php-general Digest 15 Sep 2011 11:54:26 -0000 Issue 7479

Topics (messages 314858 through 314867):

Re: Querying a database for 50 users' information: 50 queries or a WHERE array?
        314858 by: Dotan Cohen
        314859 by: Alex Nikitin

Re: What would you like to see in most in a text editor?
        314860 by: Jonesy

Dereferencing an array.
        314861 by: Richard Quadling
        314862 by: Alex Nikitin

Re: Repetitive answers . . .
        314863 by: Joshua Stoutenburg
        314865 by: Nathan Nobbe

Re: Sort problem
        314864 by: yeer tai
        314867 by: Marc Guay

innerHTML triple quotes issue
        314866 by: Grega Leskovšek

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
On Wed, Sep 14, 2011 at 21:01, Alex Nikitin <niks...@gmail.com> wrote:
> You can use a limit with a nested select, you just can't use it in
> some cases, like inside an "IN" statement, but something like this
> should work:
>
> SELECT id, data, etc FROM table JOIN (SELECT special_id as id FROM
> special_table ORDER BY special_id LIMIT 0, 1000) AS table2 USING (id)
>
> Note: syntax may not be valid, but should be fairly straight forward
> to fix, have no time to play with it though...
>

Thanks.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

--- End Message ---
--- Begin Message ---
<rant from="tired of constantly having to explain it, developer">
MySQL real escape string doesn't work, it's a bad solution to the
problem that has been with the internets since the very beginning, and
if people program like they are taught to by books, doesn't look like
it's going away any time soon. The problem of course is that various
programming languages don't know how to talk to other languages, and
we as devs see no better way to do this than concatenate strings.
Basically this is the core reason why XSS and SQL injection are rampant
on the interwebs. Escaping only seems like it's a good idea to you,
but if you analyze what it does and compare it to today's technology,
you quickly realize how wrong of a concept it actually is. Escaping
looks for certain characters, and if found escapes them in some form.
The problem here is that rather than, say, defining all safe characters,
it defines what the developers believe to be bad characters, and the
effect that you get is not dissimilar to creating a firewall rule set
where the bottom rule is accept all: as long as my character doesn't
match what they thought was a bad character, it is allowed. This was
fine in the days of ASCII, but the tubes are hardly ASCII anymore;
with Unicode, UTF-16, I have 1,112,064 code points, they are not even
called characters anymore, because they really aren't. And if you are
familiar with best-fit mapping, you would know that there are now
dozens of characters that can represent any single symbol in ASCII,
meaning that using the above type of blocking mechanisms is silly and
technically insecure.

Another problem with it is the fact that security-wise this again is a
bad solution from another perspective. A programmer comes in, and
starts debugging code, and the first thing they always seem to do is to
turn off the security and comment out the escape line, and you know
what happens: the bug gets found and fixed completely elsewhere, but
the security never gets re-enabled. This is called failing open, and
it again goes with the concept above where the escape in itself fails
open as well.

So if you look into the problem at the core, what you have are two
types of code: code that you know is good, and crap data that you have
to somehow make safe. So you know how you do it in the same language?
Right, you assign that data to a storage container called a variable,
and the interpreter knows that this data here, I execute, and that
data there I use as data and don't execute. Well what happens when you
add another language into the mix? Well language A passes known good
code that it string concatenates to bad code, and what you get as a
result is the second language parser thinking "hey, all of this stuff
is good code, let me execute it!"... This is why a stringent delimiter
between known good and not good data needs to be portrayed to the
second language.

How do we do it with SQL? There are a few ways; one of the more common
ones is to use a prepared statement, which clearly separates the code
from the data for the SQL interpreter on the other side. This works
really well, with one HUGE down-side: it can be a REAL pain in the
butt to use, and the more complex your query gets, the more pain in the
butt it is to use prepared statements.

Another way, and this works for mostly any language, is to use an
in-common function that jumbles the known-bad data on one end, and
unjumbles it as data on the other. For example base64. It works
extremely well: you take any data on the PHP side, base 64 encode it,
and send it to SQL or JS or whatever. You can string concatenate the
b64'd data, because you know what b64'd data looks like? Yep, data,
it's not JS, it's not SQL, a bunch of garbled junk. You can then use
b64decode on that data, and by the design of the function the result
will be just that, data. So with this you keep the code/data
separation even with string concatenation...

Base 64 performs really well, and is well worth the few extra cycles
for the above-mentioned guaranteed code/data separation barrier, and
it's easy to implement. More importantly, this by default fails closed. You
would have to disable at least 4 security points and change 2 queries
to disable this (and if you are using a stored procedure this is even
harder), and that's beyond what you want to do during troubleshooting
usually, and if you disable one point, your application fails to work
altogether and it fails closed.

Moreover you can make this completely transparent to your devs by
changing your data access libraries (for SQL, or Ajax functions for JS
for example). They can pass in crap data, and the first thing your
data access library does before doing anything else is encode the
data into a bunch of gibberish... And when they pull the data back,
your library gets the data and unencodes it. The devs don't have to
worry about SQL injection, you don't have to worry about their
competence, you win ;)

</rant>

sources:

Dan Kaminsky - HOPE keynote - http://dankaminsky.com/interpolique/
Mike Samuel - Secure string interpolation in JS-
http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html


--
The trouble with programmers is that you can never tell what a
programmer is doing until it’s too late.  ~Seymour Cray




On Wed, Sep 14, 2011 at 5:02 PM, Dotan Cohen <dotanco...@gmail.com> wrote:
> On Wed, Sep 14, 2011 at 16:02, Eric Butera <eric.but...@gmail.com> wrote:
>> Just out of curiosity, where are these ids coming from?  Doing a raw
>> implode on them like that is a sql injection vuln.
>>
>
> They are in an array. I do of course is_int() them first, plus some
> other sanitation including mysql_real_escape_string().
>
> --
> Dotan Cohen
>
> http://gibberish.co.il
> http://what-is-what.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
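The thread above started with a query for a batch of user ids and ended with the prepared-statement point in the rant. The following is an added example, not code from the list or from any poster: it builds the IN (...) list that people find awkward with prepared statements, allow-lists the ids as integers (request values arrive as strings, so a numeric string is accepted and anything else is rejected), and binds every id as a parameter so no value ever becomes SQL text. It runs offline against an in-memory SQLite database through PDO; the `users` table, its columns and its three rows are constructed sample data.

```php
<?php
// Added example, not code from the thread: fetch a batch of user rows by id
// with a prepared statement, so the id list is bound as data and never
// becomes part of the SQL text. Runs offline against an in-memory SQLite
// database through PDO; the `users` table and its rows are constructed
// sample data.

declare(strict_types=1);

/**
 * Return the rows for the given ids. Ids are allow-listed (non-negative
 * integers, or digit strings as they arrive from a request); anything else
 * raises an exception, so the function fails closed instead of "escaping"
 * the value and passing it through.
 */
function fetchUsersByIds(PDO $pdo, array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($n === false) {
            throw new InvalidArgumentException('user id must be a non-negative integer');
        }
        $clean[] = $n;
    }
    if ($clean === []) {
        return [];
    }

    // One "?" per id. The statement text contains only placeholders; the
    // values travel separately as bound parameters.
    $marks = implode(',', array_fill(0, count($clean), '?'));
    $stmt  = $pdo->prepare("SELECT id, name FROM users WHERE id IN ($marks) ORDER BY id");
    foreach ($clean as $i => $n) {
        $stmt->bindValue($i + 1, $n, PDO::PARAM_INT); // positional markers are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed sample data ------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
foreach ([[1, 'Richard'], [2, 'Sally'], [3, 'Dotan']] as $row) {
    $ins->execute($row);
}

// A digit string from a request ("3") and a native int are both accepted.
print_r(fetchUsersByIds($pdo, ['3', 1]));

// A value that is not an integer never reaches the SQL layer at all.
try {
    fetchUsersByIds($pdo, ['three']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same placeholder list works with mysqli: build the marker string the same way and call `$stmt->bind_param(str_repeat('i', count($clean)), ...$clean)`. Whichever driver is used, the point the rant makes holds: the query text is fixed at prepare time, the ids are data, and a bad id stops the request rather than being "cleaned" into it.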
--- Begin Message ---
On Wed, 14 Sep 2011 14:08:09 +0100, Richard Quadling wrote:
> On 14 September 2011 13:18, Tim Streater <t...@clothears.org.uk> wrote:
>> On 14 Sep 2011 at 12:40, Richard Quadling <rquadl...@gmail.com> wrote:
>>> On 14 September 2011 01:23, tamouse wrote:
>>>> On Tue, Sep 13, 2011 at 3:35 PM, Robert Cummings wrote:
>>>>> I'm a big fan of editors that work in the terminal.
>>>>
>>>> You'll get my emacs when you pry it out of my cold dead hands.
>>>
>>> Pah! You and your full screen editor.
>>>
>>> EDLIN is the way to go.
>>
>> Is that more or less terse than TECO?
>>
>
> TECO - OUCH.

heh.  I built my first website with WordStar 6.0 under OS/2.

Jonesy -- yup, I've used TECO, too -- on an ASR-35 TTY
-- 
  Marvin L Jones    | jonz          | W3DHJ  | linux
   38.24N  104.55W  |  @ config.com | Jonesy |  OS/2
    * Killfiling google & XXXXbanter.com: jonz.net/ng.htm


--- End Message ---
--- Begin Message ---
Hi.

Based upon ...

<?php
$name = Null;
$age = Null;
$boundParams = array('name' => &$name, 'age' => &$age);
$records = array();

$name = 'Richard';
$age  = 43;
$records[] = $boundParams;

$name = 'Sally';
$age  = 37;
$records[] = $boundParams;

print_r($records);
?>

outputs Sally twice.

Whilst that is the correct output based upon the code, it is undesired.

I want the boundParams to have the references (the actual data from my
mysqli_stmt::fetch() with bound results), but I want to be able to
copy the values and not maintain the references.


The best I've come up with is ...

<?php
$name = Null;
$age = Null;
$boundParams = array('name' => &$name, 'age' => &$age);
$records = array();


$columns = array_keys($boundParams);

$name = 'Richard';
$age  = 43;
//$records[] = $boundParams;
$records[] = array_combine($columns,
array_map(function($m_Value){return $m_Value;}, $boundParams));

$name = 'Sally';
$age  = 37;
//$records[] = $boundParams;
$records[] = array_combine($columns,
array_map(function($m_Value){return $m_Value;}, $boundParams));

print_r($records);
?>

Is there a more efficient way?
-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea

--- End Message ---
--- Begin Message ---
It's only marginally faster, but it does look a bit cleaner, and is a
bit more memory efficient:

$records[] = unserialize(serialize($boundParams));

--
The trouble with programmers is that you can never tell what a
programmer is doing until it’s too late.  ~Seymour Cray




On Wed, Sep 14, 2011 at 6:36 PM, Richard Quadling <rquadl...@gmail.com> wrote:
> Hi.
>
> Based upon ...
>
> <?php
> $name = Null;
> $age = Null;
> $boundParams = array('name' => &$name, 'age' => &$age);
> $records = array();
>
> $name = 'Richard';
> $age  = 43;
> $records[] = $boundParams;
>
> $name = 'Sally';
> $age  = 37;
> $records[] = $boundParams;
>
> print_r($records);
> ?>
>
> outputs Sally twice.
>
> Whilst that is the correct output based upon the code, it is undesired.
>
> I want the boundParams to have the references (the actual data from my
> mysqli_stmt::fetch() with bound results), but I want to be able to
> copy the values and not maintain the references.
>
>
> The best I've come up with is ...
>
> <?php
> $name = Null;
> $age = Null;
> $boundParams = array('name' => &$name, 'age' => &$age);
> $records = array();
>
>
> $columns = array_keys($boundParams);
>
> $name = 'Richard';
> $age  = 43;
> //$records[] = $boundParams;
> $records[] = array_combine($columns,
> array_map(function($m_Value){return $m_Value;}, $boundParams));
>
> $name = 'Sally';
> $age  = 37;
> //$records[] = $boundParams;
> $records[] = array_combine($columns,
> array_map(function($m_Value){return $m_Value;}, $boundParams));
>
> print_r($records);
> ?>
>
> Is there a more efficient way?
> --
> Richard Quadling
> Twitter : EE : Zend : PHPDoc
> @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
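For the question above and the serialize/unserialize reply, here is an added example (not code from either poster) that snapshots an array of references with a plain foreach. It assumes nothing beyond the `$boundParams` shape from the question: assigning the array copies it but its elements remain references, whereas foreach by value reads through each reference and stores an ordinary value, so each stored record keeps its own data without a serialize round-trip.

```php
<?php
// Added example, not code from the thread: take a by-value snapshot of an
// array whose elements are references (the shape mysqli_stmt::fetch() gives
// you with bound result variables) so each stored record keeps its own data.

declare(strict_types=1);

/**
 * Return a copy of $bound holding the current value behind each element.
 * Assigning the array itself ($records[] = $bound) copies the array, but the
 * elements stay references, so every stored copy follows later fetches.
 * foreach by value reads through each reference and stores a plain value.
 */
function snapshot(array $bound): array
{
    $copy = [];
    foreach ($bound as $column => $value) {
        $copy[$column] = $value;
    }
    return $copy;
}

$name = null;
$age  = null;
$boundParams = ['name' => &$name, 'age' => &$age];
$records = [];

// Simulates two successive fetch() calls writing into the bound variables.
$name = 'Richard';
$age  = 43;
$records[] = snapshot($boundParams);

$name = 'Sally';
$age  = 37;
$records[] = snapshot($boundParams);

print_r($records);

// Changing the bound variable no longer touches the stored records.
$name = 'Nobody';
echo $records[0]['name'], ' / ', $records[1]['name'], "\n";
```

Run as written, the first record holds Richard/43 and the second Sally/37, and the final line still shows Richard / Sally after `$name` is overwritten. This does the same job as the `array_map` identity callback or `unserialize(serialize(...))`, with no closure call per column and no string round-trip.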
--- Begin Message ---
On Wed, Sep 14, 2011 at 11:59 AM, Govinda <govinda.webdnat...@gmail.com> wrote:
>> As for duplicate answers...,
>
>> [snip]
>
>
> Also newbies may tend to like the multiples answers.. for the different 
> perspectives, as Dan said, but also when they are exact dupe answers - 
> because then the newbie knows the answer is definitive.. and then stops 
> asking the list.. and starts doing what work is called for.
>
> -Govinda
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

That's a good point.  The absence of objection to a provided answer
doesn't necessarily make it definitive since it could just be the
masses passed over the conversation.  Therefore, yes, duplicate
answers are a good thing.

Thanks everybody for your patience in helping this mailing list
newcomer understand how things work.

--- End Message ---
--- Begin Message ---
On Wed, Sep 14, 2011 at 10:06 PM, Joshua Stoutenburg
<jehoshu...@gmail.com>wrote:

> On Wed, Sep 14, 2011 at 11:59 AM, Govinda <govinda.webdnat...@gmail.com>
> wrote:
> >> As for duplicate answers...,
> >
> >> [snip]
> >
> >
> > Also newbies may tend to like the multiples answers.. for the different
> perspectives, as Dan said, but also when they are exact dupe answers -
> because then the newbie knows the answer is definitive.. and then stops
> asking the list.. and starts doing what work is called for.
> >
> > -Govinda
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> That's a good point.  The absence of objection to a provided answer
> doesn't necessarily make it definitive since it could just be the
> masses passed over the conversation.  Therefore, yes, duplicate
> answers are a good thing.
>
> Thanks everybody for your patience in helping this mailing list
> newcomer understand how things work.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
wait, it sounds like we could use another answer .., yes ppl like to answer
things many times here, often with almost identical suggestions, and many
spins on how to approach the problem, including alternative perspectives on
life..; the ebb-&-flow of php-general ;)

-nathan

--- End Message ---
--- Begin Message ---

use natsort.


--- End Message ---
--- Begin Message ---
> use natsort.

For the "repetitive answers" specialists:  Is it possible that 15
hours later someone is still only seeing the original question?

Marc

--- End Message ---
--- Begin Message ---
<h3>My Heavenly profession is being <span class="see"
onmouseover='<?php echo "this.innerHTML=' <img
src=\"http://imagecache2.allposters.com/images/PF_New/102008/3070943.jpg\";
alt =\"close to my heavenly face\" />'";?>'
onmouseout="this.innerHTML='an angel'">an angel</span>,


I first tried this but got a mistake, and then I tried to use PHP to
settle this (see above), but got a parsing mistake.

although not fully liberated I came to work in this world for <span class="see"
onmouseover="this.innerHTML='<img
src=\"http://t1.gstatic.com/images?q=tbn:ANd9GcTaxIC0HvMMWTlZ2ozXMcwTsqRcStUXRWItISeVyDrVkzVtv2s-AVmn6v3x\";
alt =\"Lord Krishna in His garden of flowers, that's a spiritual world\" />'"
onmouseout="this.innerHTML='Lord Krishna\'s Realisation.'">Lord
Krishna's Realisation.</span></h3>


Could you please look at my code and explain to me what to do if I need
to use triple quotes - we only have " and ' in onmouseover (1),
this.innerHTML (2) and in src (3)

Please help me!

♥♥♥ When the sun rises I receive and when it sets I forgive! ♥♥♥
˜♥ -> http://moj.skavt.net/gleskovs/ <- ♥ Always, Grega Leskovšek

--- End Message ---
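The three quote levels in the post above are three languages nested inside each other: an HTML attribute, a JavaScript string inside it, and an HTML fragment inside that string. The following is an added example, not code from the poster: it builds the same span from PHP with one escaping step per layer instead of hand-juggling quotes, which is also what keeps such handlers from becoming an XSS sink when the text or URL comes from user data. The image URL and alt text are placeholders.

```php
<?php
// Added example, not code from the thread: generate the hover span with one
// escaping step per language layer, so the HTML attribute, the JS string
// literal inside it, and the HTML fragment inside that string never collide.
// The image URL and alt text below are placeholders.

declare(strict_types=1);

/** Escape text for use inside HTML content or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** An <img> tag as an HTML string, both attributes HTML-escaped (layer 3). */
function imgTag(string $src, string $alt): string
{
    return '<img src="' . h($src) . '" alt="' . h($alt) . '" />';
}

/**
 * Return the statement  this.innerHTML="...";  ready to sit in an attribute.
 * Layer 2: json_encode turns the fragment into a valid JS string literal; the
 *          JSON_HEX_* flags encode quotes, apostrophes, <, > and & as \uXXXX,
 *          so the literal contains no character HTML could misread.
 * Layer 1: htmlspecialchars then makes the whole statement safe inside a
 *          double-quoted HTML attribute (only the literal's own quotes remain
 *          to be encoded as &quot;).
 */
function innerHtmlHandler(string $html): string
{
    $js = 'this.innerHTML=' . json_encode(
        $html,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return h($js);
}

/** The hover span: image on mouseover, plain text on mouseout. */
function hoverSpan(string $text, string $src, string $alt): string
{
    return '<span class="see"'
        . ' onmouseover="' . innerHtmlHandler(imgTag($src, $alt)) . '"'
        . ' onmouseout="'  . innerHtmlHandler(h($text)) . '">'
        . h($text)
        . '</span>';
}

echo '<h3>My Heavenly profession is being ',
    hoverSpan('an angel', 'https://example.invalid/angel.jpg', 'close to my heavenly face'),
    ",</h3>\n";
echo '<p>',
    hoverSpan("Lord Krishna's Realisation.", 'https://example.invalid/garden.jpg',
        "Lord Krishna in His garden of flowers, that's a spiritual world"),
    "</p>\n";
```

The browser undoes the layers in reverse order: the attribute is HTML-decoded, the JavaScript string literal is evaluated, and the resulting fragment is parsed as HTML by innerHTML. Each function above answers for exactly one of those steps, so an apostrophe in the text or a `"` in the alt attribute cannot terminate the wrong layer. The nesting disappears entirely if the handler is registered from a script with `addEventListener` and the image URL is carried in a `data-` attribute, which also lets the page run under a Content-Security-Policy that forbids inline handlers.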