Archive for PHP Programming

PHP Excel/Reader and oleread.inc not reading negative numbers on 64-bit machines

I recently switched from a 32-bit machine to a 64-bit machine.  I noticed that negative numbers were coming in around 1073741814.  This has to do with how bits are shifted on the different machines.

I have read that not patching these files will cause memory exhaustion, which can be critically bad in a production environment. 

I found a fix for oleread.inc that replaces the GetInt4d function with

function GetInt4d($data, $pos) {
    // Top byte of the little-endian 32-bit value; its high bit is the sign bit.
    $_or_24 = ord($data[$pos+3]);

    // On a 64-bit PHP build, shifting a byte >= 128 left by 24 no longer wraps
    // into a negative int as it does on 32-bit, so build the negative high part
    // explicitly instead of relying on the overflow.
    if ($_or_24 >= 128)
        $_ord_24 = -abs((256 - $_or_24) << 24);
    else
        $_ord_24 = ($_or_24 & 127) << 24;

    return ord($data[$pos]) | (ord($data[$pos+1]) << 8) | (ord($data[$pos+2]) << 16) | $_ord_24;
}

But what they failed to mention was that you also have to make the same change to the _GetInt4d function in the Excel/reader.php file.

I hope this helps someone (or myself) in the future.

 

jQuery Ajax Returning Null / Not Working

I was working with jQuery.ajax yesterday and today and it just wasn’t working for me.  It was starting to get very frustrating because it was a very simple code snippet.  I have used this numerous times before with no problems.

So to debug it, I started watching all of my Apache logs and saw that instead of a GET request, I was getting an OPTIONS request.  This was strange, so I thought that maybe I just had to set the ajax type property to GET.  Tried that to no avail, same request type.

Upon further research, I found that it was because I was trying to hit a different domain instead of the one I was on (the OPTIONS request was the browser's cross-origin preflight).  I set up a quick proxy through my domain and everything worked like a charm.

After writing this post I read this NOTE on the jQuery site.

Note: All remote (not on the same domain) requests should be specified as GET when 'script' or 'jsonp' is the dataType (because it loads script using a DOM script tag). Ajax options that require an XMLHttpRequest object are not available for these requests. The complete and success functions are called on completion, but do not receive an XHR object; the beforeSend and dataFilter functions are not called.

 

SQL Injection

As a programmer you should always be aware of possible SQL injection attacks.  Make sure that you scrub all of your data before using it, especially in a database query.

Do not just blindly accept that the parameters you receive are going to be good. 

For example, if you are going to show a post from a blog, your url might look like http://www.cyborgcomputing.com/showPost.php?ID=5.  That would show post #5, right?

What if it was http://www.cyborgcomputing.com/showPost.php?ID=5+union+select+1,2,3,4,5,6+--

You would have a MAJOR problem if your query in PHP is

$result = mysql_query("SELECT * FROM post WHERE ID=" . $_REQUEST['ID']);

Try it out on your own and see (the links above are not real).  If you are expecting an ID, you should rewrite your PHP to:

$ID = preg_match('/^\d*$/', $_REQUEST['ID']) ? $_REQUEST['ID'] : 1;

Now your ID has to be a series of digits, otherwise you return post #1.
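As an added example (not code from the original post), here is the same lookup hardened one step further: the ID is validated into a real integer and then bound as a query parameter instead of being concatenated into the SQL. It uses an in-memory SQLite database through PDO with a constructed post table so it runs offline; the function names, table layout and sample rows are assumptions made for this example.

```php
<?php
// Added example, not the original post's code: the vulnerable query from the post
// (kept only as a comment) beside a hardened lookup. Uses an in-memory SQLite
// database via PDO; the post table and its rows are constructed for illustration.

// Vulnerable pattern from the post (string concatenation, unquoted, unvalidated):
//   mysql_query("SELECT * FROM post WHERE ID=" . $_REQUEST['ID']);

// Same policy as the post's preg_match fix (a bad ID falls back to post #1), but
// FILTER_VALIDATE_INT yields a real int, rejects the empty string that /^\d*$/
// would accept, and enforces a range, so the value can never carry SQL text.
function validatePostId($raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? 1 : $id;
}

// Hardened lookup: the ID is bound as a typed parameter, so it is never spliced
// into the SQL string regardless of what validatePostId() returned.
function fetchPost(PDO $db, $rawId): ?array {
    $stmt = $db->prepare('SELECT id, title FROM post WHERE id = :id');
    $stmt->bindValue(':id', validatePostId($rawId), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO post (id, title) VALUES (1, 'First post'), (5, 'Fifth post')");

// A normal ID, the post's injection attempt, an empty ID and a negative ID all
// end up at either the requested post or post #1; the SQL itself is never altered.
foreach (['5', '5 union select 1,2,3,4,5,6 --', '', '-3'] as $input) {
    $post = fetchPost($db, $input);
    printf("%-32s -> post #%d (%s)\n", var_export($input, true), $post['id'], $post['title']);
}
```

Running it prints post #5 for the first input and post #1 for the other three, which is the behaviour the regex fix above aims for, with the added guarantee that no part of the input reaches the query text.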

 

Mazooma Payment Option

I am in the middle of implementing Mazooma as a payment option on bowlingball.com. It is an interesting payment method from what I have seen.

The integration has been very simple so far. They do make it easy.

From a technical point of view, here are the sticking points for me.
1) They request the customer’s username and password for their bank.
2) Mazooma acts as an agent on behalf of the customer
3) The customer never sees their bank’s website

So Mazooma must create a payee (if necessary) and then schedule a payment. The question, then, is whether the customer can cancel the payment within their bank’s interface.

I am still gathering more information, and I am not 100% positive that we actually offer this payment option at this point.
