strpos error (I'm missing something obvious)

on 01.10.2007 23:23:15 by Kevin Murphy

Overly simplified version of my code.

$site = "http://www.wnc.edu";
$referer = $_SERVER["HTTP_REFERER"];

echo $referer; // the output is correct at: http://www.wnc.edu/test/

if (strpos($referer,$site) === TRUE)
{
echo "yes";
}

Why doesn't it echo out "yes"? I know I am doing something stupid
here, but it doesn't seem to work .... :-)


--
Kevin Murphy
Webmaster: Information and Marketing Services
Western Nevada College
www.wnc.edu
775-445-3326

P.S. Please note that my e-mail and website address have changed from
wncc.edu to wnc.edu.




Re: strpos error (I'm missing something obvious)

on 01.10.2007 23:33:45 by carlton.whitehead

Kevin,

Try this instead:

$site = "http://www.wnc.edu";
$referer = $_SERVER["HTTP_REFERER"];

echo $referer; // the output is correct at: http://www.wnc.edu/test/

if (is_int(strpos($referer, $site)))
{
echo "yes";
}

Why did I make this change? strpos returns an integer representing the
position of the needle ($site) in the haystack ($referer). For more
info, see http://us.php.net/manual/en/function.strpos.php.

Regards,
Carlton Whitehead

Kevin Murphy wrote:
> Overly simplified version of my code.
>
> $site = "http://www.wnc.edu";
> $referer = $_SERVER["HTTP_REFERER"];
>
> echo $referer; // the output is correct at: http://www.wnc.edu/test/
>
> if (strpos($referer,$site) === TRUE)
> {
> echo "yes";
> }
>
> Why doesn't it echo out "yes"? I know I am doing something stupid
> here, but it doesn't seem to work .... :-)
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: strpos error (I'm missing something obvious)

on 01.10.2007 23:36:41 by Kevin Murphy

I fixed this by changing === TRUE to !== FALSE, so I think I am good
to go now. But would still like to know why TRUE doesn't work. Thanks.

--
Kevin Murphy
Webmaster: Information and Marketing Services
Western Nevada College
www.wnc.edu
775-445-3326

P.S. Please note that my e-mail and website address have changed from
wncc.edu to wnc.edu.


On Oct 1, 2007, at 2:23 PM, Kevin Murphy wrote:

> Overly simplified version of my code.
>
> $site = "http://www.wnc.edu";
> $referer = $_SERVER["HTTP_REFERER"];
>
> echo $referer; // the output is correct at: http://www.wnc.edu/test/
>
> if (strpos($referer,$site) === TRUE)
> {
> echo "yes";
> }
>
> Why doesn't it echo out "yes"? I know I am doing something stupid
> here, but it doesn't seem to work .... :-)
>
>
> --
> Kevin Murphy
> Webmaster: Information and Marketing Services
> Western Nevada College
> www.wnc.edu
> 775-445-3326
>
> P.S. Please note that my e-mail and website address have changed
> from wncc.edu to wnc.edu.
>
>



Re: strpos error (I'm missing something obvious)

on 01.10.2007 23:41:13 by carlton.whitehead

Kevin,

I think I addressed that in my last message, if a bit indirectly.

strpos will never return a boolean true. It will only ever return
either the integer where the needle is found in the haystack, or false
if said needle is not found in said haystack. Check the Return Values
section at http://us.php.net/manual/en/function.strpos.php

Regards,
Carlton Whitehead

Kevin Murphy wrote:
> I fixed this by changing === TRUE to !== FALSE, so I think I am good
> to go now. But would still like to know why TRUE doesn't work. Thanks.
>


RE: strpos error (I'm missing something obvious)

on 01.10.2007 23:44:32 by Jay Blanchard

[snip]
I fixed this by changing === TRUE to !== FALSE, so I think I am good
to go now. But would still like to know why TRUE doesn't work. Thanks.
[/snip]

!== FALSE is not good either, it is not a valid test

strpos returns the numeric position of the first occurrence of needle in
the haystack string.


Re: strpos error (I'm missing something obvious)

on 02.10.2007 01:56:16 by Tom Swiss

jblanchard@pocket.com ("Jay Blanchard") writes:

> !== FALSE is not good either, it is not a valid test
>
> strpos returns the numeric position of the first occurrence of needle in
> the haystack string.

Except when needle doesn't occur in string, in which case

"If needle is not found, strpos() will return boolean FALSE."

Checking strpos($foo,$bar) !== False is exactly right; since 0 == False,
you want to use !==, not !=.

-- Tom Swiss / tms(at)infamous.net / www.infamous.net / www.unreasonable.org
"What's so funny about peace, love, and understanding?" - Nick Lowe
"Power to the Peaceful" - Michael Franti


RE: strpos error (I'm missing something obvious)

on 02.10.2007 15:34:36 by Jay Blanchard

[snip]
> !== FALSE is not good either, it is not a valid test
>
> strpos returns the numeric position of the first occurrence of needle in
> the haystack string.

Except when needle doesn't occur in string, in which case

"If needle is not found, strpos() will return boolean FALSE."

Checking strpos($foo,$bar) !== False is exactly right; since 0 == False,
you want to use !==, not !=.
[/snip]

If the string is in the first position does it not return a zero?

$needle = "a";
$haystack = "abcdef";

echo strpos($haystack, $needle);

returns 0

0 is not equal to false. But you are correct, if the string is not found
it returns the Boolean false, I should have been clearer.


Re: strpos error (I'm missing something obvious)

on 02.10.2007 16:53:02 by Al

Frankly, I use preg_match() for this type of thing. It's simpler and foolproof.
The difference in speed is negligible.

// The "i" after the pattern delimiter '%' indicates a case-insensitive search

if (preg_match("%$site%i", $referer)) {
echo $referer;
} else {
echo "A match was not found.";
}


Kevin Murphy wrote:
> Overly simplified version of my code.
>
> $site = "http://www.wnc.edu";
> $referer = $_SERVER["HTTP_REFERER"];
>
> echo $referer; // the output is correct at: http://www.wnc.edu/test/
>
> if (strpos($referer,$site) === TRUE)
> {
> echo "yes";
> }
>
> Why doesn't it echo out "yes"? I know I am doing something stupid here,
> but it doesn't seem to work .... :-)
>
>


Re: Re: strpos error (I'm missing something obvious)

on 02.10.2007 17:32:36 by Andrew Ballard

I'd suggest the following *slight* enhancement to make sure that the
HTTP_REFERER actually *begins* with the site name, not simply contains
it.

// prevents visits from pages like
// http://badsite.com/form.htm?http://www.wnc.edu
if (strpos($referer, $site) === 0)
{
echo 'yes';
}

(or, if you like the preg solution)
if (preg_match("%^$site%", $referer))
{
//....
}

However, I'd argue that the effectiveness of checking the referrer
itself could be considered "negligible", and hardly "foolproof". The
header is easily spoofed in scripts, and may not even be sent at all
by legitimate clients because of various browser and/or personal
firewall options.

Andrew
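
The comparisons discussed in this thread, run side by side over constructed Referer values (an added example, not code from any poster): it shows what `strpos()` returns in each case and adds a scheme-and-host comparison through a hypothetical helper, `referer_is_from()`, because a string-prefix test also accepts a longer host name that merely starts with the site name.

```php
<?php
// Added example. All Referer values below are constructed test inputs.
$site = "http://www.wnc.edu";

// Hypothetical helper: compare scheme and host exactly rather than
// matching a string prefix.
function referer_is_from(string $referer, string $site): bool
{
    $r = parse_url($referer);
    $s = parse_url($site);
    if (!is_array($r) || !is_array($s)
        || !isset($r['scheme'], $r['host'], $s['scheme'], $s['host'])) {
        return false; // empty, relative or malformed value
    }
    return strcasecmp($r['scheme'], $s['scheme']) === 0
        && strcasecmp($r['host'], $s['host']) === 0;
}

$samples = [
    "http://www.wnc.edu/test/",                        // the page from the thread
    "http://badsite.com/form.htm?http://www.wnc.edu",  // contains $site, does not begin with it
    "http://www.wnc.edu.badsite.com/",                 // begins with $site, different host
    "",                                                // header absent: $_SERVER["HTTP_REFERER"] ?? ""
];

foreach ($samples as $referer) {
    $pos = strpos($referer, $site); // int offset on a match, false otherwise
    echo var_export($referer, true), "\n";
    echo "  strpos() returned:   ", var_export($pos, true), "\n";
    echo "  === TRUE:            ", var_export($pos === true, true), "\n";
    echo "  !== FALSE:           ", var_export($pos !== false, true), "\n";
    echo "  === 0:               ", var_export($pos === 0, true), "\n";
    echo "  scheme + host equal: ", var_export(referer_is_from($referer, $site), true), "\n";
}
```

If the regex form is kept, passing the site through `preg_quote($site, '%')` makes the dots in the host name match literally. The header remains client-supplied either way, as noted above.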


Re: Re: strpos error (I'm missing something obvious)

on 02.10.2007 17:52:45 by Kevin Murphy

Thanks for the info. I've modified the script to reflect that. I
actually ended up reversing it, and so I used !== 0 which should work
just the same.

All this is a minor portion of a much larger security scheme for an
intranet site (which is protected by an LDAP server), where I am just
trying to keep images outside the web directory, and want to prevent
people from linking directly to an image... the only way an image
displays is if they view the page, and not link directly to the
image. Not foolproof, I know, but I'm not dealing with the general
population here, just internal employees some of whom are more
computer savvy than others.

Thanks all for your help. It seems to be working now.

--
Kevin Murphy
Webmaster: Information and Marketing Services
Western Nevada College
www.wnc.edu
775-445-3326

P.S. Please note that my e-mail and website address have changed from
wncc.edu to wnc.edu.


On Oct 2, 2007, at 8:32 AM, Andrew Ballard wrote:

> I'd suggest the following *slight* enhancement to make sure that the
> HTTP_REFERER actually *begins* with the site name, not simply contains
> it.
>
> // prevents visits from pages like
> http://badsite.com/form.htm?http://www.wnc.edu
> if (strpos($referer, $site) === 0)
> {
> echo 'yes';
> }
>
> (or, if you like the preg solution)
> if (preg_match("%^$site%", $referer))
> {
> //....
> }
>
> However, I'd argue that the effectiveness of checking the referrer
> itself could be considered "negligible", and hardly "foolproof". The
> header is easily spoofed in scripts, and may not even be sent at all
> by legitimate clients because of various browser and/or personal
> firewall options.
>
> Andrew
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>



Re: Re: strpos error (I'm missing something obvious)

on 02.10.2007 18:30:00 by Al

I didn't mean that the function was foolproof, only the match function itself.

However, your suggestion to add the line start is simple and effective.

Andrew Ballard wrote:
> I'd suggest the following *slight* enhancement to make sure that the
> HTTP_REFERER actually *begins* with the site name, not simply contains
> it.
>
> // prevents visits from pages like
> http://badsite.com/form.htm?http://www.wnc.edu
> if (strpos($referer, $site) === 0)
> {
> echo 'yes';
> }
>
> (or, if you like the preg solution)
> if (preg_match("%^$site%", $referer))
> {
> //....
> }
>
> However, I'd argue that the effectiveness of checking the referrer
> itself could be considered "negligible", and hardly "foolproof". The
> header is easily spoofed in scripts, and may not even be sent at all
> by legitimate clients because of various browser and/or personal
> firewall options.
>
> Andrew


Re: Re: strpos error (I'm missing something obvious)

on 02.10.2007 18:50:38 by Andrew Ballard

On 10/2/07, Al wrote:
> I didn't mean that the function was foolproof, only the match function itself.

Understood. :-)
