php-general Digest 21 Feb 2009 11:36:17 -0000 Issue 5971
Topics (messages 288638 through 288644):
Re: Unique User Hashes
288638 by: Nathan Rixham
288639 by: tedd
mysql_real_escape_string("asdasddas") ??? wtf
288640 by: Tim | iHostNZ
288641 by: Ross McKay
288642 by: German Geek
288643 by: Ashley Sheridan
288644 by: Ross McKay
----------------------------------------------------------------------
--- Begin Message ---
Michael A. Peters wrote:
> Nathan Rixham wrote:
>> it's all a bit pointless, the only way to ensure only one vote per
>> person is to get take and test a dns sample from each user.
>> anything else is going to be flawed
>
> Hey now, what do you have against us clones?
> ;)

and nobody noticed I said DNS sample not DNA sample - jesus thought
somebody would have jumped on that one :p
--- End Message ---
--- Begin Message ---
At 11:09 PM +0000 2/20/09, Nathan Rixham wrote:
>Michael A. Peters wrote:
>>Nathan Rixham wrote:
>>>it's all a bit pointless, the only way to ensure only one vote per
>>>person is to get take and test a dns sample from each user.
>>>anything else is going to be flawed
>>
>>Hey now, what do you have against us clones?
>>;)
>
>and nobody noticed I said DNS sample not DNA sample - jesus thought
>somebody would have jumped on that one :p

I saw it -- I just didn't want to get into the debate again with a
troll lurking about.

Some people are so focused on the point they want to make that they
don't hear what others are saying.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
Hi everyone,
Can anyone here tell me why mysql_real_escape_string("asdasddas") returns an
empty string?
Just writing a data import...
Anyway, for security but also simply because i might have a ' in the string,
i need to escape it. Apparently it is good practice to use
mysql_real_escape_string() but it simply doesn't work at all on this
machine. I thought it's a rather standard function.
Is it maybe my Apache server setup? But i thought the function wouldn't
exist then and throw an error in the php script, but it runs through fine.
Please help, we need this data import by next week hence i'm working now...
I can send you details of the server setup if required. Please let me know
what as there are quite a few things... It's xampp on windows xp
(testing/dev machine).
Regards,
Tim
Tim-Hinnerk Heuer
http://www.ihostnz.com
P. J. O'Rourke - "Everybody knows how to raise children, except the people
who have them."
--- End Message ---
--- Begin Message ---
On Sat, 21 Feb 2009 19:19:44 +1300, [email protected] wrote:
>Can anyone here tell me why mysql_real_escape_string("asdasddas") returns an
>empty string?
Have you opened a connection to a MySQL database? It won't work without
an open connection.
--
Ross McKay, Toronto, NSW Australia
"Let the laddie play wi the knife - he'll learn"
- The Wee Book of Calvin
--- End Message ---
--- Begin Message ---
Ah, ic. Mh, why wouldn't a function like that function without a db
connection? Does it use the db? Isn't that less efficient? I might just use
str_replace, because i can't think of any way that one could get a sql
injection into
str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
If you can, please enlighten me.
Maybe if they enter something like \c ?? Like one of the mysql special
commands? But if it's inside a string literal??
Thanks a lot, i would have never thought about that.
Will try.
Tim-Hinnerk Heuer
http://www.ihostnz.com
George Burns - "I would go out with women my age, but there are no women my
age."
2009/2/21 Ross McKay <[email protected]>
> On Sat, 21 Feb 2009 19:19:44 +1300, [email protected] wrote:
>
> >Can anyone here tell me why mysql_real_escape_string("asdasddas") returns an
> >empty string?
>
> Have you opened a connection to a MySQL database? It won't work without
> an open connection.
> --
> Ross McKay, Toronto, NSW Australia
> "Let the laddie play wi the knife - he'll learn"
> - The Wee Book of Calvin
--- End Message ---
--- Begin Message ---
On Sat, 2009-02-21 at 22:55 +1300, German Geek wrote:
> Ah, ic. Mh, why wouldn't a function like that function without a db
> connection? Does it use the db? Isn't that less efficient? I might just use
> str_replace, because i can't think of any way that one could get a sql
> injection into
>
> str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
>
> If you can, please enlighten me.
>
> Maybe if they enter something like \c ?? Like one of the mysql special
> commands? But if it's inside a string literal??
>
> Thanks a lot, i would have never thought about that.
>
> Will try.
>
> Tim-Hinnerk Heuer
>
> http://www.ihostnz.com
> George Burns - "I would go out with women my age, but there are no women my
> age."
>
> 2009/2/21 Ross McKay <[email protected]>
>
> > On Sat, 21 Feb 2009 19:19:44 +1300, [email protected] wrote:
> >
> > >Can anyone here tell me why mysql_real_escape_string("asdasddas") returns an
> > >empty string?
> >
> > Have you opened a connection to a MySQL database? It won't work without
> > an open connection.
> > --
> > Ross McKay, Toronto, NSW Australia
> > "Let the laddie play wi the knife - he'll learn"
> > - The Wee Book of Calvin
It doesn't actually use the connection, but it requires one to be open
before you can use it. You said you're using this on a query anyway, so
why not open the connection to mysql?
Ash
www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
German Geek wrote:
>Ah, ic. Mh, why wouldn't a function like that function without a db
>connection? Does it use the db? Isn't that less efficient?
It doesn't use the db - at least, it doesn't make a call to the db. It
probably wants a db resource handle so that it can know what character
set it is meant to be handling, which is established as a property on
the connection.
>I might just use
>str_replace, because i can't think of any way that one could get a sql
>injection into
>
>str_replace("'", "\\\'", $value); // might need to replace a literal \ too.
>
>If you can, please enlighten me.
And also: NUL, LF, CR, " and ^Z
Or you could just call mysql_real_escape_string and know that you
haven't coded your str_replace with some hole in it :)
--
Ross McKay, Toronto, NSW Australia
"The chief cause of problems is solutions" -Eric Sevareid
--- End Message ---
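Added example, not part of any list member's post: a small PHP 7.4+ model of where MySQL closes a single-quoted literal (default sql_mode), run over constructed inputs against the str_replace call quoted in the thread and two variants. `literal_end`, `stays_inside` and the escaper labels are hypothetical names; the last escaper only models the byte set named in the thread plus backslash and ignores the connection character set that the real function consults.

```php
<?php
// Added illustration: helper names are hypothetical, inputs are constructed.

// Offset at which a MySQL '...' literal closes (default sql_mode, backslash
// escapes enabled), or -1 if the literal is never closed.
function literal_end(string $sql): int {
    $n = strlen($sql);
    for ($i = 1; $i < $n; $i++) {              // $sql[0] is the opening quote
        if ($sql[$i] === '\\') { $i++; continue; }   // backslash consumes next byte
        if ($sql[$i] === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") { $i++; continue; } // '' = quote
            return $i;
        }
    }
    return -1;
}

// True when the value stays inside the quotes the query builder wrapped around it.
function stays_inside(string $escaped): bool {
    $sql = "'" . $escaped . "'";
    return literal_end($sql) === strlen($sql) - 1;
}

$escapers = [
    // The call as quoted in the thread: "\\\'" is backslash, backslash, quote.
    'as posted'  => fn(string $v) => str_replace("'", "\\\'", $v),
    // Single backslash before each quote, nothing else.
    'quote only' => fn(string $v) => str_replace("'", "\\'", $v),
    // Model of the byte set named in the thread, plus backslash itself.
    'full set'   => fn(string $v) => strtr($v, [
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\0" => '\\0',
        "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
    ]),
];

// Constructed inputs: an apostrophe, a trailing backslash, backslash + apostrophe.
$inputs = ["O'Brien", 'C:\\temp\\', "x\\'y"];

foreach ($escapers as $name => $escape) {
    foreach ($inputs as $in) {
        $out = $escape($in);
        printf("%-10s %-10s -> %-12s %s\n", $name, $in, $out,
            stays_inside($out) ? 'contained' : 'NOT contained');
    }
}
```

On PHP versions without the mysql_* extension, mysqli_real_escape_string takes the connection as an explicit argument, which matches the character-set explanation given in the last message.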