> What do you think? :-)
Yuk.
> On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce <bruceb444 at gmail.com>
> wrote:
> Thanks again. Apparently all POST variables come through as strings.
You may want to read the relevant RFCs. Look for ENCTYPE.
> The function you pointed out is I think already built in php
> as is_numeric().
>
> http://www.php.net/manual/en/function.is-numeric.php
You may want to read the function definition again. It allows plus,
exponential notation and hexadecimal notation as well.
> I have my html/php file set so that the input field only takes 3 digit 3
> digit 4 digit (NPA, NXX, Block) so your proposal of: '201,0); drop
> database YOUR_DATABASE'; would fail due to big length and also I tested
> with inputting letters and my IF function caught it and exited.
>
> Furthermore, everything else (other than phone input fields) is drop
> down boxes with specific numbers or letters inserted in them. I should
> be 100% safe with those right?
>
> By using form POST there should be no other loopholes left open
> right? It's not like php $_GET so people can't try typing to the browser
> in this format:
You may want to read the man pages for curl and wget -- both can submit
POST requests.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
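An added example, not from either poster, of the two points Steve raises above: is_numeric() accepts more than a plain digit string, and the form's client-side limits are irrelevant once the values are used in SQL. The table name and columns are assumed placeholders.

```php
<?php
// Added example (not part of the thread): strict digit validation of the
// NPA/NXX/block fields, keeping the range rules from the posted sanitizer,
// plus a parameterised insert so the values never reach the SQL text.

// Strict check: exactly $len ASCII digits and nothing else.
function is_exact_digits(string $s, int $len): bool {
    return preg_match('/^[0-9]{' . $len . '}$/', $s) === 1;
}

// Same range rules as the posted code, but on strictly validated digits.
function validate_number(string $npa, string $nxx, string $block): bool {
    if (!is_exact_digits($npa, 3) || !is_exact_digits($nxx, 3)
        || !is_exact_digits($block, 4)) {
        return false;
    }
    $n = (int) $npa;
    return (int) $nxx >= 200 && $n >= 200 && $n !== 900 && $n !== 911;
}

// Inputs a phone field should reject. is_numeric() accepts a sign, leading
// whitespace, a decimal point and exponent notation; on the PHP 5 of 2010 it
// also accepted hex ("0x12"), which PHP 7 and later no longer do.
foreach (['+201', ' 201', '2e2', '2.01', '0x12'] as $bad) {
    printf("%-7s is_numeric=%d strict=%d\n", var_export($bad, true),
           is_numeric($bad), validate_number($bad, '555', '0100'));
}

// Insert with a prepared statement. Whatever the form allows, curl or wget
// can POST anything, so the server-side check and the placeholder do the
// protecting. DSN and table name are assumed, not the poster's.
function insert_number(PDO $db, string $npa, string $nxx, string $block): void {
    if (!validate_number($npa, $nxx, $block)) {
        throw new InvalidArgumentException('rejected input');
    }
    $stmt = $db->prepare('INSERT INTO numbers (npa, nxx, block) VALUES (?, ?, ?)');
    $stmt->execute([$npa, $nxx, $block]);
}
```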