Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 10:41 -0400, Daniel Brown wrote:
> 9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.

Dude! You forgot the most important bit:

inc/config.inc:
$dbusername="root";
$dbpassword="r00t"; //By combining letters and numbers, this password becomes unhackable

It's important to also set your server root password the same as your DB password so that when you hand passwords out to your outsourced developers, secretaries, tea ladies and janitors they can have full access to the system and don't waste your time setting up permissions.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
For anyone interested, here's a nice book to get anyone started on PHP Security: http://oreilly.com/catalog/9780596006563/index.html

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com

Stut wrote:
> On 17 Jul 2008, at 21:56, Robert Cummings wrote:
>> On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
>>> What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason.
>>
>> Well I agree with that of course... but the post by Stut indicated the interviewee thought he could punt all DB security to the DBA. Obviously it's important that the app developer use appropriate programming techniques to achieve security in conjunction with the DBA.
>
> My main point was that security is the responsibility of everyone on the team whether it's explicitly part of their job spec or not. A candidate who doesn't see that without prompting will not be getting any further in my interview process.
>
> -Stut
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 21:56, Robert Cummings wrote:
> On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
>> What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason.
>
> Well I agree with that of course... but the post by Stut indicated the interviewee thought he could punt all DB security to the DBA. Obviously it's important that the app developer use appropriate programming techniques to achieve security in conjunction with the DBA.

My main point was that security is the responsibility of everyone on the team whether it's explicitly part of their job spec or not. A candidate who doesn't see that without prompting will not be getting any further in my interview process.

-Stut

--
http://stut.net/
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason. Also, for the web app, you can usually disable Administrative functions and grant a minimal set of permissions.

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com

Robert Cummings wrote:
> On Thu, 2008-07-17 at 12:32 -0400, Andrew Ballard wrote:
>> On Thu, Jul 17, 2008 at 12:02 PM, Stut wrote:
>>> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>>>> On 7/17/08, Stut wrote:
>>>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>>>
>>>>>>> -Stut
>>>>>>
>>>>>> It's no wonder why you haven't found anyone. :-)
>>>>>
>>>>> Thanks for that tedd.
>>>>>
>>>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before". And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>>>
>>>>> Am I expecting too much?!?
>>>>>
>>>>> -Stut
>>>>
>>>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>>>
>>> There's no way I would ever hire anyone who says "security was somebody else's responsibility". I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>>>
>>> -Stut
>>
>> A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less "useful" to lazy programmers.
>
> So are you suggesting a web app make multiple different user account connections to the SQL server depending on whether it wants to SELECT, INSERT, DELETE, ETC.? I mean that's a fair proposition... just seems a tad heavy duty. Once again though... there's a programmer responsibility here to implement the application with such a scenario in mind. Most applications need access to SELECT, INSERT, and DELETE. In such a case, a single account with restricted access permissions that allow all three isn't going to do anything for the application if a programmer lets an SQL injection through.
>
> Cheers,
> Rob.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 15:46 -0500, Micah Gersten wrote:
> What can help is if one app only has access to its own DB. Also, for mysql, there is the mysql_real_escape_string function for a reason.

Well I agree with that of course... but the post by Stut indicated the interviewee thought he could punt all DB security to the DBA. Obviously it's important that the app developer use appropriate programming techniques to achieve security in conjunction with the DBA.

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 15:53 -0400, tedd wrote:
> At 3:47 PM -0400 7/17/08, Robert Cummings wrote:
>> On Thu, 2008-07-17 at 15:32 -0400, tedd wrote:
>>> At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
>>>> -snip-
>>>
>>> Your point? :-)
>>
>> I'm a circle... Tedd's a square?
>
> I've been called worse.
>
> I'm really more of an oblate spheroid.

Naw... you're just a diamond on its side :B

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
At 3:47 PM -0400 7/17/08, Robert Cummings wrote:
> On Thu, 2008-07-17 at 15:32 -0400, tedd wrote:
>> At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
>>> -snip-
>>
>> Your point? :-)
>
> I'm a circle... Tedd's a square?

I've been called worse.

I'm really more of an oblate spheroid.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 15:32 -0400, tedd wrote:
> At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
>> -snip-
>
> Your point? :-)

I'm a circle... Tedd's a square?

*runs away cackling*

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
At 10:41 AM -0400 7/17/08, Daniel Brown wrote:
> -snip-

Your point? :-)

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Jul 17, 2008, at 2:44 PM, Robert Cummings wrote:
> On Thu, 2008-07-17 at 17:32 +0100, Stut wrote:
>> On 17 Jul 2008, at 15:41, Daniel Brown wrote:
>>> On Thu, Jul 17, 2008 at 9:55 AM, Stut wrote:
>>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before". And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>
>>> 1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.
>>
>> Yup, had that one.
>
> While we're talking about God here... why bother escaping your data. For he who believeth in the Lordeth could telleth thisith mountain hereth to moveth over thereth... Then again never mind.
>
>>> 2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.
>>
>> I have a ghostwriter who keeps me active on the mailing lists. Best 50p I spend every week!
>>
>>> 3.) "SQL injection" is just a buzzphrase. I already know where baby databases come from.
>>
>> The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.
>
> No, no, no... you got the semantics wrong... SQL injection is when an imposter performs an insert on Momma database thus corrupting the data. Sometimes big daddy doesn't know about the corruption until he performs a select query on baby database. Unfortunately we're not yet technologically advanced enough to perform a repair under these circumstances.
>
>>> 4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.
>>
>> Indeed. And PHP can't be used for foreign language sites, only US English. It makes a complete mess of British English sites.
>
> You should see what happens when you have to manage Canadian English and Canadian French on the same site. PHP is the 5ux0r5.
>
>>> 5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.
>>
>> You say this, but the person I just did a phone interview with did tell me that security is a cost-benefit calculation in terms of both development time and runtime resources. He said he never bothers escaping input in Intranet sites. True story!
>
> I've been reading your email... hope you don't mind.
>
>>> 6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.
>>
>> I use an Oompa-Loompa - much more reliable!
>>
>>> 7.) register_globals is your friend.
>>
>> And I hug her, and kiss her and squeeze her tight.
>
> *pop*
>
>>> 8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.
>
> *hahahahaahah* What a clever person... what other sites did he/she work on? Post links please >:)
>
>> Ooh, dangerous. I worry about relative paths, so when I do this it's always with an absolute path... i.e. ?page=/var/www/mywebsite.com/somedir/faq.php Absolute paths are much faster to resolve.
>
> Good for him, efficiency is paramount on a heavy traffic payment gateway where every cycle contributes to squeezing in another credit card payment.
>
>>> 9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.
>>
>> I prefer to use .txt as the extension. Makes opening them in Notepad so much easier.
>
> Don't use a .htaccess file either to secure the directory. Apache needs to read that... cycles, cycles, cycles... things of the baby databases.
>
>>> 10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: (again, see point #7 --- see how much that's coming in handy now?)
>
> Wow, that's handy. You can practically create a clean-site web service using: wget -r
>
> This works best if the web server is running as root. None of those annoying error messages abou
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
2008/7/17 Stut:
>> 3.) "SQL injection" is just a buzzphrase. I already know where baby databases come from.
>
> The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.

No, no, you've got it all wrong: http://www.zoitz.com/archives/14

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 3:07 PM, Dotan Cohen wrote:
> 2008/7/17 Daniel Brown:
>> 11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3's aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off. "But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!" We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does. When in doubt, hijack a thread.
>
> You do realize, of course, that this is posted in a hijacked thread?

Most times, people use the word "ironic" when they really mean coincidental. This, on the other hand, is the correct definition of irony, and was purposeful.

--
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 2:48 PM, Robert Cummings wrote:
> On Thu, 2008-07-17 at 12:32 -0400, Andrew Ballard wrote:
>> On Thu, Jul 17, 2008 at 12:02 PM, Stut wrote:
>>> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>>>> On 7/17/08, Stut wrote:
>>>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>>>
>>>>>>> -Stut
>>>>>>
>>>>>> It's no wonder why you haven't found anyone. :-)
>>>>>
>>>>> Thanks for that tedd.
>>>>>
>>>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before". And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>>>
>>>>> Am I expecting too much?!?
>>>>>
>>>>> -Stut
>>>>
>>>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>>>
>>> There's no way I would ever hire anyone who says "security was somebody else's responsibility". I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>>>
>>> -Stut
>>
>> A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less "useful" to lazy programmers.
>
> So are you suggesting a web app make multiple different user account connections to the SQL server depending on whether it wants to SELECT, INSERT, DELETE, ETC.? I mean that's a fair proposition... just seems a tad heavy duty. Once again though... there's a programmer responsibility here to implement the application with such a scenario in mind. Most applications need access to SELECT, INSERT, and DELETE. In such a case, a single account with restricted access permissions that allow all three isn't going to do anything for the application if a programmer lets an SQL injection through.
>
> Cheers,
> Rob.

No, not unless you really need that level of security. Simply by creating procedures and granting execute permissions only to a single web user account would go a long way to eliminating SQL injection. The query will fail if a malicious user tries to insert anything that doesn't fit into the parameter. Even if someone tried to truncate your SQL statement by sending something like "; DELETE * FROM users" it would fail because that account would not have permission to run the ad hoc statement.

I know there are some cases where the number of possible permutations of search parameters means you pretty much have to allow ad hoc queries, but you can make that the exception rather than the rule.

Andrew
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
2008/7/17 Daniel Brown:
> 11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3's aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off. "But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!" We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does. When in doubt, hijack a thread.

You do realize, of course, that this is posted in a hijacked thread?

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 12:32 -0400, Andrew Ballard wrote:
> On Thu, Jul 17, 2008 at 12:02 PM, Stut wrote:
>> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>>> On 7/17/08, Stut wrote:
>>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>>
>>>>>> -Stut
>>>>>
>>>>> It's no wonder why you haven't found anyone. :-)
>>>>
>>>> Thanks for that tedd.
>>>>
>>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before". And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>>
>>>> Am I expecting too much?!?
>>>>
>>>> -Stut
>>>
>>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>>
>> There's no way I would ever hire anyone who says "security was somebody else's responsibility". I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>>
>> -Stut
>
> A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less "useful" to lazy programmers.

So are you suggesting a web app make multiple different user account connections to the SQL server depending on whether it wants to SELECT, INSERT, DELETE, ETC.? I mean that's a fair proposition... just seems a tad heavy duty. Once again though... there's a programmer responsibility here to implement the application with such a scenario in mind. Most applications need access to SELECT, INSERT, and DELETE. In such a case, a single account with restricted access permissions that allow all three isn't going to do anything for the application if a programmer lets an SQL injection through.

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
RE: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
> -Original Message-
> From: Andrew Ballard
> Sent: Thursday, July 17, 2008 11:33 AM
> To: PHP General list
> Subject: Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
>
> On Thu, Jul 17, 2008 at 12:02 PM, Stut wrote:
>> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>>> On 7/17/08, Stut wrote:
>>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>>
>>>>>> -Stut
>>>>>
>>>>> It's no wonder why you haven't found anyone. :-)
>>>>
>>>> Thanks for that tedd.
>>>>
>>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before". And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>>>
>>>> Am I expecting too much?!?
>>>>
>>>> -Stut
>>>
>>> Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.
>>
>> There's no way I would ever hire anyone who says "security was somebody else's responsibility". I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.
>>
>> -Stut
>
> A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less "useful" to lazy programmers.

...and giving procedures that only need read access--wait for it--only read access! I have seen so many pages from work I've done on crowd-sourcing websites that use one (practically) super-user DBMS account to read one or two columns from one or two rows and display them. It boggles the mind.

Todd Boyd
Web Programmer
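Andrew's model (a web account that can only EXECUTE procedures, never touch tables) together with Todd's refinement (a read-only procedure for read-only work), written out as an added MySQL example; this is not code from the thread or from any of the posters, and the `shop` database, `users` table, the two procedure names and the `webapp` account are constructed for the example:

```sql
-- Constructed schema for the example: one table the web tier must never reach directly.
CREATE DATABASE IF NOT EXISTS shop;
USE shop;

CREATE TABLE IF NOT EXISTS users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(64)  NOT NULL UNIQUE,
  email    VARCHAR(255) NOT NULL
);

-- Read-only work gets a read-only procedure (Todd's point). SQL SECURITY DEFINER
-- runs the body with the definer's (the DBA's) table rights, so the caller needs
-- none of its own. p_username is a bound value, never spliced into SQL text, so an
-- input such as "'; DELETE FROM users" is simply a username that matches nothing.
DELIMITER $$
CREATE PROCEDURE get_user_email(IN p_username VARCHAR(64))
    SQL SECURITY DEFINER
    READS SQL DATA
BEGIN
  SELECT id, email FROM users WHERE username = p_username;
END$$

-- Writes get their own narrowly scoped procedure rather than INSERT on the table.
CREATE PROCEDURE add_user(IN p_username VARCHAR(64), IN p_email VARCHAR(255))
    SQL SECURITY DEFINER
    MODIFIES SQL DATA
BEGIN
  INSERT INTO users (username, email) VALUES (p_username, p_email);
END$$
DELIMITER ;

-- Dedicated application account: EXECUTE on the two procedures and nothing else
-- (Andrew's point). The password is a placeholder, not a value from the thread.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT EXECUTE ON PROCEDURE shop.get_user_email TO 'webapp'@'localhost';
GRANT EXECUTE ON PROCEDURE shop.add_user       TO 'webapp'@'localhost';

-- Verify the boundary from a session opened as webapp:
--   CALL shop.get_user_email('alice');            -- allowed
--   CALL shop.add_user('bob', 'bob@example.com');  -- allowed
--   SELECT * FROM shop.users;                      -- rejected: SELECT command denied
--   DELETE FROM shop.users;                        -- rejected: DELETE command denied
-- SHOW GRANTS FOR 'webapp'@'localhost' should list only USAGE plus the two EXECUTE grants.
```

The PHP side still binds p_username as a parameter in a prepared CALL; the grants are the backstop that makes an escaping mistake in the application fail closed instead of running as an ad hoc statement.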
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 17:32 +0100, Stut wrote:
> On 17 Jul 2008, at 15:41, Daniel Brown wrote:
>> On Thu, Jul 17, 2008 at 9:55 AM, Stut wrote:
>>> Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before". And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.
>>
>> 1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.
>
> Yup, had that one.

While we're talking about God here... why bother escaping your data. For he who believeth in the Lordeth could telleth thisith mountain hereth to moveth over thereth... Then again never mind.

>> 2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.
>
> I have a ghostwriter who keeps me active on the mailing lists. Best 50p I spend every week!
>
>> 3.) "SQL injection" is just a buzzphrase. I already know where baby databases come from.
>
> The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.

No, no, no... you got the semantics wrong... SQL injection is when an imposter performs an insert on Momma database thus corrupting the data. Sometimes big daddy doesn't know about the corruption until he performs a select query on baby database. Unfortunately we're not yet technologically advanced enough to perform a repair under these circumstances.

>> 4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.
>
> Indeed. And PHP can't be used for foreign language sites, only US English. It makes a complete mess of British English sites.

You should see what happens when you have to manage Canadian English and Canadian French on the same site. PHP is the 5ux0r5.

>> 5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.
>
> You say this, but the person I just did a phone interview with did tell me that security is a cost-benefit calculation in terms of both development time and runtime resources. He said he never bothers escaping input in Intranet sites. True story!

I've been reading your email... hope you don't mind.

>> 6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.
>
> I use an Oompa-Loompa - much more reliable!
>
>> 7.) register_globals is your friend.
>
> And I hug her, and kiss her and squeeze her tight.

*pop*

>> 8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.

*hahahahaahah* What a clever person... what other sites did he/she work on? Post links please >:)

> Ooh, dangerous. I worry about relative paths, so when I do this it's always with an absolute path... i.e. ?page=/var/www/mywebsite.com/somedir/faq.php Absolute paths are much faster to resolve.

Good for him, efficiency is paramount on a heavy traffic payment gateway where every cycle contributes to squeezing in another credit card payment.

>> 9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.
>
> I prefer to use .txt as the extension. Makes opening them in Notepad so much easier.

Don't use a .htaccess file either to secure the directory. Apache needs to read that... cycles, cycles, cycles... things of the baby databases.

>> 10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: (again, see point #7 --- see how much that's coming in handy now?)

Wow, that's
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 2:27 PM, Robert Cummings <[EMAIL PROTECTED]> wrote:
>
> Look at all those executives dragging companies down while they happily
> deposit their millions in salary/bonuses every year.

Tell me about it. IndyMac threw a divide by zero exception as a result.

--
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 12:07 -0400, Daniel Brown wrote:
> On Thu, Jul 17, 2008 at 12:02 PM, Stut <[EMAIL PROTECTED]> wrote:
> >
> > There's no way I would ever hire anyone who says "security was somebody
> > else's responsibility". I don't care what their previous managers have said,
> > that's never a valid statement in my book. When you then add the fact that
> > no DB admin no matter how good they are can implement adequate security to
> > prevent SQL injection you get a developer who doesn't care about security
> > issues much less know anything about them.
>
> Ignorance is bliss. It may not make you a good programmer, but
> it'll make you a fantastic executive.

No, it'll probably make you an executive if you keep your mouth shut and follow orders... but not a good executive. You still need brains to be a good executive, otherwise you're just a leech on the system. Look at all those executives dragging companies down while they happily deposit their millions in salary/bonuses every year.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 17:02 +0100, Stut wrote:
> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>
> > On 7/17/08, Stut <[EMAIL PROTECTED]> wrote:
> >>
> >> On 17 Jul 2008, at 14:10, tedd wrote:
> >>
> >>> At 10:28 PM +0100 7/16/08, Stut wrote:
> >>>
> >>>> Oh, and you'd be working for me so bear that in mind ;)
> >>>>
> >>>> -Stut
> >>>
> >>> It's no wonder why you haven't found anyone. :-)
> >>
> >> Thanks for that tedd.
> >>
> >> Seriously though, I'm wondering if my expectations are too high... I expect
> >> them to know that addslashes is not adequate protection against SQL
> >> injection. I even had one tell me "SQL injection? I can't remember but I'm
> >> sure I've used it before". And I won't even go into the guy who asserted
> >> that he's always worked with DB administrators who've dealt with security
> >> issues so he'd never needed to learn about it.
> >>
> >> Am I expecting too much?!?

I've heard the NEDs are winning in the U.K.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, 2008-07-17 at 13:46 +0100, Stut wrote:
> On 17 Jul 2008, at 11:31, Jason Pruim wrote:
> > On Jul 16, 2008, at 5:28 PM, Stut wrote:
> >> On 16 Jul 2008, at 19:18, Daniel Brown wrote:
> >>> On Tue, Jul 15, 2008 at 5:43 PM, Stut <[EMAIL PROTECTED]> wrote:
> >>>> Code please, we're not mind readers!
> >>>
> >>> I sensed you would say that, Stuart. ;-P
> >>
> >> Can you sense what I'm thinking right now?
> >>
> >> BTW, if anyone is looking for a PHP5/MySQL dev job in or around
> >> Camberley, Surrey, England please drop me your CV. Looking for all
> >> levels to join a small team (me + 2 non-devs). Contact me
> >> personally for more info. Sorry, remote working is not an option.
> >> We will consider both perm and contract but perm is preferred. Oh,
> >> and you'd be working for me so bear that in mind ;)
> >
> > So would that be a plus or a negative? :P
>
> That's up to you to decide based on my activity on this list. IOW I
> have no idea!

I don't think it would be a bad experience. I'd have to say as a list contributor you've always had good posts and an even temperament. Anyways, I already telecommute 20 or so hours a week to Sheffield, England from Ottawa, Canada :D

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 12:02 PM, Stut <[EMAIL PROTECTED]> wrote:
>
> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>
>> On 7/17/08, Stut <[EMAIL PROTECTED]> wrote:
>>>
>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>
>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>
>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>
>>>>> -Stut
>>>>
>>>> It's no wonder why you haven't found anyone. :-)
>>>
>>> Thanks for that tedd.
>>>
>>> Seriously though, I'm wondering if my expectations are too high... I expect
>>> them to know that addslashes is not adequate protection against SQL
>>> injection. I even had one tell me "SQL injection? I can't remember but I'm
>>> sure I've used it before". And I won't even go into the guy who asserted
>>> that he's always worked with DB administrators who've dealt with security
>>> issues so he'd never needed to learn about it.
>>>
>>> Am I expecting too much?!?
>>>
>>> -Stut
>>
>> Surely you're being rhetorical, Stut, but no, you're not expecting too much.
>> However the guy(s) who worked in a larger organization likely did have a
>> very clear delineation of roles and responsibilities, as I am experiencing
>> in a new position, and therefore may not be current on best practices in
>> areas outside of their role. When my group leader instituted the current
>> policy regarding job functions, a number of the open source guys decided
>> their unused skills were eroding and/or they were not being exposed to new
>> learning, and they left the company.
>
> There's no way I would ever hire anyone who says "security was somebody
> else's responsibility". I don't care what their previous managers have said,
> that's never a valid statement in my book. When you then add the fact that
> no DB admin no matter how good they are can implement adequate security to
> prevent SQL injection you get a developer who doesn't care about security
> issues much less know anything about them.
>
> -Stut

A DBA can go pretty far to prevent SQL injection by setting appropriate rights on the accounts that applications will use to interact with the database: denying direct access to tables, allowing access to only the necessary stored procedures, thereby forcing developers to design products using only those procedures for all data access. Of course, a lot of developers would complain under this level of security, and I suspect a lot of frameworks that are out there would be much less "useful" to lazy programmers.

Andrew
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 7/17/08, Stut <[EMAIL PROTECTED]> wrote:
>
> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>
>> On 7/17/08, Stut <[EMAIL PROTECTED]> wrote:
>>>
>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>
>>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>
>>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>
>>>>> -Stut
>>>>
>>>> It's no wonder why you haven't found anyone. :-)
>>>
>>> Thanks for that tedd.
>>>
>>> Seriously though, I'm wondering if my expectations are too high... I expect
>>> them to know that addslashes is not adequate protection against SQL
>>> injection. I even had one tell me "SQL injection? I can't remember but I'm
>>> sure I've used it before". And I won't even go into the guy who asserted
>>> that he's always worked with DB administrators who've dealt with security
>>> issues so he'd never needed to learn about it.
>>>
>>> Am I expecting too much?!?
>>>
>>> -Stut
>>
>> Surely you're being rhetorical, Stut, but no, you're not expecting too much.
>> However the guy(s) who worked in a larger organization likely did have a
>> very clear delineation of roles and responsibilities, as I am experiencing
>> in a new position, and therefore may not be current on best practices in
>> areas outside of their role. When my group leader instituted the current
>> policy regarding job functions, a number of the open source guys decided
>> their unused skills were eroding and/or they were not being exposed to new
>> learning, and they left the company.
>
> There's no way I would ever hire anyone who says "security was somebody
> else's responsibility". I don't care what their previous managers have said,
> that's never a valid statement in my book. When you then add the fact that
> no DB admin no matter how good they are can implement adequate security to
> prevent SQL injection you get a developer who doesn't care about security
> issues much less know anything about them.
>
> -Stut

Saying security was someone else's responsibility is not the smartest statement to make in a job interview. Whether that correlates to someone not caring about security is a different matter, I think. Of course, if the applicant said, "Security was somebody else's responsibility" in a flip and/or arrogant manner and clearly showed no concern about it, then sure, on to the next candidate. But I can imagine an exchange where somebody said that, but then followed up with, "But here's how I would handle it..." It sounds like the guy you interviewed was in the former category.

--David.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 15:41, Daniel Brown wrote:
> On Thu, Jul 17, 2008 at 9:55 AM, Stut <[EMAIL PROTECTED]> wrote:
>>
>> Seriously though, I'm wondering if my expectations are too high... I expect
>> them to know that addslashes is not adequate protection against SQL
>> injection. I even had one tell me "SQL injection? I can't remember but I'm
>> sure I've used it before". And I won't even go into the guy who asserted
>> that he's always worked with DB administrators who've dealt with security
>> issues so he'd never needed to learn about it.
>
> 1.) It's obvious that addslashes() is not protection against SQL
> injection attacks. That's why God invented htmlentities() and
> flatfile databases.

Yup, had that one.

> 2.) No PHP programmer should ever be required to know anything
> about databases, server management, mail, or anything. This is
> because we all know that we'll someday all work in a Google-like
> atmosphere with enough funding to hire other people to work with
> databases, servers, HTML, and even a Senior JavaScript Engineer.

I have a ghostwriter who keeps me active on the mailing lists. Best 50p I spend every week!

> 3.) "SQL injection" is just a buzzphrase. I already know where
> baby databases come from.

The big Daddy database spends lots of CPU cycles on the big Momma database and she eventually lets him put his SQL client into her console and their SQL statements intermingle until something magic happens. At least that's what my Daddy told me when I was a little regex.

> 4.) Any web programmer worth his or her salt knows that PHP, while
> a great language, is not compatible with all browsers. Especially
> Microsoft. For people using Windows, you'll need to have an ASP
> website.

Indeed. And PHP can't be used for foreign language sites, only US English. It makes a complete mess of British English sites.

> 5.) Never sanitize input. It takes too long, and unless you're
> dealing with credit cards, no one will ever want to hack your website.
> If you are taking credit cards, store them in a firewalled database.

You say this, but the person I just did a phone interview with did tell me that security is a cost-benefit calculation in terms of both development time and runtime resources. He said he never bothers escaping input in Intranet sites. True story!

> 6.) If you need to copy files from one server to another, make
> sure you use FTP over HTTP. It's more secure.

I use an Oompa-Loompas - much more reliable!

> 7.) register_globals is your friend.

And I hug her, and kiss her and squeeze her tight. *pop*

> 8.) The best, most-scalable way to create an expandable website is
> to use a switch page. Just tack on a ?page=faq.php query to your GET
> request, and have PHP automatically `include($page)` (see point #7) in
> your switch file.

Ooh, dangerous. I worry about relative paths, so when I do this it's always with an absolute path... i.e. ?page=/var/www/mywebsite.com/somedir/faq.php

> 9.) NEVER store passwords in a PHP script. Instead, store them in
> a file named `inc/config.inc` in the web directory, and include them.

I prefer to use .txt as the extension. Makes opening them in Notepad so much easier.

> 10.) If running a picture- or file-sharing website, make things
> easier on your users and yourself. Allow users to delete their files
> by using a simple link like:
> http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in
> delete.php, have only one line: (again, see
> point #7 --- see how much that's coming in handy now?)

This works best if the web server is running as root. None of those annoying error messages about not being able to open files that I know are there!

> 11.) The most important rule EVER: if you ever have the slightest
> problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the
> [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and
> all questions there, including why your MP3's aren't streaming on your
> AnalogX webserver from your home PC to your buddies in Antarctica
> after you turn your computer off. "But when I turn my computer off,
> the rest of the Internet still works! Hlp me pls!!!1!" We are here
> only to serve you. People on mailing lists are paid to write your
> code and do your homework for you, and you should expect nothing but
> the best, immediate answers, 24/7/365. If they don't respond within
> 90 seconds, please repost your message every 90 seconds until someone
> does. When in doubt, hijack a thread.

Why do birds suddenly go *poof*, every time, you are near?

-Stut

--
http://stut.net/
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 12:07 PM, Daniel Brown <[EMAIL PROTECTED]> wrote:
> [snip]
> Ignorance is bliss. It may not make you a good programmer, but
> it'll make you a fantastic executive.
> [/snip]

ROFL, that describes my VP to a T

--
Bastien
Cat, the other other white meat
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 12:02 PM, Stut <[EMAIL PROTECTED]> wrote:
>
> There's no way I would ever hire anyone who says "security was somebody
> else's responsibility". I don't care what their previous managers have said,
> that's never a valid statement in my book. When you then add the fact that
> no DB admin no matter how good they are can implement adequate security to
> prevent SQL injection you get a developer who doesn't care about security
> issues much less know anything about them.

Ignorance is bliss. It may not make you a good programmer, but it'll make you a fantastic executive.

--
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 15:31, David Giragosian wrote:
> On 7/17/08, Stut <[EMAIL PROTECTED]> wrote:
>>
>> On 17 Jul 2008, at 14:10, tedd wrote:
>>
>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>
>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>
>>>> -Stut
>>>
>>> It's no wonder why you haven't found anyone. :-)
>>
>> Thanks for that tedd.
>>
>> Seriously though, I'm wondering if my expectations are too high... I expect
>> them to know that addslashes is not adequate protection against SQL
>> injection. I even had one tell me "SQL injection? I can't remember but I'm
>> sure I've used it before". And I won't even go into the guy who asserted
>> that he's always worked with DB administrators who've dealt with security
>> issues so he'd never needed to learn about it.
>>
>> Am I expecting too much?!?
>>
>> -Stut
>
> Surely you're being rhetorical, Stut, but no, you're not expecting too much.
> However the guy(s) who worked in a larger organization likely did have a
> very clear delineation of roles and responsibilities, as I am experiencing
> in a new position, and therefore may not be current on best practices in
> areas outside of their role. When my group leader instituted the current
> policy regarding job functions, a number of the open source guys decided
> their unused skills were eroding and/or they were not being exposed to new
> learning, and they left the company.

There's no way I would ever hire anyone who says "security was somebody else's responsibility". I don't care what their previous managers have said, that's never a valid statement in my book. When you then add the fact that no DB admin no matter how good they are can implement adequate security to prevent SQL injection you get a developer who doesn't care about security issues much less know anything about them.

-Stut

--
http://stut.net/
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 10:56 AM, Andrew Ballard <[EMAIL PROTECTED]> wrote:
>
> Bad day Dan? :-)

No, but I have faith. The day is still young. ;-P

--
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 10:41 AM, Daniel Brown <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 17, 2008 at 9:55 AM, Stut <[EMAIL PROTECTED]> wrote:
>>
>> Seriously though, I'm wondering if my expectations are too high... I expect
>> them to know that addslashes is not adequate protection against SQL
>> injection. I even had one tell me "SQL injection? I can't remember but I'm
>> sure I've used it before". And I won't even go into the guy who asserted
>> that he's always worked with DB administrators who've dealt with security
>> issues so he'd never needed to learn about it.
>
> 1.) It's obvious that addslashes() is not protection against SQL
> injection attacks. That's why God invented htmlentities() and
> flatfile databases.
>
> 2.) No PHP programmer should ever be required to know anything
> about databases, server management, mail, or anything. This is
> because we all know that we'll someday all work in a Google-like
> atmosphere with enough funding to hire other people to work with
> databases, servers, HTML, and even a Senior JavaScript Engineer.
>
> 3.) "SQL injection" is just a buzzphrase. I already know where
> baby databases come from.
>
> 4.) Any web programmer worth his or her salt knows that PHP, while
> a great language, is not compatible with all browsers. Especially
> Microsoft. For people using Windows, you'll need to have an ASP
> website.
>
> 5.) Never sanitize input. It takes too long, and unless you're
> dealing with credit cards, no one will ever want to hack your website.
> If you are taking credit cards, store them in a firewalled database.
>
> 6.) If you need to copy files from one server to another, make
> sure you use FTP over HTTP. It's more secure.
>
> 7.) register_globals is your friend.
>
> 8.) The best, most-scalable way to create an expandable website is
> to use a switch page. Just tack on a ?page=faq.php query to your GET
> request, and have PHP automatically `include($page)` (see point #7) in
> your switch file.
>
> 9.) NEVER store passwords in a PHP script. Instead, store them in
> a file named `inc/config.inc` in the web directory, and include them.
>
> 10.) If running a picture- or file-sharing website, make things
> easier on your users and yourself. Allow users to delete their files
> by using a simple link like:
> http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in
> delete.php, have only one line: (again, see
> point #7 --- see how much that's coming in handy now?)
>
> 11.) The most important rule EVER: if you ever have the slightest
> problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the
> [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and
> all questions there, including why your MP3's aren't streaming on your
> AnalogX webserver from your home PC to your buddies in Antarctica
> after you turn your computer off. "But when I turn my computer off,
> the rest of the Internet still works! Hlp me pls!!!1!" We are here
> only to serve you. People on mailing lists are paid to write your
> code and do your homework for you, and you should expect nothing but
> the best, immediate answers, 24/7/365. If they don't respond within
> 90 seconds, please repost your message every 90 seconds until someone
> does. When in doubt, hijack a thread.
>
> --
> Better prices on dedicated servers:
> Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
> Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
> Dedicated servers, VPS, and hosting from $2.50/mo.

Bad day Dan? :-)

Andrew
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 9:55 AM, Stut <[EMAIL PROTECTED]> wrote:
>
> Seriously though, I'm wondering if my expectations are too high... I expect
> them to know that addslashes is not adequate protection against SQL
> injection. I even had one tell me "SQL injection? I can't remember but I'm
> sure I've used it before". And I won't even go into the guy who asserted
> that he's always worked with DB administrators who've dealt with security
> issues so he'd never needed to learn about it.

1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.

2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.

3.) "SQL injection" is just a buzzphrase. I already know where baby databases come from.

4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.

5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.

6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.

7.) register_globals is your friend.

8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.

9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.

10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: (again, see point #7 --- see how much that's coming in handy now?)

11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the [EMAIL PROTECTED] web (STFW) or read the [EMAIL PROTECTED] manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3's aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off. "But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!" We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does. When in doubt, hijack a thread.

--
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
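Points 8 and 10 of the list above are the same bug twice: a string from the query string goes straight into a filesystem call (`include($page)`, and whatever the one-liner in delete.php did; the page does not preserve that line, and the example below assumes it was an `unlink()` of the `file` parameter). The following is an added example, not code from Daniel Brown's post or from anyone in the thread. It puts the vulnerable pattern next to one reasonable fix for each: pages are selected by name from a fixed map rather than by path, and a file may only be deleted after `realpath()` proves it sits inside the requesting user's own upload directory. The `pages/` directory, the upload root and the user id `42` are assumptions for the demonstration; the user id would come from the server-side session, never from the request.

```php
<?php
// Added example, not code from the thread. Points 8 and 10 of the list
// both pass a user-controlled string to a filesystem call. Vulnerable and
// hardened forms side by side. Directory names and user id are assumptions.

declare(strict_types=1);

// ---- Point 8: ?page=faq.php -> include($page) ------------------------------

// Vulnerable: the caller decides which file is included
// (?page=../../../../etc/passwd, or a URL if allow_url_include is on).
function includePageVulnerable(string $page): void
{
    include $page;
}

// Hardened: the request carries a page *name*, never a path. The name selects
// from a fixed map built by the developer; anything else is a 404, not a guess.
const PAGES = [
    'home' => 'home.php',
    'faq'  => 'faq.php',
];

function resolvePage(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$name];
}

// ---- Point 10: delete.php?file=images/mygraphic.jpg -> unlink($file) -------

// Vulnerable (assumed shape of the one-liner): ?file=../../inc/config.inc
// deletes anything the web server user may delete.
function deleteFileVulnerable(string $file): bool
{
    return @unlink($file);
}

// Hardened: canonicalise both the user's directory and the requested path,
// then require the target to lie strictly inside the directory. realpath()
// collapses "..", symlinks and doubled separators, or returns false if the
// path does not exist, so the prefix check is made on real paths only.
function resolveOwnedFile(string $uploadRoot, string $userId, string $file): ?string
{
    $base = realpath($uploadRoot . '/' . $userId);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . '/' . $file);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing, or resolves outside this user's directory
    }
    return $target;
}

// ---- Demonstration on a throwaway directory tree (constructed) -------------
$root = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir("$root/42/images", 0700, true);
mkdir("$root/other", 0700, true);
touch("$root/42/images/mygraphic.jpg");
touch("$root/other/secret.txt");

var_dump(resolveOwnedFile($root, '42', 'images/mygraphic.jpg')); // string(...) ".../42/images/mygraphic.jpg"
var_dump(resolveOwnedFile($root, '42', '../other/secret.txt'));   // NULL: escapes the user's directory
var_dump(resolveOwnedFile($root, '42', '.'));                     // NULL: the directory itself is not a file to delete
var_dump(resolvePage('faq'));                                     // string(...) ".../pages/faq.php"
var_dump(resolvePage('../../etc/passwd'));                        // NULL: not a known page name
```

Two things the example deliberately does not do. It never reads `$page` or `$file` as bare variables, so it does not depend on register_globals (point 7) being on or off; the caller reads `$_GET['page']` itself and passes it in. And a real delete.php should also require a POST with a CSRF token rather than a GET link: a destructive GET is triggered by a prefetching browser or a hostile `<img src=...>` as easily as by the user.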
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 7/17/08, Stut <[EMAIL PROTECTED]> wrote:
>
> On 17 Jul 2008, at 14:10, tedd wrote:
>
>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>
>>> Oh, and you'd be working for me so bear that in mind ;)
>>>
>>> -Stut
>>
>> It's no wonder why you haven't found anyone. :-)
>
> Thanks for that tedd.
>
> Seriously though, I'm wondering if my expectations are too high... I expect
> them to know that addslashes is not adequate protection against SQL
> injection. I even had one tell me "SQL injection? I can't remember but I'm
> sure I've used it before". And I won't even go into the guy who asserted
> that he's always worked with DB administrators who've dealt with security
> issues so he'd never needed to learn about it.
>
> Am I expecting too much?!?
>
> -Stut

Surely you're being rhetorical, Stut, but no, you're not expecting too much. However the guy(s) who worked in a larger organization likely did have a very clear delineation of roles and responsibilities, as I am experiencing in a new position, and therefore may not be current on best practices in areas outside of their role. When my group leader instituted the current policy regarding job functions, a number of the open source guys decided their unused skills were eroding and/or they were not being exposed to new learning, and they left the company.

--David.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Jul 17, 2008, at 9:55 AM, Stut wrote:
> On 17 Jul 2008, at 14:10, tedd wrote:
>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>> Oh, and you'd be working for me so bear that in mind ;)
>>>
>>> -Stut
>>
>> It's no wonder why you haven't found anyone. :-)
>
> Thanks for that tedd.
>
> Seriously though, I'm wondering if my expectations are too high... I expect
> them to know that addslashes is not adequate protection against SQL
> injection. I even had one tell me "SQL injection? I can't remember but I'm
> sure I've used it before". And I won't even go into the guy who asserted
> that he's always worked with DB administrators who've dealt with security
> issues so he'd never needed to learn about it.
>
> Am I expecting too much?!?

From a professional? No... From someone who has taught himself as he went, and has added to his arsenal along the way? Not really that either... Only if you take a total newbie would that be expecting too much...

If I was willing to move I'd apply :) I don't know it all but I'm a quick learner hehe :)

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Thu, Jul 17, 2008 at 9:10 AM, tedd <[EMAIL PROTECTED]> wrote:
> At 10:28 PM +0100 7/16/08, Stut wrote:
>>
>> Oh, and you'd be working for me so bear that in mind ;)
>>
>> -Stut
>
> It's no wonder why you haven't found anyone. :-)

I'm just surprised that Manuel Lemos hasn't been in here touting his phpclasses.org professionals site.

--
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 14:10, tedd wrote:
> At 10:28 PM +0100 7/16/08, Stut wrote:
>> Oh, and you'd be working for me so bear that in mind ;)
>>
>> -Stut
>
> It's no wonder why you haven't found anyone. :-)

Thanks for that tedd.

Seriously though, I'm wondering if my expectations are too high... I expect them to know that addslashes is not adequate protection against SQL injection. I even had one tell me "SQL injection? I can't remember but I'm sure I've used it before". And I won't even go into the guy who asserted that he's always worked with DB administrators who've dealt with security issues so he'd never needed to learn about it.

Am I expecting too much?!?

-Stut

--
http://stut.net/
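For the interview question Stut describes, here is an added example (not from his post or anyone in the thread) of what "addslashes is not adequate protection against SQL injection" looks like in practice, and what the adequate answer is. `addslashes()` only backslashes quotes, backslashes and NUL; it has no idea where the value will land in the statement. In a numeric context (`WHERE id = $id`) there is no quote to escape, so the payload passes through untouched. In a quoted context it fails differently on MySQL with a multibyte connection charset such as GBK, where the inserted backslash can be absorbed into a two-byte character; that is charset-aware escaping's job, and the reason `mysql_real_escape_string()` exists. The example shows the numeric case and the fix that covers both: a prepared statement with a bound parameter. It runs offline against an in-memory SQLite database through PDO (assumed available); the table and rows are constructed.

```php
<?php
// Added example, not code from the thread. Shows addslashes() failing to stop
// an injection and a parameterised query stopping it. Uses PDO + in-memory
// SQLite so it runs offline; the users table and its rows are constructed.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0)");
    return $db;
}

// Vulnerable: the "escaped" value is dropped into a numeric context. There is
// no quote for addslashes() to escape, so '2 OR 1=1' reaches the parser as SQL.
function findUserAddslashes(PDO $db, string $id): array
{
    $escaped = addslashes($id);             // '2 OR 1=1' comes back unchanged
    $sql     = "SELECT name FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the statement text is fixed before the value is supplied, and the
// value is bound as a parameter, so it can never be parsed as SQL whatever it
// contains and whatever the connection charset is.
function findUserPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    // The column is numeric, so also coerce the input to the type it must be.
    // Without the cast the bound string would simply match no row.
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db      = makeDb();
$payload = '2 OR 1=1';

print_r(findUserAddslashes($db, $payload)); // alice, bob, carol: the whole table
print_r(findUserPrepared($db, $payload));   // bob only: the payload stayed data
```

The interview-grade answer, then, is not "which escaping function" but "the value must never be concatenated into the statement at all"; escaping is what you fall back to only where a driver gives you no placeholders, and then it must be the database's own charset-aware routine, applied in a quoted context.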
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
At 10:28 PM +0100 7/16/08, Stut wrote:
> Oh, and you'd be working for me so bear that in mind ;)
>
> -Stut

It's no wonder why you haven't found anyone. :-)

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 17 Jul 2008, at 11:31, Jason Pruim wrote:
> On Jul 16, 2008, at 5:28 PM, Stut wrote:
>> On 16 Jul 2008, at 19:18, Daniel Brown wrote:
>>> On Tue, Jul 15, 2008 at 5:43 PM, Stut <[EMAIL PROTECTED]> wrote:
>>>> Code please, we're not mind readers!
>>>
>>> I sensed you would say that, Stuart. ;-P
>>
>> Can you sense what I'm thinking right now?
>>
>> BTW, if anyone is looking for a PHP5/MySQL dev job in or around
>> Camberley, Surrey, England please drop me your CV. Looking for all
>> levels to join a small team (me + 2 non-devs). Contact me
>> personally for more info. Sorry, remote working is not an option.
>> We will consider both perm and contract but perm is preferred. Oh,
>> and you'd be working for me so bear that in mind ;)
>
> So would that be a plus or a negative? :P

That's up to you to decide based on my activity on this list. IOW I have no idea!

-Stut

--
http://stut.net/
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Jul 16, 2008, at 5:28 PM, Stut wrote:
> On 16 Jul 2008, at 19:18, Daniel Brown wrote:
>> On Tue, Jul 15, 2008 at 5:43 PM, Stut <[EMAIL PROTECTED]> wrote:
>>> Code please, we're not mind readers!
>>
>> I sensed you would say that, Stuart. ;-P
>
> Can you sense what I'm thinking right now?
>
> BTW, if anyone is looking for a PHP5/MySQL dev job in or around Camberley, Surrey, England please drop me your CV. Looking for all levels to join a small team (me + 2 non-devs). Contact me personally for more info. Sorry, remote working is not an option. We will consider both perm and contract but perm is preferred.
>
> Oh, and you'd be working for me so bear that in mind ;)

So would that be a plus or a negative? :P

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Wed, Jul 16, 2008 at 5:28 PM, Stut <[EMAIL PROTECTED]> wrote:
>
> Oh, and you'd be working for me so bear that in mind ;)

*crickets*

(And not the games.)

--
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just $59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 16 Jul 2008, at 19:18, Daniel Brown wrote:
> On Tue, Jul 15, 2008 at 5:43 PM, Stut <[EMAIL PROTECTED]> wrote:
>> Code please, we're not mind readers!
>
> I sensed you would say that, Stuart. ;-P

Can you sense what I'm thinking right now?

BTW, if anyone is looking for a PHP5/MySQL dev job in or around Camberley, Surrey, England please drop me your CV. Looking for all levels to join a small team (me + 2 non-devs). Contact me personally for more info. Sorry, remote working is not an option. We will consider both perm and contract but perm is preferred.

Oh, and you'd be working for me so bear that in mind ;)

-Stut

--
http://stut.net/
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Tue, Jul 15, 2008 at 5:43 PM, Stut <[EMAIL PROTECTED]> wrote:
>
> Code please, we're not mind readers!

I sensed you would say that, Stuart. ;-P
[Fwd: [Fwd: Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??]]
OK. Once again, a problem I thought was abstruse and formidable turns out to be ridiculously simple and embarrassingly obvious (once you realize what it is - image not in web server directory!!!)

But I didn't know until this happened that the browser sends a follow-up request to the web server for the images it finds specified on the page. This is a very useful piece of knowledge!! It made it obvious that I was looking for the problem in all the wrong places!

Sorry for the false alarm. Next time I'll try to have a real problem everyone can sink their teeth into!!

--- Begin Message ---
Sorry, I'm back again with this same problem! Apparently the only reason it looked like it was solved an hour ago was because the <img src="xx"> statement I tried reading out of the database was pointing to an image already on the page! When the statement points to an image NOT already on the page, it doesn't work. I thought the size of the image might be the problem, but no matter how small I make the image, it doesn't work.

Again, any insight into what might be the problem here would be MUCH appreciated.

Is it necessary for an <img> statement to be in the code of the script writing the page for the image to be correctly inserted onto the page? I believe that's the question. It looks like when the statement is pulled from a database and copied onto the webpage, some kind of php or HTML parser doesn't get a chance to parse it, resolve it, and go retrieve the image to put it on the page!!! I hope I'm wrong about this, but at this point I don't have any other plausible theory!!

--- Begin Message ---
Yes, here's the code that is retrieving "news items" from the database and printing them on the page (I do some other stuff with the text before, and after, I print it, for example, find the sentences, so I can print complete sentences, and not just pieces of sentences). As I say, occasionally these news items contain some HTML, e.g., the <img src="xxx"> statement.

All of the text is being correctly retrieved from the database and written to the page, including the <img src="xxx"> statement, because I see it all in the page source of the page in my browser. However, the statement is NOT working, that is, the image does NOT appear on the page.

    $result = mysql_query("SELECT * FROM newsitem ORDER BY newsitem_date DESC");
    if (mysql_num_rows($result) > 0) {
        $i = 1;
        while (($row = mysql_fetch_assoc($result)) && ($i < 6)) {
    ?>
        = $row['title']; echo $title; echo " by "; ?>
        $row['author']; echo " of "; echo $row['newsservice']; ?>
        echo "";
        $url_string = " (read more of this article)";
        echo $url_string;
        $blog_result = mysql_query("SELECT * FROM blog where discussion = \"$title\"");
        if (mysql_num_rows($blog_result) > 0) $not = ""; else $not = " not";
        echo "";
        echo "This news item does$not have a blog discussion ";
        echo " ";
        if (mysql_num_rows($blog_result) > 0) echo "Read this item's blog "; else echo "Start a discussion on this item ";
        $i++;
    ?>

Stut wrote:
> On 15 Jul 2008, at 22:36, Rod Clay wrote:
>> Hello. Again, I'm fairly new to php so please forgive me if my question is a very simple or obvious one.
>>
>> I've just tried testing for the first time some php code that is pulling text out of a database to print it on the webpage. Some of this text includes HTML, specifically in this case an <img src="x"> statement. Much to my surprise, this is not working. Is there a problem with pulling HTML out of a database like this as the page is being written?
>>
>> There's no problem of course if my php code is writing the HTML to the page - in this case, the statement works fine and the image is displayed. Why is it a problem when my php script pulls the HTML code out of a database and writes it to the page from there??
>>
>> It would appear that when my php script writes HTML to the page a process of some kind is executed to, in this case, get the image and put it on the page. Apparently this same process is NOT executed if the HTML is retrieved from a database and simply written to the page from there. Is this correct? And, if it is, can anyone suggest a workaround, another way to get done what I'm trying to do here?
>
> Code please, we're not mind readers!
>
> -Stut
--- End Message ---
--- End Message ---
[Fwd: Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??]
Sorry, I'm back again with this same problem! Apparently the only reason it looked like it was solved an hour ago was because the <img src="xx"> statement I tried reading out of the database was pointing to an image already on the page! When the statement points to an image NOT already on the page, it doesn't work. I thought the size of the image might be the problem, but no matter how small I make the image, it doesn't work.

Again, any insight into what might be the problem here would be MUCH appreciated.

Is it necessary for an <img> statement to be in the code of the script writing the page for the image to be correctly inserted onto the page? I believe that's the question. It looks like when the statement is pulled from a database and copied onto the webpage, some kind of php or HTML parser doesn't get a chance to parse it, resolve it, and go retrieve the image to put it on the page!!! I hope I'm wrong about this, but at this point I don't have any other plausible theory!!

--- Begin Message ---
Yes, here's the code that is retrieving "news items" from the database and printing them on the page (I do some other stuff with the text before, and after, I print it, for example, find the sentences, so I can print complete sentences, and not just pieces of sentences). As I say, occasionally these news items contain some HTML, e.g., the <img src="xxx"> statement.

All of the text is being correctly retrieved from the database and written to the page, including the <img src="xxx"> statement, because I see it all in the page source of the page in my browser. However, the statement is NOT working, that is, the image does NOT appear on the page.

    $result = mysql_query("SELECT * FROM newsitem ORDER BY newsitem_date DESC");
    if (mysql_num_rows($result) > 0) {
        $i = 1;
        while (($row = mysql_fetch_assoc($result)) && ($i < 6)) {
    ?>
        = $row['title']; echo $title; echo " by "; ?>
        $row['author']; echo " of "; echo $row['newsservice']; ?>
        echo "";
        $url_string = " (read more of this article)";
        echo $url_string;
        $blog_result = mysql_query("SELECT * FROM blog where discussion = \"$title\"");
        if (mysql_num_rows($blog_result) > 0) $not = ""; else $not = " not";
        echo "";
        echo "This news item does$not have a blog discussion ";
        echo " ";
        if (mysql_num_rows($blog_result) > 0) echo "Read this item's blog "; else echo "Start a discussion on this item ";
        $i++;
    ?>

Stut wrote:
> On 15 Jul 2008, at 22:36, Rod Clay wrote:
>> Hello. Again, I'm fairly new to php so please forgive me if my question is a very simple or obvious one.
>>
>> I've just tried testing for the first time some php code that is pulling text out of a database to print it on the webpage. Some of this text includes HTML, specifically in this case an <img src="x"> statement. Much to my surprise, this is not working. Is there a problem with pulling HTML out of a database like this as the page is being written?
>>
>> There's no problem of course if my php code is writing the HTML to the page - in this case, the statement works fine and the image is displayed. Why is it a problem when my php script pulls the HTML code out of a database and writes it to the page from there??
>>
>> It would appear that when my php script writes HTML to the page a process of some kind is executed to, in this case, get the image and put it on the page. Apparently this same process is NOT executed if the HTML is retrieved from a database and simply written to the page from there. Is this correct? And, if it is, can anyone suggest a workaround, another way to get done what I'm trying to do here?
>
> Code please, we're not mind readers!
>
> -Stut
--- End Message ---
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
It would be helpful if you could clarify the error you are getting, but could be something involving quotes, stripslashes() and addslashes();

On Jul 15, 2008, at 2:36 PM, Rod Clay wrote:
> Hello. Again, I'm fairly new to php so please forgive me if my question is a very simple or obvious one.
>
> I've just tried testing for the first time some php code that is pulling text out of a database to print it on the webpage. Some of this text includes HTML, specifically in this case an <img src="x"> statement. Much to my surprise, this is not working. Is there a problem with pulling HTML out of a database like this as the page is being written?
>
> There's no problem of course if my php code is writing the HTML to the page - in this case, the statement works fine and the image is displayed. Why is it a problem when my php script pulls the HTML code out of a database and writes it to the page from there??
>
> It would appear that when my php script writes HTML to the page a process of some kind is executed to, in this case, get the image and put it on the page. Apparently this same process is NOT executed if the HTML is retrieved from a database and simply written to the page from there. Is this correct? And, if it is, can anyone suggest a workaround, another way to get done what I'm trying to do here?
>
> Thanks for any help you can give me.
>
> Rod Clay
RE: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
> -----Original Message-----
> From: Rod Clay [mailto:[EMAIL PROTECTED]
> Sent: 15 July 2008 22:36
> To: php-general@lists.php.net
> Subject: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
>
> Hello. Again, I'm fairly new to php so please forgive me if my question is a very simple or obvious one.
>
> I've just tried testing for the first time some php code that is pulling text out of a database to print it on the webpage. Some of this text includes HTML, specifically in this case an <img src="x"> statement. Much to my surprise, this is not working. Is there a problem with pulling HTML out of a database like this as the page is being written?
>
> There's no problem of course if my php code is writing the HTML to the page - in this case, the <img src="x"> statement works fine and the image is displayed. Why is it a problem when my php script pulls the HTML code out of a database and writes it to the page from there??
>
> It would appear that when my php script writes HTML to the page a process of some kind is executed to, in this case, get the image and put it on the page. Apparently this same process is NOT executed if the HTML is retrieved from a database and simply written to the page from there. Is this correct? And, if it is, can anyone suggest a workaround, another way to get done what I'm trying to do here?
>
> Thanks for any help you can give me.
>
> Rod Clay

Have you got a code snippet??

Alex
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
It's (was) not printing anything. Here's the doctype statement:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

HOWEVER, thanks for all of the responses so far, but please accept my apologies because evidently this is NOT a php question after all - I just tried another, much, much smaller photo and that is printing, so it would appear that it is a much more mundane problem, actually an HTML problem!!!

Again, please accept my apologies for this false alarm, but I had tested and tested and tested this and was stumped an hour ago! Thought it was a different kind of problem. Mea culpa! :-[

dg wrote:
> On Jul 15, 2008, at 3:06 PM, Rod Clay wrote:
>> All of the text is being correctly retrieved from the database and written to the page, including the <img> statement, because I see it all in the page source of the page in my browser. However, the statement is NOT working, that is, the image does NOT appear on the page.
>
> What exactly is it printing?
>
> What is the doctype?
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On Jul 15, 2008, at 3:06 PM, Rod Clay wrote:
> All of the text is being correctly retrieved from the database and written to the page, including the <img> statement, because I see it all in the page source of the page in my browser. However, the statement is NOT working, that is, the image does NOT appear on the page.

What exactly is it printing?

What is the doctype?
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
Yes, here's the code that is retrieving "news items" from the database and printing them on the page (I do some other stuff with the text before, and after, I print it, for example, find the sentences, so I can print complete sentences, and not just pieces of sentences). As I say, occasionally these news items contain some HTML, e.g., the <img src="xxx"> statement.

All of the text is being correctly retrieved from the database and written to the page, including the <img src="xxx"> statement, because I see it all in the page source of the page in my browser. However, the statement is NOT working, that is, the image does NOT appear on the page.

    $result = mysql_query("SELECT * FROM newsitem ORDER BY newsitem_date DESC");
    if (mysql_num_rows($result) > 0) {
        $i = 1;
        while (($row = mysql_fetch_assoc($result)) && ($i < 6)) {
    ?>
        = $row['title']; echo $title; echo " by "; ?>
        $row['author']; echo " of "; echo $row['newsservice']; ?>
        echo "";
        $url_string = " (read more of this article)";
        echo $url_string;
        $blog_result = mysql_query("SELECT * FROM blog where discussion = \"$title\"");
        if (mysql_num_rows($blog_result) > 0) $not = ""; else $not = " not";
        echo "";
        echo "This news item does$not have a blog discussion ";
        echo " ";
        if (mysql_num_rows($blog_result) > 0) echo "Read this item's blog "; else echo "Start a discussion on this item ";
        $i++;
    ?>

Stut wrote:
> On 15 Jul 2008, at 22:36, Rod Clay wrote:
>> Hello. Again, I'm fairly new to php so please forgive me if my question is a very simple or obvious one.
>>
>> I've just tried testing for the first time some php code that is pulling text out of a database to print it on the webpage. Some of this text includes HTML, specifically in this case an <img src="x"> statement. Much to my surprise, this is not working. Is there a problem with pulling HTML out of a database like this as the page is being written?
>>
>> There's no problem of course if my php code is writing the HTML to the page - in this case, the statement works fine and the image is displayed. Why is it a problem when my php script pulls the HTML code out of a database and writes it to the page from there??
>>
>> It would appear that when my php script writes HTML to the page a process of some kind is executed to, in this case, get the image and put it on the page. Apparently this same process is NOT executed if the HTML is retrieved from a database and simply written to the page from there. Is this correct? And, if it is, can anyone suggest a workaround, another way to get done what I'm trying to do here?
>
> Code please, we're not mind readers!
>
> -Stut
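The blog lookup in Rod's snippet pastes `$title` straight into the SQL string, which is the pattern behind Stut's remark elsewhere in the thread that addslashes is not adequate protection against SQL injection. As an added example that is not code from the thread: the lookup as posted beside a prepared-statement version, run against an in-memory SQLite database standing in for the MySQL `blog` table; the table layout and the sample title are assumptions.

```php
<?php
// Added example, not from the thread. The blog table and sample row are
// constructed here; SQLite in memory replaces the MySQL database.
declare(strict_types=1);

// The query exactly as the posted code builds it. $title is read back from
// newsitem.title and dropped into the SQL text, so any quote character in a
// stored title alters the statement (second-order injection). addslashes()
// applied when the title was first saved does not help: the value comes back
// from the database unescaped before it is reused here.
function blogQueryInterpolated(string $title): string
{
    return "SELECT * FROM blog WHERE discussion = \"$title\"";
}

// Fix: bind the title as a parameter. The driver passes it as data, never as
// SQL, so quoting and connection charset no longer matter.
function hasBlogDiscussion(PDO $db, string $title): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM blog WHERE discussion = ?');
    $stmt->execute([$title]);
    return (int) $stmt->fetchColumn() > 0;
}

function demoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blog (discussion TEXT)');
    // Constructed sample: a perfectly ordinary title containing double quotes.
    $ins = $db->prepare('INSERT INTO blog (discussion) VALUES (?)');
    $ins->execute(['Council says "no" to new bypass']);
    return $db;
}

$db    = demoDatabase();
$title = 'Council says "no" to new bypass';

// Prepared statement: the row is found, quotes and all.
var_dump(hasBlogDiscussion($db, $title));

// Interpolated statement: the embedded quotes split the SQL and the query
// fails; a title written with that in mind would rewrite the query instead.
try {
    $db->query(blogQueryInterpolated($title));
} catch (PDOException $e) {
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}
```

The same binding applies to the first query in the snippet once any user-controlled value (a page number, a search term) is added to it; the mysql_* functions the snippet uses have no prepared statements, which is one reason to move to PDO or mysqli.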
Re: [PHP] is there a problem with php script pulling HTML out of database as it writes the page??
On 15 Jul 2008, at 22:36, Rod Clay wrote:
> Hello. Again, I'm fairly new to php so please forgive me if my question is a very simple or obvious one.
>
> I've just tried testing for the first time some php code that is pulling text out of a database to print it on the webpage. Some of this text includes HTML, specifically in this case an <img src="x"> statement. Much to my surprise, this is not working. Is there a problem with pulling HTML out of a database like this as the page is being written?
>
> There's no problem of course if my php code is writing the HTML to the page - in this case, the statement works fine and the image is displayed. Why is it a problem when my php script pulls the HTML code out of a database and writes it to the page from there??
>
> It would appear that when my php script writes HTML to the page a process of some kind is executed to, in this case, get the image and put it on the page. Apparently this same process is NOT executed if the HTML is retrieved from a database and simply written to the page from there. Is this correct? And, if it is, can anyone suggest a workaround, another way to get done what I'm trying to do here?

Code please, we're not mind readers!

-Stut

--
http://stut.net/