On 21/06/15 20:14, Mark Murphy wrote:
> But what does your application do when it gets an invalid SQL statement?
> Maybe it is telling the attacker something important about your database so
> that they can compromise it with the appropriate injection.
It just defaults to the first news article in
But what does your application do when it gets an invalid SQL statement?
Maybe it is telling the attacker something important about your database so
that they can compromise it with the appropriate injection.
On 2:36PM, Sun, Jun 21, 2015 Lester Caine wrote:
> On 21/06/15 18:55, Richard wrote:
>
On 21/06/15 18:55, Richard wrote:
>>> OK - this had no chance of success since publish_date_desc is
>>> >> processed using the _desc ( or _asc ) and any invalid data
>>> >> stripped
>>> >>
>>> >>
>>> >> &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20n
>>> >> ame_const(CHAR(111,10
> Date: Sunday, June 21, 2015 12:39:06 PM -0400
> From: Aziz Saleh
>
> On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine
> wrote:
>
>> OK - this had no chance of success since publish_date_desc is
>> processed using the _desc ( or _asc ) and any invalid data
>> stripped
>>
>>
>> &sort_mode=publi
On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine wrote:
> OK - this had no chance of success since publish_date_desc is processed
> using the _desc ( or _asc ) and any invalid data stripped
>
>
> &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,
OK - this had no chance of success since publish_date_desc is processed
using the _desc ( or _asc ) and any invalid data stripped
&sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,
On 16/05/15 14:51, Karl DeSaulniers wrote:
> Interesting. I program in MySQL on a hosting plan by a third party.
> I have heard/read MySQL is not an enterprise solution, but
> for the basic business with say less than 100,000 customers,
> it does the job and well. Larger than that I had hear Postg
On May 16, 2015, at 8:42 AM, Lester Caine wrote:
> On 16/05/15 10:00, Karl DeSaulniers wrote:
>> That does clarify things a bit better on both the @ question
>> and prepared statements. Thank you for the link as well.
>>
>> So new question.. what is the best type of database to use
>> for someon
On 16/05/15 10:00, Karl DeSaulniers wrote:
> That does clarify things a bit better on both the @ question
> and prepared statements. Thank you for the link as well.
>
> So new question.. what is the best type of database to use
> for someone who wants to start small and grow big?
>
> My findings
On May 16, 2015, at 3:51 AM, Lester Caine wrote:
> On 15/05/15 06:21, Karl DeSaulniers wrote:
>> Oh ok. Now it makes a little more sense.
>> I have worked in ASP before, but I am programming in PHP and MySQL at the
>> moment.
>>
>> I am going to look into Prepared Statements. Thanks for your
On 15/05/15 06:21, Karl DeSaulniers wrote:
> Oh ok. Now it makes a little more sense.
> I have worked in ASP before, but I am programming in PHP and MySQL at the
> moment.
>
> I am going to look into Prepared Statements. Thanks for your feedback.
Just to clarify things a little here and explai
-Kevin Waddell
Proverbs 3:5-6
On Fri, 5/15/15, Ruprecht Helms wrote:
Subject: Re: [PHP-DB] SQL Injection
To: php-db@lists.php.net
Date: Friday, May 15, 2015, 10:16 AM
On 15.05.2015 07:21, Karl DeSaulniers wrote:
> On May 14, 2015, at
On 15.05.2015 07:21, Karl DeSaulniers wrote:
On May 14, 2015, at 11:11 PM, Onatawahtaw wrote:
Hi Karl,
If you look at the link you provided you'll notice that some of the code is for
ASP.net and some is for PHP.
I have looked in the link. Most problems by inject an sql-Code is to add
so
On May 14, 2015, at 11:11 PM, Onatawahtaw wrote:
> Hi Karl,
>
> If you look at the link you provided you'll notice that some of the code is
> for ASP.net and some is for PHP. What of the two are you programming in? If
> you are programming in ASP.net you are asking your question to the wrong
Hi Karl,
If you look at the link you provided you'll notice that some of the code is for
ASP.net and some is for PHP. What of the two are you programming in? If you are
programming in ASP.net you are asking your question to the wrong mailing list
as this list is for PHP. If you are programming
On May 14, 2015, at 8:37 PM, Jigme Datse Yli-Rasku
wrote:
> On 15/05/14 18:19 , Karl DeSaulniers wrote:
>> On May 14, 2015, at 8:09 PM, Aziz Saleh wrote:
>>
>>>
>>>
>>> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers
>>> wrote:
>>> Hello Everyone,
>>> Have a quick question. Was reading s
On 15/05/14 18:19 , Karl DeSaulniers wrote:
On May 14, 2015, at 8:09 PM, Aziz Saleh wrote:
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers wrote:
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players
perspective.
I know w3schools is not the de-facto on
On May 14, 2015, at 8:09 PM, Aziz Saleh wrote:
>
>
> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers
> wrote:
> Hello Everyone,
> Have a quick question. Was reading some material and wanted some Players
> perspective.
> I know w3schools is not the de-facto on everything, so I wanted to kno
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers
wrote:
> Hello Everyone,
> Have a quick question. Was reading some material and wanted some Players
> perspective.
> I know w3schools is not the de-facto on everything, so I wanted to know
> how reliable is the information on this page.
>
> http:/
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players
perspective.
I know w3schools is not the de-facto on everything, so I wanted to know how
reliable is the information on this page.
http://www.w3schools.com/sql/sql_injection.asp
Namely the @ symbol before S
Been a while since I've had a concerted hacker attempt, but over night
this has appeared in the logs.
'sort_mode' => 'last_modified_desc\' and(/**/sElEcT 1
/**/fRoM(/**/sElEcT count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT
/**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f49594
On Jan 15, 2013, at 5:25 AM, Amit Tandon wrote:
SELECT orderid
FROM ORDERS_TABLE
WHERE orderstatus IN ( 'Cancelled', 'New'", 'Denied',
'Expired' , 'Failed' , 'Pending' , 'Refunded' , 'Reversed' , 'Under
Review'
, 'Voided') AND orderdate < '".mysqli_real_escape_s
SELECT orderid
FROM ORDERS_TABLE
WHERE orderstatus IN ( 'Cancelled', 'New'", 'Denied',
'Expired' , 'Failed' , 'Pending' , 'Refunded' , 'Reversed' , 'Under Review'
, 'Voided') AND orderdate < '".mysqli_real_escape_string($
yesterday);
Another option would be to use e
Hello Everyone,
Hope your 2013 is treating you well.
Quick question and apologies if it is a stupid question.
Is this a viable syntax?
$sql = "SELECT orderid
FROM ORDERS_TABLE
WHERE orderstatus = 'Cancelled' OR (orderstatus = ('New' OR
'Denied' OR 'Expired' OR 'Failed'
On Mon, Jun 18, 2012 at 6:26 PM, Matijn Woudt wrote:
> On Mon, Jun 18, 2012 at 11:56 PM, Dee Ayy wrote:
>> I would like a query that lists records where a column has not taken
>> on a specific value when grouped by another column.
>>
>> N V
>> n1 v1
>> n1 v2
>> n2 v1
>> n2 v2
>> n2 v3
>> n3 v1
>
On Mon, Jun 18, 2012 at 11:56 PM, Dee Ayy wrote:
> I would like a query that lists records where a column has not taken
> on a specific value when grouped by another column.
>
> N V
> n1 v1
> n1 v2
> n2 v1
> n2 v2
> n2 v3
> n3 v1
>
> If v3 has ever been set for N, do not list N. So the result wo
I would like a query that lists records where a column has not taken
on a specific value when grouped by another column.
N V
n1 v1
n1 v2
n2 v1
n2 v2
n2 v3
n3 v1
If v3 has ever been set for N, do not list N. So the result would be n1, n3
If v2 has ever been set for N, do not list N. So the res
Chris your answer is the better solution, I thinked that the option suggest
by Martin was fine.
anywhere, tanks for help us to improve us code.
Gerardo.
2009/3/16 Chris
> Martin Zvarík wrote:
>
>> Is it smart to use all of this on one page?
>> Or should I rather do one SQL and let PHP count it
Martin Zvarík wrote:
Is it smart to use all of this on one page?
Or should I rather do one SQL and let PHP count it?
$q = $DB->q("SELECT COUNT(*) FROM comments");
$int_total = $DB->frow($q);
$q = $DB->q("SELECT COUNT(*) FROM comments WHERE approved IS NULL");
$int_waiting = $DB->frow($q);
$q
Is it smart to use all of this on one page?
Or should I rather do one SQL and let PHP count it?
$q = $DB->q("SELECT COUNT(*) FROM comments");
$int_total = $DB->frow($q);
$q = $DB->q("SELECT COUNT(*) FROM comments WHERE approved IS NULL");
$int_waiting = $DB->frow($q);
$q = $DB->q("SELECT COUNT
mignon hunter wrote:
> Hi Christopher
>
> One other question. Our current site is written in jsp with
> Oracle. I'd like to use PHP. Do you have any thoughts on this?
My recommendation is to utilize the existing skills you have; this
echoes Fergus's comment. However, PHP is very popular and if
casionally.
Oracle is the db on most of the site - a little mysql too.
--- On Fri, 11/7/08, Christopher Jones <[EMAIL PROTECTED]> wrote:
From: Christopher Jones <[EMAIL PROTECTED]>
Subject: Re: [PHP-DB] sql injections/best practises
To: [EMAIL PROTECTED]
Cc: php-db@lists.php.net
Da
On Mon, Nov 10, 2008 at 8:49 AM, mignon hunter <[EMAIL PROTECTED]> wrote:
> One other question. Our current site is written in jsp with Oracle. I'd like
> to use PHP. Do you have any thoughts on this?
Your post, mignon, was pretty clearly directed to Christopher, but I
hope neither of you will be
thank you so much Fergus for all this great info - this will get me started.
--- On Sat, 11/8/08, Fergus Gibson <[EMAIL PROTECTED]> wrote:
From: Fergus Gibson <[EMAIL PROTECTED]>
Subject: Re: [PHP-DB] sql injections/best practises
To: php-db@lists.php.net
Date: Saturday, November 8,
Thank you Christopher - this gives me some much needed direction.
--- On Fri, 11/7/08, Christopher Jones <[EMAIL PROTECTED]> wrote:
From: Christopher Jones <[EMAIL PROTECTED]>
Subject: Re: [PHP-DB] sql injections/best practises
To: [EMAIL PROTECTED]
Cc: php-db@lists.php.net
Hello,
Anybody knows how to make PHP connect to Microsoft SQL Server Express 2008?
I know about the php_mssql extension, but that's apparently only the beginning.
What else do I need to do, assuming I have a standard SQLServer setup...
Thanks in advance,
Yves
On Fri, Nov 7, 2008 at 3:39 PM, Christopher Jones
<[EMAIL PROTECTED]> wrote:
>
> mignon hunter wrote:
>> I'm am trying to find some definitive best practises on database
>> connections with php on both mysql and oracle.
Most security issues come back to a simple concept. Assume anything
in your s
mignon hunter wrote:
> I'm am trying to find some definitive best practises on database connections
with php on both mysql and oracle.
>
> I'm starting to redesign a corporate website and am trying to find out more
about security and the best practises for database queries and user input form
I'm am trying to find some definitive best practises on database connections
with php on both mysql and oracle.
I'm starting to redesign a corporate website and am trying to find out more
about security and the best practises for database queries and user input form
handling.
For example -
http://www.php.net/manual/en/function.number-format.php
bastien
> Date: Sun, 16 Dec 2007 17:17:41 +0600
> From: [EMAIL PROTECTED]
> To: php-db@lists.php.net
> Subject: [PHP-DB] sql problem
>
> my problem in the following code
>
my problem in the following code
INSERT INTO `test` ( `debit` )
VALUES (
'2'
)
when i search it shows like this:
SELECT debit FROM `test`
output is :2.
but
i have to show
output :20,000.00
like
input 2
output 20,000.00
input 3000
output 3,000.00
input 10
output 1,0.00
Bryan wrote:
SELECT * FROM productgroup WHERE groupid = $productid
AND label = 'Cats' ORDER BY title
SELECT * FROM productgroup WHERE groupid = $productid
AND label != 'Cats' ORDER BY label,title
I'd like to find a way to combine these 2 statements. I want to list out
all the products, ordere
How about a union?
SELECT * FROM productgroup WHERE groupid = $productid
AND label = 'Cats' ORDER BY title
UNION
SELECT * FROM productgroup WHERE groupid = $productid
AND label != 'Cats' ORDER BY label,title
Also, for long-term maintenance, it would probably be better to list the
columns rather
Yeah, that's a bit of an important piece of information. Some tricks do work
across versions of SQL, but not always.
Something else you can try is creating an artificial column to sort by. Excuse
the code, it's been ages since I've worked with MS SQL so syntax is probably
off, but just to dem
I think there's one small piece of data I left out. I'm working with
php/mssql, not mysql. I'll move to mysql when I get everything else
built. Mssql 2000 doesn't seem to like the = sign in the order by
clause. It looks like both of you so far have come up with the same
syntax though so it must
I think there's one small piece of data I left out. I'm working with
php/mssql, no mysql. I'll move to mysql when I get everything else
built. Mssql 2000 doesn't seem to like the = sign in the order by
clause. It looks like both of you so far have come up with the same
syntax though so it must
Try this:
SELECT * FROM productgroup WHERE groupid = $productid
ORDER BY label = 'Cats' DESC, title
The test SQL I did to make sure I understood it was this (against our Users
table):
select * from users order by first = 'Bob' DESC, first, last
It put all the "Bob"s first, sorting them by firs
Bryan wrote:
SELECT * FROM productgroup WHERE groupid = $productid
AND label = 'Cats' ORDER BY title
SELECT * FROM productgroup WHERE groupid = $productid
AND label != 'Cats' ORDER BY label,title
I'd like to find a way to combine these 2 statements. I want to list out
all the products, ordere
SELECT * FROM productgroup WHERE groupid = $productid
AND label = 'Cats' ORDER BY title
SELECT * FROM productgroup WHERE groupid = $productid
AND label != 'Cats' ORDER BY label,title
I'd like to find a way to combine these 2 statements. I want to list out
all the products, ordered by title but
Hi Laitha,
And with backslashes before them ??
jm
- Original Message -
From: "Lasitha Alawatta" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 22, 2007 2:06 PM
Subject: [PHP-DB] SQL unexpected T_CONSTANT_ENCAPSED_STRING Error
Hi All,
I have a sql script u
Hi All,
I have a sql script unable to execute. Because I need to insert double-coats
( " ) also to one field(SPParams field).
Ones I execuit this using mysql_query($sql), it gives "Parse error: parse
error, unexpected T_CONSTANT_ENCAPSED_STRING " error message.
$strSql =
"$event[cal_description]";
echo "\n";
echo "\n";
} while ($event = mysql_fetch_array($events));
} else {
echo "No Public Events Are Currently Scheduled...";
}
?>
- Original Message -
From: "Matthew Ferry" <[EMAIL PROTECTED]>
To:
This is a join - Read up on them, they're very useful and don't require
the overhead of a sub-query.
SELECT egw_cal.* FROM egw_cal_dates
LEFT JOIN egw_cal using (cal_id)
where egw_cal_dates.cal_start > $tstamp
AND egw_cal.cal_category = '501'
-Micah
On 02/12/2007
Try this as your SQL. It should give you all the results, then you can use PHP
to sort it all out.
SELECT * FROM egw_cal WHERE cal_category='501' and cal_id in (SELECT cal_id
FROM egw_cal_dates where cal_start > $tstamp)
-TG
= = = Original message = = =
Hello Everyone
Got a simple / st
Matthew Ferry wrote:
Hello Everyone
Got a simple / stupid question.
Worked on this all night. I'm over looking something very basic here.
The query "event_time" brings back the calendar id for each event that is
pending in the future.
ie 12, 13, 14, 26 (There could be 100 of them out
Hello Everyone
Got a simple / stupid question.
Worked on this all night. I'm over looking something very basic here.
The query "event_time" brings back the calendar id for each event that is
pending in the future.
ie 12, 13, 14, 26 (There could be 100 of them out there)
The second quer
Tony Grimes wrote:
I'm developing a course calendar for a client and I'm running into
performance problems with the admin site. For example, when I try to include
registration counts in the course list, the page really slows down for large
course lists (50 or so):
COURSEATTENDEES CA
query.
I would just test both ways and see which one performs better...
Bastien
From: Tony Grimes <[EMAIL PROTECTED]>
To: PHP-DB
Subject: [PHP-DB] SQL Performance Help
Date: Wed, 27 Dec 2006 14:05:13 -0700
I'm developing a course calendar for a client and I'm running into
perf
I'm developing a course calendar for a client and I'm running into
performance problems with the admin site. For example, when I try to include
registration counts in the course list, the page really slows down for large
course lists (50 or so):
COURSEATTENDEES CAPACITYSEATS LEFT
Chris Carter wrote:
What wrong with this syntax, its not giving any error on runtime but I am
facing a blank page while paging.
$query=" SELECT * FROM gurgaonmalls WHERE mallname = '$mallname' limit $eu,
$limit ";
Have you tried...
echo " $query ";
...to unsure the variables have the values
What wrong with this syntax, its not giving any error on runtime but I am
facing a blank page while paging.
$query=" SELECT * FROM gurgaonmalls WHERE mallname = '$mallname' limit $eu,
$limit ";
--
View this message in context:
http://www.nabble.com/SQL-query-error-tf2831052.html#a7903857
Sent f
OK, this makes my day clear!!
I have versión 3.23.49-3 of MySQL
Thanks Dwight!
-Original Message-
From: Dwight Altman [mailto:[EMAIL PROTECTED]
Sent: Jueves, 28 de Septiembre de 2006 11:32 a.m.
To: php-db@lists.php.net
Subject: RE: [PHP-DB] SQL query
Check your version. Subselects
Check your version. Subselects were only added in MySQL Version 4.1.
Regards,
Dwight
> -Original Message-
> From: Edwin Cruz [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 28, 2006 10:53 AM
> To: 'Miguel Guirao'; php-db@lists.php.net
> Subject: RE: [PH
iembre de 2006 09:09 a.m.
> Para: php-db@lists.php.net
> Asunto: [PHP-DB] SQL query
>
>
>
>
> Hello list,
>
> Whats wrong with my SQL query:
>
> $query="select email from usuarios where userName = (select
> username from fussv where folio = 'FUSS-1
Hello list,
Whats wrong with my SQL query:
$query="select email from usuarios where userName = (select username from
fussv where folio = 'FUSS-130-2006')";
I get an error!
I have tested the two individual sentences and they worked OK!
---
Miguel Guirao Aguilera
Logisti
> -Original Message-
> From: Chris [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 07, 2006 9:52 PM
> To: K.A.Bouton
> Cc: php-db@lists.php.net
> Subject: Re: [PHP-DB] sql output to a multidimensional array
>
>
> K.A.Bouton wrote:
> > I
Yeah ... it ain't purdy, and it sure doesn't scale so you have to be
careful where you use it.
This is usually more of a presentation issue that I'd suggest be left up
to the application doing the display of the data.
As an example, I believe Microsoft Excel has a crosstab function that
can
Mitch Miller wrote:
K.A.Bouton wrote:
> I need the output of my sql to be a multidimensional array as follows.
then Chris wrote:
> You won't be able to get an sql query to return in that format (I know
> what you're trying to do, I've used the same chart software).
This is my MSSQL Server s
K.A.Bouton wrote:
> I need the output of my sql to be a multidimensional array as follows.
then Chris wrote:
> You won't be able to get an sql query to return in that format (I know
> what you're trying to do, I've used the same chart software).
This is my MSSQL Server solution, and yep, it out
K.A.Bouton wrote:
I need the output of my sql to be a multidimensional array as follows.
chart [ 'chart_data' ] =3D array ( array ( "", "2001", "2002", "2003",
"2004" ),
array ( "AAA", 0, 10, 30,
63 ),
array ( "BBB
I need the output of my sql to be a multidimensional array as follows.
chart [ 'chart_data' ] =3D array ( array ( "", "2001", "2002", "2003",
"2004" ),
array ( "AAA", 0, 10, 30,
63 ),
array ( "BBB", 100, 20,
Try the MSDN library:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/mdobjconnectionpme.asp
- Frank
> Chris wrote:
> > Todd Cary wrote:
> >> [Sorry - I misposted this in the General group]
> >>
> >> I am in the process of converting my clients PHP scripts that are
>
Todd Cary wrote:
Chris wrote:
Todd Cary wrote:
[Sorry - I misposted this in the General group]
I am in the process of converting my clients PHP scripts that are
using Firebird so they will work with SQL Server (their request; not
mine).
Is there a reference where I can get the COM Methods
Chris wrote:
Todd Cary wrote:
[Sorry - I misposted this in the General group]
I am in the process of converting my clients PHP scripts that are
using Firebird so they will work with SQL Server (their request; not
mine).
Is there a reference where I can get the COM Methods and Properties?
Todd Cary wrote:
[Sorry - I misposted this in the General group]
I am in the process of converting my clients PHP scripts that are using
Firebird so they will work with SQL Server (their request; not mine).
Is there a reference where I can get the COM Methods and Properties?
The php website
[Sorry - I misposted this in the General group]
I am in the process of converting my clients PHP scripts that are
using Firebird so they will work with SQL Server (their request;
not mine).
Is there a reference where I can get the COM Methods and Properties?
Also, without loading the large A
>From: David BERCOT <[EMAIL PROTECTED]>
> >To: php-db@lists.php.net
> >Subject: RE: [PHP-DB] SQL request on DBase file
> >Date: Sat, 11 Feb 2006 14:31:50 +0100
> >
> >Hi,
> >
> > > Whats wonrg with the manual?
> > >
> > > http://
hp.net
Subject: RE: [PHP-DB] SQL request on DBase file
Date: Sat, 11 Feb 2006 14:31:50 +0100
Hi,
> Whats wonrg with the manual?
>
> http://ca3.php.net/manual/en/ref.oracle.php
>
> http://www.zend.com/products/zend_core/zend_core_for_oracle
I looked at these links and I found nothing a
Hi,
> Whats wonrg with the manual?
>
> http://ca3.php.net/manual/en/ref.oracle.php
>
> http://www.zend.com/products/zend_core/zend_core_for_oracle
I looked at these links and I found nothing about .pdf files !!!
I have no problem with Oracle, but only for requesting, in SQL, .dbf
files...
Davi
Whats wonrg with the manual?
http://ca3.php.net/manual/en/ref.oracle.php
http://www.zend.com/products/zend_core/zend_core_for_oracle
Bastien
From: David BERCOT <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: [PHP-DB] SQL request on DBase file
Date: Sat, 11 Feb 2006 00:28:16 +01
Hi,
I have to rewrite an application from ASP. In this application, I
receive DBase files which may be saved into Oracle.
In ASP, I used a generic driver and I made SQL requests on these files.
It is possible with PHP on Linux ?
Do you have some examples ?
Thank you very much.
David.
signature
Do you have the "truncate log on checkpoint" option enabled? Also, if you
want to reduce the size of the log file if shrinking doesn't work, try
running the following against the database. Of course, you should backup
the DB first.
SET NOCOUNT ON
DECLARE @LogicalFileName sysname,
@M
Yes, the transaction logs are being backed up and shrunk regularly. I
am told while they are 400MB most of that is "empty space" and it's
really about 50MB in size. Apparently that is still a bit too big and
indicates a possible problem.
I'm glad all transactions are auto-commited. I presum
Using COMMIT is only required if you issued a BEGIN TRANS before your
INSERTs, UPDATEs and / or DELETEs. All transactions are automatically
committed if you don't use BEGIN TRANS. Are you backing up the
transaction logs regularly?
-- bob
On Fri, 16 Dec 2005, Alex Gemmell wrote:
> Hello people,
Hello people,
My PHP application uses a SQL Server 2000 database. I have previously
only ever used MySQL and so my knowledge of SQL Server comes just from
experimentation and trial and error experience.
My PHP application appears to be working fine but I have just discovered
that although t
Assuming a new record
"INSERT INTO reviews (review_id, review_txt)
VALUES
($id,'$_POST[review]')";
Bastien
From: geekgirl1 <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: [PHP-DB] SQL Insert INTO question
Date: Wed, 7 Dec 2005 11:59:2
First time poster.
This is the problem. I want to add the value of $_POST[review] to the
reviews table where the unique id from the reviews table equals the
review id on my form. The statement below does not work. Should I
use UPDATE instead?
"INSERT INTO reviews (review_txt)
VALUE
Estimado veditio,
you wrote:
> I've got a ton of forms that use the $_POST variable to send
> information into the database [...]
> Any suggestions on how to tighten up the form security, or does
> magic_quotes help enough?
I'm not a security expert but after some attacks I have implemented
this
Haha.. what the hell? Ok, I know this is an older copy of the script I wrote
because I know I took out the "All this does is escape the data" comment and I
KNOW I saw the thing about mysql_escape_string() being deprecated... don't
know why it's still in there. Hah
Thanks for pointing that out
NOTE:
http://www.php.net/mysql_escape_string
"Version: 4.3.0
Description: This function became deprecated, do not use this
function. Instead, use mysql_real_escape_string()."
Jordan
On Aug 25, 2005, at 2:15 PM, <[EMAIL PROTECTED]> [EMAIL PROTECTED]> wrote:
Using mysql_escape_string shoul
I'm pretty amateur at this too, but have done a little reading on the subject.
Here's some nuggets to ponder while the real experts write their responses: :)
1. Magic quotes + mysql_escape_string = double escaped stuff. I think the
general opinion is the magic quotes is evil, but I'm sure some
Greetings all:
Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes).
I've got a ton of forms that use the $_POST variable to send information into
the database, and I'm worried about injection attacks.
My server has magic_quotes enabled, which I thought would handle most things,
but am wonderi
e from injections, I
still verify the data.
Jos
-Original Message-
From: mayo [mailto:[EMAIL PROTECTED]
Sent: 16 May 2005 23:55
To: php-db@lists.php.net
Subject: [PHP-DB] sql injection attack, protection from
I'm new to PHP and would like to make certain that I have the basic
prote
I'm new to PHP and would like to make certain that I have the basic
protection for the site:
Use double quotes to contain variable
Use mysql_escape_string so that query is considered part of the WHERE
clause.
$result=mysql_query('SELECT * FROM users WHERE
username="'.mysql_escape_string($_GET['
Only? That aint too big, but now i'm confused what's ur hardware and
O.Sspecs? 300 to 500 would be a peice of cake to load. However, it
depends on
ur system.
I would rather use the array than hitting the db for the query. Because the
bottom line is that you will receive your data in an array no m
> explain the phrase "big array."
I guess everything is relative!
We're talking about 300-500 items here.
Paul
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
aturday, April 23, 2005 5:05 PM
Subject: [PHP-DB] SQL or array ?
>
> I have a quick question about which would the best way to implement
> something in terms of performance. Using a database, or just creating
> a big array in memory?
>
--
PHP Database Mailing List (http://www.php.n
I have a quick question about which would the best way to implement
something in terms of performance. Using a database, or just creating
a big array in memory?
I have a PHP file manager script which creates an array of all
files in a directory, and get's their mime types. It then prints
these fi
Thanks, but DISTINCT doesn't work... But I managed to get it to work
anyway by including
"namn_1 NOT LIKE 'H%'"
in the second WHERE-clause...
Micah Stevens wrote:
use DISTINCT?
On Sunday 30 January 2005 12:51 pm, Bobo Wieland wrote:
Anyone that can help me with this one? I want this SQL-statem
use DISTINCT?
On Sunday 30 January 2005 12:51 pm, Bobo Wieland wrote:
> Anyone that can help me with this one? I want this SQL-statement to
> retrive only distinct values from the original table column named (not
> the AS stuff)
>
> (
> SELECT * , namn_2 AS sec_namn, namn_1 AS one
> FROM sortimen
1 - 100 of 349 matches
Mail list logo