RE: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-11 Thread Daevid Vincent
Yes, you are correct. In a cruel, ironic twist, that actually bit me in
the ass, as it turns out we tried to import some HTML output from MS
Word, which adds all kinds of crazy XHTML comment tag thingys that look
like:

<!--[if gte mso 9]>
<!--[if !mso]>
<![endif]-->
Etc.

*sigh*
 

 -Original Message-
 From: Yves Goergen [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, June 09, 2007 4:34 AM
 To: Daevid Vincent
 Cc: 'B. Keith Murphy'; 'MySQL General'
 Subject: Re: MySQL Magazine - Issue 1 available NOW
 
 On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
  Thanks for the magazine. I already incorporated a little extra SQL
  injection checking into my db.inc.php wrapper...
  
  //[dv] added to remove all comments (which may help with SQL injections
  // as well).
  $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
  $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
  $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
 
 I'm not aware of the context, but I guess you can imagine 
 that this will
 corrupt any SQL queries that contain # or -- or /* ... 
 */ inside a
 string. So I would highly recommend not using those.
 
 -- 
 Yves Goergen LonelyPixel [EMAIL PROTECTED]
 Visit my web laboratory at http://beta.unclassified.de
 


-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]



Re: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-11 Thread Gordan Bobic
Oh dear... Without getting into any religious arguments, if you have to
use it, PHP already provides a perfectly good interface for preventing
any SQL injections - ever. Use MySQLi and bound parameters. And if
somebody manages to invent some quasi-valid reason for not using MySQLi
(e.g. version of PHP used), then there is always mysql_escape_string() /
mysql_real_escape_string().

I don't understand this never-ending fascination with re-inventing a
square wheel for an application for which the standard round type has
already been kindly provided since year dot.

/RANT

Gordan

Daevid Vincent wrote:
 Yes, you are correct. In a cruel, ironic twist, that actually bit me in
 the ass, as it turns out we tried to import some HTML output from MS
 Word, which adds all kinds of crazy XHTML comment tag thingys that look
 like:
 
 <!--[if gte mso 9]>
 <!--[if !mso]>
 <![endif]-->
 Etc.
 
 *sigh*
  
 
 -Original Message-
 From: Yves Goergen [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, June 09, 2007 4:34 AM
 To: Daevid Vincent
 Cc: 'B. Keith Murphy'; 'MySQL General'
 Subject: Re: MySQL Magazine - Issue 1 available NOW

 On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
 Thanks for the magazine. I already incorporated a little extra SQL
 injection checking into my db.inc.php wrapper...

 //[dv] added to remove all comments (which may help with SQL injections
 // as well).
 $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
 I'm not aware of the context, but I guess you can imagine 
 that this will
 corrupt any SQL queries that contain # or -- or /* ... 
 */ inside a
 string. So I would highly recommend not using those.

 -- 
 Yves Goergen LonelyPixel [EMAIL PROTECTED]
 Visit my web laboratory at http://beta.unclassified.de

 
 





Re: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-11 Thread Kevin Hunter

At 5:53p -0400 on 11 Jun 2007, Gordan Bobic wrote:
I don't understand this never-ending fascination with re-inventing  
a square wheel for an application for which the standard round type  
has already been kindly provided since year dot.


I imagine the reason for this never-ending fascination ... is along  
the lines of education.  To the uninitiated, the idea of binding  
variables seems weird and unintuitive.  What?!  I don't want them to  
be bound!  They're variables!  They're supposed to change.  Okay, so  
it's a slight exaggeration, but I think the point is still good.  A  
lot of folks pick up MySQL by fiddling around in their spare time.   
Unless someone (among my friends, it's usually me) enlightens them to  
better ways of doing things, and reasons for doing something in a  
more abstract, not-always-immediately-intuitive way, folks just don't  
know any better.  In that sense, this very discussion is /exactly/  
what the magazine article should be creating.


For those who don't know, binding is a process that does two things:

1. Lets the database pre-parse a query

	This can give enormous boosts in speed because a large amount of the  
time involved in getting information from the database is spent in  
parsing and planning a query.  If you're planning to do the same  
query many times over with only one or two different parameters, why  
not only parse and plan it once, and then aggregate the cost over /all/
the executions?


2. Lets the database do any escaping necessary.

	The database designers ostensibly know best what characters need to  
be escaped, so let them do it.  Besides, no sense in having multiple  
definitions around, or reinventing a wheel, or wasting your time  
doing something mundane.


In lieu of an example, I'll just point to the PHP site:

http://us.php.net/manual/en/function.mysqli-prepare.php

Kevin

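Added example (not from the thread, and not Daevid's db.inc.php): the three preg_replace() patterns posted earlier, ported to Python's re module, run over a constructed INSERT whose value is an MS Word conditional comment like the ones quoted above; the same value is then stored through a bound parameter, the approach Kevin and Gordan recommend. sqlite3 stands in for MySQLi so the block runs offline; the table and column names are made up.

```python
"""Why regex comment-stripping corrupts string literals, and why bound
parameters do not (added example; sqlite3 stands in for MySQLi)."""
import re
import sqlite3

# The three preg_replace() patterns from the thread, ported to Python's re
# module (PCRE's 's' flag == re.DOTALL). They ignore quoting context entirely.
COMMENT_PATTERNS = [
    re.compile(r"#.*?[\r\n]", re.DOTALL),
    re.compile(r"--.*?[\r\n]", re.DOTALL),
    re.compile(r"/\*(.*?)\*/", re.DOTALL),
]

def strip_comments_naively(sql: str) -> str:
    """Replicates the wrapper's cleanup step from the thread."""
    for pat in COMMENT_PATTERNS:
        sql = pat.sub("", sql)
    return sql

# Constructed sample: HTML pasted from MS Word, as described in the thread.
WORD_HTML = "<!--[if gte mso 9]><xml>x</xml><![endif]--><p>Hello</p>\n"

def naive_insert(body: str) -> str:
    """Build the INSERT by string concatenation, then 'clean' it.
    The '--' inside the literal is eaten up to the next newline, so the
    stored value would become '<!' while the statement still parses."""
    stmt = "INSERT INTO pages (body) VALUES ('%s');\n" % body.replace("'", "''")
    return strip_comments_naively(stmt)

def bound_insert_roundtrip(body: str) -> str:
    """Prepared statement with a bound parameter (hypothetical table
    'pages'): the value is never parsed as SQL, so comment-like text
    survives byte for byte, and the statement is parsed once for many
    executions, which is Kevin's point 1."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    stmt = "INSERT INTO pages (body) VALUES (?)"          # parsed once...
    con.executemany(stmt, [(body,), (body + " again",)])  # ...executed twice
    (stored,) = con.execute("SELECT body FROM pages WHERE id = 1").fetchone()
    con.close()
    return stored

if __name__ == "__main__":
    print(repr(naive_insert(WORD_HTML)))           # value truncated to '<!'
    print(repr(bound_insert_roundtrip(WORD_HTML)))  # value intact
```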



Re: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-09 Thread Yves Goergen
On 04.06.2007 23:44 CE(S)T, Daevid Vincent wrote:
 Thanks for the magazine. I already incorporated a little extra SQL
 injection checking into my db.inc.php wrapper...
 
 //[dv] added to remove all comments (which may help with SQL injections
 // as well).
 $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);

I'm not aware of the context, but I guess you can imagine that this will
corrupt any SQL queries that contain # or -- or /* ... */ inside a
string. So I would highly recommend not using those.

-- 
Yves Goergen LonelyPixel [EMAIL PROTECTED]
Visit my web laboratory at http://beta.unclassified.de




Re: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-07 Thread Jon Ribbens
On Wed, Jun 06, 2007 at 05:56:44PM -0700, Peter Rosenthal wrote:
 On 04/06/07, Jon Ribbens [EMAIL PROTECTED] wrote:
 Um, what? Both that and the methods described in the magazine are
 completely wrong. You use mysql_real_escape_string(), that's it.
 
 I would disagree on the use of mysql_real_escape_string(). The use of
 placeholders is much safer from a maintenance and 'oops look I typoed it'
 perspective.

That's not a disagreement - you're just talking about a different
abstraction layer. Behind the scenes your 'placeholder' API will
be using mysql_real_escape_string().




Re: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-06 Thread Peter Rosenthal

I would disagree on the use of mysql_real_escape_string(). The use of
placeholders is much safer from a maintenance and 'oops look I typoed it'
perspective.

On 04/06/07, Jon Ribbens [EMAIL PROTECTED] wrote:


On Mon, Jun 04, 2007 at 02:44:25PM -0700, Daevid Vincent wrote:
 Thanks for the magazine. I already incorporated a little extra SQL
 injection checking into my db.inc.php wrapper...

 //[dv] added to remove all comments (which may help with SQL injections
 // as well).
 $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);

Um, what? Both that and the methods described in the magazine are
completely wrong. You use mysql_real_escape_string(), that's it.





MySQL Magazine - Issue 1 available NOW!!!!

2007-06-04 Thread B. Keith Murphy

Everyone,

I have just uploaded the first issue MySQL Magazine to 
http://paragon-cs.com/mag/issue1.pdf


Please take a look at it.  There is a great deal of information here and 
I think it is worth some time.  


Feedback is always welcome.

thanks,

Keith Murphy




RE: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-04 Thread Daevid Vincent
Thanks for the magazine. I already incorporated a little extra SQL
injection checking into my db.inc.php wrapper...

//[dv] added to remove all comments (which may help with SQL injections
// as well).
$sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
$sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
$sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);

Keep up the great work!

d

 -Original Message-
 From: B. Keith Murphy [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 04, 2007 9:56 AM
 To: MySQL General
 Subject: MySQL Magazine - Issue 1 available NOW
 
 Everyone,
 
 I have just uploaded the first issue MySQL Magazine to 
 http://paragon-cs.com/mag/issue1.pdf
 
 Please take a look at it.  There is a great deal of 
 information here and 
 I think it is worth some time.  
 
 Feedback is always welcome.
 
 thanks,
 
 Keith Murphy
 
 
 





Re: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-04 Thread Néstor

Can you explain what each of those lines do?

Thanks,

Nestor

PS
Great work on the mysql article

On 6/4/07, Daevid Vincent [EMAIL PROTECTED] wrote:


Thanks for the magazine. I already incorporated a little extra SQL
injection checking into my db.inc.php wrapper...

//[dv] added to remove all comments (which may help with SQL injections
// as well).
$sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
$sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
$sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);

Keep up the great work!

d

 -Original Message-
 From: B. Keith Murphy [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 04, 2007 9:56 AM
 To: MySQL General
 Subject: MySQL Magazine - Issue 1 available NOW

 Everyone,

 I have just uploaded the first issue MySQL Magazine to
 http://paragon-cs.com/mag/issue1.pdf

 Please take a look at it.  There is a great deal of
 information here and
 I think it is worth some time.

 Feedback is always welcome.

 thanks,

 Keith Murphy









RE: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-04 Thread Daevid Vincent
Well, they're PHP syntax to go along with the article about SQL
injection.

According to this page: 
http://dev.mysql.com/doc/refman/5.0/en/comments.html

There are basically three styles of comments.

I just have a wrapper class for all my SQL queries (db.inc.php) and I
added a little cleaning code that strips out anything that looks like
comments. It could be argued that since they're comments already, mySQL
shouldn't parse them, but just to be safe.

The real issue to look for is the ; (semicolon). I have another
routine that looks for ; and doesn't execute if it finds one outside of
" or ' mark pairs.

d


 -Original Message-
 From: Néstor [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 04, 2007 3:01 PM
 To: MySQL General
 Subject: Re: MySQL Magazine - Issue 1 available NOW
 
 Can you explain what each of those lines do?
 
 Thanks,
 
 Nestor
 
 PS
 Great work on the mysql article
 
 On 6/4/07, Daevid Vincent [EMAIL PROTECTED] wrote:
 
  Thanks for the magazine. I already incorporated a little extra SQL
  injection checking into my db.inc.php wrapper...
 
  //[dv] added to remove all comments (which may help with SQL injections
  // as well).
  $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
  $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
  $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);
 
  Keep up the great work!
 
  d
 
   -Original Message-
   From: B. Keith Murphy [mailto:[EMAIL PROTECTED]
   Sent: Monday, June 04, 2007 9:56 AM
   To: MySQL General
   Subject: MySQL Magazine - Issue 1 available NOW
  
   Everyone,
  
   I have just uploaded the first issue MySQL Magazine to
   http://paragon-cs.com/mag/issue1.pdf
  
   Please take a look at it.  There is a great deal of
   information here and
   I think it is worth some time.
  
   Feedback is always welcome.
  
   thanks,
  
   Keith Murphy
  
  
  
 
 
 
 
 





Re: MySQL Magazine - Issue 1 available NOW!!!!

2007-06-04 Thread Jon Ribbens
On Mon, Jun 04, 2007 at 02:44:25PM -0700, Daevid Vincent wrote:
 Thanks for the magazine. I already incorporated a little extra SQL
 injection checking into my db.inc.php wrapper...
 
 //[dv] added to remove all comments (which may help with SQL injections
 // as well).
 $sql = preg_replace("/#.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("/--.*?[\r\n]/s", '', $sql);
 $sql = preg_replace("@/\*(.*?)\*/@s", '', $sql);

Um, what? Both that and the methods described in the magazine are
completely wrong. You use mysql_real_escape_string(), that's it.
