php-general Digest 13 Jul 2009 14:04:09 -0000 Issue 6227
Topics (messages 295303 through 295323):

Re: I am RTFM, but still stumbling on how to get built-in functions parsed in heredoc
        295303 by: Paul M Foster

Re: phpscriptor.com
        295304 by: Paul M Foster
        295307 by: Reese

Re: A prepared statements question
        295305 by: Daniel Brown

Re: PHP/mysql equivalent of PEAR's tableInfo()??
        295306 by: Zareef Ahmed
        295323 by: Govinda

php.ini and cli
        295308 by: Ashley Sheridan
        295309 by: Eddie Drapkin
        295310 by: Stuart
        295312 by: Ashley Sheridan

Re: When did you start here? Was - RFC/Survey for Our Newer Folks
        295311 by: David Robley

Doubts concerning a general Insert method
        295313 by: MEM
        295314 by: Stuart

Re: MySql Injection advice
        295315 by: Haig Dedeyan
        295316 by: Haig Dedeyan
        295317 by: tedd
        295320 by: tedd
        295322 by: Ashley Sheridan

Re: Establishing PHP Session From a Different Host
        295318 by: Bob McConnell
        295319 by: Ashley Sheridan
        295321 by: Andrew Ballard

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net

----------------------------------------------------------------------

---BeginMessage---
On Sat, Jul 11, 2009 at 11:23:11AM -0400, Daniel Brown wrote:

<snip>

I used $html = <<<HTML because it then syntax-highlights as HTML+PHP in
Vim, and as many know, almost everything I do is from the command line and
Vim. Vim FTW! (And mutt for the pwnage!)

Paul

--
Paul M. Foster
---End Message---

---BeginMessage---
On Sat, Jul 11, 2009 at 08:14:35AM -0700, PHPScriptor wrote:

> Ok this may look like spam but what the hell... I'm the owner of
> phpscriptor.com, I had big plans with this domain name but... well yes,
> no time. So I'm selling it. I don't want to make profit out of it. So
> for, let's say 200 dollar, you can have the domain name. And if you want,
> you get the website free with it.

You don't want to make a profit, yet you're selling it for $200? Those
two statements are contradictory.

Paul

--
Paul M. Foster
---End Message---

---BeginMessage---
Paul M Foster wrote:

> On Sat, Jul 11, 2009 at 08:14:35AM -0700, PHPScriptor wrote:
>
>> Ok this may look like spam but what the hell... I'm the owner of
>> phpscriptor.com, I had big plans with this domain name but... well yes,
>> no time. So I'm selling it. I don't want to make profit out of it. So
>> for, let's say 200 dollar, you can have the domain name. And if you
>> want, you get the website free with it.

Why am I reminded of the Vincent D'Onofrio Edgar-cum-cockroach character
when I read those lines above? I found myself adopting the cockroach accent
as I read the first line. Seriously.

> You don't want to make a profit, yet you're selling it for $200? Those
> two statements are contradictory.

He has a lot of mouths to feed. Plus if he's been sitting on it, the $200
might let him break even. I've learned that much, eh?

SL
---End Message---

---BeginMessage---
2009/7/12 Eddie Drapkin <oorza...@gmail.com>:
> This is just my opinion, of course :)

    Which is welcome. Preferably, on the php-db@ list, but welcome
nonetheless. ;-P

--
</Daniel P. Brown>
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig
---End Message---

---BeginMessage---
On Mon, Jul 13, 2009 at 3:19 AM, Govinda <govinda.webdnat...@gmail.com> wrote:

>> On Sat, Jul 11, 2009 at 19:57, Govinda <govinda.webdnat...@gmail.com> wrote:
>>> I have been using PEAR's tableInfo() to remind myself about the columns
>>> in the table.. but now I want to see as much data as possible about the
>>> table and its contents *without* using PEAR. (I.e. just using built in
>>> stuff for mysqli.)
>>
>> This is not mysqli_#() directly, but just mocked up here in this
>> email. Not guaranteed to work, but should give you the right idea at
>> least. ;-P
>>
>> <?php
>> include('inc/config.php'); // Your configuration
>> include('inc/db.php');     // Your database connection info
>>
>> $result = mysql_query("SHOW TABLES");
>> while ($row = mysql_fetch_row($result)) {          // one row per table
>>     $table = $row[0];
>>     // a table name is an identifier: quote it with backticks rather than
>>     // escaping it as a string literal
>>     $rresult = mysql_query("DESCRIBE `" . str_replace('`', '``', $table) . "`");
>>     echo "<b>" . htmlspecialchars($table) . "</b>:<br />\n";
>>     echo "<pre>\n";
>>     while ($col = mysql_fetch_assoc($rresult)) {   // one row per column
>>         print_r($col);
>>     }
>>     echo "</pre>\n";
>>     echo "<br />\n";
>> }
>> ?>
>>
>> Dan
>
> I get roughly the idea, but alas I am stumped so easily in this new
> ocean.. it frustrates me.
>
> I have this code:
>
> $db_billing = mysqli_connect("localhost", "metheuser", "mypass", "billing");
> if (mysqli_connect_error()) {
>     die("Can't connect: " . mysqli_connect_error());
> }
> mysqli
> //$dbname = 'billing';
php-general Digest 14 Jul 2009 02:53:03 -0000 Issue 6228
Topics (messages 295324 through 295343):

Re: Doubts concerning a general Insert method
        295324 by: MEM
        295325 by: Stuart
        295328 by: MEM

Re: RFC/Survey for Our Newer Folks (Including Lurkers)
        295326 by: pan
        295327 by: Martin Scotta

Re: open source event calendar
        295329 by: Joey

Re: PHP not running properly
        295330 by: Togrul Mamedbekov
        295331 by: Jonathan Tapicer
        295332 by: Ashley Sheridan
        295333 by: Togrul Mamedbekov

Re: MySql Injection advice
        295334 by: Haig Dedeyan
        295335 by: Bastien Koert
        295336 by: Ashley Sheridan
        295337 by: Bastien Koert
        295338 by: Michael A. Peters

mod primary key field - newbie question
        295339 by: cool.hosting4days.com
        295340 by: Floyd Resler
        295342 by: Daniel Brown

Re: accidentally chown -R mysql /var/lib, so wrote a script to fix them
        295341 by: Daevid Vincent

How to create Data Auto-Filters using PEAR Spreadsheet Writer ?
        295343 by: Ali, Saqib

----------------------------------------------------------------------

---BeginMessage---
> $values[0] will give you the first element of $values, namely
> array('animal_name'=>'bruce', 'animal_type'=>'dingo').
>
> array_keys will return an array containing the keys from the passed
> array, so in this case you'll get array('animal_name', 'animal_type').

So... since $values is an associative array of arrays, we will get, on the
first key, not an array with 0, 1, like array(0,1); but
array('animal_name','animal_type'), yes?

When we use the implode over this array, we get: animal_name, animal_type
that is the string that will pass to be prepared using the PDO prepare().

> After it's finished building $sql use var_dump to look at it. You'll see
> that the values are specified as :animal_name and :animal_type. The :
> indicates to PDO that these are replaceable values.

Yes. And normally, to fill those replaceable values, I used to use
bindParam(); I like this bindParam method because we can then use
PDO::PARAM_INT and PDO::PARAM_STR to more accurately control the data type
flow...

> The foreach will go through the $values array and for each row it will
> pass the data (e.g. array('animal_name'=>'bruce', 'animal_type'=>'dingo')
> for the first time round the loop) to the execute function which will
> effectively replace those elements in the SQL statement and execute it.

Ok, so:

Our $sql will be:
INSERT INTO $table (animal_name, animal_type) VALUES (:animal_name, :animal_type)

We then prepare this $sql by doing: prepare($sql); and the value of this
preparation will be kept on a variable named $stmt.

Finally, on the foreach, we will grab each value of the $values array, and
keep it on a variable called $vals. The $vals will contain this on the
first occurrence of the loop:
array('animal_name'=>'bruce', 'animal_type'=>'ding')
and then the var $vals will have this on the second occurrence of the loop:
array('animal_name'=>'bruce', 'animal_type'=>'kanguro')
etc.

At the end of each of these loops, we will process the execute (that will
send the statement to the database):
$stmt->execute(array('animal_name'=>'bruce', 'animal_type'=>'kanguro'));

So this execute will do A LOT: it will take away the 'array(' part, will
see the keys of these arrays (e.g. animal_name and animal_type), compare
them with the placeholder names given on the prepare statement and replace
the placeholder names with the values inside each of these array keys.

Is this correct?

Regards,
Márcio
---End Message---

---BeginMessage---
2009/7/13 MEM <tal...@gmail.com>:
>> $values[0] will give you the first element of $values, namely
>> array('animal_name'=>'bruce', 'animal_type'=>'dingo').
>>
>> array_keys will return an array containing the keys from the passed
>> array, so in this case you'll get array('animal_name', 'animal_type').
>
> So... since $values is an associative array of arrays, we will get, on
> the first key, not an array with 0, 1, like array(0,1); but
> array('animal_name','animal_type'), yes?
>
> When we use the implode over this array, we get: animal_name, animal_type
> that is the string that will pass to be prepared using the PDO prepare().

Indeed.

>> After it's finished building $sql use var_dump to look at it. You'll
>> see that the values are specified as :animal_name and :animal_type.
>> The : indicates to PDO that these are replaceable values.
>
> Yes. And normally, to fill those replaceable values, I used to use
> bindParam(); I like this bindParam method because we can then use
> PDO::PARAM_INT and PDO::PARAM_STR to more accurately control the data type
[PHP] php.ini and cli
Hi All,

Just a quick question. When I make changes in the php.ini, to take effect,
I need to restart the Apache (or other web server) service. What happens
with PHP CLI? Is the php.ini parsed each time the script is called, or is
there something specific which needs resetting? The machine that the PHP
CLI is running on is a Windows machine with no web server.

--
Thanks,
Ash
http://www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php.ini and cli
On Mon, Jul 13, 2009 at 4:48 AM, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:
> Hi All,
>
> Just a quick question. When I make changes in the php.ini, to take
> effect, I need to restart the Apache (or other web server) service. What
> happens with PHP CLI? Is the php.ini parsed each time the script is
> called, or is there something specific which needs resetting? The machine
> that the PHP CLI is running on is a Windows machine with no web server.
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

The CLI binary reads and parses php.ini on every initialization.

Try something like

<?php echo $foo ?>

And then set error_reporting (in php.ini) to E_ALL and see your warning,
then set it to 0 and see nothing.
Re: [PHP] php.ini and cli
2009/7/13 Ashley Sheridan <a...@ashleysheridan.co.uk>:
> Just a quick question. When I make changes in the php.ini, to take
> effect, I need to restart the Apache (or other web server) service. What
> happens with PHP CLI? Is the php.ini parsed each time the script is
> called, or is there something specific which needs resetting? The machine
> that the PHP CLI is running on is a Windows machine with no web server.

The php.ini file is read whenever a PHP process is started, so in the case
of the CLI binary that's whenever it's run from the command line.
Long-running scripts will need to be restarted for them to see any changes.

-Stuart

--
http://stut.net/
Re: [PHP] When did you start here? Was - RFC/Survey for Our Newer Folks
Ashley Sheridan wrote:

> On Sunday 12 July 2009 15:54:27 Daniel Brown wrote:
>> On Sun, Jul 12, 2009 at 09:45, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:
>>> Yeah, I'll put it down to old age and not my reading laziness!
>>
>>     You're just lucky Tedd got to you first, Ash. I was going to
>> fairy-slap you for messing up the rotation!
>>
>>     You've been here, what, about a year now? ;-P And here's hoping
>> there will be more to come.
>
> About a year and a half now I think.

I just have to take this slightly(?) off topic, as that is expected
behaviour here :-).

I thought I had been around for about five years or so, but a quick search
on marc turned up contributions from me as far back as September 2000
http://marc.info/?l=php-generalm=96822528212538w=2

On reflection, I suspect that the marc archives may not go back as far as
when I first joined what was then a mailing list only (I think!). Although
I find contributions to other mailing lists back as far as 1995.

$deity, I must be getting old.

*Checks birth year, notes it was in the first half of last century and goes
off to polish and oil the walking frame*

Cheers
--
David Robley

I have enough trouble single-tasking!
Today is Prickle-Prickle, the 48th day of Confusion in the YOLD 3175.
Re: [PHP] php.ini and cli
On Monday 13 July 2009 10:07:24 Stuart wrote:
> 2009/7/13 Ashley Sheridan <a...@ashleysheridan.co.uk>:
>> Just a quick question. When I make changes in the php.ini, to take
>> effect, I need to restart the Apache (or other web server) service.
>> What happens with PHP CLI? Is the php.ini parsed each time the script
>> is called, or is there something specific which needs resetting? The
>> machine that the PHP CLI is running on is a Windows machine with no web
>> server.
>
> The php.ini file is read whenever a PHP process is started, so in the
> case of the CLI binary that's whenever it's run from the command line.
> Long-running scripts will need to be restarted for them to see any
> changes.
>
> -Stuart
>
> --
> http://stut.net/

Cool. The script I'm running is just scanning a directory structure for new
files, so it's not a long-running one. I just needed to add some email
functionality to it, and had to make some SMTP changes in the php.ini.

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
[PHP] Doubts concerning a general Insert method
Hello,

I'm trying to understand a general CRUD class that I've seen here:
http://www.phpro.org/classes/PDO-CRUD.html

I'm learning PHP and I have some doubts on this method to generally insert
data into DB. The class name is crud and here is the method:

public function dbInsert($table, $values)
{
    $this->conn();
    $fieldnames = array_keys($values[0]);
    $size = sizeof($fieldnames);
    $i = 1;

    // construction of the prepared statement
    $sql = "INSERT INTO $table";
    $fields = '( ' . implode(' ,', $fieldnames) . ' )';
    $bound = '(:' . implode(', :', $fieldnames) . ' )';
    $sql .= $fields . ' VALUES ' . $bound;

    // prepares statement and saves it on variable $stmt
    $stmt = $this->db->prepare($sql);
    foreach ($values as $vals) {
        $stmt->execute($vals);
    }
}

To place values on the DB we do:

$crud = new crud();
$values = array(
    array('animal_name' => 'bruce', 'animal_type' => 'dingo'),
    array('animal_name' => 'bruce', 'animal_type' => 'kangaroo'),
);
$crud->dbInsert('animals', $values);

The doubts:

1) Names convention question: Isn't it more correct to call it $columname,
instead of $fieldname?

2) Why do we have this? $i = 1

3) Here: $fieldnames = array_keys($values[0]);
We are keeping on variable $fieldnames, the key value of the $values array,
when this array is on the position 0? And what is *actually* the value
returned, considering our array?

$values = array(
    array('animal_name' => 'bruce', 'animal_type' => 'dingo'),
    array('animal_name' => 'bruce', 'animal_type' => 'kangaroo'),
);

4) Here:
foreach ($values as $vals) {
    $stmt->execute($vals);
}
We are telling that, for each (line/element/index ???) of $values array,
the actual value will be given(?) to vals, and the pointer goes to the next
(line/element/index)... ? We then execute the prepared statement, but I
don't get what we are passing as a param? I mean, what kind of thing does
the execute PDO method expect as a param? Why $stmt->execute($vals); and
not only $stmt->execute(); ?

Can I please have your help on clarifying those doubts?

Thanks a lot,
Márcio
Re: [PHP] Doubts concerning a general Insert method
2009/7/13 MEM <tal...@gmail.com>:
> Hello,
>
> I'm trying to understand a general CRUD class that I've seen here:
> http://www.phpro.org/classes/PDO-CRUD.html
>
> I'm learning PHP and I have some doubts on this method to generally
> insert data into DB. The class name is crud and here is the method:
>
> public function dbInsert($table, $values)
> {
>     $this->conn();
>     $fieldnames = array_keys($values[0]);
>     $size = sizeof($fieldnames);
>     $i = 1;
>
>     // construction of the prepared statement
>     $sql = "INSERT INTO $table";
>     $fields = '( ' . implode(' ,', $fieldnames) . ' )';
>     $bound = '(:' . implode(', :', $fieldnames) . ' )';
>     $sql .= $fields . ' VALUES ' . $bound;
>
>     // prepares statement and saves it on variable $stmt
>     $stmt = $this->db->prepare($sql);
>     foreach ($values as $vals) {
>         $stmt->execute($vals);
>     }
> }
>
> To place values on the DB we do:
>
> $crud = new crud();
> $values = array(
>     array('animal_name' => 'bruce', 'animal_type' => 'dingo'),
>     array('animal_name' => 'bruce', 'animal_type' => 'kangaroo'),
> );
> $crud->dbInsert('animals', $values);
>
> The doubts:
>
> 1) Names convention question: Isn't it more correct to call it
> $columname, instead of $fieldname?

The two terms are interchangeable in the context of a database.

> 2) Why do we have this? $i = 1

It's not used so I'd guess it's a remnant from an older version of the
method. Safe to remove it.

> 3) Here: $fieldnames = array_keys($values[0]);
> We are keeping on variable $fieldnames, the key value of the $values
> array, when this array is on the position 0? And what is *actually* the
> value returned, considering our array?
>
> $values = array(
>     array('animal_name' => 'bruce', 'animal_type' => 'dingo'),
>     array('animal_name' => 'bruce', 'animal_type' => 'kangaroo'),
> );

You can use the var_dump function to dump the contents of $fieldnames after
that line has been executed and see for yourself. In this case let's break
it down...

$values[0] will give you the first element of $values, namely
array('animal_name' => 'bruce', 'animal_type' => 'dingo').

array_keys will return an array containing the keys from the passed array,
so in this case you'll get array('animal_name', 'animal_type').

> 4) Here:
> foreach ($values as $vals) {
>     $stmt->execute($vals);
> }
> We are telling that, for each (line/element/index ???) of $values array,
> the actual value will be given(?) to vals, and the pointer goes to the
> next (line/element/index)... ? We then execute the prepared statement,
> but I don't get what we are passing as a param? I mean, what kind of
> thing does the execute PDO method expect as a param? Why
> $stmt->execute($vals); and not only $stmt->execute(); ?

After it's finished building $sql use var_dump to look at it. You'll see
that the values are specified as :animal_name and :animal_type. The :
indicates to PDO that these are replaceable values.

The foreach will go through the $values array and for each row it will pass
the data (e.g. array('animal_name' => 'bruce', 'animal_type' => 'dingo')
for the first time round the loop) to the execute function which will
effectively replace those elements in the SQL statement and execute it.

For more info I suggest you Google for PDO prepared statements for further
reading.

-Stuart

--
http://stut.net/
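The insert that this thread takes apart, written out as an added, runnable example (it is neither the phpro.org crud class nor code posted by anyone on the list). It follows the same construction as dbInsert(), and adds the one check the original lacks: named placeholders protect only the values, while $table and the column names are spliced into the SQL text, so they are checked against an allow-list and an identifier pattern. It also covers the bindValue()/PDO::PARAM_INT point raised later in this thread, and shows that a value containing a quote is stored verbatim, which answers the backslash question from the MySql Injection thread. It assumes PHP 7.4 or later with pdo_sqlite; the table, columns and rows are constructed.

```php
<?php
// Added example (not the phpro.org crud class and not code from the thread).
// Assumes PHP 7.4+ with the pdo_sqlite extension; the table, columns and rows
// below are constructed for the demonstration.
declare(strict_types=1);

final class BulkInserter
{
    private PDO $db;
    /** @var string[] tables this code may write to (constructed allow-list) */
    private array $allowedTables;

    public function __construct(PDO $db, array $allowedTables)
    {
        $this->db = $db;
        $this->allowedTables = $allowedTables;
    }

    /** Insert every row of $rows (a list of column => value arrays) into $table. */
    public function insert(string $table, array $rows): int
    {
        // Placeholders protect VALUES only. The table and column names become
        // part of the SQL text, so they must come from code, never from a
        // request: check them against an allow-list and a strict identifier pattern.
        if (!in_array($table, $this->allowedTables, true)) {
            throw new InvalidArgumentException("table not allowed: $table");
        }
        if ($rows === []) {
            return 0;
        }
        $columns = array_keys($rows[0]);
        foreach ($columns as $column) {
            if (!is_string($column) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
                throw new InvalidArgumentException('bad column name');
            }
        }

        // Same shape as the thread's dbInsert(): "(a, b) VALUES (:a, :b)".
        $sql = sprintf('INSERT INTO %s (%s) VALUES (:%s)',
            $table, implode(', ', $columns), implode(', :', $columns));
        $stmt = $this->db->prepare($sql);

        $inserted = 0;
        foreach ($rows as $row) {
            if (array_keys($row) !== $columns) {
                throw new InvalidArgumentException('row shape differs from first row');
            }
            // execute() binds $row['animal_name'] to :animal_name and so on, each
            // value as PDO::PARAM_STR. The driver sends values separately from the
            // SQL text, so no quoting or backslashes are involved.
            $stmt->execute($row);
            $inserted += $stmt->rowCount();
        }
        return $inserted;
    }
}

// --- walk-through on an in-memory SQLite database ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE animals (id INTEGER PRIMARY KEY, animal_name TEXT, animal_type TEXT)');

$inserter = new BulkInserter($pdo, ['animals']);
$values = [
    ['animal_name' => 'bruce',   'animal_type' => 'dingo'],
    ['animal_name' => "O'Brien", 'animal_type' => 'kangaroo'],   // value containing a quote
];
echo 'rows inserted: ', $inserter->insert('animals', $values), "\n";

// The quote is stored as typed: backslashes belong to string escaping, never to the table.
$stored = $pdo->query('SELECT animal_name FROM animals WHERE id = 2')->fetchColumn();
echo 'stored name: ', $stored, ($stored === "O'Brien" ? ' (verbatim)' : ' (unexpected)'), "\n";

// Explicit typing when it matters: bindValue() with PDO::PARAM_INT / PDO::PARAM_STR
// is the alternative to handing an array to execute().
$count = $pdo->prepare('SELECT COUNT(*) FROM animals WHERE animal_type = :type AND id > :min_id');
$count->bindValue(':type', 'dingo', PDO::PARAM_STR);
$count->bindValue(':min_id', 0, PDO::PARAM_INT);
$count->execute();
echo 'dingoes with id > 0: ', $count->fetchColumn(), "\n";

// A table that is not on the allow-list is refused before any SQL is built.
try {
    $inserter->insert('animals_archive', $values);
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

The row-shape check matters because execute() with a named-parameter array fails (or, with error mode silent, returns false) when a row carries keys the prepared statement does not have, so the loop would otherwise insert some rows and not others without any signal.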
Re: [PHP] MySql Injection advice
On July 12, 2009 03:34:49 pm Haig Dedeyan wrote:
> On Sat, 11 Jul 2009 21:26:36 -0400, Haig Dedeyan wrote:
> On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan <hdede...@videotron.ca> wrote:
>
> mysql_query("INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')")
>     or die(mysql_error());
>
> I won't be using 2x escapes but I just need to know if I should be
> seeing the backslash in the dbase.
>
> No, the backslashes should not be stored in the database. They are only
> there to tell the database engine how to separate data from the SQL
> syntax.
>
> /Nisse

Ahhh. Thanks for the info.

Cheers
Haig
Re: [PHP] MySql Injection advice
On July 12, 2009 08:52:56 am Haig Dedeyan wrote:
> At 6:39 PM -0400 7/11/09, Haig Dedeyan wrote:
>> [1]
>> mysql_query("INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')")
>>     or die(mysql_error());
>>
>> or
>>
>> [2]
>> mysql_query("INSERT INTO phonedir (fname, lname) VALUES('" .
>>     mysql_real_escape_string($new_fname) . "','" .
>>     mysql_real_escape_string($new_lname) . "')") or die(mysql_error());
>
> I always do [1] and NOT [2].
>
> The reason for this is that when I clean and scrub data prior to
> insertion, I may do more than pass it through a
> mysql_real_escape_string() function. For example, I may want to trim()
> it; or check if it's a valid email address; or check if it's a number;
> or do any number of other checks prior to insertion. I don't want to
> place all those functions into a query, so why place one?
>
> Lastly, I think [1] is easier to read than [2].
>
> That's my take.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com
> http://ancientstones.com
> http://earthstones.com

Thanks. Yes I agree [1] is the better way to go.

After reading Nisse's response, it looks like the backslashes are never
stored in the table so all is good for me.

Thanks to everyone who helped out.

Cheers
Haig
Re: [PHP] MySql Injection advice
At 8:50 PM +0530 7/12/09, Zareef Ahmed wrote:
> On Sun, Jul 12, 2009 at 8:42 PM, tedd <tedd.sperl...@gmail.com> wrote:
>> As with all communication, it's better to be clear than obtuse.
>
> Agree, but I believe obtuse word meaning is contextual and depends :)

The word obtuse can mean difficult to understand or stupid depending upon
context. Considering the context of my post was addressing difficulties in
understanding your replies to postings, I think it proper to use the word in
the manner I did.

However, if you wish to take the other meaning, then that's your choice.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
RE: [PHP] Establishing PHP Session From a Different Host
From: Daniel Kolbo

> Daniel Brown wrote:
>> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo <kolb0...@umn.edu> wrote:
>>> Hello,
>>>
>>> How does one continue a php session on a different domain (domain B)
>>> than the domain (domain A) that started the session?
>>
>>     Simple answer: you don't.
>
> Thanks for the responses.
>
> Re: Simple answer
>
> I thought of another example. My bank's website. I sign-in and
> authenticate with bank.com. Then, i click credit card from bank.com and
> i'm redirected to creditcard.com without me having to reinput user/pass.
> They clearly do it (granted they have a lot more resources than I do,
> but i'd still like to know how they are doing it).

My bank also does this, but it only works if Javascript is enabled when I
first log in. Otherwise the initial login fails and I do it again on the
second site.

I haven't actually looked at the page sources to see what they do. But I
have NoScript configured to block all JS by default so the initial login
attempt always fails. It also reports blocked XSS attempts on both pages.
So whatever they are doing does not appear to be very safe.

Bob McConnell
Re: [PHP] Establishing PHP Session From a Different Host
On Monday 13 July 2009 14:15:18 Bob McConnell wrote:
> From: Daniel Kolbo
>
>> Daniel Brown wrote:
>>> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo <kolb0...@umn.edu> wrote:
>>>> Hello,
>>>>
>>>> How does one continue a php session on a different domain (domain B)
>>>> than the domain (domain A) that started the session?
>>>
>>>     Simple answer: you don't.
>>
>> Thanks for the responses.
>>
>> Re: Simple answer
>>
>> I thought of another example. My bank's website. I sign-in and
>> authenticate with bank.com. Then, i click credit card from bank.com
>> and i'm redirected to creditcard.com without me having to reinput
>> user/pass. They clearly do it (granted they have a lot more resources
>> than I do, but i'd still like to know how they are doing it).
>
> My bank also does this, but it only works if Javascript is enabled when
> I first log in. Otherwise the initial login fails and I do it again on
> the second site.
>
> I haven't actually looked at the page sources to see what they do. But
> I have NoScript configured to block all JS by default so the initial
> login attempt always fails. It also reports blocked XSS attempts on both
> pages. So whatever they are doing does not appear to be very safe.
>
> Bob McConnell

Just a thought, but as the session ID normally gets automatically added to
the header request by a browser, could you not add it into the form itself
as you move from one domain to another? Afaik, PHP tends to prefer the
PHPSESSID as an element in the $_COOKIE array (or the $_REQUEST array which
is made up from the cookie as well) so you might be able to do some clever
playing around to achieve the effect?

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] MySql Injection advice
At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
> On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
>
> <snip>
>
>> As for prepared statements, I'm no authority on them, but from what
>> I've read they are not going to be something I'll be practicing
>> anytime soon.
>
> Aside from Stuart's comments about slowness, what else have you read
> that makes you discount the use of prepared statements? The PDO class
> emphasizes that you're safe from SQL injection exploits, which seems a
> big plus.
>
> Paul

Paul:

As I said, I'm no authority. However as I have read, prepared statements
are for a limited set of instructions in MySQL. They can't be used for
everything. Why should I learn one way to do something that isn't universal
in the language?

Additionally, I think the way I sanitize data is sufficient AND I
understand it. *My* learning curve may introduce security problems that I
am not willing to risk, at this moment. As I said, I have more than enough
on my plate to digest -- including learning non-prepared statements in
MySQL.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] MySql Injection advice
On Monday 13 July 2009 14:31:09 tedd wrote:
> At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
>> On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
>>
>> <snip>
>>
>>> As for prepared statements, I'm no authority on them, but from what
>>> I've read they are not going to be something I'll be practicing
>>> anytime soon.
>>
>> Aside from Stuart's comments about slowness, what else have you read
>> that makes you discount the use of prepared statements? The PDO class
>> emphasizes that you're safe from SQL injection exploits, which seems a
>> big plus.
>>
>> Paul
>
> Paul:
>
> As I said, I'm no authority. However as I have read, prepared
> statements are for a limited set of instructions in MySQL. They can't
> be used for everything. Why should I learn one way to do something that
> isn't universal in the language?
>
> Additionally, I think the way I sanitize data is sufficient AND I
> understand it. *My* learning curve may introduce security problems that
> I am not willing to risk, at this moment. As I said, I have more than
> enough on my plate to digest -- including learning non-prepared
> statements in MySQL.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com
> http://ancientstones.com
> http://earthstones.com

Generally speaking, what I have always done to avoid MySQL injection is to
use mysql_real_escape_string() on all variables I'm chucking into the
database. This won't avoid hacks that involve people trying to insert other
types of code into your content, aka XSS, et al, though. What I do for
cases like these is try to be as specific as possible when allowing users
to enter data and try to sanitise it as much as possible. For example, a
name field shouldn't contain anything other than letters, so you can write
a regex for that. Phone number fields should only contain numbers, the odd
+ sign, and sometimes spaces and brackets if your users are really
fastidious with their input.

Sometimes this isn't possible, as in the case of a lot of free-text entry
boxes, so for those you should try and make some attempt to strip out tags
or html encode the data prior to displaying it.

Anyway, that's my take on it, and it seems to work for me, but I'm always
welcome to know of other ways, as I'd prefer being told on the list than
finding out the hard way! :p

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
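The two-part approach Ash describes, as an added example that is not his code: allow-list patterns for fields whose shape is known (name, phone), and HTML encoding at output time for free text, where stripping is not an option. The sample inputs are constructed; the patterns are one reasonable reading of "letters" and "numbers, the odd + sign, spaces and brackets" and are assumptions, not rules from the thread.

```php
<?php
// Added example, not Ash's code: allow-list validation for structured fields and
// output encoding for free text, run over constructed sample inputs.
declare(strict_types=1);

/** Names: a letter in any script, then letters, spaces, apostrophes and hyphens; 1 to 100 characters. */
function valid_name(string $s): bool
{
    return preg_match('/^\p{L}[\p{L} \'\-]{0,99}$/u', $s) === 1;
}

/** Phones: optional leading +, then digits with spaces, brackets and hyphens, and at least 6 digits. */
function valid_phone(string $s): bool
{
    return preg_match('/^\+?[0-9 ()\-]{6,25}$/', $s) === 1
        && preg_match_all('/[0-9]/', $s) >= 6;
}

/** Free text is kept as typed and encoded when rendered into HTML, not before storage. */
function render_text(string $s): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside attribute values;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the kind of thing a registration form receives.
$samples = [
    'name'  => ["Ann O'Brien", 'José Müller-Ortiz', 'Bob <b>', ''],
    'phone' => ['+44 (0)20 7946 0958', '555-0199', '5550100199', 'call me'],
    'text'  => ['<script>alert(1)</script> nice site', "it's 5 > 3 & that's \"fine\""],
];

foreach (['name' => 'valid_name', 'phone' => 'valid_phone'] as $field => $check) {
    foreach ($samples[$field] as $input) {
        printf("%-6s %-28s %s\n", $field, var_export($input, true),
            $check($input) ? 'accepted' : 'rejected');
    }
}
foreach ($samples['text'] as $input) {
    printf("text   %s\n       -> %s\n", $input, render_text($input));
}
```

Validation decides what is accepted and encoding decides how it is displayed; neither replaces parameterised queries for the database write itself, since a perfectly valid name such as O'Brien still contains a quote.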
Re: [PHP] PHP/mysql equivalent of PEAR's tableInfo()??
>> I have this code:
>>
>> $db_billing = mysqli_connect("localhost", "metheuser", "mypass", "billing");
>> if (mysqli_connect_error()) {
>>     die("Can't connect: " . mysqli_connect_error());
>> }
>> mysqli
>> //$dbname = 'billing';
>> $sql = "SHOW TABLES";
>> $result = mysql_query($sql); // line 53
>
> Now mysql, What are you doing?

Yes. 3 lashings. Thanks. I am not likely to neglect again remembering that
mysql and mysqli are different and have different syntax.

Unfortunately I am still in over my head enough to have to ask.. Here is
what I have now:

$db_billing = mysql_connect("localhost", "metheuser", "mypass", "billing");
if (!$db_billing) {
    die('Could not connect: ' . mysql_error());
}
$sql = "SHOW TABLES";
$result = mysql_query($sql);
foreach (mysql_fetch_assoc($result) as $k => $v) { // line 62
    $ssql = "DESCRIBE " . mysql_real_escape_string($v);
    $rresult = mysql_query($ssql);
    echo "<b>" . $k . "</b>:<br />\n";
    echo "<pre>\n";
    print_r(mysql_fetch_assoc($rresult));
    echo "</pre>\n";
    echo "<br />\n";
}

giving this error:

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result
resource in /home/meee/public_html/somedir/test.php on line 62

I read about:
- mysql_fetch_assoc
- mysql_query
- SHOW TABLES

but do not see why this should be failing. Why isn't $result a 'valid MySQL
result resource'?

-G
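Two things in the script above explain the warning. mysql_connect() takes host, user and password; its fourth parameter is the boolean new_link flag, not a database name, so no database is selected, SHOW TABLES fails and mysql_query() returns false, which is the "not a valid MySQL result resource" on line 62. Separately, foreach over mysql_fetch_assoc($result) walks the columns of one row (a single Tables_in_billing => name pair), not the rows of the result. The listing Govinda originally asked for, done with mysqli alone, as an added example that is not Govinda's or Dan's code; the credentials are the thread's placeholders, a reachable MySQL server is assumed, and fetch_all() needs the mysqlnd driver (the default since PHP 5.4).

```php
<?php
// Added example, not Govinda's or Dan's code: list every table and its columns
// using mysqli alone (no PEAR). Connection details are the placeholders from the
// thread; the script needs a reachable MySQL server to run.
declare(strict_types=1);

// Make mysqli throw on failure instead of returning false, so a failed query
// surfaces where it happens rather than as "not a valid result" one line later.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return [table name => list of DESCRIBE rows] for the selected database. */
function describe_database(mysqli $db): array
{
    $out = [];
    $tables = $db->query('SHOW TABLES');
    // Each SHOW TABLES row has a single column (named Tables_in_<db>); read it by position.
    while ($row = $tables->fetch_row()) {
        $table = $row[0];
        // Table names are identifiers, so quote them with backticks (doubling any
        // embedded backtick); real_escape_string() is for string literals, not identifiers.
        $quoted = '`' . str_replace('`', '``', $table) . '`';
        $columns = $db->query('DESCRIBE ' . $quoted);
        $out[$table] = $columns->fetch_all(MYSQLI_ASSOC);
        $columns->free();
    }
    $tables->free();
    return $out;
}

$db = new mysqli('localhost', 'metheuser', 'mypass', 'billing'); // placeholders from the thread
$db->set_charset('utf8mb4');

foreach (describe_database($db) as $table => $columns) {
    echo $table, "\n";
    foreach ($columns as $col) {
        printf("  %-24s %-20s null=%-3s key=%-3s default=%s\n",
            $col['Field'], $col['Type'], $col['Null'], $col['Key'], $col['Default'] ?? 'NULL');
    }
}
$db->close();
```

The fourth constructor argument of mysqli is the database name, which is what the mysql_connect() call above was trying to do; with MYSQLI_REPORT_STRICT a wrong password or a missing database raises a mysqli_sql_exception at the connect instead of failing silently.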
Re: [PHP] Establishing PHP Session From a Different Host
On Mon, Jul 13, 2009 at 9:15 AM, Bob McConnell <r...@cbord.com> wrote:
> From: Daniel Kolbo
>> Daniel Brown wrote:
>>> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo <kolb0...@umn.edu> wrote:
>>>> Hello,
>>>> How does one continue a php session on a different domain (domain B) than the domain (domain A) that started the session?
>>>
>>> Simple answer: you don't.
>>
>> Thanks for the responses.
>>
>> Re: "Simple answer" I thought of another example. My bank's website. I sign in and authenticate with bank.com. Then, I click "credit card" from bank.com and I'm redirected to creditcard.com without me having to re-input user/pass. They clearly do it (granted they have a lot more resources than I do, but I'd still like to know how they are doing it).
>
> My bank also does this, but it only works if Javascript is enabled when I first log in. Otherwise the initial login fails and I do it again on the second site. I haven't actually looked at the page sources to see what they do. But I have NoScript configured to block all JS by default so the initial login attempt always fails. It also reports blocked XSS attempts on both pages. So whatever they are doing does not appear to be very safe.
>
> Bob McConnell

I have seen cases where site A renders a form whose action points to site B with credentials for site B in hidden form elements. Since there are no visible UI elements, it requires Javascript to trigger the form to submit itself. If the credentials are simply the username and password, this seems pretty insecure to me. I'm not sure how much more secure you can make it if you use a one-time token (possibly one that encodes the client's IP address with some other server-side information into a hash?). For this to work, the two systems would have to be able to communicate either through shared data storage or some sort of behind-the-scenes web service.

It can also fail in cases where the form processor on site B depends on some previous state being established with the browser (for example, a particular cookie that must already be set, or only accepting posts with a valid HTTP_REFERER value) before posting the credentials.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
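An added example, not code from Andrew's message or from any bank's site, of the one-time-token handoff he sketches: site A issues a random single-use token bound to the user, an expiry and the client's address and writes it to storage both sites can read; site B redeems it exactly once. The function names, HANDOFF_TTL and the $store array (standing in for the shared storage or web service) are assumptions of this example.

```php
<?php
// Added example (not from the thread): single-use handoff token between two sites.
// $store is a constructed stand-in for shared storage (a table, memcached or a
// back-end web service would fill the same role). The password never leaves site A.

const HANDOFF_TTL = 60;   // seconds a token stays valid; assumption for this example

// Site A: called after the user has authenticated locally.
function issueHandoffToken(array &$store, string $userId, string $clientIp, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256 random bits, unguessable
    $store[hash('sha256', $token)] = [           // store only a hash of the token
        'user'    => $userId,
        'ip_hash' => hash('sha256', $clientIp),  // client binding; keeps raw IPs out of the store
        'expires' => $now + HANDOFF_TTL,
        'used'    => false,
    ];
    return $token;  // this goes into the hidden form field / redirect parameter
}

// Site B: returns the user id on success, or null. The token is consumed on
// first presentation whether or not the checks pass, so it cannot be retried.
function redeemHandoffToken(array &$store, string $token, string $clientIp, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                             // unknown token
    }
    $rec = $store[$key];
    $store[$key]['used'] = true;                 // single use, even if checks below fail
    if ($rec['used'] || $now > $rec['expires']) {
        return null;                             // replayed or expired
    }
    if (!hash_equals($rec['ip_hash'], hash('sha256', $clientIp))) {
        return null;                             // presented from a different client
    }
    return $rec['user'];
}

// Constructed walk-through with fixed timestamps.
$store = [];
$t0 = 1247490000;

$token = issueHandoffToken($store, 'alice', '203.0.113.7', $t0);
var_dump(redeemHandoffToken($store, $token, '203.0.113.7', $t0 + 5));   // string(5) "alice"
var_dump(redeemHandoffToken($store, $token, '203.0.113.7', $t0 + 6));   // NULL: already used

$t2 = issueHandoffToken($store, 'alice', '203.0.113.7', $t0);
var_dump(redeemHandoffToken($store, $t2, '198.51.100.9', $t0 + 5));     // NULL: different client

$t3 = issueHandoffToken($store, 'alice', '203.0.113.7', $t0);
var_dump(redeemHandoffToken($store, $t3, '203.0.113.7', $t0 + 120));    // NULL: expired
```

The address binding is a weak check on its own (clients behind a shared proxy or NAT present the same address, and mobile clients change theirs), so the short lifetime and single use carry most of the weight.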
RE: [PHP] Doubts concerning a general Insert method
> $values[0] will give you the first element of $values, namely array('animal_name'=>'bruce', 'animal_type'=>'dingo').
>
> array_keys will return an array containing the keys from the passed array, so in this case you'll get array('animal_name', 'animal_type').

So... since $values is an associative array of arrays, we will get, on the first key, not an array with 0, 1, like array(0,1), but array('animal_name','animal_type'), yes? When we use implode over this array, we get:

animal_name, animal_type

that is the string that will be passed to be prepared using the PDO prepare().

> After it's finished building $sql use var_dump to look at it. You'll see that the values are specified as :animal_name and :animal_type. The : indicates to PDO that these are replaceable values.

Yes. And normally, to fill those replaceable values, I used to use bindParam(); I like this bindParam method because we can then use PDO::PARAM_INT and PDO::PARAM_STR to more accurately control the data type flow...

> The foreach will go through the $values array and for each row it will pass the data (e.g. array('animal_name'=>'bruce', 'animal_type'=>'dingo') for the first time round the loop) to the execute function which will effectively replace those elements in the SQL statement and execute it.

Ok, so:

Our $sql will be:
INSERT INTO $table (animal_name, animal_type) VALUES (:animal_name, :animal_type)

We then prepare this $sql by doing: prepare($sql); and the value of this preparation will be kept in a variable named $stmt.

Finally, in the foreach, we will grab each value of the $values array and keep it in a variable called $vals. The $vals will contain this on the first occurrence of the loop:
array('animal_name'=>'bruce', 'animal_type'=>'ding')
and then the var $vals will have this on the second occurrence of the loop:
array('animal_name'=>'bruce', 'animal_type'=>'kanguro')
etc.

At the end of each of these loops, we will process the execute (that will send the statement to the database).
$stmt->execute(array('animal_name'=>'bruce', 'animal_type'=>'kanguro'));

So this execute will do A LOT: it will take away the 'array(' part, will see the keys of these arrays (e.g. animal_name and animal_type), compare them with the placeholder names given in the prepare statement and replace the placeholder names with the values inside each of these array keys.

Is this correct?

Regards,
Márcio

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Doubts concerning a general Insert method
2009/7/13 MEM <tal...@gmail.com>:
>> $values[0] will give you the first element of $values, namely array('animal_name'=>'bruce', 'animal_type'=>'dingo').
>>
>> array_keys will return an array containing the keys from the passed array, so in this case you'll get array('animal_name', 'animal_type').
>
> So... since $values is an associative array of arrays, we will get, on the first key, not an array with 0, 1, like array(0,1), but array('animal_name','animal_type'), yes? When we use implode over this array, we get:
>
> animal_name, animal_type
>
> that is the string that will be passed to be prepared using the PDO prepare().

Indeed.

>> After it's finished building $sql use var_dump to look at it. You'll see that the values are specified as :animal_name and :animal_type. The : indicates to PDO that these are replaceable values.
>
> Yes. And normally, to fill those replaceable values, I used to use bindParam(); I like this bindParam method because we can then use PDO::PARAM_INT and PDO::PARAM_STR to more accurately control the data type flow...

I'm not overly familiar with PDO, but I believe that's an alternative way to do it. The execute method lets you do it in one method call.

>> The foreach will go through the $values array and for each row it will pass the data (e.g. array('animal_name'=>'bruce', 'animal_type'=>'dingo') for the first time round the loop) to the execute function which will effectively replace those elements in the SQL statement and execute it.
>
> Ok, so:
>
> Our $sql will be:
> INSERT INTO $table (animal_name, animal_type) VALUES (:animal_name, :animal_type)
>
> We then prepare this $sql by doing: prepare($sql); and the value of this preparation will be kept in a variable named $stmt.
>
> Finally, in the foreach, we will grab each value of the $values array and keep it in a variable called $vals. The $vals will contain this on the first occurrence of the loop:
> array('animal_name'=>'bruce', 'animal_type'=>'ding')
> and then the var $vals will have this on the second occurrence of the loop:
> array('animal_name'=>'bruce', 'animal_type'=>'kanguro')
> etc.
>
> At the end of each of these loops, we will process the execute (that will send the statement to the database).
> $stmt->execute(array('animal_name'=>'bruce', 'animal_type'=>'kanguro'));
>
> So this execute will do A LOT: it will take away the 'array(' part, will see the keys of these arrays (e.g. animal_name and animal_type), compare them with the placeholder names given in the prepare statement and replace the placeholder names with the values inside each of these array keys.
>
> Is this correct?

Indeed.

-Stuart

-- 
http://stut.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: RFC/Survey for Our Newer Folks (Including Lurkers)
Per Jessen wrote:
> pan wrote:
>> Urgh ! What do I tell them?
>
> How about what you started with here:
>> The information and support of php on windows is not as good.

Overcoming resistance to open source software that runs on windows is easy. Overcoming the belief that it's a windows world is more difficult. I can show the values of php through the point of view windows offers. Getting phbs to look at non-MS OSs is not easy. It's a matter of one step at a time and choose your battles. Cost/benefit analysis is not enough. phbs do not understand or trust non-MS OSs. They do trust results and as long as win versions of php are available and well maintained I've got plenty to show them.

What they know is that the pecl4windows website doesn't exist anymore. They know no new extension package has been offered. They believe new extensions, whether beta or not, are not likely to become available. They know that 1st quarter 2009 was to see windows.php.net be ready. They think delays == vaporware. They also believe that there is indifference (if not outright hostility) to php/win in the php developer community.

Personally, I could care less about further entrenchment of windows in the business world. I'd like to see MS disappear. Unfortunately, these issues are real. If the point is to alienate businesses with a "who cares about windows" attitude, then why bother with win-php at all? If there is merit to introducing open source to current windows users, then why make it difficult to do so?

Just looking to make life easier. Don't blame me for the attitudes of those who pay me. (And, no - compiling extensions is not an option).

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] RFC/Survey for Our Newer Folks (Including Lurkers)
That's exactly how I enlisted here. I usually follow threads and even sometimes reply. I've been here about 90 days (I suppose). The list is really interesting, but I was expecting more ninja threads. I know this list is wide open to anyone, ninja or newbie, but I was expecting more. Anyway I'm really happy to be part of it.

Mrtn

ps. top-posting xD

On Sun, Jul 12, 2009 at 4:54 AM, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:
> I was using the php.net website for ages for syntax reference, saw the mailing list and figured why not. No amazing story, but now you're all stuck with me :p
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

-- 
Martin Scotta

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Doubts concerning a general Insert method
Nice. :-)

Thanks a lot Stuart for your time and explanations. Now that I have understood, I will try to move on, and understand how we can introduce bindParam on it:

For a recall, here is the original class:

public function dbInsert($table, $values)
{
    $this->conn();
    $fieldnames = array_keys($values[0]);
    $size = sizeof($fieldnames);
    $i=1;
    //construction of the prepared statement
    $sql = "INSERT INTO $table";
    $fields = '( ' . implode(' ,', $fieldnames) . ' )';
    $bound = '(:' . implode(', :', $fieldnames) . ' )';
    $sql .= $fields.' VALUES '.$bound;
    //prepares the statement and saves it in variable $stmt
    $stmt = $this->db->prepare($sql);
    foreach($values as $vals) {
        $stmt->execute($vals);
    }
}

However I do have some questions that maybe someone more experienced than me could easily solve:

1) The bindParams should look similar to this:

$stmt->bindParam(':animal_name', $animals->getName(), PDO::PARAM_STR );
$stmt->bindParam(':animal_type', $animals->getType(), PDO::PARAM_STR );

So, instead of looping through an array of values, I will do it for objects, something like:

foreach($animals->listaAnimals() as $row) ...

Can I have some words on this so that I can properly try to add bindParam on this class method.

2) I also need to have a way to add PDO::PARAM_STR if the value is a string or PDO::PARAM_INT if the value is int, PDO::PARAM_BOOL etc... Is there a way to control this? Using something like is_integer() and is_string(), inside an if statement perhaps? If so, what about the Boolean?

Thanks a lot,
Márcio

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
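An added example, not Stuart's or Márcio's class, covering both the walk-through earlier in this thread and the two questions just asked: the same INSERT builder, with every value bound through bindValue() and a PDO::PARAM_* constant chosen from its PHP type, plus a check on the table and column names spliced into the SQL, which placeholders never cover. The function names, the animals table and the sample rows are constructed for this example; it runs on pdo_sqlite so it can be tried offline.

```php
<?php
// Added example (not the class from the thread). Placeholders protect values only;
// $table and the column names come from array keys, so they are validated
// against a strict pattern before being quoted into the statement.

function quoteIdentifier(string $name): string
{
    // Constructed rule for this example: identifiers are [A-Za-z_][A-Za-z0-9_]*
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Unsafe identifier: $name");
    }
    return '"' . $name . '"';   // ANSI quoting; MySQL would use backticks
}

function pdoTypeFor($value): int
{
    // Question 2 above: pick the PDO::PARAM_* constant from the PHP type.
    if (is_null($value)) return PDO::PARAM_NULL;
    if (is_bool($value)) return PDO::PARAM_BOOL;
    if (is_int($value))  return PDO::PARAM_INT;
    return PDO::PARAM_STR;      // floats and strings are sent as strings
}

function dbInsert(PDO $db, string $table, array $rows): int
{
    if ($rows === []) {
        return 0;
    }
    $fieldnames = array_keys($rows[0]);
    $fields = implode(', ', array_map('quoteIdentifier', $fieldnames));
    $bound  = ':' . implode(', :', $fieldnames);
    $sql = 'INSERT INTO ' . quoteIdentifier($table) . " ($fields) VALUES ($bound)";
    $stmt = $db->prepare($sql);

    $inserted = 0;
    foreach ($rows as $vals) {
        // Every row must carry exactly the columns the statement was prepared for.
        if (array_keys($vals) !== $fieldnames) {
            throw new InvalidArgumentException('Row keys do not match prepared columns');
        }
        // Question 1 above: bindValue() (not bindParam) accepts expressions such as
        // $animal->getName(), because bindParam binds by reference and needs a variable.
        foreach ($vals as $name => $value) {
            $stmt->bindValue(':' . $name, $value, pdoTypeFor($value));
        }
        $stmt->execute();
        $inserted += $stmt->rowCount();
    }
    return $inserted;
}

// Constructed sample schema and data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE animals (animal_name TEXT, animal_type TEXT, legs INTEGER, tame INTEGER)');

$count = dbInsert($db, 'animals', [
    ['animal_name' => 'bruce', 'animal_type' => 'dingo',    'legs' => 4, 'tame' => false],
    ['animal_name' => 'bruce', 'animal_type' => 'kangaroo', 'legs' => 2, 'tame' => true],
]);
echo "inserted $count rows\n";   // inserted 2 rows

// The identifier check rejects a table name that is not a plain identifier
// before it can reach the query string.
try {
    dbInsert($db, 'animals; --', [['animal_name' => 'x']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // Unsafe identifier: animals; --
}
```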
RE: [PHP] open source event calendar
Hello,

I am looking to create a web event calendar for a company, I believe google is more individual calendar based, right? I have also seen the others recommended here, but looking for something a little cleaner, any suggestions?

Thanks!

From: kranthi [mailto:kranthi...@gmail.com]
Sent: Friday, July 10, 2009 3:35 AM
To: Joey
Cc: PHP
Subject: Re: [PHP] open source event calendar

> that depends upon your need. embedding google calendar is best for starters
RE: [PHP] PHP not running properly
We are running Windows Server 2003.

1. Changed that
2. <?phpinfo();?>

Togrul Mamedbekov
Marketing Publishing Assistant
(Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
http://www.iadc.org

_____
From: Zareef Ahmed [mailto:zareef.ah...@gmail.com]
Sent: Friday, July 10, 2009 19:38
To: Bastien Koert
Cc: Daniel Brown; Togrul Mamedbekov; php-general@lists.php.net
Subject: Re: [PHP] PHP not running properly

A quick checklist/todo list :

1. set display_errors=yes in php.ini
2. Make sure you are using the full <?php tag to write your script.

For a good solution you should also mention your OS/Web Server

Zareef Ahmed

On Sat, Jul 11, 2009 at 1:53 AM, Bastien Koert <phps...@gmail.com> wrote:
> On Fri, Jul 10, 2009 at 4:17 PM, Daniel Brown <danbr...@php.net> wrote:
>> On Fri, Jul 10, 2009 at 15:44, Togrul Mamedbekov <togrul.mamedbe...@iadc.org> wrote:
>>> Hello Sir or Madam,
>>> We just updated our PHP 5.2 software. And when I try to run the php info script! I get a blank screen!
>>
>> What do you see when you view the source of the page with phpinfo() ?
>>
>> --
>> /Daniel P. Brown
>> daniel.br...@parasane.net || danbr...@php.net
>> http://www.parasane.net/ || http://www.pilotpig.net/
>> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
>
> Your error handling is logging the errors, not displaying them to the screen. Check the php ini file settings for that.
>
> --
> Bastien
> Cat, the other other white meat

--
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
Re: [PHP] PHP not running properly
2. Try <?php phpinfo(); ?>

On Mon, Jul 13, 2009 at 3:47 PM, Togrul Mamedbekov <togrul.mamedbe...@iadc.org> wrote:
> We are running Windows Server 2003.
>
> 1. Changed that
> 2. <?phpinfo();?>
>
> Togrul Mamedbekov
> Marketing Publishing Assistant
> (Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
> http://www.iadc.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP not running properly
On Mon, 2009-07-13 at 15:50 -0300, Jonathan Tapicer wrote:
> 2. Try <?php phpinfo(); ?>
>
> On Mon, Jul 13, 2009 at 3:47 PM, Togrul Mamedbekov <togrul.mamedbe...@iadc.org> wrote:
>> We are running Windows Server 2003.
>>
>> 1. Changed that
>> 2. <?phpinfo();?>

I was just about to say, there is your problem.

Although your php.ini may be set up to allow short tags, it will not complain if the full start tag <?php is there either. As you had no space between <? and the phpinfo(); the web server was matching the full tag, and then hitting an error as you'd left no whitespace after it.

Just an aside, it's recommended you turn off short tags inside of your php.ini if you want to do anything with XML files inside of your PHP scripts.

Thanks
Ash
www.ashleysheridan.co.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP not running properly
Working now :) Thanks!

Togrul Mamedbekov
Marketing Publishing Assistant
(Tel: +1-(713)-292-1945 / Fax: +1-(713)-292-1946
http://www.iadc.org

-----Original Message-----
From: Jonathan Tapicer [mailto:tapi...@gmail.com]
Sent: Monday, July 13, 2009 13:51
To: Togrul Mamedbekov
Cc: Zareef Ahmed; Bastien Koert; Daniel Brown; php-general@lists.php.net
Subject: Re: [PHP] PHP not running properly

2. Try <?php phpinfo(); ?>

On Mon, Jul 13, 2009 at 3:47 PM, Togrul Mamedbekov <togrul.mamedbe...@iadc.org> wrote:
> We are running Windows Server 2003.
>
> 1. Changed that
> 2. <?phpinfo();?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MySql Injection advice
On July 13, 2009 09:48:54 am Haig Dedeyan wrote:
> On Monday 13 July 2009 14:31:09 tedd wrote:
>> At 3:53 PM -0400 7/12/09, Paul M Foster wrote:
>>> On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:
>>> <snip>
>>>> As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing anytime soon.
>>>
>>> Aside from Stuart's comments about slowness, what else have you read that makes you discount the use of prepared statements? The PDO class emphasizes that you're safe from SQL injection exploits, which seems a big plus.
>>>
>>> Paul
>>
>> Paul:
>>
>> As I said, I'm no authority. However as I have read, prepared statements are for a limited set of instructions in MySQL. They can't be used for everything. Why should I learn one way to do something that isn't universal in the language?
>>
>> Additionally, I think the way I sanitize data is sufficient AND I understand it. *My* learning curve may introduce security problems that I am not willing to risk, at this moment. As I said, I have more than enough on my plate to digest -- including learning non-prepared statements in MySQL.
>>
>> Cheers,
>>
>> tedd
>> --
>> -------
>> http://sperling.com
>> http://ancientstones.com
>> http://earthstones.com
>
> Generally speaking, what I have always done to avoid MySQL injection is to use mysql_real_escape_string() on all variables I'm chucking into the database. This won't avoid hacks that involve people trying to insert other types of code into your content, aka XSS, et al, though. What I do for cases like these is try to be as specific as possible when allowing users to enter data and try to sanitise it as much as possible. For example, a name field shouldn't contain anything other than letters, so you can write a regex for that. Phone number fields should only contain numbers, the odd + sign, and sometimes spaces and brackets if your users are really fastidious with their input.
>
> Sometimes this isn't possible, as in the case of a lot of free-text entry boxes, so for those you should try and make some attempt to strip out tags or html encode the data prior to displaying it.
>
> Anyway, that's my take on it, and it seems to work for me, but I'm always welcome to know of other ways, as I'd prefer being told on the list than finding out the hard way! :p
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

Hi Ashley,

for the phone #'s, I'm using int as the data type storing each part of the phone # in its own cell. When it gets displayed, I add a dash in between each part of the phone #'s (country code-area code-1st set of digits-last set of digits)

Cheers
Haig
Re: [PHP] MySql Injection advice
On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan <hdede...@videotron.ca> wrote:
> Hi Ashley,
>
> for the phone #'s, I'm using int as the data type storing each part of the phone # in its own cell. When it gets displayed, I add a dash in between each part of the phone #'s (country code-area code-1st set of digits-last set of digits)
>
> Cheers
> Haig

I too store them as an int but then create a mask to show the user the correct format based on country

-- 
Bastien
Cat, the other other white meat

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MySql Injection advice
On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote:
> On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan <hdede...@videotron.ca> wrote:
>> Hi Ashley,
>>
>> for the phone #'s, I'm using int as the data type storing each part of the phone # in its own cell. When it gets displayed, I add a dash in between each part of the phone #'s (country code-area code-1st set of digits-last set of digits)
>>
>> Cheers
>> Haig
>
> I too store them as an int but then create a mask to show the user the correct format based on country
>
> --
> Bastien
> Cat, the other other white meat

What about other data? Is what I'm doing already sufficient do you think?

Thanks
Ash
www.ashleysheridan.co.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MySql Injection advice
On Mon, Jul 13, 2009 at 5:52 PM, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:
> On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote:
>> I too store them as an int but then create a mask to show the user the correct format based on country
>
> What about other data? Is what I'm doing already sufficient do you think?
>
> Thanks
> Ash
> www.ashleysheridan.co.uk

I think it all comes down to how you view the data and the validation routines. I keep those separate from the sanitation routines as my validations need to be more fluid (thinking about dates: life date (basically the last 100 years) vs event date (not in the past, but within the next 24 hours (depends on where the client locations are)).

From a sanitation perspective, I don't have any issues with what you are doing and in many cases I do the same thing. I just have extra validation on other factors of the data.

-- 
Bastien
Cat, the other other white meat

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MySql Injection advice
tedd wrote:

At 3:53 PM -0400 7/12/09, Paul M Foster wrote:

On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote:

snip

As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing anytime soon.

Aside from Stuart's comments about slowness, what else have you read that makes you discount the use of prepared statements? The PDO class emphasizes that you're safe from SQL injection exploits, which seems a big plus.

Paul

Paul:

As I said, I'm no authority. However as I have read, prepared statements are for a limited set of instructions in MySQL. They can't be used for everything. Why should I learn one way to do something that isn't universal in the language?

They are useful for select, insert, and update queries, which are the three most common types of queries in web applications and are most often used for SQL injection.

I personally use the MDB2 database abstraction layer. Here's how it's done -

    $types = Array('integer', 'text');
    $q = "SELECT something,else FROM table WHERE id > ? AND type=?";
    $sql = $mdb2->prepare($q, $types, MDB2_PREPARE_RESULT);
    $args = Array($someinput, $someotherinput);
    $rs = $sql->execute($args);

Here's the non prepared way

    $sql = "SELECT something,else FROM table WHERE id > $someinput AND type='$someotherinput'";
    $rs = $mdb2->query($sql);

The two are very similar syntax, just a few extra steps required for prepared statements - and if the query is performed multiple times with different arguments, you can re-use the prepared statement and don't have to make it again.

The first has sql injection protection automatically for the two arguments, the second requires that you first sanitize the two arguments - which is where mysql_real_escape_string comes in - but as soon as you use that mysql specific function, your code no longer is as easily portable to other databases.

Prepared statements may be a minor performance hit but I suspect if it is even noticeable, you are at the edge of what your server can handle and either need hardware update, infrastructure update (i.e. dedicated sql servers and load balancing), or code optimization that probably will find bigger issues than sql prepared statements.

Using a cache (i.e. APC or memcached) for commonly performed queries makes the speed difference between the two only matter when the query isn't cached.
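To make the "the first has sql injection protection automatically" point concrete, here is an added example (not code from anyone in the thread) that runs the same two-argument query both ways with PDO, which Paul mentioned, against an in-memory SQLite database so it works offline. The table name `items`, its rows and the inputs are constructed for the demonstration; the query shape mirrors the MDB2 snippet above.

```php
<?php
// Added example: interpolated query versus PDO prepared statement.
// Uses SQLite in memory so it runs without a MySQL server; the schema,
// rows and inputs below are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, something TEXT, type TEXT)");
$pdo->exec("INSERT INTO items (something, type) VALUES ('a', 'public'), ('b', 'public'), ('c', 'secret')");

// Non prepared way: the inputs are pasted into the SQL text, so anything
// the user types becomes part of the query grammar.
function rowsInterpolated(PDO $pdo, $someinput, $someotherinput)
{
    $sql = "SELECT something FROM items WHERE id > $someinput AND type='$someotherinput'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared way: the SQL is parsed first with placeholders, the values are
// bound afterwards, so they can only ever be treated as data.
function rowsPrepared(PDO $pdo, $someinput, $someotherinput)
{
    $stmt = $pdo->prepare("SELECT something FROM items WHERE id > ? AND type = ?");
    $stmt->bindValue(1, (int) $someinput, PDO::PARAM_INT);   // 'integer' in MDB2 terms
    $stmt->bindValue(2, $someotherinput, PDO::PARAM_STR);    // 'text' in MDB2 terms
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Ordinary input: both functions return the two 'public' rows.
var_dump(rowsInterpolated($pdo, 0, 'public'));
var_dump(rowsPrepared($pdo, 0, 'public'));

// Hostile input for the text argument. In the interpolated version the
// WHERE clause now ends in "OR '1'='1'", which is true for every row, so the
// 'secret' row comes back as well. The prepared version compares type to the
// literal string "public' OR '1'='1" and matches nothing.
$hostile = "public' OR '1'='1";
var_dump(rowsInterpolated($pdo, 0, $hostile));
var_dump(rowsPrepared($pdo, 0, $hostile));
```

One caveat when the same code is pointed at MySQL: PDO's MySQL driver emulates prepared statements client-side by default; setting `PDO::ATTR_EMULATE_PREPARES` to false makes it use the server's native prepared statements, which is what the performance discussion above is about. Either mode keeps the data/grammar separation shown here.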
[PHP] mod primary key field - newbie question
newbie question ...

I have a MySQL table where I want to update (renumber) the primary numeric key field.

- I successfully turned field off as a primary key index and UN auto incremented it
- then created new sequential numbers for it
- then turned back on primary key index and re added auto increment in

BUT when I make a new record it does NOT start where new numbers stop

last is 51
next should be 52
but jumps to 157

Q: is there a way to reset the NEXT SERIAL ID NUMBER somewhere?

how do I fix this?

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]
Re: [PHP] mod primary key field - newbie question
Sounds like you want to set the auto increment. To do that, use this query:

    alter table `table_name` auto_increment 1;

That will reset it to one. Although I've never tried it, I assume you can give it another value.

Take care,
Floyd

On Jul 13, 2009, at 5:35 PM, c...@hosting4days.com wrote:

newbie question ...

I have a MySQL table where I want to update (renumber) the primary numeric key field.

- I successfully turned field off as a primary key index and UN auto incremented it
- then created new sequential numbers for it
- then turned back on primary key index and re added auto increment in

BUT when I make a new record it does NOT start where new numbers stop

last is 51
next should be 52
but jumps to 157

Q: is there a way to reset the NEXT SERIAL ID NUMBER somewhere?

how do I fix this?

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]
[PHP] FW: accidentally chown -R mysql /var/lib, so wrote a script to fix them
Figured I'd throw this into the intertubes so it's archived and maybe useful for someone else, since I couldn't find a script that did this already...

-Original Message-
From: Daevid Vincent [mailto:dae...@daevid.com]
Sent: Monday, July 13, 2009 4:06 PM
To: 'sv...@lists.svlug.org'
Subject: RE: accidentally chown -R mysql /var/lib

Well, I just wrote a little script and ran it against the three Ubuntu boxen I have access to, and then just ran the output against my own 'broken' box...

-- 8< snip 8< ---
#!/usr/bin/php
<?php
error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING); //E_WARNING because the posix_* seems to puke on symlinks ?!

// Walk $base recursively and print a chown line for every entry
// that is not owned by root:root.
function rootscan($base='', $data=array())
{
    $array = array_diff(scandir($base), array('.', '..'));
    foreach ($array as $value) {
        $bv = $base.$value;
        // lstat() reports the owner of a symlink itself rather than its
        // target, which is what fileowner()/filegroup() choke on
        $st = lstat($bv);
        $pw = posix_getpwuid($st['uid']);
        $owner = $pw ? $pw['name'] : $st['uid'];   // fall back to the numeric id
        $gr = posix_getgrgid($st['gid']);
        $group = $gr ? $gr['name'] : $st['gid'];
        if ($owner != 'root' || $group != 'root') {
            // -h so chown changes the link itself, not what it points at
            echo 'chown '.(is_link($bv) ? '-h ' : '').$owner.':'.$group.' '.$bv."\n";
        }
        if (is_link($bv)) {
            $data[] = $bv;   // recorded, but never followed (avoids symlink loops)
        } elseif (is_dir($bv)) {
            $data[] = $bv.'/';
            $data = rootscan($bv.'/', $data);
        } elseif (is_file($bv)) {
            $data[] = $bv;
        }
    }
    return $data;
}

rootscan('/var/lib'.'/');
?>
-- 8< snip 8< ---

It produces a bunch of lines like this:

vince...@gabriel:~$ sudo ./dirfix.php
chown root:polkituser /var/lib/PolicyKit
chown root:polkituser /var/lib/PolicyKit/user-haldaemon.auths
chown polkituser:root /var/lib/PolicyKit-public
chown avahi-autoipd:avahi-autoipd /var/lib/avahi-autoipd
chown root:gdm /var/lib/gdm
chown libuuid:libuuid /var/lib/libuuid
chown polkituser:polkituser /var/lib/misc/PolicyKit.reload
chown root:mlocate /var/lib/mlocate/mlocate.db
chown mysql:mysql /var/lib/mysql
...
chown postfix:postfix /var/lib/postfix
chown postfix:postfix /var/lib/postfix/master.lock
chown root:sambashare /var/lib/samba/usershares

-Original Message-
From: Daevid Vincent [mailto:dae...@daevid.com]
Sent: Monday, July 13, 2009 2:38 PM
To: 'sv...@lists.svlug.org'
Subject: accidentally chown -R mysql /var/lib

Yes, I was setting up a new Ubuntu 9.04 box for the past couple days, and today when copying a 70GB database from an old server to the new one, I accidentally did this (well, the equiv of anyways):

chown -R mysql:mysql /var/lib

Instead of

chown -R mysql:mysql /var/lib/mysql

So I've reverted to:

chown -R root:root /var/lib

Does anyone know of a script or something that will fix all the directories to their proper owner/group again?

If not, I have a 9.04 box next to me that has a pristine /var/lib tree (just not all the same packages that the new box had). Is there some script-fu that I can run on the good box that will show me all the owner/groups that are NOT root:root, so I can manually adjust. Doing a random quick poke at various directories, I don't see all that many, so I expect the result list won't be that much.

...there is always the possibility of just re-installing, but obviously I prefer not to do that if I don't have to and waste another day re-setting stuff up (should be quicker thanks to .tgz though)

And before anyone decides to be a smart alec, no, of course I hadn't done backups. ;-) But even if I did, I don't generally backup the entire system, only the core dirs like /etc, /home, /var/lib/mysql, etc...

http://daevid.com/content/examples/daily_backup.php
Re: [PHP] mod primary key field - newbie question
On Mon, Jul 13, 2009 at 17:35, c...@hosting4days.comc...@hosting4days.com wrote:

newbie question ...

I have a MySQL table where I want to update (renumber) the primary numeric key field.

The response you received from Floyd was accurate, but next time, please keep these kinds of questions on the appropriate lists. This wasn't on-topic or PHP-related, but instead should've been asked on the MySQL list at my...@lists.mysql.com.

--
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
[PHP] How to create Data Auto-Filters using PEAR Spreadsheet Writer ?
Hello All,

Is there a way to create Data Auto-Filters using PEAR's Spreadsheet Writer?

Thanks
saqib
http://www.capital-punishment.us
[PHP] Launch Windows Program from PHP
I'm probably just not Googling right...

Short version: How can I launch a program for the current user sitting in front of a windows web server?

Longer version: I've written a PHP app to migrate data from the FoxPro version of our product to the upcoming MySQL version. I have a self contained setup on an XP box consisting of XAMPP, DBConvert (a data conversion program) and the ODBTP client/server. Phase 1 is a PHP app that pre-preps the data through ODBTP to a local FoxPro DBC. Phase 2 is the DBConvert and Phase 3 is a PHP app again doing post-conversion stuff in MySQL.

To help in automating the whole shebang I'd like to automatically launch DBConvert with a command line argument (for the right data conversion stored session). Whenever I Google I find stuff about launching background tasks or using things like popen to launch processes inside the web server. I don't care if the owner of the process is the user at the keyboard, just that they can interact with it.

And if it's Christmas and I can get everything I want :)... I'd love for PHP to be able to watch the process and stay resident until it exits so at that point I can send a final bit of javascript that will cause phase 3 to automatically start.

Any ideas?

Thanks!
Matt
RE: [PHP] mod primary key field - newbie question
-Original Message-
From: Floyd Resler [mailto:fres...@adex-intl.com]
Sent: Monday, July 13, 2009 5:41 PM
To: c...@hosting4days.com
Cc: php-general@lists.php.net
Subject: Re: [PHP] mod primary key field - newbie question

Sounds like you want to set the auto increment. To do that, use this query:

    alter table `table_name` auto_increment 1;

That will reset it to one. Although I've never tried it, I assume you can give it another value.

Take care,
Floyd

On Jul 13, 2009, at 5:35 PM, c...@hosting4days.com wrote:

newbie question ...

I have a MySQL table where I want to update (renumber) the primary numeric key field.

- I successfully turned field off as a primary key index and UN auto incremented it
- then created new sequential numbers for it
- then turned back on primary key index and re added auto increment in

BUT when I make a new record it does NOT start where new numbers stop

last is 51
next should be 52
but jumps to 157

Q: is there a way to reset the NEXT SERIAL ID NUMBER somewhere?

how do I fix this?

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]

alter table `table_name` auto_increment 1;

Correct, you can give it any value you wish it to start FROM. i.e. if you pass 51 as the value then the next auto increment value will be 52.
Re: [PHP] MySql Injection advice
On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyanhdede...@videotron.ca wrote:

for the phone #'s, I'm using int as the data type storing each part of the phone # in its own cell, When it gets displayed, I add a dash in between each part of the phone #'s (country code-area code-1st set of digits-last set of digits)

Cheers
Haig

I disagree. Telephone numbers are not actually numbers; they are sequences of numeric digits. Unlike IP addresses where 10.0.0.1 is equivalent to 010.000.000.001, leading zeros are significant; they are part of the data, not just padding to be inserted automatically by the database or by a formatting function in the presentation layer. When you validate an area code in the North American numbering plan, do you validate that it is a number between 1 and 999 or do you validate that it is a string of exactly 3 decimal-digit characters long? Expand that to international phone numbers, and the zeros become even more significant since you can't easily make assumptions about the length of various segments in a phone number.

Sorry, but I just don't see any advantage to storing them as integers.

Andrew
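Pulling together the validation points from this thread (Ashley's phone and free-text fields, Bastien's "life date" range check kept apart from sanitation, Andrew's digit-string argument), here is an added example that is not code from any poster. It shows input validation written as field-specific checks, with HTML escaping left to display time, and demonstrates why an integer column loses the leading zero Andrew is talking about. The function names and the sample values are constructed for the example.

```php
<?php
// Added example: validation on the way in, escaping on the way out.
// Function names and sample inputs are constructed for this demo.

// A phone number segment is a string of exactly $len decimal digits.
// Leading zeros are part of the data, so it is never converted to int.
function validatePhonePart($value, $len)
{
    return is_string($value) && preg_match('/^[0-9]{' . $len . '}$/', $value) === 1;
}

// Free-text field: the content is kept as typed; only line endings are
// normalised and an upper bound on length is enforced. Returns the
// normalised text, or false if the input is unacceptable.
function validateFreeText($value, $maxBytes = 1000)
{
    if (!is_string($value)) {
        return false;
    }
    $value = str_replace(array("\r\n", "\r"), "\n", $value);
    if (strlen($value) > $maxBytes) {
        return false;
    }
    return $value;
}

// "Life date": a real calendar date within the last 100 years.
// The round trip through format() rejects dates like 2009-02-30 that
// createFromFormat() would otherwise silently roll over.
function validateLifeDate($ymd)
{
    $d = DateTime::createFromFormat('!Y-m-d', $ymd);
    if (!$d || $d->format('Y-m-d') !== $ymd) {
        return false;
    }
    $today = new DateTime('today');
    $floor = clone $today;
    $floor->modify('-100 years');
    return $d >= $floor && $d <= $today;
}

// Output escaping belongs at display time, for the HTML context; the
// stored value stays as the user typed it.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- constructed inputs ---------------------------------------------------
$areaCode = '012';                       // leading zero is significant
var_dump(validatePhonePart($areaCode, 3)); // accepted as a 3-digit string
var_dump((int) $areaCode);                 // casting to int drops the zero
var_dump(validatePhonePart('12', 3));      // too short, rejected
var_dump(validatePhonePart('0a2', 3));     // non-digit, rejected

var_dump(validateLifeDate('1975-06-30'));  // within the last 100 years
var_dump(validateLifeDate('2009-02-30'));  // not a real date
var_dump(validateLifeDate('1800-01-01'));  // too far in the past

$comment = validateFreeText("Nice site <script>alert(1)</script>\r\nthanks");
// The tags are kept in the stored value; they are neutralised only when
// rendered, by escaping for HTML at output time.
echo h($comment), "\n";
```

The split mirrors Bastien's point: the validation rules (digit count, date range) change per field and per deployment, while the escaping rule depends only on the output context, so keeping them as separate functions lets each change without touching the other.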