PHP COTW: isset and empty

June 10th, 2007

The third PHP code of the week is isset and empty which allow you to determine if a variable has a value or not.

isset checks to see if the variable has a value. This function is mostly used for POST and GET variables. If used with POST or GET, it allows you to not have to do the processing for the variables unless they have a value present.

empty is basically the opposite of isset, it checks to see that the variable is empty.

Below are some examples:

if ( isset ($HTTP_POST_VARS['username']) ) {
// execute code if POST var is set
}

if ( empty ($HTTP_POST_VARS['username']) ) {
// execute code if POST var is not set
}

The next PHP code of the week we’ll cover mysql_connect, mysql_select_db, mysql_query and mysql_close.

PHP COTW: htmlspecialchars, intval and str_replace

June 2nd, 2007

The second PHP code of the week are htmlspecialchars, intval and str_replace which can all be used to process user form input before you use that input in your code.

htmlspecialchars basically converts the HTML characters like single and double quotes, less than, more than and ampersand signs to entities; which means that using this function we can prevent the users text from containing HTML characters.

echo htmlspecialchars(“<a href=’test’>Test</a>”);

This example will output in the browsers source code:

&lt;a href='test'&gt;Test&lt;/a&gt;

intval is a way we can convert anything to an integer since we are expecting an integer. This means we can covert a string containing a number to a integer. We can be sure that we will only receive a number and nothing else.

echo intval('035');

The example will output 35. If the string contains any other characters other than digits it will return 0 (unless the digits are at the start of the string).

A full example of htmlspecialchars and intval would be:

$sort_order = htmlspecialchars($HTTP_POST_VARS['order']);
$form_status = intval($HTTP_POST_VARS['status']);

str_replace is used to protect us from SQL injections into our database. If you aren’t protected from SQL injections, this means a user could perform any SQL query that you have access to.

For example, you could be updating a users email address in your database and the user types into the email address field.

'; DROP some_table; some_fake_query_here('

The original query is below.

UPDATE userdata SET email_address = '$form_email' WHERE user_id = '$user_id';

So what is going on you say? Below is what the resulting SQL statement looks like after the form has been processed.

UPDATE userdata SET email_address = ''; DROP some_table; some_fake_query_here('' WHERE user_id = '5234';

So what happens is the first query is processed we try not to break this query or all other queries would then fail. The second query to drop the table is successful and the table is therefore dropped and the last query fails.

So if we want to protect ourselfs from an SQL injection we use this code below.

str_replace("\'", "''", $variable_name);

If form fields that a user submits contain a quote they are automatically re-written as \’. What our code will do is make it database friendly. It converts \’ to ” which for the database means it will be represented as a single quote. We have therefore solved the SQL injection issue.

On the next PHP code of the week we will cover isset and empty which are other functions which should be considered when processing forms.

PHP COTW: HTTP_POST_VARS and HTTP_GET_VARS

May 27th, 2007

Over the following weeks I will be covering PHP code which stands out to myself and some code which I use regularly. These PHP codes will be mentioned every week with an explanation on their uses. The section is called “PHP code of the week“.


We begin with our first PHP code of the week: HTTP_POST_VARS and HTTP_GET_VARS. Without these two functions we wouldn’t be able to get data from forms or simplify the way we specify user input in our code.

HTTP_POST_VARS is the function we call when we want to retrieve variable input from a form that the user has submitted. Say we have a field in the form called username. To retrieve the value of username we would write it as:

$username = $HTTP_POST_VARS['username'];

So we have the username fields value being assigned to a local variable $username.


HTTP_GET_VARS
is commonly used when searching forums, looking up user names, etc so you have most likely seen it been used. It is a simple way to input values into your code and is done by placing a question mark (?) and variable name and the value after the file we are requesting.

http://www.test.com/view_user.php?userid=5

In the above case, we can see that we are requesting the view_user.php file and are wanting to find more information on the userid number 5.


The inside code would look like:

$user_id = $HTTP_GET_VARS['userid'];

That’s pretty simple, we have the userid variable being assigned to the local variable $user_id.


Using HTTP_GET_VARS you are also able to retrieve more than one variable by placing a ampersand sign after each value. Such as:

http://www.test.com/view_user.php?userid=5&amp;findtopics=1&amp;findposts=2


So there you go, you now know how to retrieve user data.

If you are requesting the values and say the user didn’t input anything in the POST/GET request, 0 (false) is assigned to the local variables.

Note: These examples aren’t recommended to be placed directly into code as there are security issues. You should use functions such as htmlspecialchars, intval and str_replace before touching the variables. These functions will be covered in the next PHP code of the week.

Add Text to Title When Locking Topic v0.1.0

May 6th, 2007

I’ve made another new phpBB mod called Add Text to Title When Locking Topic which allows the administrator or moderator to input some text and select whether the text will be added before or after the topic title.

They can then click the lock icon in the viewtopic page which will lock and add the text to the title. They can also select multiple topics from the moderator control panel and perform the same action as well.

Deny Posting Text and BBcode Until x Posts v1.0.3

May 6th, 2007

Deny Posting Text and BBcode Until x Posts has been updated to v1.0.3 as a user was using heaps more text than I though people would. So instead of storing the text list in an array in the config table it’s now got it’s own table.

You can download v1.0.3 or upgrade from v1.0.2 here.

Ebay Archive chewing on MySQL server resources

April 29th, 2007

I received an email from Dreamhost this morning with regards to the Ebay Archive database. It seems that the queries that it was performing wasn’t as optimised as I thought.

# Query_time: 0  Rows_examined: 156795
use  ebayarchive;
SELECT item_number
FROM items_pending
WHERE  item_number = 290108127963;

150k+ rows just for a search?
Sounds like it’s not even using the index I had…
I looked up how to find useful information about queries on google and it says I should put EXPLAIN before the query, so I did.

SQL query: EXPLAIN SELECT item_number
FROM  items_pending
WHERE item_number = 200103800946;

id       select_type       table       type       possible_keys       key       key_len       ref       rows       Extra
1     SIMPLE     items_pending     index     item_number     item_number     16     NULL     158537     Using where; Using index

But it was using the index… hmm, how interesting. How about we try to put the number in quotes?

SQL query: EXPLAIN SELECT item_number
FROM  items_pending
WHERE item_number = '200103800946';

id  select_type  table  type  possible_keys  key   key_len  ref  rows  Extra
1  SIMPLE  items_pending  ref   item_number  item_number  16  const  1  Using where; Using index

Ah ha! What a difference that makes… !

As for the other query that was taking up alot of resources:

EXPLAIN SELECT item_number, category, item_name, item_url, item_end_time
FROM items_pending
ORDER BY item_end_time
LIMIT 0 , 20;

id  select_type  table  type  possible_keys  key  key_len  ref  rows  Extra
1  SIMPLE  items_pending  index  NULL  item_end_time  4  NULL  158537

Doesn’t look promising. It seems like ORDER BY is causing the query not to perform as best it can. So we’ll have to rewrite this query in a different way and also cache the result as the file that uses this query processes each individual item.

Something like this works fine:

EXPLAIN SELECT item_number, category, item_name, item_url, item_end_time
FROM items_pending_disabled
WHERE item_end_time &lt;= 1177143110

id  select_type  table  type  possible_keys  key  key_len  ref  rows  Extra
1  SIMPLE  items_pending_disabled  range  item_end_time  item_end_time  4  NULL  1714  Using where

We’ll have to cache all the rows and then increment the number by say 200-500 and repeat the query. Better a few rows than thousands. Now I’ve just got to wait for Dreamhost to hopefully re-enable the table they disabled.

Ebay Archive categories expanding

April 3rd, 2007

So the Ebay Archive is going fine. There were a few problems initially such as the date/time sorting not working as I decided to use varchar for the database and copy the Ebay date/time instead of using int for the database and convert the Ebay date/time to a unix timestamp; I guess this shows that it’s better to do things properly instead of doing things quickly.

Another issue is the fact that each item takes about 50Kb for the HTML file. This is pretty big and if you 27,000 entries so far, it’s already 1.3 GB… ouch! Lucky for me I’m with Dreamhost which offer 200GB diskspace plus 1GB extra gets added on each week. I’ve now made a header and footer page for the HTML pages which cuts the size by half to 25kb each. Now there’s the problem of going through 27,000 HTML files and removing the parts that aren’t needed.

Finally I’m hoping to expand the categories the Ebay Archive covers to include Cameras, & Accessories, Electrical and Mobile phones.

Edit: Those Ebay Categories above have been added.

phpBB Mod: Use Email as Username

April 3rd, 2007

I’ve created a simple phpBB Mod called Use Email as Username which allows you to insert the email address that a user registers with as their username.

Ebay Archive

March 24th, 2007

So what I’ve been working on is the Ebay Archive which aims to keep a record of all the Ebay Items that have ended in certain categories for longer than the standard 90 days. It contains the Item Name, Price Sold, Date/Time Sold, Item Number and a HTML display of the page.

Currently this is only available for the Australian Ebay Website – www.ebay.com.au, but later on I might think about archiving the US Ebay Website – www.ebay.com.

phpBB Website/Forums back online

March 20th, 2007

The phpBB Website/Forums are back online. They’ve taken the opportunity to upgrade the forums to phpBB 3 and redesign their website.