Re: [PHP-DB] mysql - image storing
Martin Norland wrote:
> Jochem Maas wrote:
> > I was always under the impression that single quotes (assuming you are
> > delineating your args with single quotes) should (officially) be escaped
> > with another single quote - although backslash also works:
> >
> > "INSERT INTO status (hunger) values ('I''ve just eaten.');"
> >
> > ...a lot of really old code of mine is full of stuff like:
> >
> > $var = str_replace("'","''",$var);
> >
> > but maybe that's just MTAM(tm) working for me - (that's a reference to a
> > bit of humour from another thread btw - MTAM is not a technology :-)
>
> AFAIK - for Sybase and CSV yes, otherwise no (in general). Maybe it's a
> compatibility option?
>
> Still, there are perfectly valid reasons to have multiple ''s. (why,
> there's one now - sort of...)

ok - cheers, just for the record
If I wanted to insert your sentence:

'Still, there are perfectly valid reasons to have multiple s'

:-)

> Cheers,

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] mysql - image storing
Simon Rees wrote:
> On Tuesday 18 January 2005 19:18, Jochem Maas wrote:
> > I was always under the impression that single quotes (assuming you are
> > delineating your args with single quotes) should (officially) be escaped
> > with another single quote - although backslash also works:
>
> I think it depends on the database that you are using. Oracle and MS-SQL
> both require quotes to be escaped with another quote, MySQL uses
> backslashes. I seem to recall that two quotes is the standard...
> Of course it is even better to use bind vars and then you don't need to
> escape the quotes (or worry about sql injection attacks)...

did I mention I have been using firebird and the php-extension for the last
year and a half ;-)

> cheers
> Simon
Re: [PHP-DB] mysql - image storing
Jochem Maas wrote:
> I was always under the impression that single quotes (assuming you are
> delineating your args with single quotes) should (officially) be escaped
> with another single quote - although backslash also works:
>
> "INSERT INTO status (hunger) values ('I''ve just eaten.');"
>
> ...a lot of really old code of mine is full of stuff like:
>
> $var = str_replace("'","''",$var);
>
> but maybe that's just MTAM(tm) working for me - (that's a reference to a
> bit of humour from another thread btw - MTAM is not a technology :-)

AFAIK - for Sybase and CSV yes, otherwise no (in general). Maybe it's a
compatibility option?

Still, there are perfectly valid reasons to have multiple ''s. (why,
there's one now - sort of...)

Cheers,
--
- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent
those of St. Jude Children's Research Hospital.
Re: [PHP-DB] mysql - image storing
On Tuesday 18 January 2005 19:18, Jochem Maas wrote:
> I was always under the impression that single quotes (assuming you are
> delineating your args with single quotes) should (officially) be escaped
> with another single quote - although backslash also works:

I think it depends on the database that you are using. Oracle and MS-SQL
both require quotes to be escaped with another quote, MySQL uses
backslashes. I seem to recall that two quotes is the standard...
Of course it is even better to use bind vars and then you don't need to
escape the quotes (or worry about sql injection attacks)...

cheers
Simon
--
~~ Simon Rees | [EMAIL PROTECTED] | ORA-03113: end-of-file on communication channel ~~
Re: [PHP-DB] mysql - image storing
Joseph Crawford wrote:
> Jason, can you explain why stripslashes should not be used on data
> taken from the db? when you store data in the db i thought it was good

although 'slashing' text works pretty much all of the time (possibly the
guys using exotic encodings all day will say different :-) but the data you
are storing in the DB is binary - stripping and slashing will probably do
weird things to the data: try creating some image data and run it thru
add_slashes() and stripslashes() and compare the output of each with the
original.

> practice to addslashes, when you retrieve from the db, you will need

why is it good practice? (anyone)? sounds like pure overhead to me.
you could look up 'magic quotes' in relation to this, it's often where the
trouble starts!

on a side note: - me I use the ibase/firebird php extension which has
parameterized queries - so I can say goodbye to mysql_escape_arg() (or
whatever the damn function is called) and having to hand craft lots of arg
checks - but alas you may not have access to a firebird DB.

> to use stripslashes to remove the extra \
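The comparison suggested in the message above, as an added example that is not part of the original thread: it stores constructed binary data through a bound parameter and compares what comes back with and without stripslashes(). It assumes PHP's pdo_sqlite extension and an in-memory SQLite database standing in for the MySQL and Firebird setups discussed; store_and_fetch() and report() are names made up for the example.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension;
// table and column names follow the original post, the bytes are constructed.

// Constructed stand-in for image data: PNG signature followed by every byte
// value 0-255, so it contains NUL, both quote characters and a backslash.
$original = "\x89PNG\r\n\x1a\n" . implode('', array_map('chr', range(0, 255)));

// Store via a bound parameter and read the row back. No escaping function is
// applied on the way in or on the way out.
function store_and_fetch(PDO $db, string $bytes): string
{
    $ins = $db->prepare('INSERT INTO images_binaires (donnees_binaires) VALUES (:d)');
    $ins->bindValue(':d', $bytes, PDO::PARAM_LOB);
    $ins->execute();

    $sel = $db->prepare('SELECT donnees_binaires FROM images_binaires WHERE id = :id');
    $sel->bindValue(':id', (int) $db->lastInsertId(), PDO::PARAM_INT);
    $sel->execute();
    $value = $sel->fetchColumn();
    // Some PDO drivers hand LOB columns back as streams; normalise to a string.
    return is_resource($value) ? stream_get_contents($value) : (string) $value;
}

// Print whether $candidate is byte-identical to $original, with size and hash.
function report(string $label, string $candidate, string $original): bool
{
    $same = ($candidate === $original);
    printf(
        "%-36s %s (%d bytes, sha1 %s)\n",
        $label,
        $same ? 'identical' : 'DIFFERENT',
        strlen($candidate),
        substr(sha1($candidate), 0, 12)
    );
    return $same;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images_binaires (id INTEGER PRIMARY KEY, donnees_binaires BLOB)');

$fetched = store_and_fetch($db, $original);

report('original', $original, $original);
report('fetched via bound parameter', $fetched, $original);
// What the retrieval script in the thread does to the fetched bytes:
report('stripslashes(fetched)', stripslashes($fetched), $original);
// addslashes()/stripslashes() only cancel out when applied as a pair in PHP:
report('stripslashes(addslashes(original))', stripslashes(addslashes($original)), $original);
```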
RE: [PHP-DB] mysql - image storing
On 18 January 2005 17:11, Joseph Crawford wrote:

> Jason, can you explain why stripslashes should not be used on data
> taken from the db? when you store data in the db i thought it was good
> practice to addslashes, when you retrieve from the db, you will need
> to use stripslashes to remove the extra \

It's simple. Suppose you have a script that looks a bit like this (but
hopefully with more input validation and error checking!):

    $value = addslashes($_POST['text']);  // magic_quotes_gpc off
    $sql = "INSERT INTO tbl SET fld = '$value'";
    database_execute($sql);

Now suppose the user types this into the 'text' form field:

    Here's an apostrophe

Here's what happens:

PHP does this:

    $value is set to:   Here\'s an apostrophe

    $sql becomes:       INSERT INTO tbl SET fld = 'Here\'s an apostrophe'

    Which is sent to the database via database_execute()

The DATABASE now does this:

    Receives the SQL statement:
        INSERT INTO tbl SET fld = 'Here\'s an apostrophe'

    (Note how the \ escape is required here to stop the field value from
    terminating prematurely -- but this escape is aimed at the *database*,
    and is not a PHP escape. A lot of confusion seems to arise here for
    databases which use the same \ escape character as PHP.)

    Extracts the value:         Here\'s an apostrophe

    and de-escapes it to give:  Here's an apostrophe

    Which gets inserted into the database.

So the value inserted into the database is the unescaped original, and on
retrieval there are no \ characters in the retrieved value to be
stripslashes()ed.

Hope that's clearer than mud, and helps you understand what's going on
better.

Cheers!

Mike

--
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
Re: [PHP-DB] mysql - image storing
Martin Norland wrote:
> Joseph Crawford wrote:
> > Jason, can you explain why stripslashes should not be used on data
> > taken from the db? when you store data in the db i thought it was good
> > practice to addslashes, when you retrieve from the db, you will need
> > to use stripslashes to remove the extra \
>
> The slashes are added for the database, not to be stored with the data.
> for e.g. - to store:
> "I've just eaten."
> you do:
> "INSERT INTO status (hunger) values ('I\'ve just eaten.');"

I was always under the impression that single quotes (assuming you are
delineating your args with single quotes) should (officially) be escaped
with another single quote - although backslash also works:

"INSERT INTO status (hunger) values ('I''ve just eaten.');"

...a lot of really old code of mine is full of stuff like:

$var = str_replace("'","''",$var);

but maybe that's just MTAM(tm) working for me - (that's a reference to a bit
of humour from another thread btw - MTAM is not a technology :-)

> which stores:
> "I've just eaten."
>
> It's not good practice - it's required (if you're not using a mechanism
> that already handles this - such as the latest mysqli bind functions) -
> otherwise the query is invalid.

nice to learn that mysqli is getting it 'right' :-) [makes mental note to
look into it!]

> You may be thinking of running 'htmlentities' when retrieving data -
> which is necessary in some cases, depending on where you're using it
> (most notably - in html where you don't want html output).
>
> Cheers,
Re: [PHP-DB] mysql - image storing
On Wednesday 19 January 2005 01:51, [EMAIL PROTECTED] wrote:
> > Jason, can you explain why stripslashes should not be used on data
> > taken from the db? when you store data in the db i thought it was good
> > practice to addslashes, when you retrieve from the db, you will need
> > to use stripslashes to remove the extra \
>
> If I may step in...
>
> Assuming a MySQL db, using mysql_escape_string obviates the need for using
> either stripslashes or addslashes for db inserts and selects. I'm not sure
> of the underlying mechanism, but if you use mysql_escape_string on a
> string, the \'s and " ' "s, etc... all get escaped automagically before
> the insert. If you then take a look at the inserted data using the mysql
> client, you will see that the full unescaped text has been inserted. So
> there is no need to use stripslashes when selecting it out.

Additionally, it should be noted that whether you need to use stripslashes()
on data retrieved from the database depends on the setting of
magic_quotes_runtime. The recommended setting is to have it disabled which
means you do not need stripslashes().

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
New Year Resolution: Ignore top posted posts
Re: [PHP-DB] mysql - image storing
Joseph Crawford wrote:
> Jason, can you explain why stripslashes should not be used on data
> taken from the db? when you store data in the db i thought it was good
> practice to addslashes, when you retrieve from the db, you will need
> to use stripslashes to remove the extra \

The slashes are added for the database, not to be stored with the data.
for e.g. - to store:
"I've just eaten."
you do:
"INSERT INTO status (hunger) values ('I\'ve just eaten.');"
which stores:
"I've just eaten."

It's not good practice - it's required (if you're not using a mechanism
that already handles this - such as the latest mysqli bind functions) -
otherwise the query is invalid.

You may be thinking of running 'htmlentities' when retrieving data - which
is necessary in some cases, depending on where you're using it (most
notably - in html where you don't want html output).

Cheers,
--
- Martin Norland, Database / Web Developer, International Outreach x3257
Re: [PHP-DB] mysql - image storing
> Jason, can you explain why stripslashes should not be used on data
> taken from the db? when you store data in the db i thought it was good
> practice to addslashes, when you retrieve from the db, you will need
> to use stripslashes to remove the extra \

If I may step in...

Assuming a MySQL db, using mysql_escape_string obviates the need for using
either stripslashes or addslashes for db inserts and selects. I'm not sure
of the underlying mechanism, but if you use mysql_escape_string on a string,
the \'s and " ' "s, etc... all get escaped automagically before the insert.
If you then take a look at the inserted data using the mysql client, you
will see that the full unescaped text has been inserted. So there is no need
to use stripslashes when selecting it out.

Personally, this is counterintuitive, but that's the way it works.

David
Re: [PHP-DB] mysql - image storing
Jason, can you explain why stripslashes should not be used on data
taken from the db? when you store data in the db i thought it was good
practice to addslashes, when you retrieve from the db, you will need
to use stripslashes to remove the extra \

--
Joseph Crawford Jr.
Codebowl Solutions
[EMAIL PROTECTED]
RE: [PHP-DB] mysql - image storing
The problem is that I just display the "image broken link" icon.
As I told before the image is displayed fine into phpMyAdmin, so I think the
problem is really in the retrieval script, but I can't see where...
I tried with several browser, so that's not the question either...I also
tried with several header option as I thought it may be the problem as if I
just echo the data without the header they look like "normal " data for a
picture...

Thanks for the reply.

> From: "Bastien Koert" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], php-db@lists.php.net
> Subject: RE: [PHP-DB] mysql - image storing
> Date: Tue, 18 Jan 2005 10:46:50 -0500
>
> so what exactly is the problem?
>
> bastien
Re: [PHP-DB] mysql - image storing
On Tuesday 18 January 2005 19:30, mel list_php wrote:

[snip]
> $donnees=stripslashes($row[donnees_binaires]);
[snip]
> -I tried different combinations with addslashes/stripslashes, trim in case
> of spaces, mysql_real_escape_string...

I haven't looked at your code in detail but stripslashes() should never be
used on data retrieved from the DB (that is assuming your data was inserted
correctly in the first place).

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
RE: [PHP-DB] mysql - image storing
so what exactly is the problem?

bastien
[PHP-DB] mysql - image storing
Hi list,

I try to store/retrieve pictures into MySQL.

I know that a lot of people will say this is not a good practice, so here
are briefly my reasons:
-I want to protect that pictures (restricted access)
-I don't want to use htaccess as I want my users to be able to modify their
password whenever they want, and I don't want to modify dynamically an
htaccess file.
-I could store them on the filesystem (my actual solution), but I have only
few pictures, so I would like to give the MySQL option a trial.

I found on the web a lot of tutorials on how to do that, they almost all
look like this one
http://www.phpbuilder.com/columns/florian19991014.php3?page=1

I went through a lot of forums, saw a lot of problems and still am unable to
make it work for me.

Here are my scripts
-for the upload into mysql I suppose all is ok as I am able to visualize the
pictures through phpMyAdmin
-for the retrieval

    $result = mysql_query("select * from images_binaires where id=1;") or die(mysql_error());
    while( $row = mysql_fetch_array($result ) )
    {
        $donnees=stripslashes($row[donnees_binaires]);
        $type=$row[type_fichier];
        $taille_fichier=$row[taille_fichier];
    }
    if ($donnees)
    {
        header('Content-Type: image/png');
        header('Content-Length: $taille_fichier');
        echo $donnees;
    }
    else
    {
        echo 'error';
    }
    ?>

and the calling script:

    "; ?>

what I can say:
-no problem with connexion, it retrieves data (echo of $donnees without
header)
-when I retrieve the data without the header, they look "normal", no excess
of slashes for example.
-I tried to open the file with "rb" for upload (even if it's supposed to be
by default now)
-I tried to put the header on top of the script
-I tried different combinations with addslashes/stripslashes, trim in case
of spaces, mysql_real_escape_string...
-I also tried with imagecreatefromstring(), even if I saw that it shouldn't
be necessary.
-I think I shouldn't need the GD library, but it's installed anyway

If somebody can help?
Thanks!