php-general Digest 27 May 2006 10:02:36 -0000 Issue 4151
Topics (messages 236991 through 236997):
Re: Serialize
236991 by: Al
Re: Escaping quotes for DB Entry
236992 by: Ford, Mike
236993 by: Ford, Mike
Re: 5.1.4, mysqli, and fastcgi leaving connections open.
236994 by: steve
Re: anti SQL injection method in php manual.
236995 by: Dotan Cohen
What is best framework?
236996 by: Pham Huu Le Quoc Phuc
Fatal error: Call to undefined function mysql_create_db()
236997 by: Mark Sargent
----------------------------------------------------------------------
--- Begin Message ---
[EMAIL PROTECTED] wrote:
Hi,
Is a serialized array a "safe" string to insert into a mysql text field? Or is a
function such as mysql_real_escape_string always needed?
regards
Simon
Seems like you can use MySQL blob fields and serialize
--- End Message ---
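An added example (mine, not Al's or Simon's code) showing why the answer is the same as for any other string: serialize() output embeds the raw element values, quotes included, so it is passed as a bound parameter rather than spliced into the SQL text. A table `settings(id INT, data TEXT)` and PHP 7+ mysqli are assumed.

```php
<?php
// Added example: a serialized array is just a string that carries the raw
// element values, quotes included, so it is treated like any other untrusted
// string on its way into MySQL. Table "settings(id INT, data TEXT)" is assumed.

$row = ['name' => "O'Brien", 'note' => 'say "hi"', 'tags' => ['a', 'b']];
echo serialize($row), "\n";
// The output contains both kinds of quote, so splicing it into SQL text
// unescaped would let the data end the string literal early.

function store_serialized(mysqli $db, int $id, array $value): bool
{
    $blob = serialize($value);
    // A placeholder keeps the data out of the SQL text; no escaping needed.
    $stmt = $db->prepare('INSERT INTO settings (id, data) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('is', $id, $blob);   // 's' works for TEXT and BLOB columns
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function load_serialized(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT data FROM settings WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($blob);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return null;
    }
    // Only data this application wrote with serialize() is unserialized,
    // and object instantiation is switched off as a precaution.
    $value = unserialize($blob, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}
```

Run on its own the script only prints the serialized form; the two functions need a live mysqli connection.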
--- Begin Message ---
> From: Brad Bonkoski [mailto:[EMAIL PROTECTED]
> Sent: Fri 26/05/2006 15:41
>
> A lot has been said recently about the dangers of the family of
> magic_quotes...
> I understand the dangers.
> The question is, for those of us using a database that does not have a
> *real_escape_string function...Oracle for example.
> What is the *best* way to escape quotes for DB insertion?
Well, since Oracle escapes single-quotes with another single quote, on the few
occasions when I actually have to escape I generally just run:
$safe_str = str_replace("'", "''", $str);
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
To view the terms under which this email is distributed, please go to
http://disclaimer.leedsmet.ac.uk/email.htm
--- End Message ---
--- Begin Message ---
> From: Jochem Maas [mailto:[EMAIL PROTECTED]
> Sent: Fri 26/05/2006 15:54
>
> Brad Bonkoski wrote:
> > All...
> > A lot has been said recently about the dangers of the family of
> > magic_quotes...
> > I understand the dangers.
> > The question is, for those of us using a database that does not have a
> > *real_escape_string function...Oracle for example.
> > What is the *best* way to escape quotes for DB insertion?
>
> looking at the manual I would assume that ora_bind() is the best way of safely
> stuffing things into an oracle DB:
>
> http://php.net/manual/en/function.ora-bind.php
Whoa, that is waaaay out of date - the ora_ functions have been deprecated as
long as I've been using PHP, which is several years now! You should be using
the OCI extension, and oci_bind_by_name().
> if this function is of any worth it *should* be doing any/all proper escaping
> of
> data 'under water' and hopefully much more thoroughly/correctly than anything
> you/we
> could do in userland.
>
> <remark type="biased">
> of course you could use firebird DB (php5 interbase extension) and just make
> use of
> the built in parameterized query functionality - which is simple to use,
> doesn't
> require endless reams of parameter binding declaration and is rock solid
> (i.e. no
> matter how crap my input filtering is SQL injection remains impossible ;-))
> </remark>
oci_bind_by_name() (and, presumably, ora-bind() before it) *is* Oracle's
parameterized query equivalent -- admittedly not quite as elegant, but no
escaping required and is "rock solid (i.e. no matter how crap [your] input
filtering is SQL injection remains impossible"!).
--- End Message ---
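The two approaches this thread compares, as an added example (mine, not Mike Ford's or Jochem's code): the doubled-quote escape for an Oracle string literal beside a bind variable through oci_bind_by_name(). A table `customers` with a `name` column and an OCI8 connection obtained from oci_connect() are assumed.

```php
<?php
// Added example: getting a user-supplied string into an Oracle table from PHP.
// Table "customers(name VARCHAR2)" and an oci_connect() handle are assumed.

// 1. Escaping by hand, as in the thread. An Oracle string literal escapes a
//    single quote by doubling it; backslash is not an escape character in
//    Oracle SQL, so the quote is the only character that can end the literal.
//    This only protects a value that sits inside quotes; it does nothing for
//    a value spliced in as a number or identifier.
function oracle_quote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

function build_insert_literal(string $name): string
{
    return 'INSERT INTO customers (name) VALUES (' . oracle_quote($name) . ')';
}

// 2. Bind variable: the SQL text never contains the data, so there is
//    nothing to escape and the statement shape cannot change.
function insert_with_bind($conn, string $name): bool
{
    $stmt = oci_parse($conn, 'INSERT INTO customers (name) VALUES (:name)');
    if ($stmt === false) {
        return false;
    }
    // oci_bind_by_name() binds by reference, so pass a variable, not an expression.
    if (!oci_bind_by_name($stmt, ':name', $name)) {
        oci_free_statement($stmt);
        return false;
    }
    $ok = oci_execute($stmt);   // default mode commits on success
    oci_free_statement($stmt);
    return $ok !== false;
}

// Self-check of the escaper on a value containing the one troublesome character.
$sql = build_insert_literal("O'Brien");
echo $sql, "\n";
assert($sql === "INSERT INTO customers (name) VALUES ('O''Brien')");
```

The literal-building half runs anywhere; insert_with_bind() needs the OCI8 extension and a real connection.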
--- Begin Message ---
mysqli does not have persistent connections. Kinda wish it did, as
using fastcgi has about the same number of processes that I would
want connections in a connection pooling scheme under a module
scenario.
Anyhow, it's a 5.1.4 bug and it's reported.
--- End Message ---
--- Begin Message ---
On 5/26/06, Eric Butera <[EMAIL PROTECTED]> wrote:
> > > What is the purpose of the sprintf?
> It's just a way of creating the string without escaping it with quotes
> to call the function over and over to keep it clean.
Thanks. I think that I'll stick with the simpler code (to my eyes) and
eliminate the sprintf. In any case, it works.
Dotan Cohen
http://auto-car.info
--- End Message ---
--- Begin Message ---
Hi!
I intend to write an online sales web site using PHP and MySQL.
I want to find the "best framework" (available) for PHP.
Could you give me some advice?
Thanks.
--- End Message ---
--- Begin Message ---
Hi All,
I get the following,
Fatal error: Call to undefined function mysql_create_db() in
/usr/local/apache2/htdocs/createmovie.php on line 6
for this code,
5 //create the moviesite database
6 mysql_create_db("moviesite") or die(mysql_error());
which is from a tutorial in the book I'm using. Any pointers? Code looks
identical to the book's. Cheers.
P.S. I also tried this,
mysql_create_db("moviesite", $connect) or die(mysql_error());
and
mysql_create_db("moviesite", "$connect") or die(mysql_error());
Mark Sargent.
--- End Message ---