php-general Digest 10 Aug 2011 01:15:45 -0000 Issue 7437
Topics (messages 314442 through 314458):
Re: pass text variables to next page
314442 by: Jasper Mulder
314443 by: Tamara Temple
314450 by: Tim Streater
314451 by: Richard Quadling
Struggling with MySQL query
314444 by: David Green
314445 by: Dajka Tamas
314446 by: admin.buskirkgraphics.com
314447 by: Alex Nikitin
314448 by: Andrew Ballard
314449 by: Dajka Tamas
314453 by: David Green
314454 by: Ashley Sheridan
314457 by: Alex Nikitin
Problems with interoperability: MCrypt AES PHP x Java
314452 by: robert mena
regex or 'tidy' script to fix broken <? tags and introspection of variables
314455 by: Daevid Vincent
314456 by: Camilo Sperberg
Using function prototypes in code
314458 by: Frank Thynne
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
> Date: Tue, 9 Aug 2011 07:30:47 -0500
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [PHP] pass text variables to next page
>
> Thank you Tamara.
>
> Not sure if I am doing it right. It looks like the last single quote
> is being escaped.
> [SNIP]
> The query:
>
> $sql = "SELECT store_id, store_subject
> FROM stores
> WHERE store_subject = '" . mysql_real_escape_string($_GET['id']."'");
>
>
> Thank you,
>
> Chris
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
The problem is with the mysql_real_escape_string closing parenthesis position,
instead of
($_GET['id']."'");
it should be
($_GET['id'])."'";
HTH,
Jasper
--- End Message ---
--- Begin Message ---
On Aug 9, 2011, at 7:42 AM, Jasper Mulder wrote:
> Date: Tue, 9 Aug 2011 07:30:47 -0500
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [PHP] pass text variables to next page
>
> Thank you Tamara.
>
> Not sure if I am doing it right. It looks like the last single quote
> is being escaped.
> [SNIP]
> The query:
>
> $sql = "SELECT store_id, store_subject
> FROM stores
> WHERE store_subject = '" .
mysql_real_escape_string($_GET['id']."'");
>
>
> Thank you,
>
> Chris
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
The problem is with the mysql_real_escape_string closing parenthesis
position, instead of
($_GET['id']."'");
it should be
($_GET['id'])."'";
Yup, my fault, I put it inside the closing paren to
mysql_real_escape_string. it should be outside.
--- End Message ---
--- Begin Message ---
On 09 Aug 2011 at 13:30, Chris Stinemetz <[email protected]> wrote:
> Not sure if I am doing it right. It looks like the last single quote
> is being escaped.
>
> When I dump the query I get:
>
> SELECT store_id, store_subject FROM stores WHERE store_subject =
> 'Bella Roe 4980 Roe Blvd\'
>
>
> I am thinking maybe I have too many single quotes some where, but I
> can't find it.
>
> echo '<h4><a href="store.php?id=' . $storerow['store_subject'] . '">'
> .. $storerow['store_subject'] . '</a></h4> at ' . date('m-d-Y',
> strtotime($storerow['store_date']));
>
>
> The query:
>
> $sql = "SELECT store_id, store_subject
> FROM stores
> WHERE store_subject = '" . mysql_real_escape_string($_GET['id']."'");
Why don't you:
1) Make this a single line instead of splitting it over three. No need to do
that.
2) Having created $sql, echo it out. That way you could see whether it's
correct or not.
Doing (1) and (2) will make it a damn sight easier to see what you are
*actually* creating.
--
Cheers -- Tim
--- End Message ---
--- Begin Message ---
On 9 August 2011 16:31, Tim Streater <[email protected]> wrote:
> On 09 Aug 2011 at 13:30, Chris Stinemetz <[email protected]> wrote:
>
>> Not sure if I am doing it right. It looks like the last single quote
>> is being escaped.
>>
>> When I dump the query I get:
>>
>> SELECT store_id, store_subject FROM stores WHERE store_subject =
>> 'Bella Roe 4980 Roe Blvd\'
>>
>>
>> I am thinking maybe I have too many single quotes some where, but I
>> can't find it.
>>
>> echo '<h4><a href="store.php?id=' . $storerow['store_subject'] . '">'
>> .. $storerow['store_subject'] . '</a></h4> at ' . date('m-d-Y',
>> strtotime($storerow['store_date']));
>>
>>
>> The query:
>>
>> $sql = "SELECT store_id, store_subject
>> FROM stores
>> WHERE store_subject = '" . mysql_real_escape_string($_GET['id']."'");
>
> Why don't you:
>
> 1) Make this a single line instead of splitting it over three. No need to do
> that.
>
> 2) Having created $sql, echo it out. That way you could see whether it's
> correct or not.
>
> Doing (1) and (2) will make it a damn sight easier to see what you are
> *actually* creating.
>
> --
> Cheers -- Tim
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
A single line of SQL is what things start out as. But it is a language
just like any other and as such, indenting has proven advantages.
--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
--- End Message ---
--- Begin Message ---
Hi
I have a simple from which uses the post method to get to my page script
results.php
in results.php I have
$find=$_POST["find"]; //this works perfectly, echo $find gives me the search
term as entered
I then connect to mysql and select the db successfully.
After that, I have the following:
$find = strtoupper($find);
$find = strip_tags($find);
$find = trim($find);
$data = mysql_query("SELECT * FROM news_items WHERE upper('headline') LIKE
'%$find%'");
while($result = mysql_fetch_array($data)) { //etc
I get no error messages, but no results to work with either. It returns a
"no results" message that I put in further on in the script. A casual look
at the db shows that I should be getting results. I'm pretty sure that the
problem is in the query, but for the life of me I can't see the problem.
Kind regards
David
--- End Message ---
--- Begin Message ---
Why not trying this:
$q = "SELECT * FROM news_items WHERE upper('headline') LIKE '%".$find."%'";
echo $q;
$data = mysql_query($q);
...
And try running the echoed query in phpmyadmin, etc.
Cheers,
Tamas
-----Original Message-----
From: David Green [mailto:[email protected]]
Sent: Tuesday, August 09, 2011 4:14 PM
To: [email protected]
Subject: [PHP] Struggling with MySQL query
Hi
I have a simple from which uses the post method to get to my page script
results.php
in results.php I have
$find=$_POST["find"]; //this works perfectly, echo $find gives me the search
term as entered
I then connect to mysql and select the db successfully.
After that, I have the following:
$find = strtoupper($find);
$find = strip_tags($find);
$find = trim($find);
$data = mysql_query("SELECT * FROM news_items WHERE upper('headline') LIKE
'%$find%'");
while($result = mysql_fetch_array($data)) { //etc
I get no error messages, but no results to work with either. It returns a
"no results" message that I put in further on in the script. A casual look
at the db shows that I should be getting results. I'm pretty sure that the
problem is in the query, but for the life of me I can't see the problem.
Kind regards
David
--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: David Green [mailto:[email protected]]
> Sent: Tuesday, August 09, 2011 10:14 AM
> To: [email protected]
> Subject: [PHP] Struggling with MySQL query
>
> Hi
>
> I have a simple from which uses the post method to get to my page
> script
> results.php
>
> in results.php I have
>
> $find=$_POST["find"]; //this works perfectly, echo $find gives me the
> search
> term as entered
>
> I then connect to mysql and select the db successfully.
>
> After that, I have the following:
>
> $find = strtoupper($find);
> $find = strip_tags($find);
> $find = trim($find);
>
> $data = mysql_query("SELECT * FROM news_items WHERE upper('headline')
> LIKE
> '%$find%'");
>
> while($result = mysql_fetch_array($data)) { //etc
>
> I get no error messages, but no results to work with either. It
> returns a
> "no results" message that I put in further on in the script. A casual
> look
> at the db shows that I should be getting results. I'm pretty sure that
> the
> problem is in the query, but for the life of me I can't see the
> problem.
>
> Kind regards
> David
Suggestion:
$query = "SELECT * FROM news_items WHERE UPPER(headline) LIKE
'%".mysql_real_escape_string($find)."%' ";
$result = mysql_query($query);
//Check your syntax display any errors.
Echo mysql_error();
Echo mysql_errno();
If(mysql_num_rows($result)>= 1) {
While($row = mysql_fetch_assoc($result))
{
print_r($row);
}
}else{
Echo 'nothing to show';
}
--- End Message ---
--- Begin Message ---
It would be easier and faster to convert your string to lower case, than
perform the upper operation on every entry in the database. Also, just to
point it out, your code is very vulnerable to SQL injection.
But the suggestion is right, dump the query to make sure its correct, and
check for mysql errors post query execution. Also num results its helpful :)
On Aug 9, 2011 10:22 AM, "Dajka Tamas" <[email protected]> wrote:
> Why not trying this:
>
> $q = "SELECT * FROM news_items WHERE upper('headline') LIKE
'%".$find."%'";
>
> echo $q;
>
> $data = mysql_query($q);
> ...
>
> And try running the echoed query in phpmyadmin, etc.
>
> Cheers,
>
> Tamas
>
> -----Original Message-----
> From: David Green [mailto:[email protected]]
> Sent: Tuesday, August 09, 2011 4:14 PM
> To: [email protected]
> Subject: [PHP] Struggling with MySQL query
>
> Hi
>
> I have a simple from which uses the post method to get to my page script
> results.php
>
> in results.php I have
>
> $find=$_POST["find"]; //this works perfectly, echo $find gives me the
search
> term as entered
>
> I then connect to mysql and select the db successfully.
>
> After that, I have the following:
>
> $find = strtoupper($find);
> $find = strip_tags($find);
> $find = trim($find);
>
> $data = mysql_query("SELECT * FROM news_items WHERE upper('headline') LIKE
> '%$find%'");
>
> while($result = mysql_fetch_array($data)) { //etc
>
> I get no error messages, but no results to work with either. It returns a
> "no results" message that I put in further on in the script. A casual look
> at the db shows that I should be getting results. I'm pretty sure that the
> problem is in the query, but for the life of me I can't see the problem.
>
> Kind regards
> David
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
On Tue, Aug 9, 2011 at 10:14 AM, David Green <[email protected]> wrote:
[snip]
> $data = mysql_query("SELECT * FROM news_items WHERE upper('headline') LIKE
> '%$find%'");
A couple things to consider.
First, as a few others have pointed out, you probably want to remove
the single quotes around the word headline in your query. The quotes
cause the query to compare the wildcard string '%{$find}%' to the
literal string 'headline' instead of the contents of a column named
headline. That would cause your query to return either no results for
ordinary search terms, or else return the entire table if the value of
$find is the word 'headline' or any sequence of characters within that
word.
You also probably don't need upper(...) function at all. Unless you
used a case-sensitive collation for that column/table (or are storing
it as binary data rather than text) the condition
'My Article Title' LIKE '%article%'
would return a match even though the case is different.
Andrew
--- End Message ---
--- Begin Message ---
Or the query should look like this, if there is a 'headline' field:
UPPER(`headline`) LIKE '%".mysql_real_escape_string(trim(strtoupper($find)))."%'
Cheers,
Tamas
-----Original Message-----
From: Andrew Ballard [mailto:[email protected]]
Sent: Tuesday, August 09, 2011 4:55 PM
To: David Green
Cc: [email protected]
Subject: Re: [PHP] Struggling with MySQL query
On Tue, Aug 9, 2011 at 10:14 AM, David Green <[email protected]> wrote:
[snip]
> $data = mysql_query("SELECT * FROM news_items WHERE upper('headline') LIKE
> '%$find%'");
A couple things to consider.
First, as a few others have pointed out, you probably want to remove
the single quotes around the word headline in your query. The quotes
cause the query to compare the wildcard string '%{$find}%' to the
literal string 'headline' instead of the contents of a column named
headline. That would cause your query to return either no results for
ordinary search terms, or else return the entire table if the value of
$find is the word 'headline' or any sequence of characters within that
word.
You also probably don't need upper(...) function at all. Unless you
used a case-sensitive collation for that column/table (or are storing
it as binary data rather than text) the condition
'My Article Title' LIKE '%article%'
would return a match even though the case is different.
Andrew
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
Thank you all for the various suggestions.
It now works with this:
$find = strip_tags($find);
$find = trim($find);
$data = mysql_query("SELECT * FROM news_items WHERE headline LIKE
'%$find%'");
Another "newb" question: does strip_tags() help at all in preventing SQL
injection attacks?
Kind regards
David
--- End Message ---
--- Begin Message ---
David Green <[email protected]> wrote:
>Thank you all for the various suggestions.
>
>It now works with this:
>
>$find = strip_tags($find);
>$find = trim($find);
>
>$data = mysql_query("SELECT * FROM news_items WHERE headline LIKE
>'%$find%'");
>
>Another "newb" question: does strip_tags() help at all in preventing
>SQL
>injection attacks?
>
>Kind regards
>David
strip_tags() doesn't prevent against sql injection. At best, it can protect
slightly against xss attacks. Use mysql_real_escape_string() for sql injection.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
--- End Message ---
--- Begin Message ---
Sorry but escaping doesnt protect against mysql injection either, it is not
a good answer, nor does it really work, its an effort, yes, buuut in unicode
world we pretty much have the ability to override what it means to be a
character through best guess matching, etc, iiit just doesnt quite work;
either pass data and code on different paths (i.e. prepared statement) or
set up a b64encrypt and decrypt modules in mysql, and wrap your vars in that
(i.e. "select * from somewhere were `foo`=b64d('".{$b64_foo}."') ... etc")
Please refer any question about why it escaping doesnt work to a talk that
Dan Kaminsky gave at the HOPE conference, i'd rather not have to restate,
and it's an excellent talk...
On Aug 9, 2011 4:21 PM, "Ashley Sheridan" <[email protected]> wrote:
>
>
> David Green <[email protected]> wrote:
>
>>Thank you all for the various suggestions.
>>
>>It now works with this:
>>
>>$find = strip_tags($find);
>>$find = trim($find);
>>
>>$data = mysql_query("SELECT * FROM news_items WHERE headline LIKE
>>'%$find%'");
>>
>>Another "newb" question: does strip_tags() help at all in preventing
>>SQL
>>injection attacks?
>>
>>Kind regards
>>David
>
> strip_tags() doesn't prevent against sql injection. At best, it can
protect slightly against xss attacks. Use mysql_real_escape_string() for sql
injection.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
Hi,
I am having problems while trying to decrypt an encrypted string (generated
from a java system) in PHP.
To take external factors out of the way I decided to make them work first in
my local system.
So I've created a sample encrypt/decrypt from PHP (using mcrypt's extension)
and the java code found at
http://java.sun.com/developer/technicalArticles/Security/AES/AES_v1.html.
I've added a System.out.println("KEY: " + asHex(raw));
to get the key used in the java and set the same in PHP. There is no
mention in Java but since I didn't see a initialization vector I assume we
are use ECB mode.
Unfortunately the same string /key produces different encrypted values.
--- End Message ---
--- Begin Message ---
I've inherited a bunch of code and the previous developers have done two
things that are really bugging me and I want to clean up.
[a] They use short-tag "<?" instead of "<?php". Anyone have some good
search/replace style Regex (ideally for ZendStudio/Eclipse) that will run
through all the files in the project and fix those? There are lots of cases
to account for such as a space after the ? or nospace or a newline or even
other text (which are all valid cases).
[b] The other thing they do use use register_globals in the php.ini file. Is
there a good way to see all the variables that a page uses? Something I can
print at the bottom of the page on my dev box - ideally with enough
introspection to know where that variable originated from, and then I can
start converting things to $_GET, $_POST, $_SESSION, $_COOKIE, etc.
--- End Message ---
--- Begin Message ---
For the first one, it may be that zend studio does have an internal script to
do the job. Check the general preferences tab, template stuff. Please note that
<?= is also valid and should be replaced to "<?php echo" instead. Also the
short if version "1 == 1 ? True : false" should be replaced if i'm correct.
Second question: zend studio displays all variables used by a script by
clicking the arrow next to te file name. If you want to display it in runtime,
you can:
print_r($GLOBALS);
Sent from my iPhone 5 Beta [Confidential use only]
On 09-08-2011, at 19:40, "Daevid Vincent" <[email protected]> wrote:
> I've inherited a bunch of code and the previous developers have done two
> things that are really bugging me and I want to clean up.
>
> [a] They use short-tag "<?" instead of "<?php". Anyone have some good
> search/replace style Regex (ideally for ZendStudio/Eclipse) that will run
> through all the files in the project and fix those? There are lots of cases
> to account for such as a space after the ? or nospace or a newline or even
> other text (which are all valid cases).
>
> [b] The other thing they do use use register_globals in the php.ini file. Is
> there a good way to see all the variables that a page uses? Something I can
> print at the bottom of the page on my dev box - ideally with enough
> introspection to know where that variable originated from, and then I can
> start converting things to $_GET, $_POST, $_SESSION, $_COOKIE, etc.
>
--- End Message ---
--- Begin Message ---
In the interest of clarity and maintainability I would like to be able
to write code that makes it clear what kind of arguments a function
expects and what it returns.
This is what I tried:
function integer int_func(string $s) {
// does something like, say, converting "five" to 5
}
There are two problems:
1 The appearance of a type name before the function name is treated as
a syntax error
2 Even if I forget about declaring the return type and code it instead
as
function int_func(string $s) {
...
}
I get a run-time error when I call the function with a string. (eg
$var = int_func("five");) The error message says"Catchable fatal
error: Argument 1 passed to int_func() must be an instance of string,
string given".
It seems that basic data types cannot be specified in ths way although
(intstances of) classes can. I have successfully used the technique to
catch run-time errors of wrong object types when testing, but am
surprised that I can't use it to trap unexpected basic types - or at
least to document what is expected.
To confuse me a bit further, I can't find a definitive list of the
basic type names. For example, is it "integer" or "int"?
--- End Message ---
