[PHP] sql query

2005-03-02 Thread William Stokes
Hello Can someone explain this to me. I don't know how to read this. if (!$variable = mysql_query("select id,sessid from users where ... What is this "if(!" I mean the ! sign. Thanks -Will -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] SQL - INSERT INTO booleans

2005-01-19 Thread Richard Lynch
Tim Burgan wrote: > I am continually getting a data type mismatch error (relating to the > boolean columns) when trying to execute this code. > > I've tried removing the single quotes, but that returns a syntax error. I've forgotten the rules for MS-Access, but... Perhaps try 1 and 0 as your bool

RE: [PHP] SQL - INSERT INTO booleans

2005-01-19 Thread Mikey
> $db_sql = "INSERT INTO tblStudents (name, username, password, expiry, > permissions, website, displayUser) VALUES ('Joe', > 'joejoe','pw4joe','20-Jan-05','staff','true','false');"; > > In using MS Access via COM, the data types for each column (in order) > is: string, string, string, date, strin

[PHP] SQL - INSERT INTO booleans

2005-01-19 Thread Tim Burgan
Hello, I'm trying to insert a new row using the following SQL: $db_sql = "INSERT INTO tblStudents (name, username, password, expiry, permissions, website, displayUser) VALUES ('Joe', 'joejoe','pw4joe','20-Jan-05','staff','true','false');"; In using MS Access via COM, the data types for each colu

Re: [PHP] SQL Server log file

2005-01-12 Thread Jonel Rienton
just to help out, you might wanna try and use the Profiler under the MS SQL programs group http://jonel.road14.com -- I not know English well, but I know 7 computer languages. anonymous On Jan 12, 2005, at 7:54 AM, Zouari Fourat

Re: [PHP] SQL Server log file

2005-01-12 Thread Jochem Maas
John Nichel wrote: Zouari Fourat wrote: Hello am new to ms sql server and using it for a while, i where searching where to find sql queries log file ? some one have an idea about it ? There's a php question in there somewhere, right? John, you have to look 'beyond the surface' ;-) seriously though

RE: [PHP] SQL Server log file

2005-01-12 Thread Jay Blanchard
[snip] am new to ms sql server and using it for a while, i where searching where to find sql queries log file ? some one have an idea about it ? [/snip] A MS SQL list might.

Re: [PHP] SQL Server log file

2005-01-12 Thread John Nichel
Zouari Fourat wrote: Hello am new to ms sql server and using it for a while, i where searching where to find sql queries log file ? some one have an idea about it ? There's a php question in there somewhere, right? -- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]

[PHP] SQL Server log file

2005-01-12 Thread Zouari Fourat
Hello am new to ms sql server and using it for a while, i where searching where to find sql queries log file ? some one have an idea about it ?

Re: [PHP] sql syntax problem

2004-12-13 Thread Richard Lynch
Merlin wrote: > SELECT c.name AS city > FROM geo_de.geodb_locations AS c, fix.user AS u > WHERE u.user_id =4 AND c.plz > LIKE "%u.plz%"; I believe you want something not unlike this: WHERE u.user_id = 4 AND c.plz LIKE concat('%', u.plz, '%') -- Like Music? http://l-i-e.com/artists.htm -- P

[PHP] sql syntax problem

2004-12-13 Thread Merlin
Hello everybody, I am trying to create a sql query with php and I do have a syntax problem with the mysql query. One row is called "plz" and I would like to search for a value inside that with a like statement. Problem is, the system takes the u.plz as a character not as a table element: LIKE

Re: [PHP] sql syntax problem

2004-12-13 Thread Thomas Munz
This is the PHP mailing list, not the SQL mailing list ;) but here is the syntax ( not tested ): SELECT c.name AS city FROM geodb_locations AS c, user AS u WHERE u.user_id = 4 AND c.plz LIKE u.plz; > Hello everybody, > > I am trying to create a sql query with php and I do h

Re: [PHP] SQL sums

2004-12-04 Thread Marek Kilimajer
Raditha Dissanayake wrote: Marek Kilimajer wrote: Jason Wong wrote: On Saturday 04 December 2004 00:40, Marek Kilimajer wrote: Raditha Dissanayake wrote: Marek Kilimajer wrote: This is an SQL question. Marek, don't you know that this the mysql list? you are supposed to answer questions like these.

Re: [PHP] SQL sums

2004-12-03 Thread Raditha Dissanayake
Marek Kilimajer wrote: Jason Wong wrote: On Saturday 04 December 2004 00:40, Marek Kilimajer wrote: Raditha Dissanayake wrote: Marek Kilimajer wrote: This is an SQL question. Marek, don't you know that this the mysql list? you are supposed to answer questions like these. If you don't there will be

Re: [PHP] SQL sums

2004-12-03 Thread Marek Kilimajer
Jason Wong wrote: On Saturday 04 December 2004 00:40, Marek Kilimajer wrote: Raditha Dissanayake wrote: Marek Kilimajer wrote: This is an SQL question. Marek, don't you know that this the mysql list? you are supposed to answer questions like these. If you don't there will be self appointed list mod

Re: [PHP] SQL sums

2004-12-03 Thread Jason Wong
On Saturday 04 December 2004 00:40, Marek Kilimajer wrote: > Raditha Dissanayake wrote: > > Marek Kilimajer wrote: > >> This is an SQL question. > > > > Marek, don't you know that this the mysql list? you are supposed to > > answer questions like these. If you don't there will be self appointed > >

Re: [PHP] SQL sums

2004-12-03 Thread Richard Lynch
> Now to create this I've tried a horrible method of using php to call sql > table, and then go through each one, and add it to each period of time as > appropriate. it's messy and slow! Yes! To generalize: ANY time you try to get PHP to access SQL data row by row, and do something with it (othe

Re: [PHP] SQL sums

2004-12-03 Thread Greg Donald
On Fri, 3 Dec 2004 14:55:46 -, James Nunnerley <[EMAIL PROTECTED]> wrote: > I'm trying to create a table, and ultimately a graph, out of some syslog > data. > > I have a mysql table with the following info in it: > > Time (unixtime stamp), bytes rcvd and bytes sent Why reinvent the wheel? U

Re: [PHP] SQL sums

2004-12-03 Thread Marek Kilimajer
Raditha Dissanayake wrote: Marek Kilimajer wrote: This is an SQL question. Marek, don't you know that this the mysql list? you are supposed to answer questions like these. If you don't there will be self appointed list moderators who will jump on you like what happened to me last week. I was ac

Re: [PHP] SQL sums

2004-12-03 Thread Raditha Dissanayake
Marek Kilimajer wrote: This is an SQL question. Marek, don't you know that this the mysql list? you are supposed to answer questions like these. If you don't there will be self appointed list moderators who will jump on you like what happened to me last week. I was accused of being not helpful.

Re: [PHP] SQL sums

2004-12-03 Thread John Nichel
Marek Kilimajer wrote: This is an SQL question. Yes, but this is the php-general_mysql_javascript_wax-my-car_html_apache_kitchen-sink list. ;) -- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]

Re: [PHP] SQL sums

2004-12-03 Thread Marek Kilimajer
This is an SQL question. James Nunnerley wrote: I'm trying to create a table, and ultimately a graph, out of some syslog data. I have a mysql table with the following info in it: Time (unixtime stamp), bytes rcvd and bytes sent I want to create a sql statement that group the data over a certa

RE: [PHP] SQL sums

2004-12-03 Thread Thomas S. Crum - AAA Web Solution, Inc.
If someone doesn't give you an answer here, try php cookbook by O'reilly. It has this exact recipe in it. Best, Thomas S. Crum -Original Message- From: James Nunnerley [mailto:[EMAIL PROTECTED] Sent: Friday, December 03, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [PHP] SQL

[PHP] SQL sums

2004-12-03 Thread James Nunnerley
I'm trying to create a table, and ultimately a graph, out of some syslog data. I have a mysql table with the following info in it: Time (unixtime stamp), bytes rcvd and bytes sent I want to create a sql statement that group the data over a certain period of time, and produces the following

Re: [PHP] sql insert into 2 tables

2004-11-28 Thread Larry E . Ullman
Hi there - I was wondering if anyone could point me in the right direction to be able to add data to two different tables (I am using mysql and php V4). I understand joins, etc for the query of the data, however adding the data - still getting my head wrapped around it (multiple tables). You'll

[PHP] sql insert into 2 tables

2004-11-28 Thread Dustin Krysak
Hi there - I was wondering if anyone could point me in the right direction to be able to add data to two different tables (I am using mysql and php V4). I understand joins, etc for the query of the data, however adding the data - still getting my head wrapped around it (multiple tables). Thank

Re: [PHP] SQL-Injection, XSS and Hijacking

2004-11-05 Thread Chris Shiflett
--- Jordi Canals <[EMAIL PROTECTED]> wrote: > > I highlight some of the things I think are of principal concern > > for PHP developers in something I call the PHP Security Workbook: > > > > http://shiflett.org/php-security.pdf > > > > That doesn't cover everything, of course, but it covers those

Re: [PHP] SQL-Injection, XSS and Hijacking

2004-11-05 Thread Jordi Canals
On Wed, 3 Nov 2004 19:02:22 -0800 (PST), Chris Shiflett <[EMAIL PROTECTED]> wrote: > There is a lot more. I highlight some of the things I think are of > principal concern for PHP developers in something I call the PHP Security > Workbook: > > http://shiflett.org/php-security.pdf > > That doesn'

RE: [PHP] SQL-Injection, XSS and Hijacking

2004-11-05 Thread Pedro Iran Mendez Perez
Pedro Iran Mendez Perez -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 03, 2004 04:25 p.m. To: [EMAIL PROTECTED] Subject: [PHP] SQL-Injection, XSS and Hijacking Hi, I read now quite a lot of articles about SQL-Injection, XSS a

Re: [PHP] SQL-Injection, XSS and Hijacking

2004-11-03 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: > I read now quite a lot of articles about SQL-Injection, > XSS, and session hijacking in a hopefully appropriate way. > > As I understand the function addslashes(), quote_meta(), > and mysql_real_escape_string() are to avoid SQL Injection The database-specific escapi

RE: [PHP] SQL-Injection, XSS and Hijacking

2004-11-03 Thread Zareef Ahmed
ED] >Subject: [PHP] SQL-Injection, XSS and Hijacking >Hi, >I read now quite a lot of articles about SQL-Injection, >XSS and session hijacking in a hopefully appropriate way. >As I understand the function addslashes(),quote_meta() >and mysql_real_escape_string() are to avoid S

[PHP] SQL-Injection, XSS and Hijacking

2004-11-03 Thread Mark-Walter
Hi, I read now quite a lot of articles about SQL-Injection, XSS and session hijacking in a hopefully appropriate way. As I understand the function addslashes(),quote_meta() and mysql_real_escape_string() are to avoid SQL Injection e.g. in order to use page_sliding with entered POST data over for

RE: [PHP] Further help for PHP, SQL syntax, and register_globals

2004-10-26 Thread Ford, Mike
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm On 26 October 2004 12:01, John Holmes wrote: > Sugimoto wrote: > > Bad query: You have an error in your SQL syntax near 'and Tit like > > and Aut like and Auty like ' at line 4 > [s

Re: [PHP] Further help for PHP, SQL syntax, and register_globals

2004-10-26 Thread John Holmes
Sugimoto wrote: Bad query: You have an error in your SQL syntax near 'and Tit like and Aut like and Auty like ' at line 4 [snip] foreach ($_GET as $value) { if (empty($value)) $value = "%"; You have an issue here. You're looping through $_GET and attempting to set a default value (which is

Re: [PHP] sql & trim problem

2004-10-19 Thread Greg Donald
On Mon, 18 Oct 2004 21:43:18 -0700, Dale Hersowitz <[EMAIL PROTECTED]> wrote: > Recently, I had to format my db server and when I re-attached the database, > I noticed some unusual behavior. I have some fields in certain tables with a > width of 60. When I would extract data from the table for that

[PHP] sql & trim problem

2004-10-18 Thread Dale Hersowitz
Recently, I had to format my db server and when I re-attached the database, I noticed some unusual behavior. I have some fields in certain tables with a width of 60. When I would extract data from the table for that specific field, the data would contain extra blank chars. As a result, I am forced t

Re: [PHP] SQL Functions

2004-08-10 Thread Michael Collins
At 10:26 AM -0700 8/10/04, Justin Patrin wrote: Of course, this begs the question of why you're re-implementing what has been done so many times in the past. At 11:56 AM -0700 8/10/04, Ed Lazor wrote: Hey, while you guys are talking about those DB classes, I've always opted to not use them because

RE: [PHP] SQL Functions

2004-08-10 Thread Ed Lazor
> > > http://pear.php.net/package/DB > > > http://pear.php.net/package/MDB > > > http://pear.php.net/package/MDB2 > > > http://adodb.sourceforge.net/ > > > http://www.phpclasses.org/browse/package/20.html > > > > I'm building a class for use with our PHP applications. > Packages > > like w

Re: [PHP] SQL Functions

2004-08-10 Thread John W. Holmes
From: "Dan Joseph" <[EMAIL PROTECTED]> > > Of course, this begs the question of why you're re-implementing what > > has been done so many times in the past. > > > > http://pear.php.net/package/DB > > http://pear.php.net/package/MDB > > http://pear.php.net/package/MDB2 > > http://adodb.sourceforge.n

RE: [PHP] SQL Functions

2004-08-10 Thread Dan Joseph
> > I'm building a class for use with our PHP applications. > Packages > > like what you've linked me to are nice, but we need a little flexibility > > here, so we're writing a few methods of our own. > > > > Flexibility?? Those classes are very flexible and have many useful > utility meth

Re: [PHP] SQL Functions

2004-08-10 Thread Justin Patrin
On Tue, 10 Aug 2004 13:37:50 -0400, Dan Joseph <[EMAIL PROTECTED]> wrote: > Hi, > > > > Of course, this begs the question of why you're re-implementing what > > has been done so many times in the past. > > > > http://pear.php.net/package/DB > > http://pear.php.net/package/MDB > > http://pear.php.

RE: [PHP] SQL Functions

2004-08-10 Thread Dan Joseph
Hi, > Of course, this begs the question of why you're re-implementing what > has been done so many times in the past. > > http://pear.php.net/package/DB > http://pear.php.net/package/MDB > http://pear.php.net/package/MDB2 > http://adodb.sourceforge.net/ > http://www.phpclasses.org/browse/packag

Re: [PHP] SQL Functions

2004-08-10 Thread Justin Patrin
On Tue, 10 Aug 2004 10:31:36 -0400, Dan Joseph <[EMAIL PROTECTED]> wrote: > Hi Everyone, > > I'm trying to build a class to handle various SQL functions. > One of them is to take a query, and return all rows. Here's what I have so > far: > > function selectRows( $sql ) > > { > >

Re: [PHP] SQL Functions

2004-08-10 Thread raditha dissanayake
John Nichel wrote: John W. Holmes wrote: Change that to: $array = array(); $result = mysql_query( $sql, DB::connect() ); while($data = mysql_fetch_array($result)) { $array[] = $data; } return $array; Would there be any speed/performance issues with using something like... array_push ( $array, $d

Re: [PHP] SQL Functions

2004-08-10 Thread John Nichel
Robby Russell wrote: Run some tests and let us know. ;-) I'd be interested in knowing as well. Not really worth worrying about according to this... array_push() averaged 0.20226655006409 seconds when running the test 10 times array[] averaged 0.20317406654358 seconds when running the test 10 times

Re: [PHP] SQL Functions

2004-08-10 Thread Robby Russell
On Tue, 2004-08-10 at 08:33, John Nichel wrote: > John W. Holmes wrote: > > > > Change that to: > > > > $array = array(); > > $result = mysql_query( $sql, DB::connect() ); > > while($data = mysql_fetch_array($result)) > > { $array[] = $data; } > > > > return $array; > > Would there be any spee

RE: [PHP] SQL Functions

2004-08-10 Thread Dan Joseph
Hi, > Would there be any speed/performance issues with using something like... > > array_push ( $array, $data ); > > vs. > > $array[] = $data; They seem to react the same in my test script. -Dan Joseph

Re: [PHP] SQL Functions

2004-08-10 Thread John Nichel
John W. Holmes wrote: Change that to: $array = array(); $result = mysql_query( $sql, DB::connect() ); while($data = mysql_fetch_array($result)) { $array[] = $data; } return $array; Would there be any speed/performance issues with using something like... array_push ( $array, $data ); vs. $array[]

RE: [PHP] SQL Functions

2004-08-10 Thread Dan Joseph
Hi, > $array = array(); > $result = mysql_query( $sql, DB::connect() ); > while($data = mysql_fetch_array($result)) > { $array[] = $data; } > > return $array; > > No need to loop through $data. Ahh, thanks for that tip. That's much cleaner. -Dan Joseph

Re: [PHP] SQL Functions

2004-08-10 Thread John W. Holmes
From: "Dan Joseph" <[EMAIL PROTECTED]> > > In order to get all of the data back you are going to have to loop > > through it and return the array so that it will be available for > > manipulation. > > Hmm.. I suspected this might be the case. I have modified my > function a bit: > >

RE: [PHP] SQL Functions

2004-08-10 Thread Dan Joseph
Hi, > In order to get all of the data back you are going to have to loop > through it and return the array so that it will be available for > manipulation. Hmm.. I suspected this might be the case. I have modified my function a bit: function selectRows( $sql )

RE: [PHP] SQL Functions

2004-08-10 Thread Jay Blanchard
[snip] I'm trying to build a class to handle various SQL functions. One of them is to take a query, and return all rows. Here's what I have so far: function selectRows( $sql ) { $count = 0; $results = mysql_query( $sql, DB::connect() ); $data = mysql_fetch

[PHP] SQL Functions

2004-08-10 Thread Dan Joseph
Hi Everyone, I'm trying to build a class to handle various SQL functions. One of them is to take a query, and return all rows. Here's what I have so far: function selectRows( $sql ) { $count = 0; $results = mysql_query( $sql, DB::connect() );

Re: [PHP] SQL Join query

2004-08-10 Thread Jason Wong
On Tuesday 10 August 2004 17:28, Peter Brodersen wrote: > .. but this is rather an SQL-related question. That's what I pointed out last week when this thread started! Glad someone's paying attention :) -- Jason Wong -> Gremlins Associates -> www.gremlins.biz Open Source Software Systems Integr

Re: [PHP] SQL Join query

2004-08-10 Thread Peter Brodersen
Hi, On Mon, 9 Aug 2004 18:12:42 +, in php.general you wrote: >* Thus wrote Jonathan Haddad: >> The only problem there is when you group the LEFT JOIN pictures that >> have a count of 0 return a count of 1. Unfortunately there's no single >> query that I figured out when I did this same pro

Re: [PHP] SQL Join query

2004-08-09 Thread Mattias Thorslund
(Sorry about all the quoting but I thought it makes sense for clarity - Mattias) Curt Zirzow wrote: * Thus wrote Lenar Lõhmus: Mattias Thorslund wrote: Though, (regardless of SQL database platform) in a case like this, it MAY be both more straightforward and efficient to use two separate q

Re: [PHP] SQL Join query

2004-08-09 Thread Curt Zirzow
* Thus wrote Jonathan Haddad: > The only problem there is when you group the LEFT JOIN pictures that > have a count of 0 return a count of 1. Unfortunately there's no single > query that I figured out when I did this same project that would give > accurate results. SELECT pics.*, pic_comm

Re: [PHP] SQL Join query

2004-08-09 Thread Jonathan Haddad
The only problem there is when you group the LEFT JOIN pictures that have a count of 0 return a count of 1. Unfortunately there's no single query that I figured out when I did this same project that would give accurate results. John Holmes wrote: Mattias Jönsson wrote: SELECT pics.*, pic_comme

Re: [PHP] SQL Join query

2004-08-08 Thread Curt Zirzow
* Thus wrote Lenar Lõhmus: > Mattias Thorslund wrote: > > > Though, (regardless of SQL database platform) in a case like this, it > > MAY be both more straightforward and efficient to use two separate > > queries for the pictures and comments, given the one-to-many cardinality > > between them. Th

Re: [PHP] SQL Join query

2004-08-08 Thread Lenar Lõhmus
Mattias Thorslund wrote: > Though, (regardless of SQL database platform) in a case like this, it > MAY be both more straightforward and efficient to use two separate > queries for the pictures and comments, given the one-to-many cardinality > between them. The above statement causes redundant dat

Re: [PHP] SQL Join query

2004-08-07 Thread raditha dissanayake
Lenar Lõhmus wrote: Raditha Dissanayake wrote: try postgres instead http://www.postgresql.org/ It's the most helpful comment I've seen for a long time. You are most welcome. -- Raditha Dissanayake. http://www.radink

Re: [PHP] SQL Join query

2004-08-07 Thread Mattias Thorslund
Lenar Lõhmus wrote: Anyway, instead of writing this: SELECT pics.*, pic_comments.*, count(*) AS num_comments FROM pics, pic_comments WHERE pics.category = 1 AND pics.id = pic_comments.pic_id GROUP BY pic_comments.pic_id; Write this: SELECT pics.*, pic_comments.*, count(*) AS num_comments FROM pi

Re: [PHP] SQL Join query

2004-08-07 Thread John Holmes
Mattias Jönsson wrote: SELECT pics.*, pic_comments.*, count(*) AS num_comments FROM pics, pic_comments WHERE pics.category = 1 AND pics.id = pic_comments.pic_id GROUP BY pic_comments.pic_id; [snip] The problem is that i only get the the pictures that have comments, i want even the pictures where

Re: [PHP] SQL Join query

2004-08-07 Thread Lenar Lõhmus
Raditha Dissanayake wrote: > try postgres instead http://www.postgresql.org/ It's the most helpful comment I've seen for a long time. You know, it won't work in Postgre too probably. If you like Postgre - use it and don't force others to use it (for wrong reasons nevertheless). Everyone should p

Re: [PHP] SQL Join query

2004-08-07 Thread raditha dissanayake
Mattias Jönsson wrote: I have a problem with my mysql query try postgres instead http://www.postgresql.org/ -- Raditha Dissanayake. http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload Lean and mean Secure

Re: [PHP] SQL Join query

2004-08-07 Thread Jason Wong
On Saturday 07 August 2004 17:27, Mattias Jönsson wrote: > I have a problem with my mysql query This is a PHP list. -- Jason Wong -> Gremlins Associates -> www.gremlins.biz Open Source Software Systems Integrators * Web Design & Hosting * Internet & Intranet Applications Development * --

[PHP] SQL Join query

2004-08-07 Thread Mattias Jönsson
I have a problem with my mysql query SELECT pics.*, pic_comments.*, count(*) AS num_comments FROM pics, pic_comments WHERE pics.category = 1 AND pics.id = pic_comments.pic_id GROUP BY pic_comments.pic_id; pics table: | id | submitter | time | date | category | pic_comments table: | pic_id | comm

Re: [PHP] sql statement help needed

2004-06-30 Thread Binay
- Original Message - From: "Chris W. Parker" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, July 01, 2004 3:33 AM Subject: [PHP] sql statement help needed > hello, > > i've had to change some of my tables to accommodate some greater &

[PHP] sql statement help needed

2004-06-30 Thread Chris W. Parker
hello, i've had to change some of my tables to accommodate some greater flexibility in the application that uses it and because of this i need to go through and update all the records. i've done one table by hand and it had about 100 records and took about 20 minutes. but this next table has about

Re: [PHP] SQL Case sensitivity

2004-06-23 Thread Evan Nemerson
http://dev.mysql.com/doc/mysql/en/Fulltext_Search.html should do the trick, provided you're using MySQL. On Wednesday 23 Jun 2004 20:14, Gabe wrote: > I hope I don't get too chastised for a double post ( posted in .db first > ), but I'm hoping someone can help me. > > I'm using PHP with ADOdb ( a

[PHP] SQL Case sensitivity

2004-06-23 Thread Gabe
I hope I don't get too chastised for a double post ( posted in .db first ), but I'm hoping someone can help me. I'm using PHP with ADOdb ( and an MS Access 2000 db ) to write a simple SQL statement but was running into some case sensitivity issues. Here's my SQL currently: SELECT autoQuesID,f

RE: [PHP] SQL Query Statement for MySQL... (DataType --> TEXT vs BLOB)

2004-06-10 Thread Dennis Seavers
Probably a good question for a MySQL e-mail list. > [Original Message] > From: Scott Fletcher <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Date: 06/10/2004 12:49:07 PM > Subject: [PHP] SQL Query Statement for MySQL... (DataType --> TEXT vs BLOB) > > I

[PHP] SQL Query Statement for MySQL... (DataType --> TEXT vs BLOB)

2004-06-10 Thread Scott Fletcher
I'm wrestling over deciding on which data type to go with, TEXT or BLOB. I have one table with one column of 400 characters, I was thinking that TEXT may be the way to go for that one. I also have another table that use 4 columns of 800 characters along with 5 columns that use 250 characters. I'

Re: [PHP] SQL Hell

2004-04-21 Thread Curt Zirzow
* Thus wrote Marc Greenstock ([EMAIL PROTECTED]): > Hi all, > > Wondering if someone could help me with an sql statement > > MySQL version 4.0.18 > > I have three tables: > 1. visitor_data (Visitor_ID, IP Address) > 2. visit_data (Visit_ID, Visitor_ID) > 3. page_data (Page_ID, Visit_

[PHP] SQL Hell

2004-04-21 Thread Marc Greenstock
Hi all, Wondering if someone could help me with an sql statement MySQL version 4.0.18 I have three tables: 1. visitor_data (Visitor_ID, IP Address) 2. visit_data (Visit_ID, Visitor_ID) 3. page_data (Page_ID, Visit_ID, Visitor_ID, URI) If you look closely you can see the relationship

[PHP] SQL like processing on array of keyed arrays ?

2004-04-21 Thread Richard A. DeVenezia
Suppose I don't have access to a database server. I have any indexed array of like keyed arrays, essentially mimicing a database table. Are there any libraries or functions that I can use to 'query' the array in a SQL like manner ? e.g. $data = array (array(a=>1,b=>2,c=>3) ,array(a=>2,b=>3,c=>4)

RE: [PHP] SQL Injection check (mysql)

2004-03-24 Thread Michael Rasmussen
On Tue, 23 Mar 2004 12:05:17 -0800, Pablo Gosse wrote: >> I think you have misunderstood the concepts of making queries based on >> user input. It is not the users who should create the query, all to >> should do is provide the input to narrow down the queries. > > I have not misunderstood the con

RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Pablo Gosse
PG A RARE case, in the world of web applications??? Hardly! PG PG I agree that in an optimal situation queries will not be based on PG user input, but in the world of the web this is a pipe dream. In PG 99.99% of the cases there will be some dynamic element to a query. PG The only safeguard

RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Chris Shiflett
--- Michael Rasmussen <[EMAIL PROTECTED]> wrote: > I think you have misunderstood the concepts of making queries based > on user input. It is not the users who should create the query, all > to should do is provide the input to narrow down the queries. To be honest, I think Pablo understands the co

RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Michael Rasmussen
On Tue, 23 Mar 2004 09:27:29 -0800, Chris Shiflett wrote: > > This argument still makes no sense to me. Originally, you stated that a > better option to filtering and escaping data was to use a prepared > statement. Some of us have decided that you are referring to stored > procedures. > > You s

RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Michael Rasmussen
On Tue, 23 Mar 2004 08:25:32 -0800, Pablo Gosse wrote: > > A RARE case, in the world of web applications??? Hardly! > > I agree that in an optimal situation queries will not be based on user > input, but in the world of the web this is a pipe dream. In 99.99% of the > cases there will be so

RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Chris Shiflett
--- Michael Rasmussen <[EMAIL PROTECTED]> wrote: > The idea is exactly not to do any queries dynamically generated based > on user input! This argument still makes no sense to me. Originally, you stated that a better option to filtering and escaping data was to use a prepared statement. Some of us

RE: [PHP] SQL Injection check (mysql)

2004-03-23 Thread Pablo Gosse
> The idea is exactly not to do any queries dynamically generated based > on user input! In the rare cases where this is needed you should not > allow any unparsed input. A RARE case, in the world of web applications??? Hardly! I agree that in an optimal situation queries will not be base

RE: [PHP] SQL Injection check (mysql)

2004-03-22 Thread trlists
On 23 Mar 2004 Michael Rasmussen wrote: > The idea is exactly not to do any queries dynamically generated based on > user input! In the rare cases where this is needed you should not > allow any unparsed input. There are some applications for which queries based on typed user input are rare. B

RE: [PHP] SQL Injection check (mysql)

2004-03-22 Thread Michael Rasmussen
On Mon, 22 Mar 2004 14:36:44 -0800, Pablo Gosse wrote: > > Huh? How does this accommodate for a dynamically generated query which is > based upon user input? > Have you read my arguments? A prepared statement cannot be dynamically generated! > > It is validated and its type set before it is i

RE: [PHP] SQL Injection check (mysql)

2004-03-22 Thread Pablo Gosse
> The reason is security. A prepared statement cannot compromise the > security of our database because all sql-statements are precompiled > in the DBMS. An example using pear: > > $res = & DB::connect('mysql://someuser:[EMAIL PROTECTED]/thedb'); > $sth = $res->prepare('select * from sometable w

Re: [PHP] SQL Injection check (mysql)

2004-03-22 Thread Michael Rasmussen
On Sun, 21 Mar 2004 18:39:39 -0800, Chris Shiflett wrote: > > Can you explain that (and defend it)? > The reason is security. A prepared statement cannot compromise the security of our database because all sql-statements are precompiled in the DBMS. An example using pear: $res = & DB::connect('m

Re: [PHP] SQL Injection check (mysql)

2004-03-22 Thread trlists
On 21 Mar 2004 Chris Shiflett wrote: > I would never argue that something is an absolute defense, but I would > characterize my recommendation as a best practice. Fair enough. > > I agree with you that checking for valid characters is safer than > > checking for malicious characters, but even t

Re: [PHP] SQL Injection check (mysql)

2004-03-22 Thread Evan Nemerson
On Sunday 21 March 2004 06:39 pm, Chris Shiflett wrote: > --- Michael Rasmussen <[EMAIL PROTECTED]> wrote: > > > To be clear: make sure the data that the user submitted only > > > contains the characters you think are valid (don't bother trying > > > to guess malicious characters - you're sure to m

Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote: > Recently I've been in the middle of trying to build defenses against > SQL injection on a site I'm working on (proactively, we haven't had a > problem). While this principle seems exactly right, I find it's not as > easy to implement as it sounds, and I'd argue tha

Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread trlists
On 21 Mar 2004 Chris Shiflett wrote: > SQL injection vulnerabilities exist when you use data that the user gave > you to create your SQL statement. So, anytime that this happens, simply > make absolutely sure that the data you are using from the user fits a very > specific format that you are expe

Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Chris Shiflett
--- Michael Rasmussen <[EMAIL PROTECTED]> wrote: > > To be clear: make sure the data that the user submitted only > > contains the characters you think are valid (don't bother trying > > to guess malicious characters - you're sure to miss one) and is a > > valid length. Once you've done this, and y

Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Michael Rasmussen
On Sun, 21 Mar 2004 13:49:22 -0800, Chris Shiflett wrote: > > To be clear: make sure the data that the user submitted only contains the > characters you think are valid (don't bother trying to guess malicious > characters - you're sure to miss one) and is a valid length. Once you've > done this,

Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Chris Shiflett
--- Ali Ashrafzadeh <[EMAIL PROTECTED]> wrote: > I'm looking for a function To check SQL Injection in Mysql RDBMS > please tell me if anyone know good function or solution In my opinion, this is the wrong approach. SQL injection vulnerabilities exist when you use data that the user gave you to cr

[PHP] SQL Injection check (mysql)

2004-03-21 Thread Ali Ashrafzadeh
Hi I'm looking for a function To check SQL Injection in Mysql RDBMS please tell me if anyone know good function or solution thanks

RE: [PHP] SQL in the database..little help please

2004-03-09 Thread Chris W. Parker
Ryan A on Tuesday, March 09, 2004 5:24 PM said: > I did that but when I checked in the DB I couldn't find the O/'reilly > as it saves it normally as "O'reilly". fyi, escaping is done with a \ and not a /. chris.

Re[2]: [PHP] SQL in the database..little help please

2004-03-09 Thread Richard Davey
Hello Ryan, Wednesday, March 10, 2004, 1:39:40 AM, you wrote: RA> Yep, I got the above...but should I (or do I) need to use a stripslashes RA> when reading from the DB? Depends if you have magic quotes turned off or not! :) If they are OFF then yes, you need it. -- Best regards, Richard Davey

Re: [PHP] SQL in the database..little help please

2004-03-09 Thread Ryan A
> Hello Ryan, > > Wednesday, March 10, 2004, 1:24:04 AM, you wrote: > > RA> I have first put off magic_quotes...now can anybody tell me how > RA> YOU are doing it so I can do it the same damn exact way...reading > RA> online is a problem coz I am getting conflicting ways of doing > RA> itor am

Re: [PHP] SQL in the database..little help please

2004-03-09 Thread Richard Davey
Hello Ryan, Wednesday, March 10, 2004, 1:24:04 AM, you wrote: RA> I have first put off magic_quotes...now can anybody tell me how RA> YOU are doing it so I can do it the same damn exact way...reading RA> online is a problem coz I am getting conflicting ways of doing RA> itor am just braindead

[PHP] SQL in the database..little help please

2004-03-09 Thread Ryan A
Hi, I need to save some SQL queries into the MySql database for later use, I thought this was done pretty simply by doing a addslashes before insert so that someones name like " O'reilly " does not screw up the insert and a stripslashes for reading from the DB. I did that but when I checked i