php-general Digest 14 Jul 2009 02:53:03 -0000 Issue 6228
Topics (messages 295324 through 295343):
Re: Doubts concerning a general Insert method
295324 by: MEM
295325 by: Stuart
295328 by: MEM
Re: RFC/Survey for Our Newer Folks (Including Lurkers)
295326 by: pan
295327 by: Martin Scotta
Re: open source event calendar
295329 by: Joey
Re: PHP not running properly
295330 by: Togrul Mamedbekov
295331 by: Jonathan Tapicer
295332 by: Ashley Sheridan
295333 by: Togrul Mamedbekov
Re: MySql Injection advice
295334 by: Haig Dedeyan
295335 by: Bastien Koert
295336 by: Ashley Sheridan
295337 by: Bastien Koert
295338 by: Michael A. Peters
mod primary key field - newbie question
295339 by: cool.hosting4days.com
295340 by: Floyd Resler
295342 by: Daniel Brown
Re: accidentally chown -R mysql /var/lib, so wrote a script to "fix" them
295341 by: Daevid Vincent
How to create Data Auto-Filters using PEAR Spreadsheet Writer ?
295343 by: Ali, Saqib
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
> $values[0] will give you the first element of $values, namely
> array('animal_name'=>'bruce', 'animal_type'=>'dingo').
>
> array_keys will return an array containing the keys from the
> passed array, so in this case you'll get array('animal_name',
> 'animal_type').
>
So... since $values is an associative array of arrays, we will get, on the first
key, not an array with "0, 1", like array(0,1), but
array('animal_name','animal_type'), yes?
When we use implode over this array, we get:
animal_name, animal_type, which is the string that will be passed to the PDO
prepare().
> After it's finished building $sql use var_dump to look at it. You'll
> see that the values are specified as :animal_name and :animal_type.
> The : indicates to PDO that these are replaceable values.
Yes. And normally, to fill those replaceable values, I used to use
bindParam();
I like this bindParam method because we can then use PDO::PARAM_INT and
PDO::PARAM_STR to more accurately control the data type flow...
>
> The foreach will go through the $values array and for each row it will
> pass the data (e.g. array('animal_name'=>'bruce',
> 'animal_type'=>'dingo') for the first time round the loop) to the
> execute function which will effectively replace those elements in the
> SQL statement and execute it.
Ok, so:
Our $sql will be: INSERT INTO $table (animal_name, animal_type) VALUES
(:animal_name, :animal_type)
We then prepare this $sql by doing:
prepare($sql); and the value of this preparation will be kept in a variable
named $stmt.
Finally, in the foreach, we will grab each value of the $values array and keep
it in a variable called $vals.
The $vals will contain this on the first occurrence of the loop:
array('animal_name'=>'bruce', 'animal_type'=>'ding')
and then, the var $vals will have this on the second occurrence of the loop:
array('animal_name'=>'bruce', 'animal_type'=>'kanguro')
etc.,
At the end of each of these loops, we will process the execute (that will send
the statement to the database).
$stmt->execute(array('animal_name'=>'bruce', 'animal_type'=>'kanguro'));
So this execute will do A LOT: it will take away the 'array(' part, will see
the keys of these arrays (e.g. animal_name and animal_type), compare them with
the placeholder names given in the prepare statement and replace the
placeholder names with the values inside each of these array keys.
Is this correct?
Regards,
Márcio
--- End Message ---
--- Begin Message ---
2009/7/13 MEM <[email protected]>:
>
>> $values[0] will give you the first element of $values, namely
>> array('animal_name'=>'bruce', 'animal_type'=>'dingo').
>>
>> array_keys will return an array containing the keys from the
>> passed array, so in this case you'll get array('animal_name',
>> 'animal_type').
>>
>
> So... since $values is an associative array of arrays, we will get, on the first
> key, not an array with "0, 1", like array(0,1), but
> array('animal_name','animal_type'), yes?
> When we use implode over this array, we get:
> animal_name, animal_type, which is the string that will be passed to the PDO
> prepare().
Indeed.
>> After it's finished building $sql use var_dump to look at it. You'll
>> see that the values are specified as :animal_name and :animal_type.
>> The : indicates to PDO that these are replaceable values.
>
> Yes. And normally, to fill those replaceable values, I used to use
> bindParam();
> I like this bindParam method because we can then use PDO::PARAM_INT and
> PDO::PARAM_STR to more accurately control the data type flow...
I'm not overly familiar with PDO, but I believe that's an alternative
way to do it. The execute method lets you do it in one method call.
>> The foreach will go through the $values array and for each row it will
>> pass the data (e.g. array('animal_name'=>'bruce',
>> 'animal_type'=>'dingo') for the first time round the loop) to the
>> execute function which will effectively replace those elements in the
>> SQL statement and execute it.
>
> Ok, so:
> Our $sql will be: INSERT INTO $table (animal_name, animal_type) VALUES
> (:animal_name, :animal_type)
>
> We then prepare this $sql by doing:
> prepare($sql); and the value of this preparation will be kept in a variable
> named $stmt.
>
> Finally, in the foreach, we will grab each value of the $values array and
> keep it in a variable called $vals.
>
> The $vals will contain this on the first occurrence of the loop:
> array('animal_name'=>'bruce', 'animal_type'=>'ding')
>
> and then, the var $vals will have this on the second occurrence of the loop:
> array('animal_name'=>'bruce', 'animal_type'=>'kanguro')
>
> etc.,
>
> At the end of each of these loops, we will process the execute (that will
> send the statement to the database).
> $stmt->execute(array('animal_name'=>'bruce', 'animal_type'=>'kanguro'));
>
> So this execute will do A LOT: it will take away the 'array(' part, will see
> the keys of these arrays (e.g. animal_name and animal_type), compare them with
> the placeholder names given in the prepare statement and replace the
> placeholder names with the values inside each of these array keys.
>
>
> Is this correct?
Indeed.
-Stuart
--
http://stut.net/
--- End Message ---
--- Begin Message ---
Nice. :-) Thanks a lot Stuart for your time and explanations.
Now that I have understood, I will try to move on and understand how we can
introduce bindParam into it:
To recall, here is the original class:
> public function dbInsert($table, $values) {
>
>     $this->conn();
>
>     // column names are taken from the keys of the first row
>     $fieldnames = array_keys($values[0]);
>
>     $size = sizeof($fieldnames);
>
>     $i = 1;
>
>     // construction of the prepared statement
>     $sql = "INSERT INTO $table";
>
>     $fields = '( ' . implode(' ,', $fieldnames) . ' )';
>
>     $bound = '(:' . implode(', :', $fieldnames) . ' )';
>
>     $sql .= $fields . ' VALUES ' . $bound;
>
>     // prepares the statement and saves it in variable $stmt
>     $stmt = $this->db->prepare($sql);
>
>     // one execute() per row; the keys of $vals match the named placeholders
>     foreach ($values as $vals)
>     {
>         $stmt->execute($vals);
>     }
> }
However I do have some questions that maybe someone more experienced than me
could easily solve:
1)
The bindParams should look similar to this:
$stmt->bindParam(':animal_name', $animals->getName(), PDO::PARAM_STR );
$stmt->bindParam(':animal_type', $animals->getType(), PDO::PARAM_STR );
So, instead of looping through an array of values, I will do it for objects,
something like:
foreach($animals->listaAnimals() as $row) ...
Can I have some words on this so that I can properly try to add bindParam to
this class method?
2)
I also need to have a way to add PDO::PARAM_STR if the value is a string, or
PDO::PARAM_INT if the value is an int, PDO::PARAM_BOOL etc...
Is there a way to control this? Using something like is_integer() and
is_string() inside an if statement perhaps? If so, what about the Boolean?
Thanks a lot,
Márcio
--- End Message ---
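An added example, not MEM's class or anything Stuart posted, of the dbInsert() method with the typed binding asked about in questions 1 and 2 above. It uses bindValue() rather than bindParam() because bindParam() binds by reference and cannot take a getter's return value directly; the PDO::PARAM_* type is picked from the PHP type of each value, and the table and column names, which PDO cannot bind as placeholders, are checked against a strict identifier pattern before they go into the SQL text. The in-memory SQLite connection and the animals table are this example's assumptions.

```php
<?php
// Added example: a typed version of the thread's dbInsert(), not code from the
// original post. Assumes a PDO connection is passed in; the demo at the bottom
// uses an in-memory SQLite database so it runs without a MySQL server.

/**
 * Choose the PDO::PARAM_* constant for a PHP value (question 2 in the thread).
 * null and bool are tested before int and string so they are not mis-typed.
 */
function pdoTypeFor($value)
{
    if (is_null($value)) {
        return PDO::PARAM_NULL;
    }
    if (is_bool($value)) {
        return PDO::PARAM_BOOL;
    }
    if (is_int($value)) {
        return PDO::PARAM_INT;
    }
    // Floats and strings are both sent as strings; the database casts them.
    return PDO::PARAM_STR;
}

/**
 * Insert every row of $values (associative arrays sharing the same keys) into
 * $table, binding each value with an explicit type. Returns the row count.
 *
 * Placeholders can only stand for values, not for table or column names, so
 * the identifiers that go into the SQL text are checked against a strict
 * pattern first. Values are always bound, never interpolated.
 */
function dbInsert(PDO $db, $table, array $values)
{
    if (empty($values)) {
        return 0;
    }
    $fieldnames = array_keys($values[0]);

    foreach (array_merge(array($table), $fieldnames) as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("Bad identifier: $ident");
        }
    }

    $fields = '(' . implode(', ', $fieldnames) . ')';
    $bound  = '(:' . implode(', :', $fieldnames) . ')';
    $stmt   = $db->prepare("INSERT INTO $table $fields VALUES $bound");

    $count = 0;
    foreach ($values as $vals) {
        // execute(array) binds everything as PDO::PARAM_STR; bindValue() lets
        // each column carry its own type. bindValue() copies the value (unlike
        // bindParam(), which binds by reference), so getter results work too.
        foreach ($fieldnames as $name) {
            if (!array_key_exists($name, $vals)) {
                throw new InvalidArgumentException("Row is missing column $name");
            }
            $stmt->bindValue(':' . $name, $vals[$name], pdoTypeFor($vals[$name]));
        }
        $stmt->execute();
        $count++;
    }
    return $count;
}

// Demo on constructed rows (the animals table is this example's assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE animals (animal_name TEXT, animal_type TEXT, legs INTEGER, tame INTEGER)');

$rows = array(
    array('animal_name' => 'bruce', 'animal_type' => 'dingo',    'legs' => 4, 'tame' => false),
    array('animal_name' => 'bruce', 'animal_type' => 'kangaroo', 'legs' => 2, 'tame' => null),
);
echo dbInsert($db, 'animals', $rows), " rows inserted\n";

foreach ($db->query('SELECT * FROM animals', PDO::FETCH_ASSOC) as $row) {
    echo implode(' | ', $row), "\n";
}

// A table name that is not a plain identifier is refused, not interpolated.
try {
    dbInsert($db, 'animal list', $rows);
} catch (InvalidArgumentException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```

Objects can be fed to the same method by mapping each one to an associative array first (e.g. array('animal_name' => $a->getName(), 'animal_type' => $a->getType())), which is all the foreach over $animals->listaAnimals() in question 1 would need to do.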
--- Begin Message ---
Per Jessen wrote:
> pan wrote:
>
>> Urgh ! What do I tell them?
>
> How about what you started with here:
>
> "The information and support of php on windows is not as good."
>
Overcoming resistance to open source software that runs on
windows is easy. Overcoming the belief that "it's a windows world"
is more difficult.
I can show the values of php through the point of view windows offers.
Getting phbs to look at non-MS OSs is not easy. It's a matter of
one step at a time and "choose your battles".
Cost/benefit analysis is not enough. phbs do not understand or
trust non-MS OSs. They do trust results and as long as win versions
of php are available and well maintained I've got plenty to show them.
What they know is that the pecl4windows website doesn't exist anymore.
They know no new extension package has been offered.
They believe new extensions, whether beta or not, are not likely to
become available.
They know that 1st quarter 2009 was to see windows.php.net be
ready. They think delays == vaporware.
They also believe that there is indifference (if not outright hostility)
to php/win in the php developer community.
Personally, I could care less about further entrenchment of windows
in the business world. I'd like to see MS disappear. Unfortunately,
these issues are real.
If the point is to alienate businesses with a "who cares about windows"
attitude, then why bother with win-php at all?
If there is merit to introducing open source to current windows users,
then why make it difficult to do so?
Just looking to make life easier.
Don't blame me for the attitudes of those who pay me.
(And, no - compiling extensions is not an option).
--- End Message ---
--- Begin Message ---
That's exactly how I "inlist" here.
I usually follow threads and even sometimes reply.
I've been here about 90 days (I suppose).
The list is really interesting, but I was expecting more "ninja" threads.
I know this list is wide open to anyone, ninja or newbie, but I was
expecting more.
Anyway I'm really happy to be part of it.
Mrtn
ps. top-posting xD
On Sun, Jul 12, 2009 at 4:54 AM, Ashley
Sheridan<[email protected]> wrote:
> I was using the php.net website for ages for syntax reference, saw the mailing
> list and figured why not. No amazing story, but now you're all stuck with
> me :p
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Martin Scotta
--- End Message ---
--- Begin Message ---
Hello,
I am looking to create a web event calendar for a company, I believe google
is more individual calendar based, right?
I have also seen the others recommended here, but looking for something a
little cleaner, any suggestions?
Thanks!
From: kranthi [mailto:[email protected]]
Sent: Friday, July 10, 2009 3:35 AM
To: Joey
Cc: PHP
Subject: Re: [PHP] open source event calendar
that depends upon your need.
embedding google calendar is best for starters
--- End Message ---
--- Begin Message ---
We are running, Windows Server 2003.
1. Changed that
2. <?phpinfo();?>
Togrul Mamedbekov
Marketing & Publishing Assistant
Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
http://www.iadc.org
_____
From: Zareef Ahmed [mailto:[email protected]]
Sent: Friday, July 10, 2009 19:38
To: Bastien Koert
Cc: Daniel Brown; Togrul Mamedbekov; [email protected]
Subject: Re: [PHP] PHP not running properly
A quick checklist/todo list :
1. set display_errors=yes in php.ini
2. Make sure you are using full <?php tag to write your script.
For a good solution you should also mention your OS/Web Server
Zareef Ahmed
On Sat, Jul 11, 2009 at 1:53 AM, Bastien Koert <[email protected]> wrote:
On Fri, Jul 10, 2009 at 4:17 PM, Daniel Brown<[email protected]> wrote:
> On Fri, Jul 10, 2009 at 15:44, Togrul
> Mamedbekov<[email protected]> wrote:
>> Hello Sir or Madam,
>>
>> We just updated our PHP 5.2 software. And when I try to run the php info
>> script! I get a blank screen!
>
> What do you see when you view the source of the page with phpinfo() ?
>
> --
> </Daniel P. Brown>
> [email protected] || [email protected]
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at
> http://twitter.com/pilotpig
>
Your error handling is logging the errors, not displaying them to the
screen. Check the php ini file settings for that.
--
Bastien
Cat, the other other white meat
--
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
--- End Message ---
--- Begin Message ---
2. Try <?php phpinfo(); ?>
On Mon, Jul 13, 2009 at 3:47 PM, Togrul
Mamedbekov<[email protected]> wrote:
> We are running, Windows Server 2003.
>
> 1. Changed that
> 2. <?phpinfo();?>
>
> Togrul Mamedbekov
> Marketing & Publishing Assistant
> Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
> http://www.iadc.org
>
>
> _____
>
> From: Zareef Ahmed [mailto:[email protected]]
> Sent: Friday, July 10, 2009 19:38
> To: Bastien Koert
> Cc: Daniel Brown; Togrul Mamedbekov; [email protected]
> Subject: Re: [PHP] PHP not running properly
>
>
> A quick checklist/todo list :
>
> 1. set display_errors=yes in php.ini
> 2. Make sure you are using full <?php tag to write your script.
>
> For a good solution you should also mention your OS/Web Server
>
> Zareef Ahmed
>
>
> On Sat, Jul 11, 2009 at 1:53 AM, Bastien Koert <[email protected]> wrote:
>
>
> On Fri, Jul 10, 2009 at 4:17 PM, Daniel Brown<[email protected]> wrote:
>> On Fri, Jul 10, 2009 at 15:44, Togrul
>> Mamedbekov<[email protected]> wrote:
>>> Hello Sir or Madam,
>>>
>>> We just updated our PHP 5.2 software. And when I try to run the php info
>>> script! I get a blank screen!
>>
>> What do you see when you view the source of the page with phpinfo() ?
>>
>> --
>> </Daniel P. Brown>
>> [email protected] || [email protected]
>> http://www.parasane.net/ || http://www.pilotpig.net/
>> Check out our great hosting and dedicated server deals at
>> http://twitter.com/pilotpig
>>
>
>
> Your error handling is logging the errors, not displaying them to the
> screen. Check the php ini file settings for that.
>
> --
>
> Bastien
>
> Cat, the other other white meat
>
>
> --
> Zareef Ahmed :: A PHP Developer in India ( Delhi )
> Homepage :: http://www.zareef.net
>
>
--- End Message ---
--- Begin Message ---
On Mon, 2009-07-13 at 15:50 -0300, Jonathan Tapicer wrote:
> 2. Try <?php phpinfo(); ?>
>
> On Mon, Jul 13, 2009 at 3:47 PM, Togrul
> Mamedbekov<[email protected]> wrote:
> > We are running, Windows Server 2003.
> >
> > 1. Changed that
> > 2. <?phpinfo();?>
> >
> > Togrul Mamedbekov
> > Marketing & Publishing Assistant
> > Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
> > http://www.iadc.org
> >
> >
> > _____
> >
> > From: Zareef Ahmed [mailto:[email protected]]
> > Sent: Friday, July 10, 2009 19:38
> > To: Bastien Koert
> > Cc: Daniel Brown; Togrul Mamedbekov; [email protected]
> > Subject: Re: [PHP] PHP not running properly
> >
> >
> > A quick checklist/todo list :
> >
> > 1. set display_errors=yes in php.ini
> > 2. Make sure you are using full <?php tag to write your script.
> >
> > For a good solution you should also mention your OS/Web Server
> >
> > Zareef Ahmed
> >
> >
> > On Sat, Jul 11, 2009 at 1:53 AM, Bastien Koert <[email protected]> wrote:
> >
> >
> > On Fri, Jul 10, 2009 at 4:17 PM, Daniel Brown<[email protected]> wrote:
> >> On Fri, Jul 10, 2009 at 15:44, Togrul
> >> Mamedbekov<[email protected]> wrote:
> >>> Hello Sir or Madam,
> >>>
> >>> We just updated our PHP 5.2 software. And when I try to run the php info
> >>> script! I get a blank screen!
> >>
> >> What do you see when you view the source of the page with phpinfo() ?
> >>
> >> --
> >> </Daniel P. Brown>
> >> [email protected] || [email protected]
> >> http://www.parasane.net/ || http://www.pilotpig.net/
> >> Check out our great hosting and dedicated server deals at
> >> http://twitter.com/pilotpig
> >>
> >
> >
> > Your error handling is logging the errors, not displaying them to the
> > screen. Check the php ini file settings for that.
> >
> > --
> >
> > Bastien
> >
> > Cat, the other other white meat
> >
> >
> > --
> > Zareef Ahmed :: A PHP Developer in India ( Delhi )
> > Homepage :: http://www.zareef.net
> >
> >
>
I was just about to say, there is your problem. Although your php.ini
may be set up to allow short tags, it will not complain if the full
start tag <?php is there either. As you had no space between <? and the
phpinfo(); the web server was matching the full tag, and then hitting an
error as you'd left no whitespace after it.
Just an aside, it's recommended you turn off short tags inside of your
php.ini if you want to do anything with XML files inside of your PHP
scripts.
Thanks
Ash
www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
Working now :)
Thanks!
Togrul Mamedbekov
Marketing & Publishing Assistant
Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
http://www.iadc.org
-----Original Message-----
From: Jonathan Tapicer [mailto:[email protected]]
Sent: Monday, July 13, 2009 13:51
To: Togrul Mamedbekov
Cc: Zareef Ahmed; Bastien Koert; Daniel Brown; [email protected]
Subject: Re: [PHP] PHP not running properly
2. Try <?php phpinfo(); ?>
On Mon, Jul 13, 2009 at 3:47 PM, Togrul
Mamedbekov<[email protected]> wrote:
> We are running, Windows Server 2003.
>
> 1. Changed that
> 2. <?phpinfo();?>
>
> Togrul Mamedbekov
> Marketing & Publishing Assistant
> Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
> http://www.iadc.org
>
>
> _____
>
> From: Zareef Ahmed [mailto:[email protected]]
> Sent: Friday, July 10, 2009 19:38
> To: Bastien Koert
> Cc: Daniel Brown; Togrul Mamedbekov; [email protected]
> Subject: Re: [PHP] PHP not running properly
>
>
> A quick checklist/todo list :
>
> 1. set display_errors=yes in php.ini
> 2. Make sure you are using full <?php tag to write your script.
>
> For a good solution you should also mention your OS/Web Server
>
> Zareef Ahmed
>
>
> On Sat, Jul 11, 2009 at 1:53 AM, Bastien Koert <[email protected]> wrote:
>
>
> On Fri, Jul 10, 2009 at 4:17 PM, Daniel Brown<[email protected]> wrote:
>> On Fri, Jul 10, 2009 at 15:44, Togrul
>> Mamedbekov<[email protected]> wrote:
>>> Hello Sir or Madam,
>>>
>>> We just updated our PHP 5.2 software. And when I try to run the php
>>> info script! I get a blank screen!
>>
>> What do you see when you view the source of the page with phpinfo() ?
>>
>> --
>> </Daniel P. Brown>
>> [email protected] || [email protected]
>> http://www.parasane.net/ || http://www.pilotpig.net/ Check out our
>> great hosting and dedicated server deals at
>> http://twitter.com/pilotpig
>>
>
>
> Your error handling is logging the errors, not displaying them to the
> screen. Check the php ini file settings for that.
>
> --
>
> Bastien
>
> Cat, the other other white meat
>
>
> --
> Zareef Ahmed :: A PHP Developer in India ( Delhi ) Homepage ::
> http://www.zareef.net
>
>
--- End Message ---
--- Begin Message ---
On July 13, 2009 09:48:54 am Haig Dedeyan wrote:
> On Monday 13 July 2009 14:31:09 tedd wrote:
> > At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
> > >On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
> > >
> > ><snip>
> > >
> > >> As for prepared statements, I'm no authority on them, but from what
> > >> I've read they are not going to be something I'll be practicing
> > >> anytime soon.
> > >
> > >Aside from Stuart's comments about slowness, what else have you read
> > >that makes you discount the use of prepared statements? The PDO class
> > >emphasizes that you're safe from SQL injection exploits, which seems a
> > >big plus.
> > >
> > >Paul
> >
> > Paul:
> >
> > As I said, I'm no authority. However as I have read, prepared
> > statements are for a limited set of instructions in MySQL. They can't
> > be used for everything. Why should I learn one way to do something
> > that isn't universal in the language?
> >
> > Additionally, I think the way I sanitize data is sufficient AND I
> > understand it. *My* learning curve may introduce security problems
> > that I am not willing to risk, at this moment. As I said, I have more
> > than enough on my plate to digest -- including learning non-prepared
> > statements in MySQL.
> >
> > Cheers,
> >
> > tedd
> >
> > --
> > -------
> > http://sperling.com http://ancientstones.com http://earthstones.com
>
> Generally speaking, what I have always done to avoid MySQL injection is to
> use mysql_real_escape_string() on all variables I'm chucking into the
> database.
>
> This won't avoid hacks that involve people trying to insert other types of
> code into your content, aka XSS, et al, though. What I do for cases like
> these is try to be as specific as possible when allowing users to enter
> data and try to sanitise it as much as possible.
>
> For example, a name field shouldn't contain anything other than letters, so
> you can write a regex for that. Phone number fields should only contain
> numbers, the odd + sign, and sometimes spaces and brackets if your users
> are really fastidious with their input.
>
> Sometimes this isn't possible, as in the case of a lot of free-text entry
> boxes, so for those you should try and make some attempt to strip out tags
> or html encode the data prior to displaying it.
>
> Anyway, that's my take on it, and it seems to work for me, but I'm always
> welcome to know of other ways, as I'd prefer being told on the list than
> finding out the hard way! :p
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
Hi Ashley,
For the phone #'s, I'm using int as the data type & storing each part of the
phone # in its own cell.
When it gets displayed, I add a dash in between each part of the phone #
(country code-area code-1st set of digits-last set of digits).
Cheers
Haig
--- End Message ---
--- Begin Message ---
On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan<[email protected]> wrote:
> On July 13, 2009 09:48:54 am Haig Dedeyan wrote:
>> On Monday 13 July 2009 14:31:09 tedd wrote:
>> > At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
>> > >On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
>> > >
>> > ><snip>
>> > >
>> > >> As for prepared statements, I'm no authority on them, but from what
>> > >> I've read they are not going to be something I'll be practicing
>> > >> anytime soon.
>> > >
>> > >Aside from Stuart's comments about slowness, what else have you read
>> > >that makes you discount the use of prepared statements? The PDO class
>> > >emphasizes that you're safe from SQL injection exploits, which seems a
>> > >big plus.
>> > >
>> > >Paul
>> >
>> > Paul:
>> >
>> > As I said, I'm no authority. However as I have read, prepared
>> > statements are for a limited set of instructions in MySQL. They can't
>> > be used for everything. Why should I learn one way to do something
>> > that isn't universal in the language?
>> >
>> > Additionally, I think the way I sanitize data is sufficient AND I
>> > understand it. *My* learning curve may introduce security problems
>> > that I am not willing to risk, at this moment. As I said, I have more
>> > than enough on my plate to digest -- including learning non-prepared
>> > statements in MySQL.
>> >
>> > Cheers,
>> >
>> > tedd
>> >
>> > --
>> > -------
>> > http://sperling.com http://ancientstones.com http://earthstones.com
>>
>> Generally speaking, what I have always done to avoid MySQL injection is to
>> use mysql_real_escape_string() on all variables I'm chucking into the
>> database.
>>
>> This won't avoid hacks that involve people trying to insert other types of
>> code into your content, aka XSS, et al, though. What I do for cases like
>> these is try to be as specific as possible when allowing users to enter
>> data and try to sanitise it as much as possible.
>>
>> For example, a name field shouldn't contain anything other than letters, so
>> you can write a regex for that. Phone number fields should only contain
>> numbers, the odd + sign, and sometimes spaces and brackets if your users
>> are really fastidious with their input.
>>
>> Sometimes this isn't possible, as in the case of a lot of free-text entry
>> boxes, so for those you should try and make some attempt to strip out tags
>> or html encode the data prior to displaying it.
>>
>> Anyway, that's my take on it, and it seems to work for me, but I'm always
>> welcome to know of other ways, as I'd prefer being told on the list than
>> finding out the hard way! :p
>>
>> --
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>
> Hi Ashley,
>
> for the phone #'s, I'm using int as the data type & storing each part of the
> phone # in its own cell.
>
> When it gets displayed, I add a dash in between each part of the phone #'s
> (country code-area code-1st set of digits-last set of digits)
>
> Cheers
>
> Haig
>
>
>
>
I too store them as an int but then create a mask to show the user
the correct format based on country.
--
Bastien
Cat, the other other white meat
--- End Message ---
--- Begin Message ---
On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote:
> On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan<[email protected]> wrote:
> > On July 13, 2009 09:48:54 am Haig Dedeyan wrote:
> >> On Monday 13 July 2009 14:31:09 tedd wrote:
> >> > At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
> >> > >On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
> >> > >
> >> > ><snip>
> >> > >
> >> > >> As for prepared statements, I'm no authority on them, but from what
> >> > >> I've read they are not going to be something I'll be practicing
> >> > >> anytime soon.
> >> > >
> >> > >Aside from Stuart's comments about slowness, what else have you read
> >> > >that makes you discount the use of prepared statements? The PDO class
> >> > >emphasizes that you're safe from SQL injection exploits, which seems a
> >> > >big plus.
> >> > >
> >> > >Paul
> >> >
> >> > Paul:
> >> >
> >> > As I said, I'm no authority. However as I have read, prepared
> >> > statements are for a limited set of instructions in MySQL. They can't
> >> > be used for everything. Why should I learn one way to do something
> >> > that isn't universal in the language?
> >> >
> >> > Additionally, I think the way I sanitize data is sufficient AND I
> >> > understand it. *My* learning curve may introduce security problems
> >> > that I am not willing to risk, at this moment. As I said, I have more
> >> > than enough on my plate to digest -- including learning non-prepared
> >> > statements in MySQL.
> >> >
> >> > Cheers,
> >> >
> >> > tedd
> >> >
> >> > --
> >> > -------
> >> > http://sperling.com http://ancientstones.com http://earthstones.com
> >>
> >> Generally speaking, what I have always done to avoid MySQL injection is to
> >> use mysql_real_escape_string() on all variables I'm chucking into the
> >> database.
> >>
> >> This won't avoid hacks that involve people trying to insert other types of
> >> code into your content, aka XSS, et al, though. What I do for cases like
> >> these is try to be as specific as possible when allowing users to enter
> >> data and try to sanitise it as much as possible.
> >>
> >> For example, a name field shouldn't contain anything other than letters, so
> >> you can write a regex for that. Phone number fields should only contain
> >> numbers, the odd + sign, and sometimes spaces and brackets if your users
> >> are really fastidious with their input.
> >>
> >> Sometimes this isn't possible, as in the case of a lot of free-text entry
> >> boxes, so for those you should try and make some attempt to strip out tags
> >> or html encode the data prior to displaying it.
> >>
> >> Anyway, that's my take on it, and it seems to work for me, but I'm always
> >> welcome to know of other ways, as I'd prefer being told on the list than
> >> finding out the hard way! :p
> >>
> >> --
> >> Thanks,
> >> Ash
> >> http://www.ashleysheridan.co.uk
> >
> > Hi Ashley,
> >
> > for the phone #'s, I'm using int as the data type & storing each part of the
> > phone # in its own cell.
> >
> > When it gets displayed, I add a dash in between each part of the phone #'s
> > (country code-area code-1st set of digits-last set of digits)
> >
> > Cheers
> >
> > Haig
> >
> >
> >
> >
>
> I too store them as an int but then create a mask to show the user
> the correct format based on country.
>
> --
>
> Bastien
>
> Cat, the other other white meat
>
What about other data? Is what I'm doing already sufficient do you
think?
Thanks
Ash
www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
On Mon, Jul 13, 2009 at 5:52 PM, Ashley
Sheridan<[email protected]> wrote:
> On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote:
>> On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan<[email protected]> wrote:
>> > On July 13, 2009 09:48:54 am Haig Dedeyan wrote:
>> >> On Monday 13 July 2009 14:31:09 tedd wrote:
>> >> > At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
>> >> > >On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
>> >> > >
>> >> > ><snip>
>> >> > >
>> >> > >> As for prepared statements, I'm no authority on them, but from what
>> >> > >> I've read they are not going to be something I'll be practicing
>> >> > >> anytime soon.
>> >> > >
>> >> > >Aside from Stuart's comments about slowness, what else have you read
>> >> > >that makes you discount the use of prepared statements? The PDO class
>> >> > >emphasizes that you're safe from SQL injection exploits, which seems a
>> >> > >big plus.
>> >> > >
>> >> > >Paul
>> >> >
>> >> > Paul:
>> >> >
>> >> > As I said, I'm no authority. However as I have read, prepared
>> >> > statements are for a limited set of instructions in MySQL. They can't
>> >> > be used for everything. Why should I learn one way to do something
>> >> > that isn't universal in the language?
>> >> >
>> >> > Additionally, I think the way I sanitize data is sufficient AND I
>> >> > understand it. *My* learning curve may introduce security problems
>> >> > that I am not willing to risk, at this moment. As I said, I have more
>> >> > than enough on my plate to digest -- including learning non-prepared
>> >> > statements in MySQL.
>> >> >
>> >> > Cheers,
>> >> >
>> >> > tedd
>> >> >
>> >> > --
>> >> > -------
>> >> > http://sperling.com http://ancientstones.com http://earthstones.com
>> >>
>> >> Generally speaking, what I have always done to avoid MySQL injection is to
>> >> use mysql_real_escape_string() on all variables I'm chucking into the
>> >> database.
>> >>
>> >> This won't avoid hacks that involve people trying to insert other types of
>> >> code into your content, aka XSS, et al, though. What I do for cases like
>> >> these is try to be as specific as possible when allowing users to enter
>> >> data and try to sanitise it as much as possible.
>> >>
>> >> For example, a name field shouldn't contain anything other than letters,
>> >> so
>> >> you can write a regex for that. Phone number fields should only contain
>> >> numbers, the odd + sign, and sometimes spaces and brackets if your users
>> >> are really fastidious with their input.
>> >>
>> >> Sometimes this isn't possible, as in the case of a lot of free-text entry
>> >> boxes, so for those you should try and make some attempt to strip out tags
>> >> or html encode the data prior to displaying it.
>> >>
>> >> Anyway, that's my take on it, and it seems to work for me, but I'm always
>> >> welcome to know of other ways, as I'd prefer being told on the list than
>> >> finding out the hard way! :p
>> >>
>> >> --
>> >> Thanks,
>> >> Ash
>> >> http://www.ashleysheridan.co.uk
>> >
>> > Hi Ashley,
>> >
>> > for the phone #'s, I'm using int as the data type & storing each part of
>> > the
>> > phone # in its own cell,
>> >
>> > When it gets displayed, I add a dash in between each part of the phone #'s
>> > (country code-area code-1st set of digits-last set of digits)
>> >
>> > Cheers
>> >
>> > Haig
>> >
>> >
>> >
>> >
>>
>> I too, store them as an int but then create a mask to show the user
>> the correct format based on country
>>
>> --
>>
>> Bastien
>>
>> Cat, the other other white meat
>>
>
> What about other data? Is what I'm doing already sufficient do you
> think?
>
> Thanks
> Ash
> www.ashleysheridan.co.uk
>
>
I think it all comes down to how you view the data and the validation
routines. I keep those separate from the sanitation routines as my
validations need to be more fluid (thinking about dates: life date
(basically the last 100 years) vs event date (not in the past, but
within the next 24 hours, depending on where the client locations are)).
From a sanitation perspective, I don't have any issues with what you
are doing and in many cases I do the same thing. I just have extra
validation on other factors of the data.
--
Bastien
Cat, the other other white meat
--- End Message ---
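An added example, not code from any poster in this thread, of the separation Bastien describes: validation routines (name letters-only, phone digits-and-punctuation, life date within the last 100 years, event date within the next 24 hours) kept apart from the sanitisation applied at output time. The function names, the form array and the fixed "now" timestamp are constructed for illustration.

```php
<?php
// Validation answers "is this value acceptable for this field?".
// Each rule is a whitelist; anything not matching is rejected outright.

// Letters only, with spaces, hyphens and apostrophes allowed inside a name.
function validate_name($name)
{
    return preg_match("/^[A-Za-z][A-Za-z '\\-]{0,99}$/", $name) === 1;
}

// Digits, an optional leading '+', spaces and brackets.
function validate_phone($phone)
{
    return preg_match('/^\+?[0-9 ()]{6,20}$/', $phone) === 1;
}

// A "life date" (e.g. date of birth) must fall within the last 100 years.
function validate_life_date($ymd, $now)
{
    $ts = strtotime($ymd, $now);
    return $ts !== false && $ts <= $now && $ts >= strtotime('-100 years', $now);
}

// An event date must not be in the past and must lie within the next 24 hours.
function validate_event_date($datetime, $now)
{
    $ts = strtotime($datetime, $now);
    return $ts !== false && $ts >= $now && $ts <= $now + 86400;
}

// Sanitisation is a separate step: it does not decide whether the value is
// valid, it only makes free text safe to print into an HTML page.
function sanitize_for_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission (hypothetical form fields).
$now  = strtotime('2009-07-13 12:00:00');
$form = array(
    'name'  => "O'Brien",
    'phone' => '+1 (555) 0100',
    'dob'   => '1975-03-02',
    'event' => '2009-07-14 09:30:00',
    'bio'   => '<b>hello</b> & goodbye',
);
var_dump(validate_name($form['name']), validate_phone($form['phone']));
var_dump(validate_life_date($form['dob'], $now), validate_event_date($form['event'], $now));
echo sanitize_for_html($form['bio']), "\n";
```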
--- Begin Message ---
tedd wrote:
At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
<snip>
As for prepared statements, I'm no authority on them, but from what
I've read they are not going to be something I'll be practicing
anytime soon.
Aside from Stuart's comments about slowness, what else have you read
that makes you discount the use of prepared statements? The PDO class
emphasizes that you're safe from SQL injection exploits, which seems a
big plus.
Paul
Paul:
As I said, I'm no authority. However as I have read, prepared statements
are for a limited set of instructions in MySQL. They can't be used for
everything. Why should I learn one way to do something that isn't
universal in the language?
They are useful for select, insert, and update queries, which are the
three most common types of queries in web applications and are most
often used for SQL injection.
I personally use the MDB2 database abstraction layer. Here's how it's done -
$types = Array('integer','text');
$q = "SELECT something,else FROM table WHERE id < ? AND type=?";
$sql = $mdb2->prepare($q,$types,MDB2_PREPARE_RESULT);
$args = Array($someinput,$someotherinput);
$rs = $sql->execute($args);
Here's the non prepared way
$sql = "SELECT something,else FROM table WHERE id < $someinput AND
type='$someotherinput'";
$rs = $mdb2->query($sql);
The two are very similar syntax, just a few extra steps required for
prepared statements - and if the query is performed multiple times with
different arguments, you can re-use the prepared statement and don't
have to make it again.
The first has sql injection protection automatically for the two
arguments, the second requires that you first sanitize the two arguments
- which is where mysql_real_escape_string comes in - but as soon as you
use that mysql specific function, your code no longer is as easily
portable to other databases.
Prepared statements may be a minor performance hit but I suspect if it
is even noticeable, you are at the edge of what your server can handle
and either need a hardware update, infrastructure update (i.e. dedicated sql
servers and load balancing), or code optimization that probably will
find bigger issues than sql prepared statements.
Using a cache (i.e. APC or memcached) for commonly performed queries makes
the speed difference between the two only matter when the query isn't
cached.
--- End Message ---
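An added example, not from any poster in this thread, of the same two-argument query built the prepared way and the concatenated way, using PDO (which Paul mentioned) instead of MDB2. It runs against an in-memory SQLite table constructed here as a stand-in for the MySQL table; the table name, column names and sample rows are all assumptions.

```php
<?php
// 1. Prepared statement: the SQL text and the two arguments travel separately,
//    so the driver never parses user input as part of the query. Binding the
//    types mirrors MDB2's $types array.
function find_items_prepared(PDO $pdo, $maxId, $type)
{
    $stmt = $pdo->prepare('SELECT id, type FROM items WHERE id < :max_id AND type = :type');
    $stmt->bindValue(':max_id', (int) $maxId, PDO::PARAM_INT);
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Concatenation: escaping (quote() here, mysql_real_escape_string in the
//    MySQL-only version) protects only the *quoted* text argument. The id sits
//    unquoted in "id < $someinput", so it must be coerced to an integer instead;
//    forgetting that step is the usual hole in hand-sanitised queries.
function find_items_concat(PDO $pdo, $maxId, $type)
{
    $sql = 'SELECT id, type FROM items WHERE id < ' . (int) $maxId
         . ' AND type = ' . $pdo->quote($type);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: SQLite in memory standing in for the MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER, type TEXT)');
$pdo->exec("INSERT INTO items VALUES (1, 'dingo')");
$pdo->exec("INSERT INTO items VALUES (2, 'it''s')");
$pdo->exec("INSERT INTO items VALUES (300, 'dingo')");

// A type value containing a quote is handled as data by both functions;
// a non-numeric id string is reduced to 0 by the cast rather than reaching SQL.
print_r(find_items_prepared($pdo, '100', 'dingo'));
print_r(find_items_concat($pdo, '100', "it's"));
print_r(find_items_concat($pdo, '100 OR 1', 'dingo'));
```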
--- Begin Message ---
newbie question ... I have a MySQL table where I want to update
(renumber) the primary numeric key field.
- I successfully turned field off as a primary key index and UN auto
incremented it
- then created new sequential numbers for it
- then turned back on primary key index and re added auto increment in
BUT when I make a new record it does NOT start where new numbers stop
last is 51
next should be 52
but jumps to 157
Q: is there a way to reset the NEXT SERIAL ID NUMBER somewhere? how
do I fix this?
--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]
--- End Message ---
--- Begin Message ---
Sounds like you want to set the auto increment. To do that, use this
query:
alter table `table_name` auto_increment 1;
That will reset it to one. Although I've never tried it, I assume you
can give it another value.
Take care,
Floyd
On Jul 13, 2009, at 5:35 PM, [email protected] wrote:
newbie question ... I have a MySQL table where I want to update
(renumber) the primary numeric key field.
- I successfully turned field off as a primary key index and UN auto
incremented it
- then created new sequential numbers for it
- then turned back on primary key index and re added auto increment in
BUT when I make a new record it does NOT start where new numbers stop
last is 51
next should be 52
but jumps to 157
Q: is there a way to reset the NEXT SERIAL ID NUMBER somewhere? how
do I fix this?
--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]
--- End Message ---
--- Begin Message ---
On Mon, Jul 13, 2009 at 17:35,
[email protected]<[email protected]> wrote:
> newbie question ... I have a MySQL table where I want to update (renumber)
> the primary numeric key field.
The response you received from Floyd was accurate, but next time,
please keep these kinds of questions on the appropriate lists. This
wasn't on-topic or PHP-related, but instead should've been asked on
the MySQL list at [email protected].
--
</Daniel P. Brown>
[email protected] || [email protected]
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig
--- End Message ---
--- Begin Message ---
Figured I'd throw this into the intertubes so it's archived and maybe useful
for someone else, since I couldn't find a script that did this already...
-----Original Message-----
From: Daevid Vincent [mailto:[email protected]]
Sent: Monday, July 13, 2009 4:06 PM
To: '[email protected]'
Subject: RE: accidentally chown -R mysql /var/lib
Well, I just wrote a little script and ran it against the three Ubuntu boxen
I have access to, and then just ran the output against my own 'broken'
box...
---------------------------------- 8< snip >8
-------------------------------------------
#!/usr/bin/php
<?php
error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING); // E_WARNING because the posix_* seems to puke on symlinks ?!

// Walk $base recursively; for every entry not owned by root:root, print the
// chown command that would reproduce its current owner and group.
function rootscan($base='', &$data=array())
{
    $array = array_diff(scandir($base), array('.', '..'));
    foreach($array as $value)
    {
        $bv = $base.$value;
        $owner = posix_getpwuid(fileowner($bv));
        $owner = $owner['name'];
        $group = posix_getgrgid(filegroup($bv));
        $group = $group['name'];
        if ($owner != 'root' || $group != 'root')
            echo "chown ".$owner.':'.$group.' '.$bv."\n";
        if (is_dir($bv))
        {
            $data[] = $bv.'/';
            $data = rootscan($bv.'/', $data);
        }
        elseif (is_file($bv))
        {
            $data[] = $bv;
        }
    }
    return $data;
}
rootscan('/var/lib'.'/');
?>
---------------------------------- 8< snip >8
-------------------------------------------
It produces a bunch of lines like this:
vince...@gabriel:~$ sudo ./dirfix.php
chown root:polkituser /var/lib/PolicyKit
chown root:polkituser /var/lib/PolicyKit/user-haldaemon.auths
chown polkituser:root /var/lib/PolicyKit-public
chown avahi-autoipd:avahi-autoipd /var/lib/avahi-autoipd
chown root:gdm /var/lib/gdm
chown libuuid:libuuid /var/lib/libuuid
chown polkituser:polkituser /var/lib/misc/PolicyKit.reload
chown root:mlocate /var/lib/mlocate/mlocate.db
chown mysql:mysql /var/lib/mysql
...
chown postfix:postfix /var/lib/postfix
chown postfix:postfix /var/lib/postfix/master.lock
chown root:sambashare /var/lib/samba/usershares
> -----Original Message-----
> From: Daevid Vincent [mailto:[email protected]]
> Sent: Monday, July 13, 2009 2:38 PM
> To: '[email protected]'
> Subject: accidentally chown -R mysql /var/lib
>
> Yes, I was setting up a new Ubuntu 9.04 box for the past
> couple days, and today when copying a 70GB database from an
> old server to the new one, I accidentally did this (well, the
> equiv of anyways):
>
> chown -R mysql:mysql /var/lib
>
> Instead of
>
> chown -R mysql:mysql /var/lib/mysql
>
> So I've "reverted" to:
>
> chown -R root:root /var/lib
>
> Does anyone know of a "script" or something that will fix all
> the directories to their proper owner/group again?
>
> If not, I have a 9.04 box next to me that has a pristine
> /var/lib tree (just not all the same packages that the new
> box had). Is there some script-fu that I can run on the good
> box that will show me all the owner/groups that are NOT
> root:root, so I can manually adjust. Doing a random quick
> poke at various directories, I don't see all that many, so I
> expect the result list won't be that much.
>
> ...there is always the possibility of just re-installing, but
> obviously I prefer not to do that if I don't have to and
> waste another day re-setting stuff up (should be quicker
> thanks to .tgz though)
>
> And before anyone decides to be a smart alec, no, of course I
> hadn't done backups. ;-) But even if I did, I don't
> generally backup the entire system, only the core dirs like
> /etc, /home, /var/lib/mysql, etc...
> http://daevid.com/content/examples/daily_backup.php
>
--- End Message ---
--- Begin Message ---
Hello All,
Is there a way to create Data Auto-Filters using PEAR's Spreadsheet
Writer? Thanks
saqib
http://www.capital-punishment.us
--- End Message ---