Re: [PHP] Newbie is trying to set up OOP With PHP and MySQL or MySQLi database class (using CRUD)

2013-02-14 Thread Haluk Karamete
I recommend a third option, that is PDO.

Start here please. http://net.tutsplus.com/?s=pdo

On Thu, Feb 14, 2013 at 9:49 AM, dealTek deal...@gmail.com wrote:
 Hi everybody,

 Newbie is trying to set up OOP With PHP and MySQL or MySQLi database class 
 (using CRUD)

 Simple story: creating this database class by myself is way over my head. So
 it would be best for me to find something on the Internet that has already been
 created and is working to pro specs (using CRUD with good security etc).

 In my studying, it seems that there is a difference between MySQL and MySQLi
 - MySQLi being the preferred choice if I understand correctly.

 There are lots of examples on the Internet, however I don't know enough about
 it to know a good starting example from a bad starting example, so I would
 much appreciate any assistance pointing me towards a good starting point.

 This seems a good start to my untrained eye, but it seems to be for mysql -
 not mysqli...

 http://net.tutsplus.com/tutorials/php/real-world-oop-with-php-and-mysql/

 http://www.dreamincode.net/forums/topic/223360-connect-to-your-database-using-oop-php5-with-mysql-and-mysqli/

 http://snipplr.com/view/8417/

 http://snipplr.com/view/12535/

 any assistance is appreciated!

 --
 Thanks,
 Dave - DealTek
 deal...@gmail.com
 [db-3]


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php





Re: [PHP] Re: Newbie is trying to set up OOP With PHP and MySQL or MySQLi database class (using CRUD)

2013-02-14 Thread Haluk Karamete
Also worth checking http://justinvincent.com/ezsql,
which is the class behind WordPress' wpdb class.

This is a great read too -
http://www.devarticles.com/c/a/MySQL/PHP-and-Databases-for-the-Lazy-Sod/

On Thu, Feb 14, 2013 at 10:30 AM, dealTek deal...@gmail.com wrote:



 And here Jeffrey Way discusses the PDO API:

 http://net.tutsplus.com/tutorials/php/php-database-access-are-you-doing-it-correctly/

 --
 Thanks,
 Dave - DealTek
 deal...@gmail.com
 [db-3]







Re: [PHP] Joining a team, where no wiki or docs are available

2012-09-24 Thread Haluk Karamete
I would first start out by checking the code where user input is
taken and then placed into SQL statements, from a SQL injection point
of view. I would also take a look at whether user input is echoed back without
any treatment, to see if there are issues with XSS.

If these checks show that the previous programming was done carelessly, I
would call the IT department to an immediate meeting to discuss this
matter.

At that time, you either convince the IT department that the code
needs to be re-written, or a great deal of patch work is due. But many times,
writing code from the ground up yields way better results than trying
to fix the problematic code.

I think there are two kinds of programmers: those who do what they
are told and could not care less about the rest, and those who stop their
bosses and guide them onto the proper track.


On Mon, Sep 24, 2012 at 7:05 AM, AmirBehzad Eslami
behzad.esl...@gmail.com wrote:
 Hi,

 I'm going to join a mid-size company with a few PHP-driven projects
 written in procedural PHP, a million years old.

 At the moment, they don't have a wiki or any documentation about their
 projects. For me, the first challenge in the probation period is to understand
 how their code works.

 *Considering that there is no wiki or docs, how can I see the Big Picture?*
 I'm sure this is a common problem for programmers everywhere.

 What approach do you use in a similar situation?
 Is there a systematic approach for this?
 Is there a reverse-engineering technique to understand the design of code?

 Please share your experience and thoughts.

 -Thanks in advance,
 Behzad
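As an added example, not code from anyone in this thread: a first-pass triage script in PHP for the two checks described in the reply above. It flags lines where a raw request superglobal is used on the same line as a SQL call (the injection review) or an echo/print (the XSS review), and is run here over a constructed sample file standing in for one file of the legacy code base. The function and file names are mine; nothing here comes from the company's code.

```php
<?php
// Added example, not code from this thread. Flags lines where a raw request
// superglobal appears on the same line as a SQL call (injection review) or an
// echo/print (XSS review). A single-line heuristic: input that is copied into
// a variable first will not be caught and still needs manual reading.
declare(strict_types=1);

function findRawInputSinks(string $code): array
{
    $hits = [];
    foreach (explode("\n", $code) as $i => $line) {
        // Only lines that touch a request superglobal are of interest.
        if (!preg_match('/\$_(GET|POST|REQUEST|COOKIE)\[/', $line)) {
            continue;
        }
        // Same line also contains a SQL sink or an output sink.
        if (preg_match('/mysqli?_query|->query\(|\b(echo|print)\b/', $line)) {
            $hits[] = ['line' => $i + 1, 'code' => trim($line)];
        }
    }
    return $hits;
}

// Walks a directory tree and reports every hit as "path:line: code".
function scanTree(string $dir): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($files as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $code = file_get_contents($file->getPathname());
            foreach (findRawInputSinks($code) as $hit) {
                $report[] = $file->getPathname() . ':' . $hit['line'] . ': ' . $hit['code'];
            }
        }
    }
    return $report;
}

// Constructed sample standing in for one file of the legacy code base.
$sample = <<<'PHP'
<?php
$q = mysql_query("SELECT * FROM users WHERE name = '" . $_GET['name'] . "'");
echo "Results for " . $_GET['name'];
$id = (int) $_POST['id'];
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
PHP;

print_r(findRawInputSinks($sample));
```

Run on the sample, the second and third lines are reported (raw `$_GET` going into a query string and into output); the cast `$_POST['id']` and the prepared statement are not. On a real tree call `scanTree('/path/to/project')` and read the resulting list file by file; it is a starting point for the review, not a verdict.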




[PHP] include selectively or globally?

2012-08-27 Thread Haluk Karamete
With this question, I aim to understand the inner workings of PHP a
little better.

Assume that you got a 50K library. The library is loaded with a bunch
of handy functions that you use here and there. Also assume that these
functions are needed/used by say 10% of the pages of your site. But
your home page definitely needs it.

Now, the question is... should you use a global include that points to
this library - across the board - so that ALL the pages ( including
the 90% that do not need the library ) will get it, or should you
selectively add that include reference only on the pages you need?

Before answering this question, let me point out why I ask it...

When you include that reference, PHP may be caching it. So the
performance hit I worry about may be a one-time deal, as opposed to every
time. Once that one time is out of the way, subsequent loads may not be
as bad as one might think. That's all because of the smart caching
mechanisms that PHP deploys - which I do not have a deep knowledge of,
hence the question...

Since the front page needs that library anyway, the argument could be
why not keep that library warm and fresh in the memory and get it
served across the board?

When answering this question, please approach the matter strictly from
a caching/performance point of view, not from a convenience point of
view, just to avoid the discussion shifting to programming style
and the do's and don'ts.

Thank you

http://stackoverflow.com/questions/12148966/include-selectively-or-globally




[PHP] date conversion/extraction issues

2012-05-02 Thread Haluk Karamete
This is my code and the output is right after that...

$PDate = $row['PDate'];
// $row is tapping into an MS-SQL date field,
// and the MS-SQL date field has a value like this for PDate:
// 07/12/2001
$PDate = $PDate->date;
echo "<h1>[", $PDate, "]</h1>";
echo "<h1>[", var_dump($row['PDate']), "]</h1>";
echo "<h1>[", serialize($row['PDate']), "]</h1><hr>";
The output is as follows, and my question is embedded in the output.

[]  ??? WHY IS THIS BLANK? WHY IS THIS NOT 2001-12-07 00:00:00?

[object(DateTime)#3 (3) { ["date"]=> string(19) "2001-12-07 00:00:00"
["timezone_type"]=> int(3) ["timezone"]=> string(19)
"America/Los_Angeles" } ]

[O:8:"DateTime":3:{s:4:"date";s:19:"2001-12-07
00:00:00";s:13:"timezone_type";i:3;s:8:"timezone";s:19:"America/Los_Angeles";}]

If I were to directly insert the $row['date'] MS-SQL value into mysql,
I get this error:
Catchable fatal error: Object of class DateTime could not be converted
to string in sql.php on line 379
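An added example, not the poster's code: the string a MySQL insert needs comes from DateTime::format(); the "date" key shown by var_dump() is internal state, not a property you can rely on reading, which is why $PDate->date came back blank and why the object cannot be inserted as-is. The helper also accepts the raw dd/mm/yyyy text in case the driver hands that back instead; the day-first order is inferred from the 07/12/2001 to 2001-12-07 pairing in the post and is an assumption, as is the function name.

```php
<?php
// Added example (not the poster's code). Converts what $row['PDate'] holds
// into the "Y-m-d H:i:s" string MySQL expects.
declare(strict_types=1);

function pdateToMysql($value): string
{
    if ($value instanceof DateTimeInterface) {
        // format() is the documented way to read a DateTime as text.
        return $value->format('Y-m-d H:i:s');
    }
    // Assumed fallback: the raw MS-SQL text as "dd/mm/yyyy". The "!" resets
    // the fields the format does not mention to zero, so the time part is
    // 00:00:00 rather than the current time.
    $dt = DateTime::createFromFormat('!d/m/Y', (string) $value);
    if ($dt === false) {
        throw new InvalidArgumentException('Unrecognised date value');
    }
    return $dt->format('Y-m-d H:i:s');
}

// Constructed samples mirroring the var_dump() output in the post.
$fromDriver = new DateTime('2001-12-07 00:00:00', new DateTimeZone('America/Los_Angeles'));
echo pdateToMysql($fromDriver), "\n";
echo pdateToMysql('07/12/2001'), "\n";
```

Pass the result to the MySQL insert as a bound parameter; the conversion is the only thing missing from the original snippet.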




[PHP] is it possible to change the html title from the WYSIWYG editor?

2012-02-13 Thread Haluk Karamete
You may find it weird, actually very weird, but is the following possible?

Load up a post or page into the admin panel and place something like
this into the editor:

<?php

// assume exec-PHP already active

$current_page_url_here = get_current_url();

echo "<a href='{$current_page_url_here}?var1=val1'>click me</a>";

if ( isset($_GET['var1']) && $_GET['var1'] == 'val1' )
{
    // change the current post's html title to <title>val1</title>
    // without using javascript/jquery
}
?>

So when the visitor clicks on "click me", the same page reloads, but
this time the title reads "val1", and that's what search engines see
too.
And if it is also possible to change the_title() to be equal to "val1",
that's even better.

But, is such a thing technically possible? Or is it too late at that
time to make those changes?
Could ob_start in any shape or form be deployed here to achieve this goal?
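As an added example, not code from this thread or from WordPress itself: code placed in the editor runs inside the_content(), after the theme has already sent <head>, so the title has to be set from a hook that runs earlier. This is what that looks like with the WordPress title filters, registered from a plugin or the theme's functions.php. The var1/val1 names are the ones from the question; the function name and the allowed-value map are constructed assumptions.

```php
<?php
// Added example, not code from this thread or from WordPress itself. Lives in
// a plugin or the theme's functions.php so the filters are registered before
// the theme prints <head>. var1/val1 come from the question; the allowed-value
// map is a constructed assumption.
function hk_title_from_query_var($title)
{
    if (!isset($_GET['var1'])) {
        return $title;
    }
    // Only known values reach <title>; anything else keeps the normal title
    // instead of echoing attacker-controlled text into the page.
    $allowed = array('val1' => 'val1', 'val2' => 'val2');
    $key = (string) $_GET['var1'];
    return isset($allowed[$key]) ? $allowed[$key] : $title;
}

// 2012-era themes print wp_title() inside <head>; WordPress 4.4 and later
// build the <title> tag themselves and consult pre_get_document_title first,
// using the filter's return value whenever it is non-empty.
add_filter('wp_title', 'hk_title_from_query_var');
add_filter('pre_get_document_title', 'hk_title_from_query_var');
```

Because the title is produced server-side, a request for ?var1=val1 carries it in the HTML that crawlers fetch, which the JavaScript alternative suggested later in the thread does not guarantee.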




Re: [PHP] is it possible to change the html title from the WYSIWYG editor?

2012-02-13 Thread Haluk Karamete
Yeah, but in the context of WordPress, that does not fly.
If I do a die; in the middle of wp's tinymce editor, and check back
the page, the title is already out there.

first 5 lines would be something like


<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="UTF-8" />
<title>the wordpress page title we were trying to change is already
here...</title>
<link rel="profile" href="http://gmpg.org/xfn/11" />

But this question is a wp question. I accidentally dropped it in the PHP group.

On Mon, Feb 13, 2012 at 2:24 PM, Daniel Brown danbr...@php.net wrote:
 On Mon, Feb 13, 2012 at 17:15, Haluk Karamete halukkaram...@gmail.com wrote:

    Please keep the replies on the list for all to benefit, including
 the archives.

 Isn't TinyMCE considered a WYSIWYG one? But, anyway, that's beside
 the main point.

    Indeed.  Hence:

         even web-based things like TinyMCE, et al.

 To your suggestion...

 I don't think your snippet would do any good as far as search
 engines...  search engines would still take the title in the head.
 Here, we are already in the_content().

    Did you understand what I meant by "very basic example"?  You'd
 need to modify your <title>.*</title> tag in the head, as well,
 obviously.  That's all quite logical, and well beyond the scope of the
 initial question.

 --
 /Daniel P. Brown
 Network Infrastructure Manager
 http://www.php.net/




Re: [PHP] is it possible to change the html title from the WYSIWYG editor?

2012-02-13 Thread Haluk Karamete
Search engines would still be indexing the original page's title. I
need each unique URL to have its own unique, robot friendly title.
Again, this question is strictly within WP context.



On Mon, Feb 13, 2012 at 6:49 PM, Bastien phps...@gmail.com wrote:


 Bastien Koert

 Any reason you can't just use JS to alter the title tag on the page loading?




Re: [PHP] Re: sql injection protection

2012-01-26 Thread Haluk Karamete
When we do b64e and then b64d back, you are saying we get the original
input all as clear text, but this time as a string. Because it is now a
string (which by definition can not be executed).

What's the difference between b64e+b64d vs (string) casting then? If
you were to cast the original input into a string using (string),
wouldn't you be in the same shoes?

Also, on another note, if you know the user input is in UTF-8 ( you
verify that by running mb_detect_encoding($str, 'UTF-8', true); ), is
there a situation where you think mysql_real_escape_string would fail
against SQL injection on string-based user input? The reason I ask
this specifically about strings is because it is fairly easy to
validate against integers, floats and booleans using the built-in
validation filters; my biggest issue is on strings...

Also, what do you think about filter_sanitize_string?

And finally, where do you think the PHP community plus Rasmus is having a
hard time implementing what you have in mind - that is, a one-liner
that will do the inline string interpolation you are talking about?
What's the issue that it hasn't been done before?



On Tue, Jan 24, 2012 at 1:45 PM, Alex Nikitin niks...@gmail.com wrote:
 You don't need to store it in the database as b64, just undo the
 encoding into your inputs

 for the purpose of the explanation, this is language independent

 b64e - encoding function
 b64d - decoding function


 pseudo code

 given:
 bad_num = ') union select * from foo --'
 bad_str = 
 good_num = 123456
 good_str = "some searchable text"

 the b64 way:
 bad_num=b64e(bad_num)
 ...
 good_str=b64e(good_str)


 inserts:
 query("insert into foo (num, str) values (b64d(\""+bad_num+"\"),
 b64d(\""+bad_str+"\"))");
 query("insert into foo (num, str) values (b64d(\""+good_num+"\"),
 b64d(\""+good_str+"\"))");

 Can you see that this will safely insert clear text into the database?
 This is because when you convert anything from b64, it will return
 from the function as a string and will not be executed as code...


 Now let's try a search:
 bad_num = '1 or 2 not like 5'
 bad_str = "' or \"40oz\" like \"40oz\""

 again we:
 bad_num=b64e(bad_num)
 bad_str=b64e(bad_str)

 then we can do a full text search:
 query("select * from foo where match(str) against(b64d(\""+bad_str+"\"))")
 or even a number search
 query("select * from foo where num=b64d(\""+bad_num+"\")")

 again this is possible because no matter what you put in bad num, it
 will never be able to make post b64e bad_num look like code, just
 looks like junk, until b64d converts it to a string (which by
 definition can not be executed)

 make sense now?


 By check I mean, run utf8_decode for example...


 Problem is, that I can tell you how to write the most secure code, but
 if it's hard, or worse yet creates more problems than it solves
 (seemingly), nobody other than a few individuals with some passion for
 security will ever find the code useful. We need to fix this on the
 language level, then we can go around and tell programmers how to do
 it right. I mean, imagine telling a programmer that something that
 takes them 2 lines of code now can be done much more securely in 5-7,
 and it creates code that doesn't read linearly... Most programmers
 will just ignore you. I want to say, hey programmer, what you do in 2
 lines of code, you can do in 1 and make it impossible to inject into;
 then people will listen, maybe... This is where inline string
 interpolation syntax comes in, but it is not implemented in any
 programming language, sadly actually. This is what I want to talk to
 Rasmus about.




Re: [PHP] Re: sql injection protection

2012-01-26 Thread Haluk Karamete
Re-read his example.  He encodes the data in PHP.  But decodes the data in 
SQL.  So, if you echo the SQL statement, you would see a base64 encoded 
string that SQL then decodes.

Got it this time! Up until reading your reply, I was reading Alex's
example with my pseudo-code glasses. I did not realize that the
decoding was being done by SQL! I thought it was still in PHP. And
that's where I got confused with the "hey, why not string-cast it
then" and got into the "what's the difference" situation. But you were laser
sharp on that!  Thanks a bunch!

 As to the other issue, the one with utf-8 and mb_detect_encoding not
 working for it - cause there are ways of getting around it. I still don't get
 it. First q that comes to mind: why the heck use mb_detect_encoding then if it
 can be hacked around? See what I'm saying. But I don't want to go off on a
 tangent.. All I'm trying to do is to safely protect myself from a possible
 sql injection by using the available filters and sanitizations and
 techniques but without the PDO. That's the requirement. No PDO. From the
 earlier recommendations, I understand PDO is the way to go - cause it
 effectively separates the sql code from the user input to make sure user
 input does not get executed.. That explanation... I get that... no problems
 there... yes, do use PDO...  but my question is not "what's the safest way in
 general?". But rather, "what's the safest way without the PDO?" Without the
 PDO, it seems like b64'ing it will do the job! And since the data will be
 stored as clear text, the searches against that data will also work too. I
 can take this implementation and build my library function based on that -
 instead of making it

1- first check if the user's input string is in utf-8,
2- reject the input if not in utf-8,
3- accept the input if utf-8 and apply the applicable filters to it,
starting with filter_sanitize_string,
4- and on top of that, also mysql_real_escape it.

But from what I understand, you guys are saying "just don't do this",
because it may be overcome, and that's not because of the fact that
filter_sanitize_string or mysql_real_escape_string is not effective,
but because of the fact that there is NO WAY to reliably detect
whether the incoming user input is in utf-8 or not.

On Thu, Jan 26, 2012 at 9:14 AM, Jim Lucas li...@cmsws.com wrote:
 On 01/26/2012 06:46 AM, Haluk Karamete wrote:

 when we do b64e and then back b64d, you are saying. we get the org
 input all as clear text but this time as a string. because it is now a
 string, (which by definition can not be executed)

 what's the difference between b64e+b64d vs (string) casting then? if
 you were to cast the original input into string using (string),
 wouldn't you be in the same shoes?


 Re-read his example.  He encodes the data in PHP.  But decodes the data in
 SQL.  So, if you echo the SQL statement, you would see a base64 encoded
 string that SQL then decodes.



 also on another note, if you know the userinput is in UTF-8, ( you
 verify that by running mb_detect_encoding($str, 'UTF-8', true); ), is
 there a situation where you think mysql_real_escape_string would fail
 in SQLINjection against string based user input ?  The reason I ask
 this about specifically for strings is because it is fairly easy to
 validate againsts integers,floats,booleans using the built in
 validation filters my biggest issue is on strings...

 also what do you think about filter_sanitize_string.


 read this:

 http://www.php.net/manual/en/filter.filters.sanitize.php

 Then read this:

 http://www.php.net/manual/en/filter.filters.flags.php

 It seems to me that filter_sanitize_string does not deal with anything other
 then ASCII.

 YMMV



 and finally, where do you think PHP community plus Rasmus is having a
 hard time implementing what you have in mind - that is a one liner
 that will do the  inline string interpolation you are talking about..
 what's the issue that it hasn't been done before?




Re: [PHP] Re: sql injection protection

2012-01-24 Thread Haluk Karamete
4 questions... which is basically all it comes to.. After all this
back and forth of emails, I think we should nail down these questions
cause they are still not completely covered in my mind.


question 1

If you use the PHP filters & sanitizations, and you plan on using PDO
with bound params, are you absolutely safe? And if not, why? What are
the other ways for them to still make it in - even with PDO and bound
params properly in place? Just curious.

question 2

If you use the PHP filters & sanitizations, and for some reason you
CANNOT use PDO, what do you do in those situations where the user
input is expected to be coming as a string and it's perfectly OK for
it to be, say, around 1000 chars! For example, you are receiving a
guest book comment. Use b64? But with b64, doesn't the search capability go
down the drain? So we basically give up on search? Can we not come up
with a solution which allows the search but is still safe? What do we
do?

question 3

Is there really no way to stop the user input if its char set is not
utf8? Can we not enforce the user input to be in UTF8 only and reject
all input otherwise? If there is such a way, wouldn't we be better off using
mysql_real_escape to allow both search and be safe? Or is there really
no way for PHP to understand the incoming user input's char set?

question 4

Do you have any white paper or any article that covers your most
recommended solution for lengthy user input while you still want
the search to work? You seem to know a lot and I think you should have
at least an article where we people can discuss the article at the
bottom. It's always useful. If you don't have one, I strongly
recommend you come up with one cause I'm sure it will be useful.


On Mon, Jan 23, 2012 at 2:35 PM, Alex Nikitin niks...@gmail.com wrote:
 Start off with the fact that that article is from 2006, and it's
 written by a programmer...

 I was simply asking expert opinion with the intention to learn.
 There is so much documentation out there (I mean not just out there but at top
 security sites like owasp ) that recommends database-specific escape
 solutions as one of the viable alternatives.

 Escaping can work with a very specific set of circumstances, and it
 can be secure, however it fails as a security practice, and thus fails
 as a security solution.

 You make it seem like anyone who does not use PDO ( for one reason or
 another ), and relies on mysql_real_escape_string can be bypassed
 and SQL injected.

 I can't tell you for sure, however any project that uses it as their
 sole means of SQL injection protection can be exploited, yes. Just
 because OWASP says that it is a solution, doesn't mean that it's a
 good solution. Sometimes it's the only solution, yes, but it should
 not be the only security practice.

 So you're saying the mysql_real_escape_string() isn't 100% secure either?
 Crikey, if that's true, then I'm willing to bet A LOT of scripts are
 vulnerable to this problem.

 Any script that uses escaping as the sole means of protection, or
 doesn't do good checking, which is a lot of scripts. But I mean I hope
 it's no surprise, a lot of the web is vulnerable...

 Is there a fix that doesn't involve prepared statements? Perhaps a
 function that checks for this problem, and filters it? My
 charset/encoding knowledge is a bit limited, so I'd very much
 appreciate an answer. Thanks!

 Sure, I have already mentioned it... The glorious base 64 hack...

 Is it really that simple? It's hard to believe that all these
 implementations out there that honor the recommended filter &
 database-specific escape mechanisms would *easily* be vulnerable by
 simply someone sending utf7, is that what you are saying?

 A lot are... likewise UTF16, and even UTF8 can often be an issue. The
 issue with escaping is knowing what characters are bad; if you think
 you can escape a ' - tick and be safe, think again, in utf there are
 dozens if not hundreds of characters that can represent a tick in
 various circumstances. Again escaping fails as a security practice.
 Yes it can work and make your code uninjectable, but it still fails as
 a solution, even if secure...




Re: [PHP] Re: sql injection protection

2012-01-24 Thread Haluk Karamete
My reply is in delims.

 question 1

 If you use the PHP filters & sanitizations, and you plan on using PDO
 with bound params, are you absolutely safe? And if not, why? What are
 the other ways for them to still make it in - even with PDO and bound
 params properly in place? Just curious.

There are no known exploits or techniques on injecting into
parameterized queries.



That's very good to know.
 question 2

 If you use the PHP filters & sanitizations, and for some reason you
 CANNOT use PDO, what do you do in those situations where the user
 input is expected to be coming as a string and it's perfectly OK for
 it to be, say, around 1000 chars! For example, you are receiving a
 guest book comment. Use b64? But with b64, doesn't the search capability go
 down the drain? So we basically give up on search? Can we not come up
 with a solution which allows the search but is still safe? What do we
 do?


Search depends on your search; for example if I have 1000 chars, I may
not want to search on all the words, only some key words, in which
case b64 doesn't mean that you can't search. Doing a full text index on
a 1000-char field in a decently large database can be quite hazardous
to performance... On another note, you can still insert as clear text:


insert into foo (bar, pub) values(b64d("c2hvdHM="), b64d("YmVlcg=="))

it doesn't matter what is encoded in the b64, what matters is that it
is NOT code that SQL will execute, you see what I'm saying?

You can be decently secure with escaping, but again, it fails as a
security solution. If you can do neither, then set the default char
set on the page, database and even in php do a utf8_decode or
something, validate, check, escape and you will be reasonably secure.



I'm not getting this one; in fact, I am totally lost in it. That's
because I am not familiar with b64 encoding... Look, I supplied the
user input "; drop table members" and then did a b64 on it, and it gave me
back "OyBkcm9wIHRhYmxlIG1lbWJlcnM=". When I decode that back, I ended
up with what I started with, that is "; drop table members". Knowing that,
are you suggesting we do the following then?

take the user input, example: "; drop table members"
b64 it .                  now it's "OyBkcm9wIHRhYmxlIG1lbWJlcnM="
then store it like that in the db.
and when you need to output back to screen, b64d it ( that is, b64 decode )

Well, if that's true, how do we allow the user to search for, say, "drop
table"? All you've got in the db is
"OyBkcm9wIHRhYmxlIG1lbWJlcnM=". For a moment, I thought, if I do b64 on
the user's search string, that is "drop table", search would work. But
when I tested, the b64 of the partial string "drop table" is
"ZHJvcCB0YWJsZQ==" and it is not part of the full string
"OyBkcm9wIHRhYmxlIG1lbWJlcnM=". Can you elaborate then how the searching
would work? Any PHP sample may help where you used the b64 trick in an
implementation.. Otherwise, I'm still lost in this one.

Also, when you say "set the default char set on the page..", do you
mean this? <meta http-equiv="content-type" content="text/html;
charset=UTF-8"> And when you say "set the default char set on the
page..", do you mean this? header("Content-Type: text/html;
charset=UTF-8");
Isn't "page" and "php" here in this context the same thing? In other
words, doesn't header("Content-Type: text/html; charset=UTF-8");
produce on the resulting page <meta http-equiv="content-type"
content="text/html; charset=UTF-8">? What is that going to do for me if
the user supplied the evil string right from the browser bar - where
the referer is blank? I don't see how setting the default char set
by page or php is of any help.

And on the other hand, when you say "set the default char set on the
database..", do you mean to use SET NAMES 'utf8';? By doing so, we
would make sure mysql_real_escape_string won't get fooled. Is this
understanding correct?



 question 3

 Is there really no way to stop the user input if its char set is not
 utf8? Can we not enforce the user input to be in UTF8 only and reject
 all input otherwise? If there is such a way, wouldn't we be better off using
 mysql_real_escape to allow both search and be safe? Or is there really
 no way for PHP to understand the incoming user input's char set?


Set the default encoding on page and db, check in php



When you say "check in php", do you check it with
mb_detect_encoding($str, 'UTF-8', true);
Is that your way of checking too?

And if you determine that it is UTF-8, are you completely fine with
mysql_real_escape_string for your non-PDO insert/select/updates?
yes/no.


 question 4

 Do you have any white paper or any article that covers your most
 recommended solution for lengthy user input while you still want
 the search to work? You seem to know a lot and I think you should have
 at least an article where we people can discuss the article at the
 bottom. It's always useful. If you don't have one, I strongly
 recommend you come up with one cause I'm sure it will be useful.


I do not, however i am thinking about talking to 
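As an added example, not code from anyone in this thread: the parameterized approach from the answer to question 1, written with mysqli prepared statements rather than PDO (the "no PDO" requirement stated earlier in the thread), against the foo(num, str) table from Alex's pseudo-code. It keeps rows as clear text so a LIKE search still works (the concern in question 2), sets the connection charset through the client library (the "default char set on the database" point in question 3; mysqli::set_charset() also updates the charset that mysqli_real_escape_string() uses, which a raw SET NAMES query does not), and applies the UTF-8 rejection step from the four-step plan earlier in the thread with mb_check_encoding(). Host, credentials and database name are placeholders, and the function names are mine.

```php
<?php
// Added example, not code from this thread. Table foo(num INT, str TEXT) is
// the one from Alex's pseudo-code; host, credentials and database name are
// placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connectDb(): mysqli
{
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    // Set the connection charset through the client library. Unlike a raw
    // "SET NAMES utf8mb4" query, this also updates the charset that
    // mysqli_real_escape_string() uses, so the escaper and the server agree
    // on what the bytes mean.
    $db->set_charset('utf8mb4');
    return $db;
}

function insertRow(mysqli $db, int $num, string $str): int
{
    // Steps 1-2 of the four-step plan: reject input that is not valid UTF-8.
    if (!mb_check_encoding($str, 'UTF-8')) {
        throw new InvalidArgumentException('str is not valid UTF-8');
    }
    // Placeholders keep the value out of the SQL text entirely. The driver
    // sends it separately, so nothing in $str is parsed as SQL, and the row
    // is stored as clear text (no base64 on either side).
    $stmt = $db->prepare('INSERT INTO foo (num, str) VALUES (?, ?)');
    $stmt->bind_param('is', $num, $str);
    $stmt->execute();
    return $stmt->affected_rows;
}

function searchRows(mysqli $db, string $needle): array
{
    // Searching clear-text rows still works with a bound parameter. The LIKE
    // wildcards % and _ (and the backslash) inside the user's text are
    // escaped so they match literally rather than as wildcards.
    $pattern = '%' . addcslashes($needle, '%_\\') . '%';
    $stmt = $db->prepare('SELECT num, str FROM foo WHERE str LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$db = connectDb();
insertRow($db, 123456, 'some searchable text');
// The "bad" input from the pseudo-code goes in as ordinary text.
insertRow($db, 0, "') union select * from foo --");
print_r(searchRows($db, 'searchable'));
print_r(searchRows($db, "') union"));
```

The second search finds the row that holds the injection string precisely because it was stored as text: the value is compared, never parsed. get_result() needs the mysqlnd driver, which is the default build of mysqli; on a libmysqlclient build use bind_result() and fetch() instead.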

Re: [PHP] Re: sql injection protection

2012-01-23 Thread Haluk Karamete
I was simply asking expert opinion with the intention to learn.
There is so much docs out there (I mean not just out there but at top
security sites like owasp ) that recommends database specific escape
solution as one of the viable alternatives.

You make it seem like anyone who does not use PDO ( for one reason or
another ), and relies on mysql_real_escape_string can be bypassed
and SQL injected.

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_3:_Escaping_All_User_Supplied_Input
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

quote from 
http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

So you're saying the mysql_real_escape_string() isn't 100% secure either?
Crikey, if that's true, then I'm willing to bet A LOT of scripts are
vulnerable to this problem.


Is there a fix that doesn't involve prepared statements? Perhaps a
function that checks for this problem, and filters it? My
charset/encoding knowledge is a bit limited, so I'd very much
appreciate an answer. Thanks!
#1 Dennis Pallett (Homepage) on 2006-01-22 14:08 (Reply)

As Ilia points out, it only applies to situations where the script
actually modifies the charset, for instance using SET CHARACTER SET.
Personally, I've never used this functionality and if you haven't
either you're fine.
#1.1 jome on 2006-01-22 14:48 (Reply)

That is precisely what the example demonstrates. The bottom line while
the problem is serious, it would only affect people changing character
sets from single-byte encodings to multibyte ones. As long as you stay
away from multibyte encodings, with the exception of UTF8 you should
be safe.
#1.2 Ilia Alshanetsky (Homepage) on 2006-01-22 15:15 (Reply)

/quote

I don't understand from what you say here...

When I send you something in UTF7, it will go through the escape as
utf7, since apache will push whatever I send into your vars, web
servers don't care about the char set, and PHP doesn't care what's in
the var either, especially in terms of a char set, so, it will hit
your database as utf7, which will change it to UTF8 for example or
whatever its default charset is...

Is it really that simple? It's hard to believe that all these
implementations out there that honor the recommended filter &
database-specific escape mechanisms would *easily* be vulnerable by
simply someone sending utf7, is that what you are saying?


On Mon, Jan 23, 2012 at 10:26 AM, Alex Nikitin niks...@gmail.com wrote:
 There is so much no, answers are in line.

 At the top of each php page which interacts with a database, just have
 this one liner

 This has already been mentioned, but again, no, no connection if you
 are not actually interacting with the database.

 $DBH = safe_connection("database_name_here");   //$DBH stands for
 database handle

 Another no, obfuscating away the user/pass doesn't make it a safe
 function. Not saying there is no benefit to it, but where I would say
 you would benefit is from making this into a singleton object for
 example...

 obviously the safe_connection is not a built-in PHP function so we
 have to come up with it...

 The idea behind this safe_connection function is this;

 It takes the dbname, uses it in looking up to retrieve the database
 username, the password, the host name and the hostname, and the host
 type ( whether the host is mysql or mssql etc) - for the specified
 database.

 Shouldn't it also accept access type, for example I don't want to use
 a user with input privileges if I am just looking stuff up in the
 database... Also what year are we in? You do this, at least make it an
 object so I don't need to remember what prefix I need to call...

 Then it uses all this data to establish a db connection and thus get
 the $DBHandle.

 Yeah with an unknown type...

 Once the $DBHandle is obtained, then mysql_real_escape_string ( or the
 mysqli_real_escape_string version ) can be used
 (However, the mentioned mysql_real_escape_string function here would
 be the right choice **only if** the hosttype is mysql! ) So, that's
 where we use the hosttype. Microsoft SQL may require a different
 escaping mechanism.

 Did you not read anything i wrote above? Escape=fail... use a PDO
 prepare and exec methods...

 Now, the question is where do we use this mysql_real_escape_string function?

 You DON'T!

 Well, on the usual suspects! the dirty 5 arrays; namely _GET, _POST,
 _COOKIE, _REQUEST and the _SERVER. Yes, the _SERVER too.  ( that's due
 to the http_referer, remote_addr etc spoofing ).

 Here is a basic example handling the _GET array!

  foreach ($_GET as $k => $v)
  {
      $_GET[$k] = mysql_real_escape_string($v);   // this is good if host type is mysql...
  }

 So, the basic idea is to clean up the entire GET array and be safe and
 thorough. And do this across all global arrays where a user input can
 possibly come from.


[PHP] which server variables from this list can be spoofed?

2012-01-19 Thread Haluk Karamete
I marked those I already know as can,

$_SERVER['REMOTE_ADDR']  CAN
$_SERVER['HTTP_REFERER']  CAN
$_SERVER['HTTP_USER_AGENT']  CAN
$_SERVER['REQUEST_URI']   CAN ( cause it contains the query string
part and user/hacker can easily change that )

Those I'm not too sure are as follows;

$_SERVER['SERVER_NAME']
$_SERVER['DOCUMENT_ROOT']
$_SERVER['SCRIPT_NAME']
$_SERVER['PHP_SELF']




Re: [PHP] sql injection protection

2012-01-17 Thread Haluk Karamete
 This is an interesting conversation, so I'm glad it got brought up,but I 
 find myself curious:  Are you actually trying to avoid PDO, or just trying 
 to learn how the security actually works?

Well, it's a learning process. My point is this... If I can make it
safe and sound without PDO, then I really got to the bottom of it.
Because once you reach there, I would be in a much better shape,
cause at the end, I will still use the PDO level.

PDO is not safe. I should say, it is not SAFE ENOUGH. You are still
vulnerable with PDO as well.
Cause PDO still requires you to validate your input. If you don't do a
good job at it, then you are using PDO as a drug. You have to go down
to the bottom of it and that's validating the darn user input.

Well, if you validate your input well, then one can turn the question
around and ask, then why use PDO? It's not going to make it any safer!
It was already so.

The danger with the PDO articles...
Using/or Recommending PDO without the nitty/gritty details of how
important it is to validate your input is unfortunately leading people
( unexp. dev ) into thinking that it's a safer method, therefore they
can go relax at certain things and PDO will cover them.

I think one should try to make his data secure, first and foremost -
without *relying* on PDO to take care of things.

Therefore, we should learn the crux of the matter. By that, I mean all
that multibyte and GPK Greek and some other weird char sets that one
should be aware of and what to do to really safeguard the databases
against all kinds of user data.

Only then and only then,  one should START thinking about using PDO.

http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection

That's why I started this thread.





On Tue, Jan 17, 2012 at 4:39 AM, Andy McKenzie amckenz...@gmail.com wrote:
 On Mon, Jan 16, 2012 at 10:34 PM, Haluk Karamete
 halukkaram...@gmail.com wrote:
 I understand some ways are better than others in this one, and it
 looks like the PDO based implementations shine the most as far as SQL
 Injection.

 But would not the following be good enough - without implementing a
 PDO solution?

 


 This is an interesting conversation, so I'm glad it got brought up,
 but I find myself curious:  Are you actually trying to avoid PDO, or
 just trying to learn how the security actually works?

 Personally, my decision was that I could spend a lot of time learning
 all the ins and outs, or I could just use PDO and some basic input
 validation, and be more-or-less secure.  I'm sure there are cases
 where that's not sensible, but it's always worked for me.

 -Andy




Re: [PHP] sessions and expirations and isolations

2012-01-17 Thread Haluk Karamete
Back to this session expiration...

that old quote said...
begin
The default behaviour for sessions is to keep a session open
indefinitely and only to expire a session when the browser is closed.
This behaviour can be changed in the php.ini file by altering the
line:

session.cookie_lifetime = 0
If you wanted the session to finish in 5 minutes you would set this to:
session.cookie_lifetime = 300.
end

Reflecting on this a little more, I got interested in the part that
says The default behaviour for sessions is to keep a session open
indefinitely and only to expire a session when the browser is closed.

How would the server know that a browser is closed? No browser
sends such data to a server.

If you re-open your browser, sure you will get asked to relogin (
cause that session id cookie is gone ) but that does not mean that old
session data has been erased from the server. How could it?  The only
way for that to happen is to run session_destroy programmatically but
for that your users have to click on a link. Certainly, closing a
browser won't cause that!

This brings the question to the following;
WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER?

I'm afraid session.cookie_lifetime = 0 keeps all session data ( that
is past and present ) in server memory until a server restart/stop
takes place. Correct me if I'm wrong.




On Mon, Jan 16, 2012 at 4:19 PM, Stuart Dallas stu...@3ft9.com wrote:
 On 16 Jan 2012, at 22:51, Haluk Karamete wrote:

 Hi, in ASP, sessions expire when the client does not request an asp
 page for more than 20 min. (The 20 min thing is a server level setting
 - which can be changed by IIS settings )  And sessions work out of the
 box.

 I use sessions a lot. So, most likely, I would keep that style in my
 PHP apps too.

 I read the following about PHP sessions...  I wanted to know how
 accurate this info is.

 quote
 The default behaviour for sessions is to keep a session open
 indefinitely and only to expire a session when the browser is closed.
 This behaviour can be changed in the php.ini file by altering the
 line:

 session.cookie_lifetime = 0
 If you wanted the session to finish in 5 minutes you would set this to:

 Listing 23 Keeping a session alive for five minutes (listing-23.txt)
 session.cookie_lifetime = 300.
 Remember to restart your web server after making this change.
 /quote

 That's totally accurate, except that it doesn't touch upon how sessions are 
 cleaned up...

 Now, if this info is correct and it is this simple, why do we have
 some elaborate posts like this one?

 http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes

 ...which explains that post. The session.cookie_lifetime is simply the expiry 
 time that will be set on the cookie that specifies the visitor's session ID. 
 That ID is used as the unique identifier on the server in the session storage 
 system (defaults to files of serialized data). If you want to have more 
 precise control over the session lifetime (though I can't see any reason why 
 you would need to) then you can write your own session handler and implement 
 the timeout logic yourself. You could also handle it by storing a timestamp 
 in the session and using that to decide whether the session data should be 
 considered valid (as described in the accepted answer on that post).

 What do you do when you write a PHP app that relies on sessions? how
 do you manage the server memory allocation issues?
 Say you wanted to keep session vars alive for 20 min ( from the last
 request from the client ) and you wanted your server to completely
 empty the session if there no request, no new php page is requested
 from that client within that next 20 min. And if a client requests a
 page say on the 19th min, session gets extended another 20 from that
 time on, just like the ASP works.

 The only reason there would be memory allocation issues is if you're storing 
 huge amounts of data in the session. If you are then I'd suggest that you 
 either re-architect your application so you don't need to, or implement a 
 custom storage mechanism for that data that doesn't use the session system.

 My second question on session is about keeping sessions apart from one
 another - if such a concept exists...

 Let's say you have a session var FirstName in app1 and another session
 variable exactly named as FirstName in app2.
 how do you keep them separate?

 In ASP, I create a virtual app at the IIS server - assigning a virtual
 dir path to the app, and from that point on, any page being served
 under that virtual path is treated as an isolated ASP app and thus the
 sessions are kept isolated and not get mixed up by asp pages that do
 not live under that virtual app path.


 I don't know much about the way ASP implements sessions but I highly doubt 
 there is anything significantly different in there to the way PHP does it. 
 For all intents and purposes the isolation of a given user's session

Re: [PHP] Re: sql injection protection

2012-01-17 Thread Haluk Karamete
Thanks Alex. I re-read Ross's reply but I don't think you and him (
and even me ) is saying something different. It's all about validating
the input. In my dictionary of programming vocabulary, validation is
not just validating user input but also sanitizing it.

You summed it up nicely by saying programmer's string vs user's
string. It's the user's string where we want to focus on... If we go
to the source of the problem that is receiving user input, that's
where we start.

So, every single user input ( not just query-string and form-post data
or cookies but even the server variables such as the *http_referer )
must be considered as potential threats. If we are to store the user
ip based on the server var http_referer value - without
validating/sanitizing it - then we are really risking things! Aren't
we? So we should not think that hey that's a $_SERVER variable so why
worry about it... I wanted to bring this matter up as a side
parenthesis cause I don't think http_referer would be on many
programmers' list of things to be watched out for and to be sanitized!

So first things first, we need to identify all possible ways that a
user input can take place. And that's not limited to
querystrings/form-posts and cookies. Server vars are in my list too,
not all of them but those that have issues. If you guys can think
of some other types ( like the server variables that one would not
think of from the userland ) that I may be missing, I'd appreciate your
filling in here.

Once we know what possible places are out there that a user string can
make it, we apply our function right there and then. So, yes, we need
a library function that does this for us for once and for all. This
library function must deal with data validation (on data length and on
data type ) as its first line of defense.

In that function, we should also do the escape! And that brings us to
the 2nd line of defense.

In this 2nd line of defense, we must take care of the char code
specific issues. And for that it looks like mysql_real_escape_string()
is my only line of defense. That's per this article
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
But it looks like, Alex you'd have a problem with that. Your reply
sounded like that. Correct me if I got you wrong. If I have not
misunderstood you, you have an issue with mysql_real_escape... But
then could you tell me how you would deal with the GPK and GPK like
matters in the light of Shiflett's article?

And after that if the function is still returning OK, then I take that
user input, use it in a PDO based implementation.

Am I missing anything? Feel free to fill it in please so I can close
this chapter and move on.


On Tue, Jan 17, 2012 at 2:56 PM, Alex Nikitin niks...@gmail.com wrote:
 Haluk, don't listen to Ross, escaping fails, it was and is a bad
 solution to an old and still largely unresolved problem. The problem
 is and has been that of language interoperability, and we have been
 and continue failing at making a good way for languages to talk to
 each other, but because this is so needed, especially on the web,
 where you blink and you are in another language; php, css, html, throw
 in some javascript, and here is some SQL, oh I need some python, now
 let's throw in some C, but none of these languages talk to each other,
 so we have had to make it work and we do it with strings... This is
 why we have SQL injection and XSS, and the only, I will repeat that,
 the ONLY way to fix this issue is to have a clear way to say from
 language to language that this is a programmer string, run it, and
 this is user input, don't run it.

 The only right solution is to pass your code as code and the user
 input as user input, this way you are guaranteed that no execution of
 user input is possible via usual SQL injection or XSS means. Of course
 you still need to check and sanitize your input, there are still
 typical issues, buffer and heap overflows, etc, but simple inclusion
 of some special character and user input code that just gets run
 just like programmer code is simply not possible.

 Escaping is a bad and many times failed attempt at saying that it's ok
 to pass user input as code, we just escape the characters we think are
 bad, to tell the interpreter not to execute them as it normally would.
 But what does it mean to be a character? Well back when all these
 languages were designed there was ASCII, and life was easy, now,
 however we have utf7, utf8, utf16, with tens of thousands of
 characters, many of which are the same symbol. Oh and they morph, if
 you don't know what best-fit matching is, look it up, but at the end
 of the day, if you think that you know what characters you need to
 escape, you are wrong, I'm sorry. This is why in javascript there are
 3 escape functions: escape, escapeURI and escapeURIComponent. Which
 roughly translate to we failed, we failed again and we failed the
 third time.

 So in short, no, mysqli_real_escape_string is not a good 
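
Alex's point above (the SQL text travels as code, the user's string travels as data) and Haluk's question about character-set-specific escaping, as an added PHP example that is not code from the thread. Host, database name and credentials are placeholders; the wp_posts table is the one the list's own examples use. The LIKE-wildcard escaping goes one step beyond what the thread discusses, because the posts repeatedly ask that "the search still works" with arbitrary user text.

```php
<?php
// Added example, not code from the thread. Host, database name and
// credentials below are placeholders.
declare(strict_types=1);

// Prepared statements: the statement text is the programmer's string,
// the value is the user's string, and they reach MySQL separately.
// Emulation is switched off so the server, not the PHP driver, does the
// binding, and the charset is fixed in the DSN so driver and server
// agree on which bytes are quote characters.
function pdoConnect(): PDO
{
    $dsn = 'mysql:host=db.example.invalid;dbname=appdb;charset=utf8mb4'; // placeholder
    return new PDO($dsn, 'app_user', 'app_password', [                    // placeholders
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// A search that still works with any user string: the needle is bound,
// so quotes, backslashes or odd multibyte sequences cannot close the
// literal and start new SQL.
function findPostsByTitle(PDO $db, string $needle): array
{
    $stmt = $db->prepare(
        'SELECT ID, post_title FROM wp_posts WHERE post_title LIKE ? LIMIT 50'
    );
    // LIKE wildcards are not injection, but a user typing % or _ would
    // match everything; escape them so they are taken literally.
    $pattern = '%' . addcslashes($needle, '%_\\') . '%';
    $stmt->execute([$pattern]);
    return $stmt->fetchAll();
}

// The non-PDO route, if escaping has to stay: real_escape_string is
// only correct for the character set the *client library* believes the
// connection uses. set_charset() updates that belief; a hand-written
// "SET NAMES ..." query changes only the server side and leaves the
// escaper working on the wrong encoding, which is the mismatch the
// Shiflett and Ilia posts are about. The escaped value must still be
// wrapped in quotes in the SQL text.
function mysqliFindPostsByTitle(mysqli $db, string $needle): array
{
    $db->set_charset('utf8mb4');
    $pattern = '%' . addcslashes($needle, '%_\\') . '%';
    $sql = "SELECT ID, post_title FROM wp_posts WHERE post_title LIKE '"
         . $db->real_escape_string($pattern) . "' LIMIT 50";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}
```

Both functions accept the same needle and return the same rows; the difference is where the boundary between code and data is enforced (by the server in the first, by the client-side escaper plus the programmer's quoting in the second), which is why the first is the one to prefer.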

[PHP] sessions and expirations and isolations

2012-01-16 Thread Haluk Karamete
Hi, in ASP, sessions expire when the client does not request an asp
page for more than 20 min. (The 20 min thing is a server level setting
- which can be changed by IIS settings )  And sessions work out of the
box.

I use sessions a lot. So, most likely, I would keep that style in my
PHP apps too.

I read the following about PHP sessions...  I wanted to know how
accurate this info is.

quote
The default behaviour for sessions is to keep a session open
indefinitely and only to expire a session when the browser is closed.
This behaviour can be changed in the php.ini file by altering the
line:

session.cookie_lifetime = 0
If you wanted the session to finish in 5 minutes you would set this to:

Listing 23 Keeping a session alive for five minutes (listing-23.txt)
session.cookie_lifetime = 300.
Remember to restart your web server after making this change.
/quote


Now, if this info is correct and it is this simple, why do we have
some elaborate posts like this one?

http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes


What do you do when you write a PHP app that relies on sessions? how
do you manage the server memory allocation issues?
Say you wanted to keep session vars alive for 20 min ( from the last
request from the client ) and you wanted your server to completely
empty the session if there no request, no new php page is requested
from that client within that next 20 min. And if a client requests a
page say on the 19th min, session gets extended another 20 from that
time on, just like the ASP works.

My second question on session is about keeping sessions apart from one
another - if such a concept exists...

Let's say you have a session var FirstName in app1 and another session
variable exactly named as FirstName in app2.
how do you keep them separate?

In ASP, I create a virtual app at the IIS server - assigning a virtual
dir path to the app, and from that point on, any page being served
under that virtual path is treated as an isolated ASP app and thus the
sessions are kept isolated and not get mixed up by asp pages that do
not live under that virtual app path.

Is this concept even applicable in PHP?

Thanks




Re: [PHP] sessions and expirations and isolations

2012-01-16 Thread Haluk Karamete
Well Stuart,

When I said this

 In ASP, I create a virtual app at the IIS server - assigning a virtual
 dir path to the app, and from that point on, any page being served
 under that virtual path is treated as an isolated ASP app and thus the
 sessions are kept isolated and not get mixed up by asp pages that do
 not live under that virtual app path.

I did not mean that aspect of the business which you replied to. I
did not mean that 2 users' sessions can get mixed up. Of course,
neither PHP nor ASP would allow that and that's all thru the current
session cookie ID - which is nearly impossible to guess for somebody
else's session cookie ID for that session time.

Instead, I was meaning something totally different. Sorry for not
being very clear about it. Here is another shot at it.

Here, you are developing an app and the app is being developed under say
domain.com/app1/. Let's call this app APP_1
And this app got say 10 php files and these files use lots of some
session vars to pass some data from one another. That's the case for
APP_1.

Now you need a second app... which is totally different from APP_1.
And that is to be developed under say the same server as say
domain.com/APP_2/ and this one too has its 5 php files.

But there is nothing common between two apps.

Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two
separate apps ( virtual apps they call it ) and once I do that  ( and
that's thru the IIS settings ), the session vars I store in APP_1 do
not get overwritten by APP_2, even though they may or may not
share the same names... With that,  I can set up a session var Age as
43 right there in APP_1 and I can have another session variable in the
other app, still named as Age where I store the age value as a string,
something like say  middle-age. If I didn't create these virtual
apps at IIS, ASP would have overwritten the value 43 with the value
middle-age and vice versa back and forth.

I'm trying to understand if the same flexibility is available or not with PHP.
I should be able to go to APP_1 and do a _SESSION dump and I should
see 10 session variables in there and then I should be able to go to
APP_2 and there I should see only 8. That's the case with classic ASP.




On Mon, Jan 16, 2012 at 4:19 PM, Stuart Dallas stu...@3ft9.com wrote:
 On 16 Jan 2012, at 22:51, Haluk Karamete wrote:

 Hi, in ASP, sessions expire when the client does not request an asp
 page for more than 20 min. (The 20 min thing is a server level setting
 - which can be changed by IIS settings )  And sessions work out of the
 box.

 I use sessions a lot. So, most likely, I would keep that style in my
 PHP apps too.

 I read the following about PHP sessions...  I wanted to know how
 accurate this info is.

 quote
 The default behaviour for sessions is to keep a session open
 indefinitely and only to expire a session when the browser is closed.
 This behaviour can be changed in the php.ini file by altering the
 line:

 session.cookie_lifetime = 0
 If you wanted the session to finish in 5 minutes you would set this to:

 Listing 23 Keeping a session alive for five minutes (listing-23.txt)
 session.cookie_lifetime = 300.
 Remember to restart your web server after making this change.
 /quote

 That's totally accurate, except that it doesn't touch upon how sessions are 
 cleaned up...

 Now, if this info is correct and it is this simple, why do we have
 some elaborate posts like this one?

 http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes

 ...which explains that post. The session.cookie_lifetime is simply the expiry 
 time that will be set on the cookie that specifies the visitor's session ID. 
 That ID is used as the unique identifier on the server in the session storage 
 system (defaults to files of serialized data). If you want to have more 
 precise control over the session lifetime (though I can't see any reason why 
 you would need to) then you can write your own session handler and implement 
 the timeout logic yourself. You could also handle it by storing a timestamp 
 in the session and using that to decide whether the session data should be 
 considered valid (as described in the accepted answer on that post).

 What do you do when you write a PHP app that relies on sessions? how
 do you manage the server memory allocation issues?
 Say you wanted to keep session vars alive for 20 min ( from the last
 request from the client ) and you wanted your server to completely
 empty the session if there no request, no new php page is requested
 from that client within that next 20 min. And if a client requests a
 page say on the 19th min, session gets extended another 20 from that
 time on, just like the ASP works.

 The only reason there would be memory allocation issues is if you're storing 
 huge amounts of data in the session. If you are then I'd suggest that you 
 either re-architect your application so you don't need to, or implement a 
 custom storage

Re: [PHP] sessions and expirations and isolations

2012-01-16 Thread Haluk Karamete
great exp. now I'm heading towards the
http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path.

you definitely deserved a good  chocolate cookie!

On Mon, Jan 16, 2012 at 6:38 PM, Stuart Dallas stu...@3ft9.com wrote:
 On 17 Jan 2012, at 02:21, Haluk Karamete wrote:

 Well Stuart,

 When I said this

 In ASP, I create a virtual app at the IIS server - assigning a virtual
 dir path to the app, and from that point on, any page being served
 under that virtual path is treated as an isolated ASP app and thus the
 sessions are kept isolated and not get mixed up by asp pages that do
 not live under that virtual app path.

 I did not mean that aspect of the business which you replied to. I
 did not mean that 2 users' sessions can get mixed up. Of course,
 neither PHP nor ASP would allow that and that's all thru the current
 session cookie ID - which is nearly impossible to guess for somebody
 else's session cookie ID for that session time.

 Instead, I was meaning something totally different. Sorry for not
 being very clear about it. Here is another shot at it.

 Here, you are developing an app and the app is being developed under say
 domain.com/app1/. Let's call this app APP_1
 And this app got say 10 php files and these files use lots of some
 session vars to pass some data from one another. That's the case for
 APP_1.

 Now you need a second app... which is totally different from APP_1.
 And that is to be developed under say the same server as say
 domain.com/APP_2/ and this one too has its 5 php files.

 But there is nothing common between two apps.

 Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two
 separate apps ( virtual apps they call it ) and once I do that  ( and
 that's thru the IIS settings ), the session vars I store in APP_1 do
 not get overwritten by APP_2, even though they may or may not
 share the same names... With that,  I can set up a session var Age as
 43 right there in APP_1 and I can have another session variable in the
 other app, still named as Age where I store the age value as a string,
 something like say  middle-age. If I didn't create these virtual
 apps at IIS, ASP would have overwritten the value 43 with the value
 middle-age and vice versa back and forth.

 I'm trying to understand if the same flexibility is available or not with
 PHP.
 I should be able to go to APP_1 and do a _SESSION dump and I should
 see 10 session variables in there and then I should be able to go to
 APP_2 and there I should see only 8. That's the case with classic ASP.

 Of course. I did touch on this in my reply but I obviously wasn't verbose 
 enough. Sessions are tied to an ID, and that ID is (usually) stored in a 
 cookie. Therefore the cookie is what links a session to a user, and it's the 
 limits on that cookie that determine the level of isolation.

 In the case you describe above, the default behaviour would be for both apps 
 to share the session because the cookie would be set on domain.com with the 
 default path of /. You can change the path with the session.cookie_path 
 setting. See here for more details: 
 http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path

 Basically, each app would need to use the ini_set function to set 
 session.cookie_path to /APP_1 or /APP_2 accordingly, before calling 
 session_start. That will effectively isolate the sessions for the two apps in 
 the same way that virtual directories do in ASP.

 Hope that makes it clearer.

 -Stuart

 --
 Stuart Dallas
 3ft9 Ltd
 http://3ft9.com/

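
Stuart's two suggestions in this thread, the session.cookie_path setting he explains in the message above and the last-activity timestamp he pointed to in his earlier reply, combined into one helper as an added example (not Stuart's or the list's code). The /APP_1 and /APP_2 paths and the 20-minute figure come from the thread; deriving a per-app cookie name from the path is my own addition, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. Gives each app its own session
// cookie scope and an ASP-style idle timeout that every request renews.
declare(strict_types=1);

function startAppSession(string $appPath, int $idleSeconds = 1200): void
{
    // Everything here must run before session_start(). The cookie is
    // only sent back for URLs under $appPath, so /APP_1 and /APP_2 never
    // see each other's session ID (the session.cookie_path approach).
    ini_set('session.cookie_path', $appPath);
    // A distinct cookie name per app (own choice, beyond the thread) so
    // a stale cookie set on "/" cannot be picked up by the wrong app.
    session_name('SESS' . preg_replace('/[^A-Za-z0-9]/', '', $appPath));
    ini_set('session.use_only_cookies', '1');   // no session IDs in URLs
    ini_set('session.cookie_httponly', '1');    // not readable from JS
    // The server-side garbage collector must not remove the data before
    // the idle limit has passed; cookie_lifetime 0 keeps the default
    // "until the browser closes" behaviour quoted in the thread.
    ini_set('session.gc_maxlifetime', (string) $idleSeconds);
    ini_set('session.cookie_lifetime', '0');

    session_start();

    $now = time();
    if (isset($_SESSION['_last_activity'])
        && ($now - $_SESSION['_last_activity']) > $idleSeconds) {
        // No request for longer than the limit: discard the old data and
        // issue a fresh ID, deleting the old session on the server side.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    // Every request moves the window forward, like the 20-minute IIS
    // timeout described at the top of the thread.
    $_SESSION['_last_activity'] = $now;
}

// APP_1 pages call this first; APP_2 pages call it with '/APP_2'.
startAppSession('/APP_1', 20 * 60);
$_SESSION['Age'] = 43;   // does not collide with an 'Age' stored by APP_2
```

The timestamp check answers the "how does the server know the user is gone" question in Haluk's earlier post: it does not, so the application decides on the next request whether the gap was too long, and the garbage collector (bounded by gc_maxlifetime) eventually removes the data of visitors who never come back.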



[PHP] sql injection protection

2012-01-16 Thread Haluk Karamete
I understand some ways are better than others in this one, and it
looks like the PDO based implementations shine the most as far as SQL
Injection.

But would not the following be good enough - without implementing a
PDO solution?

1- get the user input
2- for each input, deliberately enforce a data type ( that is
date/string/integer ) and validate it.
3- for each input, deliberately enforce a data length ( for strings
data length and for integer a valid range for example )
4- check the magic_quotes_gpc and do the stripslashes and then the
mysqli_real_escape_string() and the htmlentities.
5- and on top of all this, I also check for the specific occurrences
of these following words; if any exist, I just do not execute that SQL
query. And that list is:
sysobjects,
syscolumns,
systypes,
EXEC(@,
CHAR(,
exec%20,
DECLARE%20@,
wscript.
CAST(
CONVERT(

6- I also count the number of 0x occurrences, if the user input
contains more than 2 of 0x, again I do not execute that command.

With all these in place, I don't know of a way that a userinput can
still make it thru.

These may raise a false negative on some valid user input that's
coming from a textarea where the data type is string, and an accepted
char length is big enough to create some havoc in the db, so be it, I
reject that input.

My question: even after all these, are there still ways to break in?

All the above can be easily tucked in a function which does a data
validation something like

ValidateUserInput($_GET['first_name'], "varchar(100)", "Please supply
a first name that is less than 100 characters");
ValidateUserInput($_GET['age'], "smallint", "Please supply an age
that is between 1-20");

Your insight is greatly appreciated on this.

I also read somewhere that mysql does NOT allow statement chaining.
So, that's even better.

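
The type-and-length validation layer of steps 2 and 3, written out as the ValidateUserInput() helper the post sketches, as an added example that is not the poster's own code. It also covers the "question 3" exchange near the top of this page by rejecting input that is not well-formed UTF-8 rather than guessing its encoding. It assumes PHP 7.1 or later with the mbstring extension; on those versions magic_quotes_gpc no longer exists, so step 4's stripslashes check is dropped, and htmlentities is an output-time concern rather than a validation one. Step 5's keyword list is left out: once the checked value is bound as a prepared-statement parameter, its type and length are what the database layer needs.

```php
<?php
// Added example, not the poster's own code. Assumes PHP 7.1+ with the
// mbstring extension.
declare(strict_types=1);

/**
 * Returns $value converted to the declared type, or throws
 * InvalidArgumentException carrying the caller's message.
 *
 * Supported $type values:
 *   varchar(N)  well-formed UTF-8 string of at most N characters
 *   smallint    integer in [-32768, 32767]
 *   int         integer in the signed 32-bit range
 *   date        YYYY-MM-DD that is a real calendar date
 *
 * Returning the typed value rather than true/false means the caller
 * binds the checked value and never touches the raw request string again.
 */
function ValidateUserInput($value, string $type, string $message)
{
    // Missing keys (null) and arrays (?age[]=x) satisfy none of the types.
    if (!is_string($value)) {
        throw new InvalidArgumentException($message);
    }
    // Enforce UTF-8 first: byte sequences that are not valid UTF-8 are
    // rejected outright instead of being guessed at with mb_detect_encoding().
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException($message);
    }

    if (preg_match('/^varchar\((\d+)\)$/', $type, $m)) {
        // Length in characters, not bytes, so a 100-char limit means the
        // same thing for ASCII and for multibyte text.
        if (mb_strlen($value, 'UTF-8') > (int) $m[1]) {
            throw new InvalidArgumentException($message);
        }
        return $value;
    }

    if ($type === 'smallint' || $type === 'int') {
        [$lo, $hi] = ($type === 'smallint')
            ? [-32768, 32767]
            : [-2147483648, 2147483647];
        // FILTER_VALIDATE_INT rejects "12abc", "1.5", leading zeros and
        // out-of-range values in one call and returns a real int.
        $n = filter_var($value, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $lo, 'max_range' => $hi]]);
        if ($n === false) {
            throw new InvalidArgumentException($message);
        }
        return $n;
    }

    if ($type === 'date') {
        // The round-trip comparison catches 2012-02-30, which
        // createFromFormat would otherwise silently roll into March.
        $d = DateTime::createFromFormat('!Y-m-d', $value);
        if ($d === false || $d->format('Y-m-d') !== $value) {
            throw new InvalidArgumentException($message);
        }
        return $d->format('Y-m-d');
    }

    // A typo in the type name is a programmer error, not a user error.
    throw new LogicException("unknown validation type: $type");
}

// Usage, mirroring the calls in the post above.
try {
    $firstName = ValidateUserInput($_GET['first_name'] ?? null, 'varchar(100)',
        'Please supply a first name that is less than 100 characters');
    $age = ValidateUserInput($_GET['age'] ?? null, 'smallint',
        'Please supply an age that is between 1-20');
    // $firstName and $age are now typed values ready to be bound to a
    // prepared statement's placeholders.
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The helper deliberately allow-lists by declared type instead of block-listing words: a first name is either a UTF-8 string of at most 100 characters or it is rejected, and no list of suspicious tokens has to be kept up to date.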



[PHP] if http_referer is not reliable then how do we ...

2012-01-16 Thread Haluk Karamete
Let's say we have a form mailer script, which takes any form ( whose
action is directed to it ) and goes thru the submitting form's fields
list ( programmatically ), to build a nice email on the fly and email
the built-up string to the email address that's coming in the hidden
field. Let's say that's the case...

And you do not want everyone to use this form mailer functionality.
What's the best way to protect it?

I currently use captcha to prevent robotic submissions but that won't
prevent the issue I talked about above.

I see no other way than the http_referer to test if the submitting
form resides in one of the accepted domains that mailer.php has been
hardcoded to work with and give privileges to. But then it's a known
fact that http_referer can be spoofed.

What would be your way of protecting your script from being taken
advantage of email functionality - without the http_referer?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
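One way to protect the mailer without relying on HTTP_REFERER, as an added example that is not part of the original thread: the recipient address is looked up server-side from a form id instead of being read from a hidden field, and each rendered form carries an expiring HMAC token. MAILER_SECRET, the form ids and the addresses are placeholders.

```php
<?php
// Added example (not from the thread). Assumptions: a server-side secret and a
// registry mapping form ids to recipients; all values below are placeholders.
const MAILER_SECRET = 'replace-with-a-long-random-secret';

// The recipient never comes from the submitted form, so the script cannot be
// turned into an open mail relay even if the submission itself is forged.
const FORM_RECIPIENTS = [
    'contact'  => 'contact@example.com',
    'feedback' => 'feedback@example.com',
];

// Embedded in the rendered form as a hidden field in place of the address.
function issue_form_token(string $form_id, int $ttl = 3600): string
{
    $payload = $form_id . '|' . (time() + $ttl);
    $mac     = hash_hmac('sha256', $payload, MAILER_SECRET);
    return base64_encode($payload . '|' . $mac);
}

function verify_form_token(string $token, string $form_id): bool
{
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return false;
    }
    list($tok_form, $expires, $mac) = $parts;
    if ($tok_form !== $form_id || !ctype_digit($expires) || (int) $expires < time()) {
        return false;
    }
    $expected = hash_hmac('sha256', $tok_form . '|' . $expires, MAILER_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Builds the mail body from the posted fields, as the original mailer does,
// but only after the form id and token check out.
function handle_submission(array $post): string
{
    $form_id = isset($post['form_id']) ? (string) $post['form_id'] : '';
    if (!isset(FORM_RECIPIENTS[$form_id])) {
        return 'unknown form';
    }
    $token = isset($post['token']) ? (string) $post['token'] : '';
    if (!verify_form_token($token, $form_id)) {
        return 'invalid or expired token';
    }
    $body = '';
    foreach ($post as $name => $value) {
        if ($name === 'form_id' || $name === 'token') {
            continue;
        }
        // Drop CR/LF so a field value cannot smuggle extra lines into the message.
        $body .= $name . ': ' . str_replace(["\r", "\n"], ' ', (string) $value) . "\n";
    }
    // mail(FORM_RECIPIENTS[$form_id], 'Form submission: ' . $form_id, $body);
    return 'ok';
}

// In the page that renders the form (id "contact"):
//   <input type="hidden" name="form_id" value="contact">
//   <input type="hidden" name="token" value="...htmlspecialchars(issue_form_token('contact'))...">
```

The token only bounds who can submit and for how long (anyone who can load the page can copy it), so the server-side recipient lookup, not the token, is what keeps the script from being abused as a relay; pair it with the captcha and a per-IP rate limit.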



[PHP] advice needed on a mysql select library function

2012-01-13 Thread Haluk Karamete
Why reinvent the wheel, when there are so many qualified pros here
whose brains I can pick...

I'm building a php library of functions, I mean day to day functions
that ease my RAD.

Since I am new to PHP, I'm trying to wrap php's built-in functions and
functionalities into new function names of my own creation from my old
ASP library so that I can work within the new php environment - using
still the familiar function names and arguments ... for example, I had
a leftof function which worked as

leftof("abcef", "bc") // returns "ef"
// which is the leftof the bc in the haystack abcdef.

That's the idea... I have over 100 functions that do all kinds of
things... the goal is to write those functions' php equivalents. I'm
done with the string and utility functions, now I'm getting into db
stuff!

My goal now is to write a one-liner sqlselect functionality which will
work like this

<?php

_select("my_wordpress_database_name_here", "SELECT * FROM wp_posts", $result);

// so that I can instantly get into business as follows;

while ($row = mysql_fetch_assoc($result)) {
    echo "<li>" . $row['post_title'];
}

basically, what the _select is supposed to do is to take the passed
database name, look that up in a switch statement to get the sql
server, db uid & pwd info and run the whole show all the way until it
puts the results in the $result resource. And I'm already done with
that...  I posted the code below...  but I want to isolate the switch
statement (that contains the sqlserver, uid, pwd data) out from this
library file...  I do not want to keep them in the library. ideally,
that info should be kept in, say, a connection_info.php file...

how would you go about it?

write an include directive ( for the switch section only) and
implement it that way? or is there a better way - such as using a
function for the switch?
please feel free to not only answer this question but also improve the
code segment I posted below. I will be using the principles I gain
from this thread in writing the update, delete and insert versions...

this is where I am now and following code snippet works as intended...



_select("wordpress_XYZ", "SELECT * FROM wp_posts", $result);

while ($row = mysql_fetch_assoc($result)) {
    echo "<li>" . $row['post_title'];
}

function _select($db_name, $sql, &$result)
{
    // $result is taken by reference so the caller receives the resource

    switch (bp_lcase($db_name))
    {
        // bp_lcase lowercases the name, so the label has to be lowercase to match
        case "wordpress_xyz":

            $db_name = ""; // this is usually the same as the 1st argument passed by the user
            $db_server = "";
            $db_username = "";
            $db_pass = "";
            break;

        case "":

            echo "Database name not passed";
            die;

        default:

            echo "Unknown database.";
            die;
    }

    $link = mysql_connect($db_server, $db_username, $db_pass) or die(mysql_error());
    mysql_select_db($db_name, $link) or die(mysql_error());
    $result = mysql_query($sql, $link) or die(mysql_error());
    mysql_close($link);
}

in the above code, ideally I would want to store the switch stuff
somewhere else... the question is what's the most elegant/proper way
of doing this...

now... that switch could be included as is from a plain file, that's
easy enough...

or it could be put into a function so that the _select function internally
calls it and gets the handle of the $link so that
mysql_select_db($db_name, $link) can run fine...  in that case, should
the $link be passed by ref? any issues with that?

which approach is better? or are there other issues that I must be
aware of in starting to build such a library?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: advice needed on a mysql select library function

2012-01-13 Thread Haluk Karamete
I'm leaning towards this;

function bp_select($db_name, $sql, &$result)
{
    bp_conn($db_name, $db_server, $db_username, $db_pass);
    // with that, I pass the $db_name and the rest gets byRef'ed by
    // the bp_conn! and I keep the bp_conn in a sep. file

    $link = mysql_connect($db_server, $db_username, $db_pass) or die(mysql_error());
    mysql_select_db($db_name, $link) or die(mysql_error());
    $result = mysql_query($sql, $link) or die(mysql_error());
    mysql_close($link);
}



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] how do you find out if a mysql resource is empty?

2012-01-13 Thread Haluk Karamete
$result = mysql_query($sql,$link) or die(mysql_error());

how do you find out if $sql returned any recordsets?
is there a fast/super efficient way of finding this out... something
along the lines of an is_empty($result) type thing?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] any security issues with this mysql_update function?

2012-01-13 Thread Haluk Karamete
I wrote a function sql_update which takes a $db_name, a $table_name,
a $where and finally a $data array, where data is authored by using an
associative array which allows easy pairing of field names and
field values.

This is how I build the data array;

$data = array(
    'FirstName' => 'John',
    'LastName' => "Smith",
    'Age' => 90,
);


and this is how I call the function

sql_update("blueprint2012", "test_table", "where PersonID=1", $data);

And this does it for me, and does it very easily and conveniently,

but I've got a concern...

If you kindly take a look at the function that does the work
sql_update posted below, therein you will see a
mysql_real_escape_string being used in an array_map operation.

The question is: would simply having mysql_real_escape_string in
there protect me from SQL injection? Is it that good?

Or do you think this kind of stuff should be handled before the
function is called at $data building time?
This approach of course would then nullify the need of using
mysql_real_escape_string within the below function.

I'm inclined towards the idea that the below function *should* just
assume that the data is safe (and therefore not use
mysql_real_escape_string) and that before I call the function, I
should take care of the SQL injection stuff more transparently, so that
$data is safe and sound as far as both SQL injection and HTML encoding
against XSS go.

But then again, if mysql_real_escape_string does the job well and good
enough, why worry?

what say you?

function sql_update($db_name, $table_name, $where, $data)
{
    // dies out if something wrong.
    // returns $the_number_of_records_effected, if any

    // following 3 lines take care of the connection
    bp_conn($db_name, $db_server, $db_username, $db_pass);
    $link = mysql_connect($db_server, $db_username, $db_pass) or die(mysql_error());
    mysql_select_db($db_name, $link) or die(mysql_error());

    // only the values are escaped; the keys (column names), $table_name and
    // $where go into the statement as they are
    $values = array_map('mysql_real_escape_string', array_values($data));
    $keys = array_keys($data);

    $i = -1;
    $string = "SET ";
    foreach ($keys as $item)
    {
        $i++;
        $string = $string . "`" . $item . "`='" . $values[$i] . "', ";
    }

    // echo "[" . $string . "]";
    // [SET `FirstName`='John', `LastName`='Smith', `Age`='90', ]

    $string = bp_cutthelast($string, 2) . " " . $where;
    // echo "[" . $string . "]";
    // [SET `FirstName`='John', `LastName`='Smith', `Age`='90' where PersonID=1]

    $update_sql_statement = 'UPDATE `' . $table_name . '` ' . $string;
    // echo $update_sql_statement;
    // outputs UPDATE `test_table` SET `FirstName`='John',
    // `LastName`='Smith', `Age`='90' where PersonID=1

    if (mysql_query($update_sql_statement, $link))
    {
        $affected = mysql_affected_rows($link);
        mysql_close($link); // close before returning; a close after return never runs
        return $affected;
    }
    else
    {
        echo "error SQL FAILS " . mysql_error();
        mysql_close($link);
        die;
    }
}

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
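The same sql_update, and the connection lookup the _select thread wanted kept out of the library, rebuilt on PDO prepared statements, as an added example that is not code from the thread. Values are bound as parameters (so they never become part of the SQL text, which is the usual answer to the escaping and validation questions above), identifiers are checked against a pattern since they cannot be bound, and the WHERE clause takes placeholders instead of a raw string; the DSN, credentials and bp_connection_info() are assumed placeholders.

```php
<?php
// Added example (not from the thread). bp_connection_info() stands in for the
// separate connection_info.php the poster asked about; values are placeholders.
function bp_connection_info(): array
{
    return [
        'blueprint2012' => [
            'dsn'  => 'mysql:host=localhost;dbname=blueprint2012;charset=utf8mb4',
            'user' => 'db_user',
            'pass' => 'db_password',
        ],
    ];
}

// Looks the database up by name and returns an open PDO handle.
function bp_conn(string $db_name): PDO
{
    $info = bp_connection_info();
    if (!isset($info[$db_name])) {
        throw new InvalidArgumentException("Unknown database: $db_name");
    }
    $c = $info[$db_name];
    return new PDO($c['dsn'], $c['user'], $c['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Table and column names cannot be bound as parameters, so they are checked
// against a strict identifier pattern and backtick-quoted instead.
function bp_ident(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Bad identifier: $name");
    }
    return '`' . $name . '`';
}

// $where is a clause with placeholders, e.g. 'PersonID = :id', and
// $where_params holds their values. Returns the number of affected rows.
function sql_update(string $db_name, string $table, string $where,
                    array $where_params, array $data): int
{
    $pdo    = bp_conn($db_name);
    $set    = [];
    $params = [];
    foreach ($data as $col => $val) {
        $set[]                 = bp_ident($col) . ' = :set_' . $col;
        $params['set_' . $col] = $val;
    }
    $sql  = 'UPDATE ' . bp_ident($table) . ' SET ' . implode(', ', $set)
          . ' WHERE ' . $where;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params + $where_params);
    return $stmt->rowCount();
}

// Usage matching the thread's example; the apostrophe in the surname is
// handled by the driver rather than by string escaping:
// $data = ['FirstName' => 'John', 'LastName' => "O'Brien", 'Age' => 90];
// $n = sql_update('blueprint2012', 'test_table', 'PersonID = :id', ['id' => 1], $data);
```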



[PHP] advice on simplifying session usage

2012-01-12 Thread Haluk Karamete
Again, coming from ASP background, I'm trying to minimize the typing
for most needed functionalities..

in asp, to set a session var, you go <%session("age")=90%> and to
output it, you just go <%=session("age")%>

in php, you've got to _SESSION['age']=90. that's a lot of keyboarding,
lots of double key strokes and the entire word session has to be
uppercase.
of course, if you use an IDE and you get fast at it, this may not be
an issue but I wanted to simplify it anyway.

so the plan is this

<?php

_s("age", 43); // set the session var age to 43
echo _s("age"); // outputs the value

?>

To achieve this; I wrote this preliminary function;

function _s($var, $val = "r4r53d323,9e809023890j832e@14fdsffdd")
{
    if ($val == "r4r53d323,9e809023890j832e@14fdsffdd")
    {return $_SESSION[$var];}
    else
    {$_SESSION[$var] = $val;}
}

Now, what's that number you ask!... it's just a value which I figured
I would never end up with in a real app.
It's just a way for me to use the default argument of the function so I
can call the _s function with 1 or 2 arguments.

Can this be done a better way? How do you use _s function with 1 or 2
arguments so in 1 arg mode, you can use it as a set, and in 2 arg
mode, you use it as a way to return val.

Is the func_get_args route the only way? performance-wise, which one would be better?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] advice on simplifying session usage

2012-01-12 Thread Haluk Karamete
I agree... that was just a wild idea! :)
Let's forget about it!

What's a good PHP programming editor you'd recommend on a mac for starters?




On Thu, Jan 12, 2012 at 6:39 PM, tamouse mailing lists
tamouse.li...@gmail.com wrote:
 On Thu, Jan 12, 2012 at 7:16 PM, Haluk Karamete halukkaram...@gmail.com 
 wrote:
 Again, coming from ASP background, I'm trying to minimize the typing
 for most needed functionalities..

 in asp, to set a session var, you go <%session("age")=90%> and to
 output it, you just go <%=session("age")%>

 in php, you've got to _SESSION['age']=90. that's a lot of keyboarding,
 lots of double key strokes and the entire word session has to be
 uppercase.

 if you haven't (yet) disabled caps-lock, this is one thing it's
 typically used for -- successful strings of capital letters.

 Anyway, if you use $_SESSION[] a lot, then creating a short 2-char
 function can be helpful. Someone else coming along later to maintain
 your code might be highly mystified about it though.

 of course, if you use an IDE and you get fast at it, this may not be
 an issue but I wanted to simplify it anyway.

 so the plan is this

 <?php

 _s("age", 43); // set the session var age to 43
 echo _s("age"); // outputs the value

 ?>

 To achieve this; I wrote this preliminary function;

 function _s($var, $val = "r4r53d323,9e809023890j832e@14fdsffdd")
 {
         if ($val == "r4r53d323,9e809023890j832e@14fdsffdd")
         {return $_SESSION[$var];}
         else
         {$_SESSION[$var] = $val;}
 }

 You should add in a check to make sure the $_SESSION[$var] actually
 exists as an index in your first return statement and return a value
 you can check against for success/failure.


 Now, what's that number you ask!... it's just a value which I figured
 I would never end up in a real app.
 It's just a way for me to use default argument of the function so I
 can call _s function with 1 or 2 arguments.

 Can this be done a better way? How do you use _s function with 1 or 2
 arguments so in 1 arg mode, you can use it as a set, and in 2 arg
 mode, you use it as a way to return val.

 Is func_get_args route the only way? performance wise which one would better?

 This would be the safest way in this case. I'm not 100% sure how this would
 devolve into byte-code, but my assumption is that there would be a
 very slight performance cost; however, since you are calling a
 function for every access to the $_SESSION array, you've already bitten
 the majority of that cost.


 All in all, I would not use this sort of aliasing of a function to an
 array to save typing. Get an IDE if it really is that onerous. I can
 type sestab and it expands to $_SESSION['index'] automatically
 dropping me at the first apostrophe with the whole inner string
 highlighted. Saves *LOTS* of typing.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] differences in between these env. variables

2012-01-11 Thread Haluk Karamete
I've grouped these env variables; each group returns the same values.
Is there a difference? Which ones do you use? Which ones should I not
use for the purposes listed below?

group1
SCRIPT_FILENAME vs PATH_TRANSLATED
where both return D:\Hosting\5291100\html\directory\file.php
purpose: get the full file path to the php script



group2
REMOTE_ADDR vs REMOTE_HOST
where both return same IP
purpose: get the visitor's ip

group3
REQUEST_URI vs SCRIPT_NAME vs URL vs ORIG_PATH_INFO vs PHP_SELF
which all return  /directory/file.php
purpose: get the virtual url to the php script

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] reporting errors when $ sign is missing in front of a variable

2012-01-11 Thread Haluk Karamete
Hi, I'm coming from ASP background.
There, there is a life saver option called option explicit. It
forces you to declare your variables using the dim statement. The
good thing about that is that if you were to mis-spell one of your
variables, asp.dll throws an error stating that on line so and so,
variable so and so not declared. This allows you to immediately fix
the error saving lots of time. If you did not use option explicit,
then that misspelled variable would not have caused any error and you
woud have spent much more time debugging your app as to what went
wrong where.

Now, I understand with PHP that we do not have a variable declaration
per se; you put a $ sign in front of a word, and that becomes a
variable. Since in asp we do not use $ much, I keep forgetting that.
I first declare a var and set a value for it using the $. But then I
refer to the darned thing without the $. And there are no errors. This
behaviour seems extremely odd to me.

How do I achieve the functionality that if I forget to use $ sign for
a previously declared variable, php throws me an error.

example

$my_var = 90;
echo my_var;

I want an error to be thrown in line 2. what do I need to do?
I was assuming that since there is no function titled my_var, PHP
would have complained right there and then. But instead, it simply
echoes my_var.

I would have expected my_var to be outputted only if I were to write
echo "my_var";. This beats me.

At the top of my page, I already have this <?php error_reporting
(E_ALL ^ E_NOTICE); ?>

Haluk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] reporting errors when $ sign is missing in front of a variable

2012-01-11 Thread Haluk Karamete
Thanks...
Well I just changed the <?php error_reporting (E_ALL ^ E_NOTICE); ?>
to <?php error_reporting (E_ALL); ?> and that does it for me.

Notice: Use of undefined constant my_age - assumed 'my_age' in
D:\Hosting\5291100\html\blueprint\bp_library.php on line 40
my_age

Now back in business :)


On Wed, Jan 11, 2012 at 9:12 PM, Tommy Pham tommy...@gmail.com wrote:
 On Wed, Jan 11, 2012 at 8:43 PM, Haluk Karamete halukkaram...@gmail.com 
 wrote:




 This works for me in a development environment without a debugger setup,
 using a web browser (note that I'm using 5.4RC2 so the default
 behavior of error_reporting(E_ALL) is different [1]):

 Notice: Use of undefined constant my_var - assumed 'my_var' in
 F:\dev\sites\wwwroot\php_apps\test.php on line 5
 my_var

 <?php
 error_reporting(E_ALL);
 ini_set('display_errors', 'on');
 $my_var = 90;
 echo my_var;

 highlight_file(__FILE__);

 Good luck,
 Tommy

 [1] http://php.net/function.error-reporting

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] http_referer. what's wrong with that?

2012-01-11 Thread Haluk Karamete
Because I got this

echo $_SERVER['HTTP_REFERER'];

I end up with this

Notice: Undefined index: HTTP_REFERER in
D:\Hosting\5291100\html\blueprint\bp_library.php on line 16
die;

Now, this is of course after the <?php error_reporting (E_ALL); ?> change.

One solution is to dodge it by

echo @$_SERVER['HTTP_REFERER'];

But I'm still curious, what configuration am I missing so that
http_referer is treated like that?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php