Re: [PHP-DB] Inserting things into the DB
addslashes()

On Sun, 17 Nov 2002, Peter Beckman wrote:

Having a little trouble doing some inserts into a db. The problem is escaping the right characters. Data integrity is important.

Right now, I have taken an email and split it into $body and $header (containing the respective parts of the email) using my own parsing loop. Fairly simple, it doesn't really need to be posted.

Before running dcc on it (see http://www.rhyolite.com/anti-spam/dcc/ if you want to know more), I escape the quotes:

    $all2 = preg_replace(/\/,\\\,$header.\n.$body);
    $cmd = 'echo '.$all2.' | dccproc -C';
    $output = `$cmd`;

That works great. Does what I want it to do, at least I think it does. The larger problem comes later -- the insert:

    $body = preg_replace(/\/,,$body);
    $body = preg_replace(/\/,\\\,$body);
    $x = db_query(insert into body (submitter,md5,fuz1,fuz2,body) values (1,'{$dcc['Body']['md5']}','{$dcc['Fuz1']['md5']}','{$dcc['Fuz2']['md5']}',\{$body}\));

Now this works great for a good amount of emails. I was just escaping the double quotes, but then I found a case where an email had in the actual email a backslash before the quote, so I added the first regex as well. But then I start running into problems:

    Syntax error: EOF in backquote substitution

or

    Warning: No ending delimiter '/' found in /home/beckman/public_html/work/spamtracker/stlib.inc on line 45

line 45:

    $body = preg_replace(/\/,,$body);

I truly suck at regexs, and for the life of me I haven't been able to teach them to myself. If anyone can't point me in the right direction, I think this is easily solved with a better regex than what I have.

Why not just use addslashes()? addslashes will escape the single quote, and it will persist through the insert, which cannot happen (need to be able to prove the md5 hashes generated by DCC is accurate, and adding slashes in the wrong place will screw that up).

What's the answer? addslashes then remove the single-quoted-slashes?

Thanks for the help.

Peter

---
Peter Beckman    Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED]    http://www.purplecow.com/
---

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
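Both problems raised in the message above (passing the mail to dccproc through a shell string, and quoting the body into the INSERT) come from splicing the message bytes into command or SQL text. The following is an added example, not code from the thread: it assumes PHP 7.4+ with PDO's SQLite driver standing in for the poster's db_query() wrapper, md5sum standing in for dccproc -C, a reduced body table, and a constructed sample message.

```php
<?php
// Added example. Assumed stand-ins: PDO/SQLite for the poster's db_query(),
// `md5sum` for `dccproc -C`, and a reduced `body` table. Needs PHP >= 7.4.

// Constructed sample with the characters that broke the hand-written escaping.
$header = "Subject: it's a \"test\"\r\n";
$body   = "back\\slash, \\\" quote, ' tick, ` and \$(id)\n";
$msg    = $header . "\n" . $body;

// Hand the message to the filter on stdin. The argv array form of proc_open()
// starts the program directly, so no shell ever parses the message bytes.
function run_filter(array $argv, string $input): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ' . $argv[0]);
    }
    fwrite($pipes[0], $input);
    fclose($pipes[0]);               // EOF tells the filter the message is complete
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Check that the child process hashed exactly the bytes PHP holds.
$seen = strtok(run_filter(['md5sum'], $msg), ' ');
var_dump($seen === md5($msg));

// Store the body through a bound parameter: the value is never spliced into
// the SQL text, so nothing is escaped and nothing is added to the stored bytes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE body (submitter INTEGER, md5 TEXT, body BLOB)');

$ins = $db->prepare('INSERT INTO body (submitter, md5, body) VALUES (?, ?, ?)');
$ins->bindValue(1, 1, PDO::PARAM_INT);
$ins->bindValue(2, md5($body));
$ins->bindValue(3, $body, PDO::PARAM_LOB);
$ins->execute();

// Read the row back and confirm the stored hash still verifies the stored body.
$row = $db->query('SELECT md5, body FROM body')->fetch(PDO::FETCH_ASSOC);
var_dump(md5($row['body']) === $row['md5']);
var_dump($row['body'] === $body);
```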
[PHP-DB] DB vs file
I just want to ask which is better saving my jpeg on mysql or saving it as a file in a folder? which is faster and disk space saving? garry
[PHP-DB] Sorting in numerical order, and then randomly
I am using MySQL to store ad information in the following table:

    CREATE TABLE IF NOT EXISTS ads_value (
      img_link varchar(50),
      text text,
      service varchar(50) default NULL,
      title varchar(50) default NULL,
      priority int(2) default '0',
      status enum('current', 'old'),
      ID int(3) NOT NULL auto_increment,
      PRIMARY KEY (ID)
    ) TYPE=MyISAM;

Ads for which advertisers pay more will have a higher priority - i.e. 1, 2, 3, etc. Everything else will have a priority of 0. When the page loads, I want to first display any ads that have a priority higher than 0 to be displayed in order, and then the remaining ads with a priority of 0 to be displayed in random order. They have to be displayed in a different order each time, so that each ad has the same chance of being displayed in a particular spot as any other ad. The only spots a random ad cannot be in is one taken by a higher paying ad. I hope this is clear.

Is it possible to do this with one query? Or would I have to use 2 different queries:

    select * from ads_value where status = 'current' and priority > 0 order by priority asc

and then

    select * from ads_value where status = 'current' and priority = 0 order by RAND()

TIA,
-Lisi
RE: [PHP-DB] Email Encryption?
ookey, (i think Richard Hutchins' idea is a good one, and secure enough that most sites use this method... but if you want an alternative...)

now i am a newby to security and PHP, but here's my logic:

1. During the account setup (presuming this is on-line?) they put in their username, password, e-mail address & other details over a 'secure' 128 bit SSL session.
2. During this secure SSL session, you could generate a key pair (be it from your own code or a script you found on the web... or PGP? maybe you could e-mail PGP & ask them if it is possible to create dynamic key pairs through scripting...).
3. a) Store both key pairs securely in your database using MD5
3. b) Provide the Client's key as a file for them to save to their HD during the SSL session (Remember, you are only as secure as your weakest link - if their system is weak, yours will also be weak)
4. E-Mail them a link (instead of their details) that they can click on to retrieve their details
   When they click on the link have it start up an SSL session, allow them to put in their username and provide a browse button to select the key pair file they saved to their HD.
5. Compare the contents of the file to the key pair in the database associated with the username, if it checks out ok, return the client's details (over the SSL connection).

Gav

-----Original Message-----
From: Peter Beckman [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 16 November 2002 7:12 AM
To: Aaron Wolski
Cc: 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

At the time of the account setup, you'll have the unencrypted and encrypted password. Send the email before it gets encrypted. Still, this is a little silly, since the email is unencrypted. I guess you could base64 encode the email, but that'd take an extra step.

Oooh, what about this? Send an email that takes you to an https: page that only can be viewed by entering a valid code sent in another email? This https page, given the right code, will give you your username and password? The two separate emails provides a bit of obscurity, and the password is always encrypted. On the server side, if these accounts would only be accessed from certain IP blocks, you can block other requests.

Peter

On Fri, 15 Nov 2002, Aaron Wolski wrote:

My client is the one doing the setup of accounts. How would the account holder know of his password before it got encrypted? Hence the email.

Aaron

-----Original Message-----
From: Peter Beckman [mailto:[EMAIL PROTECTED]]
Sent: November 15, 2002 12:35 PM
To: Aaron Wolski
Cc: 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Why not encrypt the password in the DB? If they lose their password, it cannot be sent to them. They chose it, so it doesn't need to be sent to them in their email. If they lose it, it is changed, and they have to change it again. That way, only if they are stupid do they have an extra step. The passwords in the DB are encrypted, so only if someone gets a hold of the DB can the passwords be cracked by brute force. md5 would work fine for this. It is the same security that FreeBSD uses in their password file.

Peter

On Fri, 15 Nov 2002, Aaron Wolski wrote:

Well. It's not what they want.. it's what one of their clients want (very big corporation with very unrealistic security standards - you'd think they were NASA or something *grumble*)

Their thought is that someone could hack the received email, login to the store using the publicly displayed login details and wreak havoc on the store, etc.

*shrugs*

Sadly this isn't open for debate as a solution IS required. Any thoughts?

Aaron

-----Original Message-----
From: Jason Vincent [mailto:[EMAIL PROTECTED]]
Sent: November 15, 2002 11:42 AM
To: Aaron Wolski; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Why email? If the Admin tool uses SSL, that is all you need.

Regards,
J

-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 15, 2002 11:39 AM
To: 'Aaron Wolski'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Just thinking here.. PGP is not an option as it would mean EACH user being setup would need the company's public key to decrypt. Not possible as they setup a few hundred accounts each month.

Hmm.. anything else? Argh :(

Aaron

-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: November 15, 2002 11:36 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Email Encryption?

OFFTOPIC

Sorry for the off topic guys.. But I've just been informed that an application we developed for a client whereby they use an Admin tool to setup user accounts into their store needs to have the login (username and password) encrypted. I am thinking PGP for this but to be honest I've
RE: [PHP-DB] Email Encryption?
Hi,

Check out this link: http://www.pgpi.org/dev/

It is not exactly PHP material, but maybe if you wanted to contact them & ask them about supporting PHP you might get a response (I'd be interested if you get a response, as I think having that functionality in PHP would be useful).

Also, here are some mail lists & news groups: http://www.pgpi.org/products/pgp/support/

Gav
[PHP-DB] Trying to migrate from Windows php to FreeBSD...
I have a whole series of PHP scripts that I wrote on a Windows platform, that connect to our MSSQL server and present data from our Goldmine CRM tool.

I'd really really really like to put these scripts on our webserver on FreeBSD instead of (blecch) IIS.

However.. the mssql bits are apparently only available in Win32 versions of PHP? That's not a horrid thing.. but what is killing me here is that mssql_fetch_assoc() doesn't have a sybase equivalent?

I've been beating my head on this one. Is this just something I'm being particularly dense on? I had built these scripts around the mssql_fetch_assoc() function.. :-/

Thanks in advance,
Glenn

---
The original portions of this message are the copyright of the author (c)1998-2002 Glenn E. Sieb.
ICQ UIN: 300395    IRC Nick: Rainbear

Religion is for those who do what they are told regardless of what is right. Spirituality is for those who do what is right regardless of what they are told. -- unattributed
[PHP-DB] HTTP Authentication with MySQL/PHP
I have a directory 'admin' that has been .htaccess'ed off. I.e., if you point your browser at that directory, you will be prompted with an HTTP authentication dialog. Nothing special about PHP or MySQL there. I like the security that .htaccess and Apache give me.

Now, I have users in a MySQL table with md5 passwords stored for each. These users use an HTML form to log in to my site. Some of these users are admin users. When these admin users log in, I'd like them to have access to the 'admin' directory without being prompted with the HTTP authentication dialog.

Is there any way to use PHP to tell Apache that a user has been authenticated and that it need not throw up the HTTP authentication dialog?

In case any of the foregoing is unclear, here's the process I want:

1. A non-authenticated user tries to access the directory 'admin', so Apache tosses up the HTTP authentication dialog. If they enter their user name and password, they will be admitted (done without PHP or MySQL, .htaccess and a passwd file).
2. A non-admin user authenticates with my HTML form, then they try to hit the 'admin' directory. The same thing happens as above.
3. An admin user authenticates with my HTML form, PHP tells Apache that this user has been authenticated. Then the user goes to the 'admin' directory, and is admitted without any other authentication.

So, another question: To solve this problem from a different angle, is there a way to have Apache's .htaccess specify SQL to determine a user's credentials? I.e., when they visit the 'admin' directory, Apache could look up their record in the user table and determine if they are an admin.

Sorry for the long explanation, but I wanted to make sure I was clear as this is a little bit of a funky request.

Thanks,
Dave
Re: [PHP-DB] Sorting in numerical order, and then randomly
Your options, as I see them, with 3 being the best I could come up with:

1. Make two queries. Depending on how many rows returned, this may be the less taxing option processor wise.

2. Make the random query. As you iterate through them push folks with priority 0 on one stack, priority 1 another stack, etc. At the end of it all you'll have a bunch of stacks with a randomly ordered list of advertisers.

3. (This is the obvious winner)

       select * from ads_value where status='current' order by priority asc, rand()

   This will return 0's first, 1,2,3... etc after that in a random order.

I might recommend re-ordering your priority making 100 the highest and 1 the lowest priority above 0. This way if you get an advertiser that beats everyone out, they can be 101 or 150 or (if you are lucky in this market) 2000. If you do it your way (as I understand it) you will have to bump down #1 to #2, #2 to #3, etc in order to put a newer higher priority advertiser first.

Peter

On Sun, 17 Nov 2002, Lisi wrote:

I am using MySQL to store ad information in the following table:

    CREATE TABLE IF NOT EXISTS ads_value (
      img_link varchar(50),
      text text,
      service varchar(50) default NULL,
      title varchar(50) default NULL,
      priority int(2) default '0',
      status enum('current', 'old'),
      ID int(3) NOT NULL auto_increment,
      PRIMARY KEY (ID)
    ) TYPE=MyISAM;

Ads for which advertisers pay more will have a higher priority - i.e. 1, 2, 3, etc. Everything else will have a priority of 0. When the page loads, I want to first display any ads that have a priority higher than 0 to be displayed in order, and then the remaining ads with a priority of 0 to be displayed in random order. They have to be displayed in a different order each time, so that each ad has the same chance of being displayed in a particular spot as any other ad. The only spots a random ad cannot be in is one taken by a higher paying ad. I hope this is clear.

Is it possible to do this with one query? Or would I have to use 2 different queries:

    select * from ads_value where status = 'current' and priority > 0 order by priority asc

and then

    select * from ads_value where status = 'current' and priority = 0 order by RAND()

TIA,
-Lisi

---
Peter Beckman    Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED]    http://www.purplecow.com/
---