[PHP] Re: Inserting NULL Integer Values

2005-10-29 Thread Bogdan Ribic 

Oliver Grätz wrote:

Shaun schrieb:


$qid = mysql_query('INSERT INTO MYTABLE (
   column1,
   column2,
  ) VALUES (
   '.$value1.',
   '.$value2.'
  )');



A bit off-topic but important: Always make sure that you check the
contents of $value1 and $value2 before putting them into the query!
With

$value1 = 'xyz,xyz); DELETE FROM MYTABLE;';

you might get surprising results!

This is called SQL injection and it's important to escape all the values
before putting them into the statement.



Did you try that? This doesn't work on my machine:

mysql_query(DELETE FROM mytable; DELETE FROM mytable;);

ie, mysql extension won't let me do more than one statement at a time.

--

   Open source PHP code generator for DB operations
   http://sourceforge.net/projects/bfrcg/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-29 Thread Richard Lynch 
On Sat, October 29, 2005 4:45 am, Bogdan Ribic wrote:
 $value1 = 'xyz,xyz); DELETE FROM MYTABLE;';

 you might get surprising results!

 This is called SQL injection and it's important to escape all the
 values
 before putting them into the statement.


 Did you try that? This doesn't work on my machine:

 mysql_query(DELETE FROM mytable; DELETE FROM mytable;);

 ie, mysql extension won't let me do more than one statement at a time.

PHP MySQL has not allowed multiple statements per query for awhile, I
think.

I also think it's possible to change that, or that it might change in
the future.

Regardless of all that, the general principle remains sound.

Even if the one specific example does not work, that doesn't mean that
there aren't a few billion that WILL work to compromise your site.

http://phpsec.org


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-22 Thread Richard Lynch 
On Tue, October 18, 2005 2:15 pm, Shaun wrote:
 Thanks for your replies, rather than check each vaule by name I am
 trying to
 produce a more dynamic solution:

 foreach ($_POST as $key = $value) {
   if ($value == '') {
 $_POST[$key] == 'NULL';

If you actually have == in this line, that is your trouble.

   }
 }


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Ben Litton 
Either cast your empty ints (which should make it zero) or do an if  
(!isset($variable)) { $variable = 'NULL'; }


Ben

On Tue, 18 Oct 2005 12:15:41 -0400, Shaun [EMAIL PROTECTED]  
wrote:



Hi,

Up to this point in time I used to construct my insert statements like  
this


$qid = mysql_query('INSERT INTO MYTABLE (
column1,
column2,
   ) VALUES (
'.$value1.',
'.$value2.'
   )');

However I understand it is better to remove the quote marks around an  
insert
if the column type is an integer. This is easy to do, however if the  
$value

is empty it causes a mysql error. Has anyone encountered this and found a
solution?

Thanks for your advice




--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread tg-php 
What Ben said is correct, but I'd like to elaborate so you know why it's 
correct.

The INSERT statement you're trying to end up with is:

INSERT INTO MYTABLE (column1, column2) VALUES ('somevalue1', 'somevalue2')


I'm not sure why it wouldn't work if you ended up with:
INSERT INTO MYTABLE (column1, column2) VALUES ('', '')

That should work.  You can set it so you can't have NULL, but dont know of 
anything that tells the database not to accept '' as a value (barring triggers 
or other things that check on insert).

Anyway, assuming that the first example is what youre going for, then it sounds 
like this is what you want if the first value is empty:

INSERT INTO MYTABLE (column1, column2) VALUES (NULL, 'somevalue2')

So I might try something like this:

$value1 = ;
$value2 = somevalue;

if (is_empty($value1)) {
  $value1 = NULL;
} else {
  $value1 = ' . $value1 . ';
}

if (is_empty($value2)) {
  $value2 = NULL;
} else {
  $value2 = ' . $value2 . ';
}

$qid = mysql_query(INSERT INTO MYTABLE (column1, column2) VALUES ($value1, 
$value2));

That way, if it's empty, you'll get NULL, otherwise you'll get 'somevalue'.

I use double quotes () PHP variable values (yeah, I know.. some people have 
issues because it makes everything inside interpret..blah blah..) and use 
single quotes (') for SQL stuff.  Looks like you do the opposite.  Whatever 
works for you.

Good luck!

-TG

= = = Original message = = =

Either cast your empty ints (which should make it zero) or do an if  
(!isset($variable))  $variable = 'NULL'; 

Ben

On Tue, 18 Oct 2005 12:15:41 -0400, Shaun [EMAIL PROTECTED]  
wrote:

 Hi,

 Up to this point in time I used to construct my insert statements like  
 this

 $qid = mysql_query('INSERT INTO MYTABLE (
 column1,
 column2,
) VALUES (
 '.$value1.',
 '.$value2.'
)');

 However I understand it is better to remove the quote marks around an  
 insert
 if the column type is an integer. This is easy to do, however if the  
 $value
 is empty it causes a mysql error. Has anyone encountered this and found a
 solution?

 Thanks for your advice


___
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Shaun 
Hi Ben,

Thanks for your reply, woudn't that insert a string with a value of'NULL';?

Ben Litton [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Either cast your empty ints (which should make it zero) or do an if 
 (!isset($variable)) { $variable = 'NULL'; }

 Ben

 On Tue, 18 Oct 2005 12:15:41 -0400, Shaun [EMAIL PROTECTED] 
 wrote:

 Hi,

 Up to this point in time I used to construct my insert statements like 
 this

 $qid = mysql_query('INSERT INTO MYTABLE (
 column1,
 column2,
) VALUES (
 '.$value1.',
 '.$value2.'
)');

 However I understand it is better to remove the quote marks around an 
 insert
 if the column type is an integer. This is easy to do, however if the 
 $value
 is empty it causes a mysql error. Has anyone encountered this and found a
 solution?

 Thanks for your advice



 -- 
 Using Opera's revolutionary e-mail client: http://www.opera.com/mail/ 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Ben Litton 
Yes, but NULL is a special thing to MySQL. If you don't quote 'NULL' it  
just means 'empty' to mySQL. If your database schema allows NULLS (it's  
optional), your insert will go through.


On Tue, 18 Oct 2005 13:10:32 -0400, Shaun [EMAIL PROTECTED]  
wrote:



Hi Ben,

Thanks for your reply, woudn't that insert a string with a value  
of'NULL';?


Ben Litton [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

Either cast your empty ints (which should make it zero) or do an if
(!isset($variable)) { $variable = 'NULL'; }

Ben

On Tue, 18 Oct 2005 12:15:41 -0400, Shaun  
[EMAIL PROTECTED]

wrote:


Hi,

Up to this point in time I used to construct my insert statements like
this

$qid = mysql_query('INSERT INTO MYTABLE (
column1,
column2,
   ) VALUES (
'.$value1.',
'.$value2.'
   )');

However I understand it is better to remove the quote marks around an
insert
if the column type is an integer. This is easy to do, however if the
$value
is empty it causes a mysql error. Has anyone encountered this and  
found a

solution?

Thanks for your advice




--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/




--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Ben Litton 
Good explanation but I think he wanted to avoid quoting the integers. I  
may be wrong, but I think not quoting integers is a decent practice  
because it makes it easier to port your SQL over to a different database  
if you later decide you must do so. Of course he could just add a single  
quote to both sides of the string, whether it is empty or not, but if he  
wants to go without any single quotes, he'll have to use NULL or a  
numberic value for every column.


Everything you said is of course correct and a bit less lazy than my  
explanation. I would just say that if he didn't want any single quotes at  
all he could just replace your elses of $value = ' . $value2 . '; with  
$value = (int) $value1; OR $value1 = intval($value1).


If he decies not going to use quotes, it's probably a good idea to make  
sure it's really an number or it'll break the query. He could also do an  
is_numeric($value1) to make sure it really is one, but if you don't mind  
converting an errant string to a zero, casting works fine.


As for the double quotes inside the parser thing, I do that too out of  
laziness on occasion, but try not to. If the OP wants to stick to the  
gospel and employ quotes he could make your else $value1 = '\'.$value1.\'';


_Ben

On Tue, 18 Oct 2005 13:42:19 -0400, [EMAIL PROTECTED] wrote:

What Ben said is correct, but I'd like to elaborate so you know why it's  
correct.


The INSERT statement you're trying to end up with is:

INSERT INTO MYTABLE (column1, column2) VALUES ('somevalue1',  
'somevalue2')



I'm not sure why it wouldn't work if you ended up with:
INSERT INTO MYTABLE (column1, column2) VALUES ('', '')

That should work.  You can set it so you can't have NULL, but dont know  
of anything that tells the database not to accept '' as a value (barring  
triggers or other things that check on insert).


Anyway, assuming that the first example is what youre going for, then it  
sounds like this is what you want if the first value is empty:


INSERT INTO MYTABLE (column1, column2) VALUES (NULL, 'somevalue2')

So I might try something like this:

$value1 = ;
$value2 = somevalue;

if (is_empty($value1)) {
  $value1 = NULL;
} else {
  $value1 = ' . $value1 . ';
}

if (is_empty($value2)) {
  $value2 = NULL;
} else {
  $value2 = ' . $value2 . ';
}

$qid = mysql_query(INSERT INTO MYTABLE (column1, column2) VALUES  
($value1, $value2));


That way, if it's empty, you'll get NULL, otherwise you'll get  
'somevalue'.


I use double quotes () PHP variable values (yeah, I know.. some people  
have issues because it makes everything inside interpret..blah blah..)  
and use single quotes (') for SQL stuff.  Looks like you do the  
opposite.  Whatever works for you.


Good luck!

-TG

= = = Original message = = =

Either cast your empty ints (which should make it zero) or do an if
(!isset($variable))  $variable = 'NULL';

Ben

On Tue, 18 Oct 2005 12:15:41 -0400, Shaun [EMAIL PROTECTED]
wrote:


Hi,

Up to this point in time I used to construct my insert statements like
this

$qid = mysql_query('INSERT INTO MYTABLE (
column1,
column2,
   ) VALUES (
'.$value1.',
'.$value2.'
   )');

However I understand it is better to remove the quote marks around an
insert
if the column type is an integer. This is easy to do, however if the
$value
is empty it causes a mysql error. Has anyone encountered this and found  
a

solution?

Thanks for your advice



___
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.




--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Richard Lynch 
On Tue, October 18, 2005 12:42 pm, [EMAIL PROTECTED] wrote:
 That should work.  You can set it so you can't have NULL, but dont
 know of anything that tells the database not to accept '' as a value

Any database, other than MySQL, is *NOT* going to accept '' as an
integer value.

Because '' is not an integer by any stretch of the imagination.

If you don't care about ever porting your application to something
other than MySQL, then you can IGNORE the advice to not use '' on
integers.

If there's ANY possibility that some day somebody might maybe wanna
use a different database with your application, then don't confuse
strings with integers.

Actually, it might be better for your own
education/sanity/comprehension/documentation/code to not confuse
strings and integers with '' around integers in the SQL, but if
everything ELSE is good in your code, and it's always going to be
MySQL then it's fine.

Note that:

$value2 = 'NULL'; //PHP $value2 is a string

$query = insert into (integer_field) values ($value2);
//PHP $query is a string, but...

The place-holder in $value2 will be just: NULL

No quotes.

No apostrophes.

Not a string.

NULL

SQL NULL value representing no value

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Shaun 
Hi all,

Thanks for your replies, rather than check each vaule by name I am trying to 
produce a more dynamic solution:

foreach ($_POST as $key = $value) {
  if ($value == '') {
$_POST[$key] == 'NULL';
  }
}

I was expecting $_POST[$key] to be the same as $key, however this isnt the 
case:

$key = city
$_POST[$key] = London
$value = London

Any ideas?

Richard Lynch [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 On Tue, October 18, 2005 12:42 pm, [EMAIL PROTECTED] wrote:
 That should work.  You can set it so you can't have NULL, but dont
 know of anything that tells the database not to accept '' as a value

 Any database, other than MySQL, is *NOT* going to accept '' as an
 integer value.

 Because '' is not an integer by any stretch of the imagination.

 If you don't care about ever porting your application to something
 other than MySQL, then you can IGNORE the advice to not use '' on
 integers.

 If there's ANY possibility that some day somebody might maybe wanna
 use a different database with your application, then don't confuse
 strings with integers.

 Actually, it might be better for your own
 education/sanity/comprehension/documentation/code to not confuse
 strings and integers with '' around integers in the SQL, but if
 everything ELSE is good in your code, and it's always going to be
 MySQL then it's fine.

 Note that:

 $value2 = 'NULL'; //PHP $value2 is a string

 $query = insert into (integer_field) values ($value2);
 //PHP $query is a string, but...

 The place-holder in $value2 will be just: NULL

 No quotes.

 No apostrophes.

 Not a string.

 NULL

 SQL NULL value representing no value

 -- 
 Like Music?
 http://l-i-e.com/artists.htm 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread tg-php 
Sorry everyone, I missed the integer requirement here.  I apologize.  And 
yes, '' isn't a good integer value and will throw an error.

That's what I get for not reading thoroughly enough :)

-TG

= = = Original message = = =

On Tue, October 18, 2005 12:42 pm, [EMAIL PROTECTED] wrote:
 That should work.  You can set it so you can't have NULL, but dont
 know of anything that tells the database not to accept '' as a value

Any database, other than MySQL, is *NOT* going to accept '' as an
integer value.

Because '' is not an integer by any stretch of the imagination.

If you don't care about ever porting your application to something
other than MySQL, then you can IGNORE the advice to not use '' on
integers.

If there's ANY possibility that some day somebody might maybe wanna
use a different database with your application, then don't confuse
strings with integers.

Actually, it might be better for your own
education/sanity/comprehension/documentation/code to not confuse
strings and integers with '' around integers in the SQL, but if
everything ELSE is good in your code, and it's always going to be
MySQL then it's fine.

Note that:

$value2 = 'NULL'; //PHP $value2 is a string

$query = insert into (integer_field) values ($value2);
//PHP $query is a string, but...

The place-holder in $value2 will be just: NULL

No quotes.

No apostrophes.

Not a string.

NULL

SQL NULL value representing no value


___
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Ben Litton 

You're using two =='s for your assignment.

On Tue, 18 Oct 2005 15:15:59 -0400, Shaun [EMAIL PROTECTED]  
wrote:



Hi all,

Thanks for your replies, rather than check each vaule by name I am  
trying to

produce a more dynamic solution:

foreach ($_POST as $key = $value) {
  if ($value == '') {
$_POST[$key] == 'NULL';
  }
}

I was expecting $_POST[$key] to be the same as $key, however this isnt  
the

case:

$key = city
$_POST[$key] = London
$value = London

Any ideas?

Richard Lynch [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

On Tue, October 18, 2005 12:42 pm, [EMAIL PROTECTED] wrote:

That should work.  You can set it so you can't have NULL, but dont
know of anything that tells the database not to accept '' as a value


Any database, other than MySQL, is *NOT* going to accept '' as an
integer value.

Because '' is not an integer by any stretch of the imagination.

If you don't care about ever porting your application to something
other than MySQL, then you can IGNORE the advice to not use '' on
integers.

If there's ANY possibility that some day somebody might maybe wanna
use a different database with your application, then don't confuse
strings with integers.

Actually, it might be better for your own
education/sanity/comprehension/documentation/code to not confuse
strings and integers with '' around integers in the SQL, but if
everything ELSE is good in your code, and it's always going to be
MySQL then it's fine.

Note that:

$value2 = 'NULL'; //PHP $value2 is a string

$query = insert into (integer_field) values ($value2);
//PHP $query is a string, but...

The place-holder in $value2 will be just: NULL

No quotes.

No apostrophes.

Not a string.

NULL

SQL NULL value representing no value

--
Like Music?
http://l-i-e.com/artists.htm




--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: Inserting NULL Integer Values

2005-10-18 Thread Oliver Grätz 
Shaun schrieb:
 $qid = mysql_query('INSERT INTO MYTABLE (
 column1,
 column2,
) VALUES (
 '.$value1.',
 '.$value2.'
)');

A bit off-topic but important: Always make sure that you check the
contents of $value1 and $value2 before putting them into the query!
With

$value1 = 'xyz,xyz); DELETE FROM MYTABLE;';

you might get surprising results!

This is called SQL injection and it's important to escape all the values
before putting them into the statement.

An even better solution are prepared statements! With PDO (available as
an extension for PHP 5.x) these are natively supported. You prepare the
statements without any of the values and call them with the values. The
engine automatically escapes your data.

OLLi

Bug? That's not a bug, that's a feature.
[T. John Wendel]

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php