PEAK XOOPS - News

Poster : GIJOE on 2008-05-16 04:55:48 (10656 reads)

A Trap with get_html_translation_table()
You may know that PHP now has a built-in inverse of htmlspecialchars() (htmlspecialchars_decode(), since PHP 5.1).
With older versions of PHP, we used to build such a function ourselves with get_html_translation_table(), like this:


function my_unhtmlspecialchars( $text , $quotes = ENT_QUOTES )
{
	return strtr( $text , array_flip( get_html_translation_table( HTML_SPECIALCHARS , $quotes ) ) ) ;
}


Recently, I found that the function never converts &#039; into a single quote.
This is the result of my investigation.
Code:

<?php
        var_dump( htmlspecialchars( '"\'<>&' , ENT_QUOTES ) ) ;
        var_dump( get_html_translation_table( HTML_SPECIALCHARS , ENT_QUOTES ) ) ;
?>

Result:

string(25) "&quot;&#039;&lt;&gt;&amp;"
array(5) {
  ["""]=>
  string(6) "&quot;"
  ["'"]=>
  string(5) "&#39;"
  ["<"]=>
  string(4) "&lt;"
  [">"]=>
  string(4) "&gt;"
  ["&"]=>
  string(5) "&amp;"
}

&#039; and &#39; ...

This bug(?) is alive in PHP versions from 4.3.10 to 5.2.5 at least.
We have to keep this trap in mind for some time.
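The same trap worked around, as an added example that is not code from the original post: the reverse table gets both spellings of the apostrophe entity, so the output of htmlspecialchars($s, ENT_QUOTES) round-trips on the PHP versions where the table lists &#39; but htmlspecialchars() emits &#039;. The function names my_unhtmlspecialchars_fixed() and round_trip_check() are mine, not from the post.

```php
<?php
// Added example (not from the original post): a replacement for the
// my_unhtmlspecialchars() above that survives the table mismatch.
function my_unhtmlspecialchars_fixed($text, $quotes = ENT_QUOTES)
{
    $table = array_flip(get_html_translation_table(HTML_SPECIALCHARS, $quotes));

    // Only when single quotes are translated at all (ENT_QUOTES, not ENT_COMPAT):
    // ENT_QUOTES is ENT_COMPAT | ENT_HTML_QUOTE_SINGLE, so mask and compare.
    if (($quotes & ENT_QUOTES) == ENT_QUOTES) {
        $table['&#039;'] = "'";   // what htmlspecialchars() actually produces
        $table['&#39;']  = "'";   // what get_html_translation_table() lists
    }
    // strtr() with an array tries the longest key first, so both spellings are safe.
    return strtr($text, $table);
}

// Self-check: encode the five special characters with htmlspecialchars(),
// decode with the table-only version and with the fixed one, and report
// whether each gets the original string back.
function round_trip_check($sample = '"\'<>&')
{
    $encoded = htmlspecialchars($sample, ENT_QUOTES);
    $table_only = strtr($encoded, array_flip(get_html_translation_table(HTML_SPECIALCHARS, ENT_QUOTES)));
    return array(
        'table_only' => ($table_only === $sample),
        'fixed'      => (my_unhtmlspecialchars_fixed($encoded) === $sample),
    );
}

var_dump(round_trip_check());
// On the affected versions 'table_only' is false (the &#039; is left behind)
// and 'fixed' is true.
```

Decode only data you are about to re-process (edit forms, re-escaping for a different context), never data you are about to print: decoding followed by raw output throws away exactly the escaping that htmlspecialchars() gave you.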


Poster : GIJOE on 2007-09-18 04:00:24 (11356 reads)

WYSIWYG editors require the system to "allow HTML".
But that easily invites "script insertion" (XSS) attacks.

kentauls told me about HTMLPurifier.
http://htmlpurifier.org/

It looks great, especially the smoke test for XSS.
You should know that HTMLPurifier works with PHP 5 only, though the documentation tells us that it works with PHP >= 4.3.2.

Anyway, I've included this library in Protector.

You can try "postcommon_post_htmlpurify4guest.php" as protector's filter plugin.

But it is just a sample.
I'll modify my modules so they can use HTMLPurifier as needed, via config.

HTMLPurifier makes things like a "WYSIWYG forum" possible.
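How a filter of this kind is wired up, as an added example (not the Protector plugin's code and not from the original post): HTMLPurifier is configured as an allow-list for the tags and URI schemes a forum post needs, and a constructed sample of hostile WYSIWYG input is run through it. The include path, the cache directory and the function name make_wysiwyg_purifier() are assumptions to adjust for your install.

```php
<?php
// Added example (not from the original post or Protector): HTMLPurifier as an
// allow-list filter for user-supplied HTML. Path below is an assumption.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

function make_wysiwyg_purifier()
{
    $config = HTMLPurifier_Config::createDefault();
    // Only the elements and attributes a post needs; anything else is removed,
    // including every on* event-handler attribute and <script>/<style>.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,ul,ol,li,blockquote,a[href|title],img[src|alt]');
    // Only these URI schemes survive in href/src, so javascript: and data: links are dropped.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
    // Writable directory for HTMLPurifier's definition cache (assumption: temp dir is fine here).
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

// Constructed sample of what a malicious user might paste into a WYSIWYG field.
$dirty = '<p onmouseover="alert(1)">hi</p>'
       . '<a href="javascript:alert(document.cookie)">click</a>'
       . '<img src="x" onerror="alert(1)">'
       . '<script>alert(1)</script><b>bold</b>';

$purifier = make_wysiwyg_purifier();
$clean = $purifier->purify($dirty);
echo $clean;
// The onmouseover/onerror handlers, the javascript: href and the <script>
// element do not survive; the text, <p>, <img> and <b> do.
```

Run the purifier on the server right before storage or right before output, never only in the browser; a WYSIWYG editor's own cleanup is under the attacker's control.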


Poster : GIJOE on 2007-03-24 05:50:55 (7742 reads)

There is an important difference between PHP 4.x/5.0.x and PHP 5.1 in the order in which shutdown functions and output-buffering callbacks run.

<?php
register_shutdown_function( 'sf' ) ;
ob_start( 'ob' ) ;
echo 'main ' ;

function ob( $s )
{
	return $s.'ob ' ;
}

function sf()
{
	echo 'sf ' ;
}
?>

The results of executing this code:
PHP4.4.4 and PHP5.0.3
main ob sf 


PHP5.1.3
main sf ob 


You can see that they are quite different.
Thus, we have to code in this style to cushion the difference between PHP versions:
<?php
register_shutdown_function( 'sf' ) ;
ob_start( 'ob' ) ;
echo 'main ' ;

function ob( $s )
{
	return $s.'ob ' ;
}

function sf()
{
	while( @ob_end_flush() ) ; // here
	echo 'sf ' ;
}
?>

With this code, both PHP 4.x/5.0.x and PHP 5.1.x run in the same order (main, ob, sf).

If you want the order (main, sf, ob), you have to call the shutdown function from the output-buffering callback.
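The (main, sf, ob) variant, as an added example that is not the original post's code: the shutdown work is written as a function that returns its text, the output-buffering callback inserts it, and the registered shutdown function only flushes the buffers so the callback runs even when the script exits early. The function flush_all() and the return-a-string sf() are my arrangement, not from the post.

```php
<?php
// Added example (not from the original post): get (main, sf, ob) on
// PHP 4.x/5.0.x and PHP 5.1+ alike by calling the shutdown work from the
// output-buffering callback instead of echoing it from the shutdown function.
register_shutdown_function('flush_all');
ob_start('ob');
echo 'main ';

// The shutdown work returns its text instead of echoing it: output functions
// are not allowed inside an ob callback, and a string can be placed exactly
// where we want it in the buffered output.
function sf()
{
    return 'sf ';
}

// Output-buffering callback: main output, then the shutdown work, then ob's own.
function ob($s)
{
    return $s . sf() . 'ob ';
}

// Registered shutdown function: only flush. On PHP 5.1+ this runs before the
// engine's own flush and so triggers ob() here; on PHP 4.x/5.0.x the buffers
// are already flushed and the loop ends at once. Either way: "main sf ob ".
function flush_all()
{
    while (@ob_end_flush()) ;
}
```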


Poster : GIJOE on 2007-03-20 13:06:04 (12237 reads)

array_map(), the built-in PHP function, is fast and useful.

eg1) fetching an array of integers from a textbox, e.g. [1,2,3,4]
You can get it in just one line.


$myarray = array_map( 'intval' , explode( ',' , $post_data ) ) ;


eg2) merging arrays so that the elements (which may themselves be arrays or objects) are unique
Neither the "+" operator nor array_merge() is enough for this purpose.
You can use array_map() like this:

$merged_array = array_map( 'unserialize' , array_unique( array_map( 'serialize' , array_merge( $array1 , $array2 ) ) ) ) ;
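Both idioms turned into functions with a little hardening, as an added example that is not from the original post: for eg1), intval() silently turns "abc" or an empty field into 0, so the result is filtered before it reaches something like a "WHERE id IN (...)"; for eg2), the unserialize() only ever sees strings produced by serialize() a moment earlier, so it is not the untrusted-unserialize() hazard. The sample inputs are constructed, and ids_from_post(), is_positive_int() and merge_unique() are names I introduce here (assumption: valid IDs are positive).

```php
<?php
// Added example (not from the original post): the two array_map() idioms
// above as functions, with constructed inputs.

function is_positive_int($n)
{
    return $n > 0;
}

// eg1) Comma-separated IDs from form input -> array of unique positive ints.
// intval() maps non-numeric pieces ("abc", "") to 0, so filter those out
// and de-duplicate; only the values the user meant survive.
function ids_from_post($post_data)
{
    $ints = array_map('intval', explode(',', $post_data));
    $ints = array_filter($ints, 'is_positive_int');
    return array_values(array_unique($ints));
}

// eg2) Merge two arrays keeping each element once, even when the elements are
// arrays or objects. serialize() gives array_unique() a string to compare;
// unserialize() is applied only to strings this same expression produced.
// Note that array_unique() keeps the key of the first occurrence, so the
// result's keys may have gaps (wrap in array_values() if that matters).
function merge_unique(array $a, array $b)
{
    return array_map('unserialize', array_unique(array_map('serialize', array_merge($a, $b))));
}

// Constructed inputs.
var_dump(ids_from_post(' 3, 1,abc,3,,-7, 2 '));
// -> array(3, 1, 2): "abc" and "" became 0 and were dropped, -7 was dropped,
//    the second 3 was de-duplicated.

var_dump(merge_unique(
    array(array('id' => 1), array('id' => 2)),
    array(array('id' => 2), array('id' => 3))
));
// -> three elements; array('id' => 2) appears once.
```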


Poster : GIJOE on 2007-03-10 04:56:00 (7543 reads)

An index given as a boolean, a double, or an int becomes an integer index via intval().
Exception: values out of the range of the platform integer (32-bit at the time of writing).

An index given as a string becomes one of two kinds of index, depending on this condition:


/^(0|-?[1-9][0-9]*)$/

If the string matches this regex (a canonical decimal integer: "0" or a non-zero number with no leading zeros, no "+", no whitespace; note "-0" does not match) and the value fits in the integer range, it becomes an integer index.
Otherwise, it stays a string index (associative array).
