php-general Digest 18 Oct 2009 07:11:18 -0000 Issue 6396
Topics (messages 299019 through 299025):

Re: How to pronounce PHP code over the phone?
  299019 by: LinuxManMikeC

Re: Sanitizing potential MySQL strings with no database connection
  299020 by: Dotan Cohen
  299023 by: Tommy Pham
  299025 by: Jim Lucas

Re: PHP broadcast mailer
  299021 by: Manuel Lemos
  299022 by: George Langley
  299024 by: Paul M Foster

Administrivia:
To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail: php-gene...@lists.php.net

---BeginMessage---
Re: How to pronounce PHP code over the phone? (LinuxManMikeC)

On Sat, Oct 17, 2009 at 11:42 AM, Dotan Cohen <dotanco...@gmail.com> wrote:
>> As for following a convention, just get the PHP terminology right,
>
> That is what I was hoping to learn!

http://www.php.net/manual/en/langref.php
---End Message---

---BeginMessage---
Re: Sanitizing potential MySQL strings with no database connection (Dotan Cohen)

> I don't think so since the mysql_real_escape_string() requires a
> connection handler. Why not use bind param?

Thanks. I just googled bind param but I am still a bit unclear as to what is going on.

To be clear, I have a file of functions that I use in many scripts, let's call it functions.inc. One of the functions calls mysql_real_escape_string() but in order to do that it looks like I have to connect to a database. However, different scripts connect to different databases, and some do not connect to a database at all, so I cannot simply connect to a database from the functions.inc file as that will interfere with the database connections going on in the scripts including that file.

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
---End Message---

---BeginMessage---
Re: Sanitizing potential MySQL strings with no database connection (Tommy Pham)

----- Original Message -----
From: Dotan Cohen <dotanco...@gmail.com>
To: Tommy Pham <tommy...@yahoo.com>
Cc: php-general <php-gene...@lists.php.net>
Sent: Sat, October 17, 2009 10:59:52 AM
Subject: Re: [PHP] Sanitizing potential MySQL strings with no database connection

>> I don't think so since the mysql_real_escape_string() requires a
>> connection handler. Why not use bind param?
>
> Thanks. I just googled bind param but I am still a bit unclear as to what
> is going on.
>
> To be clear, I have a file of functions that I use in many scripts, let's
> call it functions.inc. One of the functions calls
> mysql_real_escape_string() but in order to do that it looks like I have to
> connect to a database. However, different scripts connect to different
> databases, and some do not connect to a database at all, so I cannot
> simply connect to a database from the functions.inc file as that will
> interfere with the database connections going on in the scripts including
> that file.
>
> --
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

I assumed the reason you wanted to escape the string was so that you could perform DB operations. In your select/insert/update class(es)/function(s), you could just use a prepared statement and bind param. Thus, no need to escape the string to protect against injection. It's also faster if by chance you're doing several updates/inserts due to the nature of prepared statements. You could use a callback function in case you have a varying size array of parameters, making your code more adaptable and somewhat smaller. I generally prefer using prepared statement + bind param over escape string + query for speed and flexibility.

http://www.php.net/manual/en/mysqli.prepare.php
http://www.php.net/manual/en/mysqli-stmt.bind-param.php

have good examples.

Regards,
Tommy
---End Message---
php-general Digest 18 Oct 2009 19:21:08 -0000 Issue 6397
Topics (messages 299026 through 299034):

Re: Sanitizing potential MySQL strings with no database connection
  299026 by: Dotan Cohen
  299027 by: Kim Madsen
  299034 by: Dotan Cohen

Using setters/getters with array of objects
  299028 by: mbneto
  299029 by: Andy Shellam (Mailing Lists)
  299030 by: Tommy Pham

ip-to-country
  299031 by: SED
  299032 by: Michael Shadle
  299033 by: Per Jessen
Re: [PHP] Sanitizing potential MySQL strings with no database connection
Dotan Cohen wrote:
> How can I configure mysql_real_escape_string() to _not_ need a database
> connection in order to do its work on a string. I understand that the
> function wants a database connection to determine which charset / encoding
> is in use, but in my case it will always be UTF-8.
>
> I have a file of reusable functions that I include in several scripts, one
> of them is a MySQL sanitation function, like this:
>
>     function clean_mysql ($dirty) {
>         $dirty = trim($dirty);
>         $clean = mysql_real_escape_string($dirty);
>         return $clean;
>     }
>
> As different scripts reuse this code but connect to different databases, I
> need the function to work independently of the database connection. In
> other words, the include file cannot connect to the database but it still
> must perform the mysql_real_escape_string() function on UTF-8 data.
>
> Thanks in advance for any ideas.

What is your intention when calling this function, if you are not connecting to a DB? I realize you want to sanitize a string, but why?

The only reason to use mysql_real_escape_string() would be to sanitize a string to prepare it to be used in a query against a mysql database.

If you are simply looking to escape a (UTF-8) string, why not just use the other built-in escape functions from PHP? What does mysql_real_escape_string() offer you that addslashes(), addcslashes(), htmlentities(), quotemeta(), htmlspecialchars(), etc... would not offer you?

What type of data are you trying to protect yourself from? And what are you planning on doing with the output?

--
Jim Lucas

Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them.
Twelfth Night, Act II, Scene V by William Shakespeare
Re: [PHP] Sanitizing potential MySQL strings with no database connection
> I assumed the reason you wanted to escape the string was so that you could
> perform DB operations.

Yes, that is my intention. However, the function is found in an include file of functions used in many different scripts, each of which connects to a different database or may not connect to a database at all, so I cannot rely on there being a database connection. The workaround would be to include this particular function in a separate include file to only be included when a database connection is present, but I would like to find a better way as I find it most maintainable to have all my reused functions in a single file.

To give you an idea, the file contains these functions:

    function clean_mysql ($dirty)
    function clean_html ($dirty)
    function make_paginated_links_menu ($pages, $difference)
    function obfuscate_email_address ($address)

Not all functions are used in all pages, however, this file of reusable functions is included in all of them. Only the clean_mysql function gives me trouble because I cannot ensure a database connection.

> In your select/insert/update class(es)/function(s), you could just use a
> prepared statement and bind param. Thus, no need to escape the string to
> protect against injection. It's also faster if by chance you're doing
> several updates/inserts due to the nature of prepared statements. You
> could use a callback function in case you have a varying size array of
> parameters, making your code more adaptable and somewhat smaller. I
> generally prefer using prepared statement + bind param over escape string
> + query for speed and flexibility.
>
> http://www.php.net/manual/en/mysqli.prepare.php
> http://www.php.net/manual/en/mysqli-stmt.bind-param.php
>
> have good examples.

Thanks. Going through those pages, I see that it is not what I need. It is good to know, though.

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
Re: [PHP] Sanitizing potential MySQL strings with no database connection
Dotan Cohen wrote on 2009-10-18 10:52:
>> I assumed the reason you wanted to escape the string was so that you
>> could perform DB operations.
>
> Yes, that is my intention. However, the function is found in an include
> file of functions used in many different scripts, each of which connects
> to a different database or may not connect to a database at all, so I
> cannot rely on there being a database connection.

Test if you have a db connection in the function, if not, skip MRES and other mysql_ functions?

In my opinion it's bad code to use a mysql_* function on an Oracle db (and vice versa) or on a string for that matter. It lies in the naming of the function what it's designed to do and work on. If you want a general function to sanitize an input, make your own function sanitize_input() based on ereg_* and/or str_replace and the likes.

--
Kind regards
Kim Emax
[PHP] Using setters/getters with array of objects
Hi,

I have two classes User and Email where one User can have many Emails so I've done it like this:

    class Email {
        protected $_email;

        public function __get($name) {
            $property = '_' . $name;
            return $this->$property;
        }

        public function __set($name, $value) {
            $property = '_' . $name;
            $this->$property = $value;
        }
    }

    class User {
        protected $_name;
        protected $_emails = array();

        public function __get($name) {
            $property = '_' . $name;
            return $this->$property;
        }

        public function __set($name, $value) {
            $property = '_' . $name;
            $this->$property = $value;
        }
    }

So I'd like to

    $u = new User();
    $u->name = '';
    $e = new Email();
    $e->email = 'x...@.com';
    $u->emails[] = $e;

But that does not work. I've managed to achieve a similar result using a different setter in User

    public function __set($name, $value) {
        $property = '_' . $name;
        switch ($name) {
            case 'emails':
                array_push($this->$property, $value);
                break;
            default:
                $this->$property = $value;
        }
    }

And then

    $u = new User();
    $u->name = '';
    $e = new Email();
    $e->email = 'x...@.com';
    $u->emails = $e;

But this can confuse the programmer. Any ideas of why it is not working?
Re: [PHP] Using setters/getters with array of objects
Hi,

>     $u->emails[] = $e;

I would hazard a guess because $u->emails isn't a concrete object (whereas $u->_emails is, but is private.) It's sort of a virtual reference - PHP has no way of knowing that $u->emails actually translates into _emails which is an array, if you see what I mean (it's difficult to explain.)

> But that does not work. I've managed to achieve a similar result using a
> different setter in User
>
>     public function __set($name, $value) {
>         $property = '_' . $name;
>         switch ($name) {
>             case 'emails':
>                 array_push($this->$property, $value);
>                 break;
>             default:
>                 $this->$property = $value;
>         }
>     }

You could also have done:

    if (is_array($this->$property)) {
        array_push($this->$property, $value);
    } else {
        $this->$property = $value;
    }

which would handle any array property, not just the e-mails property.

If this was me, I would probably create a concrete method, called addEmail which would do $this->_emails[] = $value, but allow a programmer to call $user->emails to get the e-mails (not set.)
Re: [PHP] Using setters/getters with array of objects
----- Original Message -----
From: mbneto <mbn...@gmail.com>
To: php-general@lists.php.net
Sent: Sun, October 18, 2009 8:31:53 AM
Subject: [PHP] Using setters/getters with array of objects

> Hi,
>
> I have two classes User and Email where one User can have many Emails so
> I've done it like this:
>
>     class Email {
>         protected $_email;
>
>         public function __get($name) {
>             $property = '_' . $name;
>             return $this->$property;
>         }
>
>         public function __set($name, $value) {
>             $property = '_' . $name;
>             $this->$property = $value;
>         }
>     }
>
>     class User {
>         protected $_name;
>         protected $_emails = array();
>
>         public function __get($name) {
>             $property = '_' . $name;
>             return $this->$property;
>         }
>
>         public function __set($name, $value) {
>             $property = '_' . $name;
>             $this->$property = $value;
>         }
>     }
>
> So I'd like to
>
>     $u = new User();
>     $u->name = '';
>     $e = new Email();
>     $e->email = 'x...@.com';
>     $u->emails[] = $e;
>
> But that does not work. I've managed to achieve a similar result using a
> different setter in User

Of course it doesn't work because you didn't have a 'set' method for the protected $_emails.
http://www.php.net/manual/en/language.oop5.visibility.php

>     public function __set($name, $value) {
>         $property = '_' . $name;
>         switch ($name) {
>             case 'emails':
>                 array_push($this->$property, $value);
>                 break;
>             default:
>                 $this->$property = $value;
>         }
>     }
>
> And then
>
>     $u = new User();
>     $u->name = '';
>     $e = new Email();
>     $e->email = 'x...@.com';
>     $u->emails = $e;
>
> But this can confuse the programmer. Any ideas of why it is not working?

I suggest you don't use magic methods as it's too ambiguous and hard to expand your code later. Your 2 classes could be summarized as 1 class below:

    class User {
        protected $_name;
        protected $_emails = array();

        public function getName() {
            return $this->_name;
        }

        public function setName($value) {
            $this->_name = $value;
        }

        public function getEmails() {
            return $this->_emails;
        }

        public function setEmails($arrayList) {
            $this->_emails = $arrayList;
        }

        public function setEmail($name, $value) {
            $this->_emails[$name] = $value;
        }

        public function getEmail($name) {
            if (isset($this->_emails[$name]))
                return $this->_emails[$name];
            else
                return null;
        }
    }

    $u = new User();
    $u->setName('jon doe');
    $u->setEmail('email1', 'j...@inter.net');

Regards,
Tommy
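Added example, not code from any post in this thread: the reason `$u->emails[] = $e` silently does nothing is that a plain `__get()` returns a copy of the array, and PHP warns "Indirect modification of overloaded property User::$emails has no effect". Returning by reference fixes that; the explicit addEmail() method Andy suggests avoids the magic entirely, and a whitelist in the accessors stops callers from creating or overwriting arbitrary properties by name. Assumes PHP 8.0 or later; class names follow the original post.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Requires PHP 8.0+.

final class Email
{
    public function __construct(public string $address) {}
}

final class User
{
    protected string $_name = '';
    /** @var Email[] */
    protected array $_emails = [];

    // Only these names may be reached through the magic accessors. Rejecting
    // everything else stops $user->anything = ... from creating or
    // overwriting properties the class never meant to expose.
    private const EXPOSED = ['name', 'emails'];

    private static function backing(string $name): string
    {
        if (!in_array($name, self::EXPOSED, true)) {
            throw new OutOfRangeException("Unknown property '$name'");
        }
        return '_' . $name;
    }

    // Returning by reference (&) is what makes `$u->emails[] = $e` work:
    // with a plain __get() PHP hands back a copy and warns
    // "Indirect modification of overloaded property User::$emails has no effect".
    public function &__get(string $name): mixed
    {
        $prop = self::backing($name);
        return $this->$prop;
    }

    public function __set(string $name, mixed $value): void
    {
        $prop = self::backing($name);
        if ($prop === '_emails' && !is_array($value)) {
            throw new TypeError('emails must be assigned an array of Email');
        }
        $this->$prop = $value;
    }

    // Explicit alternative suggested in the thread: no magic, type-checked.
    public function addEmail(Email $e): void
    {
        $this->_emails[] = $e;
    }
}

$u = new User();
$u->name = 'jon doe';
$u->emails[] = new Email('first@example.com');   // works via &__get()
$u->addEmail(new Email('second@example.com'));   // same effect, explicit
assert(count($u->emails) === 2);
$u->emails = 'oops';                              // throws TypeError
```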
[PHP] ip-to-country
Hi,

How can I access an index for IP to a country (or a more detailed location)? I have not yet found a function for that in PHP nor a free-to-use website that offers a remote search. Perhaps there is another solution - any ideas?

Regards,
Summi
Re: [PHP] ip-to-country
http://pecl.php.net/package/geoip

however I tried a few IPs once and it was unknowns

On Sun, Oct 18, 2009 at 12:03 PM, SED <s...@sed.is> wrote:
> Hi,
>
> How can I access an index for IP to a country (or a more detailed
> location)? I have not yet found a function for that in PHP nor a
> free-to-use website that offers a remote search. Perhaps there is another
> solution - any ideas?
>
> Regards,
> Summi
Re: [PHP] ip-to-country
SED wrote:
> Hi,
>
> How can I access an index for IP to a country (or a more detailed
> location)? I have not yet found a function for that in PHP nor a
> free-to-use website that offers a remote search. Perhaps there is another
> solution - any ideas?

DNS lookup - see http://countries.nerd.dk

/Per

--
Per Jessen, Zürich (4.9°C)
Re: [PHP] Sanitizing potential MySQL strings with no database connection
> Test if you have a db connection in the function, if not, skip MRES and
> other mysql_ functions?

I thought that one could not test if a database connection is established or not; this is the most relevant thing that I found while googling that:
http://bugs.php.net/bug.php?id=29645

> In my opinion it's bad code to use a mysql_* function on an Oracle db (and
> vice versa) or on a string for that matter. It lies in the naming of the
> function what it's designed to do and work on. If you want a general
> function to sanitize an input, make your own function sanitize_input()
> based on ereg_* and/or str_replace and the likes.

All the connections are to MySQL databases, but to _different_ MySQL databases on the same host.

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
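Added example, not code from any post in this thread, putting the two suggestions above together: Tommy's prepared statement with a bound parameter, which removes the need to escape at all, and Kim's "test for a connection" check, done by passing the connection object into the shared function instead of relying on global state. It uses mysqli, since ext/mysql and mysql_real_escape_string() were removed in PHP 7; the users(id, email) table and the DB_* values are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Uses mysqli because ext/mysql
// (mysql_real_escape_string) was removed in PHP 7. The users(id, email)
// table and the DB_* connection values are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

// The thread's clean_mysql(), with the connection passed in rather than
// taken from global state. Escaping depends on the connection's character
// set, so a caller without a connection gets an exception instead of a
// string that merely looks escaped (addslashes() is not a substitute).
function clean_mysql(?mysqli $link, string $dirty): string
{
    if ($link === null) {
        throw new LogicException('clean_mysql() needs an open mysqli connection');
    }
    return $link->real_escape_string(trim($dirty));
}

// Tommy's suggestion: bind the value instead of escaping it. The untrusted
// input travels separately from the SQL text, so nothing is escaped and the
// shared function no longer cares which database the calling script uses.
function find_user_by_email(mysqli $link, string $email): ?array
{
    $stmt = $link->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $address);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['id' => $id, 'email' => $address] : null;
}

// Each script opens its own connection and hands it to the include file's
// functions explicitly; that object is the "is there a connection?" test.
$link = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$link->set_charset('utf8mb4'); // escaping and binding both use this charset

$email = $_GET['email'] ?? '';
$user  = find_user_by_email($link, is_string($email) ? $email : '');

// Escaping stays available for the rare query a driver cannot parameterize,
// and it stays tied to the connection whose charset it was computed for.
$escaped = clean_mysql($link, "O'Brien");
```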
Re: [PHP] ip-to-country
On 18-Oct-09, at 1:03 PM, SED wrote:
> How can I access an index for IP to a country (or a more detailed
> location)?

http://www.maxmind.com/app/ip-location has both free and various paid services.

George