[PHP] Including Functions; one file or many?

2006-05-26 Thread Mark Kelly
Hi

I'm writing a set of db abstraction functions for an internal app which will 
give us a set of simple function calls for dealing with the db, like 

$result = db_AddEmployee($EmployeeData);
$EmployeeData = db_GetEmployee($EmployeeID);

etc.

There will be quite a few functions needed to deal with all the different 
ways the app touches the db, so my question is:

Am I better off putting all these functions into one big include file (which 
could get pretty big) or using a separate 'include' file for each function?

I'm thinking about the tradeoff between simplifying code by only having a 
single include file (parsing a lot of functions that aren't used, but less 
disk access) and having several include files (no extra funcs but lots more 
disk access). 

I realise there probably isn't a 'correct' way to do this, I'm curious about 
which methods folk here use in situations like this.

TIA in advance for any advice,

Mark

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Including Functions; one file or many?

2006-05-26 Thread George Pitcher
Mark,

I use one functions file per site, then I know that if I include it, all
of my functions are available.

George




[PHP] Why does this preg_replace function not work?

2006-05-26 Thread Dave M G

PHP List,

In the code below, I want to take the text within $content, and change 
every instance of [h3] into <h3>, and every instance of [/h3] into 
</h3>. And then do the same for [em], [/em], [strong], and so on.


However, this code does absolutely nothing to the text stored in content:

$tags = array ("h3", "em", "strong", "hr");
$content = preg_replace("[" . $tags . "]", "<" . $tags . ">", $content);
$content = preg_replace("[/" . $tags . "]", "</" . $tags . ">", $content);

Clearly I've either misunderstood the use of preg_replace(), or regular 
expressions, or arrays, despite having looked them up in the PHP online 
manual.


I also tried str_replace(), but predictably that did not help. As far as 
I understand it, it does not accept arrays.


What am I doing wrong in the above code?

And can the two preg_replace() commands be achieved in one line?

Thank you for any advice.

--
Dave M G




[PHP] Re: Including Functions; one file or many?

2006-05-26 Thread M. Sokolewicz


Mark, first of all, have you considered writing a class/object to handle 
this? eg.

class EmployeeManager {
    function Add($data) {
        // add employee to database
    }
    function Get($employeeId) {
        // look the employee up and hand back the row
        return $employeeData;
    }
}
Usually objects/classes are used when it's logical to group a set of 
functions (members) together because of shared functionality/shared 
purpose. Not that you couldn't do it like you do, which isn't at all 
wrong either :)


Now, to your next question. I would say, the world is grey and your 
thoughts are either black or white. You're looking at extremes; store 
*everything* in 1 file or store *every function* in its *own* file.
Well, I'll tell you, don't attempt the last one because it will just 
cause you a lot of pain having to manage so many files. As for speed, 
the last one (with 1 file per function) will be slightly slower, since 
the overhead of 1 (or was it 2?) stat calls per included file will slow 
it down. Not that it'll be even remotely noticeable until you include 
thousands of files, but it's there (and you asked for it).
Now, as to the other extreme, everything in 1. The overhead for this is 
minimal when it comes to loading, but the question I would ask myself 
is, do I really need all those functions *everywhere* I include the 
file? Usually, this is a no, you only need a couple. So basically 
what's happening is, you need a few, say 5 functions from the file, but 
you include it entirely, all 500 of em, just to get those 5. The 
overhead you would incur at this point isn't due to the stat calls but 
due to defining functions and never using them.


Right, now back to my advice. I advise you group together your functions 
in a logical order and then move them per group to separate files. Example:

employee_management_functions.inc:
   AddEmployee()
   RemoveEmployee()
   GetEmployee()
   etc.

employee_project_functions.inc:
   GetProjectByEmployee()
   SetProjectByEmployee()
   GetAllProjects()
   etc.

So, when you need just a few functions you can specifically include that 
part and use them.


goodluck,
- tul




[PHP] Re: Why does this preg_replace function not work?

2006-05-26 Thread M. Sokolewicz


First of all, why the hell are you using preg_* functions for this? 
You're feeding static content to it, no modifiers *at all* (not even 
case-insensitivity). I recommend you go back to str_replace() as that is 
what you need. You'd also be wise to read up on arrays and regular 
expressions (a lot).


preg_replace() uses regular-expressions. Regular expressions require (in 
php) 2 delimiters, one at the start of the expression and one at the 
end, followed by optional modifiers/flags. Eg:

/regexpGoesHere/i
this would match regexpGoesHere and be case-insensitive.
You don't use delimiters (first problem).
Second problem with your code is that you're assuming that [, ], < and > 
are not meta-characters. Unfortunately, [ and ] ARE meta-characters. 
This means that when you would pass it [h3] it would see that as any 
character which is an 'h' or '3' is a valid candidate for this 
expression. You would either need to escape it so it becomes \[h3\] 
which would mean any string looking like '[h3]' is a valid candidate.


Right, well, first let's go and fix the mess you've made of your arrays.
Here's a lesson for you:
Say you have
$array = array('a','b','c');
print($array);
print($array);

What do you expect to see?
a
b
?

Because looking at your code it seems like you're expecting something 
very strange. The thing you'll see is:

Array
Array

Your correct version would be to either loop over it using a construct 
such as foreach(), while() or the like, OR use the special case of 
preg_replace and str_replace functions, which may also take 2 arrays as 
their parameters. Remember though, you CAN NOT MIX ARRAYS WITH STRINGS 
just like that.


So, a more correct version for you would be (using str_replace because 
it's faster and easier and more appropriate):
$tagsOld = array ("[h3]", "[em]", "[strong]", "[hr]", "[/h3]", "[/em]", 
"[/strong]", "[/hr]");
$tagsNew = array ("<h3>", "<em>", "<strong>", "<hr>", "</h3>", "</em>", 
"</strong>", "</hr>");

$content = str_replace($tagsOld, $tagsNew, $content);

What I've done here is made an array with what is to be replaced and a 
second one with what it is to be replaced with. Internally, str_replace 
goes over the whole list of $tagsOld and replaces each value with the 
corresponding value from $tagsNew (based on position in the array, 
meaning the 2nd value from $tagsOld will be replaced with the 2nd value 
from $tagsNew).


hope you understand what you did (wrong) now,
- tul




Re: [PHP] Why does this preg_replace function not work?

2006-05-26 Thread Rabin Vincent

On 5/26/06, Dave M G [EMAIL PROTECTED] wrote:


You want str_replace. It does accept arrays. You put in all the things
you want to replace in one array, and all the things they will be replaced
by into another array and call str_replace:

$from = array('[h3]', '[/h3]');
$to = array('<h3>', '</h3>');
$content = str_replace($from, $to, $content);

This will work if you have a list of the tag names. If you want to
generically replace [anyword] with <anyword>, you'll have to go for
preg_replace and regular expressions.

Rabin

--
http://rab.in




RE: [PHP] Why does this preg_replace function not work?

2006-05-26 Thread Dan Parry
[snip]
"[" . $tags . "]"
[/snip]

This in the regex would need to be "\[" . $tags . "\]" as the square
brackets ([]) represent a character class in regular expressions, so must be
escaped to be matched literally

Also /'s should be escaped (\/)

There may be more mistakes but I thought I'd point this one out :)

HTH

Dan

-- 
Dan Parry
Senior Developer
Virtua Webtech Ltd
http://www.virtuawebtech.co.uk




Re: [PHP] Upload files problems

2006-05-26 Thread Rory Browne

It's very hard to read code, when either there is no comments, or the
comments are in a language you don't understand.

I speak a little Spanish, but I don't understand enough to understand what
it means.

Rory

On 5/25/06, Ing. Tomás Liendo [EMAIL PROTECTED] wrote:


Hi!
When the users of my system try to go up files of more than 460 K, they
receive the message:
Fatal error: Maximum execution time of 90 seconds exceeded in
c:\websites\iracbiogenar48\iracbiogen.com.ar\virtual\procesa_msjpriv.php
on
line 2

I'm using the following method to up load the files:

if($archivo_name)
{
    $dpath="./archivos_recibidos/".$archivo_name;
    if(move_uploaded_file($archivo, $dpath))
    {// The file is transferred to the server.
        echo "<font size=2 face=\"Arial, Helvetica, sans-serif\">El archivo \""
            .$archivo_name."\" ha sido transferido exitosamente.</font></div></td>";
    }
    else
    {
        echo "<font size=2 face=\"Arial, Helvetica, sans-serif\">ADVERTENCIA: El arcvhio \""
            .$archivo_name."\" no ha podido enviarse.</font></div></td>";
    }
}


Do I have control on these 90 seconds? or is it a parameter of the server?
What can I do to solve this problem?

Ahead of time thank you very much,

Tom.





Re: [PHP] Upload files problems

2006-05-26 Thread André Medeiros

I believe that those 90 seconds start counting as soon as php starts
interpreting the request, ie. after getting the file and form, not
when it starts uploading.

The second one wouldn't make much sense.




Re: [PHP] str_replace(), and correctly positioned HTML tags

2006-05-26 Thread Jochem Maas

Dave M G wrote:

PHP list,



...

take a look at: http://textism.com/ especially the 'textism' stuff which if
nothing else might give you some good ideas about plain text markup for
conversion to HTML.



--
Dave M G






Re: [PHP] Why does this preg_replace function not work?

2006-05-26 Thread Robin Vickery

On 26/05/06, Dave M G [EMAIL PROTECTED] wrote:

I also tried str_replace(), but predictably that did not help. As far as
I understand it, it does not accept arrays.


It does, and you can do it with str_replace.



What am I doing wrong in the above code?

And can the two preg_replace() commands be achieved in one line?


They can, however you need to build the pattern properly.

<?php
// Build one pattern from the whitelist of tag names. preg_quote() escapes any
// regex meta-characters a tag name might contain, and the optional "/" inside
// the capture means [tag] and [/tag] both map onto <tag> and </tag>.
function to_html($content, $tags) {
    $regexp = '#\[(/?(' . join('|', array_map('preg_quote', $tags)) . '))\]#';
    return preg_replace($regexp, '<$1>', $content);
}

$tags = array ('h3', 'em', 'strong', 'hr');
$content = '[em] this [/em] is converted and [ignore] this [/ignore] is not.';

$content = to_html($content, $tags);
?>




[PHP] PHP Developer/Architect needed

2006-05-26 Thread Steve Turnbull
Hi

Firstly, I hope it is ok to post this type of message to the group, if
not, could you advise where I could look please...

We need a PHP developer to help create a system management interface.
The developer needs to be able to create/understand UML diagrams and
have an understanding of;

PHP5 (and OOP)
MySQL
LDAP v3
DNS
UML and programming design

We need to create a Management Interface which will administer various
mail, ldap, dns servers we have.

We are essentially a service provider to schools in the Yorkshire and
Humber region, and need this system to aid our support desk.

Ideally we are looking for a contractor in the Yorkshire/Humber area of
the UK, but we are not ruling out further afield.

If you are interested, please contact me - details below, and I will
provide a more detailed requirement...

Regards
Steve
-- 
Steve Turnbull

Digital Content Developer
YHGfL Foundation

e [EMAIL PROTECTED]
t 01724 275030

The YHGfL Foundation Disclaimer can be found at:
http://www.yhgfl.net/foundation-services/yhgfl-email-disclaimer/




Re: [PHP] Upload files problems

2006-05-26 Thread Rabin Vincent

On 5/25/06, Ryan Creaser [EMAIL PROTECTED] wrote:


See http://php.net/set_time_limit, although it might not work if your
host uses safe mode.


In addition to using set_time_limit, you'll probably also need to change
the value of the max_input_time option:
http://php.net/manual/en/ref.info.php#ini.max-input-time

Rabin

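A hardened form of the upload handler quoted in this thread, added here as an example rather than the poster's code: it reads the file from $_FILES instead of register_globals variables, validates it before move_uploaded_file(), and applies the two time limits Ryan and Rabin point at. The field name 'archivo', the destination directory and the size cap are assumptions.

```php
<?php
// Added example, not the code from the thread. Assumed: the form field is
// named 'archivo', files go to ./archivos_recibidos/, uploads over 2 MB are
// refused.

// max_input_time is spent receiving the request before the script starts,
// so it cannot be raised from here; it belongs in php.ini or .htaccess
// (max_input_time = 300). max_execution_time can be raised at runtime, as
// long as safe_mode does not block set_time_limit().
set_time_limit(300);

define('UPLOAD_DIR', dirname(__FILE__) . '/archivos_recibidos/');  // assumed
define('UPLOAD_MAX_BYTES', 2 * 1024 * 1024);                        // assumed

/**
 * Validate one entry of $_FILES and return the path it was stored at, or
 * false when the upload must be rejected.
 */
function store_upload($file) {
    // Incomplete or failed uploads are refused before the temp file is touched.
    if (!is_array($file) || !isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    if (!isset($file['size']) || $file['size'] > UPLOAD_MAX_BYTES) {
        return false;
    }
    // Only a file PHP itself received is accepted; a forged tmp_name is not.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // The client-supplied name is untrusted: keep a safe basename only, so no
    // directory component can steer the destination outside UPLOAD_DIR.
    $name = basename($file['name']);
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    if ($name === '' || $name[0] === '.') {
        return false;
    }
    // A unique prefix stops one upload from overwriting another.
    $dest = UPLOAD_DIR . uniqid('', true) . '_' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    // If UPLOAD_DIR sits under the document root, also disable script
    // execution for it in the web server or restrict the allowed extensions;
    // the name filter above does not stop a .php upload from being served.
    return $dest;
}

if (isset($_FILES['archivo'])) {
    $stored = store_upload($_FILES['archivo']);
    // The echoed name came from the client, so it is escaped for HTML.
    $shown = htmlspecialchars($_FILES['archivo']['name'], ENT_QUOTES, 'UTF-8');
    if ($stored !== false) {
        echo 'El archivo "' . $shown . '" ha sido transferido exitosamente.';
    } else {
        echo 'ADVERTENCIA: El archivo "' . $shown . '" no ha podido enviarse.';
    }
}
```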



Re: [PHP] Slow query-building function

2006-05-26 Thread Rabin Vincent

On 5/25/06, George Pitcher [EMAIL PROTECTED] wrote:

Last year I switched from using FileMaker Pro to MySQL. One of FileMaker's
quirks was that if, in a text field, you searched for say, 'free ass boo',
it would find any records with those three substrings in that field (in this
example, it's 'Free Association Books').

I want to have this quirkiness on my site, along with the option of adding +
or ! before substrings.


Have you considered using MySQL's full text or boolean search
features?


I've got it working using the following function:


It looks messy, and I didn't try to find out how exactly
it works, but I'll suggest some general improvements
that will speed it up.

If the speed improvements are not good enough, you
should rethink how the function works, maybe come
up with a different method using preg_replace and
regular expressions.


function sql_fltr($sql,$field,$input){
  $input = addslashes($input);
  if(strlen($input)>0){
    if(substr_count($input,"*")>0 || substr_count($input,"!")>0 ||
substr_count($input,"^")>0 || substr_count($input,"+")>0){


Don't use substr_count just to check if a character is
in a string. Use php.net/strpos.


  $output="";
/* search for substring conditions */
  $tempy = str_replace(" +","|+",str_replace(" !","|!",str_replace(
" *","|*",str_replace(" ^","|^",$input))));


Don't chain str_replace's. str_replace can also accept arrays
as parameters so you can do all that with just one call to
str_replace. php.net/str_replace.


  $temp = explode("|",$tempy);
  $i=0;
  while($i < sizeof($temp)){


Don't have the sizeof in the loop. This will count the array
in every iteration which will cause a performance hit. You
want something like:

$sz = sizeof($temp);
while ($i < $sz) {


if(substr($temp[$i],0,1)=="*"){
  $temp[$i]=" and ".$field." LIKE
'%".strim(str_replace("*","",$temp[$i]))."%'";


Since you're just removing the initial character, you
don't need to use str_replace for it. Use
substr($thestring, 1); instead. php.net/substr.

Same thing for the other cases below.


[snipped other cases]
}
$i++;
  }
  $output = strim(substr($output,0,strlen($output)-1));


You don't need to do strlen and then subtract one to remove
the last character. Just put a -1 for the length argument to
substr and it will do the same thing. php.net/substr.


  if(substr(strtolower(strim($output)),0,3)=='and'){


Didn't you create the and? If so, why do you need to
strtolower() it?


[stripped rest of code]


For the rest of the code, the same changes as above apply.


For info the strim() function combines ltrim() and rtrim().


Why? PHP has its own function to do that. php.net/trim.

--
Rabin Vincent
http://rab.in/

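The same FileMaker-style filter built the way Rabin's review points towards, added here as an example rather than George's function: tokens are parsed once, and the result is a parameterised WHERE fragment instead of addslashes()'d text concatenated into the SQL. Assumptions: a plain word and a +word both mean "must contain" and !word means "must not contain" (the thread does not spell the + semantics out); the table, column and connection details are placeholders; the database is MySQL, whose LIKE escape character is the backslash.

```php
<?php
// Added example, not the sql_fltr() function from the thread.

/**
 * Escape the characters that are wildcards inside a LIKE pattern, so that a
 * user typing '%' or '_' searches for them literally instead of matching
 * anything. Bound values are never parsed as SQL, so this is all that is
 * needed on top of the placeholder.
 */
function like_literal($word) {
    return strtr($word, array('\\' => '\\\\', '%' => '\\%', '_' => '\\_'));
}

/**
 * Parse the search string into array('sql' => ' AND (...)', 'params' => ...).
 * Blank input yields an empty fragment, i.e. no filtering at all.
 * $field must be a column name fixed in the code, never user input: it is
 * the only thing concatenated into the SQL.
 */
function substring_filter($field, $input) {
    $clauses = array();
    $params  = array();
    foreach (preg_split('/\s+/', trim($input)) as $token) {
        if ($token === '') {
            continue;
        }
        $prefix = $token[0];
        $word   = $token;
        if ($prefix === '+' || $prefix === '!') {
            $word = substr($token, 1);       // drop the operator, as suggested above
        }
        if ($word === '' || $word === false) {
            continue;                        // a bare '+' or '!' is ignored
        }
        $op = ($prefix === '!') ? 'NOT LIKE' : 'LIKE';
        $clauses[] = $field . ' ' . $op . ' ?';
        $params[]  = '%' . like_literal($word) . '%';
    }
    if (count($clauses) === 0) {
        return array('sql' => '', 'params' => array());
    }
    return array('sql'    => ' AND (' . implode(' AND ', $clauses) . ')',
                 'params' => $params);
}

// Constructed usage: three substrings that must all match and one that must
// not, where the user's '%' is searched for literally rather than as a wildcard.
$filter = substring_filter('title', 'free ass +boo !100%');
$sql = 'SELECT id, title FROM books WHERE 1=1' . $filter['sql'];

// Placeholder connection details; the values never touch the SQL text.
// $pdo  = new PDO('mysql:host=localhost;dbname=catalogue', 'user', 'pass');
// $stmt = $pdo->prepare($sql);
// $stmt->execute($filter['params']);
```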



Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread tedd


Mark:

When I started using includes (in another language, long long 
ago), I placed all my functions into one large file. However, I soon 
found that doing that led to one big include, which because of its 
size had its own problems.


So, thinking heuristically, I started dividing things into logical 
groups, like all dB operations into one include and all whatever 
into other whatever includes. This isn't original by any means, but 
is a good canonical approach. If you think about it, that's what 
classes are in OOP.


So, my advice is to divide your functions into logical groups that 
work for you.


As for disk IO times, I wouldn't be concerned, because whatever they 
are today (which is minor), tomorrow they will be even less.


tedd

--

http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread Mark Kelly
 At 9:02 AM +0100 5/26/06, Mark Kelly wrote:
 TIA in advance for any advice,

And thanks in arrears to all who responded.

Since there appears to be no compelling reason to go either way, and we 
already have subdivided include files for functions (to a limited extent) 
I've decided to go with a different file for each kind of data; ie. 
db_employees.inc, db_contacts.inc, db_products.inc etc. so I can load the 
ones that are relevant to the current page, not all 2 squillion funcs.

This was TBH my preference anyway, I just wanted to make sure that more 
experienced heads than mine didn't know of any compelling reasons for 
another method.

Thanks again for all the replies.

Mark




[PHP] weird characters problem

2006-05-26 Thread Angelo Zanetti

Hi all.

I have a situation where people enter values into a textfield which can include the 
following:

1 ! 2 @ 3 # 4 $ 5 % 6 ^ 7 & 8 * 9 ( 10 ) 11 ; 12 : 13 " 14 ' 15 ? 16 - 17 _ 18

now once they move to another page and then come back to the page where the 
textfield is I echo out the value they previously entered, from a session 
variable. When the values are saved in a session
variable I addslashes and when I echo I stripslashes, however because of the " 
double quote it screws up my page, because the textfield's value is escaped 
prematurely.



<input name="subject" type="text" class="textbox" id="subject4" value="<?php

if (isset($_SESSION['subject']))
    echo stripslashes($_SESSION['subject']);
?>" size="90" maxlength="250" onBlur="writeSubject();">

now I'm not sure how to display the results because if I set the value to either value='' or value="" and the actual value has a ' or a " respectively it's going to escape the value of the textfield and 
cause issues... are there any pointers or if someone can make a suggestion??


thanks..
--

Angelo Zanetti
Z Logic
www.zlogic.co.za
[c] +27 72 441 3355
[t] +27 21 469 1052
[f] +27 86 681 5885




Re: [PHP] weird characters problem

2006-05-26 Thread Jochem Maas

Angelo Zanetti wrote:


do this:

echo htmlentities($_SESSION['subject'], ENT_QUOTES);

stripslashes() and addslashes() are for dealing with the nightmare that is
known as 'magic quotes' - and are not to be used to escape output (there is
probably a caveat but I can't think of one).







Re: [PHP] weird characters problem

2006-05-26 Thread Angelo Zanetti


Jochem Maas wrote:


do this:

echo htmlentities($_SESSION['subject'], ENT_QUOTES);

stripslashes() and addslashes() are for dealing with the nightmare that is
known as 'magic quotes' - and are not to be used to escape output (there
is probably a caveat but I can't think of one).


thanks it works well but now say the user has entered: My "FIrst" book

it gets returned as My \"FIrst\" book is there a way for it to be returned as 
it was originally entered?

thanks again!

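The same text-field round trip with one escaping step in the right place, added as an example that is not code from Jochem's or Angelo's posts: the value is kept in the session exactly as typed and escaped only when it is written into the HTML attribute, so the quotes in My "FIrst" book neither break the markup nor come back with backslashes. It assumes the backslashes Angelo sees come from magic_quotes_gpc or the addslashes() call on the way in; the field and id names are the thread's.

```php
<?php
// Added example, not code from the thread. Assumed: the value arrives in
// $_POST['subject'] and any backslashes on it were added by magic_quotes_gpc
// or by addslashes() when it was stored.
session_start();

/**
 * Return a request value with the single layer of backslashes that
 * magic_quotes_gpc adds removed. Without this, every store/redisplay cycle
 * adds another layer, which is where My \"FIrst\" book comes from; with
 * htmlentities() alone the slashes are escaped faithfully, not removed.
 */
function request_value($name) {
    if (!isset($_POST[$name])) {
        return '';
    }
    $value = $_POST[$name];
    // get_magic_quotes_gpc() exists up to PHP 7.4; on later versions the
    // setting is gone and nothing has to be stripped.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/**
 * Render the text input with its value escaped for an attribute context.
 * ENT_QUOTES turns both " and ' into entities, so either quoting style is
 * safe, and & and < are escaped too, so the value can neither close the
 * attribute nor start a tag.
 */
function text_input_html($name, $id, $value) {
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input name="' . $name . '" type="text" class="textbox" id="' . $id . '"'
         . ' value="' . $escaped . '" size="90" maxlength="250" onBlur="writeSubject();">';
}

// On submit: store the raw value. No addslashes(): the session is not SQL,
// and escaping belongs to the output context, not to storage.
if (isset($_POST['subject'])) {
    $_SESSION['subject'] = request_value('subject');
}

// On redisplay: the browser decodes the entities, so the field shows the
// text exactly as it was typed, quotes included.
$subject = isset($_SESSION['subject']) ? $_SESSION['subject'] : '';
echo text_input_html('subject', 'subject4', $subject);
```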



Re: [PHP] str_replace(), and correctly positioned HTML tags

2006-05-26 Thread tedd

At 12:26 PM +0900 5/26/06, Dave M G wrote:

Tedd, Adam,

Thank you for your advice. While I'm very grateful for your advice, 
unfortunately, it seems that the core of what you suggest does not fit 
my situation.


First, with Adam's suggestion that I use <br /> instead of <p>. The 
output I am generating is akin to what csszengarden.com generates, 
so that I can have complete CSS control over page layout and style. 
<br /> tags are limited in their scope of design control as compared 
to <p> tags, so they are insufficient.


Second, with Tedd's advice that I place the variable without 
formatting within the HTML code. I apologize if I was unclear, as I 
seem to have given you the wrong impression. I am absolutely trying 
to separate content from design, which is why everything the user 
stores is in plain text, and all the formatting happens when it is 
displayed. None of the modifications which add HTML to the variable 
get put back into the database.


The only small formatting consideration that does get stored in the 
database are the simulated tags (eg: --++ for <h3>). I'm not totally 
thrilled about letting users create some formatting with simulated 
tags, but the trade off is for giving the users more flexibility. 
I'm following the same model as WikiMedia, SMF Forums, and other PHP 
based user input interfaces. And I am trying to be more strict and 
less expansive than they are.


I really am grateful for your advice, but it seems that I really do
need to find a way to create <p> tags around the text when it is
displayed.


But I definitely thank you for giving me something to think about, 
and also the tips on how to make my code more efficient.


It's my hope that someone can still steer me towards the ability to
get <p> tags surrounding paragraphs, and to be able to separate <h3>
and other tags from within those <p> tags.


--
Dave M G



Dave:

If you want to go that way, then I suggest that you place a preview 
page for the poster. Most people don't want to post something that's 
all screwed up and will take the time to fix it IF they are given the 
chance.


That way, the only real problem you have to deal with is what happens 
when someone enters something that isn't correct.


I might also suggest that there are functions that will help you sort 
out acceptable html from unacceptable html.


For example, strip_tags($text, '<p>'); will allow both <p> and </p>
tags, but will prohibit everything else.


If you want a more complete answer to your problem, you can use 
regular expressions to extract and manipulate tags, but it's complex.


A good read, and what appears to be a solution, can be found on pages
153-159 of PHP String Handling Handbook by Matt Wade et al published
by Wrox (ISBN 1-86100-835-X) in 2003.


I've looked for the download support files they claim to have, but found none.

http://support.apress.com/books.asp?bID=186100835&xs=0&Go=Select+Book

I've contacted one of the authors, let's see if he provides the code. 
If he does, I'll send it to you.


hth's.

tedd

--

http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] weird characters problem

2006-05-26 Thread Brad Bonkoski



Angelo Zanetti wrote:



Jochem Maas wrote:


Angelo Zanetti wrote:


Hi all.

I have a situation where people enter values into a textfield can 
include the following:


1 ! 2 @ 3 # 4 $ 5 % 6 ^ 7 & 8 * 9 ( 10 ) 11 ; 12 : 13 " 14 ' 15 ? 16
- 17 _ 18


now once the move to another page and then come back to the page 
where the textfield is I echo out the value they previously entered, 
from a session variable. When the values are saved in a session
variable I addslashes and when I echo I stripslashes, however 
because of the " double quote it screws up my page, because the
textfield's value is escaped prematurely.




<input name="subject" type="text" class="textbox" id="subject4"
value="<?php
if (isset($_SESSION['subject']))
    echo stripslashes($_SESSION['subject']);
?>" size="90" maxlength="250"
onBlur="writeSubject();">




do this:

echo htmlentities($_SESSION['subject'], ENT_QUOTES);

stripslashes() and addslashes() are for dealing with the nightmare
that is known as 'magic quotes' - and are not to be used to escape output
(there is probably a caveat but I can't think of one).



thanks it works well but now say the user has entered: My "FIrst" book

it gets returned as My \"FIrst\" book is there a way for it to be
returned as it was originally entered?


thanks again!


Read here...
http://us3.php.net/manual/en/security.magicquotes.php




[PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad




Re: [PHP] weird characters problem

2006-05-26 Thread Jochem Maas

the problem you have is that the data in the DB is slightly borked
(something that occurred/occurs at the time it's first entered into the DB).

read the section of the manual that Brad pointed out in his reply to learn
about what is going on, how to do it properly, etc - but in the short term it
looks like you'll have to run stripslashes() on the data before running it
through htmlentities();

Angelo Zanetti wrote:

...




thanks it works well but now say the user has entered: My "FIrst" book

it gets returned as My \"FIrst\" book is there a way for it to be
returned as it was originally entered?


thanks again!



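An added example in PHP, not code from the thread, showing the split that Jochem's replies point at: undo magic quotes once on input, and escape with htmlentities(..., ENT_QUOTES) at output. The function names and the UTF-8 charset are this example's assumptions.

```php
<?php
// Added example, not code from the thread: where the stripping and the
// escaping belong for the subject field. Slashes are removed once, on
// input and only if magic quotes added them; the value is escaped for the
// HTML attribute context at the moment it is printed. Function names and
// the UTF-8 charset are assumptions of this example.

// Undo magic_quotes_gpc if, and only if, it is on. stripslashes() on a
// value that was never slashed would also eat backslashes the user typed.
// get_magic_quotes_gpc() is gone from PHP 8, hence the function_exists().
function from_request(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape for an attribute value. ENT_QUOTES is what matters: without it a
// " in the text terminates value="" early, which is the breakage in the
// thread; with it both " and ' become entities.
function attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// The field from the thread, rendered from a value that has already been
// normalised on the way in (so no stripslashes() at output time).
function subject_field(?string $subject): string
{
    return '<input name="subject" type="text" class="textbox" id="subject4"'
         . ' value="' . attr($subject ?? '') . '" size="90" maxlength="250"'
         . ' onBlur="writeSubject();">';
}

// Check that the escaping is lossless: what a browser decodes from the
// attribute is exactly what the user typed, quotes included.
function survives_attribute(string $value): bool
{
    return html_entity_decode(attr($value), ENT_QUOTES, 'UTF-8') === $value;
}

// Constructed input: the text from the thread, as the user typed it.
$typed = 'My "FIrst" book: 1 ! 2 @ 3 # 4 $ 5 % 6 ^ 7 & 8 * 9 ( 10 ) 11 ; 12 : 13 " 14 \' 15 ? 16 - 17 _ 18';

$subject = from_request($typed);   // this is what belongs in $_SESSION['subject']
echo subject_field($subject), "\n";
var_dump(survives_attribute($typed));
```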



Re: [PHP] str_replace(), and correctly positioned HTML tags

2006-05-26 Thread Jochem Maas

with regard to clean HTML - check out the tidy extension - it can do wonders
with crufty output.

http://php.net/tidy

tedd wrote:

At 12:26 PM +0900 5/26/06, Dave M G wrote:


Tedd, Adam,

Thank you for your advice. While I'm very grateful for your advice, 
unfortunately, it seems that the core of what you suggest do not fit 
my situation.


First, with Adam's suggestion that I use <br /> instead of <p>. The
output I am generating is akin to what csszengarden.com generates, so
that I can have complete CSS control over page layout and style. <br
/> tags are limited in their scope of design control as compared to
<p> tags, so they are insufficient.


Second, with Tedd's advice that I place the variable without 
formatting within the HTML code. I apologize if I was unclear, as I 
seem to have given you the wrong impression. I am absolutely trying to 
separate content from design, which is why everything the user stores 
is in plain text, and all the formatting happens when it is displayed. 
None of the modifications which add HTML to the variable get put back 
into the database.


The only small formatting consideration that does get stored in the
database are the simulated tags (eg: --++ for <h3>). I'm not totally
thrilled about letting users create some formatting with simulated 
tags, but the trade off is for giving the users more flexibility. I'm 
following the same model as WikiMedia, SMF Forums, and other PHP based 
user input interfaces. And I am trying to be more strict and less 
expansive than they are.


I really am grateful for your advice, but it seems that I really do
need to find a way to create <p> tags around the text when it is
displayed.


But I definitely thank you for giving me something to think about, and 
also the tips on how to make my code more efficient.


It's my hope that someone can still steer me towards the ability to
get <p> tags surrounding paragraphs, and to be able to separate <h3>
and other tags from within those <p> tags.


--
Dave M G




Dave:

If you want to go that way, then I suggest that you place a preview 
page for the poster. Most people don't want to post something that's all 
screwed up and will take the time to fix it IF they are given the chance.


That way, the only real problem you have to deal with is what happens 
when someone enters something that isn't correct.


I might also suggest that there are functions that will help you sort 
out acceptable html from unacceptable html.


For example, strip_tags($text, '<p>'); will allow both <p> and </p>
tags, but will prohibit everything else.


If you want a more complete answer to your problem, you can use regular 
expressions to extract and manipulate tags, but it's complex.


A good read, and what appears to be a solution, can be found on pages
153-159 of PHP String Handling Handbook by Matt Wade et al published by
Wrox (ISBN 1-86100-835-X) in 2003.


I've looked for the download support files they claim to have, but found 
none.


http://support.apress.com/books.asp?bID=186100835&xs=0&Go=Select+Book

I've contacted one of the authors, let's see if he provides the code. If 
he does, I'll send it to you.


hth's.

tedd



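An added example, not Dave's or tedd's code: a renderer that produces the <p> and <h3> markup at display time from the stored plain text, escaping the text first so the user's content can never become tags, with tedd's strip_tags() allow-list as a final check. It assumes that '--++' at the start of a line marks an <h3> and that a blank line separates paragraphs.

```php
<?php
// Added example, not Dave's or tedd's code: build the <p> and <h3> markup
// at display time from the plain text in the database. The '--++' marker
// comes from the thread; reading it as a line prefix that means <h3> is an
// assumption of this example, as is the blank-line paragraph separator.

function render_text(string $text): string
{
    // Escape before adding any tags: what the user typed is data, so a
    // literal <script> or <b> in the stored text comes out as text.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    $html = '';
    // A paragraph is a run of lines separated from the next by a blank line.
    foreach (preg_split('/\R[ \t]*\R/', trim($safe)) as $block) {
        $lines = preg_split('/\R/', trim($block));
        // A heading line at the top of a block is lifted out in front of the
        // paragraph, so no <h3> ever lands inside a <p>.
        if (strpos($lines[0], '--++') === 0) {
            $heading = trim(substr(array_shift($lines), 4));
            $html .= '<h3>' . $heading . "</h3>\n";
        }
        // Whatever remains is the paragraph; inner line breaks become <br />.
        $lines = array_filter($lines, fn($l) => $l !== '');
        if ($lines) {
            $html .= '<p>' . implode("<br />\n", $lines) . "</p>\n";
        }
    }
    return $html;
}

// tedd's strip_tags() allow-list, applied to the rendered output as a last
// check that only the three elements this renderer emits are present.
function only_allowed_tags(string $html): bool
{
    return strip_tags($html, '<p><h3><br>') === $html;
}

// Constructed sample of stored text: a heading marker, a two-line
// paragraph and a second paragraph in which the user typed raw HTML.
$stored = "--++ Chapter one\nFirst line of the paragraph.\nSecond line.\n\n"
        . "Second paragraph, where the user typed <b>bold</b> by hand.";

$html = render_text($stored);
echo $html;
var_dump(only_allowed_tags($html));
```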



Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread Mark Kelly
On Friday 26 May 2006 14:56, Matt Carlson wrote:
 One note on include files.  Usually it's best practice to not name them
 .inc

 Name them .inc.php so that they cannot be opened by a webbrowser, thus
 giving more information to a potential attacker.

Is this still a concern when all include files are stored outside the 
webroot (and thus in theory not directly accessible) anyway?

 Just my $.02

And much appreciated it is too - I'd *far* rather have too much advice than 
not enough - especially where security is concerned.

Mark




Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?


if this is about escaping single quotes (and there may be other stuff that needs
escaping - stuff I can't think of right now - stuff that may or may not be
related to the encoding one is using [e.g. unicode]) then one should be
escaping single quotes with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.


-Brad






Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:


All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have 
a *real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?



if this is about escaping single quotes (and there may be other stuff
that needs escaping - stuff I can't think of right now - stuff that may
or may not be related to the encoding one is using [e.g. unicode]) then
one should be escaping single quotes with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.

Understood what the escape character needs to be...the question is the
best way to get it there?

Currently I have:
magic_quotes_sybase = On
so a function call like addslashes() would actually escape single quotes
with another single quote...

Is there a better/more secure way?


-Brad








Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?


looking at the manual I would assume that ora_bind() is the best way of safely
stuffing things into an oracle DB:

http://php.net/manual/en/function.ora-bind.php

if this function is of any worth it *should* be doing any/all proper escaping of
data 'under water' and hopefully much more thoroughly/correctly than anything
you/we could do in userland.

<remark type="biased">
of course you could use firebird DB (php5 interbase extension) and just make
use of the built in parameterized query functionality - which is simple to use,
doesn't require endless reams of parameter binding declaration and is rock solid
(i.e. no matter how crap my input filtering is SQL injection remains impossible ;-))
</remark>

It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad






Re: [PHP] weird characters problem

2006-05-26 Thread Angelo Zanetti



Angelo Zanetti
Z Logic
www.zlogic.co.za
[c] +27 72 441 3355
[t] +27 21 469 1052
[f] +27 86 681 5885

Jochem Maas wrote:

the problem you have is that the data in the DB is slightly borked
(something that occurred/occurs at the time it's first entered into the
DB).


read the section of the manual that Brad pointed out in his reply to learn
about what is going on, how to do it properly, etc - but in the short term
it looks like you'll have to run stripslashes() on the data before running
it through htmlentities();

Angelo Zanetti wrote:

...




thanks it works well but now say the user has entered: My "FIrst" book

it gets returned as My \"FIrst\" book is there a way for it to be
returned as it was originally entered?


thanks again!






thanks guys will check it out




Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:



Jochem Maas wrote:



...



Understood what the escape character needs to be...the question is the
best way to get it there?

Currently I have:
magic_quotes_sybase = On


this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

so a function call like addslashes() would actually escape single quotes 
with another single quote...




Is there a better/more secure way?


my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning) according to
the context the data is being used in (e.g. DB insertion as per this discussion)

if/when trying to write truly portable code you will have to have routines
that check the actual magic quotes settings and depending on the actual
values/settings normalize your data accordingly... which can be a right PITA
to do properly :-)




-Brad










Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:




Jochem Maas wrote:



...



Understood what the escape character needs to be...the question is
the best way to get it there?

Currently I have:
magic_quotes_sybase = On



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


-and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


so a function call like addslashes() would actually escape single 
quotes with another single quote...





Is there a better/more secure way?



my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning)
according to the context the data is being used in (e.g. DB insertion
as per this discussion)


if/when trying to write truly portable code you will have to have
routines that check the actual magic quotes settings and depending on
the actual values/settings normalize your data accordingly... which can
be a right PITA to do properly :-)


Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! 
I will test out the ora_bind function to see if that does escaping for 
me, but that is a PITA!  especially with large queries...


What about your firebird suggestion, does this work well with Oracle 
connections and queries? 






-Brad












[PHP] Best way to handle multiple snmpgets

2006-05-26 Thread Pavleck, Jeremy D.
 Greetings,
I'm creating a more or less 'dashboard' where people can enter the
server name, then I'll snmpget a bunch of different oids and show the
status of the device.

Now the problem is snmpget doesn't allow multiple OIDs in one go, so I
have to snmpget(server, community, oid1);, snmpget(server, community,
oid2);, snmpget(server, community, oid3);, etc etc.

I can't always use snmpwalkoid(), especially on really long trees where
I only need 4-5 different items. 

So how would you handle this? An array of OIDs and a foreach? Just
curious as to what people suggest, as I'm very new to PHP but.. Oddly
falling in love with it fast.

Also, another question since I'm on the topic.

If I know that an snmpwalkoid will always return a set number of values,
I make an array with my 'table of contents' and then use array_combine
to take the keys from my ToC with the values from the returned walk.
Now, with certain things (Like the Compaq logical disk oids) it will
return a varied amount of things, such as 2 logical drives, 3 logical
drives, etc.

Now, would it work if I did something like this? 
Create my 'table of contents' key array, Snmpwalkoid(), then move
through both at once and dump it to a new array:
Since the key from the snmpwalkoid() is the OID, I'd have my ToC matched
against the key in the walk array and essentially do string matching
So if .cpqDaPhyDrvModel.0.128 is found, it puts "Drive Model: " as the
key then it looks at the next OID in the array and sees it is
.cpqDaPhyDrvModel.0.129, so it puts it in as "Drive Model 2: ".

I hope you guys are getting this. It's so clear in my head!
I'm telling you, I use a half dozen languages here because I have to, as
glue between systems, and the 2 things that always get me are arrays and
map/hashes. Some day I hope to figure this out!
 

Jeremy Pavleck 
Sr. Network Engineer  - Systems Management 
IT Networks and Infrastructure 
Capella University




Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:





...



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


-and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


consider this a reminder to myself to RTFM. ;-)

...




Is there a better/more secure way?




...



Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! I will test out the ora_bind 
function to see if that does escaping for me, but that is a PITA!  
especially with large queries...


indeed - probably worth the time to write some kind of generic routine to
do the binding based on field datatypes etc - then again that probably will cost
you performance... you know the saying you can't have your cake and eat it



What about your firebird suggestion, does this work well with Oracle 
connections and queries?




no my firebird suggestion only works at all when connecting to firebird 
databases. :-)
but when you do connect to a firebird db it works very well indeed ;-)

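An added example in PHP, not code from the thread, putting the two routes discussed in it side by side: Jochem's quote-doubled literal and a bind variable. It assumes the oci8 functions (oci_parse, oci_bind_by_name, oci_execute) as the current Oracle extension in place of the ora_bind() he links to, and opens no connection, so only the literal form runs here.

```php
<?php
// Added example, not code from the thread: the two routes to getting a
// single quote into an Oracle statement that the thread compares. The
// oci8 functions (oci_parse, oci_bind_by_name, oci_execute) are assumed
// as the current Oracle extension, standing in for the ora_bind() Jochem
// links to; no connection is opened here, so only the literal form runs.

// Oracle string literal: embedded single quotes are doubled, the same
// rewrite magic_quotes_sybase performs. Use only when a value really must
// be spliced into SQL text; it says nothing about other contexts (LIKE
// patterns, identifiers), so it is not a general escaping routine.
function oracle_literal(?string $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    return "'" . str_replace("'", "''", $value) . "'";
}

// Detect the double-escaping trap from the thread: if magic_quotes_sybase
// is on together with magic_quotes_gpc or magic_quotes_runtime, request
// data already arrives with quotes doubled and must not be escaped again.
// On PHP 8 these ini settings no longer exist and ini_get() returns false.
function request_data_is_pre_escaped(): bool
{
    return (bool) ini_get('magic_quotes_sybase')
        && ((bool) ini_get('magic_quotes_gpc') || (bool) ini_get('magic_quotes_runtime'));
}

// Preferred route: a bind variable. The driver sends the value separately
// from the SQL text, so no quoting happens in PHP at all. Table and column
// names cannot be bound and must come from code, never from request input.
// $conn is a connection from oci_connect(); the names are placeholders.
function update_field_bound($conn, string $table, string $field, int $id, ?string $value): bool
{
    $stmt = oci_parse($conn, "UPDATE {$table} SET {$field} = :val WHERE id = :id");
    oci_bind_by_name($stmt, ':val', $value);
    oci_bind_by_name($stmt, ':id', $id);
    return oci_execute($stmt);
}

// Offline demonstration of the literal form, using the value from the thread.
echo 'UPDATE blatable SET blafield = ' . oracle_literal("my 'blablabla'") . ";\n";
var_dump(request_data_is_pre_escaped());
```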



Re: [PHP] Best way to handle multiple snmpgets

2006-05-26 Thread Jochem Maas

Pavleck, Jeremy D. wrote:

 Greetings,
I'm creating a more or less 'dashboard' where people can enter the
server name, then I'll snmpget a bunch of different oids and show the
status of the device.

Now the problem is snmpget doesn't allow multiple OIDs in one go, so I
have to snmpget(server, community, oid1);, snmpget(server, community,
oid2);, snmpget(server, community, oid3);, etc etc.

I can't always use snmpwalkoid(), especially on really long trees where
I only need 4-5 different items. 


So how would you handle this? An array of OIDs and a foreach? Just


using an array of OIDs and a foreach loop would make for a nice compact bit
of code. seems reasonable to do given that snmpget() seems to be a blocking
function.


curious as to what people suggest, as I'm very new to PHP but.. Oddly
falling in love with it fast.

Also, another question since I'm on the topic.

If I know that an snmpwalkoid will always return a set number of values,
I make an array with my 'table of contents' and then use array_combine
to take the keys from my ToC with the values from the returned walk.
Now, with certain things (Like the Compaq logical disk oids) it will
return a varied amount of things, such as 2 logical drives, 3 logical
drives, etc.

Now, would it work if I did something like this? 
Create my 'table of contents' key array, Snmpwalkoid(), then move

through both at once and dump it to a new array:
Since the key from the snmpwalkoid() is the OID, I'd have my ToC matched
against the key in the walk array and essentially do string matching
So if .cpqDaPhyDrvModel.0.128 is found, it puts "Drive Model: " as the
key then it looks at the next OID in the array and sees it is
.cpqDaPhyDrvModel.0.129, so it puts it in as "Drive Model 2: ".


the answer to your second question is most probably - I can't say for sure
because I don't fully grok the question ... but I do know that php arrays are
very very flexible in their nature so the chances that they can do what you
want is quite high :-)



I hope you guys are getting this. It's so clear in my head!
I'm telling you, I use a half dozen languages here because I have to, as
glue between systems, and the 2 things that always get me are arrays and
map/hashes. Some day I hope to figure this out!


the thing to remember about php arrays is that they are arrays in the classic
sense BUT at the same time they are also hashes (in the sense that you may be
used to in languages such as perl) - numeric keys and associative keys can be
mixed and matched as and when you like it.  the one caveat is that php will
auto cast numeric strings into numeric keys so that the following 2 are
equivalent:

$r = array(1 => "test");
$r = array("1" => "test");

---

mix'n'match array key types:

$r = array("foo", "bar", "qux", "a" => "foo", "b" => "bar", "c" => "qux");
var_dump($r);

hint: you get an array with 6 items in it!


HTH

 

Jeremy Pavleck 
Sr. Network Engineer  - Systems Management 
IT Networks and Infrastructure 
Capella University




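An added example, not Jeremy's or Jochem's code: the array-of-OIDs foreach for scalar values, and a labelling pass over an snmpwalkoid()-style array that numbers repeated instances the way Jeremy describes. The walk data, host name and stand-in getter are constructed so it runs without an SNMP agent.

```php
<?php
// Added example, not code from the thread: the 'array of OIDs and a
// foreach' for scalar values, and a labelling pass over snmpwalkoid()-style
// output that copes with a varying number of instances. The walk data and
// the fake getter are constructed so this runs without an SNMP agent; in
// the real thing $walk comes from snmpwalkoid() and $get is 'snmpget'.

// Fetch a handful of scalar OIDs. $get takes (host, community, oid), the
// snmpget() signature, so the real function drops in unchanged.
function get_many(string $host, string $community, array $oids, callable $get): array
{
    $out = [];
    foreach ($oids as $label => $oid) {
        $value = $get($host, $community, $oid);
        // snmpget() returns false on timeout or a missing OID; keep that
        // visible as null rather than silently dropping the entry.
        $out[$label] = $value === false ? null : $value;
    }
    return $out;
}

// Turn OID => value pairs into label => value pairs using a 'table of
// contents' of OID prefix => label. The first instance under a prefix gets
// the bare label, later ones are numbered, matching the 'Drive Model: ' /
// 'Drive Model 2: ' scheme described in the thread. OIDs with no entry in
// the ToC are skipped.
function label_walk(array $walk, array $toc): array
{
    $out = [];
    $seen = [];   // instances seen per prefix so far
    foreach ($walk as $oid => $value) {
        foreach ($toc as $prefix => $label) {
            // The prefix must be followed by an instance suffix, so that
            // .cpqDaPhyDrvModel does not also match .cpqDaPhyDrvModelX.
            if (strpos($oid, $prefix . '.') !== 0) {
                continue;
            }
            $n = $seen[$prefix] = ($seen[$prefix] ?? 0) + 1;
            $key = $n === 1 ? "$label: " : "$label $n: ";
            $out[$key] = $value;
            break;
        }
    }
    return $out;
}

// Constructed walk result in snmpwalkoid() shape (OID => value); the
// values are placeholders, not real device output.
$walk = [
    '.cpqDaPhyDrvModel.0.128'  => 'MODEL-A',
    '.cpqDaPhyDrvModel.0.129'  => 'MODEL-B',
    '.cpqDaPhyDrvStatus.0.128' => '2',
    '.cpqDaPhyDrvStatus.0.129' => '2',
    '.cpqDaPhyDrvSize.0.128'   => '70007',
];
$toc = [
    '.cpqDaPhyDrvModel'  => 'Drive Model',
    '.cpqDaPhyDrvStatus' => 'Drive Status',
];
print_r(label_walk($walk, $toc));

// Canned stand-in for snmpget(); pass 'snmpget' here against a live device.
$fake = fn(string $host, string $community, string $oid) => "value of $oid on $host";
print_r(get_many('server1', 'public', ['Uptime' => 'sysUpTime.0', 'Name' => 'sysName.0'], $fake));
```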



[PHP] anti SQL injection method in php manual.

2006-05-26 Thread Dotan Cohen

In the php manual:
http://www.php.net/manual/en/function.mysql-real-escape-string.php

The following method is suggested:
<?php
// Quote variable to make safe
function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
    quote_smart($_POST['username']),
    quote_smart($_POST['password']));

mysql_query($query);
?>

What is the purpose of the sprintf? If it were using %d on integers I
could see the point, but as we're talking about %s strings, what is
the advantage to using sprintf? How does this differ from:
$query = "SELECT * FROM users WHERE user=".$_POST['username']." AND password=".$_POST['password'];

Dotan Cohen
http://linux-apache-mysql-php.org
23


Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread Jochem Maas

Mark Kelly wrote:

On Friday 26 May 2006 14:56, Matt Carlson wrote:


One note on include files.  Usually it's best practice to not name them
.inc

Name them .inc.php so that they cannot be opened by a webbrowser, thus
giving more information to a potential attacker.



Is this still a concern when all include files are stored outside the 
webroot (and thus in theory not directly accessible) anyway?


in practice this would no longer be a concern - but using inc.php makes the file
instantly recognizable as a php file by the guy that will be doing your work in
5 years time ;-) and if ever you move the files somewhere inside the webroot (or
someone else happens to make an apache alias that makes them available) then
you're still safe :-)

besides .inc.php seems to be/becoming a sort of defacto std (no need for
filenaming jihad people ;-)





Just my $.02



And much appreciated it is too - I'd *far* rather have too much advice than 
not enough - especially where security is concerned.


always look both ways when crossing the street. ;-)



Mark






Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread Jochem Maas

Mark Kelly wrote:

At 9:02 AM +0100 5/26/06, Mark Kelly wrote:


TIA in advance for any advice,



And thanks in arrears to all who responded.

Since there appears to be no compelling reason to go either way, and we 
already have subdivided include files for functions (to a limited extent) 
I've decided to go with a different file for each kind of data; ie. 
db_employees.inc, db_contacts.inc, db_products.inc etc. so I can load the 
ones that are relevant to the current page, not all 2 squillion funcs.


seems like a sane compromise between performance and maintainability -
pretty much what I would go for too.

I would suggest, as someone else has, considering refactoring your functions
into classes (even though you may only be using the classes as namespaces - i.e.
calling methods statically) because it means you lessen the possibility of
function name conflicts ... it's always recommended practice to avoid polluting
the global namespace whenever/where-ever possible.

using objects (or even just classes if you're using php5) means you can avoid
having global declarations at the top of each function for things like db
connections - instead you can store such resources/stuff as properties of the
object/class - again avoiding coding a few extra lines AND at the same time
polluting the global namespace a little less.



This was TBH my preference anyway, I just wanted to make sure that more 
experienced heads than mine didn't know of any compelling reasons for 
another method.


Thanks again for all the replies.

Mark






Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Brad Bonkoski



Dotan Cohen wrote:


In the php manual:
http://www.php.net/manual/en/function.mysql-real-escape-string.php

The following method is suggested:
<?php
// Quote variable to make safe
function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
    quote_smart($_POST['username']),
    quote_smart($_POST['password']));

mysql_query($query);
?>

What is the purpose of the sprintf? If it were using %d on integers I
could see the point, but as we're talking about %s strings, what is
the advantage to using sprintf? How does this differ from:
$query = "SELECT * FROM users WHERE user=".$_POST['username']." AND password=".$_POST['password'];

Dotan Cohen
http://linux-apache-mysql-php.org
23



Well they are passing the result of the quote_smart function into the 
string.

so it would be the same as say:
$user = quote_smart($_POST['username']);
$pass = quote_smart($_POST['password']);
$query = "select * from users where user=$user and password=$pass";

Your query would not use the quote_smart() function, as well as be wrong
if those values were strings

-Brad

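An added example, not the manual's or Brad's code: quote_smart() rebuilt on PDO so it runs offline against an in-memory SQLite table, beside the prepared-statement form that Jochem calls parameterized queries. The table layout and the sample row are constructed.

```php
<?php
// Added example, not code from the thread or the manual: the manual's
// quote_smart() idea rebuilt on PDO so it runs offline (in-memory SQLite),
// beside the prepared-statement form that needs no escaping at all. The
// table layout and sample row are constructed.

function quote_smart(PDO $db, $value): string
{
    // Undo magic_quotes_gpc first, as the manual does; otherwise the value
    // is escaped twice. The function no longer exists on PHP 8.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Numbers go in bare; everything else is quoted and escaped by the
    // driver, which knows the connection's character set (the reason the
    // manual prefers mysql_real_escape_string() over addslashes()).
    if (is_numeric($value)) {
        return (string) $value;
    }
    return $db->quote((string) $value);
}

// Dotan's question: sprintf() here is only string assembly. Concatenation
// would be just as safe with quote_smart(), and just as unsafe without it.
function find_user_escaped(PDO $db, string $user, string $pass): ?array
{
    $sql = sprintf('SELECT id, user FROM users WHERE user=%s AND password=%s',
                   quote_smart($db, $user), quote_smart($db, $pass));
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Jochem's parameterized route: the value never touches the SQL text, so
// there is nothing to escape and no magic-quotes state to second-guess.
function find_user_prepared(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT id, user FROM users WHERE user=? AND password=?');
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)');
// Constructed row; the name with the apostrophe is the one the manual uses.
// A real application stores a password hash here, never the password.
$db->prepare('INSERT INTO users (user, password) VALUES (?, ?)')
   ->execute(["O'reilly", 'example-secret']);

var_dump(find_user_escaped($db, "O'reilly", 'example-secret'));
var_dump(find_user_prepared($db, "O'reilly", 'example-secret'));
var_dump(find_user_escaped($db, "O'reilly", 'wrong'));
```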



Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Satyam
- Original Message - 
From: Dotan Cohen [EMAIL PROTECTED]




// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
  quote_smart($_POST['username']),
  quote_smart($_POST['password']));

mysql_query($query);
?

What is the purpose of the sprintf?


Can't see any reason for that.

I don't know if I already posted this on this list or perhaps in the Spanish 
one, but below I'm copying my SQL building function, like an sprintf but for 
SQL.


Notice it assumes a global variable $table_prefix that is meant for 
customized table prefixes, to avoid conflicts with existing applications.


Depending on the font and line length, it will be broken in many parts.  The
arrows showing the different parts of the regular expression point anywhere,
but should be fine if shown in a fixed pitch font.


Satyam


/**
 *  Builds a properly formatted and escaped SQL statement using an SQL template and a list of arguments.
 *
 *  The function scans the template for query marks ? which are placeholders for the arguments.
 *  Query marks are to be followed by format descriptors.
 *
 *  The first argument, the template, is mandatory.  If the template contains no query marks
 *  and no argument is given, the function does nothing.
 *
 *  Placeholders have the following format and are not case sensitive:
 *
 *  <b>?[nn][m]t</b>
 *
 *  Where:
 *
 *  <b>?</b> Beginning of placeholder for argument
 *
 *  <b>nn - <i>position</i></b> number of the argument to be replaced.
 *  Argument 0 is the template itself and is not valid.
 *   The first argument after the SQL template is number 1
 *   If no number is given, arguments are taken sequentially.
 *  Numbered replacements do not move the sequential argument pointer.
 *  Arguments beyond the actual number present are considered null
 *
 *  <b>m - <i>modifier</i></b> [optional] indicates what to do if the argument is null
 *  - m: mandatory, if the argument contains null, it will give a fatal error.
 *  - n: null, if the argument is 0 or an empty string, it will be replaced by null
 *
 *  <b>t - <i>data type</i></b> the placeholder will be replaced by the argument as follows
 *  - s: string, if not null, it will be escaped and enclosed in quotes
 *  - i: integer, the integer value (intval() function) of the argument
 *  - f: float, the floating point value (floatval() function) of the argument
 *  - d: date, the argument will be assumed to represent a timestamp and it will be converted to yyyy-mm-dd and quoted
 *  - b: boolean, anything evaluated to false will be 0, otherwise 1
 *  - t: table prefix, the value of the global variable <i>$table_prefix</i>, escaped and unquoted
 *   It takes no argument from the argument list
 *
 *  Example:
 *  <code>
 *  echo BuildSql('Insert into ?ttable (?s,?ns,?mi,?d,?ni,?i)','Something','',5,time(),0,null);
 *  </code>
 *  will return:
 *  <pre>
 *  Insert into wp_table ('Something',null,5,'2006-05-15',null,0)
 *  </pre>
 *
 *  Note that placeholders do not need to be quoted, if quotes are required (strings or dates) they will be provided
 *
 *  @param string $query Template of SQL statement
 *
 *  @param mixed $value,... Values to be replaced into placeholders, sequentially unless stated otherwise
 *
 *  @return string properly formatted and escaped SQL statement
 *
 *  The function will trigger a fatal error if an unknown formatting character is found.
 *  Unused arguments will produce warnings.
 *  Missing arguments will be assumed null and will trigger a fatal error
 *    if the placeholder has the mandatory modifier m.
 *  There is no provision to put a literal ? into the SQL statement since the ? is not a valid SQL operator,
 *    the only valid place for query marks are in literal string constants, which can be passed to this
 *    function in an argument
 */

$table_prefix = 'wp_';

echo BuildSql('Insert into ?ttable (?s,?ns,?mi,?d,?ni,?i)','Something','',5,time(),0,null);


function BuildSql($query) {
    global $table_prefix;

    $num_args = func_num_args();        // number of arguments available
    $args_used = (1 << $num_args) - 2;  // bit mask to check if arguments are used

    /*                   +-Anything up to first query mark
                         |       +-- query mark, start of placeholder
                         |       |  + position of argument
                         |       |  |       +- modifier
                         |       |  |       |      +--- data type
                         |       |  |       |      |             */
    if (preg_match_all('|([^\?]*)(\?(\d?\d)?([mn]?)([sifdbt])?)*|i', $query, $matches, PREG_SET_ORDER)) {

        $arg_pointer = 1;   // sequential pointer to arguments
        $s = '';            // output SQL statement
        foreach ($matches as $match) {
            $NullIfEmpty = false;
            $s .= $match[1];                // concatenate everything up to question mark
            $type = strtolower($match[5]);  // read datatype

            // read the value of the argument
            if ($type == 't') {
                $value = $table_prefix;     // t is a special case, it takes no argument from the list
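Satyam's function is cut off mid-body in the archive. The block below is an added example, not Satyam's code, implementing the placeholder grammar his docblock describes (`?[nn][m]t` with types s, i, f, d, b, t and modifiers m and n) with preg_replace_callback; it also serves the sprintf/quote_smart discussion earlier in this thread, since it is the same idea of keeping user values out of the statement text. The escaper is a stand-in (an assumption of this example) so the file runs without a database; the `wp_` prefix and the sample call follow the docblock, with a fixed timestamp in place of time().

```php
<?php
// Added example, not Satyam's BuildSql: a compact implementation of the
// placeholder grammar his docblock describes, written with preg_replace_callback.
// sql_escape_stub() is a stand-in so this runs without a database; a real
// build would call the driver's escaper (mysqli_real_escape_string) or,
// better, use prepared statements and not build SQL strings at all.

// Stand-in for the driver escaper (assumption of this example only).
function sql_escape_stub(string $value): string
{
    return str_replace(["\\", "'"], ["\\\\", "''"], $value);
}

// $args[0] is placeholder argument 1, as in the docblock's numbering.
function build_sql(string $template, array $args, string $table_prefix = 'wp_'): string
{
    $next = 0;      // sequential argument pointer (index into $args)
    $used = [];     // indices consumed, to report unused arguments
    $pattern = '/\?(\d{1,2})?([mn])?([sifdbt])/i';

    $sql = preg_replace_callback($pattern, function (array $m) use ($args, $table_prefix, &$next, &$used): string {
        $type = strtolower($m[3]);
        if ($type === 't') {                         // ?t takes no argument
            return sql_escape_stub($table_prefix);
        }
        $mod = strtolower($m[2]);
        // Numbered placeholders do not move the sequential pointer.
        $index = ($m[1] !== '') ? (int) $m[1] - 1 : $next++;
        if ($index < 0) {
            throw new InvalidArgumentException('argument 0 is the template itself');
        }
        $used[$index] = true;
        $value = $args[$index] ?? null;              // missing arguments are null

        if ($mod === 'm' && $value === null) {
            throw new InvalidArgumentException('argument ' . ($index + 1) . ' is mandatory');
        }
        if ($mod === 'n' && ($value === 0 || $value === '' || $value === '0')) {
            return 'null';
        }
        switch ($type) {
            case 's': return $value === null ? 'null' : "'" . sql_escape_stub((string) $value) . "'";
            case 'd': return $value === null ? 'null' : "'" . gmdate('Y-m-d', (int) $value) . "'";
            case 'i': return (string) intval($value);
            case 'f': return (string) floatval($value);
            default:  return $value ? '1' : '0';     // 'b'
        }
    }, $template);

    foreach (array_keys($args) as $i) {
        if (!isset($used[$i])) {
            trigger_error('argument ' . ($i + 1) . ' was not used', E_USER_WARNING);
        }
    }
    return $sql;
}

// The docblock's own example, with a fixed timestamp in place of time().
echo build_sql(
    'Insert into ?ttable (?s,?ns,?mi,?d,?ni,?i)',
    ['Something', '', 5, gmmktime(12, 0, 0, 5, 15, 2006), 0, null]
), "\n";

// A constructed value containing a quote is escaped and quoted, never spliced in raw.
echo build_sql('select * from ?tusers where user=?s and password=?s', ["O'Brien", 'secret']), "\n";
```

The first call reproduces the docblock's documented result; the second shows why the quoting belongs in the builder rather than in each caller, which is the point Eric Butera makes about sprintf later in the thread.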

  

[PHP] Wath´s wrong?

2006-05-26 Thread João Cândido de Souza Neto
Hi everyone.

I have a var that gets the following string:

$var="R$<font color=\"".GE_COR_VALOR."\">".number_format($con->result['preco_v'],2,",",".")."</font>";

When I print it I receive the following result:

R$&nbsp;&nbsp;<font color="#FF">150,00</font>

Does someone know what's happening here?

Thanks.

-- 
João Cândido de Souza Neto
Curitiba Online 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Sparse 1.02b released

2006-05-26 Thread Daniel Orner
	Yet another new release, this time with some great new features 
including a calendar widget and the ability to populate select boxes on 
the fly - all still without doing any programming!

You can see what's new here:
http://sparse-php.sourceforge.net/whatsnew.html
--
Sparse - a new way to write MySQL-based programs with little to no 
actual programming. Save yourself time and effort!

http://sparse-php.sourceforge.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Wath´s wrong?

2006-05-26 Thread Jay Blanchard
[snip]
I have a var that gets the following string:

$var="R$<font color=\"".GE_COR_VALOR."\">".number_format($con->result['preco_v'],2,",",".")."</font>";

When I print it I receive the following result:

R$&nbsp;&nbsp;<font color="#FF">150,00</font>

Does someone know what's happening here?
[/snip]

Yes, you printed out your $var. Did you expect something else?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Sparse 1.02b released

2006-05-26 Thread Jay Blanchard
[snip]
Yet another new release
[/snip]

Please place [ANNOUNCEMENT] in the subject line of your message when
making these announcements.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Sparse 1.02b released

2006-05-26 Thread Daniel Orner

My apologies. I'll try and remember to do so in the future.

--Daniel

Jay Blanchard wrote:

[snip]
Yet another new release
[/snip]

Please place [ANNOUNCEMENT] in the subject line of your message when
making these announcements.



--
Sparse - a new way to write MySQL-based programs with little to no 
actual programming. Save yourself time and effort!

http://sparse-php.sourceforge.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Wath´s wrong?

2006-05-26 Thread Daniel Orner

Jay Blanchard wrote:

[snip]
I have a var that gets the following string:

$var="R$<font color=\"".GE_COR_VALOR."\">".number_format($con->result['preco_v'],2,",",".")."</font>";


When I print it I receive the following result:

R$&nbsp;&nbsp;<font color="#FF">150,00</font>

Does someone know what's happening here?
[/snip]

Yes, you printed out your $var. Did you expect something else?
	I think he's referring to the two &nbsp;s which magically appeared 
before the font tag.


--Daniel

--
Sparse - a new way to write MySQL-based programs with little to no 
actual programming. Save yourself time and effort!

http://sparse-php.sourceforge.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread Mark Kelly
On Friday 26 May 2006 16:41, Jochem Maas wrote:

 besides .inc.php seems to be/becoming a sort of defacto std (no need for
 filenaming jihad people ;-)

That's certainly worth considering (particularly as the project is still at 
the very early stages), thank you both for mentioning it. My experience has 
been that de facto standards are often the most resilient in the long run.

  And much appreciated it is too - I'd *far* rather have too much advice
  than not enough - especially where security is concerned.

 always look both ways when crossing the street. ;-)

See, if someone had said that to me 30 years ago I'd still have all three 
legs and a functioning ink sac :)

Cheers,

Mark

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Dotan Cohen

On 5/26/06, Brad Bonkoski [EMAIL PROTECTED] wrote:



Dotan Cohen wrote:

 In the php manual:
 http://www.php.net/manual/en/function.mysql-real-escape-string.php

 The following method is suggested:
 <?php
 // Quote variable to make safe
 function quote_smart($value)
 {
   // Stripslashes
   if (get_magic_quotes_gpc()) {
   $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
   $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
 }

 // Connect
 $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
   OR die(mysql_error());

 // Make a safe query
 $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
   quote_smart($_POST['username']),
   quote_smart($_POST['password']));

 mysql_query($query);
 ?>

 What is the purpose of the sprintf? If it were using %d on integers I
 could see the point, but as we're talking about %s strings, what is
 the advantage to using sprintf? How does this differ from:
 $query = "SELECT * FROM users WHERE user=".$_POST['username']." AND
 password=".$_POST['password'];

 Dotan Cohen
 http://linux-apache-mysql-php.org
 23


Well they are passing the result of the quote_smart function into the
string.
so it would be the same as say:
$user = quote_smart($_POST['username']);
$pass = quote_smart($_POST['password']);
$query = "select * from users where user=$user and password=$pass";

Your query would not use the quote_smart() function, as well as be wrong
if those values were strings
-Brad




I meant:
$query = "SELECT * FROM users WHERE
user=".quote_smart($_POST['username'])." AND
password=".quote_smart($_POST['password']);

The point was, what's the advantage of the sprintf?

Dotan Cohen
http://what-is-what.com
921


Re: [PHP] Wath´s wrong?

2006-05-26 Thread Matt Carlson

I think that one of the issues is that when you assign
a variable using "" instead of '', it will
auto-replace your variable names inline.  I don't
know, but I think you should be escaping the $ before
the <.


--- João Cândido de Souza Neto
[EMAIL PROTECTED] wrote:

 Hi everyone.
 
 I have a var that gets the following string:
 
 $var="R$<font color=\"".GE_COR_VALOR."\">".number_format($con->result['preco_v'],2,",",".")."</font>";
 
 When I print it I receive the following result:
 
 R$&nbsp;&nbsp;<font color="#FF">150,00</font>
 
 Does someone know what's happening here?
 
 Thanks.
 
 -- 
 João Cândido de Souza Neto
 Curitiba Online 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Dotan Cohen

On 5/26/06, Satyam [EMAIL PROTECTED] wrote:

- Original Message -
From: Dotan Cohen [EMAIL PROTECTED]


 // Make a safe query
 $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
   quote_smart($_POST['username']),
   quote_smart($_POST['password']));

 mysql_query($query);
 ?>

 What is the purpose of the sprintf?

Can't see any reason for that.

I don't know if I already posted this on this list or perhaps in the Spanish
one, but below I'm copying my SQL building function, like an sprintf but for
SQL.

Notice it assumes a global variable $table_prefix that is meant for
customized table prefixes, to avoid conflicts with existing applications.

Depending on the font and line length, it will be broken in many parts.  The
arrows showing the different parts of the regular expression point anywhere,
but should be fine if shown in a fixed pitch font.

Satyam



Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Satyam


- Original Message - 
From: Dotan Cohen [EMAIL PROTECTED]

To: Satyam [EMAIL PROTECTED]
Cc: PHP General (E-mail) php-general@lists.php.net
Sent: Friday, May 26, 2006 6:36 PM
Subject: Re: [PHP] anti SQL injection method in php manual.



On 5/26/06, Satyam [EMAIL PROTECTED] wrote:

- Original Message -
From: Dotan Cohen [EMAIL PROTECTED]


 // Make a safe query
 $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
   quote_smart($_POST['username']),
   quote_smart($_POST['password']));

 mysql_query($query);
 ?>

 What is the purpose of the sprintf?

Can't see any reason for that.

I don't know if I already posted this on this list or perhaps in the 
Spanish
one, but below I'm copying my SQL building function, like an sprintf but 
for

SQL.

Notice it assumes a global variable $table_prefix that is meant for
customized table prefixes, to avoid conflicts with existing applications.

Depending on the font and line length, it will be broken in many parts. 
The arrows showing the different parts of the regular expression point 
anywhere, but should be fine if shown in a fixed pitch font.

Satyam



Re: [PHP] Wath´s wrong?

2006-05-26 Thread João Cândido de Souza Neto
Look carefully: when I print my $var, two &nbsp; are inserted into it.

Do you know why it happens?

Matt Carlson [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

 I think that one of the issues is that when you assign
 a variable using "" instead of '', it will
 auto-replace your variable names inline.  I don't
 know, but I think you should be escaping the $ before
 the <.


 --- João Cândido de Souza Neto
 [EMAIL PROTECTED] wrote:

 Hi everyone.

 I have a var that gets the following string:

 $var="R$<font color=\"".GE_COR_VALOR."\">".number_format($con->result['preco_v'],2,",",".")."</font>";

 When I print it I receive the following result:

 R$&nbsp;&nbsp;<font color="#FF">150,00</font>

 Does someone know what's happening here?

 Thanks.

 -- 
 João Cândido de Souza Neto
 Curitiba Online

 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Wath´s wrong?

2006-05-26 Thread Jay Blanchard
[snip]
Look carefully: when I print my $var, two &nbsp; are inserted into it.

Do you know why it happens?
[/snip]

What is the R$ for?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Dotan Cohen

On 5/26/06, Satyam [EMAIL PROTECTED] wrote:

The escaping of invalid characters is already included and besides, you can
simplify your SQL statements such as the example (taken from the phpdocs
header).

echo BuildSql('Insert into ?ttable (?s,?ns,?mi,?d,?ni,?i)','Something','',5,time(),0,null);

will return:

Insert into wp_table ('Something',null,5,'2006-05-15',null,0)

So, as you see, it will handle date conversion from internal PHP to SQL, it
will quote and escape strings, it will either use null or 0 or '' according
to formatting options and it will add the contents of the $table_prefix
variable wherever you put a ?t.  It spares you a lot of trouble on the whole
SQL instruction, not just on escaping every individual field.

And you don't need to check the code, just read the comments, that's why I
bothered putting them there.

Satyam


Of course I read through the comments and the code. However I am no
maintenance programmer and without a real idea of what the code was
trying to accomplish, I couldn't fathom why it was doing what it was
doing. Once again, that's not criticism, it's me trying to learn.

I think that it is a little involved for what I'm currently doing, but
I will certainly save the code for use when I'm more skilled. I most
appreciate your help. Thanks!

Dotan Cohen
http://what-is-what.com
41


Re: [PHP] Wath´s wrong?

2006-05-26 Thread João Cândido de Souza Neto
It´s the Brazilian currency symbol.

Jay Blanchard [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
[snip]
Look carefully: when I print my $var, two &nbsp; are inserted into it.

Do you know why it happens?
[/snip]

What is the R$ for? 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Wath´s wrong?

2006-05-26 Thread Jay Blanchard
[snip]
[snip]
Look carefully: when I print my $var, two &nbsp; are inserted into it.

Do you know why it happens?
[/snip]

What is the R$ for?
[/snip]

Never mind. My output is
R$50,00

Even though the $ is not single-quoted (to avoid confusion) as it should be;

$var='R$'."<font>".number_format(50,2,",",".")."</font>";

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Wath´s wrong?

2006-05-26 Thread João Cândido de Souza Neto
I tried to single-quote it, I tried addslashes on it, but nothing works.

Jay Blanchard [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
[snip]
[snip]
Look carefully: when I print my $var, two &nbsp; are inserted into it.

Do you know why it happens?
[/snip]

What is the R$ for?
[/snip]

Never mind. My output is
R$50,00

Even though the $ is not single-quoted (to avoid confusion) as it should be;

$var='R$'."<font>".number_format(50,2,",",".")."</font>";

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Upload files problems

2006-05-26 Thread Ing. Tomás Liendo
My host uses safe mode...
What else can I do?
Does some other method exist to send files besides the POST method?

Thank you,

Tom.


Ryan Creaser [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Ing. Tomás Liendo wrote:

Hi!
When the users of my system try to upload files of more than 460 K, they 
receive the message:
Fatal error: Maximum execution time of 90 seconds exceeded in 
c:\websites\iracbiogenar48\iracbiogen.com.ar\virtual\procesa_msjpriv.php 
on line 2

I'm using the following method to upload the files:

if($archivo_name)
{
   $dpath="./archivos_recibidos/".$archivo_name;
   if(move_uploaded_file($archivo, $dpath))
   { // The file is transferred to the server.
      echo "<font size=2 face=Arial, Helvetica, sans-serif>El archivo ".$archivo_name." ha sido transferido exitosamente.</font></div></td>";
   }
   else
   {
      echo "<font size=2 face=Arial, Helvetica, sans-serif>ADVERTENCIA: El arcvhio ".$archivo_name." no ha podido enviarse.</font></div></td>";
   }
}


Do I have control over these 90 seconds, or is it a parameter of the server?
What can I do to solve this problem?

Ahead of time thank you very much,

Tom.


 See http://php.net/set_time_limit, although it might not work if your host 
 uses safe mode.

 - Ryan 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
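As an added example that is not Tomás's code, here is the same upload handler written against `$_FILES` (the register_globals-era `$archivo`/`$archivo_name` variables are gone in later PHP). The field name `archivo`, the `archivos_recibidos` directory and the 5 MB cap are this example's assumptions. The point a practitioner would want beyond the time-limit question is that the client-supplied file name only enters the path after basename(), and that `is_uploaded_file()` and the `error` code are checked before anything is moved.

```php
<?php
// Added example, not Tomás's code: a $_FILES-based form of the upload
// handler quoted above. The field name 'archivo', the archivos_recibidos
// directory and the 5 MB cap are this example's assumptions.

const UPLOAD_DIR = __DIR__ . '/archivos_recibidos';
const MAX_BYTES  = 5 * 1024 * 1024;

// Returns the path the file was stored at, or throws with a reason.
function store_upload(array $file): string
{
    // PHP reports size and partial-transfer problems in 'error' before any copy.
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed, error code $code");
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // The name comes from the client. basename() strips any directory part,
    // so the destination can only ever be directly inside UPLOAD_DIR.
    $name = basename($file['name']);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new RuntimeException('invalid file name');
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move the file');
    }
    return $dest;
}

// set_time_limit() could be called here to raise max_execution_time where
// the host allows it; under safe mode, as Ryan notes above, it has no effect.
try {
    $path = store_upload($_FILES['archivo'] ?? []);
    echo 'El archivo ' . htmlspecialchars(basename($path)) . ' ha sido transferido exitosamente.';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'ADVERTENCIA: ' . htmlspecialchars($e->getMessage());
}
```

The error message is echoed through htmlspecialchars() because the original code puts the file name straight into the HTML it prints.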



Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Eric Butera

  What is the purpose of the sprintf?


It's just a way of creating the string without escaping it with quotes
to call the function over and over to keep it clean.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread tedd

  Name them .inc.php so that they cannot be opened by a webbrowser, thus
  giving more information to a potential attacker.


As always, there's another side to that argument. If you give them the 
.php suffix, then they can be run via a browser as-is, which may 
not be something you want. Need to consider if running your includes 
will do any harm.


tedd

--

http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Including Functions; one file or many?

2006-05-26 Thread tg-php
Since we're talking about include()ing functions specifically, I don't think 
there's going to be much trouble to be had.  Your file may be something like 
this:

<?php
  function somefuncname() {
// some code
  }
?>


If that's executed by PHP by being called directly, it won't do anything.

It's worth noting your point for completeness' sake so someone doesn't put 
faulty code into their .inc.php file that's going to cause damage if it doesn't 
receive proper parameters from code that usually comes before it's included.  
But the whole purpose of moving code outside the main script combined with 
using a .inc.php extension so your web server doesn't accidentally serve it out 
as text would be to make the code more modular and secure.  You're not likely 
to have an included file echo'ing your database admin passwords or displaying 
secure data (that it wouldn't display just by running your main script that 
includes that .inc.php file)

The worst case scenario I can think of would be something like:

<?php

  switch ($var) {
case "select":
  // do db select function;
  break;
case "insert":
  // do db insert;
  break;
case ...  whatever
  break;
default:
  // do database delete function (like 'delete from sometable where somecol <> '$someundefinedvar')
  break;
  }


Executing an include is almost always far less dangerous than being able to 
view them.

-TG


= = = Original message = = =

   Name them .inc.php so that they cannot be opened by a webbrowser, thus
   giving more information to a potential attacker.

As always, there's another side to that argument. If you give them the 
.php suffix, then they can be run via a browser as-is, which may 
not be something you want. Need to consider if running your includes 
will do any harm.

tedd


___
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
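The worst case TG sketches is easy to demonstrate without a database. The block below is an added example (not tedd's or TG's code): it puts that fall-through switch beside a hardened dispatcher and runs both against a constructed in-memory table, and it shows the guard that an `.inc.php` file can use to refuse direct requests. The constant name `APP_ENTRY_POINT` and the sample rows are this example's own.

```php
<?php
// Added example, not tg-php's or tedd's code. It puts the thread's worst
// case (an included switch whose default branch deletes) beside a hardened
// dispatcher and runs both against a constructed in-memory table, so no
// database is needed. Names (APP_ENTRY_POINT, $rows) are this example's.

// Guard for a file that is only ever meant to be include()d: the main script
// defines the constant before the include; a direct browser request for the
// .inc.php file never does. Left commented so this file runs stand-alone.
// if (!defined('APP_ENTRY_POINT')) { http_response_code(403); exit; }

function rows_with_id(array $table, $id): array
{
    return array_values(array_filter($table, fn(array $row) => $row['id'] === $id));
}

// Unsafe form, as in the thread: an unknown or unset $action falls through
// to the default branch, which behaves like
//   delete from sometable where somecol <> '$someundefinedvar'
function dispatch_unsafe(string $action, array &$table, array $params): array
{
    switch ($action) {
        case 'select':
            return rows_with_id($table, $params['id'] ?? null);
        case 'insert':
            $table[] = $params;
            return $table;
        default:
            // keeps only rows matching the (unset) id: with no id, nothing survives
            $table = rows_with_id($table, $params['id'] ?? null);
            return $table;
    }
}

// Hardened form: the destructive action is explicit, needs its parameter,
// and anything not in the case list is rejected instead of acted upon.
function dispatch_safe(string $action, array &$table, array $params): array
{
    switch ($action) {
        case 'select':
            return rows_with_id($table, $params['id'] ?? null);
        case 'insert':
            $table[] = $params;
            return $table;
        case 'delete':
            if (!isset($params['id'])) {
                throw new InvalidArgumentException('delete requires an id');
            }
            $table = array_values(array_filter($table, fn(array $row) => $row['id'] !== $params['id']));
            return $table;
        default:
            throw new InvalidArgumentException("unknown action '$action'");
    }
}

// Constructed sample table.
$rows = [['id' => 1, 'name' => 'alice'], ['id' => 2, 'name' => 'bob']];

$t1 = $rows;
dispatch_unsafe('', $t1, []);      // $action never set by the caller
printf("unsafe dispatcher, empty action: %d of %d rows left\n", count($t1), count($rows));

$t2 = $rows;
try {
    dispatch_safe('', $t2, []);
} catch (InvalidArgumentException $e) {
    printf("safe dispatcher, empty action: %s; %d of %d rows left\n", $e->getMessage(), count($t2), count($rows));
}
```

The guard and the dispatcher address the two different risks tedd and TG raise: a served-as-text include leaks source, an executed-as-script include runs whatever its unguarded top level does.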



Re: [PHP] Upload files problems

2006-05-26 Thread chris smith

On 5/27/06, Ing. Tomás Liendo [EMAIL PROTECTED] wrote:

My host uses safe mode...
What other thing can I do?
Some other method exists to send files besides POST method?


ftp?

You haven't solved your problem which actually has nothing to do with
file uploading (460k is nothing and should upload very quickly).

We haven't seen enough code to work out your actual problem.

Track down where all of your time is going by using the 'time()'
function and go from there.

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Serialize

2006-05-26 Thread Al

[EMAIL PROTECTED] wrote:

Hi,

Is a serialized array a safe string to insert into a mysql text field? Or is a
function such as mysql_real_escape_string always needed?

regards
Simon


Seems like you can use mySQL blob fields and serialize

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Brad Bonkoski [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:41
 
 A lot has been said recently about the dangers of the family of
 magic_quotes...
 I understand the dangers.
 The question is, for those of us using a database that does not have a
 *real_escape_string function...Oracle for example.
 What is the *best* way to escape quotes for DB insertion?

Well, since Oracle escapes single-quotes with another single quote, on the few 
occasions when I actually have to escape I generally just run:
 
$safe_str = str_replace("'", "''", $str);
 
- 
Mike Ford,  Electronic Information Services Adviser, 
Learning Support Services, Learning & Information Services, 
JG125, James Graham Building, Leeds Metropolitan University, 
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom 
Email: [EMAIL PROTECTED] 
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm


RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Jochem Maas [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:54

 
 Brad Bonkoski wrote:
  All...
  A lot has been said recently about the dangers of the family of
  magic_quotes...
  I understand the dangers.
  The question is, for those of us using a database that does not have a
  *real_escape_string function...Oracle for example.
  What is the *best* way to escape quotes for DB insertion?
 
 looking at the manual I would assume that ora_bind() is the best way of safely
 stuffing things into an oracle DB:
 
 http://php.net/manual/en/function.ora-bind.php

Whoa, that is way out of date - the ora_ functions have been deprecated as 
long as I've been using PHP, which is several years now! You should be using 
the OCI extension, and oci_bind_by_name().

 if this function is of any worth it *should* be doing any/all proper escaping 
 of
 data 'under water' and hopefully much more thoroughly/correctly than anything 
 you/we
 could do in userland.
 
 <remark type="biased">
 of course you could use firebird DB (php5 interbase extension) and just make use of
 the built in parameterized query functionality - which is simple to use, doesn't
 require endless reams of parameter binding declaration and is rock solid (i.e. no
 matter how crap my input filtering is SQL injection remains impossible ;-))
 </remark>
 
oci_bind_by_name() (and, presumably, ora-bind() before it) *is* Oracle's 
parameterized query equivalent -- admittedly not quite as elegant, but no 
escaping required and is rock solid (i.e. no matter how crap [your] input 
filtering is SQL injection remains impossible!).
 
- 
Mike Ford,  Electronic Information Services Adviser, 
Learning Support Services, Learning & Information Services, 
JG125, James Graham Building, Leeds Metropolitan University, 
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom 
Email: [EMAIL PROTECTED] 
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 


To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm
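Mike's two messages give the manual escape for Oracle and then the bind-variable route he prefers. The block below is an added example, not Mike Ford's code nor the OCI8 manual's, putting the two side by side. It assumes `$conn` is a resource from oci_connect() and a table USERS with a USERNAME column; both are this example's assumptions. The literal helper runs without a database, the bound query needs a live OCI8 connection.

```php
<?php
// Added example, not Mike Ford's code. Two ways of getting a value into an
// Oracle statement from PHP's OCI8 extension, as the thread contrasts them.
// Assumes $conn is a connection from oci_connect() and a table USERS with a
// USERNAME column; both are this example's assumptions.

// Manual route: double the single quotes AND supply the surrounding quotes,
// so the value cannot end up in the statement unquoted by mistake.
function oracle_string_literal(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Bind-variable route: the statement text is parsed before any value is
// attached, so the contents of $username are data, never SQL.
function find_user_bound($conn, string $username): ?array
{
    $stmt = oci_parse($conn, 'SELECT username FROM users WHERE username = :uname');
    oci_bind_by_name($stmt, ':uname', $username);
    if (!oci_execute($stmt)) {
        oci_free_statement($stmt);
        return null;
    }
    $row = oci_fetch_assoc($stmt);
    oci_free_statement($stmt);
    return $row === false ? null : $row;
}

// The literal helper needs no connection; a constructed awkward input:
echo 'SELECT username FROM users WHERE username = ' . oracle_string_literal("O'Brien"), "\n";

// With a connection, the bound form would be used like this:
// $row = find_user_bound($conn, $_POST['username'] ?? '');
```

Note that the literal helper is only correct when the value is always used in a quoted string position; the bound form has no such condition, which is why Mike calls it rock solid.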


Re: [PHP] 5.1.4, mysqli, and fastcgi leaving connections open.

2006-05-26 Thread steve

mysqli does not have persistent connections. Kinda wish it did, as
using fastcgi has about the same number of processes that I would
want connections in a connection pooling scheme under a module
scenario.

anyhow, its a 5.1.4 bug and its reported.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] anti SQL injection method in php manual.

2006-05-26 Thread Dotan Cohen

On 5/26/06, Eric Butera [EMAIL PROTECTED] wrote:

   What is the purpose of the sprintf?

It's just a way of creating the string without escaping it with quotes
to call the function over and over to keep it clean.



Thanks. I think that I'll stick with the simpler code (to my eyes) and
eliminate the sprintf. In any case, it works.

Dotan Cohen
http://auto-car.info


[PHP] What is the best framework?

2006-05-26 Thread Pham Huu Le Quoc Phuc
Hi!
I intend to write an online sales website using PHP and MySQL.
I want to find the best (available) framework for PHP.
Could you give me some advice?
Thanks.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php