[PHP-DB] Multi Page Form

2004-10-05 Thread Jensen, Kimberlee
Hidden fields are preferred to visible fields and far preferred to query string data, 
but hidden fields can still be modified. The user can save the form page on their 
desktop, modify the html source (and include the full http path in the form action) 
then use their browser to send the modified form on to the server. Do most people have 
that much time on their hands? Of course not. But it's still a risk. (As is a session 
hijack too.)

Why not create some HEAP tables that will work as session tables, and just insert the 
data into the HEAP tables, then when you're done, do an INSERT INTO...SELECT to take 
the data from the HEAP table and store it in the real table (then DELETE the entries 
from the temporary HEAP table)? That way you're not passing the data page to page, but 
storing it as you go.
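The staging approach described above, as an added example that is not code from the original post: each page of the form writes only its own fields into a MEMORY (formerly HEAP) table keyed by the PHP session id, and the last page moves the finished row into the real table with INSERT ... SELECT and clears the staging row. The table names, columns and credentials are assumptions.

```php
<?php
// Added example, not from the original post. Assumed schema (not on the page):
//   CREATE TABLE form_stage (session_id CHAR(64) PRIMARY KEY, name VARCHAR(80),
//                            email VARCHAR(120), phone VARCHAR(20)) ENGINE=MEMORY;
//   CREATE TABLE members (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(80),
//                         email VARCHAR(120), phone VARCHAR(20)) ENGINE=InnoDB;
session_start();
$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials

// Each page passes only the field names it owns, so a hand-edited POST cannot set
// fields that belong to another step. $field comes from that allow-list, never from
// the request, which is the only reason it may be spliced into the SQL text.
function stage_step(mysqli $db, array $allowed, array $post): void {
    $sid = session_id();
    foreach ($allowed as $field) {
        if (!isset($post[$field])) {
            continue;
        }
        $value = (string) $post[$field];
        $stmt = $db->prepare("INSERT INTO form_stage (session_id, $field) VALUES (?, ?)
                              ON DUPLICATE KEY UPDATE $field = ?");
        $stmt->bind_param('sss', $sid, $value, $value);
        $stmt->execute();
        $stmt->close();
    }
}

// Final page: copy this session's staged row into the real table, then clear it.
// Nothing from the browser is needed here; the data never left the server.
function commit_form(mysqli $db): bool {
    $sid = session_id();
    $db->begin_transaction();
    $ins = $db->prepare('INSERT INTO members (name, email, phone)
                         SELECT name, email, phone FROM form_stage WHERE session_id = ?');
    $ins->bind_param('s', $sid);
    $ins->execute();
    $copied = $ins->affected_rows === 1;
    $ins->close();
    if (!$copied) {                 // nothing staged for this session
        $db->rollback();
        return false;
    }
    $del = $db->prepare('DELETE FROM form_stage WHERE session_id = ?');
    $del->bind_param('s', $sid);
    $del->execute();
    $del->close();
    $db->commit();                  // the MEMORY table itself is not transactional
    return true;
}
```

Page 1 would call stage_step($db, ['name'], $_POST), page 2 stage_step($db, ['email', 'phone'], $_POST), and the confirmation page commit_form($db).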



RE: [PHP-DB] Re: Basic MySQL Query Question

2004-08-16 Thread Jensen, Kimberlee
That's what escapeshellcmd() is for - never ever trust user data. At minimum, I would 
always use addslashes() or the new mysql_real_escape_string() around every bit of user 
data if it's touching the db. At minimum, and in lieu of data validation that is 
really checking what the user entered (alpha plus spaces, hyphen, period, apostrophe 
only) I would do this:

$query = "INSERT INTO members (name) VALUES ('" . addslashes($_POST['name']) . "')";



-Original Message-
From:   Ed Lazor [mailto:[EMAIL PROTECTED]
Sent:   Mon 8/16/2004 10:06 AM
To: 'Torsten Roehr'; [EMAIL PROTECTED]
Cc: 
Subject:RE: [PHP-DB] Re: Basic MySQL Query Question
Is it just me or is this a very bad thing from a security standpoint?  It
seems to me that user input should always be filtered before use.  Otherwise
there's nothing stopping a hacker from embedding sql into the value of the
name variable.

 -Original Message-
 Insert into members (name) values ($_POST['name']);






[PHP-DB] RE: SQL Insert problem

2004-08-05 Thread Jensen, Kimberlee
All you have done here is just assigned the query string to a variable. This alone 
does absolutely nothing as far as the db is concerned. You need to execute the query 
against the db for it to have an effect. The mysql_query() function is used for all 
queries, not just selects.


$sql = "INSERT INTO rmarequest (firstname, lastname, address, address2,
city, state, zip, phone, email, serial, product, reason, rmanumber) VALUES
('$firstname', '$lastname', '$address', '$address2', '$city', '$state', '$zip', '$phone',
'$email', '$serial', '$product', '$reason', '$rmanumber')";

$result = mysql_query($sql, $connect) or die(mysql_error($connect));


-Original Message-
From:   Vincent Jordan [mailto:[EMAIL PROTECTED]
Sent:   Thu 8/5/2004 7:24 AM
To: [EMAIL PROTECTED]
Cc: 
Subject:SQL Insert problem
I'm having a problem inserting data. I've looked over this again and again and
can not find what I've missed. Everything else works besides the db insert.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<?php

ini_set('display_errors', 1);
error_reporting(E_ALL & ~E_NOTICE);

// Define
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$address = $_POST['address'];
$address2 = $_POST['address2'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$serial = $_POST['serial'];
$product = $_POST['product'];
$reason = $_POST['reason'];
$gold = $_POST['gold_button_y'];
$goldaccount = $_POST['goldaccount'];
$rmanumber = $lastname[0] . date("ndyGi");

$connect = mysql_connect("SERVER", "USER", "PASSWORD") or die(mysql_error());
$select = mysql_select_db("spdata") or die(mysql_error());

$sql = "INSERT INTO rmarequest (firstname, lastname, address, address2,
city, state, zip, phone, email, serial, product, reason, rmanumber) VALUES
('$firstname', '$lastname', '$address', '$address2', '$city', '$state', '$zip', '$phone',
'$email', '$serial', '$product', '$reason', '$rmanumber')" or die(mysql_error());

if (isset($_POST['submit'])) {
    $sql;
}

// Send and put in email message
$from = "From: RMA Request <[EMAIL PROTECTED]>"; // set before it is used below
$htmlheader = "Content-Type: text/html; charset=us-ascii\n";
$htmlheader .= "Content-Transfer-Encoding: 7bit";
$header = $from;            // set the from field in the header
$header .= "\n";            // add a line feed
$header .= "MIME-version: 1.0\n"; // add the mime-version header
$header .= $htmlheader . "\n";

$message = "$firstname $lastname
$address
$address2
$city
$state
$zip
$phone
$email
$product
$serial
$gold
$goldaccount
$reason
$rmanumber";

// Send email to support
mail("[EMAIL PROTECTED]", "RMA Request", $message, $header);

?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untitled Document</title>
</head>
<body>
<p><strong>RMA Request Sent</strong></p>
<p>Your RMA Number is <strong><?php echo htmlspecialchars($rmanumber); ?></strong></p>
<p>Please include a note within your package with your shipping address,
phone number and description of the problem.<br />When shipping Smart Parts
recommends insuring your package for the full replacement cost.
We also advise purchasing tracking services if using the postal
service.</p>
<p><strong>Ship your return to: </strong></p>
<p>Smart Parts, Inc<br />
ATTN <?php echo htmlspecialchars($rmanumber); ?><br />
Loyanhanna Business Complex<br />
100 Station St.<br />
Loyalhanna Pa. 15661</p>
<p><br />
  Please allow up to one week for package delivery.
For status information please call 800-992-2147 and ask for the returns
department.</p>
<a href="#" onClick="window.print();">Click Here to print this page</a><br />
<a href="form.htm">Click here to return to RMA Request form</a>
</body>
</html>
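As an added example serving both the escaping thread above (Basic MySQL Query Question) and this RMA thread, and not code from either: the name fields are checked against the allow-list the earlier reply describes (letters, space, hyphen, period, apostrophe), and the INSERT is actually executed, through a mysqli prepared statement so every value is bound as data rather than spliced into the SQL string. The table rmarequest with the columns listed below and a connected mysqli object $db are assumptions.

```php
<?php
// Added example, not code from either thread. Assumed: table rmarequest with exactly
// the columns in RMA_COLUMNS, and an already connected mysqli object $db.

const RMA_COLUMNS = ['firstname', 'lastname', 'address', 'address2', 'city', 'state',
                     'zip', 'phone', 'email', 'serial', 'product', 'reason', 'rmanumber'];

function valid_name(string $s): bool {
    // \z anchors at the true end of the string, so a trailing newline is rejected.
    return $s !== '' && strlen($s) <= 80 && preg_match('/^[A-Za-z .\'-]+\z/', $s) === 1;
}

// Returns the new row id, or null when the name fields fail validation.
function insert_rma_request(mysqli $db, array $post): ?int {
    $row = [];
    foreach (RMA_COLUMNS as $col) {
        if ($col !== 'rmanumber') {
            $row[$col] = trim((string) ($post[$col] ?? ''));
        }
    }
    if (!valid_name($row['firstname']) || !valid_name($row['lastname'])) {
        return null;                       // reject, rather than try to "clean" it
    }
    // Same scheme as the original script: first letter of the last name plus a timestamp.
    $row['rmanumber'] = strtoupper($row['lastname'][0]) . date('ndyGi');

    // Column names come from the constant above, never from the request.
    $sql = 'INSERT INTO rmarequest (' . implode(', ', RMA_COLUMNS) . ') VALUES ('
         . implode(', ', array_fill(0, count(RMA_COLUMNS), '?')) . ')';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $values = array_values($row);          // same order as RMA_COLUMNS
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    // Building $sql does nothing on its own; execute() is what sends it to the server.
    if (!$stmt->execute() || $stmt->affected_rows !== 1) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('insert failed: ' . $error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}
```

A last name such as O'Brien passes valid_name() and is stored intact, because the apostrophe travels as a bound parameter; in the spliced-in form shown in the threads it would instead terminate the string literal.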

 






[PHP-DB] RE: Urgent JOIN help needed

2004-07-31 Thread Jensen, Kimberlee
Why you are getting multiple results is because a JOIN attempts to find all the 
possible combinations in the output. (It's called a Cartesian product, not that you 
care at this very moment.) Also, when doing joins, it's a bad idea to do a select * 
since you will have two fields with the same value (the field on which you are 
joining). Also, it's best to use the . notation for table reference so that you have no 
ambiguity. This is one picky note, but not all dbs are as flexible as MySQL: when you 
are specifying the ON clause, your LEFT table should always be the table to the LEFT 
of the equal sign. MySQL does not care, but it's good practice. I would change it to:

$sql = "SELECT vendorprices.*, fooditems.Description FROM vendorprices LEFT JOIN 
fooditems ON (vendorprices.VendorNumber = fooditems.CategoryNumber) WHERE 
(vendorprices.VendorNumber = '$VendorID')";

You are on the right track with LEFT Join, that is precisely what is needed for the 
output you want.


-Original Message-
From:   Chris Payne [mailto:[EMAIL PROTECTED]
Sent:   Fri 7/30/2004 8:25 PM
To: [EMAIL PROTECTED]
Cc: 
Subject:Urgent JOIN help needed
Hi there everyone,

 

I'm new to JOINS and have followed some info in the MySQL manual but I'm at
a loss, using the code I'll paste below, I get each result 4 times and I am
confused as to why?  Basically I'm trying to display ALL fields from the
vendorprices table, and grab just the Description column from the fooditems
table, the factor which joins them both is the string $VendorID which in the
vendorprices table is VendorNumber and in the fooditems table is
CategoryNumber.

 

$sql = "SELECT * FROM vendorprices LEFT JOIN fooditems ON
(vendorprices.VendorNumber = fooditems.CategoryNumber AND
fooditems.CategoryNumber = '$VendorID') WHERE
vendorprices.VendorNumber='$VendorID' AND
fooditems.CategoryNumber='$VendorID'";

 

Can anyone see where I'm going wrong?  This is driving me nuts and I need to
figure it out urgently.

 

Thank you for your help.


Regards

 

Chris






[PHP-DB] RE: MySQL '!=' ???

2004-07-20 Thread Jensen, Kimberlee
Whenever you are trying to exclude a list, you should use AND, not OR. This is a logic 
issue. However, to make it more exact, streamlined and simpler use the NOT IN clause.

SELECT ... FROM ... WHERE country NOT IN ('Argentina', 'USA', 'Mexico', etc.)



-Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent:   Tue 7/20/2004 4:40 PM
To: [EMAIL PROTECTED]
Cc: 
Subject:[BULK] - php-db Digest 20 Jul 2004 23:40:15 - Issue 2503






Re: [PHP-DB] DB table creation question

2004-07-20 Thread Jensen, Kimberlee
In addition to making sure both tables are type InnoDB, also make sure you have 
indexed both the foreign key and its corresponding reference first (this will fix the 
obtuse errno(150) message).

One suggestion I have is to take a bootcamp style class, even online, to solidify the 
grasp of database concepts. I created my first site without completely understanding 
data modelling, other than the lip service paid in the reference books - sure we can 
all list the five norms, but to apply that knowledge is another thing, and I cringe at 
some of the hacks I then employed. I'm sure you're under a tight deadline, but take it 
from someone who learned the hard (and hardheaded) way, it's worth your time to take a 
class first. Or, it may be time to hire a consultant to work with you one on one. 
There are plenty of developers who would love to break down everything for you, so 
long as they are compensated for their time.



[PHP-DB] RE: Case sensitive search

2004-07-18 Thread Jensen, Kimberlee
Two options:

1. Use ALTER to make the field BINARY.

2. Use the BINARY modifier in your SELECT

select * from test where BINARY data='a'




-Original Message-
From:   Rosen [mailto:[EMAIL PROTECTED]
Sent:   Sun 7/18/2004 2:45 AM
To: [EMAIL PROTECTED]
Cc: 
Subject:Case sensitive search
Hi,
I have a simple table:

test (
  id int unsigned NOT NULL auto_increment,
  data varchar(30) default NULL,
  PRIMARY KEY  (id))

with two simple records:
id  data
1   a
2   A

When I perform select * from test where data='a' - it returns both
rows.

By default in MySQL comparing of strings is case-insensitive.
How can I perform a case sensitive search in text fields?

Thanks in advance,
Rosen





[PHP-DB] RE: Rewrite value from form data

2004-07-18 Thread Jensen, Kimberlee
I have an even easier solution - why not just use three form fields, run a reg exp 
test on each individually for appropriate # of digits and then concatenate with - 
prior to insert?

<input type="text" name="area" size="3" maxlength="3"> -
<input type="text" name="prefix" size="3" maxlength="3"> -
<input type="text" name="suffix" size="4" maxlength="4">


[PHP-DB] Validate value

2004-07-11 Thread Jensen, Kimberlee
1. You have to allow for a space in your pattern - you can do so by hitting the space 
bar or using \s. Here are some options:

$pattern = "/^[a-zA-Z ]+$/";
if (preg_match($pattern, $_POST['name'])) {
    // letters and spaces only
}

$pattern = "/^[a-zA-Z\s]+$/";
if (preg_match($pattern, $_POST['name'])) {
    // letters and any whitespace
}

$pattern = "/^[a-zA-Z]+[\s]?[a-zA-Z]*$/";
if (preg_match($pattern, $_POST['name'])) {
    // two words separated by at most one whitespace character
}

2. Do you want other characters besides numbers in the phone, such as 333-333-?
Otherwise, this should do it:

$pattern = "/^[\d]{10}$/";
if (preg_match($pattern, $_POST['phone'])) {
    // exactly ten digits
}
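An added example, not code from the original post, that runs the three name patterns and the phone pattern above over constructed inputs to show what each actually admits. Two PCRE details matter for validation: \s also matches tabs and newlines, and a bare $ matches just before a final newline, so the D modifier (or \z) is needed to reject "Jensen\n". The inputs and the space-D variant are mine, not the post's.

```php
<?php
// Added example, not from the original post. Patterns 1-3 and 'phone' are the post's;
// 'space-D' is a hardened variant that anchors at the real end of the string.
$patterns = [
    'space'       => '/^[a-zA-Z ]+$/',
    'backslash-s' => '/^[a-zA-Z\s]+$/',
    'one-space'   => '/^[a-zA-Z]+[\s]?[a-zA-Z]*$/',
    'space-D'     => '/^[a-zA-Z ]+$/D',
    'phone'       => '/^[\d]{10}$/',
];

// Constructed inputs covering the edge cases named in the lead-in.
$inputs = ["Kim Jensen", "Kim  Jensen", "Kim\tJensen", "Kim Jensen\n",
           "Kim;Jensen", "5551234567", "5551234567\n", "555-123-4567"];

function check(string $pattern, string $value): bool {
    return preg_match($pattern, $value) === 1;
}

printf("%-18s", 'input');
foreach (array_keys($patterns) as $name) {
    printf("%-13s", $name);
}
echo "\n";
foreach ($inputs as $in) {
    printf("%-18s", json_encode($in));        // json_encode makes \t and \n visible
    foreach ($patterns as $pattern) {
        printf("%-13s", check($pattern, $in) ? 'match' : '-');
    }
    echo "\n";
}
// Takeaways from the table: "Kim Jensen\n" and "5551234567\n" match the post's
// patterns but not 'space-D'; "Kim\tJensen" passes every pattern that uses \s.
```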






[PHP-DB] Web host offering beta versions?

2004-07-08 Thread Jensen, Kimberlee
Does anyone know of a free/low cost Web host that lets you play with PHP 5 and MySQL 
4.1? Thanks


[PHP-DB] mysql versus mysqli versus db abstraction

2004-07-06 Thread Jensen, Kimberlee
Hello,
I was wondering how many of you have made the switch to mysqli from the mysql library? 
I teach a class in PHP/MySQL and want to keep current with what industry folks are 
doing. I did not immediately adopt mysqli into my classroom and am wondering if it's 
time.
I was also wondering how many of you are working strictly with DB abstraction classes 
at this point. 
Any input you can share is most appreciated.
Cheers, Kimberlee Jensen