php-general Digest 6 May 2009 07:49:12 -0000 Issue 6106

2009-05-06 Thread php-general-digest-help

Topics (messages 292307 through 292327):

Re: elseif statements
292307 by: tedd
292326 by: Jim Lucas

Re: how to enable ttf support in php 5.2.9
292308 by: Ashley Sheridan
292312 by: tedd
292319 by: Michael A. Peters

How to deal with identical fields in db
292309 by: PJ
292310 by: Richard S. Crawford
292311 by: Stephen
292313 by: tedd
292314 by: Tom Worster
292317 by: PJ

Re: Generating dynamic PDFs
292315 by: O. Lavell
292323 by: Phpster

Re: Avoid to open mysql querries then times in the page
292316 by: Daevid Vincent
292318 by: Daevid Vincent
292327 by: Michael A. Peters

Need Help! - Looking over a wireframe doc...
292320 by: bruce

Re: Newbie - Setting Up Some Basic Sendmail Scripts
292321 by: Manuel Lemos

Re: speaking of control structures...
292322 by: Clancy

Re: Muticast Support in PHP
292324 by: Shameem Muhammed

Re: SimpleXML output encoding
292325 by: Ondrej Kulaty

Administrivia:

To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
php-gene...@lists.php.net


--
---BeginMessage---

At 1:11 PM -0400 5/5/09, Paul M Foster wrote:

I hate to dogpile on Tedd, ...


No problem.

Some days you're the windshield and some days you're the bug.

Hey, I've been wrong before -- I'm used to it.

But in my defense, I've always had major problems understanding long ifelse's.

You see, I'm dyslexic and I can not follow those long constructs 
(i.e., more than two decisions). I've always been able to work around 
the problem.


Sure the way php allows switch(true) is very opportunistic for me, 
but it's legal. I've seen a lot worse, not that my practicing such 
grants me permission to do so. But I don't seriously think that 
anyone who reviews my code would be confused as to what I was doing 
using a switch in such fashion.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
---End Message---
---BeginMessage---

Well, since nobody seems to want to answer your question, I will...  :)

It has to do with you using an assignment '=' instead of a comparison '==' 
operator in your condition.

Follow along with my inline notes below.

Gary wrote:
I am trying to get this to work, however it only reads the second if 
statement.  I get no error messages, but as I change counties, the % stays 
the same.


Can someone enlighten me, or should I be looking at switch statements?

Thanks for your help.

Gary



?php
$_SESSION['sale_session']=$_POST['sale'];
$_SESSION['assess_session']=$_POST['assess'];
$_SESSION['county_session']=$_POST['county'];

// checks if bot
   if ($_POST['address'] != '' ){
exit(Changed field);
}


$sale_value=$_POST['sale'];
$assess_value=$_POST['assess'];
$county=$_POST['county'];

$chester_ratio=.51;
$montco_ratio=.53;
$delco_ratio=.58;
/*$ratio=.51;


/*$correct_assess=($sale_value)*($ratio); this is now the assessment should 
be */

$chester_correct_assess=($sale_value)*($chester_ratio);
$montco_correct_assess=($sale_value)*($montco_ratio);
$delco_correct_assess=($sale_value)*($delco_ratio);


$chester_assess_difference=($assess_value)-($chester_correct_assess);
$montco_assess_difference=($assess_value)-($montco_correct_assess);
$delco_assess_difference=($assess_value)-($delco_correct_assess);

/*  $assess_difference=($assess_value)-($sale_value * $ratio);
$percent_difference=($assess_difference)/($assess_value);*/
$chester_percent_difference=($chester_assess_difference)/($assess_value);
$delco_percent_difference=($delco_assess_difference)/($assess_value);
$montco_percent_difference=($montco_assess_difference)/($assess_value);

$chester_percent_savings=($chester_percent_difference)*100;
$delco_percent_savings=($delco_percent_difference)*100;
$montco_percent_savings=($montco_percent_difference)*100;

if(($_COOKIE['county_cookie'] ='Chester')  ($chester_assess_difference 
 =5))




The previous line should be, notice the missing == comparison ???
if(($_COOKIE['county_cookie'] == 'Chester')  ($chester_assess_difference  = 
5))



{
echo 'h2 style=margin:0;color:#ff;Yes, Your property appears to 
qualify!/h2br /br /';
echo You 1 believe your home would today sell for b 
$.number_format($sale_value). /bbr /;
echo Your current tax assessment isb 
$.number_format($assess_value)./bbr /;

echo You live in b$county /bbr /;
echo Your potential savings could beb  
.number_format($chester_percent_savings,0).%/bbr /br /;
echo According to preliminary calculations based on the information you 
have entered, you may enjoy a savings of  b 
.number_format($chester_percent_savings,0).% /boff a 

Re: [PHP] Avoid to open mysql querries then times in the page

2009-05-06 Thread Michael A. Peters

tedd wrote:

On 5/4/09, Matthieu spama...@gmail.com wrote:

 Hello,

 I'm a totally newbie to php/Mysql but I'd like to know if it is normal that
 I have to connect 3 times to the db in one page.

 For example, I have

 1. A connection for the login / pass a $_SESSION['login'] before the HTML
 tags

 2. I need to say hello to the user so I reconnect, run a query to select the
 user having the login and echo 'Hello '.$user['login'].'!''

 3. I need to show him his friends a bit later, so I have to connect a last
 time and re-run a query because I can't use the data $user that I used in
 my upper php code...

 Is there a walkthrough to have only one connection for the page?

 Thanks

 Matthieu



Matthieu:

The way I usually have a user navigate a protected site is to first to 
have them identify themselves via a logon/password script -- and then I 
store their user_id in a SESSION. Note, I do not store all their data in 
a SESSION, just their user_id. The user_id should be an unique 
auto_increment integer primary key from your users' table.


At the start of each protected page, I have:

<?php session_start();

$user_id = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : 0;

if($user_id == 0)
   {
   // not logged in: send the visitor to the login page and stop
   header('location: login.php');
   exit();
   }

// proceed with processing

As such, I check if $user_id > 0 -- if so, then I process the request as 
directed. If not, then I send the user back to login.


That's basically what i do.
I don't store much in sessions, just the id of the logged in user (set 
to 0 for not logged in) and maybe a few temporary things (IE a page that 
requires login, if the uid is set to 0 I'll store the page in the 
session so that after login they can be redirected back). There's a few 
other things I do in session data, but not much.


Since I only use non persistent cookies for security reasons, almost 
anything worth saving is worth saving as a db record tied to the user 
id. Sessions for me mostly are just a way to know a user is 
authenticated and who they are authenticated as.




As for connecting to the database, I connect as needed to get 
information needed. I do not use SESSIONs to store all the data to be 
passed from page to page, I gather only what's needed for that page.


I also make sure that when I open a connection, I close the connection. I 
may have several open/close statements within a page, but normally I try 
to avoid that.


I just use pear mdb2 - they make it easy to deal with multiple different 
databases etc. and I just let the connection close when the page 
finished executing, I don't explicitly close any connections.


I do explicitly unset prepared statements, but only on pages that do 
many queries (short fast pages free up the memory when the page finishes 
executing anyway).


Since I generally use the same database for session handling as I use 
for rest of the app, the database will be opened when the page starts 
and need to be open when the page finishes execution for writing any new 
session data, so it doesn't make sense to me to explicitly close the 
connection except for my search engine (it uses a different database) - 
but when the search query has run, the search results are displayed and 
the script finishes executing anyway, so closing that connection isn't 
needed anyway - the job is done and the script exits quickly closing the 
connection on its own.




HTH's

tedd




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How to deal with identical fields in db

2009-05-06 Thread Peter Ford


tedd wrote: (and I added in some extra bits...)
 You need to normalize.
 
 Authors should have an unique id in an authors table. The authors table
 has all the specific information about authors, but not the books they
 have written.
 
 Books should have an unique id in a books table. The books table has all
 the specific information about books, but not the contributing authors.
 

Like the ISBN, for example - that should be unique enough for anyone...
I suppose if you deal in antique books, there might not be an ISBN.

 Then you connect the two tables with a Book-Author table that has only
 the id's of both -- no real need for any other information.
 

This also has the advantage that when you come to add new books by authors
already in the database, you only have to look the name up, and you can avoid
duplicating authors with misspelt names, etc.

You will have to allow for the case of a book with multiple authors, but that
should work out fine - you just have two (or more) records in the Book-Author
table to link the same book to several authors, and logic that watches out for
that when you extract the data.

 That way when you want to see all the books an author has written, then
 you pull out all the records that has the author's id and look up each
 book via the book id.
 
 Likewise, when you want to see all the authors who have contributed to a
 book, then you pull out all records that has the book's id and look up
 each author via their author id.
 
 Do you see how it works?
 
 Cheers,
 
 tedd
 

It always surprises me how many people need to have database normalisation
explained to them - it seems obvious to me... (and tedd, clearly!)

-- 
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent




Re: [PHP] how to enable ttf support in php 5.2.9

2009-05-06 Thread Ashley Sheridan
On Tue, 2009-05-05 at 16:22 -0700, Michael A. Peters wrote:
 Ashley Sheridan wrote:
 
 
  content coming from MS Office clipboard pastes generally contain
  characters that are encoded wrong, and do not display correctly in web
  pages unless they have very relaxed doctypes. The function I generally
  use is:
  
  function removeMSCrap($crap)
  {
  $find = Array(chr(128), chr(133), chr(8226), chr(145), chr(8217),
  chr(146), chr(8220), chr(147), chr(8221), chr(148), chr(8226), chr(149),
  chr(8211), chr(150), chr(8212), chr(151), chr(8282), chr(153), chr(169),
  chr(174));
  $replace = Array("&euro;", "&#133;", "&#8243;", "&#039;", "&#039;",
  "&#039;", "&#039;", "&#034;", "&#034;", "&#034;", "&#034;", "&#149;",
  "&#149;", "&#150;", "&#150;", "&#151;", "&#151;", "&#153;", "&#153;",
  "&copy;", "&reg;");
  
  $roses = str_replace($find, $replace, $crap);
  return $roses;
  }
 
 Is that something you would suggest be used in any web app that has a 
 textarea for input?
 
It is valid for that also. I've used it on standard <input type="text"/>
tags before as well.


Ash
www.ashleysheridan.co.uk





Re: [PHP] How to deal with identical fields in db

2009-05-06 Thread Michael A. Peters

Peter Ford wrote:


tedd wrote: (and I added in some extra bits...)

You need to normalize.

Authors should have an unique id in an authors table. The authors table
has all the specific information about authors, but not the books they
have written.

Books should have an unique id in a books table. The books table has all
the specific information about books, but not the contributing authors.



Like the ISBN, for example - that should be unique enough for anyone...
I suppose if you deal in antique books, there might not be an ISBN.


Unfortunately sometimes an otherwise identical but different printing of 
the same book has different ISBN numbers. Sometimes the difference is 
hardback vs softcover, special edition, or just a reprint.


The L.O.C. catalog number may be better, AFAIK there is typically only 
one LOC number per edition of a book. It is a good idea to record both 
(if both exist) and use an internally assigned substitute number when 
one, the other, or both don't exist (small run self published works 
often don't have a LOC number for example, if the author didn't want to 
pay for it).





Re: [PHP] elseif statements

2009-05-06 Thread Robert Cummings
On Tue, 2009-05-05 at 22:31 -0700, Jim Lucas wrote:
 Well, since nobody seems to want to answer your question, I will...  :)
 
 It has to do with you using an assignment '=' instead of a comparison '==' 
 operator in your condition.

He already found the problem and fixed it :)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] speaking of control structures...

2009-05-06 Thread Marcus Gnaß
Tom Worster wrote:
 there's a control structure i wish php had: a simple block that you can
 break out of, e.g.


As Maarten pointed out you could use a function. Another alternative is
to use Exceptions which might be the most proper way to do it.




Re: [PHP] speaking of control structures...

2009-05-06 Thread Robert Cummings
On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
 Tom Worster wrote:
  there's a control structure i wish php had: a simple block that you can
  break out of, e.g.
 
 
 As Maarten pointed out you could use a function. Another alternative is
 to use Exceptions which might be the most proper way to do it.

That seems like an abuse of exceptions. But then we're already abusing
loops. I just don't think one could say it's the proper way to do it :)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] Re: elseif statements

2009-05-06 Thread Jan G.B.
Hi Gary,
2009/5/5 Gary gwp...@ptd.net:
 Jan

 Thanks for your note.

 So you wrote:

 $x = (3)*(2) makes no sense.
 $x = 3 * 2 works, as
 $x = (3 * 2) does, too.
 But this is not an error at all.

^^


 In the first example($x = (3)*(2) makes no sense.), which is the way I have
 it, works.  So if it works, is there a real compelling reason to change it?

No!

 I understand that less is more when it comes to writing code, but does it
 slow things down, does it give erroneus results, or is it developing a poor
 writing habit?

 I would enjoy your opinion.

It's an opinion thing, I'd say.
But having single values in brackets can't speed anything up. If
anything, it's gonna be slower.
Anyway, this was just meant as a comment, that's why I wrote this is
not an error.

I for myself believe that a lot of bracket enclosing can make code
more unreadable, but on the other hand sometimes you want more
bracket-enclosed statements.

if (1 == 2 || (2 != 3 && 3 != 4)) { /* this would be my approach */ }

if (1 == 2 || ((2 != 3) && (3 != 4))) {
/* this makes it harder to read for me, because of the ending )))
   I think, that this may be slightly faster for the interpreter.
*/
}

if (((1) == (2)) || (((2) != (3)) && ((3 != 4)))) { /* this is
overkill for humans and interpreter */ }


My intention to post actually was to tell you about the wrong
IF-Statement way down. I removed the quoting around, now:

 2009/5/5 Gary gwp...@ptd.net:
 elseif(isset($chester_assess_difference) =1000){


 You got an error here.

 isset($var) returns true OR false, which equals 1 OR 0.
 You might not compare it with your integer 1000, because it's always
 smaller.

 correct would be:

 elseif (isset($chester_assess_difference)
       $chester_assess_difference = 1000) {
        // do something
 }



Regards,
Jan




Re: [PHP] elseif statements

2009-05-06 Thread Gary
He already found the problem and fixed it :)

Correction:  His problem was pointed out to him and he was able to follow 
instructions he he.

I think I posted yesterday, but I had the double= in the script earlier, but 
it was giving inconsistent answers, however when I changed the = for== AND 
changed from calling the information from the $_COOKIE to the variable, it 
worked as I had hoped.

Again, thank you to all for helping.

Gary


Robert Cummings rob...@interjinn.com wrote in message 
news:1241606832.610.108.ca...@localhost...
 On Tue, 2009-05-05 at 22:31 -0700, Jim Lucas wrote:
 Well, since nobody seems to want to answer your question, I will...  :)

 It has to do with you using an assignment '=' instead of a comparison 
 '==' operator in your condition.

 He already found the problem and fixed it :)

 Cheers,
 Rob.
 -- 
 http://www.interjinn.com
 Application and Templating Framework for PHP
 






Re: [PHP] How to deal with identical fields in db

2009-05-06 Thread tedd

At 3:14 AM -0700 5/6/09, Michael A. Peters wrote:

Peter Ford wrote:


tedd wrote: (and I added in some extra bits...)

You need to normalize.

Authors should have an unique id in an authors table. The authors table
has all the specific information about authors, but not the books they
have written.

Books should have an unique id in a books table. The books table has all
the specific information about books, but not the contributing authors.



Like the ISBN, for example - that should be unique enough for anyone...
I suppose if you deal in antique books, there might not be an ISBN.


Unfortunately sometimes an otherwise identical but different 
printing of the same book has different ISBN numbers. Sometimes the 
difference is hardback vs softcover, special edition, or just a 
reprint.


The L.O.C. catalog number may be better, AFAIK there is typically 
only one LOC number per edition of a book. It is a good idea to 
record both (if both exist) and use an internally assigned 
substitute number when one, the other, or both don't exist (small 
run self published works often don't have a LOC number for example, 
if the author didn't want to pay for it).



But for a database, a book identifier would probably be best 
(differing opinions on this) if it was simply an auto_increment 
unsigned integer primary key. A key that is generated upon entry of a 
book record.


Certainly one can argue that using a different unique key might 
provide more information and make the table require one less field, 
but if one uses a primary key, then the field can be searched faster 
than using a ISBN or L.O.C., which may be duplicated, amended, or not 
even present. My thinking on this is a unique identifier for the book 
should not be tied to any attribute of the book, which may change, 
but rather something completely detached and artificial.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] speaking of control structures...

2009-05-06 Thread Tom Worster
On 5/6/09 7:05 AM, Robert Cummings rob...@interjinn.com wrote:

 That seems like an abuse of exceptions. But then we're already abusing
 loops. I just don't think one could say it's the proper way to do it :)

i don't have a lot of interest in the proper way to do things. i'm
interested in how other programmers actually do things.

and i'm not even sure it's _possible_ to abuse a programming language.
whatever works...






Re: [PHP] How to deal with identical fields in db

2009-05-06 Thread Peter Ford
tedd wrote:
 At 3:14 AM -0700 5/6/09, Michael A. Peters wrote:
 Peter Ford wrote:

 tedd wrote: (and I added in some extra bits...)
 You need to normalize.

 Authors should have an unique id in an authors table. The authors table
 has all the specific information about authors, but not the books they
 have written.

 Books should have an unique id in a books table. The books table has
 all
 the specific information about books, but not the contributing authors.


 Like the ISBN, for example - that should be unique enough for anyone...
 I suppose if you deal in antique books, there might not be an ISBN.

 Unfortunately sometimes an otherwise identical but different printing
 of the same book has different ISBN numbers. Sometimes the difference
 is hardback vs softcover, special edition, or just a reprint.

 The L.O.C. catalog number may be better, AFAIK there is typically only
 one LOC number per edition of a book. It is a good idea to record both
 (if both exist) and use an internally assigned substitute number when
 one, the other, or both don't exist (small run self published works
 often don't have a LOC number for example, if the author didn't want
 to pay for it).
 
 
 But for a database, a book identifier would probably be best (differing
 opinions on this) if it was simply an auto_increment unsigned integer
 primary key. A key that is generated upon entry of a book record.
 
 Certainly one can argue that using a different unique key might provide
 more information and make the table require one less field, but if one
 uses a primary key, then the field can be searched faster than using a
 ISBN or L.O.C., which may be duplicated, amended, or not even present.
 My thinking on this is a unique identifier for the book should not be
 tied to any attribute of the book, which may change, but rather
 something completely detached and artificial.
 
 Cheers,
 
 tedd
 

tedd,

That is, in fairness, probably what I'd do too: I might have the ISBN or LOC
number as a detail field in the book record, and have it available for look-ups,
but the primary key would just be a sequence number generated automatically.
Same with authors, just a sequence number for the key. (I am not a number, I am
a free man...)

These things do not need to be visible to the user. Just an implementation
detail, nothing to see here... :)

Cheers
Pete

-- 
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent
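
The schema this thread arrives at, as an added example (not code from the list): surrogate integer keys, the ISBN kept as an optional look-up field, and a Book-Author link table queried in both directions. It assumes PDO with an in-memory SQLite database so it runs offline (the thread's auto_increment is MySQL wording); every table name, column name and row is constructed.

```php
<?php
// Added example; not code from the thread. All names and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('PRAGMA foreign_keys = ON'); // SQLite enforces REFERENCES only when enabled

// Surrogate keys; ISBN and LOC are optional detail fields, not identifiers.
$db->exec('CREATE TABLE authors (
    id   INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL)');
$db->exec('CREATE TABLE books (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    title TEXT NOT NULL,
    isbn  TEXT,
    loc   TEXT)');
// Link table: one row per (book, author) pair and nothing else.
$db->exec('CREATE TABLE book_author (
    book_id   INTEGER NOT NULL REFERENCES books(id),
    author_id INTEGER NOT NULL REFERENCES authors(id),
    PRIMARY KEY (book_id, author_id))');

function addAuthor(PDO $db, $name)
{
    $db->prepare('INSERT INTO authors (name) VALUES (?)')->execute(array($name));
    return (int) $db->lastInsertId();
}

function addBook(PDO $db, $title, $isbn, array $authorIds)
{
    $db->prepare('INSERT INTO books (title, isbn) VALUES (?, ?)')
       ->execute(array($title, $isbn));
    $bookId = (int) $db->lastInsertId();
    $link = $db->prepare('INSERT INTO book_author (book_id, author_id) VALUES (?, ?)');
    foreach ($authorIds as $authorId) {
        $link->execute(array($bookId, $authorId)); // several rows for a multi-author book
    }
    return $bookId;
}

// All books an author has written: filter the link table by author id.
function booksByAuthor(PDO $db, $authorId)
{
    $q = $db->prepare('SELECT b.title FROM books b
                       JOIN book_author ba ON ba.book_id = b.id
                       WHERE ba.author_id = ? ORDER BY b.title');
    $q->execute(array($authorId));
    return $q->fetchAll(PDO::FETCH_COLUMN);
}

// All authors who contributed to a book: filter the link table by book id.
function authorsOfBook(PDO $db, $bookId)
{
    $q = $db->prepare('SELECT a.name FROM authors a
                       JOIN book_author ba ON ba.author_id = a.id
                       WHERE ba.book_id = ? ORDER BY a.name');
    $q->execute(array($bookId));
    return $q->fetchAll(PDO::FETCH_COLUMN);
}

$writer   = addAuthor($db, 'A. Writer');
$coauthor = addAuthor($db, 'B. Coauthor');
$first    = addBook($db, 'First Title', 'ISBN-PLACEHOLDER-1', array($writer));
$second   = addBook($db, 'Second Title', null, array($writer, $coauthor)); // no ISBN

echo 'Books by A. Writer: ', implode(', ', booksByAuthor($db, $writer)), "\n";
echo 'Authors of Second Title: ', implode(', ', authorsOfBook($db, $second)), "\n";
```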




Re: [PHP] speaking of control structures...

2009-05-06 Thread Tom Worster
On 5/6/09 6:56 AM, Marcus Gnaß gona...@gmx.de wrote:

 Tom Worster wrote:
 there's a control structure i wish php had: a simple block that you can
 break out of, e.g.
 
 As Maarten pointed out you could use a function. Another alternative is
 to use Exceptions which might be the most proper way to do it.

in a thread off-list i commented on the use of a function. here's what i
said:

yes, it's just like that. i could wrap a function around the logic. and
sometimes i use that trick.

the downside to that is access to globals. for many of my scripts there's a
common pattern:

1 get set up.
2 process inputs, checking and preparing data for use 3 and 4 or aborting to
an error handler at the end of this section (which is what the breaks all
jump to) if there's a problem with the input.
3 do some work
4 prepare an output page

in this scheme, it's convenient if 2, 3 and 4 all have access to the same
namespace, so i don't usually use the function approach.






Re: [PHP] speaking of control structures...

2009-05-06 Thread Robert Cummings
On Wed, 2009-05-06 at 08:41 -0400, Tom Worster wrote:
 On 5/6/09 7:05 AM, Robert Cummings rob...@interjinn.com wrote:
 
  That seems like an abuse of exceptions. But then we're already abusing
  loops. I just don't think one could say it's the proper way to do it :)
 
 i don't have a lot of interest in the proper way to do things. i'm
 interested in how other programmers actually do things.

I highly doubt they use exceptions.

 and i'm not even sure it's _possible_ to abuse a programming language.
 whatever works...

Then you haven't been programming long enough. Whatever works is an
idiot's guide to programming... one where they remain an idiot.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] speaking of control structures...

2009-05-06 Thread Robert Cummings
On Wed, 2009-05-06 at 08:43 -0400, Tom Worster wrote:
 On 5/6/09 6:56 AM, Marcus Gnaß gona...@gmx.de wrote:
 
  Tom Worster wrote:
  there's a control structure i wish php had: a simple block that you can
  break out of, e.g.
  
  As Maarten pointed out you could use a function. Another alternative is
  to use Exceptions which might be the most proper way to do it.
 
 in a thread off-list i commented on the use of a function. here's what i
 said:
 
 yes, it's just like that. i could wrap a function around the logic. and
 sometimes i use that trick.
 
 the downside to that is access to globals. for many of my scripts there's a
 common pattern:
 
 1 get set up.
 2 process inputs, checking and preparing data for use 3 and 4 or aborting to
 an error handler at the end of this section (which is what the breaks all
 jump to) if there's a problem with the input.
 3 do some work
 4 prepare an output page
 
 in this scheme, it's convenient if 2, 3 and 4 all have access to the same
 namespace, so i don't usually use the function approach.

Then create a shared namespace...

$GLOBALS['myWhateverWorksNamespace']['varName'] = 'varValue';

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] speaking of control structures...

2009-05-06 Thread Tom Worster
On 5/5/09 8:55 PM, Clancy clanc...@cybec.com.au wrote:

 On Tue, 05 May 2009 14:13:23 -0400, rob...@interjinn.com (Robert Cummings)
 wrote:
 
 On Tue, 2009-05-05 at 13:56 -0400, Tom Worster wrote:
 there's a control structure i wish php had: a simple block that you can
 ...
 
 But PHP 5.3 introduces goto:
 
 ?php
 
 header:
 
if( $something ) ...
 
goto body;
 
 body:
 
if( $soemthingElse ) ...
goto footer;
 
if( $seomthingerElse ) ...
 
goto footer;
 
 footer:
 
// blah blah blah
goto done;
 
 done;
 
 I heartily agree. In my opinion 'break' is like a 'goto' without a label. As I
 used to
 tell my students if I say 'break' the one thing I can be sure of is that you
 will all
 disappear. I had no idea where most of you go, or what you do, and I'm not
 even sure if
 I'll ever see some of you again.
 
 'Goto' makes it possible to set up the more complex control sequences you
 sometimes need,
 yet have them clearly defined. For example:
 
 ?php
 
 begin: ...
 if ( ... ) { goto error; }
 ...
 if (  ) { goto footer; }
 ...
 goto body;
 
 repeat: 
 if (  ) { goto footer; }
 ...
 if ( ... ) { goto error; }
 
 body: .
 if ($error) { goto error; }
 
 if (!$error) { goto footer; }
 error: 
 
 footer:   
 if (  ) { goto repeat; }
 ?
 
 I find it very difficult to set up sequences like this using if/else if (or
 switches, but
 I don't like them anyway), and have to resort to setting flags and very
 careful
 indentation to make sure that I'm doing what I intended. Unfortunately my
 provider is
 still using PHP 4.something, and I have been too busy to switch to someone
 more
 up-to-date.

clancy, i can't argue with you. my desired usage of break is really just a
cover-up for a goto. i know.

it makes no logical sense but i think i'd sooner adopt oop than gotos. my
mom taught me to program back in the late 70s and early 80s. she was an old
hand. when FORTRAN 4 came out she thought it was the bees knees. when Z80
micros with MS-BASIC came out, she thought they were cute. when turbo pascal
came out on CP/M, she was impressed and taught me to quit using gotos.

so while it makes no logical sense, perhaps you can see that it makes
emotional sense.






Re: [PHP] speaking of control structures...

2009-05-06 Thread Per Jessen
Tom Worster wrote:

 On 5/6/09 6:56 AM, Marcus Gnaß gona...@gmx.de wrote:
 
 Tom Worster wrote:
 there's a control structure i wish php had: a simple block that you
 can break out of, e.g.
 
 As Maarten pointed out you could use a function. Another alternative
 is to use Exceptions which might be the most proper way to do it.
 
 in a thread off-list i commented on the use of a function. here's what
 i said:

Shawn McKenzie already posted the right solution - did you miss it?


/Per

-- 
Per Jessen, Zürich (19.6°C)





Re: [PHP] speaking of control structures...

2009-05-06 Thread Tom Worster
On 5/6/09 8:55 AM, Per Jessen p...@computer.org wrote:

 Shawn McKenzie already posted the right solution - did you miss it?

no, per, i didn't. i like do {} while (0) very much. thanks, shawn!






[PHP] SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Hi folks,
Does someone know how I can improve this function to protect my environment
vars from SQL injection attacks?

This is the function I use to do this, but some people think it is not enough:

/**
 * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
 * @uses $_POST = _antiSqlInjection($_POST);
 * @uses $_GET = _antiSqlInjection($_GET);
 *
 * @author Igor Escobar
 * @email blog [at] igorescobar [dot] com
 *
 */

function _antiSqlInjection($Target){
    // Substrings removed from every value (case-sensitive match).
    $sanitizeRules =
        array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    $arraSanitized = array();
    foreach($Target as $key => $value):
        if(is_array($value)):
            // Recurse into nested arrays.
            $arraSanitized[$key] = _antiSqlInjection($value);
        else:
            $arraSanitized[$key] =
                addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
        endif;
    endforeach;
    return $arraSanitized;
}

Can you help me to improve them?


Regards,
Igor Escobar
Systems Analyst  Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portifolio
~ www.igorescobar.com
Twitter
~ @igorescobar


[PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
 Hi folks,
 Does someone know how I can improve this function to protect my environment
 vars from SQL injection attacks?
 
 This is the function I use to do this, but some people think it is not enough:
 
 /**
  * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
  * @uses $_POST = _antiSqlInjection($_POST);
  * @uses $_GET = _antiSqlInjection($_GET);
  *
  * @author Igor Escobar
  * @email blog [at] igorescobar [dot] com
  *
  */
 
 function _antiSqlInjection($Target){
     // Substrings removed from every value (case-sensitive match).
     $sanitizeRules =
         array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
     $arraSanitized = array();
     foreach($Target as $key => $value):
         if(is_array($value)):
             // Recurse into nested arrays.
             $arraSanitized[$key] = _antiSqlInjection($value);
         else:
             $arraSanitized[$key] =
                 addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
         endif;
     endforeach;
     return $arraSanitized;
 }
 
 Can you help me to improve them?
 

Just at first glance, if you're going to use this type of function you
should at least use str_ireplace().  'drop table' works just as well as
'DROP TABLE'.  Also, you might want to use mysql_real_escape_string() or
similar for your DB (if you have a connection).  Or you can skip the
slash stuff until the actual query.  This may negate the need for your
replace, as quotes are normally needed to get the SQL commands to work
in your query anyway.

Finally, if magic_quotes are on you'll end up with multiple slashes in
your code as it is and if you changed the addslashes() to
mysql_real_escape_string().  Normally this is good:

if(get_magic_quotes_gpc()) {
    $value = stripslashes($value);
}
$arraSanitized[$key] = mysql_real_escape_string($value);

I also think strip_tags() or htmlentities() belongs more in a display
filter.

 

-- 
Thanks!
-Shawn
http://www.spidean.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Bruno Fajardo
Hi there!

What if someone posts, in any form of your app, a message containing
"or", "from" or "where"? Those are very common words, and eliminating
them is not the best solution, IMO.
Use mysql_real_escape_string() like Shawn said, possibly something
like this would do the trick (from
http://br2.php.net/manual/en/function.mysql-query.php):

// Each value is escaped before it is placed inside its quoted literal.
$query = sprintf("SELECT firstname, lastname, address, age FROM friends WHERE firstname='%s' AND lastname='%s'",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

Cheers,
Bruno.







Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Andrew Ballard
+1

I would stick with parameterized queries if available, or just use
mysql_real_escape_string() for these and a few more reasons:

1) You'll find lots of posts in the archives explaining why
mysql_real_escape_string() is preferred over addslashes() for this
purpose.

2) strip_tags has absolutely nothing to do with SQL injection. Neither
does trim(). There are cases where you would not want to use either of
those functions on input, but you would still need to guard against
injection.

3) DROP TABLE will work no matter how many white-space characters
appeared between the words. For that matter, I am pretty sure that
'DROP /* some bogus SQL comment to make it past your filter */ TABLE'
will work also.


Andrew
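
The points made in the thread so far, as an added example that is not code from any of the posters: the posted keyword list is run over constructed sample inputs, then the same inputs are stored through a bound parameter. It assumes PHP with the pdo_sqlite extension; the comments table and the blacklistFilter() name are made up for the demonstration.

```php
<?php
// Added example, not code from the thread.
// Assumptions: PHP with the pdo_sqlite extension; the "comments" table is made up.

// The keyword list posted in the thread, applied case-insensitively.
function blacklistFilter($value)
{
    $rules = array('OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
                   'DROP TABLE', 'SHOW TABLES', '*', '--', '=');
    return addslashes(trim(str_ireplace($rules, '', $value)));
}

// Constructed inputs: two ordinary comments, then the statement text from
// Andrew's point 3 with two spaces and with a tab between the words.
$samples = array(
    'Flight from Orlando, where do I order?',
    'total = 2 * 5 -- approx.',
    'DROP  TABLE friends',
    "DROP\tTABLE friends",
);

echo "Keyword filter:\n";
foreach ($samples as $s) {
    $filtered = blacklistFilter($s);
    printf("  %-42s -> %-34s %s\n",
        json_encode($s), json_encode($filtered),
        $filtered === $s ? 'passed through unchanged' : 'text altered');
}

// Parameter binding: the statement text is fixed when it is prepared and
// each value travels separately, so no value is ever parsed as SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($samples as $s) {
    $insert->execute(array(':body' => $s));
}

$stored = $pdo->query('SELECT body FROM comments ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);

echo "\nBound parameters:\n";
echo '  rows stored: ', count($stored), "\n";
echo '  every value stored byte-for-byte: ',
     ($stored === $samples ? 'yes' : 'no'), "\n";
```

The filter rewrites the two ordinary comments and leaves both white-space variants alone, while the prepared statement keeps all four values as plain data.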




Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Igor Escobar
I know that using mysql_real_escape_string to do the job is better, but you
should consider that this function doesn't have any access to the
database; the objective of this function is to sanitize the string.

And please see my second answer, I made some updates to the function that
are possibly relevant.


Regards,
Igor Escobar
Systems Analyst  Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portifolio
~ www.igorescobar.com
Twitter
~ @igorescobar








Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Michael Shadle
mysql_escape_string can be used instead. You just lose the ability to
have it match collation. I still think there should be the
mysql_escape_string or real one and allow it to pass the collation
without a database handle -or- just make a unicode/utf8 one and be
done with it.





Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
> Hunnn...
>
> So, what do you think now?
>
> function _antiSqlInjection($Target){
>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>     $arraSanitized = array();
>     foreach($Target as $key => $value):
>         if(is_array($value)):
>             $arraSanitized[$key] = _antiSqlInjection($value);
>         else:
>             // Add slashes only when magic quotes has not already done so.
>             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
>                 addslashes(str_ireplace($sanitizeRules,'',trim($value))) :
>                 str_ireplace($sanitizeRules,'',trim($value));
>         endif;
>     endforeach;
>     return $arraSanitized;
> }

Stay on list please.  I don't like the ternary or the brace omissions
(alternate syntax) :-) however

My point was that in my opinion you don't need the replace at all.
Also, do you really want to strip all 'or', * and = from all fields?
These may be perfectly valid in your app.  "Or" is a very, very common
word, so is "from" and come to think of it, "where", "select", "insert" and "delete".

For any of the SQL injections to work in your query, there will need to
be quotes or the backtick ` in the user supplied content.  The quotes
are escaped by mysql_real_escape_string().

I don't see any way for a SQL injection without the user input
containing quotes or the backtick to break out of your query or
prematurely terminate an expression.  Some examples here, however they
don't mention the backtick:
http://us2.php.net/manual/en/security.database.sql-injection.php

This might be more useful:

function _antiSqlInjection($Target)
{
    if(is_array($Target)) {
        // array_map calls this function again for every element,
        // so nested arrays are handled too
        $Value = array_map('_antiSqlInjection', $Target);
    } else {
        if(get_magic_quotes_gpc()) {
            $Target = stripslashes($Target);
        }
        // replace backtick with single quote or whatever
        $Target = str_replace("`", "'", $Target);
        $Value = mysql_real_escape_string($Target);
    }
    return $Value;
}

Thanks!
-Shawn






Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
hun... by the way I forgot to mention, I am Brazilian and here in Brazil
these words are not common ...

That is a recursive function and I can use array_map because in some cases we
obtain arrays of arrays and that will generate an error.


Regards,
Igor Escobar
Systems Analyst  Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portifolio
~ www.igorescobar.com
Twitter
~ @igorescobar










Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Now I realize... I sent the modified function only to Shawn... here
it goes:


function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    $arraSanitized = array();
    foreach($Target as $key => $value):
        if(is_array($value)):
            $arraSanitized[$key] = _antiSqlInjection($value);
        else:
            // Add slashes only when magic quotes has not already done so.
            $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
                addslashes(str_ireplace($sanitizeRules,'',trim($value))) :
                str_ireplace($sanitizeRules,'',trim($value));
        endif;
    endforeach;
    return $arraSanitized;
}



Regards,
Igor Escobar
Systems Analyst  Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portifolio
~ www.igorescobar.com
Twitter
~ @igorescobar











Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Bruno Fajardo
2009/5/6 Igor Escobar titiolin...@gmail.com:
> hun... by the way I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...

Igor,

I'm Brazilian too, but that is not the point. Denying the use of *any*
word as input in your app is unnecessary. The problem that you're
trying to solve has been solved a long time ago.

Bruno.





Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Yeah yeah, I understood that, but the point is... I said previously, my
function is not tied to any database.

It is a generic function, I don't know who will use this, so I don't know what
your database is, so I can't use functions like mysql_real_escape_string etc...


Regards,
Igor Escobar
Systems Analyst  Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portifolio
~ www.igorescobar.com
Twitter
~ @igorescobar





 
 
 
 



Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
> hun... by the way I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...

Yes, but you can reuse your function even if you start accepting English
posts/comments, etc.  You don't want this function to be specific to
your app or data because it isn't extensible or portable.  Also, I
suspect that there are some words in Portuguese that contain "or",
which would be removed.

> That is a recursive function and I can use array_map because in some cases we
> obtain arrays of arrays and that will generate an error.

Yes, it is recursive, so that it works on arrays of arrays :-)  No error
that I have seen.

$_GET = array(
    'test' => 'some stuff "here"',
    'test_array' => array('a"a','b`b',array('x"x','y`y','z'))
);

print_r(_antiSqlInjection($_GET));

Array
(
    [test] => some stuff \"here\"
    [test_array] => Array
        (
            [0] => a\"a
            [1] => b\'b
            [2] => Array
                (
                    [0] => x\"x
                    [1] => y\'y
                    [2] => z
                )

        )

)

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
> Yeah yeah, I understood that, but the point is... I said previously, my
> function is not tied to any database.
>
> It is a generic function, I don't know who will use this, so I don't know what
> your database is, so I can't use functions like mysql_real_escape_string etc...

Then the best you can do is replace mysql_real_escape_string() with
addslashes() or possibly addcslashes() and build your own list.


-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Please reply all.

> Do you test with associative arrays?

Yes.

Array
(
    [test] => some stuff \"here\"
    [test_array] => Array
        (
            [a] => a\"a
            [0] => b\'b
            [c] => Array
                (
                    [x] => x\"x
                    [0] => y\'y
                    [1] => z
                )

        )

)

Thanks!
-Shawn




Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Andrew Ballard
On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
> Igor Escobar wrote:
>> Yeah yeah, I understood that, but the point is... I said previously, my
>> function is not tied to any database.
>>
>> It is a generic function, I don't know who will use this, so I don't know what
>> your database is, so I can't use functions like mysql_real_escape_string etc...
>
> Then the best you can do is replace mysql_real_escape_string() with
> addslashes() or possibly addcslashes() and build your own list.



You can't just use addslashes() or addcslashes(). You have to know
what database you are using because the escape sequences are
different.  In MySQL, single quote characters are escaped by a
backslash. In SQL Server, they are escaped by doubling them.

There are a lot of libraries available that already do this. If
someone wants to write yet another one, it would probably be
worthwhile to dissect some of those existing libraries to see how they
handle work under the hood.

Andrew
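
The point about database-specific escape sequences, as an added example that is not code from the thread: the same two values are turned into SQL literals with addslashes() and with the driver's own PDO::quote(), then inserted. It assumes PHP with the pdo_sqlite extension, with SQLite standing in for a database that escapes a single quote by doubling it; the friends table borrows its name from the query quoted earlier, and roundTrip() and the sample values are constructed.

```php
<?php
// Added example, not code from the thread.
// Assumptions: PHP with pdo_sqlite; SQLite stands in for a database that
// escapes a single quote by doubling it; sample values are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE friends (lastname TEXT)');

// Insert one already-quoted SQL literal and report what the database kept.
function roundTrip(PDO $pdo, $literal)
{
    $pdo->exec('DELETE FROM friends');
    try {
        $pdo->exec("INSERT INTO friends (lastname) VALUES ($literal)");
    } catch (PDOException $e) {
        return array('ok' => false, 'stored' => null, 'error' => $e->getMessage());
    }
    $stored = $pdo->query('SELECT lastname FROM friends')->fetchColumn();
    return array('ok' => true, 'stored' => $stored, 'error' => null);
}

$values = array("O'Brien", 'C:\\temp');   // the second value is C:\temp

foreach ($values as $value) {
    $candidates = array(
        // Backslash-style escaping, chosen without knowing the database.
        'addslashes()' => "'" . addslashes($value) . "'",
        // Escaping and quoting chosen by the connected driver.
        'PDO::quote()' => $pdo->quote($value),
    );
    foreach ($candidates as $label => $literal) {
        $r = roundTrip($pdo, $literal);
        if (!$r['ok']) {
            $verdict = 'statement rejected (' . $r['error'] . ')';
        } elseif ($r['stored'] !== $value) {
            $verdict = 'stored a different value: ' . $r['stored'];
        } else {
            $verdict = 'stored intact';
        }
        printf("%-8s %-13s literal %-12s %s\n", $value, $label, $literal, $verdict);
    }
}
```

With backslash-style escaping the first value produces a statement the database rejects and the second is stored with an extra backslash; the driver-aware literal round-trips both.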




[PHP] Re: speaking of control structures...

2009-05-06 Thread Al



Tom Worster wrote:

there's a control structure i wish php had: a simple block that you can
break out of, e.g.

block {

  if ( condition )
break;

  blah...
  blah...

  if ( another condition )
break;

  blah...
  blah...

  etc...

}

the block is just like a loop except that it is executed once only.

this would be a handy structure for writing input validation code. the blah
blah fragments can be used for opening files, talking to the db,
manipulating strings, processing dates and times, etc., the conditions for
testing if the input is unacceptable.

i'm sure many of the programmers here do this kind of thing routinely and
have their own habits and solutions. i'd be curious what they are. please
let us know!


i guess i ought to go first. it's fugly but it works:

$once = true;
while ( $once ) {
  $once = false;

  stuff using break where needed ...

}

tom




Here's the way I handle validating user form inputs. Each function validates 
several things and throws an error with the message stating what's wrong.


try
{
    checkEmailAddr($userSubmitedDataArray[EMAIL_ADDR_FIELD]);
    checkPhoneDigits($userSubmitedDataArray[PHONE_NUM_FIELD], 'phone');
    checkNotes($userSubmitedDataArray, $sizesArray);
    if(!empty($userSubmitedDataArray[CELLPHONE_NUM_FIELD]))
    {
        checkPhoneDigits($userSubmitedDataArray[CELLPHONE_NUM_FIELD], 'cell');
        checkCellCarrier($userSubmitedDataArray['carrier']);
    }
}
catch (Exception $e)
{
    $userErrorMsg = $e->getMessage(); //Message text in check function
}

A typical function looks like this:

function checkEmailAddr($emailAddr)
{
    if(empty($emailAddr))
    {
        throw new Exception("No email address provided");
    }

    if(!preg_match("%...@%", $emailAddr))
    {
        throw new Exception("Email address missing mailbox name.");
    }

    if(!filter_var($emailAddr, FILTER_VALIDATE_EMAIL))
    {
        throw new Exception("Email address error. Syntax is wrong. ");
    }
    // Everything after the @ is the domain part.
    $domain = substr(strchr($emailAddr, '@'), 1);
    if(!checkdnsrr($domain))
    {
        throw new Exception("Email address warning. Specified domain \"$domain\" appears to be invalid. Check carefully.");
    }
    return true;
}






Re: [PHP] speaking of control structures...

2009-05-06 Thread Marcus Gnaß
Robert Cummings wrote:
 On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
 Tom Worster wrote:
 there's a control structure i wish php had: a simple block that you can
 break out of, e.g.

 As Maarten pointed out you could use a function. Another alternative is
 to use Exceptions which might be the most proper way to do it.
 
 That seems like an abuse of exceptions. But then we're already abusing
 loops. I just don't think one could say it's the proper way to do it :)
 
 Cheers,
 Rob.

Why do you think it's an abuse of exceptions? If I have a block of code
which I expect to run from the beginning to the end and I discover a
situation where it's not appropriate to continue this block of code, it is
what I would call an exception. Exceptions don't have to be errors or
such. It's just a special situation ...

Marcus




Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Andrew Ballard wrote:
 On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
 Igor Escobar wrote:
 Yeah yeah, I understood that, but the point is... I said previously, my
 function is not tied to any database.

 It is a generic function, I don't know who will use this, so I don't know what
 your database is, so I can't use functions like mysql_real_escape_string etc...
 Then the best you can do is replace mysql_real_escape_string() with
 addslashes() or possibly addcslashes() and build your own list.


 
 You can't just use addslashes() or addcslashes(). You have to know
 what database you are using because the escape sequences are
 different.  In MySQL, single quote characters are escaped by a
 backslash. In SQL Server, they are escaped by doubling them.
 
 There are a lot of libraries available that already do this. If
 someone wants to write yet another one, it would probably be
 worthwhile to dissect some of those existing libraries to see how they
 handle work under the hood.
 
 Andrew

Good points.  I haven't had much experience with any DB other than mysql
or sqlite.  Without knowing the DB, you'll either need to use one of
these libraries or convert the chars to something else like html entities.


-- 
Thanks!
-Shawn
http://www.spidean.com
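
Andrew's point about database-specific quote escaping, as an added example that is not part of the thread. It assumes the pdo_sqlite extension; the `authors` table and the input value are constructed for the illustration.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension;
// the authors table and the input value are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (name TEXT)');

$name = "O'Reilly"; // ordinary input that happens to contain a quote

// Bound parameter: the value travels separately from the SQL text, so no
// escaping rule (backslash or doubling) is involved at all.
$insert = $pdo->prepare('INSERT INTO authors (name) VALUES (:name)');
$insert->execute(array(':name' => $name));

// addslashes() always emits the backslash form. SQLite, like SQL Server,
// escapes a quote by doubling it, so the backslash is just a character,
// the literal ends early and the statement no longer parses.
$slashed = addslashes($name);
try {
    $pdo->query("SELECT name FROM authors WHERE name = '$slashed'");
    $slashedOutcome = 'parsed';
} catch (PDOException $e) {
    $slashedOutcome = 'rejected by the parser';
}

// PDO::quote() applies the rule of whichever driver is connected.
$quoted = $pdo->quote($name);
$viaQuote = $pdo->query("SELECT name FROM authors WHERE name = $quoted")
                ->fetchColumn();

// The same lookup with a placeholder needs no quoting decision.
$select = $pdo->prepare('SELECT name FROM authors WHERE name = ?');
$select->execute(array($name));
$viaBind = $select->fetchColumn();

printf("addslashes: %s -> %s\n", $slashed, $slashedOutcome);
printf("PDO::quote: %s -> %s\n", $quoted, $viaQuote);
printf("bound parameter -> %s\n", $viaBind);
```

A generic helper that has no connection to ask cannot know which escaping rule applies, which is why the bound-parameter form is the only one of the three that stays correct when the driver changes.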




Re: [PHP] speaking of control structures...

2009-05-06 Thread Shawn McKenzie
Marcus Gnaß wrote:
 Robert Cummings wrote:
 On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
 Tom Worster wrote:
 there's a control structure i wish php had: a simple block that you can
 break out of, e.g.
 As Maarten pointed out you could use a function. Another alternative is
 to use Exceptions which might be the most proper way to do it.
 That seems like an abuse of exceptions. But then we're already abusing
 loops. I just don't think one could say it's the proper way to do it :)

 Cheers,
 Rob.
 
 Why do you think it's an abuse of exceptions? If I have a block of code
 which I expect to run from the beginning to the end and I discover a
 situation where it's not appropriate to continue this block of code, it is
 what I would call an exception. Exceptions don't have to be errors or
 such. It's just a special situation ...
 
 Marcus

In the corner to my right, wearing black trunks, with orange and yellow
trim, Marcus Gnaß...
In the corner to my left, wearing pink trunks, trimmed in pink, Robert
Cummings...

DING!

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] speaking of control structures...

2009-05-06 Thread Robert Cummings
On Wed, 2009-05-06 at 22:23 +0200, Marcus Gnaß wrote:
 Robert Cummings wrote:
  On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
  Tom Worster wrote:
  there's a control structure i wish php had: a simple block that you can
  break out of, e.g.
 
  As Maarten pointed out you could use a function. Another alternative is
  to use Exceptions which might be the most proper way to do it.
  
  That seems like an abuse of exceptions. But then we're already abusing
  loops. I just don't think one could say it's the proper way to do it :)
  
  Cheers,
  Rob.
 
 Why do you think it's an abuse of exceptions? If I have a block of code
 which I expect to run from the beginning to the end and I discover a
 situation where it's not appropriate to continue this block of code, it is
 what I would call an exception. Exceptions don't have to be errors or
 such. It's just a special situation ...

While exceptions can certainly be used in this context and in a valid
manner, there's a fine line between an exception and a condition. The OP
was processing code that didn't appear exceptional, he was merely
managing flow control of the logic. This is a condition, not an
exception.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] speaking of control structures...

2009-05-06 Thread Robert Cummings
On Wed, 2009-05-06 at 15:50 -0500, Shawn McKenzie wrote:
 Marcus Gnaß wrote:
  Robert Cummings wrote:
  On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
  Tom Worster wrote:
  there's a control structure i wish php had: a simple block that you can
  break out of, e.g.
  As Maarten pointed out you could use a function. Another alternative is
  to use Exceptions which might be the most proper way to do it.
  That seems like an abuse of exceptions. But then we're already abusing
  loops. I just don't think one could say it's the proper way to do it :)
 
  Cheers,
  Rob.
  
  Why do you think it's an abuse of exceptions? If I have a block of code
  which I expect to run from the beginning to the end and I discover a
  situation where it's not appropriate to continue this block of code, it is
  what I would call an exception. Exceptions don't have to be errors or
  such. It's just a special situation ...
  
  Marcus
 
 In the corner to my right, wearing black trunks, with orange and yellow
 trim, Marcus Gnaß...
 In the corner to my left, wearing pink trunks, trimmed in pink, Robert
 Cummings...
 
 DING!

Is that your fantasy Shawn? Me in a boxing ring in pink trim?? *shudder*

;)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





[PHP] SimpleXML Class

2009-05-06 Thread Cesco
Could you help me clarify one thing that I don't understand... let's  
put it simple, just imagine that I have a tiny XML document with a  
list of movies:


<movies>
<title>
<i>Gone</i> with <b>the</b> wind
</title>
</movies>

I want to read this XML file and write the name of the first (and
only) movie in the list; for this reason I have chosen to use
SimpleXML since it was looking quite user-friendly.


But there's a thing I don't understand... when I have some children,
how do I understand which is the first child and which is the last? I
have tried to write this, but I'm getting a wrong result: instead of
"Gone with the wind" I got "with wind Gone the", because I understand
that the tag <title> contains all the text that is not formatted, and
then it writes all the children of <title>: <i>Gone</i> and <b>the</b>


<?php

$xml = new SimpleXMLElement("<movies><title><i>Gone</i> with <b>the</b> wind</title></movies>");

echo ($xml->title . " ");
foreach ($xml->title->children() as $element) {
    echo ($element . " ");
}

// Returns "with wind Gone the"

?>

I'm using PHP 5.2.5, could you tell me what am I doing wrong ? Thank you




Re: [PHP] speaking of control structures...

2009-05-06 Thread Marcus Gnaß
Robert Cummings wrote:
 On Wed, 2009-05-06 at 22:23 +0200, Marcus Gnaß wrote:
 Robert Cummings wrote:
 On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
 Tom Worster wrote:
 there's a control structure i wish php had: a simple block that you can
 break out of, e.g.
 
 As Maarten pointed out you could use a function. Another alternative is
 to use Exceptions which might be the most proper way to do it.
 
 That seems like an abuse of exceptions. But then we're already abusing
 loops. I just don't think one could say it's the proper way to do it :)

 Why do you think it's an abuse of exceptions? If I have a block of code
 which I expect to run from the beginning to the end and I discover a
 situation where it's not appropriate to continue this block of code, it is
 what I would call an exception. Exceptions don't have to be errors or
 such. It's just a special situation ...
 
 While exceptions can certainly be used in this context and in a valid
 manner, there's a fine line between an exception and a condition. The OP
 was processing code that didn't appear exceptional, he was merely
 managing flow control of the logic. This is a condition, not an
 exception.

Agreed! He wrote:

if ( condition )
  break;

Although I had the impression that he expected the whole block of code
to be executed and just wanted to break from this block in an
exceptional situation.




Re: [PHP] speaking of control structures...

2009-05-06 Thread Nathan Rixham

Robert Cummings wrote:

On Wed, 2009-05-06 at 08:41 -0400, Tom Worster wrote:

On 5/6/09 7:05 AM, Robert Cummings rob...@interjinn.com wrote:


That seems like an abuse of exceptions. But then we're already abusing
loops. I just don't think one could say it's the proper way to do it :)

i don't have a lot of interest in the proper way to do things. i'm
interested in how other programmers actually do things.


I highly doubt they use exceptions.



lol hello - I always seem to want to reply to your posts Rob!

with exceptions.. if you're using an n-tier architecture then exceptions 
are the best thing to use here, you've got an exceptional state where 
criteria isn't met and this exception should be caught by the display 
layer and handled.


But this isn't a discussion with an OOP variant it's more procedural, so 
def out of place imho.


at the same time.. the functionality required and what is essentially a 
want for advanced separation of concerns is very oop so..


really.. this could easily be solved with OOP and it'd be an elegant 
reusable solution


regards!




Re: [PHP] speaking of control structures...

2009-05-06 Thread Clancy
On Wed, 06 May 2009 08:54:14 -0400, f...@thefsb.org (Tom Worster) wrote:

...
clancy, i can't argue with you. my desired usage of break is really just a
cover-up for a goto. i know.

it makes no logical sense but i think i'd sooner adopt oop than gotos. my
mom taught me to program back in the late 70s and early 80s. she was an old
hand. when FORTRAN 4 came out she thought it was the bees knees. when Z80
micros with MS-BASIC came out, she thought they were cute. when turbo pascal
came out on CP/M, she was impressed and taught me to quit using gotos.

so while it makes no logical sense, perhaps you can see that it makes
emotional sense.


I can understand your reluctance to disregard your mother's advice, but
unfortunately she had been brainwashed to accept the dogma of the day. I could
never understand the hysteria relating to GOTO. Certainly it could be abused,
as I knew to my cost, but it is clear and explicit, whereas both break and
exception are disguised GOTO's with ill-defined targets.

I started programming in 1967, in Fortran. There were only the most basic
computer manuals, and CSIRO (for whom I worked) had a little computer (a
CDC3200, with 32K of 24 bit words, and costing only $500,000) in each capital
city, and a big computer (a CDC3600, with 64K of 48 bit words, and costing
$2 million) in Canberra. Our local computer was at Clayton, and I worked at
Highett, so a courier collected our punch cards twice a day and took them to
the local computer, then brought back the results of the previous run, giving
effectively one and a half runs a day.

When I got ambitious, and needed to use the big computer, my cards were put on
to mag tape at Clayton, and flown to Canberra, where they were run through the
3600 overnight, and the results written back to mag tape. Next morning the
tapes were flown back to Melbourne, driven to Clayton, run through the 3200 to
produce listings, and these were then delivered back to Highett. The flights
were often delayed by fog in Canberra, and on average we got three runs a week.

Programming was in its infancy, and the idea of using a stack to handle
subroutines had not been introduced (at least by CDC). The Fortran provided an
assigned GOTO, which really was the perfect instruction for writing 'write
only' code. It also permitted you to jump indiscriminately into, or out of,
loops and subroutines, and it was probably abuse of these options which gave
the GOTO its bad name.

I was developing a program for analysing linear electronic circuits, and
effectively developed my own interpreted language. The program was very simple;
it consisted of a loop containing three assigned GOTO's:

start:  assign begin to switch_one
assign  

next:   read the next character
if it's a number, GOTO switch_one
if it's a punctuation mark, GOTO switch_two
GOTO switch_three

begin:
.
GOTO next
end:

I left CSIRO in 1973, and did not have access to a big computer until about
1983. By this time the assigned GOTO had long since vanished, and I had great
difficulty understanding my original logic, until I unrolled the inner loop
into a logical progression through the possible inputs.

For the next 20 years most of my programming was in 8x86 MASM. This also had
the GOTO, and I was able to write extremely complex programs, despite its
inherent verbosity, by developing subroutines to handle all the basic
procedures, and using GOTO's to define the control structure.





[PHP] Re: SimpleXML Class

2009-05-06 Thread Nathan Rixham

Cesco wrote:
Could you help me clarify one thing that I don't understand... let's put 
it simple, just imagine that I have a tiny XML document with a list of 
movies:


<movies>
<title>
<i>Gone</i> with <b>the</b> wind
</title>
</movies>

I want to read this XML file and write the name of the first (and only)
movie in the list; for this reason I have chosen to use SimpleXML since
it was looking quite user-friendly.


But there's a thing I don't understand... when I have some children, how
do I understand which is the first child and which is the last? I have
tried to write this, but I'm getting a wrong result: instead of "Gone
with the wind" I got "with wind Gone the", because I understand that the
tag <title> contains all the text that is not formatted, and then it
writes all the children of <title>: <i>Gone</i> and <b>the</b>


<?php

$xml = new SimpleXMLElement("<movies><title><i>Gone</i> with <b>the</b> wind</title></movies>");

echo ($xml->title . " ");

foreach ($xml->title->children() as $element) {
    echo ($element . " ");
}

// Returns "with wind Gone the"

?>


I'm using PHP 5.2.5, could you tell me what am I doing wrong ? Thank you


cdata

<movies>
<title>
<![CDATA[<i>Gone</i> with <b>the</b> wind]]>
</title>
</movies>
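
The CDATA suggestion above, next to a document-order walk of the original mixed-content title, as an added example that is not part of the thread. Both XML strings are built from Cesco's sample, and the simplexml and dom extensions are assumed.

```php
<?php
// Added example, not from the thread; both documents are constructed
// from the sample in the question.
$mixed = '<movies><title><i>Gone</i> with <b>the</b> wind</title></movies>';
$cdata = '<movies><title><![CDATA[<i>Gone</i> with <b>the</b> wind]]>'
       . '</title></movies>';

// With CDATA the <i> and <b> tags are plain character data, so <title>
// has no element children and the string cast returns the text whole.
$xml = new SimpleXMLElement($cdata);
$fromCdata = (string) $xml->title;
$childCount = count($xml->title->children());

// Without CDATA, <title> has mixed content. SimpleXML hands back the
// text nodes (string cast) and the element children (children())
// separately, which is how the word order got lost. The DOM child list
// keeps text and element nodes interleaved in document order.
$title = dom_import_simplexml(simplexml_load_string($mixed)->title);
$parts = array();
foreach ($title->childNodes as $node) {
    if ($node->nodeType === XML_ELEMENT_NODE) {
        $parts[] = '[' . $node->nodeName . ']' . $node->textContent;
    } else {
        $parts[] = $node->nodeValue; // text between the elements
    }
}
$inOrder = implode('', $parts);

// textContent concatenates every descendant text node, also in order.
$plain = $title->textContent;

printf("CDATA cast: %s (element children: %d)\n", $fromCdata, $childCount);
printf("DOM walk:   %s\n", $inOrder);
printf("Plain text: %s\n", $plain);
```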




[PHP] Remote MySQL Connecton Problems

2009-05-06 Thread Ray Hauge

Hello everyone,

I've run into a bit of a sticky situation trying to connect to a remote 
MySQL database.  Here's the background:


Connecting from the command line on the web server works.

Connecting from a different vhost works.

There's no information in mysql_error.  In fact, mysql_select_db('db') 
or die(mysql_error()); doesn't produce any output.


The only way I know this isn't working is when I try to run a query, the 
result resource is NULL.


If I copy the contents of the query and run it on the command line, from 
the web server, I get the results I expected.


I manage both servers.  I added the new login on the MySQL server and 
also ran flush privileges.  I've gone so far as to reboot both the MySQL 
process and the apache process.


The versions of MySQL are slightly different 5.0.24a (web) vs 5.0.36(db).

It's getting late and I'm just grasping for straws.

Thanks!
Ray




[PHP] XPath 2.0 in PHP 5.3

2009-05-06 Thread Raymond Irving

Hi,

Does anyone know if XPath 2.0 will be supported in 5.3?


__
Raymond Irving

