php-general Digest 18 Oct 2009 07:11:18 -0000 Issue 6396

Topics (messages 299019 through 299025):

Re: How to pronounce PHP code over the phone?
        299019 by: LinuxManMikeC

Re: Sanitizing potential MySQL strings with no database connection
        299020 by: Dotan Cohen
        299023 by: Tommy Pham
        299025 by: Jim Lucas

Re: PHP broadcast mailer
        299021 by: Manuel Lemos
        299022 by: George Langley
        299024 by: Paul M Foster

Administrivia:

To subscribe to the digest, e-mail:
        [email protected]

To unsubscribe from the digest, e-mail:
        [email protected]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
On Sat, Oct 17, 2009 at 11:42 AM, Dotan Cohen <[email protected]> wrote:
>> As for following a convention, just
>> get the PHP terminology right,
>
> That is what I was hoping to learn!
>

http://www.php.net/manual/en/langref.php

--- End Message ---
--- Begin Message ---
> I don't think so since the mysql_real_escape_string() requires a connection 
> handler.  Why not use bind param?
>

Thanks. I just googled bind param but I am still a bit unclear as to
what is going on.

To be clear, I have a file of functions that I use in many scripts,
let's call it functions.inc. One of the functions calls
mysql_real_escape_string() but in order to do that it looks like I
have to connect to a database. However, different scripts connect to
different databases, and some do not connect to a database at all, so
I cannot simply connect to a database from the functions.inc file as
that will interfere with the database connections going on in the
scripts including that file.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

--- End Message ---
--- Begin Message ---
----- Original Message ----
> From: Dotan Cohen <[email protected]>
> To: Tommy Pham <[email protected]>
> Cc: php-general. <[email protected]>
> Sent: Sat, October 17, 2009 10:59:52 AM
> Subject: Re: [PHP] Sanitizing potential MySQL strings with no database  
> connection
> 
> > I don't think so since the mysql_real_escape_string() requires a connection 
> handler.  Why not use bind param?
> >
> 
> Thanks. I just googled bind param but I am still a bit unclear as to
> what is going on.
> 
> To be clear, I have a file of functions that I use in many scripts,
> let's call it functions.inc. One of the functions calls
> mysql_real_escape_string() but in order to do that it looks like I
> have to connect to a database. However, different scripts connect to
> different databases, and some do not connect to a database at all, so
> I cannot simply connect to a database from the functions.inc file as
> that will interfere with the database connections going on in the
> scripts including that file.
> 
> -- 
> Dotan Cohen
> 
> http://what-is-what.com
> http://gibberish.co.il
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

I assumed the reason you wanted to escape the string was so that you could 
perform DB operations.  In your select/insert/update class(es)/function(s), you 
could just use a prepared statement and bind param.  Thus, no need to escape the 
string to protect against injection.  It's also faster if by chance you're 
doing several updates/inserts due to the nature of prepared statements.  You 
could use a callback function in case you have a varying size array of 
parameters, making your code more adaptable and somewhat smaller.  I generally 
prefer using prepared statement + bind param over escape string + query for 
speed and flexibility.

http://www.php.net/manual/en/mysqli.prepare.php
http://www.php.net/manual/en/mysqli-stmt.bind-param.php

have good examples.

Regards,
Tommy


--- End Message ---
--- Begin Message ---
Dotan Cohen wrote:
> How can I configure mysql_real_escape_string() to _not_ need a
> database connection in order to do its work on a string. I understand
> that the function wants a database connection to determine which
> charset / encoding is in use, but in my case it will always be UTF-8.
> 
> I have a file of reusable functions that I include in several scripts,
> one of them is a MySQL sanitization function, like this:
> function clean_mysql ($dirty) {
>     $dirty=trim($dirty);
>     $clean=mysql_real_escape_string($dirty);
>     return $clean;
> }
> 
> As different scripts reuse this code but connect to different
> databases, I need the function to work independently of the database
> connection. In other words, the include file cannot connect to the
> database but it still must perform the mysql_real_escape_string()
> function on UTF-8 data.
> 
> Thanks in advance for any ideas.


What is your intention when calling this function, if you are not connecting to a DB? I realize you want to sanitize a string, but why? The only reason to use mysql_real_escape_string() would be to sanitize a string to prepare it to be used in a query against a mysql database.

If you are simply looking to escape a (UTF-8) string, why not just use the other built-in escape functions from PHP?

What does mysql_real_escape_string() offer you that addslashes(), addcslashes(), htmlentities(), quotemeta(), htmlspecialchars(), etc... would not offer you?

What type of data are you trying to protect yourself from? And what are you planning on doing with the output?

--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare

--- End Message ---
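The alternative Tommy describes (prepare once, bind the values, execute many times) and the question Jim raises (what escaping buys you when the values are going into a query) can both be shown in one script. This is an added example, not code from the thread or from the PHP manual pages linked above; it uses PDO with an in-memory SQLite database so it runs without a MySQL server, and the table, rows and function names (openDb, insertRows, findByName) are constructed for the illustration. With the MySQL driver you would swap the DSN for one starting with mysql: and add PDO::ATTR_EMULATE_PREPARES => false so the server, not the client, prepares the statement; the same prepare/bind pattern is what mysqli_prepare() and bind_param() give you in the mysqli API.

```php
<?php
// Added example (not from the original thread): prepared statements with a
// variable-width parameter list, instead of escaping strings in an include
// file that has no database connection of its own.
//
// Assumptions: PHP 7+ with the PDO and pdo_sqlite extensions. The data set is
// constructed; the database is in-memory SQLite so the script runs offline.
// For MySQL use a 'mysql:host=...;dbname=...' DSN and add the option
// PDO::ATTR_EMULATE_PREPARES => false (not set here because the SQLite driver
// does not support that attribute).

declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    return $pdo;
}

// Insert one row per associative array. The column list and the number of
// placeholders are derived from the keys of the first row, so the same function
// serves tables of any width (the "varying size array of parameters" case).
function insertRows(PDO $pdo, string $table, array $rows): int
{
    if ($rows === []) {
        return 0;
    }
    $columns = array_keys($rows[0]);

    // Placeholders can only stand for values, never for table or column names,
    // so identifiers are checked against a strict pattern before interpolation.
    foreach (array_merge([$table], $columns) as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("Unsafe identifier: $ident");
        }
    }

    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table, implode(', ', $columns), $placeholders);

    // One prepare, many executes: the values are sent as bound parameters and
    // are never spliced into the SQL text, so no escaping step is needed.
    $stmt = $pdo->prepare($sql);
    $count = 0;
    foreach ($rows as $row) {
        $stmt->execute(array_values($row));
        $count++;
    }
    return $count;
}

// Parameterised lookup: quotes, backslashes and UTF-8 in $name are treated as
// data, which is what the clean_mysql() helper in the thread was trying to ensure.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll();
}

$pdo = openDb();

// Constructed sample rows, deliberately containing the characters that
// string escaping exists to handle.
$inserted = insertRows($pdo, 'users', [
    ['name' => "O'Brien",        'email' => 'ob@example.invalid'],
    ['name' => 'Back\\slash',    'email' => 'bs@example.invalid'],
    ['name' => 'Ünïcödé',        'email' => 'u@example.invalid'],
]);

printf("inserted %d rows\n", $inserted);
printf("%d row(s) named O'Brien\n", count(findByName($pdo, "O'Brien")));
printf("%d row(s) named Ünïcödé\n", count(findByName($pdo, 'Ünïcödé')));
```

Run it with php on the command line. The point for the thread's question is that the include file never needs a connection of its own: the function that receives a PDO (or mysqli) handle from the calling script does the binding, and the calling script keeps control of which database it is talking to.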
--- Begin Message ---
Hello,

on 10/17/2009 02:41 AM Brian Hazelton said the following:
> I am in charge of an email newsletter list and making sure it gets sent
> out in time. My problem is I have never done broadcast emailing and
> right now we have 400 subscribers but want to build a system that can
> scale well regardless of the number of subscribers. Right now I use
> mysql to store the email and use phpmailer in a loop to send an email to
> each of the emails in the db, it is already slow with just 400 (takes
> around 10 min; I think that's slow, isn't it?). Has anyone built a
> broadcast email script and is willing to help me?

I use the MIME message mailer class which has optimizations specifically
for sending messages to many recipients. Take a look at the
test_personalized_bulk_mail.php example script.

Also keep in mind that for sending many messages, queueing messages in
an SMTP server is the slowest method of all. Read this article for more
details:

http://www.phpclasses.org/blog/package/14/post/1-Sending-messages-to-many-recipients-via-SMTP-in-PHP.html

-- 

Regards,
Manuel Lemos

Find and post PHP jobs
http://www.phpclasses.org/jobs/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--- End Message ---
--- Begin Message ---
> On 16-Oct-09, at 11:56 PM, George Langley wrote:
>
>> At what point would it be beneficial to subscribe to a mass mail service such as Constant Contact or iContact, to avoid being blacklisted for sending too many e-mails?

On 17-Oct-09, at 12:01 AM, Brian Hazelton wrote:

> I am sorry, but I am confused by your question. I thought that these companies worked with email providers to stay off the blacklists?
-----------
They do - my point exactly. You may be fine for a small mass e-mail campaign (you mentioned 400 but growing). But if you do grow to the point of something getting triggered, and your URL or server, or worse, your ISP, gets black-listed, it may be hard to undo the damage. Am not sure what sort of limits any of these will allow before they start thinking you are spamming. Or how big you have to be to be considered trust-worthy to be allowed to send multiple e-mails. My main ISP (shaw.ca - 100s of 1,000s of customers) has gotten blacklisted a number of times, and suddenly friends would get e-mails to my @shaw address rejected, and had to start using one of my other addresses. A very tiny mail list I belonged to (40 people if even that) refused to send to all of its @shaw members, and I ended up re-registering under a different address because it happened enough times. The company I work for has internal clamps that get triggered if anyone tries to send to more than 50 addresses. They also run a separate mail server from their web site hosting. The site is hosted on Amazon's Cloud - a huge company, and yet every one of their IPs is black-listed:

<http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1371369,00.html>

The result was that even just a single e-mail to confirm registration to the member-only section of the site was getting flagged as spam by hotmail, or rejected outright by some other mail servers. Kinda hard to complete a registration if you never see the e-mail! We ended up relaying through our own mail server, which is fine for a one-at-a-time e-mail. But at over 50,000 customers, I have been strongly recommending the use of a service if they do decide to start any mass e-mail newsletters or campaigns. Anyway, my point is - how important is this part of your business, and would it be worth the $ cost to use a service, rather than building, maintaining and potentially protecting your own? Just a thought.

George

--- End Message ---
--- Begin Message ---
On Sat, Oct 17, 2009 at 01:41:03AM -0400, Brian Hazelton wrote:

> I am in charge of an email newsletter list and making sure it gets sent
> out in time. My problem is I have never done broadcast emailing and
> right now we have 400 subscribers but want to build a system that can
> scale well regardless of the number of subscribers. Right now I use
> mysql to store the email and use phpmailer in a loop to send an email to
> each of the emails in the db, it is already slow with just 400 (takes
> around 10 min; I think that's slow, isn't it?). Has anyone built a
> broadcast email script and is willing to help me?
>

Use PHPList. It's free.

Paul

-- 
Paul M. Foster

--- End Message ---