php-general Digest 16 Jun 2009 02:51:12 -0000 Issue 6177

Topics (messages 294048 through 294059):

how to extract fields from associative array into different variables
        294048 by: PJ
        294049 by: Jay Blanchard
        294050 by: PJ
        294051 by: Eddie Drapkin
        294053 by: Jay Blanchard
        294055 by: PJ

fopen() on a network share?
        294052 by: Brian Dunning
        294057 by: Brian Dunning
        294058 by: Shawn McKenzie
        294059 by: Andrew Ballard

Re: Preventing XSS Attacks
        294054 by: Paul M Foster

populate form input option dropdown box from existing data
        294056 by: PJ

Administrivia:

To subscribe to the digest, e-mail:
        [email protected]

To unsubscribe from the digest, e-mail:
        [email protected]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
Is there an easier or simpler way to do this?
code:

$idIN = (int) $idIN;   // the book ID is interpolated into the SQL below, so force it to an integer first
$sql = "SELECT first_name, last_name, book_author.ordinal
        FROM author, book_author
        WHERE book_author.bookID = $idIN && book_author.authID = author.id
        ORDER BY ordinal";

$author = array();
if ( ( $results = mysql_query($sql, $db) ) !== false ) {
    while ( $row = mysql_fetch_array($results, MYSQL_ASSOC) ) {
        $author[] = $row;
    }
}
$numrows = count($author);   // same value as mysql_num_rows(), but no warning when the query failed
switch ($numrows)
{
case 5:
  $first_nameIN = $author[0]['first_name'];
  $last_nameIN = $author[0]['last_name'];
  $first_name2IN = $author[1]['first_name'];
  $last_name2IN = $author[1]['last_name'];
  $first_name3IN = $author[2]['first_name'];
  $last_name3IN = $author[2]['last_name'];
  $first_name4IN = $author[3]['first_name'];
  $last_name4IN = $author[3]['last_name'];
  $first_name5IN = $author[4]['first_name'];
  $last_name5IN = $author[4]['last_name'];
  break;
case 4:
  $first_nameIN = $author[0]['first_name'];
  $last_nameIN = $author[0]['last_name'];
snip....

-- 
Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
-------------------------------------------------------------
Phil Jourdan --- [email protected]
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


--- End Message ---
--- Begin Message ---
[snip]
Is there an easier or simpler way to do this?
[/snip]

http://us2.php.net/manual/en/function.mysql-fetch-row.php


--- End Message ---
--- Begin Message ---
Jay Blanchard wrote:
> [snip]
> Is there an easier or simpler way to do this?
> [/snip]
>
> http://us2.php.net/manual/en/function.mysql-fetch-row.php
>   
In what way would this simplify or ease my pain?
The difficulty, it seems to me, is not in retrieving the rows, but
rather how to pass the row data to the variables. And since the number
of rows is variable, I believe that the only way to assign the variables
is by use of a loop? I think I'm beating my head against the wall for
nothing... :-(
I know I'm a newbie (a very lazy and ignorant one, apparently) but I
don't quite understand. Or is there a gain in execution time or resource
usage?


-- 
Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
-------------------------------------------------------------
Phil Jourdan --- [email protected]
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


--- End Message ---
--- Begin Message ---
You could use list() a la
list($foo, $bar) = mysql_fetch_row($results);

On Mon, Jun 15, 2009 at 4:19 PM, PJ <[email protected]> wrote:

> Jay Blanchard wrote:
> > [snip]
> > Is there an easier or simpler way to do this?
> > [/snip]
> >
> > http://us2.php.net/manual/en/function.mysql-fetch-row.php
> >
> In what way would this simplify or ease my pain?
> The difficulty, it seems to me, is not in retrieving the rows, but
> rather how to pass the row data to the variables. And since the number
> of rows is variable, I believe that the only way to assign the variables
> is by use of a loop? I think I'm beating my head against the wall for
> nothing... :-(
> I know I'm a newbie (a very lazy and ignorant one, apparently) but I
> don't quite understand. Or is there a gain in execution time or resource
> usage?
>
>
> --
> Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
> -------------------------------------------------------------
> Phil Jourdan --- [email protected]
>   http://www.ptahhotep.com
>    http://www.chiccantine.com/andypantry.php
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
[snip]
In what way would this simplify or ease my pain?
The difficulty, it seems to me, is not in retrieving the rows, but
rather how to pass the row data to the variables. And since the number
of rows is variable, I believe that the only way to assign the variables
is by use of a loop? I think I'm beating my head against the wall for
nothing... :-(
[/snip]

You asked for easier. In this way the data is assigned to a usable
variable right out of the gate and that is an array variable. You can
actually use it with either mysql_fetch_array or mysql_fetch_row. 

Here is your query;

$sql = "SELECT first_name, last_name, book_author.ordinal
      FROM author, book_author
      WHERE book_author.bookID = $idIN && book_author.authID = author.id
ORDER BY ordinal";

You need not declare another array, but do it this way instead;

   if ($results = mysql_query($sql, $db)) {
        while ( $row = mysql_fetch_array($results, MYSQL_ASSOC) ) {
            echo $row['first_name'];
                echo $row['last_name'];
....etcetera.....
        }
    }

The lazy part I will agree with :)

--- End Message ---
--- Begin Message ---
Jay Blanchard wrote:
> [snip]
> In what way would this simplify or ease my pain?
> The difficulty, it seems to me, is not in retrieving the rows, but
> rather how to pass the row data to the variables. And since the number
> of rows is variable, I believe that the only way to assign the variables
> is by use of a loop? I think I'm beating my head against the wall for
> nothing... :-(
> [/snip]
>
> You asked for easier. In this way the data is assigned to a usable
> variable right out of the gate and that is an array variable. You can
> actually use it with either mysql_fetch_array or mysql_fetch_row. 
>
> Here is your query;
>
> $sql = "SELECT first_name, last_name, book_author.ordinal
>       FROM author, book_author
>       WHERE book_author.bookID = $idIN && book_author.authID = author.id
> ORDER BY ordinal";
>
> You need not declare another array, but do it this way instead;
>
>    if ($results = mysql_query($sql, $db)) {
>         while ( $row = mysql_fetch_array($results, MYSQL_ASSOC) ) {
>             echo $row['first_name'];
>               echo $row['last_name'];
>   
Then I have to add some loopy thing to assign the values to the
$variables... a real pita since my variables do not lend themselves too
well to linear alterations ($varIn, $var2IN, $var3IN... etc... so $i=0
and $i++ aren't going to be too cooperative here... I guess I'd have to
change that to $var1IN... and then figure out how to do $var.$i.IN ... I
already tried, but don't seem to have it right
> ....etcetera.....
>         }
>     }
>
> The lazy part I will agree with :)
>   
Well, I shouldn't say it, but laziness is a characteristic of
"intelligence": why do more than you have to when you can be doing
something else. Actually, I am anything but lazy, I spend innumerable
hours trying to understand what all this coding is about... searching
the web and rummaging (and I do mean "rummaging") in all the lists and
posts ... but just going through 20 or 30 listings out of more than
20,000 is already taxing... much easier to ask on the list... if someone
can understand my fuzzy questions, they may find the grace and
generosity to take pity on the ignoramus... ;-)
And I enjoy the ribbing and the humour ... it's a really very nice list!


-- 
Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
-------------------------------------------------------------
Phil Jourdan --- [email protected]
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


--- End Message ---
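An added example, not from the thread, that does what PJ is after without the switch: it builds the $first_nameIN, $first_name2IN, ... names from the loop index for any number of rows, shows Eddie's list() idiom on an associative row, and shows the extract() shortcut that should not be used on request data. The rows are constructed sample data standing in for the mysql_fetch_array() loop (the mysql_* extension was removed in PHP 7, so nothing here touches a database); author_vars() is my own name.

```php
<?php
// Added example, not part of the original thread. $author is constructed
// sample data in place of the rows PJ collects with mysql_fetch_array().
$author = [
    ['first_name' => 'Ada',   'last_name' => 'Lovelace', 'ordinal' => 1],
    ['first_name' => 'Alan',  'last_name' => 'Turing',   'ordinal' => 2],
    ['first_name' => 'Grace', 'last_name' => 'Hopper',   'ordinal' => 3],
];

// 1. Eddie's list() idiom, one row at a time, when the target names are
//    fixed. On an associative row use keyed destructuring (PHP >= 7.1).
foreach ($author as $row) {
    ['first_name' => $first, 'last_name' => $last] = $row;
    printf("%d: %s %s\n", $row['ordinal'], $first, $last);
}

// 2. PJ's naming scheme ($first_nameIN, $first_name2IN, ...) for however
//    many rows came back. The variable NAME is built from the loop index,
//    never from the row contents, so data can only ever land in a value.
function author_vars(array $rows): array
{
    $vars = [];
    foreach ($rows as $i => $row) {
        $suffix = $i === 0 ? '' : (string) ($i + 1);   // '', '2', '3', ...
        $vars['first_name' . $suffix . 'IN'] = $row['first_name'];
        $vars['last_name' . $suffix . 'IN']  = $row['last_name'];
    }
    return $vars;
}

foreach (author_vars($author) as $name => $value) {
    $$name = $value;     // variable variable: creates $first_nameIN, $first_name2IN, ...
}
echo $first_name2IN, ' ', $last_name2IN, "\n";

// 3. The shortcut to avoid: extract() names the variables after the array
//    KEYS. When the keys come from outside ($_POST, $_GET, a decoded JSON
//    body) the request gets to overwrite variables your code trusts.
$is_admin  = false;
$untrusted = ['is_admin' => true, 'first_name' => 'Mallory'];   // constructed input
extract($untrusted, EXTR_SKIP);                 // an existing $is_admin is left alone
extract($untrusted, EXTR_PREFIX_ALL, 'in');     // $in_is_admin, $in_first_name instead
var_dump($is_admin, $in_first_name);
```

The switch in the original message is the same loop unrolled by hand; author_vars() collapses it and also covers counts the switch has no case for.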
--- Begin Message ---
Running on Windows... I have a network share, \\sharename\foldername, and I want to write a file. How do I format the pathname with fopen() for this?


--- End Message ---
--- Begin Message ---
Extra info, in case needed: my code says

fopen('\\servername\sharename\folder\file.xml', 'w');

and it returns "Failed to open stream, no such file or directory". I've verified that the PHP machine does have unrestricted permissions to that share and to the directory. Thanks.


On Jun 15, 2009, at 1:39 PM, Brian Dunning wrote:

Running on Windows... I have a network share, \\sharename\foldername, and I want to write a file. How do I format the pathname with fopen() for this?




--- End Message ---
--- Begin Message ---
Brian Dunning wrote:
> Extra info, in case needed: my code says
> 
> fopen('\\servername\sharename\folder\file.xml', 'w');
> 
> and it returns "Failed to open stream, no such file or directory". I've
> verified that the PHP machine does have unrestricted permissions to that
> share and to the directory. Thanks.
> 
> 
> On Jun 15, 2009, at 1:39 PM, Brian Dunning wrote:
> 
>> Running on Windows... I have a network share, \\sharename\foldername,
>> and I want to write a file. How do I format the pathname with fopen()
>> for this?
> 
> 
> 
As I remember, you either have to double slash or use the other slash.

\\\\servername\\sharename\\folder\\file.xml

or

//servername/sharename/folder/file.xml

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
On Mon, Jun 15, 2009 at 7:24 PM, Shawn McKenzie<[email protected]> wrote:
> Brian Dunning wrote:
>> Extra info, in case needed: my code says
>>
>> fopen('\\servername\sharename\folder\file.xml', 'w');
>>
>> and it returns "Failed to open stream, no such file or directory". I've
>> verified that the PHP machine does have unrestricted permissions to that
>> share and to the directory. Thanks.
>>
>>
>> On Jun 15, 2009, at 1:39 PM, Brian Dunning wrote:
>>
>>> Running on Windows... I have a network share, \\sharename\foldername,
>>> and I want to write a file. How do I format the pathname with fopen()
>>> for this?
>>
>>
>>
> As I remember, you either have to double slash or use the other slash.
>
> \\\\servername\\sharename\\folder\\file.xml
>
> or
>
> //servername/sharename/folder/file.xml
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
>

I think '\\\\servername\sharename\folder\file.xml' will work if you're
using single quotes around the string. The only slashes that would
need escaping are the first two, since the first slash in '\\' escapes
the second.

Andrew

--- End Message ---
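As an added example (not from the thread), the script below prints what each literal discussed above really contains, then builds the UNC path from validated pieces so the escaping question never comes up. The server, share and file names are the placeholders from Brian's message; unc_path() and write_share_file() are my own names.

```php
<?php
// Added example, not part of the original thread. Runs anywhere; only the
// commented-out write at the end needs a reachable Windows share.

// What each literal from the thread actually contains. Inside single
// quotes only \\ and \' are escapes, so '\\' is ONE backslash and '\s'
// stays '\s'. Inside double quotes \f is a form feed (PHP >= 5.2.5), so
// "\folder\file" silently loses both backslashes and the letter f.
$literals = [
    'Brian, single quotes'            => '\\servername\sharename\folder\file.xml',
    'Andrew, single quotes'           => '\\\\servername\sharename\folder\file.xml',
    'Shawn, single quotes, all doubled' => '\\\\servername\\sharename\\folder\\file.xml',
    'Andrew form in double quotes'    => "\\\\servername\sharename\folder\file.xml",
    'Shawn, forward slashes'          => '//servername/sharename/folder/file.xml',
];
foreach ($literals as $label => $path) {
    // addcslashes() renders control characters as \f, \n, ... so they show up
    printf("%-34s %s\n", $label, addcslashes($path, "\0..\37\177"));
}

// Building the path from parts lets you refuse any segment that would
// change where the file ends up (separators, '..', control characters,
// trailing dots or spaces that Windows strips). Reserved device names such
// as CON or NUL are a separate check not done here.
function unc_path(string $server, string $share, string ...$parts): string
{
    foreach (array_merge([$server, $share], $parts) as $seg) {
        if (!preg_match('/\A[A-Za-z0-9]([A-Za-z0-9._ -]*[A-Za-z0-9])?\z/', $seg)) {
            throw new InvalidArgumentException('bad path segment: ' . var_export($seg, true));
        }
    }
    return '\\\\' . $server . '\\' . $share . '\\' . implode('\\', $parts);
}

function write_share_file(string $path, string $data): void
{
    $fh = fopen($path, 'w');
    if ($fh === false) {
        $err = error_get_last();
        throw new RuntimeException("fopen($path) failed: " . ($err['message'] ?? 'unknown error'));
    }
    try {
        if (fwrite($fh, $data) !== strlen($data)) {
            throw new RuntimeException("short write to $path");
        }
    } finally {
        fclose($fh);
    }
}

$path = unc_path('servername', 'sharename', 'folder', 'file.xml');
echo $path, "\n";
// On the Windows box that can see the share:
// write_share_file($path, '<?xml version="1.0"?><root/>');

try {
    unc_path('servername', 'sharename', '..', 'other', 'file.xml');   // rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The first line of output explains Brian's "no such file or directory": in single quotes '\\servername\...' is the string \servername\..., a path relative to the root of the current drive, not a UNC name. If the path is right and fopen() still fails, check which account the web server process runs under; the share's ACL has to grant that identity, not the user logged in at the console.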
--- Begin Message ---
On Mon, Jun 15, 2009 at 10:48:04AM -0400, Bob McConnell wrote:

> From: Ashley Sheridan
> > On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > > mysql_real_escape_string() only sanitise the input. I would personally
> > > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > > Validate the input in some way, or make extra sanitisation of it
> > > before running the search query.
> > >
> > > Regarding the HTML output, just entities() it and you'll be good :)
> > >
> > > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> > > <[email protected]> wrote:
> > > >
> > > > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > > > As far for the output, just html entities () it and you will
> > > > > be good.
> > > > >
> > > > > You better check the search query for sql injection, which is
> > > > > more dangerous.
> > > > >
> > > > > HTH
> > > > > Nitsan
> > > > >
> > > > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> > > > > <[email protected]> wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > I'm looking at adding a new search feature to my site, and one
> > > > > > of the elements of this is to echo back in the search results
> > > > > > page, the original string the user searched for. Up until now,
> > > > > > XSS hasn't (afaik) been an issue for my site, but I can see
> > > > > > from a mile off this will be.
> > > > > > What would you guys recommend to avoid this?
> > > > > >
> > > > > > I'd thought initially of using a mixture of
> > > > > > html_special_chars() and a regex (as yet not sure what I'll be
> > > > > > stripping out with this) to sanitise the output for display on
> > > > > > the results page, but is this enough?
> > > > > >
> > > >
> > > > I always use mysql_real_escape_string() for that sort of thing, not
> > > > had a problem with it, but is there anything you think I should be
> > > > wary of?
> > > >
> >
> > Well, I don't understand, what is the problem with
> > mysql_real_escape_string() for sanitising input to use for a search? It
> > should escape anything out so that the query can't be used in ways that
> > I don't want no?
> >
> > I'd thought about using a whitelist-only regex, but that seems a little
> > limiting tbh, and as my site contains code, it's not unreasonable to
> > expect some people might want to search for particular code excerpts.
>
> What if we don't use MySQL? We are using Postgres on our web servers.
> None of the MySQL libraries are available. I am currently reviewing a
> half-dozen different and incomplete black-list sanitization functions
> that don't do a very good job while removing characters that we need to
> be able to use. I need to identify a clean strategy to replace or
> restructure them.

PostgreSQL has a function called pg_escape_string() which probably
performs a function similar to MySQL's function. See

http://us2.php.net/manual/en/function.pg-escape-string.php

But you'll still need other functions (as above in this thread) to do a
thorough job.

Paul
-- 
Paul M. Foster

--- End Message ---
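An added example, not from the thread, of the strategy Bob is looking for: the search term is sent to PostgreSQL as a bound parameter of pg_query_params(), so no escaping function and no blacklist is needed on the way in, and it is encoded with htmlspecialchars() on the way out, at the spot where it is written into HTML. The table and column names, the search_posts(), h() and render_results() functions, and the sample search string are my own; search_posts() is defined but not called because it needs a connection.

```php
<?php
// Added example, not part of the original thread. Two different contexts,
// two different defences, neither of which removes characters from the term.

// --- Database side. pg_query_params() ships the term separately from the
//     SQL text, so quotes, semicolons and backslashes in it are plain data.
//     The only thing worth touching is LIKE's own wildcards.
function search_posts($conn, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';   // \ is PostgreSQL's default ESCAPE char
    $res = pg_query_params(
        $conn,
        'SELECT id, title FROM posts WHERE body ILIKE $1 ORDER BY id LIMIT 50',
        [$pattern]
    );
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];   // pg_fetch_all() returned false on no rows before PHP 8
}

// --- Output side. Encode for HTML at the point of use, not on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_results(string $term, array $rows): string
{
    $html  = '<p>Results for: ' . h($term) . "</p>\n";
    $html .= '<input type="text" name="q" value="' . h($term) . "\">\n";   // attribute context: ENT_QUOTES matters
    $html .= "<ul>\n";
    foreach ($rows as $row) {
        $html .= '<li><a href="/post.php?id=' . (int) $row['id'] . '">'
               . h($row['title']) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample: an attacker's search string, and a title made of the
// characters Ashley wants to remain searchable.
$term = '"><img src=x onerror=alert(document.cookie)>';
$rows = [['id' => 7, 'title' => 'Using <b>, & and " in code']];
echo render_results($term, $rows);

// Why an SQL escaper is no XSS defence: it only touches quote, backslash
// and NUL, so this payload comes back byte for byte.
echo addslashes('<img src=x onerror=alert(1)>'), "\n";
```

Call search_posts() with the result of pg_connect() and pass the rows to render_results(). The same split applies to MySQL: mysqli or PDO prepared statements for the query, htmlspecialchars() for the page, and mysql_real_escape_string() answers neither question on its own.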
--- Begin Message ---
I am having difficulties figuring out how to enter retrieved data into a
dropdown box for editing. Here's a snippet:
...snip
<select name="categoriesIN[]" multiple size="8">
        <option value="1">Civilization</option>
        <option value="2">Monuments, Temples &amp; Tombs</option>
        <option value="3">Pharaohs and Queens</option>... snip

As I understand it, I need to put an array ( $categoriesIN[] ) somewhere
in the above code... or do I need to insert a series of value "selected"
fields for the values?
The closest thing to what I need, seems to be in this post:
http://www.hpfreaks.com/forums/index.php?topic=165215
But it doesn't appear too inviting... not sure if they ever got it to
work...

-- 
Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
-------------------------------------------------------------
Phil Jourdan --- [email protected]
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


--- End Message ---
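An added example, not from the thread, of the second of PJ's two options: the <select> is emitted from the category list, with selected set on every option whose id is among the record's stored categories, and the submitted categoriesIN[] array is filtered back against the same list before it is stored. The category rows and the stored IDs are constructed sample data; category_select(), clean_category_ids() and h() are my own names.

```php
<?php
// Added example, not part of the original thread. Both arrays below are
// constructed sample data.

// id => label, as it would come back from the categories table
$categories = [
    1 => 'Civilization',
    2 => 'Monuments, Temples & Tombs',
    3 => 'Pharaohs and Queens',
];

// the record's current categories, as stored in the link table
$current = [2, 3];

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Emit the <select>, marking every option whose id is in $selected.
function category_select(array $categories, array $selected): string
{
    $selected = array_flip(array_map('intval', $selected));   // id => true for O(1) lookups
    $out = "<select name=\"categoriesIN[]\" multiple size=\"8\">\n";
    foreach ($categories as $id => $label) {
        $flag = isset($selected[$id]) ? ' selected' : '';
        $out .= sprintf("    <option value=\"%d\"%s>%s</option>\n", $id, $flag, h($label));
    }
    return $out . "</select>\n";
}

// On submit, keep only IDs that exist in $categories. The browser only
// offers these values, but the request itself can carry anything.
function clean_category_ids(array $categories, $posted): array
{
    if (!is_array($posted)) {
        return [];
    }
    $ids = [];
    foreach ($posted as $v) {
        if (is_string($v) && ctype_digit($v) && isset($categories[(int) $v])) {
            $ids[(int) $v] = true;     // array key also de-duplicates
        }
    }
    return array_keys($ids);
}

echo category_select($categories, $current);

$posted = ['3', '1', '42', '1 OR 1=1', ['x']];   // constructed $_POST['categoriesIN']
var_dump(clean_category_ids($categories, $posted));
```

In the constructed submission only 3 and 1 survive the filter: 42 is not a known category, '1 OR 1=1' is not a digit string, and the nested array is not a string at all. The value="%d" and h($label) in category_select() keep the option list safe even when category names are editable by users.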
