Re: [PHP-DB] Hello
Karl DeSaulniers wrote: What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with? Per the docs: prepends backslashes to the following characters: \x00, \n, \r, \, ', and \x1a. So anything that has a null character, a newline (windows/linux/mac), single and double quotes and \x1a (not sure what that is) is escaped and ready to be put in a query. If you don't quote those characters someone could put one of those characters in a query and cause problems - starting off with an invalid query but possibly ending up worse. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Hello
So what's the difference with that and addslashes() ? Karl Sent from losPhone On Dec 15, 2009, at 3:50 PM, Chris dmag...@gmail.com wrote: Karl DeSaulniers wrote: What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with? Per the docs: prepends backslashes to the following characters: \x00, \n, \r, \, ', and \x1a. So anything that has a null character, a newline (windows/linux/ mac), single and double quotes and \x1a (not sure what that is) is escaped and ready to be put in a query. If you don't quote those characters someone could put one of those characters in a query and cause problems - starting off with an invalid query but possibly ending up worse. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Hello
addslashes doesn't take encoding's into account. http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string goes into some details. Karl DeSaulniers wrote: So what's the difference with that and addslashes() ? Karl Sent from losPhone On Dec 15, 2009, at 3:50 PM, Chris dmag...@gmail.com wrote: Karl DeSaulniers wrote: What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with? Per the docs: prepends backslashes to the following characters: \x00, \n, \r, \, ', and \x1a. So anything that has a null character, a newline (windows/linux/mac), single and double quotes and \x1a (not sure what that is) is escaped and ready to be put in a query. If you don't quote those characters someone could put one of those characters in a query and cause problems - starting off with an invalid query but possibly ending up worse. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Postgresql php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Hello
Karl DeSaulniers wrote:
HI,
Thanks for your response. Here is my query. UserID is auto incrament and
UserLastLogin is a current_timestamp.
$query_users = INSERT INTO users(UserID, Username, UserEmail,
UserPassword, UserFirstName, UserLastName, UserCompany, UserAddress,
UserAddress2, UserCity, UserState, UserCountry, UserZip, UserPhone,
UserFax, UserEmailVerified, UserRegistrationDate, UserVerificationCode,
UserIP, UserLastLogin)
VALUES('NULL','.$Username.','.$UserEmail.','.$UserPassword.','.$UserFirstName.','.$UserLastName.','.$UserCompany.','.$UserAddress.','.$UserAddress2.','.$UserCity.','.$UserState.','.$UserCountry.','.$UserZip.','.$UserPhone.','.$UserFax.','.$UserEmailVerified.','.$UserRegistrationDate.','.$UserVerificationCode.','.$UserIP.',
now());
This works as far as populating the database, but my results page does
not return anything.
Only if the VALUES is set like this:
VALUES('NULL','.$Username=$_POST['Username'].','.$UserEmail=$_POST['UserEmail'].','.$UserPassword=$_POST['UserPassword'].','.$UserFirstName=$_POST['UserFirstName'].','.$UserLastName=$_POST['UserLastName'].','.$UserCompany=$_POST[$UserCompany].','.$UserAddress=$_POST['UserAddress'].','.$UserAddress2=$_POST['UserAddress2'].','.$UserCity=$_POST['UserCity'].','.$UserState=$_POST['UserState'].','.$UserCountry=$_POST[$UserCountry].','.$UserZip=$_POST['UserZip'].','.$UserPhone=$_POST['UserPhone'].','.$UserFax=$_POST[$UserFax].','.$UserEmailVerified=$_POST[$UserEmailVerified].','.$UserRegistrationDate=$_POST[$UserRegistrationDate].','.$UserVerificationCode=$_POST['UserVerificationCode'].','.$UserIP=$_POST[$UserIP].',
now());
but some do not work with this setup. variables like $UserEmailVerified,
$UserRegistrationDate and $UserIP are not created from the form that was
submitted.
for example, User IP date is created like this.
$UserIP = md5($_SERVER[REMOTE_ADDR]);
Problem 1 is sql injection. Wrap each variable in a
mysql_real_escape_string call:
insert into table (...) values (' . mysql_real_escape_string($username)
. '
also quoting 'NULL' means it will add 'NULL' as the id - not what you
want. You can leave out the column to use the default from the database.
Any errors from mysql?
Add:
echo mysql_error();
after your insert call.
-
Below is a snip of how I retrieve the info on the result page (dont want
to clutter with whole code. also $fieldOne etc are MySql wildcards '%'
from some dropdown lists that show before this code is executed. The
results from adding show up fine there.)
$query_users = SELECT * FROM users WHERE UserID LIKE '$fieldOne' AND
Username LIKE '$fieldTwo' AND UserEmail LIKE '$fieldThree' AND
UserPassword LIKE '$fieldFour' AND UserFirstName LIKE '$fieldFive' AND
UserLastName LIKE '$fieldSix' AND UserCompany LIKE '$fieldSeven' AND
UserAddress LIKE '$fieldEight' AND UserAddress2 LIKE '$fieldNine' AND
UserCity LIKE '$fieldTen' AND UserState LIKE '$fieldEleven' AND
UserCountry LIKE '$fieldTwelve' AND UserZip LIKE '$fieldThirteen' AND
UserPhone LIKE '$fieldFourteen' AND UserFax LIKE '$fieldFifteen' AND
UserEmailVerified LIKE '$fieldSixteen' AND UserRegistrationDate LIKE
'$fieldSeventeen' AND UserVerificationCode LIKE '$fieldEighteen' AND
UserIP LIKE '$fieldNineteen' AND UserLastLogin LIKE '$fieldTwenty' LIMIT
$min, $max_results;
Again you need to escape all your data (except $min, $max_results - just
make sure they are always integers).
I'm assuming there are no errors reported by mysql.
To debug this, I'd simplify the query and work out which bit isn't
matching what you want (it could be $fieldOne isn't quite what you
expect, or it could be $fieldEleven or $fieldEighteen or ..).
Start off with one field, then add another and go from there.
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Hello
Hi Chris,
On Dec 14, 2009, at 8:09 PM, Chris wrote:
Problem 1 is sql injection. Wrap each variable in a
mysql_real_escape_string call:
insert into table (...) values (' . mysql_real_escape_string
($username) . '
At one point I did have the mysql_real_escape_string() and it worked
the same as without as far as populating the database.
But when I would view results, it didnt read anything from the database.
also quoting 'NULL' means it will add 'NULL' as the id - not what
you want. You can leave out the column to use the default from the
database.
Actually it works fine with 'NULL' for some reason. UserID is an auto
Incrament and if I take $UserID out as well as its VALUE, I get an
error for number of fields not matching.
Any errors from mysql?
Add:
echo mysql_error();
after your insert call.
Again you need to escape all your data (except $min, $max_results -
just make sure they are always integers).
Those are so I can control the number of items shown per page.
I'm assuming there are no errors reported by mysql.
To debug this, I'd simplify the query and work out which bit isn't
matching what you want (it could be $fieldOne isn't quite what you
expect, or it could be $fieldEleven or $fieldEighteen or ..).
Start off with one field, then add another and go from there.
Basically the result page would not show anything in the database
unless it was inserted in the database using the $_POST method.
Not sure why, but I have since redone the result page utilizing a
different method of retrieval and it looks to be working.
Thank you all for your responses. very quick I might add. :)
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Karl DeSaulniers
Design Drumm
http://designdrumm.com
Re: [PHP-DB] Hello
What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with? On Dec 14, 2009, at 8:22 PM, Karl DeSaulniers wrote: mysql_real_escape_string() Karl DeSaulniers Design Drumm http://designdrumm.com
Re: [PHP-DB] Hello
Karl DeSaulniers wrote:
Hi Chris,
On Dec 14, 2009, at 8:09 PM, Chris wrote:
Problem 1 is sql injection. Wrap each variable in a
mysql_real_escape_string call:
insert into table (...) values (' .
mysql_real_escape_string($username) . '
At one point I did have the mysql_real_escape_string() and it worked the
same as without as far as populating the database.
Did you try names with single quotes? (Tim O'Reilly is a common example
to try).
But when I would view results, it didnt read anything from the database.
Sure it went in? Did you see the data when you viewed the table in
phpmyadmin or some other tool?
Again you need to escape all your data (except $min, $max_results -
just make sure they are always integers).
Those are so I can control the number of items shown per page.
I realise that. mysql_real_escape_string is used for data in your query,
and may cause problems if used in limit clauses. If you end up with this
for example:
select * from table limit mysql_real_escape_string('blah');
of course it's not going work.
Hence the check to make sure $min and $max_results are int's before
passing them to the query so if anyone messes with them it won't break
your queries.
if (!is_int($min)) {
$min = 0;
}
if (!is_int($max_results)) {
$max_results = 5;
}
Basically the result page would not show anything in the database unless
it was inserted in the database using the $_POST method.
That still suggests an error with the insert.
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] Hello
Hi I am new to this list.
I am in need of some help or direction.
I am new to php and databases, so forgive me if my request seems too
simple.
I am making a database if users and have had much success in getting
it to work however, not all my data is getting shown once I try to
display results. I am running an INSERT query that inputs data into
the database from a form. But here is the hiccup. I am asigning the
form data to a $variable.
Eg: $Username = $_POST['Username'];
I then run $Username through some checks to make sure it's not an
injection. After all that I want to insert it into the database. This
works fine if I use:
$query = INSERT INTO users (Username, UserEmail, etc)
VALUES ('.$_POST['Username'].', '.$_POST['UserEmail'].', etc);
And it works if I use
VALUES ('.$Username.', '.$UserEmail.', etc);
However I have some variables that are not posted from the form and in
the first example, it does not insert those in the database.
In the second, it will insert them into the database, but when I go to
display them it is saying there are no records to retrieve. I
looked at the database in phpMySql and they are there. It will only
display them in the results page if they had been inserted using
$_POST. Is this normal?
What is the best way to $_POST a $Variable. Something like $_POST
[$Username] (which doesn't work).
Any help would be greatly appreciated.
Thanks,
Karl
Design Drumm
Sent from losPhone
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Hello
I don't quite understand what your problem is but it looks as if some fields
of the records that show up in phpMySql are empty and that the result page
that you have built does not show them. If that is the case, is there a
where clasue that causes them to not return?
Can you run the query that is on your result page in phpmysql and see what
it returns.
Jack
2009/12/14 Karl DeSaulniers k...@designdrumm.com
Hi I am new to this list.
I am in need of some help or direction.
I am new to php and databases, so forgive me if my request seems too
simple.
I am making a database if users and have had much success in getting it to
work however, not all my data is getting shown once I try to display
results. I am running an INSERT query that inputs data into the database
from a form. But here is the hiccup. I am asigning the form data to a
$variable.
Eg: $Username = $_POST['Username'];
I then run $Username through some checks to make sure it's not an
injection. After all that I want to insert it into the database. This works
fine if I use:
$query = INSERT INTO users (Username, UserEmail, etc)
VALUES ('.$_POST['Username'].', '.$_POST['UserEmail'].', etc);
And it works if I use
VALUES ('.$Username.', '.$UserEmail.', etc);
However I have some variables that are not posted from the form and in the
first example, it does not insert those in the database.
In the second, it will insert them into the database, but when I go to
display them it is saying there are no records to retrieve. I looked at
the database in phpMySql and they are there. It will only display them in
the results page if they had been inserted using $_POST. Is this normal?
What is the best way to $_POST a $Variable. Something like
$_POST[$Username] (which doesn't work).
Any help would be greatly appreciated.
Thanks,
Karl
Design Drumm
Sent from losPhone
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Jack van Zanen
-
This e-mail and any attachments may contain confidential material for the
sole use of the intended recipient. If you are not the intended recipient,
please be aware that any disclosure, copying, distribution or use of this
e-mail or any attachment is prohibited. If you have received this e-mail in
error, please contact the sender and delete all copies.
Thank you for your cooperation
Re: [PHP-DB] Hello
HI,
Thanks for your response. Here is my query. UserID is auto incrament
and UserLastLogin is a current_timestamp.
$query_users = INSERT INTO users(UserID, Username, UserEmail,
UserPassword, UserFirstName, UserLastName, UserCompany, UserAddress,
UserAddress2, UserCity, UserState, UserCountry, UserZip, UserPhone,
UserFax, UserEmailVerified, UserRegistrationDate,
UserVerificationCode, UserIP, UserLastLogin)
VALUES('NULL','.$Username.','.$UserEmail.','.
$UserPassword.','.$UserFirstName.','.$UserLastName.','.
$UserCompany.','.$UserAddress.','.$UserAddress2.','.
$UserCity.','.$UserState.','.$UserCountry.','.$UserZip.','.
$UserPhone.','.$UserFax.','.$UserEmailVerified.','.
$UserRegistrationDate.','.$UserVerificationCode.','.$UserIP.',
now());
This works as far as populating the database, but my results page
does not return anything.
Only if the VALUES is set like this:
VALUES('NULL','.$Username=$_POST['Username'].','.$UserEmail=$_POST
['UserEmail'].','.$UserPassword=$_POST['UserPassword'].','.
$UserFirstName=$_POST['UserFirstName'].','.$UserLastName=$_POST
['UserLastName'].','.$UserCompany=$_POST[$UserCompany].','.
$UserAddress=$_POST['UserAddress'].','.$UserAddress2=$_POST
['UserAddress2'].','.$UserCity=$_POST['UserCity'].','.$UserState=
$_POST['UserState'].','.$UserCountry=$_POST[$UserCountry].','.
$UserZip=$_POST['UserZip'].','.$UserPhone=$_POST['UserPhone'].','.
$UserFax=$_POST[$UserFax].','.$UserEmailVerified=$_POST
[$UserEmailVerified].','.$UserRegistrationDate=$_POST
[$UserRegistrationDate].','.$UserVerificationCode=$_POST
['UserVerificationCode'].','.$UserIP=$_POST[$UserIP].', now());
but some do not work with this setup. variables like
$UserEmailVerified, $UserRegistrationDate and $UserIP are not created
from the form that was submitted.
for example, User IP date is created like this.
$UserIP = md5($_SERVER[REMOTE_ADDR]);
-
Below is a snip of how I retrieve the info on the result page (dont
want to clutter with whole code. also $fieldOne etc are MySql
wildcards '%' from some dropdown lists that show before this code is
executed. The results from adding show up fine there.)
$query_users = SELECT * FROM users WHERE UserID LIKE '$fieldOne' AND
Username LIKE '$fieldTwo' AND UserEmail LIKE '$fieldThree' AND
UserPassword LIKE '$fieldFour' AND UserFirstName LIKE '$fieldFive'
AND UserLastName LIKE '$fieldSix' AND UserCompany LIKE '$fieldSeven'
AND UserAddress LIKE '$fieldEight' AND UserAddress2 LIKE '$fieldNine'
AND UserCity LIKE '$fieldTen' AND UserState LIKE '$fieldEleven' AND
UserCountry LIKE '$fieldTwelve' AND UserZip LIKE '$fieldThirteen' AND
UserPhone LIKE '$fieldFourteen' AND UserFax LIKE '$fieldFifteen' AND
UserEmailVerified LIKE '$fieldSixteen' AND UserRegistrationDate LIKE
'$fieldSeventeen' AND UserVerificationCode LIKE '$fieldEighteen' AND
UserIP LIKE '$fieldNineteen' AND UserLastLogin LIKE '$fieldTwenty'
LIMIT $min, $max_results;
$result = mysql_query($query_users) or die(mysql_error());
for($i = 1; $i = $num_sql; $i++) {
$r = mysql_fetch_array($result, MYSQL_ASSOC);
$UserID = $r['UserID'];
$Username = $r['Username'];
$UserEmail = $r['UserEmail'];
$UserPassword = $r['UserPassword'];
so I have 3 pages. one adds the users, the next reviews and the last
shows the results of what is picked.
Thanks,
Karl
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Hello
Welcome Rodrigo! Start checking php.net for object/clasess check out this mirror site of php.net http://php.oregonstate.edu/manual/en/ref.classobj.php By the way I don't know if we have from Brazil here... M. Mamedov - Original Message - From: Rodrigo Kochenburger [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 10:33 PM Subject: [PHP-DB] Hello Hi everybody, i'm new in this list, so let me introduce my self. My name is Rodrigo and i'm from brazil, so sorry if my english isnt correct. let me know know if there's anothers brazilians here. And i'd like to starting using this to ask about some tutorial or something like that to help me with Software Architecture in PHP using Oriented Object Programming. Thanks a Lot. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] Hello
Hi everybody, i'm new in this list, so let me introduce my self. My name is Rodrigo and i'm from brazil, so sorry if my english isnt correct. let me know know if there's anothers brazilians here. And i'd like to starting using this to ask about some tutorial or something like that to help me with Software Architecture in PHP using Oriented Object Programming. Thanks a Lot. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] Hello
Hello I have an ibm db2 which has jpg images stored as blob fields (about 2M). I seem to have a hard time getting them with PHP and presenting them properly in the browser. (When I try to save it from the DB2 side, it is stored ok). Though i actually get the image i ask for, when i try to output it to the browser i get a series of characters from 0 to F instead (Hex) like this: FFD8FFFE000857414E473202FFE000104A4649460001010102580258FFDB0 Saving it to a file with has no result either. The file seems to be created, it has the appropriate size but trying to view is contents results in getting an unsupported type of image which the browser fails to present. Using the different types of the odbc_binmode function of PHP (http://www.php.net/manual/en/function.odbc-binmode.php), returns the same results. I try odbc_longreadlen since i get a blob field but the output is similar to the previous. I also asked in a DB2 newsgroup http://groups.google.com/groups?hl=elsafe=offic=1th=17ccf5cbc4d0762c,4se ekm=5261b6a0.0107090324.6ab27060%40. Thats why we added a field containing a JPEG format of the image but it doesnt seem to work either. Thanks in advance. Dimitris Glezos High Performance Computing Laboratory University of Patras -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DB] Hello
The page you gave me didnt help but thanks anyway :) We solved the problem which was dizzing us for days by using the silly command pack(H*, $image) !! Dimitris Ben Bleything [EMAIL PROTECTED] wrote in message 01c10ae1$30a03690$0201a8c0@c1141975c">news:01c10ae1$30a03690$0201a8c0@c1141975c... Check out http://www.phpbuilder.com/columns/florian19991014.php3. It deals with MySQL, but the concepts should be the same... it sounds like there are some steps about handling the binary data in a binary-safe fashion that are getting left out. Good luck, Ben -Original Message- From: a [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 12, 2001 2:33 AM To: [EMAIL PROTECTED] Subject: [PHP-DB] Hello Hello I have an ibm db2 which has jpg images stored as blob fields (about 2M). I seem to have a hard time getting them with PHP and presenting them properly in the browser. (When I try to save it from the DB2 side, it is stored ok). Though i actually get the image i ask for, when i try to output it to the browser i get a series of characters from 0 to F instead (Hex) like this: FFD8FFFE000857414E473202FFE000104A4649460001010102580258FFDB0 Saving it to a file with has no result either. The file seems to be created, it has the appropriate size but trying to view is contents results in getting an unsupported type of image which the browser fails to present. Using the different types of the odbc_binmode function of PHP (http://www.php.net/manual/en/function.odbc-binmode.php), returns the same results. I try odbc_longreadlen since i get a blob field but the output is similar to the previous. I also asked in a DB2 newsgroup http://groups.google.com/groups?hl=elsafe=offic=1th=17ccf5cbc4d0762c, 4se ekm=5261b6a0.0107090324.6ab27060%40. Thats why we added a field containing a JPEG format of the image but it doesnt seem to work either. Thanks in advance. Dimitris Glezos High Performance Computing Laboratory University of Patras -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP-DB] hello
Has anyone got some code to display the first say 15 records from a query then get the next 15 then next for a mysql database -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
