php-general Digest 18 Oct 2009 19:21:08 -0000 Issue 6397
Topics (messages 299026 through 299034):
Re: Sanitizing potential MySQL strings with no database connection
299026 by: Dotan Cohen
299027 by: Kim Madsen
299034 by: Dotan Cohen
Using setters/getters with array of objects
299028 by: mbneto
299029 by: Andy Shellam (Mailing Lists)
299030 by: Tommy Pham
ip-to-country
299031 by: SED
299032 by: Michael Shadle
299033 by: Per Jessen
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
> I assumed the reason you wanted to do escape the string so that you could
> perform DB operations.
Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a different database or may not connect to a database
at all, so I cannot rely on there existing a database connection. The
workaround would be to include this particular function in a separate
include file to only be included when a database connection is
present, but I would like to find a better way as I find it most
maintainable to have all my reused functions in a single file.
To give you an idea, the file contains these functions:
function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)
Not all functions are used in all pages, however, this file of
reusable functions is included in all of them. Only the clean_mysql
function gives me trouble because I cannot ensure a database
connection.
> In your select/insert/update class(es)/function(s), you could just use
> prepare statement and bind param. Thus, no need
> to escape the string to protect against injection. It's also faster if by
> chance you're doing several updates/inserts due
> to the nature of prepare statement. You could use a call back function in
> case you have a varying size array of
> parameters, making your code more adaptable and somewhat smaller. I
> generally prefer using prepare statement +
> bind param over escape string + query for speed and flexibility.
>
> http://www.php.net/manual/en/mysqli.prepare.php
> http://www.php.net/manual/en/mysqli-stmt.bind-param.php
>
> have good examples.
>
Thanks. Going through those pages, I see that it is not what I need.
It is good to know, though.
--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
--- End Message ---
--- Begin Message ---
Dotan Cohen wrote on 2009-10-18 10:52:
> > I assumed the reason you wanted to do escape the string so that you could
> > perform DB operations.
> Yes, that is my intention. However, the function is found in an
> include file of functions used in many different scripts, each of
> which connect to a different database or may not connect to a database
> at all, so I cannot rely on there existing a database connection.
test if you have a db connection in the function, if not, skip MRES and
other mysql_ functions?
In my opinion it's bad code to use a mysql_* function on a Oracle db
(and vice versa) or on a string for that matter. It lies in the naming
of the function what it's designed to do and work on. If you want a
general function to sanitize an input, make your own function
sanitize_input() based on ereg_* and/or str_replace and the likes.
--
Kind regards
Kim Emax
--- End Message ---
--- Begin Message ---
> test if you have a db connection in the function, if not, skip MRES and
> other mysql_ functions?
>
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645
> In my opinion it's bad code to use a mysql_* function on a Oracle db (and
> vice versa) or on a string for that matter. It lies in the naming of the
> function what it's designed to do and work on. If you want a general
> function to sanitize an input, make your own function sanitize_input() based
> on ereg_* and/or str_replace and the likes.
>
All the connections are to MySQL databases, but to _different_ MySQL
databases on the same host.
--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
--- End Message ---
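The prepare-and-bind approach suggested in this thread, as an added example that is not code from any of the posters: the helper receives the connection as a parameter, so the shared include file loads without any database connection. SQLite in memory stands in for MySQL so the script runs offline; the table and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; users and find_user_by_name() are hypothetical names.

// Lives in the shared include file. The connection is an argument, so
// including the file never requires a database connection to exist.
function find_user_by_name(PDO $db, $name)
{
    // The SQL text is fixed; $name travels separately as a bound parameter
    // and is never spliced into the statement.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample input: a plain name, a name with a quote, and a
// string shaped like an injection attempt.
$samples = array('alice', "O'Brien", "x' OR '1'='1");
$insert = $db->prepare('INSERT INTO users (name) VALUES (?)');
foreach ($samples as $name) {
    $insert->execute(array($name));
}

// Each lookup matches only the row that literally holds that string.
foreach ($samples as $name) {
    $rows = find_user_by_name($db, $name);
    printf("%-15s -> %d row(s)\n", $name, count($rows));
}
```

Against MySQL only the PDO connection passed in changes; the helper and the calling code stay the same.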
--- Begin Message ---
Hi,
I have two classes User and Email where one User can have many Emails so
I've done like this
    class Email
    {
        protected $_email;
        public function __get($name)
        {
            $property = '_' . $name;
            return $this->$property;
        }
        public function __set($name, $value)
        {
            $property = '_' . $name;
            $this->$property = $value;
        }
    }
    class User
    {
        protected $_name;
        protected $_emails = array();
        public function __get($name)
        {
            $property = '_' . $name;
            return $this->$property;
        }
        public function __set($name, $value)
        {
            $property = '_' . $name;
            $this->$property = $value;
        }
    }
So I'd like to
    $u = new User();
    $u->name = 'xxxx';
    $e = new Email();
    $e->email = '[email protected]';
    $u->emails[] = $e;
But that does not work. I've managed to achieve similar result using a
different setter in User
    public function __set($name, $value)
    {
        $property = '_' . $name;
        switch($name)
        {
            case 'emails':
                array_push($this->$property, $value);
                break;
            default:
                $this->$property = $value;
        }
    }
And then
    $u = new User();
    $u->name = 'xxxx';
    $e = new Email();
    $e->email = '[email protected]';
    $u->emails = $e;
But this can confuse the programmer. Any ideas of why it is not working?
--- End Message ---
--- Begin Message ---
Hi,
> $u->emails[] = $e;
I would hazard a guess because $u->emails isn't a concrete object
(whereas $u->_emails is, but is private.) It's sort of a virtual
reference - PHP has no way of knowing that $u->emails actually
translates into _emails which is an array, if you see what I mean
(it's difficult to explain.)
> But that does not work. I've managed to achieve similar result using a
> different setter in User
> public function __set($name, $value)
> {
>     $property = '_' . $name;
>     switch($name)
>     {
>         case 'emails':
>             array_push($this->$property, $value);
>             break;
>         default:
>             $this->$property = $value;
>     }
> }
You could also have done:
    if (is_array($this->$property))
    {
        array_push($this->$property, $value);
    }
    else
    {
        $this->$property = $value;
    }
which would handle any array property, not just the e-mails property.
If this was me, I would probably create a concrete method, called
"addEmail" which would do $this->_emails[] = $value, but allow a
programmer to call $user->emails to get the e-mails (not set.)
--- End Message ---
--- Begin Message ---
----- Original Message ----
> From: mbneto <[email protected]>
> To: [email protected]
> Sent: Sun, October 18, 2009 8:31:53 AM
> Subject: [PHP] Using setters/getters with array of objects
>
> Hi,
>
> I have two classes User and Email where one User can have many Emails so
> I've done like this
>
> class Email
> {
> protected $_email;
>
> public function __get($name)
> {
> $property = '_' . $name;
> return $this->$property;
> }
>
> public function __set($name, $value)
> {
> $property = '_' . $name;
> $this->$property = $value;
> }
> }
>
>
> class User
> {
> protected $_name;
> protected $_emails = array();
>
> public function __get($name)
> {
> $property = '_' . $name;
> return $this->$property;
> }
>
> public function __set($name, $value)
> {
> $property = '_' . $name;
> $this->$property = $value;
> }
>
> }
>
> So I'd like to
>
> $u = new User();
> $u->name = 'xxxx';
>
> $e = new Email();
> $e->email = '[email protected]';
>
> $u->emails[] = $e;
>
> But that does not work. I've managed to achieve similar result using a
> different setter in User
Of course it doesn't work because you didn't have 'set' method for the
protected $_emails.
http://www.php.net/manual/en/language.oop5.visibility.php
>
> public function __set($name, $value)
> {
> $property = '_' . $name;
>
> switch($name)
> {
> case 'emails':
> array_push($this->$property, $value);
> break;
>
> default:
> $this->$property = $value;
> }
> }
>
> And then
>
> $u = new User();
> $u->name = 'xxxx';
>
> $e = new Email();
> $e->email = '[email protected]';
>
> $u->emails = $e;
>
> But this can confuse the programmer. Any ideas of why it is not working?
I suggest you don't use magic methods as it's too ambiguous and hard to expand
your code later. Your 2 classes could be summarized as 1 class below:
    class User
    {
        protected $_name;
        protected $_emails = array();
        public function getName()
        {
            return $this->_name;
        }
        public function setName($value)
        {
            $this->_name = $value;
        }
        // Return the whole list; $_emails is a property, not a method.
        public function getEmails() {
            return $this->_emails;
        }
        // Replace the whole list at once.
        public function setEmails($arrayList) {
            $this->_emails = $arrayList;
        }
        // Store one address under a caller-chosen key.
        public function setEmail($name, $value) {
            $this->_emails[$name] = $value;
        }
        // Look up one address by key; null when the key is unknown.
        public function getEmail($name) {
            if (isset($this->_emails[$name]))
                return $this->_emails[$name];
            else
                return null;
        }
    }
    $u = new User();
    $u->setName('jon doe');
    $u->setEmail('email1', '[email protected]');
Regards,
Tommy
--- End Message ---
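The behaviour discussed in this thread, as an added example that is not code from any of the posters: `__get` hands back the array by value, so `$u->emails[] = $e` appends to a temporary copy, and a concrete `addEmail()` method avoids that. The allowlists on the magic methods are an addition made here, and the Email class is reduced to a plain value holder with constructed addresses.

```php
<?php
// Added example, not code from the thread; addresses are constructed.
class Email
{
    public $email;
    public function __construct($email) { $this->email = $email; }
}

class User
{
    protected $_name;
    protected $_emails = array();

    // Only these names are reachable through the magic methods, so callers
    // cannot read or overwrite arbitrary protected properties by name.
    private static $readable = array('name', 'emails');
    private static $writable = array('name');

    public function __get($name)
    {
        if (!in_array($name, self::$readable, true)) {
            throw new OutOfRangeException("No readable property '$name'");
        }
        // Returned by value: $u->emails[] = $e would modify a copy only.
        return $this->{'_' . $name};
    }

    public function __set($name, $value)
    {
        if (!in_array($name, self::$writable, true)) {
            throw new OutOfRangeException("No writable property '$name'");
        }
        $this->{'_' . $name} = $value;
    }

    // Concrete method for appending, as suggested in the thread.
    public function addEmail(Email $email)
    {
        $this->_emails[] = $email;
    }
}

$u = new User();
$u->name = 'xxxx';
$u->addEmail(new Email('first@example.com'));
$u->addEmail(new Email('second@example.com'));
printf("%s has %d e-mails\n", $u->name, count($u->emails));
```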
--- Begin Message ---
Hi,
How can I access an index for IP to a country (or a more detailed location)?
I have not yet found a function for that in PHP nor a free to use website
that offers a remote search.
Perhaps, there is another solution - any ideas?
Regards,
Summi
--- End Message ---
--- Begin Message ---
http://pecl.php.net/package/geoip however I tried a few IPs once and
it was "unknowns"
On Sun, Oct 18, 2009 at 12:03 PM, SED <[email protected]> wrote:
> Hi,
>
> How can I access an index for IP to a country (or a more detailed location)?
> I have not yet found a function for that in PHP nor a free to use website
> that offers a remote search.
>
> Perhaps, there is another solution - any ideas?
>
> Regards,
> Summi
--- End Message ---
--- Begin Message ---
SED wrote:
> Hi,
>
> How can I access an index for IP to a country (or a more detailed
> location)? I have not yet found a function for that in PHP nor a free
> to use website that offers a remote search.
>
> Perhaps, there is another solution - any ideas?
DNS lookup - see http://countries.nerd.dk
/Per
--
Per Jessen, Zürich (4.9°C)
--- End Message ---