php-general Digest 18 Oct 2009 07:11:18 -0000 Issue 6396

2009-10-18 Thread php-general-digest-help


Topics (messages 299019 through 299025):

Re: How to pronounce PHP code over the phone?
299019 by: LinuxManMikeC

Re: Sanitizing potential MySQL strings with no database connection
299020 by: Dotan Cohen
299023 by: Tommy Pham
299025 by: Jim Lucas

Re: PHP broadcast mailer
299021 by: Manuel Lemos
299022 by: George Langley
299024 by: Paul M Foster

Administrivia:

To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
php-gene...@lists.php.net


--
---BeginMessage---
On Sat, Oct 17, 2009 at 11:42 AM, Dotan Cohen dotanco...@gmail.com wrote:
 As for following a convention, just
 get the PHP terminology right,

 That is what I was hoping to learn!


http://www.php.net/manual/en/langref.php
---End Message---
---BeginMessage---
 I don't think so since the mysql_real_escape_string() requires a connection 
 handler.  Why not use bind param?


Thanks. I just googled bind param but I am still a bit unclear as to
what is going on.

To be clear, I have a file of functions that I use in many scripts,
let's call it functions.inc. One of the functions calls
mysql_real_escape_string() but in order to do that it looks like I
have to connect to a database. However, different scripts connect to
different databases, and some do not connect to a database at all, so
I cannot simply connect to a database from the functions.inc file as
that will interfere with the database connections going on in the
scripts including that file.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
---End Message---
---BeginMessage---
----- Original Message -----
 From: Dotan Cohen dotanco...@gmail.com
 To: Tommy Pham tommy...@yahoo.com
 Cc: php-general. php-gene...@lists.php.net
 Sent: Sat, October 17, 2009 10:59:52 AM
 Subject: Re: [PHP] Sanitizing potential MySQL strings with no database  
 connection
 
  I don't think so since the mysql_real_escape_string() requires a connection 
 handler.  Why not use bind param?
 
 
 Thanks. I just googled bind param but I am still a bit unclear as to
 what is going on.
 
 To be clear, I have a file of functions that I use in many scripts,
 let's call it functions.inc. One of the functions calls
 mysql_real_escape_string() but in order to do that it looks like I
 have to connect to a database. However, different scripts connect to
 different databases, and some do not connect to a database at all, so
 I cannot simply connect to a database from the functions.inc file as
 that will interfere with the database connections going on in the
 scripts including that file.
 
 -- 
 Dotan Cohen
 
 http://what-is-what.com
 http://gibberish.co.il
 
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

I assumed the reason you wanted to escape the string was so that you could 
perform DB operations.  In your select/insert/update class(es)/function(s), you 
could just use prepare statement and bind param.  Thus, no need to escape the 
string to protect against injection.  It's also faster if by chance you're 
doing several updates/inserts due to the nature of prepare statement.  You 
could use a callback function in case you have a varying size array of 
parameters, making your code more adaptable and somewhat smaller.  I generally 
prefer using prepare statement + bind param over escape string + query for 
speed and flexibility.

http://www.php.net/manual/en/mysqli.prepare.php
http://www.php.net/manual/en/mysqli-stmt.bind-param.php

have good examples.

Regards,
Tommy

---End Message---
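
Added example, not part of the original thread or any poster's code: the prepare-and-bind approach described above, arranged so that the shared include file never needs a connection of its own. It uses PDO with in-memory SQLite (an assumption, so that it runs without a server) in place of the mysqli calls linked above; clean_input(), db_run() and open_demo_db() are hypothetical names and the sample rows are constructed.

```php
<?php
// functions.inc (hypothetical contents): nothing here opens or assumes a connection.

// Connection-free normalisation: the part of clean_mysql() that needs no database.
function clean_input(string $dirty): string
{
    return trim($dirty);
}

// Run a parameterised statement on whichever connection the calling script owns.
// Takes any number of parameters, so one helper serves every query.
function db_run(PDO $db, string $sql, array $params = []): PDOStatement
{
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($params)); // values travel separately from the SQL text
    return $stmt;
}

// Assumption: in-memory SQLite stands in for each script's own MySQL database.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, city TEXT)');
    return $db;
}

// Two scripts, two different databases, one shared helper file.
$shop = open_demo_db();
$blog = open_demo_db();

// Constructed inputs: one with an apostrophe, one containing SQL syntax.
$name = clean_input("  Miles O'Brien  ");
$odd  = clean_input("x' OR '1'='1");

db_run($shop, 'INSERT INTO people (name, city) VALUES (?, ?)', [$name, 'Dublin']);
db_run($blog, 'INSERT INTO people (name, city) VALUES (?, ?)', [$odd, 'Haifa']);

// Bound values are compared as data, so only an exact match is returned.
$hit  = db_run($shop, 'SELECT name FROM people WHERE name = ?', [$name])->fetchColumn();
$miss = db_run($shop, 'SELECT COUNT(*) FROM people WHERE name = ?', [$odd])->fetchColumn();
$kept = db_run($blog, 'SELECT name FROM people WHERE id = ?', [1])->fetchColumn();

var_dump($hit === "Miles O'Brien");   // apostrophe stored and matched unchanged
var_dump((int) $miss === 0);          // SQL-looking text matches no row in $shop
var_dump($kept === "x' OR '1'='1");   // and is stored literally in $blog
```
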

php-general Digest 18 Oct 2009 19:21:08 -0000 Issue 6397

2009-10-18 Thread php-general-digest-help


Topics (messages 299026 through 299034):

Re: Sanitizing potential MySQL strings with no database connection
299026 by: Dotan Cohen
299027 by: Kim Madsen
299034 by: Dotan Cohen

Using setters/getters with array of objects
299028 by: mbneto
299029 by: Andy Shellam (Mailing Lists)
299030 by: Tommy Pham

ip-to-country
299031 by: SED
299032 by: Michael Shadle
299033 by: Per Jessen


Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-18 Thread Jim Lucas

Dotan Cohen wrote:

How can I configure mysql_real_escape_string() to _not_ need a
database connection in order to do its work on a string. I understand
that the function wants a database connection to determine which
charset / encoding is in use, but in my case it will always be UTF-8.

I have a file of reusable functions that I include in several scripts,
one of them is a MySQL sanitation function, like this:
function clean_mysql ($dirty) {
$dirty=trim($dirty);
$clean=mysql_real_escape_string($dirty);
return $clean;
}

As different scripts reuse this code but connect to different
databases, I need the function to work independently of the database
connection. In other words, the include file cannot connect to the
database but it still must perform the mysql_real_escape_string()
function on UTF-8 data.

Thanks in advance for any ideas.



What is your intention when calling this function, if you are not connecting to a DB?  I realize you 
want to sanitize a string, but why?  The only reason to use mysql_real_escape_string() would be to 
sanitize a string to prepare it to be used in a query against a mysql database.


If you are simply looking to escape a (UTF-8) string, why not just use the other built in escape 
functions from PHP?


What does mysql_real_escape_string() offer you that addslashes(), addcslashes(), htmlentities(), 
quotemeta(), htmlspecialchars(), etc... would not offer you?


What type of data are you trying to protect yourself from?  And what are you planning on doing with 
the output?


--
Jim Lucas

   Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-18 Thread Dotan Cohen
 I assumed the reason you wanted to escape the string was so that you could 
 perform DB operations.

Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connects to a different database or may not connect to a database
at all, so I cannot rely on there existing a database connection. The
workaround would be to include this particular function in a separate
include file to only be included when a database connection is
present, but I would like to find a better way as I find it most
maintainable to have all my reused functions in a single file.

To give you an idea, the file contains these functions:
function clean_mysql ($dirty)
function clean_html ($dirty)
function make_paginated_links_menu ($pages, $difference)
function obfuscate_email_address ($address)

Not all functions are used in all pages, however, this file of
reusable functions is included in all of them. Only the clean_mysql
function gives me trouble because I cannot ensure a database
connection.

 In your select/insert/update class(es)/function(s), you could just use 
 prepare statement and bind param.  Thus, no need
 to escape the string to protect against injection.  It's also faster if by 
 chance you're doing several updates/inserts due
 to the nature of prepare statement.  You could use a callback function in 
 case you have a varying size array of
 parameters, making your code more adaptable and somewhat smaller.  I 
 generally prefer using prepare statement +
 bind param over escape string + query for speed and flexibility.

 http://www.php.net/manual/en/mysqli.prepare.php
 http://www.php.net/manual/en/mysqli-stmt.bind-param.php

 have good examples.


Thanks. Going through those pages, I see that it is not what I need.
It is good to know, though.


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-18 Thread Kim Madsen

Dotan Cohen wrote on 2009-10-18 10:52:

I assumed the reason you wanted to escape the string was so that you could 
perform DB operations.


Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a different database or may not connect to a database
at all, so I cannot rely on there existing a database connection. 



test if you have a db connection in the function, if not, skip MRES and 
other mysql_ functions?


In my opinion it's bad code to use a mysql_* function on an Oracle db 
(and vice versa) or on a string for that matter. It lies in the naming 
of the function what it's designed to do and work on. If you want a 
general function to sanitize an input, make your own function 
sanitize_input() based on ereg_* and/or str_replace and the likes.


--
Kind regards
Kim Emax




[PHP] Using setters/getters with array of objects

2009-10-18 Thread mbneto
Hi,

I have two classes User and Email where one User can have many Emails so
I've done like this

class Email
{
    protected $_email;

    public function __get($name)
    {
        $property = '_' . $name;
        return $this->$property;
    }

    public function __set($name, $value)
    {
        $property = '_' . $name;
        $this->$property = $value;
    }
}


class User
{
    protected $_name;
    protected $_emails = array();

    public function __get($name)
    {
        $property = '_' . $name;
        return $this->$property;
    }

    public function __set($name, $value)
    {
        $property = '_' . $name;
        $this->$property = $value;
    }

}

So I'd like to

$u = new User();
$u->name = '';

$e = new Email();
$e->email = 'x...@.com';

$u->emails[] = $e;

But that does not work.  I've managed to achieve similar result using a
different setter in User

public function __set($name, $value)
{
    $property = '_' . $name;

    switch($name)
    {
        case 'emails':
            array_push($this->$property, $value);
            break;

        default:
            $this->$property = $value;
    }
}

And then

$u = new User();
$u->name = '';

$e = new Email();
$e->email = 'x...@.com';

$u->emails = $e;

But this can confuse the programmer.  Any ideas of why it is not working?


Re: [PHP] Using setters/getters with array of objects

2009-10-18 Thread Andy Shellam (Mailing Lists)

Hi,



$u->emails[] = $e;


I would hazard a guess because $u->emails isn't a concrete object
(whereas $u->_emails is, but is private.)  It's sort of a virtual
reference - PHP has no way of knowing that $u->emails actually
translates into _emails which is an array, if you see what I mean
(it's difficult to explain.)


But that does not work.  I've managed to achieve similar result using a
different setter in User

   public function __set($name, $value)
   {
       $property = '_' . $name;

       switch($name)
       {
           case 'emails':
               array_push($this->$property, $value);
               break;

           default:
               $this->$property = $value;
       }
   }


You could also have done:

if (is_array($this->$property))
{
    array_push($this->$property, $value);
}
else
{
    $this->$property = $value;
}

which would handle any array property, not just the e-mails property.

If this was me, I would probably create a concrete method, called
addEmail which would do $this->_emails[] = $value, but allow a
programmer to call $user->emails to get the e-mails (not set.)
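
Added example, not code from any poster in the thread: one way to write the addEmail approach suggested above, with magic access kept for reading only. The constructor, setName() and the exceptions thrown are assumptions of this example, and the addresses are constructed.

```php
<?php
class Email
{
    protected $_email;

    public function __construct(string $email)
    {
        $this->_email = $email;
    }

    public function __get($name)
    {
        $property = '_' . $name;
        return $this->$property;
    }
}

class User
{
    protected $_name;
    protected $_emails = array();

    // Read access only. __get() hands back a copy of the array, so
    // "$u->emails[] = $e" would append to that copy and leave $_emails untouched.
    public function __get($name)
    {
        $property = '_' . $name;
        if (!property_exists($this, $property)) {
            throw new OutOfRangeException("No such property: $name");
        }
        return $this->$property;
    }

    // Block "$u->emails = ..." so it cannot replace the list or create a
    // dynamic property that would shadow __get().
    public function __set($name, $value)
    {
        throw new LogicException("Property $name is read-only; use setName() or addEmail()");
    }

    public function setName(string $name): void
    {
        $this->_name = $name;
    }

    // The single, explicit way to add an address; the type hint rejects
    // anything that is not an Email object.
    public function addEmail(Email $email): void
    {
        $this->_emails[] = $email;
    }
}

$u = new User();
$u->setName('Example User');
$u->addEmail(new Email('first@example.com'));
$u->addEmail(new Email('second@example.com'));

// Reading through the magic getter still works.
foreach ($u->emails as $e) {
    echo $e->email, PHP_EOL;
}
```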




Re: [PHP] Using setters/getters with array of objects

2009-10-18 Thread Tommy Pham
----- Original Message -----
 From: mbneto mbn...@gmail.com
 To: php-general@lists.php.net
 Sent: Sun, October 18, 2009 8:31:53 AM
 Subject: [PHP] Using setters/getters with array of objects
 
 Hi,
 
 I have two classes User and Email where one User can have many Emails so
 I've done like this
 
 class Email
 {
     protected $_email;

     public function __get($name)
     {
         $property = '_' . $name;
         return $this->$property;
     }

     public function __set($name, $value)
     {
         $property = '_' . $name;
         $this->$property = $value;
     }
 }


 class User
 {
     protected $_name;
     protected $_emails = array();

     public function __get($name)
     {
         $property = '_' . $name;
         return $this->$property;
     }

     public function __set($name, $value)
     {
         $property = '_' . $name;
         $this->$property = $value;
     }

 }

 So I'd like to

 $u = new User();
 $u->name = '';

 $e = new Email();
 $e->email = 'x...@.com';

 $u->emails[] = $e;
 
 But that does not work.  I've managed to achieve similar result using a
 different setter in User

Of course it doesn't work because you didn't have a 'set' method for the 
protected $_emails.
http://www.php.net/manual/en/language.oop5.visibility.php

 
 public function __set($name, $value)
 {
     $property = '_' . $name;

     switch($name)
     {
         case 'emails':
             array_push($this->$property, $value);
             break;

         default:
             $this->$property = $value;
     }
 }

 And then

 $u = new User();
 $u->name = '';

 $e = new Email();
 $e->email = 'x...@.com';

 $u->emails = $e;
 
 But this can confuse the programmer.  Any ideas of why it is not working?

I suggest you don't use magic methods as it's too ambiguous and hard to expand 
your code later.  Your 2 classes could be summarized as 1 class below:

class User
{
    protected $_name;
    protected $_emails = array();

    public function getName()
    {
        return $this->_name;
    }

    public function setName($value)
    {
        $this->_name = $value;
    }

    // Return the whole list of e-mails
    public function getEmails() {
        return $this->_emails;
    }

    // Replace the whole list of e-mails
    public function setEmails($arrayList) {
        $this->_emails = $arrayList;
    }

    // Store one e-mail under a key
    public function setEmail($name, $value) {
        $this->_emails[$name] = $value;
    }

    // Fetch one e-mail by key, or null if it is not set
    public function getEmail($name) {
        if (isset($this->_emails[$name]))
            return $this->_emails[$name];
        else
            return null;
    }
}

$u = new User();
$u->setName('jon doe');
$u->setEmail('email1', 'j...@inter.net');

Regards,
Tommy





[PHP] ip-to-country

2009-10-18 Thread SED
Hi,

How can I access an index for IP to a country (or a more detailed location)?
I have not yet found a function for that in PHP nor a free to use website
that offers a remote search.

Perhaps, there is another solution - any ideas?

Regards,
Summi







Re: [PHP] ip-to-country

2009-10-18 Thread Michael Shadle
http://pecl.php.net/package/geoip   however I tried a few IPs once and
it was unknowns



On Sun, Oct 18, 2009 at 12:03 PM, SED s...@sed.is wrote:
 Hi,

 How can I access an index for IP to a country (or a more detailed location)?
 I have not yet found a function for that in PHP nor a free to use website
 that offers a remote search.

 Perhaps, there is another solution - any ideas?

 Regards,
 Summi







Re: [PHP] ip-to-country

2009-10-18 Thread Per Jessen
SED wrote:

 Hi,
 
 How can I access an index for IP to a country (or a more detailed
 location)? I have not yet found a function for that in PHP nor a free
 to use website that offers a remote search.
 
 Perhaps, there is another solution - any ideas?

DNS lookup - see http://countries.nerd.dk


/Per

-- 
Per Jessen, Zürich (4.9°C)





Re: [PHP] Sanitizing potential MySQL strings with no database connection

2009-10-18 Thread Dotan Cohen
 test if you have a db connection in the function, if not, skip MRES and
 other mysql_ functions?


I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645

 In my opinion it's bad code to use a mysql_* function on an Oracle db (and
 vice versa) or on a string for that matter. It lies in the naming of the
 function what it's designed to do and work on. If you want a general
 function to sanitize an input, make your own function sanitize_input() based
 on ereg_* and/or str_replace and the likes.


All the connections are to MySQL databases, but to _different_ MySQL
databases on the same host.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] ip-to-country

2009-10-18 Thread George Langley

On 18-Oct-09, at 1:03 PM, SED wrote:


How can I access an index for IP to a country (or a more detailed  
location)?


http://www.maxmind.com/app/ip-location

has both free and various paid services.

George
