php-general Digest 22 Apr 2008 07:28:49 -0000 Issue 5418
Topics (messages 273369 through 273385):
Re: Security Concern?
273369 by: Jason Pruim
Re: Denver PHP opportunity - Senior Software Engineers
273370 by: Richard Heyes
273373 by: Jason Pruim
273374 by: Daniel Brown
273375 by: Robert Cummings
273376 by: Nathan Nobbe
273377 by: Robert Cummings
273380 by: Manuel Lemos
273382 by: Nathan Nobbe
Re: Cannot modify header information - headers already sentby ...
273371 by: M. Sokolewicz
273372 by: M. Sokolewicz
Re: Alter Table newbie help needed ...
273378 by: revDAVE
273379 by: revDAVE
Re: Alter Table newbie help needed ...
273381 by: Jason Norwood-Young
Humour in Hotmail :OT
273383 by: Bastien Koert
php, ajax and international application
273384 by: Alain Roger
273385 by: Robert Cummings
----------------------------------------------------------------------
--- Begin Message ---
On Apr 21, 2008, at 11:49 AM, Philip Thompson wrote:
> On Apr 21, 2008, at 8:03 AM, Jason Pruim wrote:
>> Hi Everyone,
>> Last week you all helped me with the code to pull the database
>> field names directly from the database rather than being hardcoded
>> by me. Now I got to thinking that I have exposed my database
>> layout to anyone who can log in and see it. Is that a security
>> issue? I've heard that if an attacker has the field names of a
>> database, it makes it easier for them to try and inject code into
>> it. All my queries to the database are done through prepared
>> statements, and mysqli_real_escape_string. So I've taken care of at
>> least part of it.
>> I'm thinking that since you have to log into the website to see the
>> field names, it's okay as long as I trust and monitor my users. But
>> I thought I would pose the question to people who are A LOT more
>> knowledgeable than me :)
>> Any comments are welcome, if you want to see source let me know and
>> I can shoot you an e-mail off list (Don't really want to expose my
>> code to all the archives just yet :))
> As long as you're taking the necessary measures to ensure that your
> database is not breakable/hackable, then us knowing your schema
> shouldn't be an issue. I'd bet that one could guess part (or all?)
> of many people's database schemas b/c they're so generic - and it
> doesn't really matter to obfuscate them. I don't think it's as
> important to create obscure database schemas as it is to protect how
> you interact with it.
> However, just make sure of the following, and you should be good:
> • Use mysql?_real_escape_string as you mentioned
> • Use `backticks` around ALL your table and field names:
> <?php
> $user_id = mysql_real_escape_string($_GET['user_id']);
> $sql = "SELECT `first_name`, `last_name` FROM `user` WHERE (`user_id` = '$user_id')";
> ?>
> With those simple precautions, you should be well-protected.
Hey Philip,
Thanks for the response, I'll have to double check if I have the back
ticks around my field names...
And to complete the archives, I was recommended a couple of books by
Chris Shiflett. Here's the link for anyone who is interested: http://shiflett.org/books
Thanks again for the response!
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
[EMAIL PROTECTED]
--- End Message ---
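An added example (not code from the thread) of the point Philip and Jason converge on: a known schema is harmless as long as user data never becomes part of the SQL text. Values are bound through a prepared statement; identifiers such as a caller-chosen ORDER BY column cannot be bound, so they are accepted only if the database itself lists them (Jason's approach of reading field names from the database) and then backtick-quoted. It assumes a MySQL database "test" with a `user` table holding user_id, first_name and last_name; the connection details are placeholders.

```php
<?php
// Added example (not code from the thread): the schema being known is harmless as
// long as user data never becomes part of the SQL text. Values are bound through
// a prepared statement; identifiers (column names) cannot be bound, so a
// caller-chosen column is accepted only if the database itself lists it, then
// wrapped in backticks as Philip suggests. Assumed: a MySQL database "test"
// with a `user` table holding user_id, first_name, last_name (placeholders).

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'test', 'test', 'test');

/** Column names of $table as reported by the server (Jason's approach). */
function table_columns(mysqli $db, string $table): array
{
    $stmt = $db->prepare(
        'SELECT COLUMN_NAME FROM information_schema.COLUMNS
          WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ?'
    );
    $stmt->bind_param('s', $table);
    $stmt->execute();
    return array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'COLUMN_NAME');
}

/** List users with a given first name, sorted by a column the request names. */
function list_users(mysqli $db, string $first_name, string $order_by): array
{
    // Identifier: whitelist against the live schema, then quote. Anything that
    // is not exactly one of the real column names is refused before any SQL runs.
    if (!in_array($order_by, table_columns($db, 'user'), true)) {
        throw new InvalidArgumentException("unknown column: $order_by");
    }
    $col = '`' . str_replace('`', '``', $order_by) . '`';

    // Value: bound as a parameter, so quotes in $first_name stay plain data.
    $stmt = $db->prepare(
        "SELECT `user_id`, `first_name`, `last_name` FROM `user` WHERE `first_name` = ? ORDER BY $col"
    );
    $stmt->bind_param('s', $first_name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed request values standing in for $_GET. The apostrophe in the name
// is just data; the second call is refused because "`last_name`" (with the
// backticks included) is not a column name the server reported.
var_dump(list_users($db, "D'Arcy", 'last_name'));
try {
    list_users($db, 'Jason', '`last_name`');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```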
--- Begin Message ---
> The commute would be a killer, Richard. LOL.
I think you're right. A 60 mile commute caused me to quit a job, so
several thousand miles sounds excessive... :-)
--
Richard Heyes
+----------------------------------------+
| Access SSH with a Windows mapped drive |
| http://www.phpguru.org/sftpdrive |
+----------------------------------------+
--- End Message ---
--- Begin Message ---
On Apr 21, 2008, at 2:57 PM, Richard Heyes wrote:
>> The commute would be a killer, Richard. LOL.
> I think you're right. A 60 mile commute caused me to quit a job, so
> several thousand miles sounds excessive... :-)
Depends on the pay.... I'm looking at a job that's a 30 minute drive
away... But it doubles my salary ;)
Just think about the frequent flyer miles you'd get! Vacation anywhere
you want in the world! :)
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
[EMAIL PROTECTED]
--- End Message ---
--- Begin Message ---
On Mon, Apr 21, 2008 at 3:01 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
>
> Just think about the frequent flyer miles you'd get! Vacation anywhere you
> want in the world! :)
Like you'd want to fly to a vacation spot after two 10 hour, 15
minute flights per day, five days per week. ;-P
--
</Daniel P. Brown>
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just
$59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.
--- End Message ---
--- Begin Message ---
On Mon, 2008-04-21 at 15:20 -0400, Daniel Brown wrote:
> On Mon, Apr 21, 2008 at 3:01 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
> >
> > Just think about the frequent flyer miles you'd get! Vacation anywhere you
> > want in the world! :)
>
> Like you'd want to fly to a vacation spot after two 10 hour, 15
> minute flights per day, five days per week. ;-P
Wow, you guys really don't know the shortest path to work. I don't think
I'd hire you. Everyone knows the quickest way is:
ssh [EMAIL PROTECTED]
Sometimes though you need to make do with public transport:
ftp [EMAIL PROTECTED]
Now if they'd only offer frequent typer miles.
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
--- End Message ---
--- Begin Message ---
On Mon, Apr 21, 2008 at 1:48 PM, Robert Cummings <[EMAIL PROTECTED]>
wrote:
> On Mon, 2008-04-21 at 15:20 -0400, Daniel Brown wrote:
> > On Mon, Apr 21, 2008 at 3:01 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
> > >
> > > Just think about the frequent flyer miles you'd get! Vacation
> anywhere you
> > > want in the world! :)
> >
> > Like you'd want to fly to a vacation spot after two 10 hour, 15
> > minute flights per day, five days per week. ;-P
>
> Wow, you guys really don't know the shortest path to work. I don't think
> I'd hire you. Everyone knows the quickest way is:
>
> ssh [EMAIL PROTECTED]
>
> Sometimes though you need to make do with public transport:
>
> ftp [EMAIL PROTECTED]
>
> Now if they'd only offer frequent typer miles.
i think they have it setup where you accrue miles per bandwidth consumption
if u work from home :D but seriously, my commute here in denver is only 2
blocks; im enjoying it ;) i know youve got me beat working in the basement
or w/e rob, but ill take a little fresh air when i can get it :)
-nathan
--- End Message ---
--- Begin Message ---
On Mon, 2008-04-21 at 14:16 -0600, Nathan Nobbe wrote:
> On Mon, Apr 21, 2008 at 1:48 PM, Robert Cummings <[EMAIL PROTECTED]>
> wrote:
>
> > On Mon, 2008-04-21 at 15:20 -0400, Daniel Brown wrote:
> > > On Mon, Apr 21, 2008 at 3:01 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Just think about the frequent flyer miles you'd get! Vacation
> > anywhere you
> > > > want in the world! :)
> > >
> > > Like you'd want to fly to a vacation spot after two 10 hour, 15
> > > minute flights per day, five days per week. ;-P
> >
> > Wow, you guys really don't know the shortest path to work. I don't think
> > I'd hire you. Everyone knows the quickest way is:
> >
> > ssh [EMAIL PROTECTED]
> >
> > Sometimes though you need to make do with public transport:
> >
> > ftp [EMAIL PROTECTED]
> >
> > Now if they'd only offer frequent typer miles.
>
>
> i think they have it setup where you accrue miles per bandwidth consumption
> if u work from home :D but seriously, my commute here in denver is only 2
> blocks; im enjoying it ;) i know youve got me beat working in the basement
> or w/e rob, but ill take a little fresh air when i can get it :)
Hey! I've got a rubber tube that extends to the outside so I can get the
occasional breath of fresh air. I just wish spiders would stop making
nests in it. *makes sound like cat expunging furball*.
But seriously, with a 2 year old and a 4 year old, I get plenty of fresh
air at the park :)
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
--- End Message ---
--- Begin Message ---
Hello,
You may want to take a look here and find qualified PHP developers near
your region. You may even search for developers that have relevant skills.
http://www.phpclasses.org/professionals/country/us/
--
Regards,
Manuel Lemos
PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/
PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
--- End Message ---
--- Begin Message ---
On Mon, Apr 21, 2008 at 3:59 PM, Manuel Lemos <[EMAIL PROTECTED]> wrote:
> Hello,
>
> You may want to take a look here and find qualified PHP developers near
> your region. You may even search for developers that have relevant skills.
>
> http://www.phpclasses.org/professionals/country/us/
the zend yellow pages are decent too; here colorado;
http://www.zend.com/store/education/certification/yellow-pages.php?cid=1&sid=CO&submit=search&orderby=ID&form_name=Zend_VUE_Search_Form
-nathan
--- End Message ---
--- Begin Message ---
Jim Lucas wrote:
> Waynn Lue wrote:
>> Actually, I think I fixed it by moving the style sheets below the
>> instantiation of the facebook client, where I *think* set_user was
>> being called. I'm still curious if it's possible to get stack trace
>> information on errors, though. :)
> You are probably looking for something like this.
> http://us2.php.net/manual/en/function.debug-backtrace.php
XDebug is a lot prettier here since it adds them _implicitly_ (assuming
you've configured it correctly).
url: http://www.xdebug.org/ (it's an extension written by Derick, one of
PHP's main devs)
- Tul
--- End Message ---
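An added example (not from the thread) of the debug_backtrace() route Jim points at: an error handler that appends the call stack to every warning, plus an explicit headers_sent() check before header() so the log names the function that first produced output rather than just the header() call site. It assumes a web SAPI (php-cgi or a server); the CLI discards headers and never reports them as sent, so the check would not fire there. Function and header names are constructed for the example.

```php
<?php
// Added example (not from the thread): an error handler that appends the call
// stack from debug_backtrace() to every warning, plus an explicit headers_sent()
// check before header(). The log then names the function that first produced
// output, not just the header() call site. Assumed: run under a web SAPI; the
// CLI discards headers and never reports them as sent.

declare(strict_types=1);

function trace_errors(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Frame 0 is this handler; the rest is the path that led to the warning.
    $frames = array_slice(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS), 1);
    $lines = ["$errstr in $errfile:$errline"];
    foreach ($frames as $i => $f) {
        $call  = ($f['class'] ?? '') . ($f['type'] ?? '') . $f['function'];
        $where = isset($f['file']) ? "{$f['file']}:{$f['line']}" : '[internal]';
        $lines[] = sprintf('  #%d %s() called at %s', $i, $call, $where);
    }
    error_log(implode("\n", $lines));
    return true; // handled; PHP does not also print it into the page
}
set_error_handler('trace_errors', E_WARNING | E_NOTICE | E_USER_WARNING);

/** Send a header, or report exactly where output began if it is too late. */
function send_header(string $header): bool
{
    if (headers_sent($file, $line)) {
        trigger_error("cannot send '$header': output started at $file:$line", E_USER_WARNING);
        return false;
    }
    header($header);
    return true;
}

// Constructed reproduction of the thread's situation: a stylesheet include
// emits output, and a client object initialised afterwards tries to set a header.
function render_stylesheets(): void
{
    echo "<link rel=\"stylesheet\" href=\"style.css\">\n";
}
function set_user(string $name): void
{
    send_header('X-App-User: ' . $name);
}
render_stylesheets();
set_user('waynn'); // logged: the warning plus frames through set_user() and send_header()
```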
--- Begin Message ---
Jason & David,
Thanks so much for your help....
BTW: to reiterate the problem: I guess it was not knowing to use the 'try1'
connection ( try1.ztest) - and used 'connect2' connection instead...
Error said : Table 'connect2.ztest' doesn't exist
(connect2 was some other one I set up for something else)
Q: Is there a way to ensure that it uses the right connection ( try1 - not
connect2 )?
----------
On 4/20/2008 1:41 PM, "Jason Norwood-Young" <[EMAIL PROTECTED]>
wrote:
> revDave - can we see a bit more of the code in one block and not broken
> up? Makes it a bit easier to see what you're doing.
Will do - check below...
On 4/20/2008 11:08 AM, "David Giragosian" <[EMAIL PROTECTED]> wrote:
> Is try1 the name of a database? The SQL syntax is
> databasename.tablename.fieldname.
Hmmm - looking below, maybe this is the DB name?
$database_try1
As you see below - I tried this, but it gave me errors
$result = mysql_query($sql,***$database_try1*** )
This also failed...
$sql = 'ALTER TABLE `test.ztest` ADD `new4` VARCHAR(50) NOT NULL;';
$result = mysql_query($sql)
>
> When you issue a query using mysql_query() you can explicitly indicate the
> connection (returned by mysql_connect()) to use as the second parameter, e.g.,
> mysql_query($sql_Statement, $returnedConnectionObject);
>
> HTH,
>
> David
Here's the orig post with some mods:
Connection called 'try1'...
<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_try1 = "127.0.0.1:8889";
$database_try1 = "test";
$username_try1 = "test";
$password_try1 = "test";
$try1 = mysql_pconnect($hostname_try1, $username_try1, $password_try1) or
trigger_error(mysql_error(),E_USER_ERROR);
?>
=========
<?php
$sql = 'ALTER TABLE `ztest` ADD `newfield3` VARCHAR(50) NOT NULL;';
$result = mysql_query($sql) or die("no good dB $sql" . mysql_error());
?>
maybe it needs something like:?
$result = mysql_query($sql,***$database_try1*** ) - hmmm?
I get errors like this: Warning: mysql_query(): supplied argument is not a
valid MySQL-Link resource
--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists]
--- End Message ---
--- Begin Message ---
On 4/21/2008 2:04 PM, "revDAVE" <[EMAIL PROTECTED]> wrote:
> Q: Is there a way to ensure that it uses the right connection ( try1 - not
> connect2 )?
- seems to be ok now with this new db selector line...
mysql_select_db($database_try1, $try1); // this new line
New ...
<?php
$sql = 'ALTER TABLE `ztest` ADD `newfield3` VARCHAR(50) NOT NULL;';
mysql_select_db($database_try1, $try1);
$result = mysql_query($sql) or die("no good dB $sql" . mysql_error());
?>
Old - no
<?php
$sql = 'ALTER TABLE `ztest` ADD `newfield3` VARCHAR(50) NOT NULL;';
$result = mysql_query($sql) or die("no good dB $sql" . mysql_error());
?>
--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists]
--- End Message ---
--- Begin Message ---
Darn forgot to hit "reply to all"
-------- Forwarded Message --------
From: Jason Norwood-Young <[EMAIL PROTECTED]>
To: revDAVE <[EMAIL PROTECTED]>
Subject: Re: [PHP] Alter Table newbie help needed ...
Date: Mon, 21 Apr 2008 23:52:30 +0200
On Mon, 2008-04-21 at 14:04 -0700, revDAVE wrote:
> Jason & David,
>
> Thanks so much for your help....
>
> BTW: to reiterate the problem: I guess it was not knowing to use the 'try1'
> connection ( try1.ztest) - and used 'connect2' connection instead...
>
> Error said : Table 'connect2.ztest' doesn't exist
> (connect2 was some other one I set up for something else)
>
> Q: Is there a way to ensure that it uses the right connection ( try1 - not
> connect2 )?
Hi revDAVE
You'll simplify your life dramatically by using one database and one
connection per application. If you're not going to do that, you can make
sure the table is there in PHP with something like:
function check_table_exists($tablename) {
    // Quote and escape the name: SHOW TABLES LIKE expects a string literal,
    // and a bare $tablename would be parsed as SQL instead.
    $pattern = mysql_real_escape_string($tablename);
    $sqlresult = mysql_query("SHOW TABLES LIKE '$pattern'");
    if ($sqlresult && mysql_num_rows($sqlresult) == 1) {
        return true;
    }
    return false;
}
J
--- End Message ---
--- Begin Message ---
Guys,
I switched to gmail since I was having so many issues getting my emails thru
the spam filter thanks to M$ adding ads to the bottom of the message. To
make it even better, the unsubscribe confirmation email is also being
rejected due to spammy urls in the message.
Anyway, this should work out much better,
Thanks,
--
Bastien
Cat, the other other white meat
--- End Message ---
--- Begin Message ---
Hi,
Till now, I'm used to having a PHP file (for each language) to store all text
labels for my international application.
I tried with Ajax to improve it but it seems not as flexible as it promised.
My purpose was to limit the transferred data and especially to not load the
server too much with unimportant calculation such as localization of the
application.
Therefore, I would like to know what you do to have an international
application?
1. Do you use JSON: 1 JavaScript file for each language and for each
module. Code is not secured and everybody can read it.
2. Do you use PHP like I wrote above.
3. You use another method.
I would be glad to hear from you the pros and cons of your experiences.
thx.
--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.2.4 / MS SQL server 2005
Apache 2.2.4
PHP 5.2.4
C# 2005-2008
--- End Message ---
--- Begin Message ---
On Tue, 2008-04-22 at 07:55 +0200, Alain Roger wrote:
> Hi,
>
> Till now, I'm used to having a PHP file (for each language) to store all text
> labels for my international application.
> I tried with Ajax to improve it but it seems not as flexible as it promised.
> My purpose was to limit the transferred data and especially to not load the
> server too much with unimportant calculation such as localization of the
> application.
>
> Therefore, I would like to know what you do to have an international
> application?
> 1. Do you use JSON: 1 JavaScript file for each language and for each
> module. Code is not secured and everybody can read it.
Usually you use one "language" JavaScript file for each language. And
the JavaScript code itself is language neutral.
> 2. Do you use PHP like I wrote above.
PHP would also use the language file. You could put all your language
stuff in a PHP file and have a script that can convert it to a
JavaScript loadable file. That way your maintenance occurs in one
location, but you can benefit from having the JS pre-created.
> 3. You use another method.
>
> I would be glad to hear from you the pros and cons of your experiences.
I've not done a lot with JavaScript and multilingualism. At least not in
a way that was overly important. With respect to content, I do use
separate content files. My InterJinn framework when it builds the pages
from the templates will grab template lang/X and fall back on template X
if the language specific version doesn't exist. This is automatic when
multilingual is enabled for a project. Then it's just a case of having
language strings defined for stuff like forms and error messages. Here's
a site I recently launched:
http://www.expertpanel.ca
The mapping of links to language specific content is all done at compile
time. The only run-time feature of the site is the random banner image
at the top and any forms. If *I* was to have a need for JavaScript like
you mention, I would build the language files from a PHP master file
automatically when building the site.
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
--- End Message ---
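An added example, not from the thread and not InterJinn code, of the build step Rob suggests: one PHP master table per language, converted into a JavaScript loadable file so maintenance happens in one place. The label arrays stand in for the master files and the output directory is assumed; the JSON_HEX_* flags are there so a label containing markup cannot terminate an inline script block if the file is ever embedded in a page.

```php
<?php
// Added example, not from the thread or from InterJinn: Rob's suggestion of one
// PHP master file per language that a build step turns into a JavaScript
// loadable file, so the labels are maintained in one place. The arrays below
// stand in for the master files and the output directory is assumed.

declare(strict_types=1);

// Master tables (in practice: $labels = require "lang/$code.php").
$languages = [
    'en' => ['greeting' => 'Hello', 'logout' => 'Log out',
             'errors.required' => 'This field is required'],
    'fr' => ['greeting' => 'Bonjour', 'logout' => 'Se déconnecter',
             'errors.required' => 'Ce champ est <b>obligatoire</b>'],
];

/**
 * Render one language table as JavaScript. The JSON_HEX_* flags escape < > & and
 * quotes, so a label holding markup cannot terminate an inline <script> block;
 * JSON_UNESCAPED_UNICODE keeps accented text readable in the generated file.
 */
function build_lang_js(string $code, array $labels): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR;
    // Freeze the table so page scripts cannot silently overwrite labels.
    return 'window.LANG = Object.freeze(' . json_encode($labels, $flags) . ");\n"
         . 'window.LANG_CODE = ' . json_encode($code, $flags) . ";\n";
}

/** Write lang.<code>.js for every language; returns the paths written. */
function build_all(array $languages, string $outdir): array
{
    $written = [];
    foreach ($languages as $code => $labels) {
        // The code becomes part of a file name: accept only plain language tags.
        if (!preg_match('/^[a-z]{2}(-[A-Z]{2})?$/', $code)) {
            throw new InvalidArgumentException("bad language code: $code");
        }
        $path = "$outdir/lang.$code.js";
        file_put_contents($path, build_lang_js($code, $labels));
        $written[] = $path;
    }
    return $written;
}

$outdir = sys_get_temp_dir() . '/lang-js';
if (!is_dir($outdir)) {
    mkdir($outdir);
}
foreach (build_all($languages, $outdir) as $path) {
    echo $path, "\n", file_get_contents($path);
}
```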