php-general Digest 26 May 2006 08:02:37 -0000 Issue 4149

Topics (messages 236900 through 236929):

Re: preg_replace learning resources? Regex tuts? Tips? (and yes, I have been 
rtfm)
        236900 by: Micky Hulse
        236901 by: Eric Butera
        236903 by: Adam Zey

problems with xml parser
        236902 by: Merlin
        236916 by: Chris

Escaping double quotes
        236904 by: Pavleck, Jeremy D.
        236905 by: Dave Goodchild
        236906 by: siavash1979.telus.net
        236907 by: John Nichel
        236908 by: Mindaugas L
        236909 by: Shane

Re: Filtering (was storing single and double quote in MySQL)
        236910 by: afan.afan.net
        236911 by: Eric Butera
        236912 by: Chrome
        236913 by: tedd
        236914 by: Chrome
        236918 by: tedd
        236920 by: Chrome
        236922 by: Chris

Re: syntax highlighting for Shell scripts and C?
        236915 by: Chris
        236928 by: Daevid Vincent

5.1.4, mysqli, and fastcgi leaving connections open.
        236917 by: steve
        236925 by: Chris

Re: How to disable PHP's POST caching?
        236919 by: steve

streamlining php.ini;  php.ini is not parsable with parse_ini_file
        236921 by: D. Dante Lorenso

Re: str_replace(), and correctly positioned HTML tags
        236923 by: Dave M G

Parse error: syntax error, unexpected T_VARIABLE, expecting ',' or ';' in
        236924 by: Mark Sargent
        236926 by: Ryan Creaser
        236927 by: Mark Sargent

Including Functions; one file or many?
        236929 by: Mark Kelly

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
Kevin Waterson wrote:
Try this quicky
http://phpro.org/tutorials/Introduction-to-PHP-Regular-Expressions.html

Sweet, good links all. Thanks for sharing!  :)

Have a great day.

Cheers,
Micky

--- End Message ---
--- Begin Message ---
On 5/25/06, Micky Hulse <[EMAIL PROTECTED]> wrote:
Kevin Waterson wrote:
> Try this quicky
> http://phpro.org/tutorials/Introduction-to-PHP-Regular-Expressions.html

Sweet, good links all. Thanks for sharing!  :)

Have a great day.

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



I built something similar to the situation that you are describing.
One difference though is I used preg_replace_callback
(http://us2.php.net/preg_replace_callback) so that I can do custom
scripting with the matched string to be replaced.

--- End Message ---
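Eric's preg_replace_callback() suggestion, as an added example that is not part of any post in this thread: the pattern only finds the matches, and the callback decides what each one becomes, which is the "custom scripting" he describes. The TemplateRenderer class, the template text and the values are made up for the demonstration; the callback HTML-escapes each value on the way out and leaves unknown placeholders visible rather than silently blanking them.

```php
<?php
// Added example for the preg_replace_callback() suggestion above; not code
// from the original posts. TemplateRenderer, the template and the values are
// made up for the demonstration.

class TemplateRenderer
{
    private $values;

    public function __construct(array $values)
    {
        $this->values = $values;
    }

    // Replace every {{ name }} placeholder. The regex only locates the
    // placeholders; replaceMatch() decides what each one turns into.
    public function render($template)
    {
        return preg_replace_callback(
            '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
            array($this, 'replaceMatch'),
            $template
        );
    }

    // $m[0] is the whole match, $m[1] the captured placeholder name.
    public function replaceMatch($m)
    {
        $key = $m[1];
        if (!array_key_exists($key, $this->values)) {
            return $m[0];   // unknown placeholder: leave it visible, not blank
        }
        // the callback is the one place values enter the HTML, so escape here
        return htmlspecialchars($this->values[$key], ENT_QUOTES, 'UTF-8');
    }
}

// constructed input: one value containing markup, one unknown placeholder
$tpl = '<p>Hello {{ name }}, results for "{{query}}" {{missing}}</p>';
$r = new TemplateRenderer(array(
    'name'  => 'Micky',
    'query' => '<b>"quoted" & <i>tagged</i></b>',
));
echo $r->render($tpl), "\n";
```

The array($this, 'replaceMatch') callback form works on PHP 5.0 and later, which is why it is used here instead of a closure.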
--- Begin Message ---
Eric Butera wrote:
On 5/25/06, Micky Hulse <[EMAIL PROTECTED]> wrote:

Kevin Waterson wrote:
> Try this quicky
> http://phpro.org/tutorials/Introduction-to-PHP-Regular-Expressions.html

Sweet, good links all. Thanks for sharing!  :)

Have a great day.

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



I built something similar to the situation that you are describing.
One difference though is I used preg_replace_callback
(http://us2.php.net/preg_replace_callback) so that I can do custom
scripting with the matched string to be replaced.

I know I'm entering this discussion a bit late, but one tool that I've found indispensable in writing regular expressions (even after knowing how to write them) is The Regex Coach (http://www.weitz.de/regex-coach) (Free, and runs on Windows and Linux).

Essentially, you paste the text to search into the bottom textbox, and then start typing your regular expression into the top one. As you type, it shows you what it is matching in the bottom one. It can also show you what individual submatches are matching, and all sorts of neat stuff. So, if I have an HTML web page and I want to suck some specific information out of it, I'll paste the information in, write up a regex, and make sure it's matching what it's supposed to. But the feedback AS you're typing it is super handy. For example, if I have a regex, and I add a "[a-z]", then the indicator will show it matching the next character, then if I add "*", the text selection will expand to show it matching the rest of the letters, and so on.

Anyhow, I find the feedback as I write a regex to be addictively useful.

Regards, Adam Zey.

--- End Message ---
--- Begin Message ---
Hi there,

I am having some trouble in parsing some XML. No idea where I have that xml parser for php from, but I believe it worked ok in the past. Now I do have a file to parse with following structure:
<SEARCHRESULTS>
        <RESULTSET DATABASE>
        <RESULT POS="1">
                <TITLE>I want to grab this title</TITLE>


With my xml parser I do just get "RESULT = "

Could anybody please give me a hand to get this running. I am somehow lost since I have not had to do much with XML so far.

Thank you in advance,

Merlin

Here comes my xml-parser.php code:


<?php
class XMLParser {
    var $xml_url;
    var $xml;
    var $data = array();   // stack of open elements; holds the tree once parsing ends

    function XMLParser($xml_url) {
        $this->xml_url = $xml_url;
        $this->xml = xml_parser_create();
        xml_set_object($this->xml, $this);
        xml_set_element_handler($this->xml, 'startHandler', 'endHandler');
        xml_set_character_data_handler($this->xml, 'dataHandler');
        $this->parse($xml_url);
    }

    function parse($xml_url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $xml_url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // fetch once (the original called curl_exec() twice, i.e. two requests)
        $data = curl_exec($ch);
        curl_close($ch);
        if ($data === false) {
            die("could not fetch $xml_url");
        }

        // the third argument of xml_parse() is is_final, not a length;
        // the whole document is handed over in one call, so it is true
        $parse = xml_parse($this->xml, $data, true);

        if (!$parse) {
            $msg = sprintf("XML error: %s at line %d",
                xml_error_string(xml_get_error_code($this->xml)),
                xml_get_current_line_number($this->xml));
            xml_parser_free($this->xml);   // free before die(), not after it
            die($msg);
        }
        xml_parser_free($this->xml);
        return true;
    }

    function startHandler($parser, $name, $attributes) {
        $data = array('name' => $name, 'content' => '');
        if ($attributes) { $data['attributes'] = $attributes; }
        $this->data[] = $data;
    }

    function dataHandler($parser, $data) {
        if ($data = trim($data)) {
            $index = count($this->data) - 1;
            // use .= because expat may deliver one text node in several chunks
            $this->data[$index]['content'] .= $data;
        }
    }

    function endHandler($parser, $name) {
        if (count($this->data) > 1) {
            $data = array_pop($this->data);
            $index = count($this->data) - 1;
            $this->data[$index]['child'][] = $data;
        }
    }
}


$url = "http://this ist the url with the xml file";

$myFile = new XMLParser($url);

// data[0] is the root element (SEARCHRESULTS). Its children are the RESULTSET
// elements, their children are the RESULT elements, and TITLE is a child of
// RESULT. Looping over RESULTSET's children prints "RESULT = " because RESULT
// has no text of its own; TITLE is one level deeper.
$xmlRoot = $myFile->data[0];
if (sizeof($xmlRoot) > 0 && isset($xmlRoot['child'])) {
    foreach ($xmlRoot['child'] as $resultSet) {                // each RESULTSET
        if (!isset($resultSet['child'])) { continue; }
        foreach ($resultSet['child'] as $result) {             // each RESULT
            if (!isset($result['child'])) { continue; }
            foreach ($result['child'] as $property) {          // TITLE etc.
                // the content came from a remote server: escape it before it goes into HTML
                echo htmlspecialchars($property['name'] . " = " . $property['content']) . "<br/>";
            }
        }
    }
}

?>

--- End Message ---
--- Begin Message ---
Merlin wrote:
Hi there,

I am having some trouble in parsing some XML. No idea where I have that xml parser for php from, but I believe it worked ok in the past. Now I do have a file to parse with following structure:
<SEARCHRESULTS>
    <RESULTSET DATABASE>
    <RESULT POS="1">
        <TITLE>I want to grab this title</TITLE>


With my xml parser I do just get "RESULT = "

First of all do you have valid xml? If you don't have valid xml then you will have issues with it being parsed properly.

To check if it's valid, put a php header:

header("Content-Type: text/xml");

then print out your xml - or save the whole lot as an .xml file.

Once you have that, view it in a browser.

If that comes back as broken, then you need to fix that first before anything else.

--
Postgresql & php tutorials
http://www.designmagick.com/

--- End Message ---
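The "is it valid XML?" check Chris describes can be done with the same expat-based parser the poster already uses, instead of a browser. This is an added example, not code from the thread. Both documents are constructed: $broken repeats the posted fragment (closed up), whose <RESULTSET DATABASE> carries an attribute with no value and so is not well-formed, which makes xml_parse() stop and report the position; $fixed is the same document with that attribute given a value. The TitleCollector class is a made-up name; its handlers are the same kind the poster's class installs, reduced to what is needed to pull out the TITLE text.

```php
<?php
// Added example for the "do you have valid xml?" check above; not code from
// the thread. Both documents are constructed: $broken repeats the posted
// fragment (closed up), $fixed gives the DATABASE attribute a value.

// Return null when $xml is well-formed, otherwise the parser's error and its
// position, so the caller refuses to go on instead of walking a half-built tree.
function xml_check($xml)
{
    $p = xml_parser_create();
    $ok = xml_parse($p, $xml, true);
    $err = null;
    if (!$ok) {
        $err = sprintf('%s at line %d, column %d',
            xml_error_string(xml_get_error_code($p)),
            xml_get_current_line_number($p),
            xml_get_current_column_number($p));
    }
    xml_parser_free($p);
    return $err;
}

// Collect the text of every <TITLE> with the same kind of handlers the
// poster's class uses. TitleCollector is a made-up name.
class TitleCollector
{
    public $titles = array();
    private $inTitle = false;
    private $buf = '';

    function start($p, $name, $attrs) {
        if ($name === 'TITLE') { $this->inTitle = true; $this->buf = ''; }
    }
    function cdata($p, $text) {
        // expat may split one text node across several calls, so append
        if ($this->inTitle) { $this->buf .= $text; }
    }
    function end($p, $name) {
        if ($name === 'TITLE') { $this->titles[] = trim($this->buf); $this->inTitle = false; }
    }
    function run($xml) {
        $p = xml_parser_create();
        xml_set_object($p, $this);
        xml_set_element_handler($p, 'start', 'end');
        xml_set_character_data_handler($p, 'cdata');
        $ok = xml_parse($p, $xml, true);
        xml_parser_free($p);
        return $ok;
    }
}

$broken = "<SEARCHRESULTS>\n"
        . "  <RESULTSET DATABASE>\n"
        . "    <RESULT POS=\"1\">\n"
        . "      <TITLE>I want to grab this title</TITLE>\n"
        . "    </RESULT>\n"
        . "  </RESULTSET>\n"
        . "</SEARCHRESULTS>\n";
$fixed = str_replace('<RESULTSET DATABASE>', '<RESULTSET DATABASE="demo">', $broken);

foreach (array('broken' => $broken, 'fixed' => $fixed) as $label => $doc) {
    $err = xml_check($doc);
    if ($err !== null) {
        echo "$label: rejected, $err\n";
        continue;
    }
    $c = new TitleCollector();
    $c->run($doc);
    echo "$label: ", implode(', ', $c->titles), "\n";
}
```

Checking first and parsing second costs one extra pass over the document, which is cheap next to the curl fetch; what it buys is that a malformed response is reported with a line and column rather than showing up later as an empty "RESULT = ".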
--- Begin Message ---
So I'm writing this page (PHP Newbie here) and it checks to see if a var
is set, if it isn't it spits out the form info like so: echo "<form
action="myform.php" method="post">";
Now is there a way to 'wrap' that so I don't have to escape quotes?
Something like Perl's 'qq' function is what I'm looking for.
I tried a few different functions from the website, magic_quotes,
addslashes, htmlspecial etc etc but none did what I was looking for

Jeremy Pavleck
Network Engineer  - Systems Management
IT Networks and Infrastructure 
        
Direct Line: 612-977-5881
Toll Free: 1-888-CAPELLA ext. 5881
Fax: 612-977-5053
E-mail: [EMAIL PROTECTED]
        
Capella University
225 South 6th Street, 9th Floor
Minneapolis, MN 55402

www.capella.edu

--- End Message ---
--- Begin Message ---
On 25/05/06, Pavleck, Jeremy D. <[EMAIL PROTECTED]> wrote:

So I'm writing this page (PHP Newbie here) and it checks to see if a var
is set, if it isn't it spits out the form info like so: echo "<form
action="myform.php" method="post">";
Now is there a way to 'wrap' that so I don't have to escape quotes?
Something like Perl's 'qq' function is what I'm looking for.
I tried a few different functions from the website, magic_quotes,
addslashes, htmlspecial etc etc but none did what I was looking for

You know you can switch the php parser on and off like so:

<?php if (isset($var)) { ?>

<form action="myform.php" method="post">

<?php } ?>

which is a bit more efficient and better than all those echo statements and
escapes?

--
http://www.web-buddha.co.uk

dynamic web programming from Reigate, Surrey UK (php, mysql, xhtml, css)

look out for project karma, our new venture, coming soon!

--- End Message ---
--- Begin Message ---
> So I'm writing this page (PHP Newbie here) and it checks to see if a var
> is set, if it isn't it spits out the form info like so: echo "<form
> action="myform.php" method="post">";
> Now is there a way to 'wrap' that so I don't have to escape quotes?
> Something like Perl's 'qq' function is what I'm looking for. 
> I tried a few different functions from the website, magic_quotes,
> addslashes, htmlspecial etc etc but none did what I was looking for
> 
> Jeremy Pavleck
> Network Engineer  - Systems Management
> IT Networks and Infrastructure 
>       
> Direct Line: 612-977-5881
> Toll Free: 1-888-CAPELLA ext. 5881
> Fax: 612-977-5053
> E-mail: [EMAIL PROTECTED]
>       
> Capella University
> 225 South 6th Street, 9th Floor
> Minneapolis, MN 55402
> 
> www.capella.edu


I believe you can just use single quotes for this example of yours.

echo '<form action="myform.php" method="post">';

--- End Message ---
--- Begin Message ---
Pavleck, Jeremy D. wrote:
So I'm writing this page (PHP Newbie here) and it checks to see if a var
is set, if it isn't it spits out the form info like so: echo "<form
action="myform.php" method="post">";
Now is there a way to 'wrap' that so I don't have to escape quotes?
Something like Perl's 'qq' function is what I'm looking for. I tried a few different functions from the website, magic_quotes,
addslashes, htmlspecial etc etc but none did what I was looking for


http://us2.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]

--- End Message ---
--- Begin Message ---
or heredoc syntax :)

On 5/25/06, John Nichel <[EMAIL PROTECTED]> wrote:

Pavleck, Jeremy D. wrote:
> So I'm writing this page (PHP Newbie here) and it checks to see if a var
> is set, if it isn't it spits out the form info like so: echo "<form
> action="myform.php" method="post">";
> Now is there a way to 'wrap' that so I don't have to escape quotes?
> Something like Perl's 'qq' function is what I'm looking for.
> I tried a few different functions from the website, magic_quotes,
> addslashes, htmlspecial etc etc but none did what I was looking for
>


http://us2.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
Mindaugas

--- End Message ---
--- Begin Message ---
Not sure I understand your question correctly. I think you can just use something like:

echo '<form action="myform.php" method="post">';

Mindaugas L wrote:
or heredoc syntax :)

On 5/25/06, John Nichel <[EMAIL PROTECTED]> wrote:


Pavleck, Jeremy D. wrote:
> So I'm writing this page (PHP Newbie here) and it checks to see if a var
> is set, if it isn't it spits out the form info like so: echo "<form
> action="myform.php" method="post">";
> Now is there a way to 'wrap' that so I don't have to escape quotes?
> Something like Perl's 'qq' function is what I'm looking for.
> I tried a few different functions from the website, magic_quotes,
> addslashes, htmlspecial etc etc but none did what I was looking for
>


http://us2.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





--- End Message ---
--- Begin Message ---
As you said: Filtering. My next question.

I have small form to activate/deactivate member's account.

<form method=post action=members.php>
<input type=hidden name=username value=<?= $Usename ?>
<input type=hidden name=status value=<?= $Status ?>
<input type=image name=action value=change src=images/status_live.gif
border=0>
</form>

and once the administrator clicks on the button:

if(isset($_POST['action']))
{
  $Username = $_POST['Username'];
  $action = '';
  switch($action)
  {
    case 'change':
      mysql_query("UPDATE members SET status='live' WHERE Username =
'".$Username."'");
    break;

    case 'edit':
      //  ...
   break;
  }
}

Do I have to filter $Username with mysql_real_escape_string() function
even if $Username will not be stored in DB and I use it in WHERE part?
If no - how to filter it?

Thanks

-afan



> At 4:28 PM +0200 5/24/06, [EMAIL PROTECTED] wrote:
>>after these very helpfull comments, I rad (again) Shiflett's (and few
>>others) Security articles about filtering input and output. And more I
>>read - less is clear :(
>
> and
>
> At 6:07 PM +0200 5/24/06, [EMAIL PROTECTED] wrote:
>>Ok. Looks like I DID miss the point :)
>>I thought that with mysql_real_escape_string() HAVE TO add slash in front
>>of a quote and THAT's filtering.
>
> No, that's NOT filtering input, as per Shiflett's book.
>
> Filtering input is proving that the data coming is -- IS -- valid data!
>
> Take for example the code he shows on page 11 of his book (Essential
> PHP Security) where:
>
> <?php
>
> $clean = array();
>
> switch($_POST['color'])
>     {
>     case 'red':
>     case 'green':
>     case 'blue':
>        $clean['color'] = $_POST['color'];
>        break;
>     }
>
> ?>
>
> If you inspect this code, you will see that the array $clean will
> never have anything in it that's not 'red', 'green', or 'blue' --
> that's filtering input as per Shiflett.
>
> And, that makes perfect sense to me.
>
> tedd
>
> PS: I changed the subject line because it's a different subject. :-)
> --
> ------------------------------------------------------------------------------------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
On 5/25/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
As you said: Filtering. My next question.

I have small form to activate/deactivate member's account.

<form method=post action=members.php>
<input type=hidden name=username value=<?= $Usename ?>
<input type=hidden name=status value=<?= $Status ?>
<input type=image name=action value=change src=images/status_live.gif
border=0>
</form>

and once the administrator clicks on the button:

if(isset($_POST['action']))
{
  $Username = $_POST['Username'];
  $action = '';
  switch($action)
  {
    case 'change':
      mysql_query("UPDATE members SET status='live' WHERE Username =
'".$Username."'");
    break;

    case 'edit':
      //  ...
   break;
  }
}

Do I have to filter $Username with mysql_real_escape_string() function
even if $Username will not be stored in DB and I use it in WHERE part?
If no - how to filter it?

Thanks

-afan


Yes, you're sending it into the DB which means it is a command that
needs to be escaped.  All MySQL commands need to be escaped.

--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 25 May 2006 22:19
> To: tedd
> Cc: Eric Butera; php
> Subject: Re: [PHP] Filtering (was storing single and double quote in
> MySQL)
> 
> As you said: Filtering. My next question.
> 
> I have small form to activate/deactivate member's account.
> 
> <form method=post action=members.php>
> <input type=hidden name=username value=<?= $Usename ?>
> <input type=hidden name=status value=<?= $Status ?>
> <input type=image name=action value=change src=images/status_live.gif
> border=0>
> </form>
> 
> and once the administrator clicks on the button:
> 
> if(isset($_POST['action']))
> {
>   $Username = $_POST['Username'];
>   $action = '';
>   switch($action)
>   {
>     case 'change':
>       mysql_query("UPDATE members SET status='live' WHERE Username =
> '".$Username."'");
>     break;
> 
>     case 'edit':
>       //  ...
>    break;
>   }
> }
> 
> Do I have to filter $Username with mysql_real_escape_string() function
> even if $Username will not be stored in DB and I use it in WHERE part?
> If no - how to filter it?
> 
> Thanks
> 
> -afan


Always sanitise data provided externally; whether it's from the user
directly (e.g. a POST form or a URL query string (GET)) or from the browser
(e.g. cookie data)... always assume it can never be trusted (there are some
nasty people out there)

In this case using mysql_real_escape_string() on the supplied username
should be enough for most injection attacks (
http://www.google.co.uk/search?hl=en&q=sql+injection&meta= ), but to be more
sure try this (if your username is alphanumeric only with spaces):

if(isset($_POST['action']))
{
  $Username = preg_replace('/[^a-zA-Z0-9 ]+/', '', $_POST['Username']);
  $action = '';
  switch($action)
  {
    case 'change':
      if (!empty($Username)) mysql_query("UPDATE members SET status='live'
WHERE Username = '".$Username."'");
    break;
 
    case 'edit':
      //  ...
   break;
  }
}

I think that's right :)

Dan
-- 
http://chrome.me.uk

--- End Message ---
--- Begin Message ---
At 11:19 PM +0200 5/25/06, [EMAIL PROTECTED] wrote:
As you said: Filtering. My next question.

I have small form to activate/deactivate member's account.

<form method=post action=members.php>
<input type=hidden name=username value=<?= $Usename ?>
<input type=hidden name=status value=<?= $Status ?>
<input type=image name=action value=change src=images/status_live.gif
border=0>
</form>

and once the administrator clicks on the button:

if(isset($_POST['action']))
{
  $Username = $_POST['Username'];
  $action = '';   <================= ERROR
  switch($action)
  {
    case 'change':
      mysql_query("UPDATE members SET status='live' WHERE Username =
'".$Username."'");
    break;

    case 'edit':
      //  ...
   break;
  }
}

Do I have to filter $Username with mysql_real_escape_string() function
even if $Username will not be stored in DB and I use it in WHERE part?
If no - how to filter it?

Thanks

-afan


-afan:

Two things:

1. Anytime you put anything into a dB then use mysql_real_escape_string() function. If you are NOT going to put it in a dB, then you don't need mysql_real_escape_string() function -- understand?

2. Filtering is like the example I gave you before. You take something that comes in from a POST and then compare that with what you expect.

As with your example above -- what do you want $_POST['action'] to contain? (Please note the ERROR -- your code would never get into the switch).

If you want $_POST['action'] to contain 'change' or 'edit' or whatever, then test for that in the switch. It's the same as the example I gave you. At some point here, you're going to have to start thinking about what you're doing.

tedd

--
------------------------------------------------------------------------------------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
[snip]
1. Anytime you put anything into a dB then use
mysql_real_escape_string() function. If you are NOT going to put it
in a dB, then you don't need mysql_real_escape_string() function --
understand?
[/snip]

Untrue... It isn't just inserting into a DB that requires this function...
Consider:

User enters:
anything'; DROP TABLE x; SELECT 'a' = 'a

into the form for username... Now your unescaped SQL statement reads:

UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x;
SELECT 'a' = 'a'

Where x can be a brute-forced table name... I can't remember if MySQL allows
multiple statements but I seem to remember hearing that MySQL5 does... If
I'm wrong correct me and tell me to RTFM :)

Nice catch on the error... I didn't notice that :)

HTH (and that I'm right :) )

Dan
-- 
http://chrome.me.uk

--- End Message ---
--- Begin Message ---
At 11:51 PM +0100 5/25/06, Chrome wrote:
[snip]
1. Anytime you put anything into a dB then use
mysql_real_escape_string() function. If you are NOT going to put it
in a dB, then you don't need mysql_real_escape_string() function --
understand?
[/snip]

Untrue... It isn't just inserting into a DB that requires this function...
Consider:

User enters:
anything'; DROP TABLE x; SELECT 'a' = 'a

into the form for username... Now your unescaped SQL statement reads:

UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x;
SELECT 'a' = 'a'

Where x can be a brute-forced table name... I can't remember if MySQL allows
multiple statements but I seem to remember hearing that MySQL5 does... If
I'm wrong correct me and tell me to RTFM :)

Nice catch on the error... I didn't notice that :)

HTH (and that I'm right :) )

Dan

Dan:

A couple of things: One, I'm not sure if afan understands multiple statements, so I didn't want to confuse him; Two, I don't use multiple statements because they confuse me. I'm much more of a step-by-step programmer.

I find that sometimes it's best to provide something simple for someone to learn rather than confuse them with remote possibilities. I taught at college level and believe me when I say there is nothing dumber than a student. Baby steps are best -- and the same for me when I'm learning as well.

In the exchange I had with afan, we were talking about placing data into a dB without the need for escapes and I think the advice I gave him was correct.

I realize that there are exceptions to just about anything IF you dig deep enough. For example did you know that if magic_quotes are turned ON and you use escape_data() that function will use mysql_real_escape_string(). So, here's an example that proves your point, but if I was to inform afan of that, what good would it do? Knowing that hasn't done anything for me.

In any event, your point is well taken -- thanks for the clarification.

tedd

--
------------------------------------------------------------------------------------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: tedd [mailto:[EMAIL PROTECTED]
> Sent: 26 May 2006 02:27
> To: Chrome; 'tedd'; [EMAIL PROTECTED]
> Cc: 'Eric Butera'; 'php'
> Subject: RE: [PHP] Filtering (was storing single and double quote in
> MySQL)
> 
> At 11:51 PM +0100 5/25/06, Chrome wrote:
> >[snip]
> >1. Anytime you put anything into a dB then use
> >mysql_real_escape_string() function. If you are NOT going to put it
> >in a dB, then you don't need mysql_real_escape_string() function --
> >understand?
> >[/snip]
> >
> >Untrue... It isn't just inserting into a DB that requires this
> function...
> >Consider:
> >
> >User enters:
> >anything'; DROP TABLE x; SELECT 'a' = 'a
> >
> >into the form for username... Now your unescaped SQL statement reads:
> >
> >UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE
> x;
> >SELECT 'a' = 'a'
> >
> >Where x can be a brute-forced table name... I can't remember if MySQL
> allows
> >multiple statements but I seem to remember hearing that MySQL5 does... If
> >I'm wrong correct me and tell me to RTFM :)
> >
> >Nice catch on the error... I didn't notice that :)
> >
> >HTH (and that I'm right :) )
> >
> >Dan
> 
> Dan:
> 
> A couple of things: One, I'm not sure if afan understands multiple
> statements, so I didn't want to confuse him; Two, I don't use
> multiple statements because they confuse me. I'm much more of a
> step-by-step programmer.

I don't use them either; hence my uncertainty :)

> I find that sometimes it's best to provide something simple for
> someone to learn rather than confuse them with remote possibilities.
> I taught at college level and believe me when I say there is nothing
> dumber than a student. Baby steps are best -- and the same for me
> when I'm learning as well.

I'm still learning... very much so... which is why all my advice is subject
to correction by a higher mortal... step forward, you know who you are :)

> In the exchange I had with afan, we were talking about placing data
> into a dB without the need for escapes and I think the advice I gave
> him was correct.

Never doubted that :)... I have seen much of your advice

> I realize that there are exceptions to just about anything IF you dig
> deep enough. For example did you know that if magic_quotes are turned
> ON and you use escape_data() that function will use
> mysql_real_escape_string(). So, here's an example that proves your
> point, but if I was to inform afan of that, what good would it do?
> Knowing that hasn't done anything for me.

I only sought to provide knowledge... knowing the pitfalls regardless of how
bad the advice is set out/worded surely must be good

Security should be foremost and ignorance no excuse... That's not to say
anyone can't make a mistake :) 

> 
> In any event, your point is well taken -- thanks for the clarification.
> 
> tedd
> 
> --
> --------------------------------------------------------------------------
> ----------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
> 
> __________ NOD32 1.1559 (20060525) Information __________
> 
> This message was checked by NOD32 antivirus system.
> http://www.eset.com


Dan
-- 
http://chrome.me.uk

--- End Message ---
--- Begin Message ---
tedd wrote:
At 11:51 PM +0100 5/25/06, Chrome wrote:
[snip]
1. Anytime you put anything into a dB then use
mysql_real_escape_string() function. If you are NOT going to put it
in a dB, then you don't need mysql_real_escape_string() function --
understand?
[/snip]

Untrue... It isn't just inserting into a DB that requires this function...
Consider:

User enters:
anything'; DROP TABLE x; SELECT 'a' = 'a

into the form for username... Now your unescaped SQL statement reads:

UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x;
SELECT 'a' = 'a'

Where x can be a brute-forced table name... I can't remember if MySQL allows
multiple statements but I seem to remember hearing that MySQL5 does... If
I'm wrong correct me and tell me to RTFM :)

Nice catch on the error... I didn't notice that :)

HTH (and that I'm right :) )

Dan

Dan:

A couple of things: One, I'm not sure if afan understands multiple statements, so I didn't want to confuse him; Two, I don't use multiple statements because they confuse me. I'm much more of a step-by-step programmer.

Dan was giving you an example of a really bad sql injection attack where instead of one query:

select * from members where email='email_address';

you end up with three:

select * from members where email='anything';
DROP TABLE x;
SELECT 'a' = 'a';

The point being never trust user data - always escape it whether you're inserting, updating, deleting or selecting.

Using mysql_real_escape_string or your db's equivalent means it becomes only one query (which won't return any results, but stops your data from being destroyed).


Multiple statements means running multiple queries within the same function call:

so

mysql_query("select * from members where email='anything';
DROP TABLE x;
SELECT 'a' = 'a';");

is actually 3 sql statements (select, drop table, select), but only one call to mysql_query.

Whether mysql_query allows this to happen is another thing and one left to the readers to check.

--
Postgresql & php tutorials
http://www.designmagick.com/

--- End Message ---
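On the question left open in this thread: PHP's mysql_query() sends one statement at a time and does not run stacked statements (mysqli_multi_query() is the call that does), but that is no reason to relax, because the second constructed input below needs no second statement at all, only a single quote, and the posted UPDATE would then match every row. The following is an added example written for this page, not code from any of the posters. It keeps the table and column names of the posted form (members, Username, status); the payloads are constructed, and activate_member() assumes a mysqli connection $db that is not opened here. It puts side by side what tedd and Chrome each argued for: a whitelist on the action (filtering input), a validation rule on the username that rejects instead of stripping, and the query itself as a prepared statement so the value is never spliced into SQL text.

```php
<?php
// Added example for the filtering thread; not code from any of the posters.
// Table and column names follow the posted form (members, Username, status).
// The payloads are constructed, and $db (a mysqli connection) is assumed to
// exist where activate_member() is called; it is not opened here.

// (1) The posted construction, isolated so its output can be inspected.
function build_update_unsafe($username)
{
    return "UPDATE members SET status='live' WHERE Username = '" . $username . "'";
}

// (2a) Filter input, Shiflett-style: the action is one of the values the
// form can send, or it is nothing. (The posted code set $action to '' and
// so never reached either case.)
function filter_action($action)
{
    switch ($action) {
        case 'change':
        case 'edit':
            return $action;
    }
    return null;
}

// (2b) Validate, do not strip. Rejecting "admin'--" is safer than turning it
// into "admin", which is an account you did not intend to touch. \z rather
// than $ so a trailing newline cannot slip past the check.
function filter_username($username)
{
    return preg_match('/^[A-Za-z0-9 ]{1,32}\z/', $username) ? $username : null;
}

// (3) The UPDATE itself: the value is bound, never spliced into the SQL text,
// so quoting and escaping never come into it. Returns rows changed, or false.
function activate_member(mysqli $db, $username)
{
    $stmt = $db->prepare("UPDATE members SET status='live' WHERE Username = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $ok = $stmt->execute();
    $rows = $ok ? $stmt->affected_rows : false;
    $stmt->close();
    return $rows;
}

// Dan's stacked-statement payload, a single-statement one that only needs a
// quote to make the WHERE clause true for every row, and an ordinary name.
$inputs = array(
    "anything'; DROP TABLE x; SELECT 'a' = 'a",
    "nobody' OR '1'='1",
    "afan",
);
foreach ($inputs as $in) {
    echo "input:    $in\n";
    echo "unsafe:   " . build_update_unsafe($in) . "\n";
    echo "filtered: " . var_export(filter_username($in), true) . "\n\n";
}
echo "action 'change': " . var_export(filter_action('change'), true) . "\n";
echo "action '':       " . var_export(filter_action(''), true) . "\n";

// Request handling with a live $db would then read:
// $action = filter_action($_POST['action']);
// $user   = filter_username($_POST['username']);
// if ($action === 'change' && $user !== null) {
//     activate_member($db, $user);
// }
```

Where a prepared statement is not an option and the query has to be built as a string, mysql_real_escape_string() on every value, whether it lands in a SET or a WHERE, is the fallback; the validation step stays in front of it either way, since escaping only keeps the quote from ending the literal and says nothing about whether the value was acceptable.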
--- Begin Message ---
Michelle Konzack wrote:
Hello,

since I include source snippets into some of my webpages I like
this syntax highlighting for php scripts...   because it makes
scripts more readable.

My question is:  Does such thing exist for Shell scripts and C?

pastebin.com has it and the code is GPL'ed so you could use that as a starting point (go to the blog - http://blog.dixo.net/category/pastebin/ and you can download it).

--
Postgresql & php tutorials
http://www.designmagick.com/

--- End Message ---
--- Begin Message ---
Check out Geshi
http://qbnz.com/highlighter/ 

> -----Original Message-----
> From: Chris [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 25, 2006 5:54 PM
> To: Michelle Konzack
> Cc: PHP - General
> Subject: Re: [PHP] syntax highlighting for Shell scripts and C?
> 
> Michelle Konzack wrote:
> > Hello,
> > 
> > since I include source snippets into some of my webpages I like
> > this syntax highlighting for php scripts...   because it makes
> > scripts more readable.
> > 
> > My question is:  Does such thing exist for Shell scripts and C?
> 
> pastebin.com has it and the code is GPL'ed so you could use that as a 
> starting point (go to the blog - 
> http://blog.dixo.net/category/pastebin/ 
> and you can download it).

--- End Message ---
--- Begin Message ---
When using PHP 5.1.4 under FastCGI and using mysqli, we are seeing
that the connections do not close (filling up the max_connections
limit for MySQL 5.0). In fact, the number of connections to mysql
quickly become GREATER than the number of FastCGI processes.
Restarting apache (and thus fastcgi) takes them out.

Has anyone else noticed this? I can't imagine anyone with this
configuration not noticing this. Another server with 5.1.2 is fine.

Considering this knocks out all webservers connecting to the database,
I think this is a critical bug in PHP 5.1.4. I'd like to know if
anyone else has this issue or not before I spend a couple hours
reverifying it.

Thanks!
-steve--

--- End Message ---
--- Begin Message ---
steve wrote:
When using PHP 5.1.4 under FastCGI and using mysqli, we are seeing
that the connections do not close (filling up the max_connections
limit for MySQL 5.0). In fact, the number of connections to mysql
quickly become GREATER than the number of FastCGI processes.
Restarting apache (and thus fastcgi) takes them out.

Has anyone else noticed this? I can't imagine anyone with this
configuration not noticing this. Another server with 5.1.2 is fine.

Considering this knocks out all webservers connecting to the database,
I think this is a critical bug in PHP 5.1.4. I'd like to know if
anyone else has this issue or not before I spend a couple hours
reverifying it.

Thanks!
-steve--


Sounds like you're using persistent connections. Change from mysql_pconnect to mysql_connect or whatever the mysqli version is.

--
Postgresql & php tutorials
http://www.designmagick.com/

--- End Message ---
--- Begin Message ---
Why not reconfigure the webserver to proxy a certain url subdirectory
to your php script that can be running on any old port?

--- End Message ---
--- Begin Message ---
All,

I want to clean up my PHP.ini file on production to be as streamlined as possible so that it's easier to work with and maintain. It is easier to do a diff of my INI and the recommended INI if both files are very similar with whitespace removed, comments cleaned out, and keys sorted, etc. I've tried to use parse_ini_file() function to parse the INI file, but that won't work because the 'extension = *' key is used multiple times in the php.ini. parse_ini_file assumes unique assoc array is returned.

I'm guessing PHP doesn't actually use the parse_ini_file to read its own ini.

So, I then started parsing the ini myself with my own custom code and soon realized that PHP might not be using the [section] tags either as it uses the INI key=values. Seems like the [section] tags are used more like suggestions for key grouping than for anything functional. Is this a correct assumption? If so, I've got the following INI reading code which will munch the php.ini-recommended and output just the strings which are not commented out.

See here and let me know if this looks like robust code:

//----------------------------------------------------------------------
#!/usr/bin/php
<?php
// we pass the name of an INI file on the command line
$script = array_shift($argv);
$ini_file_name = array_shift($argv);
if (!$ini_file_name || !file_exists($ini_file_name)) {
   die("usage: $script <php.ini file>\n");
}

// slurp in the whole ini file and init
$lines = file($ini_file_name);
$data = array();

foreach ($lines as $line) {
   // remove trailing comments, newlines, and start/end whitespace
   $line = trim(preg_replace("/;[^\"\']*$/", "", trim($line)));

   // skip blank lines, commented lines, ini sections, or anything without an '=' in the line
   if (!$line || $line[0] === ';' || $line[0] === '[' || strpos($line, '=') < 1) {
       continue;
   }

   // fix spacing between equal sign
   list ($key, $value) = preg_split("/\s*=\s*/", $line, 2);
   $line = "$key = $value";

   // save this key=value pair
   array_push($data, $line);
}

// sort and print all keys
sort($data);
print join("\n", $data);
?>
//----------------------------------------------------------------------

Dante

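The script below is an added example, not Dante's code: it keeps every value of a repeated key such as `extension` (the case where parse_ini_file() collapses entries), skips [section] headers as the thread suggests they are only grouping hints, strips a trailing comment only when the `;` sits outside quotes, and then diffs a production php.ini against a reference one so that a directive like display_errors left On in production stands out. The two INI snippets are constructed for the demo.

```php
<?php
// Added example (not Dante's code): parse php.ini text without collapsing
// duplicate keys, then diff a production config against a reference one.
// The two INI samples below are constructed for this demo.

// Returns [directive => [value, ...]]. [section] headers are skipped because
// php.ini directives are global, as discussed in the thread; repeated keys
// such as "extension" keep every value instead of only the last one.
function parse_php_ini(string $text): array {
    $data = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';' || $line[0] === '[') {
            continue;
        }
        // Strip a trailing comment only when the ';' is outside quotes.
        $line = preg_replace('/^((?:[^;"\']|"[^"]*"|\'[^\']*\')*?)\s*;.*$/', '$1', $line);
        if (strpos($line, '=') === false) {
            continue;
        }
        [$key, $value] = array_map('trim', explode('=', $line, 2));
        $data[$key][] = trim($value, '"');
    }
    ksort($data);
    return $data;
}

// Lists directives whose value sets differ between the two parsed configs.
function diff_ini(array $prod, array $ref): array {
    $diff = [];
    foreach (array_unique(array_merge(array_keys($prod), array_keys($ref))) as $key) {
        $a = $prod[$key] ?? [];
        $b = $ref[$key] ?? [];
        sort($a);
        sort($b);
        if ($a !== $b) {
            $diff[$key] = ['production' => $a, 'reference' => $b];
        }
    }
    return $diff;
}

// Constructed samples: production has display_errors On and one extra extension.
$production = "[PHP]\ndisplay_errors = On ; left on after debugging\n"
    . "extension = mysqli.so\nextension = gd.so\ninclude_path = \".:/usr/share/php\"\n";
$reference = "display_errors = Off\nextension = mysqli.so\n"
    . "include_path = \".:/usr/share/php\"\n";
print_r(diff_ini(parse_php_ini($production), parse_php_ini($reference)));
```
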
--- End Message ---
--- Begin Message ---
Tedd, Adam,

Thank you for your advice. While I'm very grateful for your advice, unfortunately, it seems that the core of what you suggest does not fit my situation.

First, with Adam's suggestion that I use <br /> instead of <p>. The output I am generating is akin to what csszengarden.com generates, so that I can have complete CSS control over page layout and style. <br /> tags are limited in their scope of design control as compared to <p> tags, so they are insufficient.

Second, with Tedd's advice that I place the variable without formatting within the HTML code. I apologize if I was unclear, as I seem to have given you the wrong impression. I am absolutely trying to separate content from design, which is why everything the user stores is in plain text, and all the formatting happens when it is displayed. None of the modifications which add HTML to the variable get put back into the database.

The only small formatting consideration that does get stored in the database are the simulated tags (eg: --++ for <h3>). I'm not totally thrilled about letting users create some formatting with simulated tags, but the trade off is for giving the users more flexibility. I'm following the same model as WikiMedia, SMF Forums, and other PHP based user input interfaces. And I am trying to be more strict and less expansive than they are.

I really am grateful for your advice, but it seems that I really do need to find a way to create <p> tags around the text when it is displayed.

But I definitely thank you for giving me something to think about, and also the tips on how to make my code more efficient.

It's my hope that someone can still steer me towards the ability to get <p> tags surrounding paragraphs, and to be able to separate <h3> and other tags from within those <p> tags.

--
Dave M G

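One way to do what Dave describes, as an added example that is not part of his post: user text stays plain in storage, is HTML-escaped first so stored text can never become markup, and only then gets `<p>` wrapped around each paragraph and the simulated `--++` marker rendered as an `<h3>` outside any `<p>`. The marker spelling follows the post; the sample input is constructed.

```php
<?php
// Added example (not Dave's code): render stored plain text to HTML with <p>
// around paragraphs and the simulated "--++" heading rendered as <h3> outside
// any <p>. The sample input is constructed for this demo.

function render_user_text(string $text): string {
    // Escape first so user input can never inject markup; only the tags this
    // function emits afterwards reach the page.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $html = [];
    // Paragraphs are separated by one or more blank lines.
    foreach (preg_split('/\R\s*\R/', trim($safe)) as $block) {
        // A block whose first line is "--++ Title" becomes a heading; any
        // remaining lines of that block continue as a normal paragraph.
        if (preg_match('/^--\+\+\s*(.+?)\s*(?:\R(.*))?$/s', $block, $m)) {
            $html[] = '<h3>' . $m[1] . '</h3>';
            $block = isset($m[2]) ? trim($m[2]) : '';
        }
        if ($block !== '') {
            // Single newlines inside a paragraph become <br />.
            $html[] = '<p>' . preg_replace('/\R/', "<br />\n", $block) . '</p>';
        }
    }
    return implode("\n", $html);
}

// Constructed input: a heading, a two-line paragraph, a hostile paragraph, a heading.
$input = "--++ Intro\nFirst paragraph\nwith two lines.\n\n<script>alert(1)</script>\n\n--++ Second";
echo render_user_text($input), "\n";
```
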
--- End Message ---
--- Begin Message ---
Hi All,

I get the error for line 15 for this code,

<?php
    15 echo "<font face='"$_SESSION['font']"'";
    16 echo " size='"$_SESSION['size']"'";
    17 echo " color='"$_SESSION['colour']"'>";
    18 echo "$_SESSION['text']";
    19 echo "</font>";
    20 ?>

I have put ' ' quotes around the " " quotes for each font attribute so that the parser doesn't think the echo is finished too early. Is that wrong? I know that this code would get tedious for lots of text and CSS would be better, but, it's just a little study project from the book I'm following. Cheers.

Mark Sargent.

--- End Message ---
--- Begin Message ---


Mark Sargent wrote:

Hi All,

I get the error for line 15 for this code,

<?php
    15 echo "<font face='"$_SESSION['font']"'";
    16 echo " size='"$_SESSION['size']"'";
    17 echo " color='"$_SESSION['colour']"'>";
    18 echo "$_SESSION['text']";
    19 echo "</font>";
    20 ?>

I have put ' ' quotes around the " " quotes for each font attribute so that the parser doesn't think the echo is finished too early. Is that wrong? I know that this code would get tedious for lots of text and CSS would be better, but, it's just a little study project from the book I'm following. Cheers.

Mark Sargent.

any of these will work:
echo "<font face='".$_SESSION['font']."'"; //note the . before and after the variable.
echo "<font face='{$_SESSION['font']}'";
echo "<font face='$_SESSION[font]'";//no quotes around the index key
ryan

--- End Message ---
--- Begin Message ---
Mark Sargent wrote:
Hi All,

I get the error for line 15 for this code,

<?php
    15 echo "<font face='"$_SESSION['font']"'";
    16 echo " size='"$_SESSION['size']"'";
    17 echo " color='"$_SESSION['colour']"'>";
    18 echo "$_SESSION['text']";
    19 echo "</font>";
    20 ?>

I have put ' ' quotes around the " " quotes for each font attribute so that the parser doesn't think the echo is finished too early. Is that wrong? I know that this code would get tedious for lots of text and CSS would be better, but, it's just a little study project from the book I'm following. Cheers.

Mark Sargent.

Hi All,

sorry, I forgot the fundamentals again,

. variableName .

echo "<font face='" . $_SESSION['font'] . "'";

and no " " around the variable in an echo statement when no other text in it.

echo $_SESSION['text'];

Cheers.

Mark Sargent.

--- End Message ---
--- Begin Message ---
Hi

I'm writing a set of db abstraction functions for an internal app which will 
give us a set of simple function calls for dealing with the db, like 

$result = db_AddEmployee($EmployeeData);
$EmployeeData = db_GetEmployee($EmployeeID);

etc.

There will be quite a few functions needed to deal with all the different 
ways the app touches the db, so my question is:

Am I better off putting all these functions into one big include file (which 
could get pretty big) or using a separate 'include' file for each function?

I'm thinking about the tradeoff between simplifying code by only having a 
single include file (parsing a lot of functions that aren't used, but less 
disk access) and having several include files (no extra funcs but lots more 
disk access). 

I realise there probably isn't a 'correct' way to do this; I'm curious about 
which methods folk here use in situations like this.

TIA in advance for any advice,

Mark

--- End Message ---