[PHP] Re: [PHP-DB] PHP Database Problems -- Code Snippets

2012-05-02 Thread Christopher Jones


I noticed the use of SQL concatenation like:


$allowed_fields = array(
    'Site'   => $_POST['Site'],
    'MedRec' => $_POST['MedRec'],
    'Fname'  => $_POST['Fname'],
    'Lname'  => $_POST['Lname'],
    'Phone'  => $_POST['Phone'],
    'Sex'    => $_POST['Sex'],
    'Height' => $_POST['Height']
);

if (empty($allowed_fields)) {
    echo "ouch";
}

$query = "select * from Intake3 where 1 ";

foreach ($allowed_fields as $key => $val) {
    if ($val != '') {
        // request value is interpolated straight into the SQL text
        $query .= " AND ($key = '$val') ";
    }
    $result1 = mysqli_query($cxn, $query);   // runs on every iteration
}


and like


$query2 = "select * from Visit3 where 1 AND (Site = 'AA') AND (MedRec = $_GLOBALS[mdr])";


This is a SQL Injection security risk.  There is a lot of material
on the web about this, e.g
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

I cannot strongly enough suggest you rewrite the app to mitigate
against this issue.

Also, set error_reporting = E_ALL | E_STRICT in your php.ini file to
help you identify some of your other code issues.

Chris

--
christopher.jo...@oracle.com
http://twitter.com/#!/ghrd

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
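What a parameterized rewrite of the two quoted snippets looks like, as an added example that is not code from this thread or from the original poster. It assumes $cxn is an open mysqli connection, that the Intake3 and Visit3 tables and the column names are as in the quoted code, PHP 5.6 or later (argument unpacking), and the mysqlnd driver for mysqli_stmt_get_result(); $mdr stands in for the value the original read from $GLOBALS. Column names cannot be bound as parameters, so the example fixes the permitted columns in code and binds only the values.

```php
<?php
// Added example, not code from the original thread. Assumes $cxn is an open
// mysqli connection, PHP >= 5.6 and mysqlnd; table/column names follow the
// quoted code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The only column names that may ever appear in the SQL text. Nothing taken
// from $_POST is ever concatenated into the query string.
$searchable_columns = array('Site', 'MedRec', 'Fname', 'Lname', 'Phone', 'Sex', 'Height');

/**
 * Build "SELECT * FROM Intake3 WHERE 1 AND (col = ?) ..." with one placeholder
 * per whitelisted column the request supplied a non-empty value for.
 * Returns the SQL, the bind_param() type string and the values to bind.
 */
function build_intake_query(array $columns, array $input)
{
    $sql    = 'SELECT * FROM Intake3 WHERE 1';
    $types  = '';
    $params = array();
    foreach ($columns as $column) {
        if (!isset($input[$column]) || $input[$column] === '') {
            continue;
        }
        $sql     .= " AND ($column = ?)";   // $column comes from our list, not the request
        $types   .= 's';                    // every value is bound as a string
        $params[] = $input[$column];
    }
    return array($sql, $types, $params);
}

list($sql, $types, $params) = build_intake_query($searchable_columns, $_POST);

$stmt = mysqli_prepare($cxn, $sql);
if ($params) {
    // bind_param() takes references; unpacking passes the array elements by
    // reference, so a value such as "x' OR '1'='1" is sent as plain data.
    mysqli_stmt_bind_param($stmt, $types, ...$params);
}
mysqli_stmt_execute($stmt);                  // executed once, after the loop
$result1 = mysqli_stmt_get_result($stmt);
while ($row = mysqli_fetch_assoc($result1)) {
    // handle one Intake3 row
}
mysqli_stmt_close($stmt);

// The second query from the post, with the MedRec value bound instead of
// interpolated. $mdr is assumed to hold what the original read from $GLOBALS['mdr'].
$site  = 'AA';
$stmt2 = mysqli_prepare($cxn, 'SELECT * FROM Visit3 WHERE (Site = ?) AND (MedRec = ?)');
mysqli_stmt_bind_param($stmt2, 'ss', $site, $mdr);
mysqli_stmt_execute($stmt2);
$result2 = mysqli_stmt_get_result($stmt2);
```

The whitelist is the control for the column half of each condition and the placeholder is the control for the value half; neither the key nor the value of the request ever becomes part of the SQL text, which is the property the OWASP cheat sheet linked above describes.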



[PHP] Re: [PHP-DB] Using oci_execute

2008-09-29 Thread Christopher Jones



Walter Galvão wrote:

Hi,

I'm using the Oracle Instant Client Basic in my PHP app, with Apache server.
When a query returns few rows, there is no problem.
Otherwise, the oci_execute method doesn't return any records nor any errors!
How can I solve this problem?

My implementation:

function executarSQL($conn, $stmt, $consulta) {
    echo "<br><br>Execute...";

    $r = oci_execute($stmt);

    if (!$r) {
        // execute errors are attached to the statement resource
        $erro = oci_error($stmt);
        trataErroSQL($conn, $consulta, $erro, "execute");
    }
    echo "<br><br>Fim do Execute...";
    return $r;
}



What version of PHP?  What version of Instant Client?  What version of
the DB?

Are you exceeding the PHP script time out, or exceeding the memory
limit?

Is there an error from oci_parse or your fetch call?

Which fetch call are you using?

Does your error occur when there are lots of rows, or only when your
query contains a certain kind of datatype?

Chris

--
Email: [EMAIL PROTECTED]  Tel: +1 650 506 8630
Twitter: http://twitter.com/ghrd    Free PHP Book: http://tinyurl.com/f8jad




[PHP] Re: [PHP-DB] Using oci_execute

2008-09-29 Thread Christopher Jones



Walter Galvão wrote:

Are you exceeding the PHP script time out, or exceeding the memory
limit?
I don't know. No message appears. The script prints the
last message before the oci_execute call.


I'd start by looking at the max_execution_time and memory_limit settings in 
php.ini.

Chris

--
Email: [EMAIL PROTECTED]  Tel: +1 650 506 8630
Twitter: http://twitter.com/ghrd    Free PHP Book: http://tinyurl.com/f8jad

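The diagnostic checklist in the two replies above (errors from oci_parse and the fetch call, and the max_execution_time / memory_limit settings) as one runnable OCI8 script. This is an added example, not code from the thread or from the original poster; the connection string, credentials and the employees table are assumed placeholders.

```php
<?php
// Added example, not code from the original thread. Every OCI8 step is
// checked explicitly so a failure in connect, parse, execute or fetch is
// reported instead of producing an empty result. Credentials, service name
// and table are assumed placeholders.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// The two limits that end a long-running script without an OCI error.
printf("max_execution_time=%s memory_limit=%s\n",
       ini_get('max_execution_time'), ini_get('memory_limit'));

$conn = oci_connect('hr', 'hr_password', 'localhost/XE');   // assumed
if (!$conn) {
    $e = oci_error();                 // no resource: connection-level error
    die("connect: " . $e['message'] . "\n");
}

$sql  = 'SELECT employee_id, last_name FROM employees';      // assumed table
$stmt = oci_parse($conn, $sql);
if (!$stmt) {
    $e = oci_error($conn);            // parse errors are attached to the connection
    die("parse: " . $e['message'] . "\n");
}

if (!oci_execute($stmt)) {
    $e = oci_error($stmt);            // execute errors are attached to the statement
    die("execute: ORA-" . $e['code'] . " " . $e['message'] . "\n");
}

// Fetch one row at a time rather than oci_fetch_all() into memory, so a
// large result set does not hit memory_limit.
$rows = 0;
while (($row = oci_fetch_array($stmt, OCI_ASSOC + OCI_RETURN_NULLS)) !== false) {
    $rows++;
}
// oci_fetch_array() returns false both at end of data and on error;
// oci_error() on the statement tells the two apart (false means no error).
$e = oci_error($stmt);
if ($e !== false) {
    die("fetch: ORA-" . $e['code'] . " " . $e['message'] . "\n");
}

printf("fetched %d rows, peak memory %d bytes\n", $rows, memory_get_peak_usage(true));
oci_free_statement($stmt);
oci_close($conn);
```

Run it against the query that returns many rows: if the script stops with no output after the "execute" step, compare the elapsed time and the printed peak memory against the two ini values, which is where the replies above point.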



[PHP] Compiling with pfpro (Payflow) with new SDK for Linux

2004-06-22 Thread Christopher Jones
Hello,
I think there have to be some compile issues with PHP and the newer Payflow SDKs from VeriSign [Linux]. There is no longer a Beta SDK apparently for any of the platforms. I have consistently received the following error: "the pfpro extension requires version 2 or 3 of the SDK". I have attempted to find a workaround by altering the configure script, but have been unable to do so. I think some work on this would be appropriate as the information on php.net is out of date regarding a Beta SDK.

Any help you could give to me would be much appreciated.
Best regards,
Christopher Jones