Re: [PHP] Re: mysql_real_escape_string("asdasddas") ??? wtf

2009-02-21 Thread German Geek
Ah, ic. Mh, why wouldn't a function like that function without a db
connection? Does it use the db? Isn't that less efficient? I might just use
str_replace, because i can't think of any way that one could get a sql
injection into

str_replace("'", "\\\'", $value); // might need to replace a literal \ too.

If you can, please enlighten me.

Maybe if they enter something like \c ?? Like one of the mysql special
commands? But if it's inside a string literal??

Thanks a lot, i would have never thought about that.

Will try.

Tim-Hinnerk Heuer

http://www.ihostnz.com
George Burns  - "I would go out with women my age, but there are no women my
age."

2009/2/21 Ross McKay 

> On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:
>
> >Can anyone here tell me why mysql_real_escape_string("asdasddas") returns
> an
> >empty string?
>
> Have you opened a connection to a MySQL database? It won't work without
> an open connection.
> --
> Ross McKay, Toronto, NSW Australia
> "Let the laddie play wi the knife - he'll learn"
> - The Wee Book of Calvin
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Re: [PHP] Re: mysql_real_escape_string("asdasddas") ??? wtf

2009-02-21 Thread Ashley Sheridan
On Sat, 2009-02-21 at 22:55 +1300, German Geek wrote:
> Ah, ic. Mh, why wouldn't a function like that function without a db
> connection? Does it use the db? Isn't that less efficient? I might just use
> str_replace, because i can't think of any way that one could get a sql
> injection into
> 
> str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
> 
> If you can, please enlighten me.
> 
> Maybe if they enter something like \c ?? Like one of the mysql special
> commands? But if it's inside a string literal??
> 
> Thanks a lot, i would have never thought about that.
> 
> Will try.
> 
> Tim-Hinnerk Heuer
> 
> http://www.ihostnz.com
> George Burns  - "I would go out with women my age, but there are no women my
> age."
> 
> 2009/2/21 Ross McKay 
> 
> > On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:
> >
> > >Can anyone here tell me why mysql_real_escape_string("asdasddas") returns
> > an
> > >empty string?
> >
> > Have you opened a connection to a MySQL database? It won't work without
> > an open connection.
> > --
> > Ross McKay, Toronto, NSW Australia
> > "Let the laddie play wi the knife - he'll learn"
> > - The Wee Book of Calvin
> >
> >
> >
It doesn't actually use the connection, but it requires one to be open
before you can use it. You said you're using this on a query anyway, so
why not open the connection to mysql?


Ash
www.ashleysheridan.co.uk





Re: [PHP] Re: mysql_real_escape_string("asdasddas") ??? wtf

2009-02-21 Thread Ross McKay
German Geek wrote:

>Ah, ic. Mh, why wouldn't a function like that function without a db
>connection? Does it use the db? Isn't that less efficient? 

It doesn't use the db - at least, it doesn't make a call to the db. It
probably wants a db resource handle so that it can know what character
set it is meant to be handling, which is established as a property on
the connection.

>I might just use
>str_replace, because i can't think of any way that one could get a sql
>injection into
>
>str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
>
>If you can, please enlighten me.

And also: NUL, LF, CR, " and ^Z

Or you could just call mysql_real_escape_string and know that you
haven't coded your str_replace with some hole in it :)
-- 
Ross McKay, Toronto, NSW Australia
"The chief cause of problems is solutions" -Eric Sevareid
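Ross's list is the full set of bytes the MySQL client library escapes. As an added illustration (not code from the thread), the PHP below puts the single-quote-only str_replace from the question next to an escape that covers all seven characters and runs both over a constructed value ending in a backslash; the byte-wise version stands in for mysql_real_escape_string for illustration only, since it knows nothing about the connection's character set.

```php
<?php
// Added example, not from the thread. Contrasts escaping only ' with
// escaping the full set of bytes the MySQL client library escapes:
// NUL, LF, CR, backslash, ', " and ^Z (0x1A).

// The narrow approach from the question: only the single quote.
function escape_quote_only($value)
{
    return str_replace("'", "\\'", $value);
}

// Byte-wise escape of all seven characters. This mirrors what the client
// library does for single-byte character sets; it does NOT know the
// connection character set, which is why the real function wants a link.
function escape_full($value)
{
    $map = array(
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    );
    return strtr($value, $map);
}

// Constructed sample: a value whose last byte is a backslash.
$sample = "O'Brien\\";

$narrow = escape_quote_only($sample);   // O\'Brien\   (trailing \ left bare)
$full   = escape_full($sample);         // O\'Brien\\  (backslash doubled)

// Wrapped in quotes, the narrow result's stray backslash escapes the
// closing quote, so the string literal is never terminated; the full
// result closes cleanly.
printf("narrow: '%s'\n", $narrow);
printf("full:   '%s'\n", $full);
```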




Re: [PHP] Re: mysql_real_escape_string("asdasddas") ??? wtf

2009-02-21 Thread Per Jessen
Ross McKay wrote:

> It doesn't use the db - at least, it doesn't make a call to the db. It
> probably wants a db resource handle so that it can know what character
> set it is meant to be handling, which is established as a property on
> the connection.

Yep, that's exactly why. 

If the current character set is unimportant, you can use
mysql_escape_string() instead.  (yes, I know it's deprecated).


-- 
Per Jessen, Zürich (4.8°C)





Re: [PHP] mysql_real_escape_string("asdasddas") ??? wtf

2009-02-21 Thread Robert Cummings
On Sat, 2009-02-21 at 19:19 +1300, Tim | iHostNZ wrote:
> Hi everyone,
> 
> Can anyone here tell me why mysql_real_escape_string("asdasddas") returns an
> empty string?
> 
> Just writing a data import...
> 
> Anyway, for security but also simply because i might have a ' in the string,
> i need to escape it. Apparently it is good practice to use
> mysql_real_escape_string() but it simply doesn't work at all on this
> machine. I thought it's a rather standard function.
> 
> Is it maybe my Apache server setup? But i thought the function wouldn't
> exist then and throw an error in the php script, but it runs through fine.
> 
> Please help, we need this data import by next week hence i'm working now...
> 
> I can send you details of the server setup if required. Please let me know
> what as there are quite a few things... It's xampp on windows xp
> (testing/dev machine).

RTFM:

Note: A MySQL connection is required before using
mysql_real_escape_string() otherwise an error of level
E_WARNING is generated, and FALSE is returned. If
link_identifier isn't defined, the last MySQL connection
is used.

And turn your error reporting on or check your logs.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] Unique User Hashes

2009-02-21 Thread Per Jessen
Nathan Rixham wrote:

> it's all a bit pointless, the only way to ensure only one vote per
> person is to take and test a dns sample from each user.
> 
> anything else is going to be flawed

Not at all - you issue voting-rights based on user identity.  Works very
well in many places.  Here in Switzerland for instance.


/Per


-- 
Per Jessen, Zürich (3.9°C)





Re: [PHP] Unique User Hashes

2009-02-21 Thread tedd

At 1:19 PM +0100 2/21/09, Per Jessen wrote:

> Nathan Rixham wrote:
>
>> it's all a bit pointless, the only way to ensure only one vote per
>> person is to take and test a dns sample from each user.
>>
>> anything else is going to be flawed
>
> Not at all - you issue voting-rights based on user identity.  Works very
> well in many places.  Here in Switzerland for instance.
>
> /Per


Certainly voting methodology can work provided you can accurately 
identify the voter -- and therein lies the problem.


Fortunately/unfortunately, the server can only gather a limited 
amount of information from a user's visit and certainly not enough to 
accurately discern one user from another.


So some other method must be employed and all methods revolve around 
some process where the user is required to identify themselves online 
before casting their vote.


Now, the question is  -- how do you do that? With Unions, Federal, 
State, Local and other such organizations, they often have hard-copy 
ID cards that the users have in their possession.


The organization wanting to gather the vote simply has to have an 
online database with those ID numbers to approve and subsequently 
permit voting. However, a problem still remains, which is "Is the 
person casting the vote the person who is registered to that ID?" At 
some point you have to conclude that the person submitting the 
correct ID is the person voting.


If you don't have a hard-copy ID card for the people you are 
accepting votes from, then you must rely on some other method of 
uniquely identifying the person voting.


The method I suggested was simply to use the person's email address. 
Each email address is indeed unique. HOWEVER, many people could use 
the same email address and thus the method cannot guarantee the 
identity of the person casting the vote. But like the ID card, at 
some point you have to conclude that the person submitting the 
correct email address is the person voting. Neither method is 
perfect, but one vote is gathered per ID/email address.


Granted, my method does not prohibit someone from gathering numerous 
email addresses and voting several times. But my method does a 
better job than not requiring any identification from the voter at 
all, as was suggested at the beginning of this thread by someone who 
didn't understand the problem. It's one thing to be required to have 
a real email address, it's another matter to just click and click 
again. Even with using COOKIES, it's not a problem to click, clear 
COOKIES, and click again.


So in Switzerland if each of you has an ID card, then the problem is 
"solved" as described above. However, if there is no ID card, then 
other methods must be considered. But I just don't see any way of 
uniquely identifying a user online without some sort of unique user 
input -- do you?


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Unique User Hashes

2009-02-21 Thread Per Jessen
tedd wrote:

[agree with all of the above]

> So in Switzerland if each of you has an ID card, then the problem is
> "solved" as described above. However, if there is no ID card, then
> other methods must be considered. 

It's not the ID-card as such (it's your ability to prove your own
identity), but your point is valid nonetheless.

> But I just don't see any way of uniquely identifying a user online
> without some sort of unique user input -- do you?

Nope. 



-- 
Per Jessen, Zürich (6.0°C)





[PHP] redirecting output for a spawned child process..

2009-02-21 Thread bruce
hi...

got a situation where i have a parent app that spawns children. trying to
figure out how to get the output of the spawned/forked children to be
written to an external file...

can't seem to find any examples of how to accomplish this... do i have to
insert something within the child php app itself to redirect the output
that's currently being sent to the term? i'd prefer to have the output
displayed, as well as redirected...

these are cli apps...

code chunks would be appreciated..

thanks






Re: [PHP] redirecting output for a spawned child process..

2009-02-21 Thread Per Jessen
bruce wrote:

> hi...
> 
> got a situation where i have a parent app that spawns children. trying
> to figure out how to get the output of the spawned/forked children to
> be written to an external file...

Normally I would use freopen() on stdout and stderr, but that's not
available in PHP :-(

> can't seem to find any examples of how to accomplish this... do i have
> to insert something within the child php app itself to redirect the
> output that's currently being sent to the term? i'd prefer to have the
> output displayed, as well as redirected...

You basically need to do something about the stdin, stdout and stderr
file descriptors that your child inherited from the parent at time of
fork().  I can't seem to find many PHP functions that deal with file
descriptors though. 



-- 
Per Jessen, Zürich (2.6°C)
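One way to do what bruce asks for in plain PHP, added here and not from the thread: proc_open() lets the parent choose the child's file descriptors, so the child's stdout can be read through a pipe and copied both to the terminal and to a file, while stderr goes straight to the file. The child command and log path are placeholders.

```php
<?php
// Added example, not from the thread. Spawn a child CLI script with
// proc_open(), tee its stdout to the terminal and a log file, and send
// its stderr to the same file. Command and path are placeholders.
$child   = 'php child.php';          // hypothetical child CLI app
$logPath = '/tmp/child-output.log';  // hypothetical log file

// Descriptor spec: index = fd number in the child.
$descriptors = array(
    0 => array('pipe', 'r'),           // child's stdin (we write; unused here)
    1 => array('pipe', 'w'),           // child's stdout: parent reads it
    2 => array('file', $logPath, 'a'), // child's stderr: appended to the file
);

$proc = proc_open($child, $descriptors, $pipes);
if (!is_resource($proc)) {
    fwrite(STDERR, "could not start child\n");
    exit(1);
}
fclose($pipes[0]);                    // child gets EOF on stdin

$log = fopen($logPath, 'a');
while (!feof($pipes[1])) {
    $chunk = fread($pipes[1], 8192);
    if ($chunk === false || $chunk === '') {
        break;
    }
    echo $chunk;                      // display on the parent's terminal
    fwrite($log, $chunk);             // and keep a copy in the file
}
fclose($pipes[1]);
fclose($log);

$status = proc_close($proc);          // child's exit code
exit($status);
```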





[PHP] adding whitespace to a timestamp

2009-02-21 Thread Eric Sherman
I'm hoping to add a space between the date and the time in this:

$thedate = date('M jS g:i A', $postTIME);

i.e, between* jS* and *g:i*

I've looked around but can't find anything.

Thanks

Eric Sherman
Multi Media Information
-- 
Copyediting the web, one page at a time.


[PHP] Re: adding whitespace to a timestamp

2009-02-21 Thread Shawn McKenzie
Eric Sherman wrote:
> I'm hoping to add a space between the date and the time in this:
> 
> $thedate = date('M jS g:i A', $postTIME);
> 
> i.e, between* jS* and *g:i*
> 
> I've looked around but can't find anything.
> 
> Thanks
> 
> Eric Sherman
> Multi Media Information

There is already a space there!

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] adding whitespace to a timestamp

2009-02-21 Thread Jason Pruim


On Feb 21, 2009, at 1:28 PM, Eric Sherman wrote:

> I'm hoping to add a space between the date and the time in this:
>
> $thedate = date('M jS g:i A', $postTIME);
>
> i.e, between* jS* and *g:i*
>
> I've looked around but can't find anything.
>
> Thanks

If what you want is to have something like this:

First part of date blah blah blah blah other type Second part of date
then you just put in the variable twice and format it that way. Such as:




or something along those lines..




Re: [PHP] mysql_real_escape_string("asdasddas") ??? wtf

2009-02-21 Thread Tim | iHostNZ
OK, thanks. I think you guys are right. It's just safer and simpler than
writing my function and probably not really slower either. I need a DB
connection anyway. Read a bit on the function and yeah, a bit of screwed up
binary data might yet cause funny errors, although the XML is a feed from a
trusted source.

You guys are great! Faster with answers than I can search. Almost feel
tempted not to search... Nah, I still search first. :-)

Tim-Hinnerk Heuer

http://www.ihostnz.com
Emo Philips  - "I was the kid next door's imaginary friend."

2009/2/22 Robert Cummings 

> On Sat, 2009-02-21 at 19:19 +1300, Tim | iHostNZ wrote:
> > Hi everyone,
> >
> > Can anyone here tell me why mysql_real_escape_string("asdasddas") returns
> an
> > empty string?
> >
> > Just writing a data import...
> >
> > Anyway, for security but also simply because i might have a ' in the
> string,
> > i need to escape it. Apparently it is good practice to use
> > mysql_real_escape_string() but it simply doesn't work at all on this
> > machine. I thought it's a rather standard function.
> >
> > Is it maybe my Apache server setup? But i thought the function wouldn't
> > exist then and throw an error in the php script, but it runs through
> fine.
> >
> > Please help, we need this data import by next week hence i'm working
> now...
> >
> > I can send you details of the server setup if required. Please let me
> know
> > what as there are quite a few things... It's xampp on windows xp
> > (testing/dev machine).
>
> RTFM:
>
>Note: A MySQL connection is required before using
>mysql_real_escape_string() otherwise an error of level
>E_WARNING is generated, and FALSE is returned. If
>link_identifier isn't defined, the last MySQL connection
>is used.
>
> And turn your error reporting on or check your logs.
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
>


Re: [PHP] mysql_real_escape_string("asdasddas") ??? wtf

2009-02-21 Thread 9el
---
Use FreeOpenSourceSoftwares, Stop piracy, Let the developers live. Get
a Free CD of Ubuntu mailed to your door without any cost. Visit :
www.ubuntu.com
--


On Sun, Feb 22, 2009 at 5:35 AM, Tim | iHostNZ  wrote:

> OK, thanks. I think you guys are right. It's just safer and simpler than
> writing my function and probably not really slower either. need a db
> connection anyway. Read a bit on the function and yeah, a bit of screwed up
> binary data might yet cause funny errors although the xml is a feed from a
> trusted source.


Having concluded with this realization, get to read the Security chapters
of the Zend Certified Engineer Exam Guide book from phpArchitect, written by
Ben Ramsey and David Shafiq.
And you probably know the term 're-inventing the wheel'. :)
