php-general Digest 22 Mar 2009 14:18:00 -0000 Issue 6026

Topics (messages 290517 through 290531):

Re: mysql_real_escape_string paranoid enough?
        290517 by: Virgilio Quilario
        290519 by: mike

Re: need help with code
        290518 by: Virgilio Quilario

Re: how to make multiple sql run faster
        290520 by: Virgilio Quilario
        290528 by: Davi Vidal

Re: Web Development/Application Analysis
        290521 by: OOzy Pal
        290526 by: Stuart
        290527 by: abdulazeez alugo
        290529 by: tedd
        290531 by: Daniel Brown

DOMElement - attributes and namespace
        290522 by: Michael A. Peters
        290523 by: Michael A. Peters
        290525 by: Michael A. Peters
        290530 by: Michael A. Peters

Re: Select Query with Multiple Optional Values
        290524 by: Robert Cummings

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
> I typically do something like this:
>
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> My custom error handler logs the mysql error, and displays a nice
> generic "Something went wrong. Please try again or contact us" message
> to the user, wrapped in the page layout, and then exits.
>
> I've just noticed that while the function signature says:
> string mysql_real_escape_string( ...)
>
> The docs say it could return FALSE in case of error.
>
> I'm not real sure what all could cause a FALSE return.
>
> Obviously, if the database server/process/chipmunk has DIED just
> before the call to mysql_real_escape_string, I'll get FALSE back.
>
> If the input string is just too whack for the function to parse, could
> I get FALSE, and then I'd be inserting junk into the DB?
>
> Or is it possible that the function returns FALSE for what is
> obviously a hack attempt?
>
> I guess I'm asking if anybody adds a line like:
>
> if ($data_sql === false){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> Or is that not really going to do anything useful/better than what I
> already have?

Yes, you could add that condition, and it would be helpful if you also
include the value of $data in addition to mysql_error so you can
examine it and figure out what caused it to return FALSE.

also, php manual says this:
mysql_query() will also fail and return FALSE if the user does not
have permission to access the table(s) referenced by the query.

Virgil
http://www.jampmark.com
Free tips, tutorials, innovative tools and techniques useful for
building and improving web sites.

--- End Message ---
--- Begin Message ---
2009/3/21 Robert Cummings <rob...@interjinn.com>:

> Yes, I'm a big fan of automatic database connection identifiers. Why
> just the other week I was integrating ZenCart into another system and I
> couldn't understand why ZenCart wasn't able to properly retrieve the
> last_insert_id(). After digging through the code I found it was because
> they were making use of magic identifier semantics and since another db
> connection also existed, it was being used for the last_insert_id().
> Wonderful stuff. If you have a nifty little database layer, then it
> shouldn't need magic semantics since it should track the connection
> itself.

What probably makes the most sense, instead of relying on
mysqli_real_escape_string, is to create a simple Unicode-capable regex
that does the database escaping for you. Then it is totally portable.

That is what is sticking in the back of my mind. Even though I force
utf8 connection on any of my database handles already.

--- End Message ---
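Editor's added example for the two messages above; it is not code from either poster. It shows the guard the first message asks about (fail closed when escaping does not yield a string, and log the input that caused it) next to the prepared-statement form that removes the question entirely. The legacy mysql_* functions are gone from current PHP, so this assumes mysqli; the host, credentials and the `data` table are placeholders. One caveat worth stating plainly: server-side escaping is defined relative to the connection's character set, which is why set_charset() is called on the connection here and why a connection-independent regex is not a drop-in replacement for it.

```php
<?php
// Added example (not from the thread). Assumes mysqli; host, credentials
// and the table `data(data VARCHAR(255))` are placeholders.

// Turn mysqli errors into exceptions instead of FALSE returns plus warnings.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'user', 'pass', 'app');

// Escaping is only correct for the connection's character set, so set it
// through the API; a "SET NAMES" query would leave the client library unaware.
$db->set_charset('utf8mb4');

/**
 * Escape $value for use inside single quotes, or throw.
 *
 * With the old pattern, a FALSE from mysql_real_escape_string() interpolated
 * into "... values('$data_sql')" became the empty string, and an empty row
 * was inserted without any error. Here a non-string result stops the insert
 * and records the offending input as hex so it can be examined afterwards.
 */
function escape_or_fail(mysqli $db, string $value): string
{
    $escaped = $db->real_escape_string($value);
    if (!is_string($escaped)) {
        throw new RuntimeException(
            'escape failed (' . $db->error . ') for input 0x' . bin2hex($value)
        );
    }
    return $escaped;
}

function insert_with_escaping(mysqli $db, string $data): bool
{
    $sql = "INSERT INTO data (data) VALUES ('" . escape_or_fail($db, $data) . "')";
    return (bool) $db->query($sql);
}

/**
 * Same insert as a prepared statement. The value travels separately from
 * the SQL text, so there is no escape result to check at all.
 */
function insert_prepared(mysqli $db, string $data): bool
{
    $stmt = $db->prepare('INSERT INTO data (data) VALUES (?)');
    $stmt->bind_param('s', $data);
    return $stmt->execute();
}

// Constructed hostile input: a closing quote followed by a second statement.
$payload = "x'); DROP TABLE data; -- ";
insert_with_escaping($db, $payload);   // the quote is escaped; stored as text
insert_prepared($db, $payload);        // stored as text; no escaping involved
```

With MYSQLI_REPORT_STRICT a dead connection throws before escaping is even attempted, so the "chipmunk has died" case never reaches the string interpolation; the is_string() guard is kept for older PHP builds where real_escape_string() could still hand back FALSE.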
--- Begin Message ---
>> hi Chris,
>>
>> based on the code you posted, you're missing the closing brace for
>> if ($accessToken===NULL)
>> {
>>
>> there should be 3 closing braces before the last ?>
>
>    That'll be the next error, but that error would print "unexpected
> $end on line xxx."

well, if you're getting the parse error without additional description
then it must be the PHP version, because the lib might be throwing
exceptions and you are running PHP 4.

cheers,
Virgil
http://www.jampmark.com
Free tips, tutorials, innovative tools and techniques useful for
building and improving web sites.

--- End Message ---
--- Begin Message ---
> Usually a single transaction is faster than an insert a time (with or without 
> union)
>
>> Hi all,
>>
>> I am inserting more than 5000 rows into an SQL database but it's taking more
>> than 30 mins to get all the data inserted. I use union to insert
>> multiple rows of 20 at a time.
>>
>> What is the best way to make insert sql statement run faster

hi,

inserting 5000 rows should only take seconds.
if you are looping, optimize the code inside the loop.
or before entering the loop, get a connection first and then use the
connection inside the loop.
or maybe you could post snippets, that would surely be helpful.

cheers,
Virgil
http://www.jampmark.com
Free tips, tutorials, innovative tools and techniques useful for
building and improving web sites.

--- End Message ---
--- Begin Message ---
On 03/21/2009 10:19 AM, Andrea Giammarchi wrote:
>> Hi all,
>>
>> I am inserting more than 5000 rows into an SQL database but it's taking more
>> than 30 mins to get all the data inserted. I use union to insert
>> multiple rows of 20 at a time.
>>
>> What is the best way to make insert sql statement run faster
>
> Usually a single transaction is faster than an insert a time (with or without
> union)

    What do you mean?

START TRANSACTION;
INSERT;
INSERT;
INSERT;
COMMIT;

    Is that it?

    Thank you very much

davi

--- End Message ---
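Editor's added example for the exchange above (not code from any of the posters): the 5000 rows sent inside one transaction through a single prepared statement, plus a multi-row VALUES variant that cuts the round trips further while keeping every value parameterised. It assumes mysqli, an InnoDB table `items(name VARCHAR(64), qty INT)` and placeholder credentials.

```php
<?php
// Added example (not from the thread). Assumes mysqli and an InnoDB table
// `items(name VARCHAR(64), qty INT)`; host and credentials are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'user', 'pass', 'app');
$db->set_charset('utf8mb4');

/**
 * One statement execution per row, but one commit (and one durable write)
 * for the whole batch. This is the START TRANSACTION; INSERT; ...; COMMIT
 * shape from the message above, with the values bound rather than quoted.
 */
function insert_rows_transaction(mysqli $db, array $rows): int
{
    $name = '';
    $qty  = 0;
    $db->begin_transaction();
    try {
        $stmt = $db->prepare('INSERT INTO items (name, qty) VALUES (?, ?)');
        $stmt->bind_param('si', $name, $qty);   // bound by reference, reassigned per row
        $count = 0;
        foreach ($rows as list($name, $qty)) {
            $stmt->execute();
            $count++;
        }
        $db->commit();
        return $count;
    } catch (Throwable $e) {
        $db->rollback();   // no partial batch is left behind
        throw $e;
    }
}

/**
 * Fewer round trips: $chunk rows per INSERT ... VALUES (?,?),(?,?),...
 * The placeholder list is generated from the row count, never from data.
 */
function insert_rows_multivalues(mysqli $db, array $rows, int $chunk = 100): int
{
    $count = 0;
    $db->begin_transaction();
    try {
        foreach (array_chunk($rows, $chunk) as $batch) {
            $placeholders = implode(',', array_fill(0, count($batch), '(?, ?)'));
            $stmt  = $db->prepare("INSERT INTO items (name, qty) VALUES $placeholders");
            $types = str_repeat('si', count($batch));
            $flat  = array();
            foreach ($batch as list($name, $qty)) {
                $flat[] = $name;
                $flat[] = $qty;
            }
            $stmt->bind_param($types, ...$flat);
            $stmt->execute();
            $count += $stmt->affected_rows;
        }
        $db->commit();
        return $count;
    } catch (Throwable $e) {
        $db->rollback();
        throw $e;
    }
}

// Constructed data: 5000 rows.
$rows = array();
for ($i = 0; $i < 5000; $i++) {
    $rows[] = array("item-$i", $i % 7);
}
insert_rows_transaction($db, $rows);
```

Either form replaces the UNION trick with something the server can plan once and execute repeatedly; the transaction is what removes the per-row commit cost that turns 5000 inserts into half an hour.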
--- Begin Message ---
On Sat, Mar 21, 2009 at 6:33 PM, tedd <tedd.sperl...@gmail.com> wrote:
> At 6:15 PM +0300 3/21/09, OOzy Pal wrote:
>>
>> Tedd,
>>
>> You wrote a long story about a client hiring a programmer which is not
>> what I am asking.
>>
>> Anyhow, thank you for your post. I learned from it.
>>
>> I don't want to take it further. This is a PHP mailing list.
>
> Really -- is that what this is?
>
> I thought it was a place where people could ask:
>
> -- quote
> I have just hired a remote PHP programmer. His main job is web
> development and applications.
>
> I have few concerns, I would be happy if someone can point me to the
> right direction.
>
>   1. How can I provide him the requirements. I mean how can I analyze
> the site and put everything in writing.
>   2. How can I estimate manhours.
> -- unquote
>
> For which I provided advice and example, which apparently fell on deaf ears.
>
> As such, I won't waste my time entertaining any other questions from you.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>

Again, I thank you for your post. It was beneficial.

If I may ask you to use the time that you will not use for answering
my questions in reading about relaxation politness.

No matter what type of disagreement happened between any two, that does
not give any one of them the right to insult the other.


-- 
OOzy
Ubuntu (8.10)

--- End Message ---
--- Begin Message ---
2009/3/22 OOzy Pal <oozy...@gmail.com>:
> On Sat, Mar 21, 2009 at 6:33 PM, tedd <tedd.sperl...@gmail.com> wrote:
>> At 6:15 PM +0300 3/21/09, OOzy Pal wrote:
>>>
>>> Tedd,
>>>
>>> You wrote a long story about a client hiring a programmer which is not
>>> what I am asking.
>>>
>>> Anyhow, thank you for your post. I learned from it.
>>>
>>> I don't want to take it further. This is a PHP mailing list.
>>
>> Really -- is that what this is?
>>
>> I thought it was a place where people could ask:
>>
>> -- quote
>> I have just hired a remote PHP programmer. His main job is web
>> development and applications.
>>
>> I have few concerns, I would be happy if someone can point me to the
>> right direction.
>>
>>   1. How can I provide him the requirements. I mean how can I analyze
>> the site and put everything in writing.
>>   2. How can I estimate manhours.
>> -- unquote
>>
>> For which I provided advice and example, which apparently fell on deaf ears.
>>
>> As such, I won't waste my time entertaining any other questions from you.
>>
>> Cheers,
>>
>> tedd
>>
>> --
>> -------
>> http://sperling.com  http://ancientstones.com  http://earthstones.com
>>
>
> Again, I thank you for your post. It was beneficial.
>
> If I may ask you to use the time that you will not use for answering
> my questions in reading about relaxation politness.
>
> No matter what type of disagreement happened between any two, that does
> not give any one of them the right to insult the other.

I disagree. I believe it's a basic human right to say whatever you
want. It's also a basic human right to take offence at anything said
to or about you, but that's your choice. Stopping people from speaking
their minds is an early step on a steep downward hill. Oh, and I fart
in your general direction, etc, etc ;-)

Anyway, back to the point. You asked a question about dealing with a
remote developer. Regardless of whether you employ that person full
time, on a contract basis or ad hoc you are their client so Tedd's
comments formed a valid response to the question.

All too often people take the words of other people and apply their
own definitions and decide it doesn't apply. In my view this list and
the people on it are my clients, as is the board at my day job, as is
my better half, etc. A client to me (and a fair percentage of the
people I know) is "anyone you do stuff for, regardless of remuneration",
and very similar procedures apply to all different types of clients
for the purposes of specifying requirements and estimating effort.

Now that's done, it's Mother's Day here in jolly old England, and I
have a phonecall to make!

-Stuart

-- 
http://stut.net/

--- End Message ---
--- Begin Message ---

 

> Date: Sun, 22 Mar 2009 11:51:45 +0000
> From: stut...@gmail.com
> To: oozy...@gmail.com
> CC: php-gene...@lists.php.net
> Subject: Re: [PHP] Web Development/Application Analysis
> 
> 2009/3/22 OOzy Pal <oozy...@gmail.com>:
> > On Sat, Mar 21, 2009 at 6:33 PM, tedd <tedd.sperl...@gmail.com> wrote:
> >> At 6:15 PM +0300 3/21/09, OOzy Pal wrote:
> >>>
> >>> Tedd,
> >>>
> >>> You wrote a long story about a client hiring a programmer which is not
> >>> what I am asking.
> >>>
> >>> Anyhow, thank you for your post. I learned from it.
> >>>
> >>> I don't want to take it further. This is a PHP mailing list.
> >>
> >> Really -- is that what this is?
> >>
> >> I thought it was a place where people could ask:
> >>
> >> -- quote
> >> I have just hired a remote PHP programmer. His main job is web
> >> development and applications.
> >>
> >> I have few concerns, I would be happy if someone can point me to the
> >> right direction.
> >>
> >>   1. How can I provide him the requirements. I mean how can I analyze
> >> the site and put everything in writing.
> >>   2. How can I estimate manhours.
> >> -- unquote
> >>
> >> For which I provided advice and example, which apparently fell on deaf 
> >> ears.
> >>
> >> As such, I won't waste my time entertaining any other questions from you.
> >>
> >> Cheers,
> >>
> >> tedd
> >>
> >> --
> >> -------
> >> http://sperling.com  http://ancientstones.com  http://earthstones.com
> >>
> >
> > Again, I thank you for your post. It was beneficial.
> >
> > If I may ask you to use the time that you will not use for answering
> > my questions in reading about relaxation politness.
> >
> > No matter what type of disagreement happened between any two, that does
> > not give any one of them the right to insult the other.
> 
> I disagree. I believe it's a basic human right to say whatever you
> want. It's also a basic human right to take offence at anything said
> to or about you, but that's your choice. Stopping people from speaking
> their minds is an early step on a steep downward hill. Oh, and I fart
> in your general direction, etc, etc ;-)
> 
> Anyway, back to the point. You asked a question about dealing with a
> remote developer. Regardless of whether you employ that person full
> time, on a contract basis or ad hoc you are their client so Tedd's
> comments formed a valid response to the question.
> 
> All too often people take the words of other people and apply their
> own definitions and decide it doesn't apply. In my view this list and
> the people on it are my clients, as is the board at my day job, as is
> my better half, etc. A client to me (and a fair percentage of the
> people I know) is "anyone you do stuff for, regardless of remuneration",
> and very similar procedures apply to all different types of clients
> for the purposes of specifying requirements and estimating effort.
> 
> Now that's done, it's Mother's Day here in jolly old England, and I
> have a phonecall to make!
> 
> -Stuart


Oh Stuart!!! 

 

Hit me. You won't believe that I've been coding all the while and I forgot it's 
mother's day.

Well, while you're at it, you can help me call my mum in jolly good NIGERIA and 
tell her Happy mother's day for me.

 

Alugo Abdulazeez

www.frangeovic.com


--- End Message ---
--- Begin Message ---
At 9:57 AM +0300 3/22/09, OOzy Pal wrote:
On Sat, Mar 21, 2009 at 6:33 PM, tedd <tedd.sperl...@gmail.com> wrote:
 > As such, I won't waste my time entertaining any other questions from you.

If I may ask you to use the time that you will not use for answering
my questions in reading about relaxation politness.

No matter what type of disagreement happened between any two, that does
not give any one of them the right to insult the other.

OOzy:

Two points.

First point:

You asked two questions that implied you were a client seeking advice on how to deal with a programmer. I answered your questions from that perspective (and did a good job of it).

Then you come back with additional information, which you should have provided in your original question. And finally said you really didn't need the information I provided, which leads me to believe that you didn't read it either.

All of which illustrates the main point of my answer, which was basically to *fully* communicate what you want to the programmer. In other words, don't do what you just did!

Second point:

Where in all of this exchange did I insult you? All I did was to identify that you don't know how to ask questions so next time I'll pass on answering yours. That's not an insult, that's a choice.

You say that I should spend time reading about "relaxation politness" (sic) -- what the hell is that? (Rhetorical question) That sounds like the typical fluff from the political correctness crowd. Usually when they're intellectually cornered they resort to "Let's don't discuss your point because you hurt my feelings" nonsense.

In any event, if you're going to continue in this field, I suggest that you improve your communication skills and develop a thicker skin.

Good luck with your remote programmer.

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
On Sun, Mar 22, 2009 at 09:02, tedd <tedd.sperl...@gmail.com> wrote:
>
> Good luck with your remote programmer.

    I second that, "OOzy."  You're going to need all the luck you can
get with the "web development/design business" you apparently "own."
Since you obviously have no clue what it's like to freelance and
instead prefer to attempt to dominate a conversation by asserting your
opinion and ill-perceived fortitude, your "business" web site will
probably only make the top 50 pages on Google by searching for the
name explicitly.  And even then, I wouldn't be surprised to hear that
it's the third or fourth result.  Learn about the business and don't
spit in the face of those who attempt to give you free advice.  Don't
just wake up one morning, register a domain name, and say you own a
company.

    I've seen you on the Apache and Linux kernel lists over the years.
 You know your stuff, and you've been on mailing lists long enough to
know that the kind of attitude you had toward Tedd earlier won't glean
the best results from the other list subscribers.  So why start in
that direction now?  Read Tedd's stuff and learn what you can from it.
 Don't open yourself up to getting flamed and ignored for the rest of
your time here.

-- 
</Daniel P. Brown>

--- End Message ---
--- Begin Message ---
Here's my function -

private function filterAttributes($node) {
    // filters the attribute names and content
    $attributes = $node->attributes;
    foreach ($attributes as $attribute) {
        // allow colon as it is used in namespace attributes -
        //  needs to be tested though, may require different handling??
        //  I should get a MathML document and try it out.
        $pattern = '/[^a-z0-9:-]+/i';
        $clean = strtolower(preg_replace($pattern, '', $attribute->name));
        if (strcmp($clean, $attribute->name) != 0) {
            $this->policyReport("Invalid Attribute Name");
        }
        $saniAtt[] = $clean;
        if (strcmp($clean, "value") != 0) {
            // src, data and code go through obfus() with its second argument set
            if (in_array($clean, array("src", "data", "code"))) {
                $saniVal[] = $this->obfus($attribute->value, 1);
            } else {
                $saniVal[] = $this->obfus($attribute->value);
            }
        } else {
            // do not alter value attributes
            $saniVal[] = $attribute->value;
        }
        $oldAtt[] = $attribute->name;
    }
    // strip every original attribute, then put back the filtered ones
    if (isset($oldAtt)) {
        for ($i = 0; $i < sizeof($oldAtt); $i++) {
            $node->removeAttribute($oldAtt[$i]);
        }
    }
    if (isset($saniAtt)) {
        for ($i = 0; $i < sizeof($saniAtt); $i++) {
            $check = " " . $saniAtt[$i] . " ";
            if (substr_count($this->blacklist, $check) == 0) {
                $node->setAttribute($saniAtt[$i], $saniVal[$i]);
            } else {
                $string = "Blacklisted Event Attribute: " . $saniAtt[$i];
                $this->policyReport($string);
            }
        }
    }
}

(entire class here - http://www.clfsrpm.net/xss/cspfilter_class.phps)

Here's the problem -

$attributes = $node->attributes;

creates a list that has both regular attributes and namespaced attributes. But I don't know how to programmatically tell them apart.

Here's the problem - when the attribute involves a namespace, i.e. xml:lang -

$node->removeAttribute($oldAtt[$i]);

doesn't remove it.

$node->setAttribute($saniAtt[$i],$saniVal[$i]);

creates a new attribute WITHOUT the namespace.

So if we have

xml:lang="something"

after the function is run, the result is that there is an additional attribute lang="filtered something"

but xml:lang remains with the unfiltered attribute content.

If I knew a way to tell whether or not an attribute was namespaced I could deal with it by using the correct $node->removeAttributeNS and $node->setAttributeNS for those attributes, but I don't know how to tell them apart programmatically.

It seems that $attribute->name when the attribute is foo:bar will just return bar, and I can't tell if it was originally foo:bar, xml:bar, freak:bar, or just plain bar.

The extremely sparse documentation in the php manual on this area isn't exactly helping me figure it out.

Any help would be appreciated.

To see the problem -

http://www.clfsrpm.net/xss/dom_script_test.php

Put

<p xml:bar = "javascript:something else">A Paragraph</p>

into the textarea and hit submit - and you'll see what the function does with the attribute.
--- End Message ---
--- Begin Message ---
Michael A. Peters wrote:
> Here's the problem -
>
> $attributes = $node->attributes;
>
> creates a list that has both regular attributes and namespaced attributes. But I don't know how to programmatically tell them apart.

http://phpbuilder.com/manual/en/class.domattr.php

What would be really nice is if I could do

$attribute->namespace

the same way I could do

$attribute->name
and
$attribute->value

That would easily allow me to solve the problem.

Is there a reason why that isn't part of the DOMAttr class?

--- End Message ---
--- Begin Message ---
Michael A. Peters wrote:
> Michael A. Peters wrote:
>> Here's the problem -
>>
>> $attributes = $node->attributes;
>>
>> creates a list that has both regular attributes and namespaced attributes. But I don't know how to programmatically tell them apart.
>
> http://phpbuilder.com/manual/en/class.domattr.php
>
> What would be really nice is if I could do
>
> $attribute->namespace
>
> the same way I could do
>
> $attribute->name
> and
> $attribute->value
>
> That would easily allow me to solve the problem.
>
> Is there a reason why that isn't part of the DOMAttr class?


I found a dirty fix - it works but isn't proper.

I think this is a bug in either
$node->elements
or
DOMAttr

Either the first needs to provide a way to tell what is before the : when a : exists in an attribute name or the second needs to either provide it in DOMAttr->name or provide another way to access what (if anything) is before a semicolon.

At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why.
--- End Message ---
--- Begin Message ---
Michael A. Peters wrote:
> At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why.


Bug ID 47747

Clear demonstration test case -

http://www.clfsrpm.net/bugs/domattr.phps
http://www.clfsrpm.net/bugs/domattr.php

I'll wait to see what they say, but if anyone knows how to get the xml:lang from the attribute list w/o knowing it is xml: - I would really like to know.


--- End Message ---
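Editor's added example for the four DOMElement messages above; this is editor-written code, not the poster's cspfilter class. The namespace information the poster is looking for is exposed on DOMNode, which DOMAttr inherits: `namespaceURI` (null for a plain attribute), `prefix` and `localName`, while `nodeName` gives the qualified "prefix:local" form. With that, xml:lang can be told apart from lang and routed through removeAttributeNS()/setAttributeNS(), so the unfiltered original no longer survives beside a filtered copy. The blocked-attribute list and the quote-stripping "clean" step are stand-ins for the poster's blacklist and obfus() logic.

```php
<?php
// Added example (not from the original post). The blocked list and the
// clean_value() step are placeholders for the poster's own policy.

function describe_attribute(DOMAttr $attr): array
{
    // DOMAttr::$name is only the local part; the namespace lives in
    // namespaceURI / prefix, and nodeName carries the qualified name.
    return array(
        'qualified' => $attr->nodeName,
        'local'     => $attr->localName,
        'prefix'    => $attr->prefix,
        'namespace' => $attr->namespaceURI,   // null when not namespaced
    );
}

function clean_value(string $value): string
{
    // placeholder for obfus(): strip quote characters
    return str_replace(array('"', "'"), '', $value);
}

/**
 * Remove every attribute of $node and put back only those not in
 * $blocked, with cleaned values. Namespaced attributes are removed and
 * re-added with the *NS methods so the original never lingers.
 * Returns a list of what was kept and what was blocked.
 */
function filter_attributes(DOMElement $node, array $blocked): array
{
    $report = array();

    // Copy first: the NamedNodeMap is live and shrinks while we remove.
    $attrs = array();
    foreach ($node->attributes as $attr) {
        $attrs[] = $attr;
    }

    foreach ($attrs as $attr) {
        $info  = describe_attribute($attr);
        $clean = clean_value($attr->value);

        if ($info['namespace'] !== null) {
            $node->removeAttributeNS($info['namespace'], $info['local']);
        } else {
            $node->removeAttribute($info['local']);
        }

        if (in_array(strtolower($info['local']), $blocked, true)) {
            $report[] = 'blocked: ' . $info['qualified'];
            continue;
        }

        if ($info['namespace'] !== null) {
            $node->setAttributeNS($info['namespace'], $info['qualified'], $clean);
        } else {
            $node->setAttribute($info['local'], $clean);
        }
        $report[] = 'kept: ' . $info['qualified'] . '=' . $clean;
    }
    return $report;
}

// Constructed input: one namespaced attribute beside plain ones.
$doc = new DOMDocument();
$doc->loadXML('<p xml:lang="en" onclick="x" data-x="a&quot;b">A Paragraph</p>');

$report = filter_attributes($doc->documentElement, array('onclick', 'onload'));
print_r($report);
echo $doc->saveXML($doc->documentElement), "\n";
```

The xml prefix is bound to http://www.w3.org/XML/1998/namespace implicitly, so `namespaceURI` is populated for xml:lang even though no xmlns declaration appears in the input; the same code path handles prefixes declared by the document.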
--- Begin Message ---
On Sun, 2009-03-22 at 09:22 +0800, Virgilio Quilario wrote:
> >> Trying to find best way to accomplish following scenario.  Looking to 
> >> search
> >> inventory through a POST form, have the following optional fields to search
> >> by: Product Name, Color, Size, and Status.  Search maybe for the Product
> >> Name and/or Color or they may search for just the Color or all 4 fields.  I
> >> am trying to find the most efficient way to do this without having 100
> >> different if statements.
> >
> > <?php
> >
> > $where = array( '1 = 1' );
> >
> > if( !empty( $_POST['name'] ) )
> > {
> >    $where[] = 'name = '.$db->quote( $_POST['name'] );
> > }
> >
> > if( !empty( $_POST['colour'] ) )
> > {
> >    $where[] = 'colour = '.$db->quote( $_POST['colour'] );
> > }
> >
> > if( !empty( $_POST['size'] ) )
> > {
> >    $where[] = 'size = '.$db->quote( $_POST['size'] );
> > }
> >
> > if( !empty( $_POST['status'] ) )
> > {
> >    $where[] = 'status = '.$db->quote( $_POST['status'] );
> > }
> >
> > $query =
> >    "SELECT "
> >   ."    * "
> >   ."FROM "
> >   ."    inventory "
> >   ."WHERE "
> >   ."    (".implode( ") AND (", $where ).")";
> >
> > ?>
> >
> > Cheers,
> > Rob.
> 
> Yep, that's the way to do it.
> Or you may do it this way.
> 
> $fields = array('name','colour','size','status');
> $where = array('1 = 1');   // keeps the WHERE clause valid when nothing is posted
> foreach ($_POST as $name => $value) {
>   if (empty($value)) continue;
>   if (!in_array($name, $fields, TRUE)) continue;   // only whitelisted column names
>   $where[] = $name . '=' . $db->quote($value);
> }
> 
> which is more compact and useful when you have 100 different optional fields.

As long as your form field names are the same as your database field
names. Also as long as you don't need to post process the submitted
values in any way :)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP


--- End Message ---
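Editor's added example for the thread above (not code from Rob's or Virgil's messages): the same optional-filter search built with PDO named placeholders rather than $db->quote(). Column names are spliced into the SQL only from a fixed whitelist, values never enter the SQL text, and array-valued form fields (colour[]=x) are skipped rather than cast to "Array". The DSN, credentials and the `inventory` table are placeholders.

```php
<?php
// Added example (not from the thread). DSN, credentials and the
// `inventory` table are placeholders.

/**
 * Build "SELECT ... WHERE (..) AND (..)" from whichever whitelisted
 * fields are present in $input. Returns the SQL and its bound parameters.
 *
 * Column names come only from $allowed; values go through named
 * placeholders. The explicit empty-string test (instead of empty()) keeps
 * a legitimate search for size "0" from being silently dropped.
 */
function build_search(array $input, array $allowed): array
{
    $where  = array('1 = 1');
    $params = array();
    foreach ($allowed as $column) {
        if (!isset($input[$column]) || !is_string($input[$column]) || $input[$column] === '') {
            continue;
        }
        $where[]               = "$column = :$column";
        $params[':' . $column] = $input[$column];
    }
    $sql = 'SELECT * FROM inventory WHERE (' . implode(') AND (', $where) . ')';
    return array($sql, $params);
}

function run_search(PDO $db, array $input): array
{
    list($sql, $params) = build_search($input, array('name', 'colour', 'size', 'status'));
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Real server-side prepares and exceptions on error.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

// Constructed request: one real filter, one field outside the whitelist
// (ignored), and an injection attempt that is bound as a plain string.
$posted = array(
    'colour' => "red' OR '1'='1",
    'price'  => '1',
);
$rows = run_search($db, $posted);
```

Rob's caveat still applies: this works because the form field names are the column names. When they differ, or when values need post-processing, keep the whitelist as a map from form field to column and transform the value before it is added to $params.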
