Re: [PHP] Re: Multithreading for OOP PHP

2012-11-03 Thread Dotan Cohen
 As far as php side goes, it's a
 problem of design of the apps. Just because people decided to go through
 hoops to use the threaded model doesn't mean that it is any faster than
 writing to the same thing in event driven model, event driven way is
 sometimes much faster than threads.

I'm on both sides of the fence on this one. Imagine the database
operation (not necessarily a SELECT statement) that could take an
arbitrarily long time to complete. PHP should be able to hand that off
to another thread and be done with it:
$dbOperation = dbThread($sql);
$dbOperation->start();

Currently, we've got to write an alternative file dbOperation.php
and call it via exec(), complete with shell-escaping arguments and all
the dangers that go with that:
exec('dbOperation.php ' . escapeshellarg($sql));

Now who knows what escapeshellarg() will do to my precious
hand-crafted SQL so I'll have to debug and test that as well. Wait
until you see what that does to your single quotes, and you are in a
world of hurt if your SQL contains literals that also happen to
contain escaped quotes. I don't even know what other characters
escapeshellarg() will mangle, it is not mentioned in the fine manual
so I can either go read the source or start experimenting. And I
happen to be a hobbyist sysadmin, what happens to the poor PHP dev who
doesn't even quite understand the shell or think to escape the
arguments. The prevalence of PDO for simple queries even further
removes many (novice) PHP devs from thoughts of escaping.


 Don't blame the language, blame the
 poor dev who made it harder on themselves... There are plenty of big and
 well performing systems online that pull data from many a locations on the
 back end and still manage to serve it to you in less than 2 hundredth of a
 second without the need for threading server side code. That's because they
 are designed well and implemented well as a system.

That is either naive or trolling. You either know very well that some
database operation cannot be completed in n/100 of a second, and we
haven't even started to talk about curl or other potentially
long-running operations.


 Finally another thing to consider is how the operating systems deal with
 high amounts of threads, how different architectures deal with them, while
 Linux is pretty good about threads, other systems have significant
 problems. Php is meant to run on all of them so you choose the model that
 works for all.

I see. Due to a Windows deficiency my PHP-on-*Nix code should suffer.
Are you not aware that some PHP features are available on some OS but
not others? Or that function differently by OS? Seriously, it looks
like you are trolling.


 Lastly I am sorry, but massively parallel architecture for general
 computing is still about 10 years out. That's where parallel processing
 design will be more efficient and beneficial. When we have that, and
 programmers learn massively parallel design, maybe then we will have a need
 for parallel php (pphp?) for now, there is no need, only poor design.

What? I don't know what you mean by massively parallel architecture
but it certainly has no relevancy to the PHP dev who wants to run a
long SQL query.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
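As an added example (not code from the thread), this shows what escapeshellarg() actually does to SQL containing quoted literals, checks that the shell hands the string back unchanged, and then hands the SQL to a worker over stdin so nothing touches the command line at all. dbOperation.php is the hypothetical worker name from the thread and the SQL string is constructed.

```php
<?php
// Added example, not from the thread. POSIX shells only (escapeshellarg() quotes
// differently on Windows). dbOperation.php is the hypothetical worker script from
// the thread; it would read its SQL with stream_get_contents(STDIN).

// Constructed SQL with the cases the thread worries about: an embedded quote
// and an escaped quote inside a string literal.
$sql = "SELECT id FROM t WHERE name = 'O\\'Brien' AND note = 'it''s'";

// escapeshellarg() wraps the value in single quotes and rewrites every embedded
// single quote as '\'' (close quote, backslash-escaped quote, reopen). Backslashes
// and everything else are left alone: nothing is special inside single quotes.
echo escapeshellarg("it's"), "\n";   // prints: 'it'\''s'

// Round trip: the shell undoes the quoting, so the worker's argv[1] is the
// original string byte for byte. printf %s echoes its argument without a newline.
function argv_roundtrip(string $value): bool
{
    return shell_exec('printf %s ' . escapeshellarg($value)) === $value;
}
var_dump(argv_roundtrip($sql));      // bool(true)

// Hand-off that avoids the shell entirely: an array command makes proc_open()
// execute the program directly (PHP 7.4+), and the SQL travels over stdin, so
// there is no escaping to get wrong and no argv length limit to hit.
function run_worker(string $sql, string $worker = 'dbOperation.php'): int
{
    $spec = [
        0 => ['pipe', 'r'],              // worker's stdin: the SQL is written here
        1 => ['file', '/dev/null', 'w'], // worker's stdout, not needed here
        2 => ['pipe', 'w'],              // collect the worker's errors
    ];
    $proc = proc_open(['php', $worker], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start $worker");
    }
    fwrite($pipes[0], $sql);
    fclose($pipes[0]);                   // EOF tells the worker the query is complete
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        error_log("$worker exited with $status: $errors");
    }
    return $status;
}
```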



Re: [PHP] Multithreading for OOP PHP

2012-10-31 Thread Dotan Cohen
 It's just as we sometimes use PHP for doing some big Server works (e.g. 
 database copying or something) and
 it would be nice to control by yourself which Thread (or process) does which 
 part of the job.


I don't suppose that the client is sitting there waiting for a reply
until the browser times out while the code is database copying or
something. That is why you should hand off the database copying to an
application that does that and then return to the client a response
quickly.
exec('mysqldump');

You could even give the client an AJAX page and inform them of the
status of the operation if the application that you passed off the
work to supports it.

I have wished for PHP threading many times, and my current big
client also asked for PHP threading recently. Yet, every single time
that I've devised an alternative solution I was glad that I did. PHP
is not memory efficient and we really don't need it hogging up the CPU
when a real C program can do the intensive work. And if you need
threading, then you are very likely looking at exactly the type of
workload that PHP is designed not to do!

--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: No error reporting on

2012-04-23 Thread Dotan Cohen
On Mon, Apr 23, 2012 at 14:18, Jim Giner jim.gi...@albanyhandball.com wrote:
 Just my $.02, but don't you need:

 ini_set('display_errors', '1');

 as well?


Possibly, thanks. I actually don't have access to that!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: No error reporting on

2012-04-23 Thread Dotan Cohen
On Mon, Apr 23, 2012 at 16:53, Jim Lucas li...@cmsws.com wrote:
 Possibly, thanks. I actually don't have access to that!


 That line should be placed in your script.  not the php.ini file


Yes, I'm working on a functions file that is include()ed by the main
script. I'm not supposed to touch the main script without a very good
reason.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] What is the mnemonic for date()'s Day format?

2012-02-13 Thread Dotan Cohen
On Mon, Feb 13, 2012 at 22:51, Matijn Woudt tijn...@gmail.com wrote:
 Hi,

 I've been wondering where the letter was chosen from too, so I took
 svn and got all the way back to revision 214 where the option was
 first added. Note that this commit is June 7, 1996, and we're talking
 about php2 (php/fi) here. I tried to look at mailing list archives,
 but it seems that rasmus was pretty much developing PHP on its own in
 those days.
 It seems that it has been added when cookie support was added, and for
 the cookie to set a date they wanted a nicely printed day. It seems to
 be just a choice from rasmus back in those days.
 My best guess would be that the 'l' is chosen because it is the last
 letter of 'full' in 'full name of day', though I don't understand why
 'f' or 'F' wasn't chosen.

 Well, try remembering the 'l' in 'full' if you need it the next time..;)


You are some sleuth! Let me know first if you ever have any dirt on me, Matijn!

Thank you for the mnemonic full. I'll know next week if it sticks or
not. Though, I already foresee myself trying to use f!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] What is the mnemonic for date()'s Day format?

2012-02-13 Thread Dotan Cohen
On Mon, Feb 13, 2012 at 23:04, Marc Guay marc.g...@gmail.com wrote:
 How about long dayname?


That makes sense. I now have two ways to remember. Thanks!


 I find it interesting that the character for Day of the month without
 leading zeros is j, which makes sense to me as a half-Francophone who
 sometimes calls days jours.  Not that it helps me remember it, I
 have to refer to that page pretty much every time I use date().


I also refer to that page enough to have it bookmarked on my homepage!


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to detect languages from (= LTR vs RTL)

2012-02-07 Thread Dotan Cohen
On Tue, Feb 7, 2012 at 10:37, Michelle Konzack
linux4miche...@tamay-dogan.net wrote:
 Hi colleagues and gurus,

 I am coding a whole web office and one of my problems is LTR vs RTL.
 If I have for example an E-Mail I use a

     <div style="direction:$DIRECTION">
       $SOME_TEXT
     </div>

 but HOW can I detect the type of $SOME_TEXT  from  within  PHP,  to  set
 $DIRECTION? (RTL or LTR) correctly?

 And how can I do this with mixed Text (by  line  or  entire  paragraph)
 like:

   german       - must be LTR
   persian      --- must be RTL
   english      - must be LTR
   arabic       --- must be RTL
   french       - must be LTR
   jidisch      --- must be RTL

 Any Iranian (Moxhtar?), Arabs (Jasin?) or Jews (Dotan?) here  which  can
 help me please?

 Thanks, Greetings and nice Day/Evening
    Michelle Konzack


Hi Michelle! There is no reliable way to determine the intent of the
author, but most software detects RTL vs LTR by the first strong
character found in the string. Strong characters are letters, not
punctuation or numbers which are used in both LTR or RTL environments.

Untested, but you might be able to do something like this:

// Read the whole input and walk it one UTF-8 character at a time. fgetc()
// returns single bytes, and a byte can never equal a multibyte Hebrew or
// Arabic character in the lookup arrays, so the split is done with preg_split().
$direction = FALSE;
$text = stream_get_contents($input);
foreach (preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY) as $char) {
    if ( is_strong($char) ) {
        $direction = is_strong($char);
        break;
    }
}

// $arrayOfRtlCharacters and $arrayOfLtrCharacters must be filled by the caller;
// they are declared global so the function can see them.
function is_strong($char) {
    global $arrayOfRtlCharacters, $arrayOfLtrCharacters;
    if (  in_array($char, $arrayOfRtlCharacters)  ) {
        return 'RTL';
    }
    if (  in_array($char, $arrayOfLtrCharacters)  ) {
        return 'LTR';
    }
    return FALSE;
}

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to detect languages from (= LTR vs RTL)

2012-02-07 Thread Dotan Cohen
On Tue, Feb 7, 2012 at 19:31, Dotan Cohen dotanco...@gmail.com wrote:
 function is_strong($char) {
    if (  in_array($char, $arrayOfRtlCharacters)  ) {
        return RTL;
    }
    if (  in_array($char, $arrayOfLtrCharacters)  ) {
        return LTR;
    }
    return FALSE;
 }


On second thought, you might want to try preg_match() instead of
in_array() to use character ranges.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

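The two replies above sketch first-strong-character detection, first with per-character in_array() lookups and then with preg_match() over character ranges. As an added example (not code from either message), here is that idea written with preg_match() and Unicode script properties, so no hand-built character arrays are needed and multibyte text is handled correctly; the list of RTL scripts is an assumption.

```php
<?php
// Added example, not from the thread: first-strong-character detection with
// preg_match() and Unicode script properties. The /u modifier makes PCRE work on
// UTF-8 characters rather than bytes. The set of RTL scripts is an assumption;
// extend it as needed.

// Letters of these scripts are strong right-to-left characters. Hebrew covers
// Yiddish as well; Arabic covers Persian.
const RTL_LETTER = '/^[\p{Hebrew}\p{Arabic}\p{Syriac}\p{Thaana}\p{Nko}]$/u';

/**
 * Returns 'rtl' or 'ltr' from the first letter in $text, or $default when the
 * text has no letter at all (digits, punctuation and spaces are directionally
 * weak and never decide the direction) or is not valid UTF-8.
 */
function detect_direction(string $text, string $default = 'ltr'): string
{
    // \p{L} matches the first letter of any script; with /u the match is a whole
    // UTF-8 character. preg_match() returns false on invalid UTF-8, which also
    // falls through to the default.
    if (preg_match('/\p{L}/u', $text, $m) !== 1) {
        return $default;
    }
    return preg_match(RTL_LETTER, $m[0]) === 1 ? 'rtl' : 'ltr';
}

/** Direction per line, for mixed text where each line is decided on its own. */
function detect_direction_per_line(string $text): array
{
    $out = [];
    foreach (preg_split('/\R/u', $text) as $line) {
        $out[] = [detect_direction($line), $line];
    }
    return $out;
}

/**
 * Wraps $text in a div whose direction follows its first strong character.
 * dir="rtl|ltr" is the HTML attribute form of style="direction:...";
 * htmlspecialchars() keeps the text from being interpreted as markup.
 */
function directional_div(string $text): string
{
    return '<div dir="' . detect_direction($text) . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Constructed samples: leading digits and punctuation do not count.
assert(detect_direction('Guten Tag') === 'ltr');
assert(detect_direction('123 - שלום עולם') === 'rtl');   // Hebrew after weak chars
assert(detect_direction('(سلام) hello') === 'rtl');       // Arabic letter comes first
assert(detect_direction('2012-02-07 17:00') === 'ltr');   // no letter: default
assert(detect_direction("\xff\xfe") === 'ltr');           // invalid UTF-8: default
assert(detect_direction_per_line("Hallo\nשלום")[1][0] === 'rtl');
```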



[PHP] How to find where class is used?

2012-01-06 Thread Dotan Cohen
In a large application that I am tasked with maintaining (vBulletin)
there is a particular class that is used:
vB_ProfileBlock_VisitorMessaging. I know the file that it is defined
in, but I cannot find the file that actually creates a
vB_ProfileBlock_VisitorMessaging object. I tried the brute-force grep
approach, but the only place where I see the class mentioned is in the
class declaration itself:
[dev@localhost forum]$ grep -ir vB_ProfileBlock_VisitorMessaging *
includes/class_profileblock.php:class vB_ProfileBlock_VisitorMessaging extends vB_ProfileBlock

I know that this class is used as there is a page that is obviously
using it. I have tried playing be-the-PHP-parser with that file, but
it goes on to include() about a dozen other files, each of which
include() another dozen files! This server does not and cannot have a
debugger. What else can I do to find where this class object is
created?

Thanks.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to find where class is used?

2012-01-06 Thread Dotan Cohen
On Fri, Jan 6, 2012 at 15:05, richard gray r...@richgray.com wrote:
 Can you not put a debug_print_backtrace() in the class constructor?


Thanks, that might have worked.

In the end, I found it by grepping for VisitorMessaging instead of
vB_ProfileBlock_VisitorMessaging. It turns out that there is an array
of the vB_ProfileBlock_* classes and they are called by
vB_ProfileBlock_$className. I personally consider that terrible coding
practice, but then again if vBulletin were well-coded then I would
probably be made redundant so I cannot complain!

Thanks for the help and for the ideas!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-26 Thread Dotan Cohen
 are using a stored procedure this is even
 harder), and that's beyond what you want to do during troubleshooting
 usually, and if you disable one point, your application fails to work
 all together and it fails closed.

 More over you can make this completely transparent to your devs by
 changing your data access libraries (for SQL, or Ajax functions for JS
 for example). They can pass in crap data, and the first thing your
 data access library does before doing anything else is it encodes the
 data into a bunch of gibberish... And when they pull the data back,
 your library gets the data and unencodes it. the devs don't have to
 worry about SQL injection, you don't have to worry about their
 competence, you win ;)


Change the access libraries for the devs? I think that you've gone a
bit too far!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
I have an application in which the password is stored in the database
as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
entered with:
$password = md5(  md5($_POST['password']) . 'userSpecificSalt'  );
$query = "SELECT id FROM table WHERE password='{$password}'";

Now I'm a bit queasy about not using mysql_real_escape_string() on
that $password variable! Please reassure me or tell me the folly of my
ways. Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
On Wed, Sep 21, 2011 at 21:03, Daniel Brown danbr...@php.net wrote:
    It never hurts to be overly cautious, but as MD5 hashes are
 strictly alphanumeric (using hex characters), you won't have an issue
 with injection with the code above.  That is, of course, unless your
 version of PHP is rebuilt without MD5 hash support, or some other
 oddity that is on the outside edge of possibility.


The rebuild without md5 is an interesting point. That sounds exactly
like the type of it-will-never-happen-until-it-happens-to-me problems!
Thanks for the heads up.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

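As an added example (not code from the thread), the lookup above with the reasoning in Daniel's reply made explicit as a fail-closed guard: the only reason the interpolated value cannot inject is that md5() emits exactly 32 hex digits, so the query is refused if that ever stops being true. The salt and table name are the thread's own; the inputs are constructed.

```php
<?php
// Added example, not from the thread: the thread's password lookup with a guard
// that checks the assumption the safety rests on. A build without md5() would
// die with a fatal error rather than pass the raw password through (as Daniel
// notes); the guard turns that and any other surprise into an explicit refusal.

function password_lookup_sql(string $postedPassword, string $userSpecificSalt): string
{
    if (!function_exists('md5')) {
        throw new RuntimeException('md5() unavailable; refusing to build query');
    }
    // Same construction as the thread: md5(md5(password) . salt).
    $password = md5(md5($postedPassword) . $userSpecificSalt);

    // Whatever was posted, the value that reaches the SQL text must be
    // 32 hex digits; anything else means the assumption no longer holds.
    if (strlen($password) !== 32 || !ctype_xdigit($password)) {
        throw new RuntimeException('unexpected hash format');
    }
    return "SELECT id FROM table WHERE password='{$password}'";
}

// Constructed inputs, one of them full of quote and backslash characters: both
// yield a query whose only variable part is hex, so the SQL shape is identical.
$shape = "/^SELECT id FROM table WHERE password='[0-9a-f]{32}'$/";
assert(preg_match($shape, password_lookup_sql('passWord', 'userSpecificSalt')) === 1);
assert(preg_match($shape, password_lookup_sql("pa'ss\"wo\\rd;", 'userSpecificSalt')) === 1);
```

A prepared statement with the hash bound as a parameter removes the question entirely and is the better default; the guard above is what makes the interpolated form defensible.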



Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
Thanks Igor. I will sleep peacefully this night!


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Escaping MySQL passwords necessary when md5 is used?

2011-09-21 Thread Dotan Cohen
On Wed, Sep 21, 2011 at 22:36, Daniel Brown danbr...@php.net wrote:
    I should've specified, though, that then you would simply have the
 fatal error message (call to undefined function) pass through, not the
 unhashed original text.


Yes, that is obvious.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-14 Thread Dotan Cohen
On Tue, Sep 13, 2011 at 23:04, Alex Nikitin niks...@gmail.com wrote:
 Dotan,

 IN (the function used in all of the queries above) is not the same as an
 INNER_JOIN, inner join joins 2 tables, as you have already described, IN
 however is a function that return 1 if the value being searched for is in
 the array of its values or 0 if it is not, thus IN is not an inner join, but
 a comparator function, thus if you are using IN, limit will indeed be more
 efficient than it's omission for exactly the reason i have stated in my
 previous post. Because your user array seems to be in php, and implode has
 been a topic of discussion above as well, setting an adequate limit is a
 simple task with the php's count function.


Yes, I did realize that after seeing the syntax of IN, which I have
not been exposed to before. My response that you quoted was in
response to a suggestion that a LIMIT clause be used with an INNER
JOIN query, which is wrong on two principles.


 This is all ofcourse void if the user array being pulled from mysql, in
 which case you could simply join the two tables to get your resulting data
 set. The trick there is to use the USING clause which seems to run a lot
 faster than any ON clause, or work on an optimized subselect, especially if
 you are running a cluster.


Agreed. In fact I don't know from where the array is coming, that's
not my part of the code! But I agree that if it is coming from mysql
then a join would be preferable.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-14 Thread Dotan Cohen
On Wed, Sep 14, 2011 at 06:05, chetan rane chetan.d.r...@gmail.com wrote:
 Hi,

 There are 2 problems with subselect

 1. You cant use a limit on the nested select
 2. If the number of elements in the in clause exceeds the subselect buffer
 you will run into performance issues and eventually your query will be
 doomed. Inner joins in,this is the best option for this . You can use a temp
 table for this


Thanks Chetan. I will keep that in mind if I ever get around to
learning about subselects.

Have a great day!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-14 Thread Dotan Cohen
On Wed, Sep 14, 2011 at 16:02, Eric Butera eric.but...@gmail.com wrote:
 Just out of curiosity, where are these ids coming from?  Doing a raw
 implode on them like that is a sql injection vuln.


They are in an array. I do of course is_int() them first, plus some
other sanitation including mysql_real_escape_string().

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-14 Thread Dotan Cohen
On Wed, Sep 14, 2011 at 21:01, Alex Nikitin niks...@gmail.com wrote:
 You can use a limit with a nested select, you just can't use it in
 some cases, like inside an IN statement, but something like this
 should work:

 SELECT id, data, etc FROM table JOIN (SELECT special_id as id FROM
 special_table ORDER BY special_id LIMIT 0, 1000) AS table2 USING (id)

 Note: syntax may not be valid, but should be fairly straight forward
 to fix, have no time to play with it though...


Thanks.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-13 Thread Dotan Cohen
I have a MySQL database table with about 10,000 rows. If I want to
query for 50 specific users (so no LIMIT ORDER BY) then I seem to have
these choices:

1) SELECT * FROM table
This will pull in all 10,000 rows, not nice!

2) foreach ($user as $u) { mysql_query("SELECT * FROM table WHERE userID=" . $u); }
This will lead to 50 queries, again not nice! (maybe worse)

3) foreach ($user as $u) { $whereClause .= " OR userID=" . $u; }
This makes a huge SQL query. However, this is the method that I'm using now.

Is there some sort of array that can be passed in the WHERE clause,
containing all the userID's that I am interested in?

Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-13 Thread Dotan Cohen
On Tue, Sep 13, 2011 at 17:29, Ashley Sheridan a...@ashleysheridan.co.uk 
wrote:
 SELECT * FROM table WHERE userID IN (1,2,3,4,5,etc)

 Much smaller than what you proposed in #3, and easier to make if your user is 
 list is already an array.


Thank you Ash, that is exactly what I was looking for!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-13 Thread Dotan Cohen
On Tue, Sep 13, 2011 at 17:32, muad shibani muad.shib...@gmail.com wrote:
 Yes there is but all the IDs in one string like this
 $ids = $id1.', '.$id2.', ';
 note : remove the last comma from the string
 then make the query like this:
 mysql_query("SELECT * FROM table WHERE userID IN ($ids)");

Thank you Muad!


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-13 Thread Dotan Cohen
On Tue, Sep 13, 2011 at 17:34, Steve Staples sstap...@mnsi.net wrote:
 what criteria are you using to get the stats for these 50 users?


They are passed as an array into a function I'm cleaning up.


 also, wouldn't this be much better suited for the mysql mailing list?


Yes.


 if you know all the userids, then you could just do it as:

 $sql = "SELECT * FROM table WHERE userid IN (" . implode(', ', $usersids) . ")";

 not very elegant, and I am not sure that the IN is any better than doing
 50 mysql calls, but this is only 1 call, and gets you the data.


This is exactly what I need, thanks!


 Are you querying the database to get the id's in the frist place?  if
 so, you could look at doing an inner join on the 2 tables.


Actually, I do suspect that is where it's coming from. But the calling
function is not in my hands.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

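The implode() form above is the one Eric flags as an injection risk when the ids come from a request, and the reply in the thread is to is_int() them first. As an added example (not code from the thread), here is the IN (...) query built with every id validated as an integer and bound through PDO placeholders, so no value is ever spliced into the SQL text. The table is named users here because "table" is a reserved word, and SQLite in memory stands in for MySQL so the sample runs offline (pdo_sqlite assumed).

```php
<?php
// Added example, not from the thread. Every element is validated as an integer
// first (is_int() alone rejects the numeric strings a request delivers), then the
// values are bound through placeholders. SQLite in memory stands in for MySQL.

/** Returns [$sql, $params] for the given ids, or throws on anything not an id. */
function users_in_query(array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        // Accepts 7 and "7"; rejects "7 OR 1=1", "7.0", "", null and arrays.
        $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            throw new InvalidArgumentException('not a user id: ' . var_export($id, true));
        }
        $clean[$n] = $n;                               // keyed by value: de-duplicates
    }
    if ($clean === []) {
        return ['SELECT * FROM users WHERE 0', []];   // IN () is a syntax error
    }
    $params = array_values($clean);
    $placeholders = implode(', ', array_fill(0, count($params), '?'));
    return ["SELECT * FROM users WHERE userID IN ($placeholders)", $params];
}

function fetch_users(PDO $pdo, array $ids): array
{
    [$sql, $params] = users_in_query($ids);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demonstration data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, name TEXT)');
$ins = $pdo->prepare('INSERT INTO users VALUES (?, ?)');
foreach ([[1, 'ann'], [2, 'bob'], [3, 'cat'], [4, 'dan'], [5, 'eve']] as $row) {
    $ins->execute($row);
}

// Ints and numeric strings both accepted; the duplicate 4 is dropped.
$rows = fetch_users($pdo, [2, '4', 4]);
assert(array_column($rows, 'name') === ['bob', 'dan']);

// Non-integer input is refused before any SQL is built.
try {
    fetch_users($pdo, ['4 OR 1=1']);
    assert(false, 'should have been rejected');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```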



Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-13 Thread Dotan Cohen
On Tue, Sep 13, 2011 at 21:06, Steve Staples sstap...@mnsi.net wrote:
 I mentioned that implode earlier, but there is also the underlying
 question (which I also asked earlier)... how is he getting the 50 id's
 to populate?

 here are 2 other ways of skinning the cat:

 using an inner join:
 select table.* from table inner join othertable on (table.userid =
 othertable.userid) where (use the way your getting the 50 id's here);

 OR by using a subselect,
 select * from table where userid IN (select group_concat(userid,
 separator ', ') FROM othertable where (using logic here));

 guess it all depends on how you want to do it...  but that would make it
 1 db query


I personally would stick with the inner join as I know that syntax,
but thanks for introducing me to the subselect. I have never seen
that.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Querying a database for 50 users' information: 50 queries or a WHERE array?

2011-09-13 Thread Dotan Cohen
On Tue, Sep 13, 2011 at 21:34, Alex Nikitin niks...@gmail.com wrote:
 And this will be faster or at least more efficient with a limit (e.g. limit
 50) this way when you have found the 50 users in the in statement, you
 don't continue iterating through the rest of your data set...


The number is never exactly 50 but rather some arbitrary large number.
But there is no need for LIMIT, that is the purpose of the _INNER_
JOIN. INNER means to only return the matching rows.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Where is the code for this page?

2011-08-18 Thread Dotan Cohen
On Thu, Aug 18, 2011 at 22:57, Daniel Brown danbr...@php.net wrote:
    Check the RewriteCond and RewriteRule entries in the .htaccess
 file in that directory.  If there are none, check parent directories.


Two things for the fine archives:
1) I found this in .htaccess:
RewriteRule ^(.+)$ vbseo.php [L,QSA]
If anyone wants to see spaghetti, go google vbseo.php. It looks like
Perl. Batman Perl.

2) I learned a new trick today! Grep this/that syntax:
grep 'RewriteCond\|RewriteRule' .htaccess
That's a backslash-pipe double operator in there. Easy to remember:
they're both on the same key.

Thanks.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Where is the code for this page?

2011-08-18 Thread Dotan Cohen
On Thu, Aug 18, 2011 at 23:17, Daniel Brown danbr...@php.net wrote:
    Depending on your keyboard layout, yes.  ;-P


It is on all four of mine :)

    If you like operators with your grep, try grepping on steroids by
 using egrep (`man egrep`).


I'll look into that. Thanks!


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Queries and Common Practices

2011-05-22 Thread Dotan Cohen
On Sun, May 22, 2011 at 17:38, tedd tedd.sperl...@gmail.com wrote:
 SELECT p.id, p.name, a.total FROM people p, accounts.a WHERE gender = 'male'


Finding the error in the above code is fun. I'm surprised I spotted
it; it shows how sensitive one gets to debugging.

For that matter, I like the OP's practice of redundancy in the name of
consistency. If nothing at the least, it gets us used to looking at
the code to debug as above.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] [Semi-OT] Request for help: Squirrelmail, PHP and RTL-Languages

2011-03-16 Thread Dotan Cohen
On Wed, Mar 16, 2011 at 21:59, Michelle Konzack
linux4miche...@tamay-dogan.net wrote:
 Hello,

 I am working in an environment where it is required to  support  LTR  and
 RTL languages at once. My own website supports this but with squirrelmail
 there is a problem.

 Is there an Iranian, Israeli or Arabic Programmer which can  help  out
 to get RTL support in the Squirrelmail interface including the New  Mail
 form?

 Thanks, Greetings and nice Day/Evening
    Michelle Konzack


What exactly is the problem? I have an associate using SquirrelMail in
Hebrew, it even has a Hebrew interface. Are you getting directional
display issues? Gibberish?


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to write code: how wrong am I?

2011-02-23 Thread Dotan Cohen
On Tue, Feb 22, 2011 at 19:03, Paul M Foster pa...@quillandmouse.com wrote:
 Not a bad idea for HTML, not so great for PHP. Some of what you're
 trying to solve/avoid can be handled by a decent editor, one that does
 syntax highlighting and/or does brace and parenthesis checking. It
 doesn't require an expensive IDE. I use Vim, and it works fine for this.
 And honestly, if you're serious about programming, you really shouldn't
 be using something like Notepad on Windows. Seriously. We had a coder
 working for a company where I was who coded in Word of all things. We
 just looked at him like he was crazy.


When I'm writing code in a language I know, I use either Vim, Kate, or
Eclipse. But when I'm learning a language I use an environment with no
syntax highlighting or code completion. It is in these cases that the
close-then-fill coding style helps. Also, I've many times had to SSH
into a server and change HTML or PHP code in the half-VIM that ships
with CentOS and Debian, which does not support syntax highlighting. So
the style has real-world advantages.


 Annotating end-braces is also very helpful for long conditionals. Vim
 can track start and stop braces, but when they span several screen
 pages, it can be a problem.


Yup!


 Likewise commenting code as you go is an excellent idea. 2:1 comments
 are a bit much; Linus Torvalds would kick your butt. But I often do this
 if I'm not exactly sure how I'm going to code something, but I know the
 rough logic of it. Lay out the conditionals, comment on what should
 happen within each code block, and then go back and fill in the blocks
 with actual code.


2:1 is excessive. I only comment where the code is not explicitly
clear, or at the beginning of each code block of a long if / elseif /
elseif chain. And I comment the close parenthesis to know what it
closed.


 It's also worth noting that sometimes code is hard to follow. And even
 if you're going to be the only one updating it, you may well forget the
 logic six months from now. Commenting allows you to recapture that logic
 more easily.


Yup!


 And then there's the PHP interpreter. If you make a syntax error, like
 failing to add an closing brace, the interpreter will tell you so. If
 you spend *enough* time coding, you can usually track down where your
 mistakes are relatively easily. If you've ever coded in C, the same is
 true for the C compiler. Its behavior is very very similar to that of
 the PHP interpreter. It's something you get used to over time as you
 code more and more. Also, what could be called incremental coding or
 stepwise development helps: Code a little. Run/compile. Code a little,
 run/compile. That way, errors are easier to catch than after you've
 written 5000 lines in a file.


Sometimes I have to touch a live site, in fact _most_ of the work I do
is for small accounts that don't have a test environment. I can often
write a test page with a security-by-obscurity filename, but relying
on the interpreter is a habit that I cannot afford.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to write code: how wrong am I?

2011-02-22 Thread Dotan Cohen
On Tue, Feb 22, 2011 at 14:11, Jay Blanchard jblanch...@pocket.com wrote:
 It is an interesting concept Dotan, what is the goal? Who is the page
 targeted to?


The goal is to have every open and close bracket matched, and not have
to worry about what is still open.

The page was specifically written for a friend who is learning HTML,
but I plan on presenting it to my C# and Java classmates who I think
would benefit from it as well. I choose to display the concepts with
PHP instead of C# or Java as I feel that there would be more PHP
learners online to benefit from the concept than C# or Java beginners.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to write code: how wrong am I?

2011-02-22 Thread Dotan Cohen
On Tue, Feb 22, 2011 at 15:00, Andy McKenzie amckenz...@gmail.com wrote:
 I'll be the first to tell you that I'm not a great programmer, so my
 take may not be worth a lot.  However, this is pretty close to how I
 write.  Not exactly, but close.  I also always label open and closing
 brackets on everything, unless the brackets are less than three lines
 apart.  For instance, I might find myself writing:

 if($foo == 'bar')
 { # Begin foo=bar test
   # If foo=bar, do a lot of things.

 } # End foo=bar test

 Then I go back and fill in the conditional stuff.

I also do something similar, I debated writing about that as well:

class someClass {

    function someFunction() {
        if (true) {
            // Some Code
        }
    } // end someFunction

} // end someClass

I don't strictly subscribe to a three-line limit, but whatever feels
reasonable at the time. Often that depends on the complexity of
surrounding code.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to write code: how wrong am I?

2011-02-22 Thread Dotan Cohen
On Tue, Feb 22, 2011 at 14:15, Marc Guay marc.g...@gmail.com wrote:
 It's an interesting idea (a different take on coding best practices)
 but I find the PHP example to be laborious and time consuming with
 little benefit.  If I'm typing an IF statement, I hope to god I know
 what the condition is before I start typing it.  Creating the if/else
 structure first and then filling in the conditions after is a lot of
 cursor-shuffling that could be lived without.



If the if statement is simple, then I do agree with you. But once
there are nested functions or conditionals, I like to have the layout
already ready. Consider:

if ( someFunction( someCheck( strtolower( $_POST['variable'] ) ) ) ) {
    // Some Code
}

Now, after the $_POST variable, how many close parentheses does the
code need? This does trip up beginners, especially those who
rightfully learn outside an IDE. Similar situations occur for
something like this (unindented to not overflow email line character
limit):
function someFunction(){
if($something==true){
while($someCondition){
switch($someVariable){
// Some Code
}
}
}
}

Writing that is fine, but if the user goes in to add another while or
if, he will get lost in the sea of parentheses. Therefore, I always
close elements before filling them in. It keeps the mind's state
machine saner!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] How to write code: how wrong am I?

2011-02-22 Thread Dotan Cohen
On Tue, Feb 22, 2011 at 14:58, Robert Cummings rob...@interjinn.com wrote:
 I'm more likely to do this stuff for HTML than PHP. However, I do sometimes
 lay out the structure of some conditionals/functions before fleshing them
 out so that I can do some early testing... but I always fill the conditional
 as I'm doing this. In case that's not clear... the code flows from first
 character to last character as I type all of the conditionals (no jumping
 around). Later I fill in the associated activity for the conditional.


Thanks for the insight. I could see where that is a good compromise.
Like this I suppose:

if (something)



if (something) {

}



if (something) {
// Code here
}


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-21 Thread Dotan Cohen
 Actually, I'm the customer! But assuming that a customer exists, that
 implies compensation, and therefore fair bait.
 Then that's different altogether. you get to decide what information
 is displayed, and what information is 'sensed', and on what platform.


Yes, but before I get to that stage (relatively easy today with high
level languages such as PHP or C#) I need to decide how to organise
the data.

 What do you want to sense and what do you want to display(not to say
 I'm an expert, but I like to think in CS)?


The application will pull calendar records by category: entertainment,
food, gov, transportation, etc. The idea is that the user could query
for, say, postal offices open after 17:00 on Thursday, or films
between 20:00 and 22:00 on Monday, or buses leaving Amsterdam to
Rotterdam on Monday morning.

By the way, I figured out what the troll issue was. I was confusing
your signature for the body of the post. It was familiar, too, so I
thought that it may have been a troll post on /. or such. It turns out
that I had seen it on the Python-tutor list, and there I also mistook
it for a troll as the length of the sig far outweighs the length of
your typically concise and to-the-point post. Constructive advice:
trim the sig!

Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-21 Thread Dotan Cohen
 If you are doing this often, you could leave spaces in the left and right
 values so that you could minimize the number of rows that need to be
 updated. The article makes every leaf use x and x+1 for left and right which
 forces another update to add a child. If instead you used x and x+20 you'd
 leave space for more children without any updates. This could be applied
 from top to bottom, starting with the root category getting 0 and MAX_INT
 for its values.

Then I would have to check what values are available when inserting,
and possibly normalise every so often. I'll think about that, and when
I have enough data in the database I'll set up a test system to play
with the possibility.


 However, it's probably not even worth applying that complexity until you
 prove that frequent category additions are causing problems. Most systems
 will be querying against the categories table far more frequently, and
 that's where this model pays off. If you want to see all products in
 category X and its subcategories, it's a single *non-recursive* query.
 That's huge if you are doing a lot of searches like this.

You are right, that non-recursive bit is important. In fact, I think
that I'm convinced. Thanks!


 But what a mess this would be if the two methods go out of sync!

 Sure, but these values would be maintained by your code--not end-users. It
 just comes down to making sure your code is correct through appropriate unit
 tests. By moving the logic to a stored procedure, you can ensure the table
 is locked during the updates to keep two users from adding a new category
 simultaneously.

So long as it is in fact my code, that's fine. But when others start
maintaining it and not reading comments, it may get ugly. That does
not apply to this particular pet project, but it is a consideration
for future projects.


 That pays off more? For the guy writing code or for the database
 memory requirement?

 Performance-wise. The nested set method looks to be moderately more complex
 code-wise, but luckily that is done just once while querying the database is
 done again and again. As with all optimizations, it's best to measure and
 make sure there's a problem before trying to solve it. Once you've built a
 few hierarchical systems, you'll be able to make a gut call up front.

I see, thanks. Good point about making sure that the problem exists
before trying to fix it, I've seen people optimise away where there is
no bottleneck.


 Only two update statements, but they are affecting on average half the
 database's rows!

 Of a single table: categories. Hopefully you have far more items that get
 categorized than you do categories.


True.

 Which do you call the hierarchical model? That term is not used in the
 linked article.

 Well, both models are hierarchical in the sense that there's a parent-child
 relationship. By hierarchical here I mean that the method of implementation
 involves each category pointing to its parent directly via a parent_id
 column. Searching for all subcategories of category X requires searching
 first for all children, then all grandchildren, and so on, resulting in a
 recursive query.
 Using the nested sets model requires a single non-recursive query to get the
 same data.


I do agree that the non-recursive method at retrieval time advantage
far outweighs the update-half-the-table issue upon addition of an
additional category.

Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-21 Thread Dotan Cohen
On Fri, Jan 21, 2011 at 12:29, Richard Quadling rquadl...@gmail.com wrote:
 Changing data in a database is the role of the database engine. It is
 much more efficient to have the cost on the insert than it is on the
 select.


Agreed. On insert I could even delegate the operation to another
thread which does not timeout with the pageload.


 The adjacent list model is very expensive at n-levels for the select,
 but trivial cost for the insert. If you are inserting millions of rows
 but only occasionally looking at the data, then stick with the
 adjacent list model. But if tags and n-levels are regularly accessed
 and form a main part to the functionality of the app, then you may
 want to reconsider.


I've already reconsidered after some sleep and coffee!


 Sure, the insert for the nested set model is more expensive in terms
 of the number of rows to amend, but indexing should certainly
 help. If you have tools to help optimize the tag table and
 the queries you use, then I'd follow the recommendations (I use MS
 SQL, so my Query Optimization tools help me here). The nested set
 model is extremely efficient on the select.


Interesting. I am using MySQL for this application, but another hat I
wear is learning C# with MS tools and I will have to look into the
Query Optimisation.


 It is a trade off that you have to decide upon, based upon your data
 and needs. If, as I suspect, you are going to be doing a LOT of
 selects on the tags and (in the future) to multiple levels, then this
 aspect needs to be very efficient.


You suspect correctly.


 For me it is well worth the effort of moving from the adjacent list
 model to the nested set model.

 Both mechanisms work. In my opinion, the adjacent list model is for
 truly simply lookups, not for complicated n-levels.

 One of the changes I made to the nested set model was for a Bill Of
 Materials module. The client made complex machinery (industrial
 lathes). The sum quantity for all the parts were in the 20,000 region.
 Each nut, bolt, screw, etc. Many sub-assemblies. The parent/child node
 logic was massive in dealing with retrieving questions like "How many
 machines can we build?", "What stock do we need to buy/make to
 complete an order of 20 lathes?". Lots of recursion into each level
 to build the list. Getting the results would take 3 or 4 minutes (this
 is in a non SQL environment using a peer-to-peer modified D-ISAM
 database - it was already slow because of all that). When I moved to
 the nested set model, no recursion and 1 query (more or less) and I
 have all the results I needed. It was seconds in comparison.


Thanks, I enjoy reading these real-life scenarios. This was a terrific example.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-20 Thread Dotan Cohen
On Thu, Jan 20, 2011 at 18:20, Dotan Cohen dotanco...@gmail.com wrote:
 On Thu, Jan 20, 2011 at 17:00, Richard Quadling rquadl...@gmail.com wrote:
 I'd have my items table, my tags table and a join table for the two.
 My join table is really simple. UniqueID, ItemID, TagID.


 Yes, that is the first approach that I mentioned. It looks to be a
 good compromise.



Sorry, that was _not_ the first approach that I mentioned. It looks to
be the right method though, thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Re: Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-20 Thread Dotan Cohen
On Thu, Jan 20, 2011 at 17:22, Jerry Schwartz je...@gii.co.jp wrote:
 I think the canonical way would be to have one table for your items, one table
 for your tags, and one table for your tag assignments.


Thank you, I do agree that this is the best way. Other posters seem to
agree as well!


 Using an ever-lengthening bitmap for the tag assignments is a trap for the
 unwary. The path to perdition is lined with the bodies of those who believed
 We'll never need more than x...


640 kb?


 As for setting up a hierarchy, that's trickier. One way to handle that is to
 work like libraries do: 10 is fiction, 10.05 is crime novels, 10.05.07 is
 British authors, and so forth. Your `tags` table then looks like


Thanks. I prefer the parent tag field, though, I feel that it is
more flexible.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-20 Thread Dotan Cohen
On Thu, Jan 20, 2011 at 19:21, Richard Quadling rquadl...@gmail.com wrote:
 That is terrific, at least the first half. The second half, with the
 Venn diagrams, is awkward!

 When you get heavily nested data, with the adjacent set model (where you
 have a parentid for every uniqueid) you very quickly get into
 complicated logic trying to traverse n-levels. The nested set model is
 specifically built to handle this issue. I'd recommend getting to
 grips with it. It will make finding items belonging to a group (or a
 super group) a LOT easier.

 Especially if you have multiple tag hierarchies.


Is that strategy widely deployed, then? It seems so unruly having to
change on average half the database records for every new leaf.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-20 Thread Dotan Cohen
On Thu, Jan 20, 2011 at 20:50, David Hutto smokefl...@gmail.com wrote:
 Pseudo => Design Algorithm
 Design Algorithm => Actual Code
 Actual Code => Alterable db tables
 Alterable db tables => manipulated data through the app interface with data

 --
 The lawyer in me says argue...even if you're wrong. The scientist in
 me... says shut up, listen, and then argue. But the lawyer won on
 appeal, so now I have to argue due to a court order.

 Furthermore, if you could be a scientific celebrity, would you want
 einstein sitting around with you on saturday morning, while you're
 sitting in your undies, watching Underdog?...Or better yet, would
 Einstein want you to violate his Underdog time?

 Can you imagine Einstein sitting around in his underwear? Thinking
 about the relativity between his pubic nardsac, and his Fruit of the
 Looms, while knocking a few Dorito's crumbs off his inner brilliant
 white thighs, and hailing E = mc**2, and licking the orangy,
 delicious, Doritoey crust that layered his genetically rippled
 fingertips?

 But then again, J. Edgar Hoover would want his pantyhose intertwined
 within the equation.

 However, I digress, momentarily.

 But Einstein gave freely, for humanity, not for gain, other than
 personal freedom.

 An equation that benefited all, and yet gain is a personal product.

 Also, if you can answer it, is gravity any more than interplanetary static
 cling?


Is this a troll? Am I about to be baited?

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-20 Thread Dotan Cohen
On Thu, Jan 20, 2011 at 21:24, David Hutto smokefl...@gmail.com wrote:
 Is this a troll? Am I about to be baited?

 Baited to deploy what is designed to the consumer's specification?
 Surely. From what is wanted to what is needed. Troll on that.

Actually, I'm the customer! But assuming that a customer exists, that
implies compensation, and therefore fair bait.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] RE: Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-20 Thread Dotan Cohen
On Thu, Jan 20, 2011 at 21:40, Jerry Schwartz je...@gii.co.jp wrote:
Thanks. I prefer the parent tag field, though, I feel that it is
more flexible.


 [JS] I disagree. The method I proposed can be extended to any depth, and any
 leaf or branch can be retrieved with a single query.


I suppose for retrievals this structure has advantages, but unless
MySQL has a ++ operator (or better yet, one that adds or subtracts 2
from an int) then it looks to be a pain to add nodes.

But I will play with the idea. Maybe after I write the code (I'm
saving that for tomorrow) I'll see it differently. Thanks.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Organisational question: surely someone has implemented many Boolean values (tags) and a solution exist

2011-01-20 Thread Dotan Cohen
On Thu, Jan 20, 2011 at 22:05, David Harkness davi...@highgearmedia.com wrote:
 Thanks for the link. That article proposes an interesting way to organize
 the categories. Have you implemented this in the wild? Clearly the design
 would work as it's pretty simple, and I like that it removes the need for
 recursive queries.

I am also interested in knowing if this approach is used in any production code.


 Dotan, the Venn diagrams are just used to explain the concept. If you use
 the code to determine the left and right values, you can ignore the diagrams
 entirely. As long as you're not adding/removing categories every minute,
 having to recalculate left and right values isn't that big of a deal.

I understood that. My concern is exactly with adding new nodes. There
is no incrementor (++i) in SQL, so knowingly coding a solution that
will require incrementing two fields in half the database rows seems
irresponsible.


 Also, there's no reason you couldn't keep the parent_id field with the
 nested sets. It would come in handy for certain types of queries, though
 it's not necessary.

That is true. I could store both methods, and experiment to see which
is preferable. But what a mess this would be if the two methods go out
of sync! Isn't there a name for that in SQL, something along the lines
of not storing the same data in two places lest one should change and
not the other? The term escapes me.


 I disagree. The method I proposed can be extended to any depth, and any
 leaf or branch can be retrieved with a single query.

 The nested set method can be extended to any depth, and it pays off more the
 larger the hierarchy grows. While you can retrieve any branch (all
 ancestors) of a node with a single SQL query, the SQL engine itself actually
 must perform a recursive query meaning multiple hits on the parent_id index.

That pays off more? For the guy writing code or for the database
memory requirement?


 I suppose for retrievals this structure has advantages, but unless
 MySQL has a ++ operator (or better yet, one that adds or subtracts 2
 from an int) then it looks to be a pain to add nodes.

 ++ or += wouldn't be any better here than x = x + 2. Once you're modifying
 indexed values, you'll pay a much higher price writing to disk than += could
 ever save you in CPU cycles. The beauty is that inserting a node requires
 only two update statements that will fix *all* categories that need to be
 adjusted.

Only two update statements, but they are affecting on average half the
database's rows!


 Adding categories to the hierarchical model is definitely faster
 so it comes down to your insert-to-select ratio. Moving a subtree is also
 much easier with the hierarchical model.

Which do you call the hierarchical model? That term is not used in the
linked article.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


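The nested-set bookkeeping argued over in this message and in the 21 January replies above (two UPDATE statements per insert that touch a large share of the categories table, against a single non-recursive query for a whole subtree), as an added example that is not code from any of the posts. It runs the actual SQL against an in-memory SQLite database from Python's standard library rather than MySQL; the categories table, the sample category names and the parent_id column kept alongside lft/rgt are assumptions made here for illustration.

```python
"""Nested-set category tree on SQLite (stdlib) with a parent_id column kept alongside.

Added example, not code from the original posts.  Table layout, column names
and the sample categories are assumptions made here for illustration.
"""
import sqlite3


def open_db():
    """Create the categories table with a single root spanning (1, 2)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE categories ("
        " id INTEGER PRIMARY KEY, name TEXT NOT NULL, parent_id INTEGER,"
        " lft INTEGER NOT NULL, rgt INTEGER NOT NULL)"
    )
    con.execute("CREATE INDEX idx_lft ON categories (lft)")
    con.execute("CREATE INDEX idx_rgt ON categories (rgt)")
    con.execute("INSERT INTO categories VALUES (1, 'root', NULL, 1, 2)")
    con.commit()
    return con


def add_child(con, parent_id, name):
    """Insert `name` as the last child of `parent_id`.

    Returns (new_id, rows_shifted).  rows_shifted is how many existing rows the
    two UPDATE statements touched: every node to the right of the parent plus
    every ancestor, which is the cost the thread worries about.
    """
    with con:  # one transaction: two concurrent inserts cannot interleave
        row = con.execute("SELECT rgt FROM categories WHERE id = ?", (parent_id,)).fetchone()
        if row is None:
            raise ValueError(f"no category with id {parent_id}")
        parent_rgt = row[0]
        # Open a gap of width 2 at the parent's right boundary (x = x + 2, no ++ needed).
        shifted = con.execute("UPDATE categories SET rgt = rgt + 2 WHERE rgt >= ?", (parent_rgt,)).rowcount
        shifted += con.execute("UPDATE categories SET lft = lft + 2 WHERE lft > ?", (parent_rgt,)).rowcount
        cur = con.execute(
            "INSERT INTO categories (name, parent_id, lft, rgt) VALUES (?, ?, ?, ?)",
            (name, parent_id, parent_rgt, parent_rgt + 1),
        )
        return cur.lastrowid, shifted


def subtree(con, category_id):
    """All descendants of `category_id`, depth-first, in one non-recursive query."""
    rows = con.execute(
        "SELECT c.name FROM categories c JOIN categories p ON p.id = ?"
        " WHERE c.lft > p.lft AND c.rgt < p.rgt ORDER BY c.lft",
        (category_id,),
    ).fetchall()
    return [name for (name,) in rows]


def ancestors(con, category_id):
    """Path from the root down to the parent of `category_id`, also one query."""
    rows = con.execute(
        "SELECT a.name FROM categories a JOIN categories n ON n.id = ?"
        " WHERE a.lft < n.lft AND a.rgt > n.rgt ORDER BY a.lft",
        (category_id,),
    ).fetchall()
    return [name for (name,) in rows]


def subtree_adjacency(con, category_id):
    """Same descendants via parent_id: one query per level, i.e. recursion.

    Returns (names in breadth-first order, number of queries issued).
    """
    names, queries, frontier = [], 0, [category_id]
    while frontier:
        marks = ",".join("?" * len(frontier))  # placeholders only; ids are bound, never interpolated
        rows = con.execute(
            f"SELECT id, name FROM categories WHERE parent_id IN ({marks}) ORDER BY lft", frontier
        ).fetchall()
        queries += 1
        names.extend(name for _, name in rows)
        frontier = [cid for cid, _ in rows]
    return names, queries


def check_invariants(con):
    """Every lft < rgt and the 2n boundary values are exactly 1..2n."""
    pairs = con.execute("SELECT lft, rgt FROM categories").fetchall()
    values = sorted(v for pair in pairs for v in pair)
    return values == list(range(1, 2 * len(pairs) + 1)) and all(l < r for l, r in pairs)


def build_demo():
    """Constructed sample tree; returns (connection, name->id, name->rows_shifted)."""
    con = open_db()
    ids, shifts = {"root": 1}, {}
    for parent, name in [("root", "entertainment"), ("root", "food"),
                         ("entertainment", "films"), ("entertainment", "music"),
                         ("food", "restaurants"), ("films", "drama")]:
        ids[name], shifts[name] = add_child(con, ids[parent], name)
    return con, ids, shifts


if __name__ == "__main__":
    con, ids, shifts = build_demo()
    print("consistent:", check_invariants(con))
    print("under entertainment:", subtree(con, ids["entertainment"]))
    print("ancestors of drama:", ancestors(con, ids["drama"]))
    print("rows shifted per insert:", shifts)
```

add_child reports how many rows its two UPDATEs touched, so the insert cost can be watched growing with the size of the tree and with how far left the new node lands; subtree_adjacency gives the same answer through parent_id and counts the round trips it needs. Wrapping the gap-opening updates and the INSERT in one transaction is what keeps two simultaneous inserts from corrupting the lft/rgt numbering, the locking point raised in the thread.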


Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-30 Thread Dotan Cohen
On Thu, Dec 30, 2010 at 03:05, Nicholas Kell n...@monkeyknight.com wrote:
 Even funnier yet - bottom post like you were asked. And to really bust your 
 gut, this thread has gone on far too long off topic.

 I believe that the person you are referring to as Dani, is in fact Daniel. I 
 don't, nor would I ever start to call you Omeggie just to get under your skin.

 Use your prestigious fraternity flaunting email and message Daniel directly 
 to continue arguing.

 I'm not trying to be rude, but I do believe it is in the best interest of the 
 list to kill this thread. Dotan, please chime in if your problem hasn't been 
 solved. I will, as I am sure the rest of the list will be happy to help if it 
 hasn't.


Actually, though I've come to a decision regarding my site's password
policies, I still enjoy reading the skirted personal attacks and
borderline trolling. Seriously, it is as entertaining as it is
informative. Who needs slashdot with action like this?

If this stuff ever comes up again, will the participants be so kind as
to CC me so I don't miss it? Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-29 Thread Dotan Cohen
On Wed, Dec 29, 2010 at 02:46, David Harkness davi...@highgearmedia.com wrote:
 To address the OP, I would agree with skipping trim on both the user name
 and password. If it's a copy-paste error, they will try again.


They do try again: copying and pasting in the exact same manner. It
keeps happening.


 If you want
 to get fancy, warn when the password starts with or ends with spaces if it
 comes back incorrect, but I think that's probably going to be so rare as not
 to be worth the extra effort.


I've changed it to warn client-side (javascript) if there are leading
or trailing spaces in the username only:
"Your username [begins||ends] with an errant space. Please reenter
your credentials more carefully."
I hope that they figure out to check their passwords as well.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-29 Thread Dotan Cohen
On Wed, Dec 29, 2010 at 06:51, Paul M Foster pa...@quillandmouse.com wrote:
 I agree that users should not use weak passwords, but not everyone goes
 everywhere with a vault. I am more than capable of memorizing 20 or so 16-32
 character full set passwords.


 And so you assume everyone can do that? I can remember maybe 5 of the
 passwords I regularly need. (I rarely repeat passwords for different
 sites.) In addition, some passwords have been *assigned* to me and
 cannot readily be changed (and are usually difficult to remember). Many
 of the rest I so seldom use that it would be silly to try to remember
 them. Particularly when I do have a password-locked file I can use to
 record them for me.


Exactly. Even Lifehacker is now assigning passwords since the Gawker
exploit. Lifehacker users cannot choose their own passwords anymore,
they are assigned passwords.


 Under the circumstances I described, I have yet to hear in what way
 copying and pasting passwords compromises security of anything by
 itself. Please enlighten me.


I think this is the underwear rule: never leave passwords/underwear
out in the open where everyone can see them. Also, change them
frequently.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-29 Thread Dotan Cohen
On Wed, Dec 29, 2010 at 07:00, David Hutto smokefl...@gmail.com wrote:
 Correct me if I'm wrong, but if you initially type the username and
 password into a file, and you have, in my paranoid scenario, a
 keylogger you don't know about, it gets logged, but also, I assume it
 would get logged if you typed it in as well, on the site, or that
 someone could lift the password if given the authority on your system,
 correct?


There is little us as serverside programmers can do when the user's
system is already compromised. However, securing the password down the
wire is certainly our job.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-29 Thread Dotan Cohen
On Wed, Dec 29, 2010 at 11:20, Omega -1911 1911...@gmail.com wrote:
 Hi Paul - I am interested in knowing how you prevent intrusion with
 your firewall when it is a known fact that post 9/11 companies that
 develop such leave ports open for Big Brother as required. Remember
 Green Lantern, Carnivore and the like are roaming around and used
 by various agencies. Even though a firewall reports that the ports are
 blocked, they aren't.

 Limiting surfing to only trusted sites does limit vulnerability, but
 for the last couple of years, Google, Yahoo, Fbook, Youtube are
 compromised by hackers installing Antivirus 2009, Antivirus 2010,
 etc. viruses.

 With a long list of sites improperly setting cookies, passwords and
 usernames are easily compromised when a person visits other sites.
 Most importantly, how do you verify that the Internet Service
 provider has not been compromised? Using SSL to pass passwords is
 still not 100 percent safe as people may think because the real
 problem lies in what and where the web site stores your information on
 the server.

 How do you thwart these possible and other intrusion nodes?


A different password on each potentially-weak site? LastPass is great
for this. You can then export and print your LastPass data, put it on
removable media, or access it via web access.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
I seem to have an issue with users who copy-paste their usernames and
passwords and end up copying and pasting leading and trailing space
characters along with them. The obvious fix was to trim() the values
that I receive, but I worry how that would affect users who use a space
at the beginning or end of their password. Of course, if I trim() also
when the user is setting his password then he will never know that his
password is really 1 digit shorter, but do I really want to do that?
Thoughts? Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 15:27, Al n...@ridersite.org wrote:
 Can't you simply specify the allowed characters that can be used for PWs and
 usernames?


No, I hate when websites do that. It leads to less secure passwords,
not more secure, and it is passing the burden of fixing the issue onto
the user.


 I always do, e.g., 6-8, case sensitive, alphanumerics, and the following
 characters: @, #, $, %, &, *, -.

 Then, I trim() and check the submitted PW for any exceptions to the rules.



I regularly use other characters in my passwords. Off the top of my
head, I have passwords with the tilde, underscore, and exclamation
point. Sites that don't let me use them don't get my business.
Seriously. I once even switched banks twice in one week: once because
the old bank's website did not work with Firefox in Fedora, and the
second time because the new bank's website would not let me use an
exclamation point in my password. I might be an extreme example, but
it is behaviour that I do not agree with.





-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 21:57, Nathan Rixham nrix...@gmail.com wrote:
 Don't trim or limit the range of input characters, but far more importantly
 /don't send passwords in clear text/, indeed don't generate passwords at
 all, let users enter their desired password, then they won't be copy and
 pasting them ;)

 ps: if unavoidable, then give some advice on login failure like passwords
 are case sensitive, check you don't have caps lock on and that you haven't
 included any additional spaces.


I'm toying with the idea of having the passwords hashed twice: they're
already in the database hashed, and javascript hashes them on the
client before sending them over, but I'm thinking about sending an
additional salt to the client to hash the hashed passwords with salt,
and that's what is sent back. This way, each login is done with a
different hash of the password so an attacker cannot simply capture
and reuse the hashed password.

But before all that goes on, I have to decide what to do about leading
and trailing spaces.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 22:02, Joshua Kehn josh.k...@gmail.com wrote:
 Trim usernames but not passwords.
 Some people put spaces at the beginning and end of their passwords. Double
 confirm and don't mess with the input otherwise they tend to get confused.


How about:

$trimmedUsername = trim($username);
if ($trimmedUsername != $username) {
    $password = trim($password);
}

I suppose that it is reasonable to assume (ha!) that if one was
copy-pasted with spaces, so would the other. Naive, I know, too bad I
don't dare start logging raw data to determine how true this might or
might not be.

Maybe I will start anonymising the data on the client, testing for
this, then logging it to a separate database with no correlation to
the users. Interesting it will be, at least.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 22:11, Joshua Kehn josh.k...@gmail.com wrote:
 Users should not be copy-pasting passwords or usernames. Do not compromise a
 system to cater to bad [stupid, ignorant, you pick] users. If this is an
 issue then educate the users.


Educate the users?!? Is that like making water flow uphill, or
reversing aging? I can do a lot of things, but don't even ask me to
bring back the dead!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 22:23, Peter Lind peter.e.l...@gmail.com wrote:
 Sounds like https would be MUCH simpler and likely as safe or safer. I
 wouldn't waste my time on trying to come up with very clever schemes
 when tried and true technologies are out there.


You are right, I know.


 But before all that goes on, I have to decide what to do about leading
 and trailing spaces.

 As has been noted a couple of times: trim usernames. Never trim passwords.


I think that is right. I needed that push. Thanks.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

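The conclusion of this thread, "trim usernames, never trim passwords", as an added example that is not code from the original messages. The function names, the in-memory $users store and the sample credentials are assumptions for illustration; the point is that the username is normalised as an identifier while the password reaches the hash byte for byte.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread: the thread's conclusion
// ("trim usernames, never trim passwords") applied at registration and login.
// The function names, the in-memory $users store and the sample credentials
// are assumptions for illustration.

// A username is an identifier, so normalise it: strip surrounding whitespace,
// collapse interior runs of whitespace and fold case.
function normalize_username(string $raw): string
{
    $name = trim($raw);
    $name = preg_replace('/\s+/u', ' ', $name) ?? $name;
    return mb_strtolower($name, 'UTF-8');
}

// A password is a secret, so keep every byte the user typed, including leading
// and trailing spaces; the only transformation it gets is the one-way hash.
function register(array &$users, string $rawUsername, string $rawPassword): void
{
    $username = normalize_username($rawUsername);
    if ($username === '' || $rawPassword === '') {
        throw new InvalidArgumentException('username and password are required');
    }
    $users[$username] = password_hash($rawPassword, PASSWORD_DEFAULT);
}

// Returns true on success. A hint that the username was normalised is safe to
// show; there is no hint of any kind about the password.
function login(array $users, string $rawUsername, string $rawPassword, ?string &$hint): bool
{
    // One dummy hash, computed once, so an unknown username costs the same
    // password_verify() time as a known one.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $hint = null;
    $username = normalize_username($rawUsername);
    if ($username !== $rawUsername) {
        $hint = 'Surrounding spaces and letter case in the username were ignored.';
    }

    $known = isset($users[$username]);
    $ok = password_verify($rawPassword, $known ? $users[$username] : $dummyHash);
    return $known && $ok;
}

// Constructed sample run.
$users = [];
register($users, '  Dotan ', ' s3cret ');               // the password really is " s3cret "

var_dump(login($users, 'dotan', ' s3cret ', $hint));     // bool(true)
var_dump(login($users, 'dotan', 's3cret', $hint));       // bool(false): the password is not trimmed
var_dump(login($users, ' DOTAN ', ' s3cret ', $hint));   // bool(true), and $hint is set
echo $hint, "\n";
```

The dummy-hash branch matters more than it looks: without it, a request for an unknown username returns immediately while a known one pays the bcrypt cost, which lets an attacker enumerate accounts by timing.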



Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 22:26, Joshua Kehn josh.k...@gmail.com wrote:
 Educate the users, don't compromise the system. Either go full on and trim 
 everything (I don't recommend this) or trim
 nothing. Be consistent in which one you pick.


Then how about:
if ($trimmedPassword == $realPassword && $enteredPassword != $realPassword) {
    print "<p>Warmer!</p>";
}

I'm kidding. I'll not trim. But if $trimmedUsername !=
$enteredUsername I'll mention that fact to the user and remind him to
be careful to copy exactly what he means to copy. Username only, not
password.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 22:30, Joshua Kehn josh.k...@gmail.com wrote:
 indeed, and on reflection, if you're putting this much effort in to it, and
 security is a worry, then forget username and passwords, and issue each user
 with a client side RSA v3 certificate and identify them via the public key
 of the cert.

 I just realized that this would also completely solve your trim() problem!


Hello, Dotan? Hi, we haven't spoken in a full week now that we don't
have the trim problem. But I reinstalled Windows and wiped the drive,
now I can't log in. Can you help me?

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 22:52, Joshua Kehn josh.k...@gmail.com wrote:
 We're PHP programmers, we do the impossible all the time. Without automatic 
 migrations, managed models, succinct
 ORM's. Other developers look at us in shock as we memorize the $haystack and 
 $needle argument orders for explode
 and str* functions. Raising the dead would be easy in comparison.


Oh, how about verbNoun() vs nounVerb() vs
mysql_adjective_verb_noun()?!? I'm not a PHP programmer by trade, more
of a side thing while I maintain some servers, but I know to
appreciate those who do the impossible!

While we're at it, how about adding just one little feature...


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 22:43, Nathan Rixham nrix...@gmail.com wrote:
 that's what pkcs12 was invented for, just issue another certificate / key
 pair.


I could probably automate and script it, I would just give the users a
name/password combo to their own control panel...

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] Re: Do you trim() usernames and passwords?

2010-12-28 Thread Dotan Cohen
On Tue, Dec 28, 2010 at 23:02, Daniel Brown danbr...@php.net wrote:
    This thread has really just gone on far too long without the only
 correct answer: always use the same username/password for everything,
 and always make them as simple as possible so that you can remember
 them.  For example, I always use the password 'brown1' for everything
 --- all of my servers root passwords, my bank accounts and credit
 cards, email addresses, nuclear arsenal, electronic safe containing
 all of my ninja swords up in my toddler daughter's room, customer
 cPanel accounts, social networking passwords, medical records,
 utilities payment sites, credit history, customer's credit cards, the
 antidote, the original KFC secret recipe, the key to your heart, the
 meaning of life, the true name of ***, the better mousetrap, the cure
 for the common cold, the last of the Mohicans, the look on your face,
 the way we were, the DeLorean, the secret of nirvana, and all of my
 exabytes of pr0n collections.


Did you know that when you type 'brown1' we see it as **? Your
system does that automatically.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Re: Zip files: generate text file in archive on the fly

2010-10-21 Thread Dotan Cohen
I found this terrific tool for creating dynamic zip files:
http://pablotron.org/software/zipstream-php/

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] Zip files: generate text file in archive on the fly

2010-10-17 Thread Dotan Cohen
I need to provide a download of a zip archive containing three files.
This is fairly straightforward in PHP so long as one is working with
files that already exist. However, I need to customise one of the
files (a simple text file) with the user name and other info before
zipping. I see no mention of this in the fine manual, and even
googling has led me nowhere. Ideas? Am I missing something obvious?

Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

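One way to do what the question asks with PHP's bundled ZipArchive, as an added example rather than code from the original message or from the zipstream-php project linked in the reply: two existing files are added by path and the per-user text file is generated in memory with addFromString(), so it never has to be written to disk first. The file names, the licence data and the output path are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: build a zip containing two
// existing files plus a text file generated per user, using the bundled
// ZipArchive class. File names, user data and paths are assumptions.

function build_user_archive(string $zipPath, array $staticFiles, string $username, string $licenceKey): void
{
    $zip = new ZipArchive();
    $rc = $zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    if ($rc !== true) {
        throw new RuntimeException("cannot create $zipPath (ZipArchive error $rc)");
    }

    foreach ($staticFiles as $entryName => $diskPath) {
        // Name every entry explicitly: the on-disk path must not leak into the
        // archive, and user input must never choose the entry name.
        if (!$zip->addFile($diskPath, $entryName)) {
            throw new RuntimeException("cannot add $diskPath");
        }
    }

    // The customised file is written straight into the archive from a string.
    $readme = "Licensed to: {$username}\nKey: {$licenceKey}\nGenerated: " . gmdate('c') . "\n";
    $zip->addFromString('README.txt', $readme);
    $zip->close();
}

// Send the finished archive as a download and remove the temporary file.
function send_zip(string $zipPath, string $downloadName): void
{
    // Strip CR, LF and double quotes so a crafted name cannot break the header.
    $safeName = str_replace(["\r", "\n", '"'], '', $downloadName);
    header('Content-Type: application/zip');
    header('Content-Length: ' . (string) filesize($zipPath));
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    readfile($zipPath);
    unlink($zipPath);
}

// Constructed run: two placeholder static files are written first so that the
// example is self-contained.
$tmp = sys_get_temp_dir();
file_put_contents("$tmp/program.bin", 'binary payload placeholder');
file_put_contents("$tmp/manual.pdf", '%PDF-1.4 placeholder');

$zipPath = tempnam($tmp, 'zip');
build_user_archive(
    $zipPath,
    ['program.bin' => "$tmp/program.bin", 'manual.pdf' => "$tmp/manual.pdf"],
    'dotan',
    'ABCD-1234'
);

// In a web request you would now call send_zip($zipPath, 'download.zip');
// from the command line, read the generated entry back instead.
$check = new ZipArchive();
$check->open($zipPath);
echo $check->getFromName('README.txt');
$check->close();
unlink($zipPath);
```

ZipArchive writes the whole archive to a file before anything is sent, which is fine for three files; the zipstream-php tool mentioned in the reply is for the case where the archive is too large to buffer and has to be streamed while it is built.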



Re: [PHP] Standalone WebServer for PHP

2010-09-13 Thread Dotan Cohen
On Sun, Sep 12, 2010 at 18:55, tedd tedd.sperl...@gmail.com wrote:
 A question, to clarify my fuzzy thinking about such things:

 Can a business have a server connected to the Internet but limit access to
 just their employees? I don't mean a password protected scheme, but rather
 the server being totally closed to the outside world other than to their
 internal employees? Or is this something that can only be provided by a LAN
 with no Internet connection?


Filter on IP address. Not foolproof, but mostly there.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

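"Filter on IP address. Not foolproof, but mostly there." What that looks like inside a PHP application, as an added example rather than code from the original message. The address ranges are assumptions. The two points a practitioner would want made explicit: match on REMOTE_ADDR, the address of the TCP peer, never on X-Forwarded-For or similar headers, which the client can set itself unless a trusted proxy overwrites them; and treat the filter as a reachability control, not as authentication.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: restrict a PHP application to
// clients inside the office's address ranges. The ranges are assumptions.

// True if $ip (IPv4 dotted quad) lies inside $cidr, e.g. "10.0.0.0/8".
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $bits = (int) $bits;
    // Keep the arithmetic within 32 bits; ip2long() is signed on some builds.
    $mask = $bits === 0 ? 0 : ((0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF);
    return (($ipLong & 0xFFFFFFFF & $mask) === ($subnetLong & 0xFFFFFFFF & $mask));
}

function client_is_internal(string $remoteAddr, array $allowedCidrs): bool
{
    foreach ($allowedCidrs as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer. Do not consult X-Forwarded-For here: it is
// client-controlled unless a reverse proxy you trust rewrites it.
$allowed = ['10.0.0.0/8', '192.168.1.0/24'];
$remote = $_SERVER['REMOTE_ADDR'] ?? '';

if (PHP_SAPI !== 'cli' && !client_is_internal($remote, $allowed)) {
    http_response_code(403);
    exit('Forbidden');
}

// Constructed checks for a command-line run.
var_dump(client_is_internal('192.168.1.42', $allowed)); // bool(true)
var_dump(client_is_internal('192.168.2.42', $allowed)); // bool(false)
var_dump(client_is_internal('8.8.8.8', $allowed));      // bool(false)
```

Behind a reverse proxy or NAT every client arrives from the same address, so the check degenerates to "anyone who can reach the proxy"; in that setup the filter belongs on the proxy or the firewall, and the application still needs its own login. IPv6 ranges need inet_pton() rather than ip2long().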



Re: [PHP] Standalone WebServer for PHP

2010-09-13 Thread Dotan Cohen
On Sun, Sep 12, 2010 at 20:07, tedd tedd.sperl...@gmail.com wrote:
 Forget modems or other such outside access -- everything would be done
 internally with computers and users being physically located within the
 office's physical location.

 So, could a server be set up in an office that would run web-languages such
 that users in the office could access their server and run scripts using
 browsers?


Just connect them to a router and don't connect the router to the WAN.
Each machine will get its own IP address (assuming that the router is
running a DHCP server).

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




[PHP] What are the curly brackets around variables in SQL statements for?

2010-07-21 Thread Dotan Cohen
Take for example:
INSERT INTO table ( field ) VALUES ('{$variable}' )

Why the curly brackets? Where in the fine manual is this addressed? I
started from [1] but did not find the relevant info.

[1] http://il2.php.net/manual/en/book.mysql.php

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] What are the curly brackets around variables in SQL statements for?

2010-07-21 Thread Dotan Cohen
On Wed, Jul 21, 2010 at 22:07, Daniel Brown danbr...@php.net wrote:
    That's just basic variable parsing on the PHP side, it's not
 MySQL-specific.  Check out the variable parsing heading at
 http://php.net/string .


Thanks, Daniel. It seems unnecessary, then, as the quote character is
not a valid character in a variable name.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] What are the curly brackets around variables in SQL statements for?

2010-07-21 Thread Dotan Cohen
On Wed, Jul 21, 2010 at 22:27, Nathan Nobbe quickshif...@gmail.com wrote:
 the single quote is not part of the variable name in the example you posted
 and further more the curly braces won't be evaluated as part of a variable
 name unless the string expression is wrapped in double quotes (which probably
 also evaluates in heredocs & nowdocs).  in this case, i would say you are
 right, the curly braces seem gratuitous; again as dan suggested, read the
 docs for clarification ...
 http://us.php.net/manual/en/language.types.string.php#language.types.string.parsing

Thanks, Nathan, I _just_finished_ reading that page!



-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

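The cases where the braces are redundant and the cases where they change what PHP parses, as an added example that is not code from the thread; the values are constructed. It shows only how the string is parsed: interpolating data into SQL is unsafe with or without braces, which is a separate matter from the question asked here.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: where "{$var}" braces are
// optional and where they are required. Values are constructed.

function samples(string $variable, array $arr, object $obj): array
{
    return [
        // Simple syntax: a quote cannot be part of a variable name, so the
        // braces change nothing here. This is the case from the question.
        'plain'      => "VALUES ('$variable')",
        'braced'     => "VALUES ('{$variable}')",

        // A character that IS legal in a name follows the variable: the braces
        // mark where the name ends. Without them, "$variable_suffix" would read
        // an (undefined) variable called $variable_suffix.
        'suffix'     => "{$variable}_suffix",          // alpha_suffix

        // Simple syntax takes exactly one array index with an unquoted key...
        'arr_simple' => "$arr[key]",                   // val
        // ...anything deeper, or a quoted key, needs the braces.
        'arr_deep'   => "{$arr['n']['deep']}",         // nested

        // Likewise for chained property access: simple syntax stops after ->prop.
        'obj_chain'  => "{$obj->prop->inner}",         // x
    ];
}

$variable = 'alpha';
$arr = ['key' => 'val', 'n' => ['deep' => 'nested']];
$obj = new stdClass();
$obj->prop = new stdClass();
$obj->prop->inner = 'x';

print_r(samples($variable, $arr, $obj));
```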



Re: [PHP] protecting email addresses on a web site

2010-06-14 Thread Dotan Cohen
On 14 June 2010 15:36, HallMarc Websites sa...@hallmarcwebsites.com wrote:
 Another is a CSS solution where you type the email address backwards and
 then use the CSS style declaration:
 style="direction: rtl; unicode-bidi: bidi-override;"


How does that work with screen readers? How about copy-paste?

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com




Re: [PHP] php quiz script/tutorial

2010-04-27 Thread Dotan Cohen
On 26 April 2010 18:12, Paul Jinks p...@pauljinks.co.uk wrote:
 I'm considering my options for making quizzes mostly multiple choice
 type of thing, but also 'filling in the gaps'. This is in support of
 educational materials I'm working on. So far I've looked at Flash and
 javascript but have concerns about accessibility for both of these.

 Does anyone have any experience of writing quizzes with php and if so,
 can you recommend any resources to get me started?

 TIA

 Paul

HTML has a form element with radio buttons, text fields, and more. Use that.


-- 
Dotan Cohen

http://bido.com
http://what-is-what.com




Re: [PHP] Math Question....

2010-04-23 Thread Dotan Cohen
On 22 April 2010 17:07, Dan Joseph dmjos...@gmail.com wrote:
 Howdy,

 This is a math question, but I'm doing the code in PHP, and have expunged
 all resources... hoping someone can guide me here.  For some reason, I can't
 figure this out.

 I want to take a group of items, and divide them into equal groups based on
 a max per group.  Example.

 1,252,398 -- divide into equal groups with only 30 items per group max.

 Can anyone guide me towards an algorithm or formula name to solve this?  PHP
 code or Math stuff is fine.  Either way...

 Thanks...


What is wrong with 626,299 groups of 2 items each (done in my head, so
I might be off a little)?

-- 
Dotan Cohen

http://bido.com
http://what-is-what.com




Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Dotan Cohen
 I have Forms that I submit for processing. I have seen examples of people 
 using either $_POST or $_REQUEST.


Look at this example:

<form action="page.php?foo=bar" method="post">
<input type="hidden" name="foo" value="pub">
</form>

Now what do you think $_REQUEST will return? You had better not even
think. Just use $_POST or $_GET as you _know_ what they will return.

Don't forget, there might even be a cookie with the name foo.

-- 
Dotan Cohen

http://bido.com
http://what-is-what.com

Please CC me if you want to be sure that I read your message. I do not
read all list mail.

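Why the answer to "what will $_REQUEST return?" depends on server configuration, and how to read a parameter from one explicit source instead, as an added example that is not code from the original message. $_REQUEST is built by merging $_GET, $_POST and $_COOKIE in the order given by the request_order ini setting (falling back to variables_order), with later sources overwriting earlier ones; the arrays below stand in for the form in the message and are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original message: detect parameters that exist in
// more than one request source, and read from one explicit source with a type
// check. The sample arrays are constructed to match the form in the message.

// $_REQUEST merges GET, POST and COOKIE in this order; later sources overwrite
// earlier ones. "GP" (the php.ini-production default) means POST beats GET and
// cookies are left out entirely; "EGPCS" lets a cookie overwrite both.
function request_merge_order(): string
{
    $order = ini_get('request_order');
    return ($order === false || $order === '') ? (string) ini_get('variables_order') : $order;
}

// Names present in more than one source: exactly the parameters for which the
// value of $_REQUEST depends on configuration rather than on the code.
function parameter_collisions(array $get, array $post, array $cookie): array
{
    $sources = ['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie];
    $seen = [];
    foreach ($sources as $name => $params) {
        foreach (array_keys($params) as $key) {
            $seen[$key][] = $name;
        }
    }
    return array_filter($seen, fn(array $where): bool => count($where) > 1);
}

// Read from exactly one source, so the handler's behaviour does not depend on
// ini settings or on which channel the client chose to send the value through.
function post_string(array $post, string $name, int $maxLen = 255): ?string
{
    $value = $post[$name] ?? null;
    if (!is_string($value) || strlen($value) > $maxLen) {
        return null;   // missing, an array (foo[]=...), or oversized
    }
    return $value;
}

// Constructed request: foo=bar in the query string, foo=pub in the hidden POST
// field, and a cookie that also happens to be called foo.
$get    = ['foo' => 'bar'];
$post   = ['foo' => 'pub'];
$cookie = ['foo' => 'from-cookie'];

print_r(parameter_collisions($get, $post, $cookie)); // foo => GET, POST, COOKIE
echo request_merge_order(), "\n";                     // e.g. "GP" or "EGPCS"
var_dump(post_string($post, 'foo'));                  // string(3) "pub"
```

The collision check is also a cheap thing to log in production: a request that carries the same name in the query string and the body is often someone probing for exactly this ambiguity.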



[PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
In order to prevent SQL injection, can one simply base64 encode the
data and store that? Then it can be decoded when I need to display it
on a website. I understand that this means that the data will not be
searchable, and that I still must sanitize it before printing it on
the site. Are there any other drawbacks or things to be aware of?
Thanks.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
On 19 February 2010 16:27, tedd tedd.sperl...@gmail.com wrote:
 At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:

 In order to prevent SQL injection, can one simply base64 encode the
 data and store that? Then it can be decoded when I need to display it
 on a website. I understand that this means that the data will not be
 searchable, and that I still must sanitize it before printing it on
 the site. Are there any other drawbacks or things to be aware of?
 Thanks.

 --
 Dotan Cohen


 Dotan:

 You're a smart guy, why reinvent the wheel? The entire problem set has
 already been solved.

 Understand there are two issues here: 1) filtering input into a database; 2)
 escaping output to a browser.

 Use mysql_real_escape_string() to filter data before it's stored in a
 database (input).


I was under the impression that mysql_real_escape_string() was not a
100% solution. Is it? Note that I serve my pages as UTF-8 and also
declare them as such in the header and meta tag, but that does not
mean that a malicious entity won't return a request in a different
encoding.


 Use htmlentities() to retrieve data from the database to be displayed via a
 browser (output).


This I do. I'm not sure if it's enough, so I'd like some reassurance
on the matter. :)


 An excellent book on this (and much more) is Chris Shiflett's Essential PHP
 Security. You can pick it up on Amazon for less than $20 -- well worth the
 cost.


They don't ship to Israel! I have looked for it locally, but not found
it. I'm sure that I could acquire a copy on some p2p service but I
really don't like doing that. Maybe I could Paypal $20 to Chris
himself if that remains my only option! Chris, what say you? (CCed)


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
 One would be storage space, as base64 requires more space to store the
 same data. For a single data element that might not be much, but when
 multiplied over all the values stored in your table it makes a
 difference.


That is a good point, thanks.


 Also, don't forget to validate/filter non-character data, which you
 can't do with base64. Something like this is still vulnerable to SQL
 injection even though it 'sanitizes' the expected character input:

 <?php
 // user_id expects an integer value
 $user_id = $_POST['user_id'];

 $comment = base64_encode($_POST['comment']);


 $sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id,
 '$comment')";

 ?>

I see what you mean. In fact, userIDs are stored, and indeed I ensure
that they are integers!


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.

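The approach the replies in this thread point at, written out with PDO as an added example (not code from the thread or from the book mentioned). Parameterised queries remove the need for both base64 and escaping on the SQL side; the integer is validated as an integer, which is the gap the user_id snippet above illustrates; and HTML escaping happens at output time, not before storage. The DSN, credentials, table and sample request data are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: PDO prepared statements plus
// input validation and output escaping. DSN, credentials, table name and the
// sample $post data are assumptions.

function db_connect(): PDO
{
    // Pin the connection charset in the DSN so client and server agree on the
    // meaning of every byte; a charset mismatch is how escaping-based defences
    // have been bypassed.
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: values travel separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Validate the shape, not just the characters: an integer column gets an integer.
function require_int(array $input, string $name): int
{
    $v = filter_var($input[$name] ?? null, FILTER_VALIDATE_INT);
    if ($v === false) {
        throw new InvalidArgumentException("$name must be an integer");
    }
    return $v;
}

function require_utf8_text(array $input, string $name, int $maxLen): string
{
    $v = $input[$name] ?? null;
    if (!is_string($v) || !mb_check_encoding($v, 'UTF-8') || mb_strlen($v, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException("$name must be valid UTF-8 of at most $maxLen characters");
    }
    return $v;
}

function store_comment(PDO $db, array $post): void
{
    $userId  = require_int($post, 'user_id');
    $comment = require_utf8_text($post, 'comment', 2000);

    // The SQL text is fixed; the data is bound and can never alter its structure.
    $stmt = $db->prepare('INSERT INTO comments (user_id, comment) VALUES (:user_id, :comment)');
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->execute();
}

// Escape for HTML when rendering, not before storing; the database holds raw text.
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comments(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT comment FROM comments WHERE user_id = :user_id');
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $out = '';
    foreach ($stmt as $row) {
        $out .= '<p>' . html($row['comment']) . "</p>\n";
    }
    return $out;
}

// Constructed request carrying the kind of payload that breaks a string-built query.
$post = ['user_id' => '42', 'comment' => "it's <b>fine</b>'); DROP TABLE comments; --"];
$db = db_connect();
store_comment($db, $post);
echo render_comments($db, 42);
```

Storing the raw text and escaping on output is what makes the data usable elsewhere (search, a JSON API, a mail template), each with its own escaping; base64 or HTML-escaping before storage gives you data that is wrong for every consumer but one.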



Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
 What about eBook ($23.99)?

 http://oreilly.com/catalog/9780596006563

 If you can get this, you can get that.


That may be a good idea. Certainly better than the pirate bay.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-24 Thread Dotan Cohen
 There is... It's called a Fax ;-)


Again, I am interested in knowing the proper terminology for PHP
constructs and code. We have a name for a small sweet green fruit from
the vine, and we have a name for the alcoholic beverage that is
derived from it. Knowing these names helps one communicate verbally,
even when one could simply fax a photo of a grape and a glass of wine.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-23 Thread Dotan Cohen
 But I think for the OP's purposes, he could simply DEFINE any word he wanted
 at the beginning of the conversation: Listen up duder. When I say 'de-ref'
 you make hyphen and a greater-than sign. Capiche?. He could just as easily
 say, Listen up duder. When I say 'arrow-thingy' you make hyphen and a
 greater-than sign. Capiche?  Problem solved. ;-)


That is what was done, but I wanted to know if there was already some
agreed-upon language.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-21 Thread Dotan Cohen
 So, actually taking a minute to read up on addcslashes(), it is a rather handy
 little function.

 Taking the list of characters that mysql_real_escape_string() says it escapes:

 http://us3.php.net/mysql_real_escape_string

 Which it lists: \x00, \n, \r, \, ', " and \x1a

 \0  = \x0
 \10 = \n
 \13 = \r
 \92 = \
 \44 = '
 \34 = "
 \26 = \x1a

 You could do something like this.

 function cleaner($input) {
        return addcslashes($input, "\0\10\13\92\44\34\26");
 }

 Maybe this will help...

 Jim


So far as I understand mysql_real_escape_string() was invented because
addslashes() is not adequate.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-21 Thread Dotan Cohen
 Open paren. Dollar-sign item de-ref getServiceID method. Question mark.
 Dollar-sign item de-ref getServiceID method again. Colon.
 Dollar-sign item de-ref getID method. Close up matching parenthesis.

 http://en.wikipedia.org/wiki/Reference_%28computer_science%29


Thanks. The word Reference was what was missing, as was the term de-ref.


 I would also suggest s/he and I use a tool such as:

 http://snipt.org/oGg
 http://pastebin.com/m5b1d82b2
 http://pastie.org/662703
 http://gist.github.com/214652

 For more real-time collaboration and sharing of code fragments.


Widely used, but sometimes unavailable due to technological limitations.


 Daevid.

Is your name related to David? I have never seen this spelling, and
my interest in etymology is overwhelming. What is the origin of this
name or spelling? Thanks!


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-21 Thread Dotan Cohen
 If you look a little closer, you will see that I am not using addslashes().
  Rather, I am using addcslashes().  This allows to specify the characters
 that I want escaped, instead of the default assumed characters from
 addslashes().


I do not know which characters to escape.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-21 Thread Dotan Cohen
 Thinking a little deeper here, you say you are concerned about the character
 type, yet you say that it is all assumed UTF-8.  Is everything going to be 
 UTF-8
 or something else?

 If it is all going to be UTF-8, then the addcslashes() variation above will 
 work.


It _should_ all be UTF-8 but I suppose that it is possible for someone
to spoof a non-UTF-8 POST request. I do not want to take the
development of a secure function into my own hands.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
 Dotan,

 You are making this thing harder then it has to be.

 All you need is to replicate the escaping of the same characters that
 mysql_real_escape_string() escapes.  Simply do that.  They are listed on the
 functions manual page on php.net

 http://php.net/mysql_real_escape_string

 Here is a function that I mocked up really quick.

 I have no idea if it will work, but it is a start down the right road to solve
 your problem(s)...

 <?php

 function clean_string($input) {

  /**
   * Character to escape...
   *    \x0     \n      \r      \       '       "       \x1a
  **/

  $patterns = array( "\x0",   "\n", "\r", "\\",   "'",    "\"",  "\x1a");
  $replace = array(  '\\\x0', '\n', '\r', '\\\\', '\\\'', '\\"', '\\\x1a');
  return str_replace($patterns, $replace, $input);
 }

 ?>


I think that I would rather trust the built-in functions. I don't need
to do anything smart and get attacked. Anybody else have an opinion
on this?


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
 Your only option might be to do something smart. You can't use the proper 
 mysql functions without a connection to a
 database, but you refuse to connect to a database until after you perform 
 validation...


More accurate to say that the file in which the function is stored
does not know if there is a connection or not. I would make such a
connection if I knew that none exist, but I do not want to interfere
with a possibly existing connection.


 You do realise you can have several db connections open at one time, so you 
 could have one always open for the
 purpose of validation? Potentially wasteful, but the architecture in this 
 idea is a little different from the norm.


Very wasteful indeed, I cannot be so irresponsible with this server.


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
 Yes, the mysql_real_escape_string() function uses the databases character 
 encoding to determine how to encode the
 string, whereas the older deprecated version mysql_escape_string() required 
 no connection as it always assumed
 Latin-1 (as far as I know)

Is there such a function that always assumes UTF-8? That's what it
always will be.


 The data itself only needs to be sanitised just prior to being inserted into 
 the DB anyway, it
 shouldn't be used to validate data in any way, there are functions 
 specifically for that. To me, it just seems that the logic
 of the script is flawed if you require the data to be sanitised before a 
 connection has been made to the DB.


I am not requiring the data to be sanitised before a connection has
been made to the DB. The function that calls
mysql_real_escape_string() is in an include file of commonly-reused
functions. Scripts that connect to databases and scripts that do not
connect to databases include this file.

To clarify, the include file contains these functions:
function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all of the  functions are used in all scripts, however, this file
of reusable functions is included in all of them. Only the clean_mysql
function gives me trouble because it calls mysql_real_escape_string().

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

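A version of the include file's clean_mysql() and clean_html() helpers that does not depend on an implicit global connection, as an added example that is not code from the thread. The connection is a parameter: scripts that never connect never call the function, scripts with several connections pass the one the query will run on, and the escaping follows that connection's actual charset, which is the reason the function needs a link in the first place. The mysql_* extension the thread discusses was removed in PHP 7, so this uses mysqli; the credentials and the sample inputs are assumptions. The UTF-8 check addresses the concern raised earlier in the thread about a POST that is not really UTF-8.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: escaping helpers that take the
// connection explicitly instead of relying on a global link. Credentials and
// sample inputs are assumptions.

// Open a connection with a pinned charset. Escaping is only correct for the
// charset the connection actually uses.
function db_connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app');
    $db->set_charset('utf8mb4');
    return $db;
}

// Escape a value for use inside a single-quoted SQL string literal on $db.
function clean_mysql(mysqli $db, string $dirty): string
{
    // Reject malformed UTF-8 instead of trusting the client's declared
    // encoding; real_escape_string() assumes well-formed input.
    if (!mb_check_encoding($dirty, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $db->real_escape_string($dirty);
}

function clean_html(string $dirty): string
{
    return htmlspecialchars($dirty, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: one with every character the escaper must handle, and an
// overlong byte sequence that is not valid UTF-8.
$good = "O'Reilly \"quoted\" back\\slash NUL\x00end";
$bad  = "\xC0\xAF";

$db = db_connect();
$sql = "INSERT INTO names (name) VALUES ('" . clean_mysql($db, $good) . "')";
echo $sql, "\n";   // the quotes, backslash and NUL come out escaped

try {
    clean_mysql($db, $bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The same insert as a prepared statement needs no clean_mysql() at all,
// because the value never becomes part of the SQL text.
$stmt = $db->prepare('INSERT INTO names (name) VALUES (?)');
$stmt->bind_param('s', $good);
$stmt->execute();

echo clean_html($good), "\n";
```

The last three lines are the shortcut the thread was looking for: with a prepared statement there is nothing to sanitise before the connection exists, so the question of which connection to escape for disappears.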



Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
 No, and you clearly missed the point about that function being pretty much 
 dead anyway.


I understand that mysql_escape_string() is deprecated. Asking about
other similar functions does not seem out of line.


 You mentioned also in your last email that you would make a DB connection if 
 none existed. That should be very easy
 if you read the page on mysql_real_escape_string()

 It says:

 Returns the escaped string, or FALSE on error.

 So all you have to do, is have warnings turned off (as it generates an 
 E_WARNING if you have no active connection) and then look at the return value 
 of a call to the function:

 if(mysql_real_escape_string($variable) === false)
 {
     // create a default DB connection
 }


Here, the key seems to be to turn the warning level down, which I do
not have privileges to do on this server. But it fact this seems to be
the key that I was missing, and even though I cannot make use of it at
least I know in general what needs to be done.

Thanks.


--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
2009/10/20 Andrea Giammarchi an_...@hotmail.com:
 even better

 $error_reporting = error_reporting(0);
 if(mysql_real_escape_string($variable) === false)
 {
     error_reporting($error_reporting);

     // create a default DB connection

 } else
     error_reporting($error_reporting);
 unset($error_reporting);


Thanks, I will try that this evening. I may not have permissions for
that, but we'll see.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
   If you're sure that all your data is UTF-8, and that
 all user-supplied data is *actually valid* UTF-8 (and
 not deliberately or accidentally malformed), then
 mysql_escape_string() should be just fine [1].


I cannot ensure that the users will not be malicious, even if it is
all internal users.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-20 Thread Dotan Cohen
 if(@mysql_real_escape_string($variable) === false)


Perfect! The @ symbol suppresses the error and I can structure the
code according to whether or not there is a connection.

Thank you!

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-19 Thread Dotan Cohen
2009/10/19 Kim Madsen php@emax.dk:
 Dotan Cohen wrote on 2009-10-18 21:21:

 I thought that one could not test if a database connection is
 established or not, this is the most relevant thing that I found while
 googling that:
 http://bugs.php.net/bug.php?id=29645

 from http://www.php.net/manual/en/function.mysql-connect.php

 $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
 if (!$link) {
    die('Could not connect: ' . mysql_error());
 }

 So just test if $link is available


I need to know if there is _any_ connection available, not a specific
connection. In one script it may be $link but in another $connection.


 All the connections are to MySQL databases, but to _different_ MySQL
 databases on the same host.

 Wouldn't this solve your problem?

 $link1 = mysql_connect('localhost', 'mysql_user1', 'mysql_password');
 $link2 = mysql_connect('localhost', 'mysql_user2', 'mysql_password');

 if($link1) {
 etc...

 or I would say that your different scripts should require different db
 connection files.


Of course they connect differently, each to a different database (all
on localhost).


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-18 Thread Dotan Cohen
 I assumed the reason you wanted to do escape the string so that you could 
 perform DB operations.

Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a different database or may not connect to a database
at all, so I cannot rely on there existing a database connection. The
workaround would be to include this particular function in a separate
include file to only be included when a database connection is
present, but I would like to find a better way as I find it most
maintainable to have all my reused functions in a single file.

To give you an idea, the file contains these functions:
function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all functions are used in all pages, however, this file of
reusable functions is included in all of them. Only the clean_mysql
function gives me trouble because I cannot ensure a database
connection.

 In your select/insert/update class(es)/function(s), you could just use 
prepare statement and bind param.  Thus, no need
 to escape the string to protect against injection.  It's also faster if by 
 chance you're doing several updates/inserts due
 to the nature of prepare statement.  You could use a call back function in 
 case you have a varying size array of
 parameters, making your code more adaptable and somewhat smaller.  I 
 generally prefer using prepare statement +
 bind param over escape string + query for speed and flexibility.

 http://www.php.net/manual/en/mysqli.prepare.php
 http://www.php.net/manual/en/mysqli-stmt.bind-param.php

 have good examples.


Thanks. Going through those pages, I see that it is not what I need.
It is good to know, though.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-18 Thread Dotan Cohen
 test if you have a db connection in the function, if not, skip MRES and
 other mysql_ functions?


I thought that one could not test whether a database connection is
established or not; this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645

 In my opinion it's bad code to use a mysql_* function on a Oracle db (and
 vice versa) or on a string for that matter. It lies in the naming of the
 function what it's designed to do and work on. If you want a general
 function to sanitize an input, make your own function sanitize_input() based
 on ereg_* and/or str_replace and the likes.


All the connections are to MySQL databases, but to _different_ MySQL
databases on the same host.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

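An added example, not code from this thread, covering the two points raised in the "Sanitizing potential MySQL strings" replies above: clean_mysql takes the mysqli connection as an explicit argument (the escaping rules depend on the connection's character set, so there is no correct connection-less version, and scripts that never connect simply never call it), and a run_prepared helper implements the prepared-statement-plus-bind_param approach with a variable-size parameter array, so user data never enters the SQL text at all. The helper name run_prepared, the credentials, the table and the column names are assumed placeholders.

```php
<?php
// Added example (not from the thread). Assumes the mysqli extension built
// with mysqlnd (for get_result) and PHP >= 5.6 for argument unpacking.

// Escape a value for use inside a quoted SQL literal. The connection is an
// explicit parameter because the escaping rules depend on the connection's
// character set; a shared include file can define this for every script,
// and only scripts that actually hold a connection will ever call it.
function clean_mysql(mysqli $link, $dirty)
{
    return $link->real_escape_string($dirty);
}

// Prepared statement with a variable-size parameter array. User data travels
// as bound parameters, never inside the SQL text, so no escaping is needed.
// $types holds one mysqli type character per parameter (s, i, d, b).
function run_prepared(mysqli $link, $sql, $types, array $params)
{
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    if ($params !== []) {
        // bind_param takes references; unpacking an array supplies them
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $result = $stmt->get_result();            // false for INSERT/UPDATE/DELETE
    $out = $result ? $result->fetch_all(MYSQLI_ASSOC) : $stmt->affected_rows;
    $stmt->close();
    return $out;
}

// Usage with placeholder credentials and a placeholder table.
$link = new mysqli('localhost', 'db_user', 'db_pass', 'db_one');
$link->set_charset('utf8mb4');  // keeps real_escape_string in step with the connection

// The same user-controlled value used two ways: escaped into a literal
// (works, but the connection must be passed in) or bound as a parameter
// (preferred: nothing in $name can change the shape of the query).
$name = isset($_GET['name']) ? $_GET['name'] : '';
$sql  = "SELECT id FROM users WHERE name = '" . clean_mysql($link, $name) . "'";
$rows = run_prepared($link, 'SELECT id FROM users WHERE name = ? AND status = ?',
                     'si', [$name, 1]);
```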



Re: [PHP] How to pronounce PHP code over the phone?

2009-10-17 Thread Dotan Cohen
 As for following a convention, just
 get the PHP terminology right,

That is what I was hoping to learn!

 or at least agree on your own
 bastardized terminology.


Because this may cause problems in the future.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 Wow! Here goes:

 Open-bracket, dollar item hyphen greater-than, get service id, no all one word 
 but with a capital S and I. Open and close brackets, question mark, dollar 
 item again, then a hyphen and greater-than, that get service id and brackets 
 bit again, exactly the same as last time; yes, capital S and I again. Colon, 
 no the colon is the one with two dots, not dot and comma. Dollar item again, 
 then hyphen, greater-than, get id, with a capital I. Nope, no service bit this 
 time. Now, open bracket and two closing brackets (I assumed the final two on 
 your example were typos?!). now a semi-colon, yes the one with the comma.

 That's pretty much how I could foresee me telling someone this on the phone, 
 but to be honest, I'd really prefer an email ;)


So it really involves mentioning each character. I was hoping that
there would be a shared language for constructs such as -> and the
like.

Thanks.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 open parenthesis
 $item getServiceId
 question symbol
 $item getServiceId
 colon
 $item getId
 close parenthesis



How would you mention the -> constructs? Certainly they are not assumed?


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 First ask him/her for an email address, and then while you are over the
 phone send the text by email.
 This way the other can *instantaneously* read and both of you can talk about
 the code.


That is how it is usually done. But we have found ourselves twice in
the position where one had to talk over the phone when a computer or
other internet-enabled device was not accessible. Therefore, we would
prefer to formulate a shared language now for use in such situations.

Surely when coding, people say what they are typing in their heads.
I do, but not in English.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 There are, what you'd call, technical jargon for them.
 However, it'd pretty obviously depend on the extent of knowledge of the
 person on other side of phone line. If she understands PHP objects,
 difference between OOP in PHP4 & PHP5, and ternary operator, things would be
 fairly simple.


Yes, the other end of the phone is an experienced PHP developer.


 In any case, Ashley's nailed the foolproof technique for sure :)

But I am the fool to prove it! No internet access!

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 Ok, but really, I would say something along these lines:


 Open Conditional statement

 Test Condition
        Using object variable item call object member method get service id

 if condition results are true issue following command
        Using object variable item call object member method get service id

 if condition results are false issue following command
        Using object variable item call object member method get id



Thanks, that is probably best. Leave the code to the coder, but
transmit the intention.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 It depends... is the person familiar with PHP or not? If they are not then
 the process is more cumbersome since I can't say things like variable item
 calling camel-case method getServiceId without parameters.


Yes, I should have mentioned that the other party is an experienced
PHP developer.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 Have you thought about using instant messaging?  How about sending the code
 to him via text message?  Putting it on a pastie or on code pad? IRC, sFTP,
 SSH, you see, in the 21st century, there exists a plethora of solutions to
 circumvent this particular issue.

 I would be interested in finding out how the OP ended up having absolutely
 no option but to pass code to another Homo Sapien verbally?  Unless you
 managed to cripple your system and disconnect your company from the
 internet, surely, it would have been faster (and easier) using the methods
 above rather than trying to spell it out over the phone.


It's called vacation away from the 'net but there is an emergency.
I'm certain that a fair portion of the list is familiar with that!


 In any case, I would say:

 Call the getServiceId method of the $item object and make that the
 condition of a ternary operator, if true, call the method again, otherwise
 call the getId method of the $item object


Thanks!


 I'm guessing the reason you were on the phone to him/her was because your
 parentheses don't match ... but that's a different story I guess.


That actually sounds like a subplot of a good movie.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] How to pronounce PHP code over the phone?

2009-10-16 Thread Dotan Cohen
 If they can reach you by phone you are not on vacation. You are still 
 attached to their leash.


And they still throw me bones :) It's worth it!

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il



