Re: [PHP-DB] Hello
addslashes doesn't take encodings into account. http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string goes into some details.

Karl DeSaulniers wrote:
> So what's the difference with that and addslashes()?
>
> Karl
> Sent from losPhone
>
> On Dec 15, 2009, at 3:50 PM, Chris wrote:
>> Karl DeSaulniers wrote:
>>> What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with?
>>
>> Per the docs: prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
>>
>> So anything that has a null character, a newline (windows/linux/mac), single and double quotes and \x1a (not sure what that is) is escaped and ready to be put in a query.
>>
>> If you don't quote those characters someone could put one of those characters in a query and cause problems - starting off with an invalid query but possibly ending up worse.

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Hello
So what's the difference with that and addslashes()?

Karl
Sent from losPhone

On Dec 15, 2009, at 3:50 PM, Chris wrote:
> Karl DeSaulniers wrote:
>> What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with?
>
> Per the docs: prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
>
> So anything that has a null character, a newline (windows/linux/mac), single and double quotes and \x1a (not sure what that is) is escaped and ready to be put in a query.
>
> If you don't quote those characters someone could put one of those characters in a query and cause problems - starting off with an invalid query but possibly ending up worse.
Re: [PHP-DB] Hello
Karl DeSaulniers wrote:
> What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with?

Per the docs: prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

So anything that has a null character, a newline (windows/linux/mac), single and double quotes and \x1a (not sure what that is) is escaped and ready to be put in a query.

If you don't quote those characters someone could put one of those characters in a query and cause problems - starting off with an invalid query but possibly ending up worse.

--
Postgresql & php tutorials
http://www.designmagick.com/
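To make the character list Chris quotes concrete, here is an added example that is not from the thread: a small PHP reference re-implementation of the documented escape set (a stand-in, since mysql_real_escape_string() itself needs a live connection and the mysql extension is gone from modern PHP), placed beside PHP's built-in addslashes() to show which of those characters each function handles. The function names escapeLikeMysql, unescapedCharacters and valuesFragment and the sample name are the example's own, and it also serves the top message's point about addslashes().

```php
<?php
// Added example (not from the thread): a reference re-implementation of the
// character list quoted from the mysql_real_escape_string() docs, beside
// PHP's built-in addslashes(), so the two can be compared without a MySQL
// connection. The real function needs a connection because it escapes
// according to the connection's character set; this stand-in cannot.
declare(strict_types=1);

// Byte-for-byte escaping of the documented set: NUL, \n, \r, \, ', " and \x1a.
// strtr() with an array makes a single pass, so nothing is escaped twice.
function escapeLikeMysql(string $value): string
{
    $map = [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ];
    return strtr($value, $map);
}

// Report which of the documented characters an escaper leaves untouched.
function unescapedCharacters(callable $escaper): array
{
    $documented = [
        "\x00" => 'NUL', "\n" => 'LF', "\r" => 'CR', "\\" => 'backslash',
        "'" => 'single quote', '"' => 'double quote', "\x1a" => 'SUB (\\x1a)',
    ];
    $missed = [];
    foreach ($documented as $ch => $name) {
        if ($escaper($ch) === $ch) {
            $missed[] = $name;
        }
    }
    return $missed;
}

// The VALUES fragment the thread's INSERT builds, with or without an escaper.
function valuesFragment(string $username, ?callable $escaper = null): string
{
    $v = $escaper === null ? $username : $escaper($username);
    return "('" . $v . "')";
}

$name = "Tim O'Reilly";   // constructed sample input: the apostrophe case
echo valuesFragment($name), "\n";                     // unbalanced quote, invalid SQL
echo valuesFragment($name, 'addslashes'), "\n";
echo valuesFragment($name, 'escapeLikeMysql'), "\n";

// addslashes() only knows about ', ", \ and NUL.
print_r(unescapedCharacters('addslashes'));
print_r(unescapedCharacters('escapeLikeMysql'));
```

The stand-in is byte-oriented, which is exactly the limitation the top message points at: mysqli_real_escape_string() takes the connection as an argument because it escapes according to the connection's character set, so call mysqli_set_charset() before it so that client and server agree on the encoding. Neither addslashes() nor a reference copy like this one has any way to know the charset.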
Re: [PHP-DB] Hello
Karl DeSaulniers wrote:
> Hi Chris,
>
> On Dec 14, 2009, at 8:09 PM, Chris wrote:
>> Problem 1 is sql injection. Wrap each variable in a mysql_real_escape_string call:
>>
>> insert into table (...) values ('" . mysql_real_escape_string($username) . "'
>
> At one point I did have the mysql_real_escape_string() and it worked the same as without as far as populating the database.

Did you try names with single quotes? (Tim O'Reilly is a common example to try).

> But when I would view results, it didn't read anything from the database.

Sure it went in? Did you see the data when you viewed the table in phpmyadmin or some other tool?

>> Again you need to escape all your data (except $min, $max_results - just make sure they are always integers).
>
> Those are so I can control the number of items shown per page.

I realise that. mysql_real_escape_string is used for data in your query, and may cause problems if used in limit clauses. If you end up with this for example:

select * from table limit mysql_real_escape_string('blah');

of course it's not going to work. Hence the check to make sure $min and $max_results are ints before passing them to the query so if anyone messes with them it won't break your queries.

if (!is_int($min)) {
    $min = 0;
}
if (!is_int($max_results)) {
    $max_results = 5;
}

> Basically the result page would not show anything in the database unless it was inserted in the database using the $_POST method.

That still suggests an error with the insert.

--
Postgresql & php tutorials
http://www.designmagick.com/
Re: [PHP-DB] Hello
What does this do exactly? Documentation was a bit fuzzy for me. Is it needed at all times to protect with?

On Dec 14, 2009, at 8:22 PM, Karl DeSaulniers wrote:
> mysql_real_escape_string()

Karl DeSaulniers
Design Drumm
http://designdrumm.com
Re: [PHP-DB] Hello
Hi Chris,

On Dec 14, 2009, at 8:09 PM, Chris wrote:
> Problem 1 is sql injection. Wrap each variable in a mysql_real_escape_string call:
>
> insert into table (...) values ('" . mysql_real_escape_string($username) . "'

At one point I did have the mysql_real_escape_string() and it worked the same as without as far as populating the database. But when I would view results, it didn't read anything from the database.

> also quoting 'NULL' means it will add 'NULL' as the id - not what you want. You can leave out the column to use the default from the database.

Actually it works fine with 'NULL' for some reason. UserID is an auto Increment and if I take $UserID out as well as its VALUE, I get an error for number of fields not matching.

> Any errors from mysql? Add: echo mysql_error(); after your insert call.
>
> Again you need to escape all your data (except $min, $max_results - just make sure they are always integers).

Those are so I can control the number of items shown per page.

> I'm assuming there are no errors reported by mysql. To debug this, I'd simplify the query and work out which bit isn't matching what you want (it could be $fieldOne isn't quite what you expect, or it could be $fieldEleven or $fieldEighteen or ..). Start off with one field, then add another and go from there.

Basically the result page would not show anything in the database unless it was inserted in the database using the $_POST method. Not sure why, but I have since redone the result page utilizing a different method of retrieval and it looks to be working.

Thank you all for your responses. Very quick I might add. :)

Karl DeSaulniers
Design Drumm
http://designdrumm.com
Re: [PHP-DB] Hello
Karl DeSaulniers wrote:
> HI,
>
> Thanks for your response. Here is my query. UserID is auto increment and UserLastLogin is a current_timestamp.
>
> $query_users = "INSERT INTO users(UserID, Username, UserEmail, UserPassword, UserFirstName, UserLastName, UserCompany, UserAddress, UserAddress2, UserCity, UserState, UserCountry, UserZip, UserPhone, UserFax, UserEmailVerified, UserRegistrationDate, UserVerificationCode, UserIP, UserLastLogin)
> VALUES('NULL','".$Username."','".$UserEmail."','".$UserPassword."','".$UserFirstName."','".$UserLastName."','".$UserCompany."','".$UserAddress."','".$UserAddress2."','".$UserCity."','".$UserState."','".$UserCountry."','".$UserZip."','".$UserPhone."','".$UserFax."','".$UserEmailVerified."','".$UserRegistrationDate."','".$UserVerificationCode."','".$UserIP."', now())";
>
> This works as far as populating the database, but my results page does not return anything. Only if the VALUES is set like this:
>
> VALUES('NULL','".$Username=$_POST['Username']."','".$UserEmail=$_POST['UserEmail']."','".$UserPassword=$_POST['UserPassword']."',
> '".$UserFirstName=$_POST['UserFirstName']."','".$UserLastName=$_POST['UserLastName']."','".$UserCompany=$_POST[$UserCompany]."',
> '".$UserAddress=$_POST['UserAddress']."','".$UserAddress2=$_POST['UserAddress2']."','".$UserCity=$_POST['UserCity']."',
> '".$UserState=$_POST['UserState']."','".$UserCountry=$_POST[$UserCountry]."','".$UserZip=$_POST['UserZip']."',
> '".$UserPhone=$_POST['UserPhone']."','".$UserFax=$_POST[$UserFax]."','".$UserEmailVerified=$_POST[$UserEmailVerified]."',
> '".$UserRegistrationDate=$_POST[$UserRegistrationDate]."','".$UserVerificationCode=$_POST['UserVerificationCode']."','".$UserIP=$_POST[$UserIP]."', now())";
>
> but some do not work with this setup. Variables like $UserEmailVerified, $UserRegistrationDate and $UserIP are not created from the form that was submitted. For example, User IP data is created like this.
>
> $UserIP = md5($_SERVER[REMOTE_ADDR]);

Problem 1 is sql injection. Wrap each variable in a mysql_real_escape_string call:

insert into table (...) values ('" . mysql_real_escape_string($username) . "'

also quoting 'NULL' means it will add 'NULL' as the id - not what you want. You can leave out the column to use the default from the database.

Any errors from mysql? Add:

echo mysql_error();

after your insert call.

> - Below is a snip of how I retrieve the info on the result page (don't want to clutter with whole code. Also $fieldOne etc are MySql wildcards '%' from some dropdown lists that show before this code is executed. The results from adding show up fine there.)
>
> $query_users = "SELECT * FROM users WHERE UserID LIKE '$fieldOne' AND Username LIKE '$fieldTwo' AND UserEmail LIKE '$fieldThree' AND UserPassword LIKE '$fieldFour'
> AND UserFirstName LIKE '$fieldFive' AND UserLastName LIKE '$fieldSix' AND UserCompany LIKE '$fieldSeven' AND UserAddress LIKE '$fieldEight'
> AND UserAddress2 LIKE '$fieldNine' AND UserCity LIKE '$fieldTen' AND UserState LIKE '$fieldEleven' AND UserCountry LIKE '$fieldTwelve'
> AND UserZip LIKE '$fieldThirteen' AND UserPhone LIKE '$fieldFourteen' AND UserFax LIKE '$fieldFifteen' AND UserEmailVerified LIKE '$fieldSixteen'
> AND UserRegistrationDate LIKE '$fieldSeventeen' AND UserVerificationCode LIKE '$fieldEighteen' AND UserIP LIKE '$fieldNineteen' AND UserLastLogin LIKE '$fieldTwenty'
> LIMIT $min, $max_results";

Again you need to escape all your data (except $min, $max_results - just make sure they are always integers).

I'm assuming there are no errors reported by mysql. To debug this, I'd simplify the query and work out which bit isn't matching what you want (it could be $fieldOne isn't quite what you expect, or it could be $fieldEleven or $fieldEighteen or ..). Start off with one field, then add another and go from there.

--
Postgresql & php tutorials
http://www.designmagick.com/
Re: [PHP-DB] Hello
HI,

Thanks for your response. Here is my query. UserID is auto increment and UserLastLogin is a current_timestamp.

$query_users = "INSERT INTO users(UserID, Username, UserEmail, UserPassword, UserFirstName, UserLastName, UserCompany, UserAddress, UserAddress2, UserCity, UserState, UserCountry, UserZip, UserPhone, UserFax, UserEmailVerified, UserRegistrationDate, UserVerificationCode, UserIP, UserLastLogin)
VALUES('NULL','".$Username."','".$UserEmail."','".$UserPassword."','".$UserFirstName."','".$UserLastName."','".$UserCompany."','".$UserAddress."','".$UserAddress2."','".$UserCity."','".$UserState."','".$UserCountry."','".$UserZip."','".$UserPhone."','".$UserFax."','".$UserEmailVerified."','".$UserRegistrationDate."','".$UserVerificationCode."','".$UserIP."', now())";

This works as far as populating the database, but my results page does not return anything. Only if the VALUES is set like this:

VALUES('NULL','".$Username=$_POST['Username']."','".$UserEmail=$_POST['UserEmail']."','".$UserPassword=$_POST['UserPassword']."',
'".$UserFirstName=$_POST['UserFirstName']."','".$UserLastName=$_POST['UserLastName']."','".$UserCompany=$_POST[$UserCompany]."',
'".$UserAddress=$_POST['UserAddress']."','".$UserAddress2=$_POST['UserAddress2']."','".$UserCity=$_POST['UserCity']."',
'".$UserState=$_POST['UserState']."','".$UserCountry=$_POST[$UserCountry]."','".$UserZip=$_POST['UserZip']."',
'".$UserPhone=$_POST['UserPhone']."','".$UserFax=$_POST[$UserFax]."','".$UserEmailVerified=$_POST[$UserEmailVerified]."',
'".$UserRegistrationDate=$_POST[$UserRegistrationDate]."','".$UserVerificationCode=$_POST['UserVerificationCode']."','".$UserIP=$_POST[$UserIP]."', now())";

but some do not work with this setup. Variables like $UserEmailVerified, $UserRegistrationDate and $UserIP are not created from the form that was submitted. For example, User IP data is created like this.

$UserIP = md5($_SERVER[REMOTE_ADDR]);

- Below is a snip of how I retrieve the info on the result page (don't want to clutter with whole code. Also $fieldOne etc are MySql wildcards '%' from some dropdown lists that show before this code is executed. The results from adding show up fine there.)

$query_users = "SELECT * FROM users WHERE UserID LIKE '$fieldOne' AND Username LIKE '$fieldTwo' AND UserEmail LIKE '$fieldThree' AND UserPassword LIKE '$fieldFour'
AND UserFirstName LIKE '$fieldFive' AND UserLastName LIKE '$fieldSix' AND UserCompany LIKE '$fieldSeven' AND UserAddress LIKE '$fieldEight'
AND UserAddress2 LIKE '$fieldNine' AND UserCity LIKE '$fieldTen' AND UserState LIKE '$fieldEleven' AND UserCountry LIKE '$fieldTwelve'
AND UserZip LIKE '$fieldThirteen' AND UserPhone LIKE '$fieldFourteen' AND UserFax LIKE '$fieldFifteen' AND UserEmailVerified LIKE '$fieldSixteen'
AND UserRegistrationDate LIKE '$fieldSeventeen' AND UserVerificationCode LIKE '$fieldEighteen' AND UserIP LIKE '$fieldNineteen' AND UserLastLogin LIKE '$fieldTwenty'
LIMIT $min, $max_results";

$result = mysql_query($query_users) or die(mysql_error());

for($i = 1; $i <= $num_sql; $i++) {
    $r = mysql_fetch_array($result, MYSQL_ASSOC);
    $UserID = $r['UserID'];
    $Username = $r['Username'];
    $UserEmail = $r['UserEmail'];
    $UserPassword = $r['UserPassword'];

so I have 3 pages. One adds the users, the next reviews and the last shows the results of what is picked.

Thanks,
Karl
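Chris's advice in this thread (escape every data value, keep $min and $max_results integers, let the database assign UserID) can be met without any escaping function by using prepared statements. What follows is an added example, not Karl's or Chris's code: a cut-down version of the INSERT and the LIKE/LIMIT SELECT written with PDO placeholders against an in-memory SQLite table. It assumes the pdo_sqlite extension; the column names follow the thread but the table is reduced to a few columns, and openDb, addUser, pageBounds and findUsers are the example's own names. Because request parameters arrive as strings, the paging values are validated with filter_var() and fall back to the 0 and 5 defaults Chris used.

```php
<?php
// Added example (not the poster's code): the thread's INSERT and LIKE/LIMIT
// SELECT rewritten with PDO prepared statements, so user data never becomes
// part of the SQL text. Runs against an in-memory SQLite database (assumes
// the pdo_sqlite extension); with MySQL only the DSN and CREATE TABLE change.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Subset of the thread's users table, constructed for the example.
    $db->exec('CREATE TABLE users (
        UserID INTEGER PRIMARY KEY AUTOINCREMENT,
        Username TEXT, UserEmail TEXT, UserCity TEXT,
        UserIP TEXT, UserLastLogin TEXT DEFAULT CURRENT_TIMESTAMP)');
    return $db;
}

// UserID is left out so the database assigns it (instead of quoting 'NULL');
// UserIP is derived server-side as in the thread, not taken from the form.
function addUser(PDO $db, array $form, string $remoteAddr): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (Username, UserEmail, UserCity, UserIP)
         VALUES (:name, :email, :city, :ip)');
    $stmt->execute([
        ':name'  => $form['Username'],
        ':email' => $form['UserEmail'],
        ':city'  => $form['UserCity'],
        ':ip'    => md5($remoteAddr),
    ]);
    return (int) $db->lastInsertId();
}

// $_GET values are strings, so validate them as integers in a sane range and
// fall back to the thread's defaults of 0 and 5.
function pageBounds(array $query): array
{
    $min = filter_var($query['min'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    $max = filter_var($query['max_results'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return [$min === false ? 0 : $min, $max === false ? 5 : $max];
}

// LIKE patterns are bound as data; LIMIT/OFFSET are bound as integers
// (PDO::PARAM_INT matters when the driver emulates prepares, as MySQL's does).
function findUsers(PDO $db, array $filters, int $min, int $maxResults): array
{
    $stmt = $db->prepare(
        'SELECT UserID, Username, UserEmail, UserCity FROM users
         WHERE Username LIKE :name AND UserEmail LIKE :email AND UserCity LIKE :city
         ORDER BY UserID LIMIT :lim OFFSET :off');
    $stmt->bindValue(':name',  $filters['Username'] ?? '%');
    $stmt->bindValue(':email', $filters['UserEmail'] ?? '%');
    $stmt->bindValue(':city',  $filters['UserCity'] ?? '%');
    $stmt->bindValue(':lim', $maxResults, PDO::PARAM_INT);
    $stmt->bindValue(':off', $min, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
// Constructed sample posts; the apostrophe is the case that breaks
// string-built queries.
addUser($db, ['Username' => "Tim O'Reilly", 'UserEmail' => 'tim@example.com',
              'UserCity' => 'Sebastopol'], '203.0.113.7');
addUser($db, ['Username' => 'Karl', 'UserEmail' => 'karl@example.com',
              'UserCity' => 'Austin'], '198.51.100.2');

[$min, $maxResults] = pageBounds(['min' => 'abc', 'max_results' => '10']);
foreach (findUsers($db, ['Username' => "Tim O'%"], $min, $maxResults) as $row) {
    echo $row['UserID'], ': ', $row['Username'], ' <', $row['UserEmail'], ">\n";
}
```

The % wildcard the dropdowns supply still works as a LIKE pattern when bound this way; what changes is that a quote, backslash or newline in a value can no longer alter the statement, so the "did it go in, and did it come back out" question in the thread can be answered with a name like Tim O'Reilly without any escaping step.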
Re: [PHP-DB] Hello
I don't quite understand what your problem is but it looks as if some fields of the records that show up in phpMySql are empty and that the result page that you have built does not show them. If that is the case, is there a where clause that causes them to not return? Can you run the query that is on your result page in phpmysql and see what it returns.

Jack

2009/12/14 Karl DeSaulniers
> Hi I am new to this list.
> I am in need of some help or direction.
> I am new to php and databases, so forgive me if my request seems too simple.
>
> I am making a database of users and have had much success in getting it to work however, not all my data is getting shown once I try to display results. I am running an INSERT query that inputs data into the database from a form. But here is the hiccup. I am assigning the form data to a $variable.
>
> Eg: $Username = $_POST['Username'];
>
> I then run $Username through some checks to make sure it's not an injection. After all that I want to insert it into the database. This works fine if I use:
>
> $query = "INSERT INTO users (Username, UserEmail, etc)
> VALUES ('".$_POST['Username']."', '".$_POST['UserEmail']."', etc)";
>
> And it works if I use
>
> VALUES ('".$Username."', '".$UserEmail."', etc)";
>
> However I have some variables that are not posted from the form and in the first example, it does not insert those in the database.
>
> In the second, it will insert them into the database, but when I go to display them it is saying there are no records to retrieve. I looked at the database in phpMySql and they are there. It will only display them in the results page if they had been inserted using $_POST. Is this normal? What is the best way to $_POST a $Variable. Something like $_POST[$Username] (which doesn't work).
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Karl
> Design Drumm
>
> Sent from losPhone

--
Jack van Zanen

- This e-mail and any attachments may contain confidential material for the sole use of the intended recipient. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of this e-mail or any attachment is prohibited. If you have received this e-mail in error, please contact the sender and delete all copies. Thank you for your cooperation
Re: [PHP-DB] Hello
Welcome Rodrigo!

Start checking php.net for object/classes; check out this mirror site of php.net: http://php.oregonstate.edu/manual/en/ref.classobj.php

By the way I don't know if we have anyone from Brazil here...

M. Mamedov

----- Original Message -----
From: "Rodrigo Kochenburger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 10:33 PM
Subject: [PHP-DB] Hello

> Hi everybody,
> I'm new in this list, so let me introduce myself.
> My name is Rodrigo and I'm from Brazil, so sorry if my English isn't correct.
>
> Let me know if there are other Brazilians here.
>
> And I'd like to start using this to ask about some tutorial or something like that to help me with Software Architecture in PHP using Object Oriented Programming.
>
> Thanks a lot.
Re: [PHP-DB] Hello
The page you gave me didn't help but thanks anyway :)

We solved the problem which was dizzying us for days by using the silly command pack("H*", $image)!!

Dimitris

"Ben Bleything" <[EMAIL PROTECTED]> wrote in message news:01c10ae1$30a03690$0201a8c0@c1141975c...
> Check out http://www.phpbuilder.com/columns/florian19991014.php3. It deals with MySQL, but the concepts should be the same... it sounds like there are some steps about handling the binary data in a binary-safe fashion that are getting left out.
>
> Good luck,
> Ben
>
> -----Original Message-----
> From: a [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 12, 2001 2:33 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP-DB] Hello
>
> Hello
>
> I have an ibm db2 which has jpg images stored as blob fields (about 2M). I seem to have a hard time getting them with PHP and presenting them properly in the browser. (When I try to save it from the DB2 side, it is stored ok).
>
> Though I actually get the image I ask for, when I try to output it to the browser I get a series of characters from 0 to F instead (Hex) like this:
>
> FFD8FFFE000857414E473202FFE000104A4649460001010102580258FFDB0
>
> Saving it to a file has no result either. The file seems to be created, it has the appropriate size but trying to view its contents results in getting an unsupported type of image which the browser fails to present.
>
> Using the different types of the odbc_binmode function of PHP (http://www.php.net/manual/en/function.odbc-binmode.php) returns the same results. I try odbc_longreadlen since I get a blob field but the output is similar to the previous.
>
> I also asked in a DB2 newsgroup: http://groups.google.com/groups?hl=el&safe=off&ic=1&th=17ccf5cbc4d0762c,4&seekm=5261b6a0.0107090324.6ab27060%40
>
> That's why we added a field containing a JPEG format of the image but it doesn't seem to work either.
>
> Thanks in advance.
>
> Dimitris Glezos
>
> High Performance Computing Laboratory
> University of Patras

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
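An added example (not from the thread) of what pack("H*", $image) does and what a handler should check around it: the hex text the ODBC driver returned for the BLOB is converted back to bytes, the result is checked for the JPEG SOI marker (the FFD8FF at the start of Dimitris's dump), and the response is chosen from that. The function names hexToBytes, looksLikeJpeg and respondWithImage and the sample hex are constructed for the example; the dump quoted in the thread has an odd number of hex digits, and the code treats that case as a truncated column rather than letting pack() pad the last nibble.

```php
<?php
// Added example (not from the thread): converting the hex dump odbc returned
// for a BLOB back into bytes with pack("H*"), the call Dimitris ended up
// using, plus the checks to make before sending the bytes as an image.
// The hex below is a constructed JPEG header fragment, not the thread's image.
declare(strict_types=1);

// Convert a hex dump to raw bytes. Returns null when the input is not clean
// hex or has an odd length (pack would silently pad a trailing nibble, which
// is what a truncated column looks like).
function hexToBytes(string $hex): ?string
{
    $hex = trim($hex);
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        return null;
    }
    return pack('H*', $hex);
}

// A JPEG stream begins with the SOI marker FF D8 followed by an FF marker byte.
function looksLikeJpeg(string $bytes): bool
{
    return strncmp($bytes, "\xFF\xD8\xFF", 3) === 0;
}

// Build the response: the image with its real Content-Type, or a 415 error.
// Returned as an array so the decision can be inspected without sending headers.
function respondWithImage(string $hexFromDb): array
{
    $bytes = hexToBytes($hexFromDb);
    if ($bytes === null || !looksLikeJpeg($bytes)) {
        return ['status' => 415, 'headers' => ['Content-Type: text/plain'], 'body' => 'not a JPEG'];
    }
    return [
        'status'  => 200,
        'headers' => ['Content-Type: image/jpeg', 'Content-Length: ' . strlen($bytes)],
        'body'    => $bytes,
    ];
}

// Constructed sample: SOI marker followed by an APP0/JFIF segment header.
$sampleHex = 'FFD8FFE000104A46494600010101004800480000';
$good = respondWithImage($sampleHex);
$bad  = respondWithImage(substr($sampleHex, 0, 39));   // odd length: truncated column

echo $good['status'], ' ', $good['headers'][0], ' ', bin2hex(substr($good['body'], 0, 4)), "\n";
echo $bad['status'], ' ', $bad['body'], "\n";
```

In a real page the array is turned into output with http_response_code(), one header() call per entry and an echo of the body, and nothing else may be printed before it: any stray whitespace or a hex echo left over from debugging ends up inside the image stream, which is the "unsupported type of image" symptom described in the thread.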
RE: [PHP-DB] Hello
Check out http://www.phpbuilder.com/columns/florian19991014.php3. It deals with MySQL, but the concepts should be the same... it sounds like there are some steps about handling the binary data in a binary-safe fashion that are getting left out.

Good luck,
Ben

-----Original Message-----
From: a [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 12, 2001 2:33 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Hello

Hello

I have an ibm db2 which has jpg images stored as blob fields (about 2M). I seem to have a hard time getting them with PHP and presenting them properly in the browser. (When I try to save it from the DB2 side, it is stored ok).

Though I actually get the image I ask for, when I try to output it to the browser I get a series of characters from 0 to F instead (Hex) like this:

FFD8FFFE000857414E473202FFE000104A4649460001010102580258FFDB0

Saving it to a file has no result either. The file seems to be created, it has the appropriate size but trying to view its contents results in getting an unsupported type of image which the browser fails to present.

Using the different types of the odbc_binmode function of PHP (http://www.php.net/manual/en/function.odbc-binmode.php) returns the same results. I try odbc_longreadlen since I get a blob field but the output is similar to the previous.

I also asked in a DB2 newsgroup: http://groups.google.com/groups?hl=el&safe=off&ic=1&th=17ccf5cbc4d0762c,4&seekm=5261b6a0.0107090324.6ab27060%40

That's why we added a field containing a JPEG format of the image but it doesn't seem to work either.

Thanks in advance.

Dimitris Glezos

High Performance Computing Laboratory
University of Patras
Re: [PHP-DB] hello
Hi!

Try using LIMIT in your query...

SELECT * from thistable LIMIT 0,15

and then make a loop to display the results.

regards
Marcelo Gulin

MacBane wrote:
>
> Has anyone got some code to display the first say 15 records from a query then get the next 15 then next for a mysql database
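As an added example, not code from the list, here is Marcelo's LIMIT suggestion turned into a complete paging routine: it binds page size and offset as integers, clamps the requested page number, and derives the page count from COUNT(*). It goes a step beyond the reply by showing the page arithmetic as well as the query. It runs against an in-memory SQLite table via PDO (assumes the pdo_sqlite extension); the table thistable, its 40 rows, and the names fetchPage and pageCount are constructed for the example.

```php
<?php
// Added example (not the list's code): LIMIT-based paging generalised to walk
// any page of a result set. Uses an in-memory SQLite database through PDO
// (assumes the pdo_sqlite extension); the table and rows are sample data.
declare(strict_types=1);

const PAGE_SIZE = 15;

// Fetch one page. ORDER BY is required: without a stable order the database
// may hand back the same row on two different pages.
function fetchPage(PDO $db, int $page, int $pageSize = PAGE_SIZE): array
{
    $page = max(1, $page);   // pages are 1-based; anything lower means page 1
    $stmt = $db->prepare('SELECT id, name FROM thistable ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':lim', $pageSize, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $pageSize, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Number of pages needed for the whole table (ceiling division).
function pageCount(PDO $db, int $pageSize = PAGE_SIZE): int
{
    $total = (int) $db->query('SELECT COUNT(*) FROM thistable')->fetchColumn();
    return intdiv($total + $pageSize - 1, $pageSize);
}

// Constructed sample data: 40 rows, so three pages of 15, 15 and 10.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE thistable (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $db->prepare('INSERT INTO thistable (name) VALUES (:n)');
for ($i = 1; $i <= 40; $i++) {
    $ins->execute([':n' => "row $i"]);
}

// The page number arrives as a string in the URL; validate before using it.
$requested = filter_var($_GET['page'] ?? '1', FILTER_VALIDATE_INT);
$page = $requested === false ? 1 : $requested;
$pages = pageCount($db);

foreach (fetchPage($db, $page) as $row) {
    echo $row['id'], ' ', $row['name'], "\n";
}
echo 'page ', min(max(1, $page), $pages), " of $pages\n";
```

The "next 15" link on each page is then just the same script with page+1 in the query string; because the offset is computed from a validated integer and bound with PDO::PARAM_INT, a tampered page parameter can at worst produce an empty page, never a changed query.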