Re: [PHP] CMS Templating with Standards Based HTML Delima...

2004-03-21 Thread Justin French
Adam,

The current crop of browser based WYSIWYG editors are far from cross 
browser and standards compliant, so steer clear.

You could consider looking into Macromedia Contribute, which is perfect 
for little client touch-ups in a WYSIWYG, non-technical environment.

If you want your own CMS, and want standards, and templating, and the 
400 other things that are on your list, you need to consider writing 
your own solution.

However, I will also point you to a couple of existing solutions which 
may either inspire you, or prove to be enough of a solution for your 
situation...

1. MovableType (MT) [1] is behind 90% of the blogs out there, and since 
blogs are behind over 90% of all standards based websites right now, 
it's at least *conducive* to a standards-based workflow.  It's 
*supposed* to be blogging software, but it's being bent to handle all 
sorts of website content... Doug Bowman [2] uses it to power his blog, 
his portfolio, and used it as the CMS for adaptive path's [3] entire 
site (give or take a few bits) -- he has an excellent explanation of it 
all too [4].

The cool thing about MT is that there's truckloads of plug-ins, which 
provide real power.  A plug-in I recently read about by John Gruber [5] 
is Markdown [6], a way to convert email-style plain text into valid 
XHTML.  See the link for more details.  John also wrote Smartypants, 
which makes HTML better.

However, I'm getting a little OT, since MT is Perl Based, but there's a 
huge community, and you might be able to bend MT to suit your needs.

2. Textile [7] is like Markdown, in that it parses email-style raw text 
with simple formatting (*bold*) and shorthand to produce valid XHTML... 
it's written in PHP, and has been embedded into Textpattern [8], a 
wonderful new PHP-driven CMS which is in Gamma testing at the moment.  
Textpattern fully supports and *embraces* standards, XHTML, CSS, et al, 
and is quite possibly the best --and most elegant-- CMS on the market.  
Whilst it hasn't got everything *I'd* want in a CMS (hence why I'm 
building my own), it's truly amazing.

It *can* be used for blogs, and has many blog-like features, but 
Textpattern can be used for all sorts of web publishing.

However, it takes over your whole site.. it's all inclusive -- CMS, 
Users & Admin, CSS, Templating, XHTML, etc... EVERYTHING!

At the very least, Textile might inspire you to write something like it 
or Markdown, empowering your clients to make small and large changes 
using nothing but a plain text area and a few simple special characters 
to change formatting slightly.

The links:

1. http://www.movabletype.org/
2. http://www.stopdesign.com/
3. http://www.adaptivepath.com/
4. http://www.stopdesign.com/log/2003/07/11/adaptive_paths_mt_setup.html
5. http://daringfireball.net/
6. http://daringfireball.net/projects/markdown/
7. http://www.textism.com/tools/textile/
8. http://www.textpattern.com/


On Sunday, March 21, 2004, at 10:01  AM, Adam Reiswig wrote:

> Is there a good open source php based cms system out there that can do 
> the above?  I'd sure like to know about it.  Thanks for any pointers!
---
Justin French
http://indent.com.au
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] Re: Upload file field not working as a form element

2004-03-21 Thread Vernon
All I am trying to do is insert the file name, not the file. The file is
being uploaded to the server in a specific location. All I need is the
filename inserted into the database. I've gotten the upload part to work and
everything I just can't get the file name inserted for God knows what
reason. I removed the upload code and am simply trying to insert the
filename and userid into the database. The userid goes in but I cannot get
the file name inserted.

Here is the form:
<form action="<?php echo $editFormAction; ?>" method="post"
      enctype="multipart/form-data" name="form1">
  <input name="filename" type="file" id="filename">
  <input name="userid" type="hidden" id="userid"
         value="<?php echo $row_rsUSER['id']; ?>">
  <input type="submit" name="Submit2" value="Upload" disabled>
  <input type="hidden" name="MM_insert" value="form1">
</form>

and here is the php code

<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "",
                           $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . date("Y-m-d", strtotime($theValue)) . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO photos (id, photo) VALUES (%s, %s)",
                       GetSQLValueString($_POST['userid'], "int"),
                       GetSQLValueString($_POST['userid2'], "text"));

  mysql_select_db($database_connSPARTY, $connSPARTY);
  $Result1 = mysql_query($insertSQL, $connSPARTY) or die(mysql_error());

  $insertGoTo = "complete.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Timing a MySQL response

2004-03-21 Thread Richard Davey
Hi all,

Just a quick question - but does anyone know how to get the ms value
back from MySQL that tells you how long it took to run your query?

It shows it when using the command-line version, or MySQL Front, but
I'm yet to figure out how to actually retrieve the value (if it is at
all possible?).

I guess I could wrap a simple timer function before and after the
query, but as MySQL seems to have this value already I'd rather not if
I don't have to. Suggestions welcome!

-- 
Best regards,
 Richard Davey
 http://www.phpcommunity.org/wiki/296.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



php-general Digest 21 Mar 2004 13:09:45 -0000 Issue 2659

2004-03-21 Thread php-general-digest-help

php-general Digest 21 Mar 2004 13:09:45 - Issue 2659

Topics (messages 181060 through 181077):

Re: Inconv in PHP5 compile
181060 by: PHPDiscuss - PHP Newsgroups and mailing lists

php and CSS level 2
181061 by: Andy B
181062 by: Aidan Lister
181068 by: Ben Ramsey
181069 by: Richard Davey
181073 by: Ben Ramsey

Re: Function to check a valid date
181063 by: Tom Reed

Re: ip to country
181064 by: Tom Reed
181066 by: Filip de Waard

Re: string function that inserts a char
181065 by: Five

Re: Comparing values / Regex ?
181067 by: Ben Ramsey

Forum notify
181070 by: thies.thieso.net

Upload file field not working as a form element
181071 by: Vernon
181072 by: Ben Ramsey
181076 by: Vernon

PHP 5 Free Hosting
181074 by: David Costa

Re: CMS Templating with Standards Based HTML Delima...
181075 by: Justin French

Timing a MySQL response
181077 by: Richard Davey

Administrivia:

To subscribe to the digest, e-mail:
[EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]

To post to the list, e-mail:
[EMAIL PROTECTED]


--
---BeginMessage---
I'm having PHP5 compile problems as well. Here's some shortened output
from commands giving a picture of my problem.

The first thing that troubles me is vi giving this output:

[EMAIL PROTECTED] php-5.0.0RC1]# vi ext/mysql/php_mysql.c
ext/mysql/php_mysql.c 2514L, 70348C
Error detected while processing modelines:
line 2512:
E518: Unknown option: fdm=marker
Hit ENTER or type command to continue

I ran into this after:

[EMAIL PROTECTED] php-5.0.0RC1]# gcc --version
gcc (GCC) 3.3.2 20031022 (Red Hat Linux 3.3.2-1)
..


[EMAIL PROTECTED] php-5.0.0RC1]# ./configure
--with-apsx2=/usr/local/apache2/bin/apxs --with-mysql=/data/sw/mysql-4.0.18
..


[EMAIL PROTECTED] php-5.0.0RC1]# make
..

..
gcc  -Iext/mysql/ -I/data/sw/php-5.0.0RC1/ext/mysql/ -DPHP_ATOM_INC
-I/data/sw/php-5.0.0RC1/include -I/data/sw/php-5.0.0RC1/main
-I/data/sw/php-5.0.0RC1 -I/data/sw/php-5.0.0RC1/Zend
-I/usr/include/libxml2 -I/data/sw/mysql-4.0.18/include 
-I/data/sw/php-5.0.0RC1/TSRM  -g -O2  -c
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c -o ext/mysql/php_mysql.o  
echo  ext/mysql/php_mysql.lo
In file included from /data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:59:
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.h:51:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:72:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:82:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:86:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:90:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:101:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:122:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:181:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:376:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c: In function
`php_mysql_do_connect':
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:482: error: syntax error at
'@' token
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:482: error: syntax error at
'@' token
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:482: error: `MYSQL_TCP_PORT'
undeclared (first use in this function)
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:482: error: (Each undeclared
identifier is reported only once
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:482: error: for each function
it appears in.)
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:485:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:502: error: syntax error at
'@' token
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:502: error: syntax error at
'@' token
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:639:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:666:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:674: warning: comparison
between pointer and integer
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:703:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:706: error: `handler'
undeclared (first use in this function)
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:715:5: token @ is not valid
in preprocessor expressions
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:718: warning: comparison
between pointer and integer
/data/sw/php-5.0.0RC1/ext/mysql/php_mysql.c:726:5: token @ is not valid
in preprocessor expressions

Re: [PHP] Timing a MySQL response

2004-03-21 Thread John W. Holmes
Richard Davey wrote:

Just a quick question - but does anyone know how to get the ms value
back from MySQL that tells you how long it took to run your query?
That value is not returned at all. Go with the wrapper...

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals  www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Re: Upload file field not working as a form element

2004-03-21 Thread Lowell Allen
> All I am trying to do is insert the file name, not the file. The file is
> being uploaded to the server in a specific location. All I need is the
> filename inserted into the database. I've gotten the upload part to work and
> everything I just can't get the file name inserted for God knows what
> reason. I removed the upload code and am simply trying to insert the
> filename and userid into the database. The userid goes in but I cannot get
> the file name inserted.
>
> Here is the form:
> <form action="<?php echo $editFormAction; ?>" method="post"
>       enctype="multipart/form-data" name="form1">
>   <input name="filename" type="file" id="filename">
>   <input name="userid" type="hidden" id="userid"
>          value="<?php echo $row_rsUSER['id']; ?>">
>   <input type="submit" name="Submit2" value="Upload" disabled>
>   <input type="hidden" name="MM_insert" value="form1">
> </form>

The uploaded file name will be $HTTP_POST_FILES["filename"]["name"] -- use
that rather than $_POST["filename"].

HTH

--
Lowell Allen

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: Upload file field not working as a form element

2004-03-21 Thread Vernon
> The uploaded file name will be $HTTP_POST_FILES["filename"]["name"] -- use
> that rather than $_POST["filename"].

I'm sorry I don't understand. What is the extra [name] for? When I use
this in the insert into the value that is inserted into the database is
Array, as opposed to the actual filename.

Thanks
 -V


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: Upload file field not working as a form element

2004-03-21 Thread Jason Wong
On Sunday 21 March 2004 22:53, Vernon wrote:
>> The uploaded file name will be $HTTP_POST_FILES["filename"]["name"] --
>> use that rather than $_POST["filename"].
>
> I'm sorry I don't understand. What is the extra [name] for? When I use
> this in the insert into the value that is inserted into the database is
> Array, as opposed to the actual filename.

manual > Handling file uploads

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
SEMPER UBI SUB UBI
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: Upload file field not working as a form element

2004-03-21 Thread Lowell Allen
> The uploaded file name will be $HTTP_POST_FILES["filename"]["name"] -- use
> that rather than $_POST["filename"].
>
> I'm sorry I don't understand. What is the extra [name] for? When I use
> this in the insert into the value that is inserted into the database is
> Array, as opposed to the actual filename.

The $HTTP_POST_FILES array works for me. Maybe you need to try the $_FILES
array instead. Take a look at the info in the manual:
http://www.php.net/manual/en/features.file-upload.php#features.file-upload.
post-method.

--
Lowell Allen
 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
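As an added example (not code from the thread), here is the piece Vernon is missing: the upload field arrives in $_FILES (the current name for $HTTP_POST_FILES; both arrays have the same layout), and the browser-supplied name sits under its "name" key. Because that name is chosen by the client, the example also reduces it to something safe to store; the images-only policy and the 100-character limit are assumptions.

```php
<?php
// Added example, not from the thread: pulling the original file name out of
// $_FILES for the <input name="filename" type="file"> field in the form above,
// and reducing it to a value that is safe to store. Storage policy (images
// only, 100 chars) is an assumption for illustration.

// $_FILES['filename'] is itself an array describing the upload; the
// browser-supplied name is under the 'name' key. $_POST['filename'] is never
// set for a file field, and inserting the whole array yields the string "Array".
function uploaded_file_name(array $files, string $field): ?string
{
    $f = $files[$field] ?? null;
    if (!is_array($f) || !is_string($f['name'] ?? null)) {
        return null;                            // not a (single) file field
    }
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                            // nothing uploaded, or it failed
    }
    return $f['name'];
}

// The client chooses 'name' freely, so treat it as untrusted input: drop any
// directory component (Windows browsers may send a full C:\ path), then allow
// only a conservative character set, length and extension.
function safe_stored_name(string $clientName): ?string
{
    // basename() only understands '/' on Unix, so normalise backslashes first
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $base)) {
        return null;                            // characters outside the allowlist
    }
    if (!preg_match('/\.(jpe?g|png|gif)\z/i', $base)) {
        return null;                            // not one of the accepted image types
    }
    return $base;
}

// Constructed $_FILES contents for a submission of the form in the thread.
function sample_files(string $name): array
{
    return ['filename' => [
        'name'     => $name,
        'type'     => 'application/octet-stream',
        'tmp_name' => '/tmp/php_constructed_sample',    // constructed, not a real upload
        'error'    => UPLOAD_ERR_OK,
        'size'     => 34567,
    ]];
}

foreach (['C:\\Photos\\holiday_01.jpg', 'report.txt'] as $sent) {
    $clientName = uploaded_file_name(sample_files($sent), 'filename');
    $stored     = $clientName !== null ? safe_stored_name($clientName) : null;
    // $stored is the value that would go into the photo column via GetSQLValueString()
    printf("%-30s -> %s\n", $sent, $stored ?? 'rejected');
}
```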



[PHP] SQL Injection check (mysql)

2004-03-21 Thread Ali Ashrafzadeh
Hi
I'm looking for a function To check SQL Injection in Mysql RDBMS
please tell me if anyone know good function or solution
thank's

Re: [PHP] 9 Months Ago

2004-03-21 Thread Marek Kilimajer
Jeff Oien wrote:
> When I do this:
> $lastmonth = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));
this will not work most of the year, if current month is August or less, 
the month value will be negative.

Use strtotime('-9 months') instead.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] Decoding a URL without decoding values

2004-03-21 Thread Ben Ramsey
I've got a querystring that looks like this:
?url=http%3A%2F%2Ftest.alpharetta.ga.us%2Findex.php%3Fm%3Dlinks%26category%3DRecreation%2B%2526%2BParks%26go.x%3D22%26go.y%3D7
As you can gather, I'm trying to pass a URL to another script for some 
processing.  Before I urlencode() the URL and pass it to the query 
string, it looks like this:

http://test.alpharetta.ga.us/index.php?m=links&category=Recreation+%26+Parks&go.x=22&go.y=7

As you can see, there are already encoded entities in the URL, which are 
further encoded when passed through urlencode().  The problem I'm having 
is that when I urldecode() the string from $_GET[url], I get the 
following string:

http://test.alpharetta.ga.us/index.php?m=links&category=Recreation & Parks&go.x=22&go.y=7

It's similar, but the category variable is now Recreation & Parks when 
it needs to be Recreation+%26+Parks.  When I try to use 
file_get_contents() on this string, I get nothing because of the 
ampersand and spaces in the URL.

Is there a way to urldecode() $_GET[url] and still retain its original 
encoded entities so that I can use it again as a valid URL?

--
Regards,
 Ben Ramsey
 http://benramsey.com
 http://www.phpcommunity.org/wiki/People/BenRamsey
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] 9 Months Ago

2004-03-21 Thread Ben Ramsey
Marek Kilimajer wrote:
> Jeff Oien wrote:
>
>> When I do this:
>> $lastmonth = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));
>
> this will not work most of the year, if current month is August or less, 
> the month value will be negative.
>
> Use strtotime('-9 months') instead.

This code works just fine for me:

$nine_months_ago = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));
echo date("m/d/Y", $nine_months_ago);

If today is March 21, 2004, then this outputs 06/21/2003.  That's 
exactly nine months ago.

See http://www.php.net/date

--
Regards,
 Ben Ramsey
 http://benramsey.com
 http://www.phpcommunity.org/wiki/People/BenRamsey
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Decoding a URL without decoding values

2004-03-21 Thread Jason Wong
On Monday 22 March 2004 00:03, Ben Ramsey wrote:

[snip]

 Is there a way to urldecode() $_GET[url] and still retain its original
 encoded entities so that I can use it again as a valid URL?

You can base64_encode() it.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
He who laughs last is probably your boss.
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Decoding a URL without decoding values

2004-03-21 Thread Ben Ramsey
JW> You can base64_encode() it.

Hadn't thought of that.  Works perfect!  Thanks!

--
Regards,
 Ben Ramsey
 http://benramsey.com
 http://www.phpcommunity.org/wiki/People/BenRamsey
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
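As an added example (not code from the thread), the round trip Ben describes with both approaches side by side. The receiving side is simulated with parse_str(), which applies the same single level of percent-decoding PHP uses to build $_GET; that step already undoes the sender's urlencode(), which is why a further urldecode() collapses the inner %26, and why Jason's base64 wrapping avoids the problem. The URL is the one from the thread; nothing is fetched.

```php
<?php
// Added example (not from the thread): the round trip Ben describes, with the
// receiving side simulated by parse_str(), which applies the same single level
// of percent-decoding PHP uses to populate $_GET. The URL is the one from the
// thread; no request is actually sent.

$original = 'http://test.alpharetta.ga.us/index.php?m=links&category=Recreation+%26+Parks&go.x=22&go.y=7';

// Sender: one urlencode() is all that is needed. The inner %26 becomes %2526
// and the '+' becomes %2B, so both survive the receiver's decoding step.
function build_query_string(string $url): string
{
    return 'url=' . urlencode($url);
}

// Receiver, approach 1: use the value exactly as PHP hands it over. The
// decoding that built $_GET has already undone urlencode(), byte for byte.
function receive_as_is(string $queryString): string
{
    parse_str($queryString, $params);   // what PHP does to build $_GET
    return $params['url'];
}

// The behaviour from the thread: a *second* urldecode() on the $_GET value
// turns the inner %26 into '&' and the '+' into ' ', breaking the URL.
function receive_double_decoded(string $queryString): string
{
    parse_str($queryString, $params);
    return urldecode($params['url']);
}

// Approach 2 (Jason's suggestion): base64 wraps the URL so percent-decoding
// never touches its contents. base64 output itself contains '+', '/' and '=',
// so it still needs urlencode() on the way out, and strict decoding on the way
// in so that garbage is rejected instead of silently accepted.
function build_query_string_b64(string $url): string
{
    return 'url=' . urlencode(base64_encode($url));
}

function receive_b64(string $queryString): ?string
{
    parse_str($queryString, $params);
    $decoded = base64_decode($params['url'], true);
    return $decoded === false ? null : $decoded;
}

$q = build_query_string($original);
printf("single decode intact:  %s\n", receive_as_is($q) === $original ? 'yes' : 'no');
printf("double decode intact:  %s\n", receive_double_decoded($q) === $original ? 'yes' : 'no');
printf("base64 round trip ok:  %s\n", receive_b64(build_query_string_b64($original)) === $original ? 'yes' : 'no');
```

Whichever wrapping is used, the receiving script still fetches whatever URL a caller supplies through file_get_contents(), so checking the decoded value against an allowlist of permitted schemes and hosts before fetching is the check a practitioner would add.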


Re: [PHP] Scheduling PHP on Windows

2004-03-21 Thread trlists
On 20 Mar 2004 Ben Ramsey wrote:

> I know how to run a PHP script as a cron job on a *nix machine.  So, 
> does anyone know how to use the Task Scheduler on Windows to do the 
> same?  Or is it even possible?

The fundamental idea is simple -- work out a command line from a 
regular command prompt that does what you want.  Then set it up under 
Control Panel / Scheduled Tasks.  You will have to specifically invoke 
cmd.exe if you want to redirect the output, for example here's a 
command line I just tried that worked properly:

m:\winnt\system32\cmd.exe /c h:\php\cli\php.exe test4.php > c:\x.txt

--
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] 9 Months Ago

2004-03-21 Thread Rasmus Lerdorf
On Sun, 21 Mar 2004, Marek Kilimajer wrote:

> Jeff Oien wrote:
>> When I do this:
>> $lastmonth = mktime(0, 0, 0, date("m")-9, date("d"), date("Y"));
>
> this will not work most of the year, if current month is August or less,
> the month value will be negative.

mktime() can take negative values just fine.

-Rasmus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Array problem

2004-03-21 Thread noginn
This has been confusing me a little for a few hours now.

Heres a snip of my code which is causing the problem:

   $content = "<table border='0' cellspacing='0' cellpadding='5'>\n";
   $content .= "<tr>\n";
   $content .= "<td>&nbsp;</td>\n";

   $tasks = new dbconnect;
   $tasks->connect();
   $tasks->query("SELECT tid, tname FROM tasks");
   while (list($tid, $tname) = $tasks->fetch_rows()) {
       $content .= "<td valign='top' align='center'><span class='highlight'>$tname</span></td>\n";
   }
   $content .= "<td>&nbsp;</td>\n";
   $content .= "</tr>\n";

   $projects = new dbconnect;
   $projects->connect();
   $projects->query("SELECT pid, pname FROM projects");

  *$columntotals = array();*
   $colour = 0;

   while (list($pid, $pname) = $projects->fetch_rows()) {
       $tasks->data_seek(0);
       $rowtotal = 0;
       $count = 0;
       if ($colour % 2) {
           $bgcolour = "#FF";
       }
       else {
           $bgcolour = "#F9F9F9";
       }
       $colour++;
       $content .= "<tr>\n";
       $content .= "<td valign='top' align='center'><span class='highlight'>$pname</span></td>\n";

       while (list($tid, $tname) = $tasks->fetch_rows()) {
           $logs = new dbconnect;
           $logs->connect();
           $logs->query("SELECT SUM(hours) from logs WHERE pid = '$pid' AND tid = '$tid' AND date >= '$sdate' AND date <= '$edate'");
           list($sum) = $logs->fetch_rows();

           if (!$sum) {
               $sum = 0;
           }

           $rowtotal = $rowtotal + $sum;
          *$columntotals[$count] = $columntotals[$count] + $sum;*
           $count++;

           $content .= "<td bgcolor='$bgcolour' align='center'>$sum</td>\n";
       }
       $content .= "<td align='center'><b>$rowtotal</b></td>\n";
   }
   $content .= "</tr>\n";
   $content .= "<tr>\n";
   $content .= "<td>&nbsp;</td>\n";

   $sumofcolumntotals = 0;

   for ($i = 0; $i < sizeof($columntotals); $i++)
   {
       $sumofcolumntotals = $sumofcolumntotals + $columntotals[$i];
       $content .= "<td align='center'><b>$columntotals[$i]</b></td>\n";
   }

   $content .= "<td align='center'><b>$sumofcolumntotals</b></td>\n";
   $content .= "</tr>\n";
   $content .= "</table>\n";
I have made the lines which I know are causing problems bold. 
Basically, I am creating a report of some data and need to count up totals 
of each column and then again total the totals, if you get me.
Here are the errors I am getting.
*Notice*: Undefined offset: 0 in 
*C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58*
*Notice*: Undefined offset: 1 in 
*C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58*
*Notice*: Undefined offset: 2 in 
*C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58*
*Notice*: Undefined offset: 3 in 
*C:\WWW\Apache2\htdocs\php\coursework\reports_projects.php* on line *58*

Now I understand in a way why it's happening, because I'm trying to 
insert into $columntotals something which isn't valid, but I can't think 
of a way to stop this at the moment.
Hope to hear soon, thanks in advance guys.

-noginn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] PHP as module, also as suexec, in Apache?

2004-03-21 Thread Wendell
I'm trying to set up a small academic web server with PHP and CGI. 
Currently, I have CGI running under suexec, and PHP installed as a
module, configured to run in SAFE_MODE.  However, some of the students
are running up against the limitations of SAFE_MODE (most notably, not
being able to create subdirectories and then access them - wtf?!), and
we'd like to maybe setup PHP to run under suexec as a CGI, for those
users who need it only.  To keep server load / overhead down, we'd
like to leave everyone else using PHP as a module.  We only have the
one IP address, so running separate instances of Apache isn't going to
fly.  Is there a way to do what we're trying to do?  (Ideally, .php
would work for both, with the determination of suexec vs. module being
made based on the user's virtualhost settings.)

Thanks!
Wendell

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] creating a confirm page

2004-03-21 Thread Andy B
hi

was needing to know how to create a confirm page.
I have a form that needs to be submitted to a confirm page before it is dropped into a 
mysql db. was not sure how to do this without losing the content of the form 
variables...



Re: [PHP] creating a confirm page

2004-03-21 Thread Bruno Santos
Andy B wrote:

hi

was needing to know how to create a confirm page.
I have a form that needs to be submitted to a confirm page before it is dropped into a 
mysql db. was not sure how to do this without losing the content of the form 
variables...
 

Hi. Well, you have several solutions for that.

Either you use sessions and register every single variable as a session 
variable ( $_SESSION['variable'] ), or you use forms from one page to another
and pass the contents, then recover every one with 
$_POST['variable_name'] or $_GET['variable_name'], depending on which 
method you've used.

cheers...
There are several other ways: in the same page, using functions and 
conditional statements, etc.
Remember: the best way is as above (using sessions or forms), because it 
will work in most PHP installations that don't have register_globals on.

--
-
   .-'-.
.' `.
   : :
  :   :
  :  _/|  :   Bruno Santos
   :   =/_/  : [EMAIL PROTECTED]
`._/ | .'
 (   /  ,|...-'Pagina Pessoal
  \_/^\/||__   http://feiticeir0.no-ip.org
   _/~  `~`` \_
__/  -'/  `-._ `\_\__
  /jgs  /-'`  `\   \  \-.\
  Written very small on the back poket of a girl's jeans
  - 'If you can read this, you're WAY too close.'
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] RE:[PHP] creating a confirm page

2004-03-21 Thread Andy B
> remember: best way is how its above (using sessions or forms) , because
> will work in most php installations.

Thanks, will try sessions and see what they do... (haven't quite played with them
before but will figure it out)...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] ip to country

2004-03-21 Thread Chris Shiflett
--- Enda Nagle [EMAIL PROTECTED] wrote:
> I had a quick look at http://www.iptocountry.com but was wondering if
> there was a way of doing this with PHP functions?

My favorite is GeoIP Country from Maxmind:

http://www.maxmind.com/

They have an open source PHP API that is easy to use, and it's free. This
is what MySQL AB uses for their Web sites and what many other open source
sites use.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming mid-2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: ip to country

2004-03-21 Thread Chris Shiflett
--- Tom Reed [EMAIL PROTECTED] wrote:
> I would think using HTTP_ACCEPT_LANGUAGE to get the users browser
> language/country info would be quicker and easier to implement.

This is definitely the best way to get the language. You're right about
that. However, this is not the user's question:

> I have a site that will have different pricing by world region /
> country and also offer different currencies.

He needs the country, not the language.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming mid-2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: ip to country

2004-03-21 Thread Chris Shiflett
--- Filip de Waard [EMAIL PROTECTED] wrote:
> Using HTTP headers to identify the country where a visitor comes from 
> is totally inaccurate.

That's not really very fair to HTTP. There is no header that identifies
the country, so it's not inaccurate - it doesn't exist. :-)

Trying to accurately determine a country from a language isn't the fault
of HTTP. I'm sure this is what you were implying, but I wanted to make
sure HTTP wasn't being blamed.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming mid-2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Chris Shiflett
--- Ali Ashrafzadeh [EMAIL PROTECTED] wrote:
> I'm looking for a function To check SQL Injection in Mysql RDBMS
> please tell me if anyone know good function or solution

In my opinion, this is the wrong approach.

SQL injection vulnerabilities exist when you use data that the user gave
you to create your SQL statement. So, anytime that this happens, simply
make absolutely sure that the data you are using from the user fits a very
specific format that you are expecting.

To be clear: make sure the data that the user submitted only contains the
characters you think are valid (don't bother trying to guess malicious
characters - you're sure to miss one) and is a valid length. Once you've
done this, and your design helps you to make sure that this step can't be
bypassed by the user, you're protected against SQL injection.

There is also a rather handy document available from NYPHP:

http://phundamentals.nyphp.org/PH_storingretrieving.php

This is good for describing magic_quotes and mysql_escape_string().

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming mid-2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
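As an added example (not code from the thread), here is the allowlist approach Chris describes in PHP: each field must match an expected character set and length before it is used to build the statement, with escaping as a second layer as in the NYPHP article. The table, field names and the username policy are assumptions; addslashes() stands in for mysql_escape_string() so the example runs without a database.

```php
<?php
// Added example (not from the thread): allowlist validation of request data
// before it is used to build a MySQL statement, as Chris describes above.
// Table, field names and the username policy are assumptions for illustration;
// addslashes() stands in for mysql_escape_string() so this runs without a DB.

// Accept only the characters and length we expect; return null on anything
// else rather than trying to enumerate "dangerous" characters.
function validate_username($raw): ?string
{
    // PHP will happily deliver an array for username[]=..., so check the type too
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Numeric ids: digits only, bounded length, returned as a real integer.
function validate_user_id($raw): ?int
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id >= 1 ? $id : null;
}

// The single place where request data becomes SQL. Every value has to pass
// validation first, so there is no path that interpolates unchecked input;
// that is the "design makes sure this step can't be bypassed" property.
function build_profile_query(array $post, callable $escape): ?string
{
    $name = validate_username($post['username'] ?? null);
    $id   = validate_user_id($post['userid'] ?? null);
    if ($name === null || $id === null) {
        return null;    // reject the request; do not try to "clean" the value
    }
    // $id is an int and $name matched the allowlist; escaping is the second layer
    return sprintf("SELECT id, username FROM users WHERE id = %d AND username = '%s'",
                   $id, $escape($name));
}

// Constructed inputs. "o'brien" is rejected purely because the apostrophe is
// outside the allowlist, not because anything about it was judged malicious.
$escape  = fn(string $s): string => addslashes($s);
$samples = [
    ['username' => 'justin_f', 'userid' => '42'],
    ['username' => "o'brien",  'userid' => '42'],
    ['username' => 'justin_f', 'userid' => '-1'],
    ['username' => ['x', 'y'], 'userid' => '42'],
];
foreach ($samples as $post) {
    echo json_encode($post), ' => ', build_profile_query($post, $escape) ?? 'rejected', "\n";
}
```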



Re: [PHP] Re: ip to country

2004-03-21 Thread Filip de Waard
On Mar 21, 2004, at 10:38 PM, Chris Shiflett wrote:
> --- Filip de Waard [EMAIL PROTECTED] wrote:
>> Using HTTP headers to identify the country where a visitor comes from
>> is totally inaccurate.
>
> That's not really very fair to HTTP. There is no header that identifies
> the country, so it's not inaccurate - it doesn't exist. :-)
>
> Trying to accurately determine a country from a language isn't the 
> fault of HTTP. I'm sure this is what you were implying, but I wanted to make
> sure HTTP wasn't being blamed.
>
> Chris
Hey Chris,

I'm not blaming HTTP, but browsers and operating systems that implement 
it. I posted the HTTP header that my own browser is using to identify 
its language as an example to prove that Accept-Language isn't the 
right source to identify the visitor's language or even his home 
country. I know there is no such thing as a 'Country' header in HTTP, 
but even Accept-Language is quite inaccurate.

I can't back this by scientific evidence, but I'm pretty sure that 
using IP addresses to figure out in which country the visitor is 
located, in combination with a table containing the main languages for 
that country, is far more accurate than using the Accept-Language as a 
source to identify the user's language. One of the mantras of web 
development that I've encountered is: never trust HTTP headers as a 
valid data source. Please don't read that as an attack on HTTP 
itself...

Using IP addresses to identify the visitor's language has three major 
downsides: a. it's not 100% accurate (but nothing is), b. some 
countries have multiple main languages (like Canada) and c. querying 
databases for IP addresses takes a performance toll. IP addresses are 
just giving a hand, but they are no heavenly cure for all our problems. 
Personally I'm using IP addresses nevertheless, since I'm convinced 
that it's the best way to initially identify the visitor's language or 
country.

I don't have any experience with GeoIP Country from Maxmind (I'm using 
ip-to-country), but will try it out soon. Thank you for the tip!

Regards,

Filip de Waard

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] Re: Comparing 2 files

2004-03-21 Thread Kim Steinhaug
Visit sourceforge and look for winmerge, a really excellent software that
does just what you want.

Trust me - install this software and never look for anything else, :)
At least if you're on a windows environment.

-- 
-- 
Kim Steinhaug
--
There are 10 types of people when it comes to binary numbers:
those who understand them, and those who don't.
--
www.steinhaug.com - www.easywebshop.no - www.webkitpro.com
--



Jens Schmeiser [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Dear list.

 I want to compare two text files and print the differences. The text files
 contain the structure of a database, so they are very big (6000 lines).
 The file looks like that:

 TABLENAME#COLUMNNAME#DATATYPE#DATALENGTH#DATAPRECISION#NULLS
 ...

 I only check if the datatype and nulls are different. If so, then the two
 lines of the files will be printed.

 I tried to do that and it works excellently if there aren't many
 differences, but if there are many diffs, it takes a very long time.

 What I do now is to read the two files into an array and get the differences
 with array_diff:

 $array1=file('file1.txt');
 $array2=file('file2.txt');

 $result1 = array_diff($array1,$array2);
 $result2 = array_diff($array2,$array1);

 After that I do the following:
 foreach ($result1 as $line1) {
 foreach ($result2 as $line2) {
 // compare the two lines and show the differences;
 continue;
 }
 }

 Is there a better way to do that (and of course faster)?


 Regards
 Jens

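A single-pass alternative to the nested loop Jens describes, added here as an example (it is not Jens's code nor Kim's suggestion): every line is keyed on TABLENAME#COLUMNNAME in an associative array, so each column of one dump is matched to the other with one hash lookup instead of a loop over every differing line. The two sample dumps, the field positions and the "malformed line" handling are assumptions made for the example; for real input replace the arrays with file('file1.txt') and file('file2.txt').

```php
<?php
// Added example, not Jens's code: compare two schema dumps in one pass by
// keying every line on TABLENAME#COLUMNNAME in an associative array, so the
// nested loop over array_diff() results (quadratic in the number of diffs)
// becomes a hash lookup per line. The two sample dumps are constructed here;
// replace them with file('file1.txt') and file('file2.txt') for real input.

define('F_TABLE', 0);
define('F_COLUMN', 1);
define('F_TYPE', 2);
define('F_NULLS', 5);

/**
 * Index one dump as "TABLE#COLUMN" => array of its six fields.
 * Lines without exactly six fields are collected in $malformed instead of
 * silently feeding garbage into the comparison.
 */
function indexSchema(array $lines, $label, array &$malformed)
{
    $index = array();
    foreach ($lines as $n => $line) {
        $line = rtrim($line, "\r\n");
        if ($line === '') {
            continue;
        }
        $f = explode('#', $line);
        if (count($f) !== 6) {
            $malformed[] = $label . ' line ' . ($n + 1) . ': ' . $line;
            continue;
        }
        $index[$f[F_TABLE] . '#' . $f[F_COLUMN]] = $f;
    }
    return $index;
}

/**
 * Report columns whose DATATYPE or NULLS differ, plus columns present on
 * one side only (array_diff() would have flagged those as well).
 */
function compareSchemas(array $linesA, array $linesB, array &$malformed)
{
    $a = indexSchema($linesA, 'file1', $malformed);
    $b = indexSchema($linesB, 'file2', $malformed);
    $report = array('changed' => array(), 'only_a' => array(), 'only_b' => array());

    foreach ($a as $key => $ra) {
        if (!isset($b[$key])) {
            $report['only_a'][] = $key;
            continue;
        }
        $rb = $b[$key];
        if ($ra[F_TYPE] !== $rb[F_TYPE] || $ra[F_NULLS] !== $rb[F_NULLS]) {
            $report['changed'][$key] = array(implode('#', $ra), implode('#', $rb));
        }
    }
    foreach (array_keys(array_diff_key($b, $a)) as $key) {
        $report['only_b'][] = $key;
    }
    return $report;
}

// Constructed sample dumps in the thread's format.
$file1 = array(
    "USERS#ID#NUMBER#10#0#N\n",
    "USERS#NAME#VARCHAR2#50#0#Y\n",
    "USERS#EMAIL#VARCHAR2#100#0#Y\n",
    "ORDERS#TOTAL#NUMBER#10#2#N\n",
);
$file2 = array(
    "USERS#ID#NUMBER#10#0#N\n",
    "USERS#NAME#VARCHAR2#80#0#N\n",   // length changed (ignored), NULLS changed (reported)
    "USERS#EMAIL#CLOB#0#0#Y\n",       // DATATYPE changed
    "ORDERS#CREATED#DATE#7#0#N\n",    // only in file2
    "this line is broken\n",          // malformed, reported separately
);

$malformed = array();
$report = compareSchemas($file1, $file2, $malformed);

foreach ($report['changed'] as $key => $pair) {
    echo "changed $key\n  < {$pair[0]}\n  > {$pair[1]}\n";
}
foreach ($report['only_a'] as $key) {
    echo "only in file1: $key\n";
}
foreach ($report['only_b'] as $key) {
    echo "only in file2: $key\n";
}
foreach ($malformed as $m) {
    echo "skipped $m\n";
}
```

The cost is one pass over each file plus memory for the index, which for a 6000-line dump is negligible; the number of differences no longer affects the running time.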



[PHP] Re: Problem uploading large files via PHP (20+ MB)

2004-03-21 Thread Kim Steinhaug
I'm not completely sure, but have you gone through the settings in the
IIS server as well? I know at least for the CGI IIS has its own
timeout which overrides the php.ini file. It could be something here
as well, but you probably have done this.

Kim Steinhaug

Schonrock III [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 All,

 I am attempting to upload a large file via PHP to a web server running
 Windows XP Pro IIS 5.1 and I am having some problems.  I have been trying
 to find the right combination of settings in the php.ini file and elsewhere
 to get large files to upload properly, but I keep getting a DNS error in
 Internet Explorer 6 that shows up after about 12MB or 12.5MB of a 21.7MB
 file has been transferred.

 When I looked at the IIS website connection timeout it was set at 900
 seconds.  I have tried many different variations in the php.ini settings
 file with little success.  I have tried using the 8M format and also the
 full out Byte count for size fields in the php.ini file.  I can upload
 files that are smaller than 10 MB (I tested with one that was 9MB earlier)
 with no problem.  Here are my most recent relevant settings in my php.ini
 file (that I know of):

   max_execution_time = 3600
   max_input_time = 3600
   memory_limit = 104857600
   post_max_size = 104857600
   upload_max_filesize = 104857600

 Does anyone have any ideas?  Am I missing something else?  If you need any
 more information that I left out please let me know.  My code for the php
 files is located below this message.  Any help is greatly appreciated!

 Thanks,
 Keith

 -Sending php file:

 <html>
 <body>
 <center>
 <b>This is a test document</b>
 <p>
 <form enctype="multipart/form-data" action="upload2.php" method="post">
  Send this file: <input name="userfile" type="file" />
  <input type="submit" value="Send File" />
 </form>
 </body>
 </html>

 -Receiving php file:

 <html>
 <body>
 <?php
 $uploaddir = 'c:\\new\\out\\';
 $uploadfile = $uploaddir . $_FILES['userfile']['name'];

 print "<pre>";
 if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    print "File is valid, and was successfully uploaded. ";
    print "Here's some more debugging info:\n";
    print_r($_FILES);
 } else {
    print "Possible file upload attack!  Here's some debugging info:\n";
    print_r($_FILES);
 }
 print "</pre>";

 ?>
 </body>
 </html>

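Keith's receiving script reports every failure as "Possible file upload attack!", which hides the one piece of information this thread needs: the error code PHP puts in $_FILES['userfile']['error'] (partial transfer, size limit hit, nothing sent). The script below is an added example, not Keith's code or anything from the list, and rewrites the receiving side to report that code, check that the temp file really came from this request, and store the file under a server-chosen name rather than the client-supplied one. The directory, the 100 MB application limit and the accepted extensions are assumptions.

```php
<?php
// Added example, not Keith's script: the receiving side rewritten so that it
// says why an upload failed (size limit, partial transfer, nothing sent),
// checks the temp file really came from this request, and stores the file
// under a name the server chooses, so the client-supplied
// $_FILES['userfile']['name'] never becomes part of a filesystem path.
// The directory, size limit and accepted extensions are assumptions.

$uploadDir   = 'c:\\new\\out';
$maxBytes    = 100 * 1024 * 1024;      // keep at or below upload_max_filesize / post_max_size
$allowedExts = array('pdf', 'txt', 'zip');

/** Translate $_FILES[...]['error'] into something useful for a log line. */
function uploadErrorMessage($code)
{
    switch ($code) {
        case UPLOAD_ERR_INI_SIZE:  return 'file exceeds upload_max_filesize';
        case UPLOAD_ERR_FORM_SIZE: return 'file exceeds MAX_FILE_SIZE given in the form';
        case UPLOAD_ERR_PARTIAL:   return 'file was only partially uploaded (timeout or dropped connection)';
        case UPLOAD_ERR_NO_FILE:   return 'no file was sent';
        default:                   return 'upload failed with error code ' . (int) $code;
    }
}

/**
 * Validate one $_FILES entry and move it into place.
 * Returns array(true, storedName) or array(false, reason); nothing is moved on failure.
 */
function storeUpload(array $file, $uploadDir, $maxBytes, array $allowedExts)
{
    $code = isset($file['error']) ? (int) $file['error'] : -1;
    if ($code !== UPLOAD_ERR_OK) {
        return array(false, uploadErrorMessage($code));
    }
    // tmp_name must be a file PHP created for this request, not an arbitrary path.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return array(false, 'tmp_name is not an uploaded file');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        return array(false, 'file larger than the application limit');
    }
    // Only the extension of the client name is used, and only if it is on the list.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExts, true)) {
        return array(false, 'file type not accepted');
    }
    // Server-chosen name: no user input, no path separators.
    $stored = md5(uniqid(mt_rand(), true)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR . $stored;
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        return array(false, 'could not move file into ' . $uploadDir);
    }
    return array(true, $stored);
}

header('Content-Type: text/plain');
if (isset($_FILES['userfile'])) {
    list($ok, $info) = storeUpload($_FILES['userfile'], $uploadDir, $maxBytes, $allowedExts);
    if ($ok) {
        // Keep the original name as data (database, log), never as a path.
        echo 'stored as ', $info, ' (client name: ', basename($_FILES['userfile']['name']), ")\n";
    } else {
        error_log('upload rejected: ' . $info);
        echo 'upload rejected: ', $info, "\n";
    }
} else {
    // When the whole POST body exceeds post_max_size PHP discards $_FILES and
    // $_POST entirely, so an over-sized upload surfaces here, not as an error code.
    echo "no file field named userfile in the request\n";
}
```

With the error code logged, a transfer that dies at 12 MB will show up as UPLOAD_ERR_PARTIAL (the server side gave up before the body arrived, which points at a timeout such as the IIS CGI one Kim mentions) rather than UPLOAD_ERR_INI_SIZE (a php.ini limit), and the two can be told apart without guessing.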



Re: [PHP] Re: ip to country

2004-03-21 Thread Chris Shiflett
--- Filip de Waard [EMAIL PROTECTED] wrote:
 I posted the HTTP header that my own browser is using to identify 
 it's language as an example to prove that Accept-Language isn't the 
 right source to identify the visitors language or even his home 
 country.

It's definitely not the way to determine a user's country. It's not called
Country, after all. It's simply a header that indicates the user's
language preferences (many preferences can be specified, each with a
different quality value).

However, it is the best way to choose a default language, although giving
the user the option to change language is always a good idea.

Why? Because, I might be working in Germany for a few months, but my
computer is set to English (because I don't speak German). I certainly
don't want you giving me a page in German (which is also available in
English) when I am telling you that I prefer English. This is what
Accept-Language is for, so I hate to hear that people knowingly ignore it.
The user knows best when it comes to what language he/she prefers. Trying
to override this preference with something you determine by IP address is
wildly inaccurate and certain to have a high failure rate.

 I don't have any experience with GeoIP Country from Maxmind (I'm using 
 ip-to-country), but will try it out soon. Thank you for the tip!

No problem. I've tried several, and that one is my favorite. I currently
maintain some Web sites with a very broad audience in terms of countries
around the world, and this is the database that produces the fewest dead
spots for us. Plus, the PHP API was written by a guy from the PHP Group,
so that made me feel even more confident. :-)

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming mid-2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/

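The two positions in this thread are not actually exclusive: the header can decide whenever it names a language the site serves (Chris's point about q-values and the visitor who prefers English in Germany), and a country lookup of the kind Filip describes can break the tie only when the header gives nothing usable. The script below is an added example, not code from either message; the supported-language list, the country table and the sample header values are constructed for it, and the visitor's country code is assumed to come from whatever IP-to-country database you already use.

```php
<?php
// Added example, not code from either message: pick the page language from
// Accept-Language (honouring q-values, as Chris describes) and fall back to a
// constructed country -> languages table (Filip's approach) only when the
// header offers nothing the site can serve. $supported, the table and the
// sample headers are all assumptions made for this example.

$supported = array('en', 'de', 'fr', 'nl');

// Constructed table: main languages per ISO country code. Canada lists two,
// the case Filip flags as a downside of deciding by country alone.
$countryLanguages = array(
    'DE' => array('de'),
    'NL' => array('nl'),
    'CA' => array('en', 'fr'),
);

/**
 * Parse an Accept-Language value into tag => q, highest q first.
 * Tags that are not well formed are dropped, not trusted.
 */
function parseAcceptLanguage($header)
{
    $prefs = array();
    foreach (explode(',', (string) $header) as $part) {
        $pieces = explode(';', trim($part));
        $tag = strtolower(trim($pieces[0]));
        if (!preg_match('/^[a-z]{1,8}(-[a-z0-9]{1,8})*$/', $tag)) {
            continue;
        }
        $q = 1.0;
        for ($i = 1; $i < count($pieces); $i++) {
            if (preg_match('/^q=(0(\.[0-9]{0,3})?|1(\.0{0,3})?)$/', trim($pieces[$i]), $m)) {
                $q = (float) $m[1];
            }
        }
        if ($q > 0) {
            $prefs[$tag] = $q;
        }
    }
    arsort($prefs, SORT_NUMERIC);
    return $prefs;
}

/**
 * Best language for this visitor. The header wins whenever it names a
 * language the site supports (en-GB counts as en); otherwise the country
 * table is consulted; otherwise the site default.
 */
function chooseLanguage($acceptLanguage, $countryCode, array $supported,
                        array $countryLanguages, $default = 'en')
{
    foreach (parseAcceptLanguage($acceptLanguage) as $tag => $q) {
        $primary = substr($tag, 0, strcspn($tag, '-'));
        if (in_array($primary, $supported, true)) {
            return $primary;
        }
    }
    $countryCode = strtoupper((string) $countryCode);
    if (isset($countryLanguages[$countryCode])) {
        foreach ($countryLanguages[$countryCode] as $lang) {
            if (in_array($lang, $supported, true)) {
                return $lang;
            }
        }
    }
    return $default;
}

// Chris's situation: an English-speaking visitor on a German connection.
echo chooseLanguage('en-US,en;q=0.8,de;q=0.2', 'DE', $supported, $countryLanguages), "\n";
// Header names only a language the site lacks, so the country table decides.
echo chooseLanguage('ja', 'CA', $supported, $countryLanguages), "\n";
// Empty or garbage header and an unknown country: the site default.
echo chooseLanguage('', 'ZZ', $supported, $countryLanguages), "\n";
```

In a page you would pass $_SERVER['HTTP_ACCEPT_LANGUAGE'] (guarded with isset(), since it can be absent) as the first argument. Note that the header is parsed with a whitelist pattern and then only compared against the site's own list, so it is never echoed or used as a file name; that is what lets you follow Filip's "never trust HTTP headers" rule while still honouring the preference, as Chris asks.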



Re: [PHP] Re: Comparing 2 files

2004-03-21 Thread Jochem Maas
Kim Steinhaug wrote:

Visit sourceforge and look for winmerge, a really excellent software that
does just what you want.
Trust me - install this software and never look for anything else, :)
At least if you're on a windows environment.

having been introduced to CVS and the tortoiseCVS program (win32)
I was pointed by said program to a prog called examDiff which is also 
very nice for windows environments.

(google either appName - first link will take you where you want to go.)



[PHP] Zend Optimiser -- wide spread??

2004-03-21 Thread Justin French
Hi all,

I'm close to releasing my first widely distributed (I hope) PHP 
application, and I wish to protect the source with Zend Encoder.  Seems 
easy enough.

However, this is a low-cost app that was intended to work on basic 
installs of PHP, running on almost any server -- it uses no external 
libraries, and required no special compiles.

Is Zend Optimiser (required to run encoded PHP files) part of a base 
installation, or at the very least, is it widely spread in use 
(available on most hosts)?

Seems like there's no point encoding if only half of the servers out 
there can run the scripts.  I know optimiser is available on *my* host, 
but that's not enough in this case!

---
Justin French
http://indent.com.au


[PHP] Re: Zend Optimiser -- wide spread??

2004-03-21 Thread Geir Pedersen - Activio AS

Justin,

 Is Zend Optimiser (required to run encoded PHP files) part of 
 a base installation, or at the very least, is it widely spread 
 in use (available on most hosts)?

From looking around earlier my impression is that most good commercial
web hosting providers have the Zend Optimiser installed. I think it is
far less common for people running their own servers to have it
installed, unless they are already running code depending on it. As
far as I know, it is not part of any standard PHP distribution.

---

Geir Pedersen
http://www.activio.com/




Re: [PHP] Re: php and CSS level 2

2004-03-21 Thread Michal Migurski
RD> I do wonder if either of the above methods would force the
RD> browser to never cache the CSS file locally

You know, I didn't think about that, as I've never personally used this
method.  I've never had a need.  Thinking about it now, I would also
think that you may need to send a content-type header of text/css to
the browser, as well, though I'm not positive on this.

Gecko/Moz based browsers will ignore a stylesheet that lacks the
appropriate Content-Type header, so definitely make sure it's there.
Regarding the caching, I think just setting up the appropriate
cache-control headers should make it indistinguishable from a regular,
static CSS file.

-
michal migurski- contact info and pgp key:
sf/cahttp://mike.teczno.com/contact.html

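What "the appropriate Content-Type header" and "the appropriate cache-control headers" look like in a PHP-generated stylesheet, as an added example rather than code from Michal or Richard: the script sends text/css, an ETag derived from the output, a Last-Modified value and a Cache-Control lifetime, and answers a conditional request with 304 so the browser reuses its copy exactly as it would for a static .css file. The stylesheet body, the one-hour lifetime and the use of this script's own mtime as Last-Modified are assumptions.

```php
<?php
// Added example (not from the thread): serve CSS generated by PHP with the
// Content-Type Gecko insists on and with validation headers so a browser can
// cache it like a static file. The stylesheet body is constructed inline;
// $themeColor stands in for whatever PHP computes at runtime.

$themeColor = '#336699';
$css = "body { color: $themeColor; }\n";

// Strong validator derived from the output itself, so it changes when the CSS does.
$etag = '"' . md5($css) . '"';
// Assumption: this script's mtime is a reasonable Last-Modified for its output.
$lastModified = filemtime(__FILE__);

header('Content-Type: text/css; charset=utf-8');
header('ETag: ' . $etag);
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastModified) . ' GMT');
header('Cache-Control: public, max-age=3600');   // assumption: one hour is acceptable

// Conditional request: tell the browser its copy is still good.
$ifNoneMatch = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? trim($_SERVER['HTTP_IF_NONE_MATCH']) : null;
$ifModSince  = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) : false;

if (($ifNoneMatch !== null && $ifNoneMatch === $etag)
    || ($ifNoneMatch === null && $ifModSince !== false && $ifModSince >= $lastModified)) {
    header('HTTP/1.1 304 Not Modified');
    exit;
}

header('Content-Length: ' . strlen($css));
echo $css;
```

One caveat on the caching side: if the script calls session_start(), PHP adds its own no-cache headers by default (see session_cache_limiter), which would undo the Cache-Control line above, so a stylesheet script is best kept session-free.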



Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Michael Rasmussen
On Sun, 21 Mar 2004 13:49:22 -0800, Chris Shiflett wrote:

 
 To be clear: make sure the data that the user submitted only contains the
 characters you think are valid (don't bother trying to guess malicious
 characters - you're sure to miss one) and is a valid length. Once you've
 done this, and your design helps you to make sure that this step can't be
 bypassed by the user, you're protected against SQL injection.
 
Or even better: Use only prepared statements.

-- 
Hilsen/Regards
Michael Rasmussen
--
Be cheerful while you are alive.
-- Phathotep, 24th Century B.C.




php-general Digest 22 Mar 2004 01:22:55 -0000 Issue 2660

2004-03-21 Thread php-general-digest-help

php-general Digest 22 Mar 2004 01:22:55 - Issue 2660

Topics (messages 181078 through 181108):

Re: Timing a MySQL response
181078 by: John W. Holmes

Re: Upload file field not working as a form element
181079 by: Lowell Allen
181080 by: Vernon
181081 by: Jason Wong
181082 by: Lowell Allen

SQL Injection check (mysql)
181083 by: Ali Ashrafzadeh
181099 by: Chris Shiflett
181108 by: Michael Rasmussen

Re: 9 Months Ago
181084 by: Marek Kilimajer
181086 by: Ben Ramsey
181090 by: Rasmus Lerdorf

Decoding a URL without decoding values
181085 by: Ben Ramsey
181087 by: Jason Wong
181088 by: Ben Ramsey

Re: Scheduling PHP on Windows
181089 by: trlists.clayst.com

Array problem
181091 by: noginn

PHP as module, also as suexec, in Apache?
181092 by: Wendell

creating a confirm page
181093 by: Andy B
181094 by: Bruno Santos

RE:[PHP] creating a confirm page
181095 by: Andy B

Re: ip to country
181096 by: Chris Shiflett
181097 by: Chris Shiflett
181098 by: Chris Shiflett
181100 by: Filip de Waard
181103 by: Chris Shiflett

Re: Comparing 2 files
181101 by: Kim Steinhaug
181104 by: Jochem Maas

Re: Problem uploading large files via PHP (20+ MB)
181102 by: Kim Steinhaug

Zend Optimiser -- wide spread??
181105 by: Justin French
181106 by: Geir Pedersen - Activio AS

Re: php and CSS level 2
181107 by: Michal Migurski

--
---BeginMessage---
Richard Davey wrote:

Just a quick question - but does anyone know how to get the ms value
back from MySQL that tells you how long it took to run your query?
That value is not returned at all. Go with the wrapper...

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals  www.phparch.com
---End Message---
---BeginMessage---
 All I am trying to do is insert the file name, not the file. The file is
 being uploaded to the server in a specific location. All I need is the
 filename inserted into the database. I've gotten the upload part to work and
 everything I just can't get the file name inserted for God knows what
 reason. I removed the upload code and am simply trying to insert the
 filename and userid into the database. The userid goes in but I cannot get
 the file name inserted.
 
 Here is the form:
<form action="<?php echo $editFormAction; ?>" method="post"
 enctype="multipart/form-data" name="form1">
   <input name="filename" type="file" id="filename">
   <input name="userid" type="hidden" id="userid"
 value="<?php echo $row_rsUSER['id']; ?>">
   <input type="submit" name="Submit2" value="Upload"
 disabled>
   <input type="hidden" name="MM_insert" value="form1">
 </form>

The uploaded file name will be $HTTP_POST_FILES[filename][name] -- use
that rather than $_POST[filename].

HTH

--
Lowell Allen
---End Message---
---BeginMessage---
 The uploaded file name will be $HTTP_POST_FILES[filename][name] -- use
 that rather than $_POST[filename].

I'm sorry I don't understand. What is the extra [name] for? When I use
this in the insert into the value that is inserted into the database is
Array, as opposed to the actual filename.

Thanks
 -V

---End Message---
---BeginMessage---
On Sunday 21 March 2004 22:53, Vernon wrote:
  The uploaded file name will be $HTTP_POST_FILES[filename][name] --
  use that rather than $_POST[filename].

 I'm sorry I don't understand. What is the extra [name] for? When I use
 this in the insert into the value that is inserted into the database is
 Array, as opposed to the actual filename.

manual > Handling file uploads

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
SEMPER UBI SUB UBI
*/
---End Message---
---BeginMessage---
 The uploaded file name will be $HTTP_POST_FILES[filename][name] -- use
 that rather than $_POST[filename].
 
 I'm sorry I don't understand. What is the extra [name] for? When I use
 this in the insert into the value that is inserted into the database is
 Array, as opposed to the actual filename.

The $HTTP_POST_FILES array works for me. Maybe you need to try the $_FILES
array instead. Take a look at the info in the manual:
http://www.php.net/manual/en/features.file-upload.php#features.file-upload.
post-method.

--
Lowell Allen
 
---End 

Re: [PHP] Zend Optimiser -- wide spread??

2004-03-21 Thread Filip de Waard
On Mar 22, 2004, at 1:16 AM, Justin French wrote:

Hi all,

I'm close to releasing my first widely distributed (I hope) PHP 
application, and I wish to protect the source with Zend Encoder.  
Seems easy enough.

However, this is a low-cost app that was intended to work on basic 
installs of PHP, running on almost any server -- it uses no external 
libraries, and required no special compiles.

Is Zend Optimiser (required to run encoded PHP files) part of a base 
installation, or at the very least, is it widely spread in use 
(available on most hosts)?

Seems like there's no point encoding if only half of the servers out 
there can run the scripts.  I know optimiser is available on *my* 
host, but that's not enough in this case!

It's not available on every PHP aware webserver, since it's not part of 
PHP itself.

You can give your clients two options: a. encoded file (cheaper) and b. 
source code (expensive). If you don't want to give them your source you 
can always make a reseller arrangement with a specific hosting company 
and forward clients whose current provider doesn't support the Zend 
Optimizer to that reseller account :-)

Regards,

Filip de Waard



Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Chris Shiflett
--- Michael Rasmussen [EMAIL PROTECTED] wrote:
  To be clear: make sure the data that the user submitted only
  contains the characters you think are valid (don't bother trying
  to guess malicious characters - you're sure to miss one) and is a
  valid length. Once you've done this, and your design helps you to
  make sure that this step can't be bypassed by the user, you're
  protected against SQL injection.
 
 Or even better: Use only prepared statements.

Can you explain that (and defend it)?

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming mid-2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread trlists
On 21 Mar 2004 Chris Shiflett wrote:

 SQL injection vulnerabilities exist when you use data that the user gave
 you to create your SQL statement. So, anytime that this happens, simply
 make absolutely sure that the data you are using from the user fits a very
 specific format that you are expecting.

 To be clear: make sure the data that the user submitted only contains the
 characters you think are valid (don't bother trying to guess malicious
 characters - you're sure to miss one) and is a valid length. Once you've
 done this, and your design helps you to make sure that this step can't be
 bypassed by the user, you're protected against SQL injection.

Recently I've been in the middle of trying to build defenses against 
SQL injection on a site I'm working on (proactively, we haven't had a 
problem).  While this principle seems exactly right, I find it's not as 
easy to implement as it sounds, and I'd argue that the results aren't 
as absolute as you suggest, though you certainly have more experience 
with it than I do so perhaps I'm missing something.

Here's how I'm looking at it.

Pretty much any useful site tied to a database will use user data in 
SQL statements, either in WHERE clauses or SET clauses or both.  This 
means all input must be checked for maliciousness, and the primary 
kinds of malicious input seem to be SQL injection, or on another front 
HTML injection / XSS.

The problem is that there are some well-defined attacks with 
protections against them that can be logically defended.  But there is 
no list of all possible attacks, so I'm not sure it's really possible 
to say you're protected against SQL injection at some point.  Do you 
feel differently?  If so I'd be interested to hear why.

I agree with you that checking for valid characters is safer than 
checking for malicious characters, but even the former is not absolute. 
Also it is not possible to make the set of characters with syntactic 
significance have no overlap with the set of valid input characters -- 
a single quote used as an apostrophe is the obvious example, so 
checking for valid characters may still leave characters in the data 
that could also be part of an attack.

As for specifics, at the moment I am simply forcing every element of 
_POST to be truncated to a known maximum length, then run through 
strip_tags, stripslashes, and htmlspecialchars (in that order) before I 
use it.  Then every input form element is validated against an 
appropriate regexp depending on the type of input expected.  I also use 
mysql_real_escape_string on all strings prior to writing them to the 
database, and I use single quotes around all integer values.  If you're 
game, I'm curious if you see any flaws in this approach.  I am still 
contemplating whether there is any value to running input through 
htmlspecialchars, or whether I should instead simply be using 
htmlentities on output.  I also haven't looked at what this does to 
nested attacks of various kinds and whether there is a way to use 
multiple iterations or escapes in the input data to bypass the 
filtering (pointers to articles which discuss this would be welcome).

Thanks,

--
Tom

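Tom's apostrophe case and Michael's one-line "use only prepared statements" can be shown side by side. The script below is an added example, not code from anyone in the thread: it keeps Chris's whitelist validation as the first layer, then sends the value through a prepared statement so the database never parses it as SQL, and encodes it only at display time. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, rows and the name pattern are constructed for the example.

```php
<?php
// Added example, not code from the thread. It separates the layers Chris and
// Tom discuss: validate the value against a whitelist pattern, hand it to the
// database through a prepared statement (Michael's suggestion) rather than a
// concatenated string, and encode it only when it is displayed. An in-memory
// SQLite database via PDO stands in for MySQL so the script runs without a
// server; the table and rows are constructed for the example.

/** Whitelist for a first name: starts with a letter; letters, apostrophe, hyphen, space; at most 40 chars. */
function isValidFirstName($name)
{
    return is_string($name)
        && strlen($name) <= 40
        && preg_match("/^[A-Za-z][A-Za-z' -]*$/", $name) === 1;
}

function setupDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (first_name) VALUES ('Alice')");
    $db->exec("INSERT INTO users (first_name) VALUES ('O''Brien')");
    return $db;
}

/** The fragile pattern: user data spliced into the SQL text. Kept only to show the failure. */
function findByNameConcatenated(PDO $db, $name)
{
    $sql = "SELECT id FROM users WHERE first_name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Prepared statement: the value travels as a parameter and is never parsed as SQL. */
function findByNamePrepared(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE first_name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Output encoding belongs at display time, not at storage time. */
function renderName($name)
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$db    = setupDb();
$input = "O'Brien";   // a perfectly valid name containing the apostrophe Tom worries about

echo 'valid first name: ', (isValidFirstName($input) ? 'yes' : 'no'), "\n";

try {
    findByNameConcatenated($db, $input);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    // The apostrophe closed the literal early. With a legitimate name that is a
    // syntax error; with hostile input it is the injection point.
    echo 'concatenated query failed: ', $e->getMessage(), "\n";
}

$ids = findByNamePrepared($db, $input);
echo 'prepared query matched ', count($ids), " row(s)\n";
echo 'for display: ', renderName($input), "\n";

// Validation is still needed: a prepared statement stops SQL injection but
// accepts any string, so the whitelist is what keeps nonsense out of the table.
echo 'valid first name: ', (isValidFirstName('Bob123') ? 'yes' : 'no'), "\n";
```

Against MySQL the same shape works with PDO's mysql driver or mysqli's prepare()/bind_param(). Where a statement genuinely has to be built as a string, Chris's rule applies instead: escape with mysql_real_escape_string() and put single quotes around every literal, integers included. Note that strip_tags and htmlspecialchars on input, which Tom applies, change the stored data and do nothing for SQL; the escaping or the parameter binding is what protects the query, and the encoding in renderName() is what protects the page.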



Re: [PHP] SQL Injection check (mysql)

2004-03-21 Thread Chris Shiflett
--- [EMAIL PROTECTED] wrote:
 Recently I've been in the middle of trying to build defenses against 
 SQL injection on a site I'm working on (proactively, we haven't had a 
 problem). While this principle seems exactly right, I find it's not as 
 easy to implement as it sounds, and I'd argue that the results aren't 
 as absolute as you suggest, though you certainly have more experience 
 with it than I do so perhaps I'm missing something.

I would never argue that something is an absolute defense, but I would
characterize my recommendation as a best practice.

 The problem is that there are some well-defined attacks with 
 protections against them that can be logically defended. But there is 
 no list of all possible attacks, so I'm not sure it's really possible 
 to say you're protected against SQL injection at some point. Do you 
 feel differently? If so I'd be interested to hear why.

The reason why is the difference in approach. If any approach depends on
exhaustive knowledge of all possible attacks, the approach is
fundamentally flawed and could never be considered secure. There is only
one you, and there are an unlimited number of potential attackers. You
cannot hope to second guess every single one of them.

 I agree with you that checking for valid characters is safer than 
 checking for malicious characters, but even the former is not absolute.

Not absolute in what sense? Making sure something is valid is pretty
absolute; the only possible flaws are flaws in making sure something is
valid. For example, I feel confident that no one can show me a string
that I would consider a valid first name that is also an SQL injection
attack.

 Also it is not possible to make the set of characters with syntactic
 significance have no overlap with the set of valid input characters --
 a single quote used as an apostrophe is the obvious example, so
 checking for valid characters may still leave characters in the data
 that could also be part of an attack.

I would never suggest that you should not escape data properly according
to your database of choice. In fact, I included a very helpful link that
addresses this, and I will include it again:

http://phundamentals.nyphp.org/PH_storingretrieving.php

If you are using MySQL, there is a nice function that escapes your data
for you:

http://www.php.net/mysql_escape_string

If you make sure data is valid and then properly escape it for use in an
SQL statement, you're adhering to what I am suggesting is a best practice
against SQL injection. This is under the assumption that you surround all
literal values with single quotes.

 As for specifics, at the moment I am simply forcing every element of 
 _POST to be truncated to a known maximum length, then run through 
 strip_tags, stripslashes, and htmlspecialchars (in that order) before I 
 use it.

This doesn't work for everyone. I can think of several examples where
users would be submitting HTML and/or PHP code. I wouldn't want to delete
some of their data.

I applaud your efforts in data filtering, because almost all PHP
vulnerabilities that I read about are a result of the author completely
failing to perform any data filtering at all (which is inexcusable).
However, might I suggest that you take a slightly different approach.
Verify that the data is exactly what you expect it to be, and then escape
and/or encode it when necessary.

For example, for storing valid data, use mysql_escape_string() or an
equivalent function for your database of choice. For displaying valid
data, use htmlentities(). If you want some user-submitted tags
interpreted, you can use str_replace() to convert those HTML entities back
(this makes sure that only specific uses of specific tags are
interpreted).

For unvalidated data, do nothing with it until you have validated it with
your data filtering logic. A good software architecture should make it
easy for the developer to keep up with this (naming conventions are also
very helpful for this).

 Then every input form element is validated against an appropriate
 regexp depending on the type of input expected. I also use
 mysql_real_escape_string on all strings prior to writing them to
 the database, and I use single quotes around all integer values.
 If you're game, I'm curious if you see any flaws in this approach.

I'm always game. :-)

This actually sounds like a strong approach to me. I assume that you
surround all data in an SQL statement with single quotes (not just integer
values). In fact, this is almost exactly what I am suggesting. I do not
think you have an SQL injection vulnerability, unless what your code does
strays from this description somehow.

Also, if your applications never allow the user to submit HTML or PHP,
stripping tags is fine. But, you might be interested in letting your
regular expression catch this, so that you can log attacks. Attackers
certainly profile your applications - why not profile their attacks? It
can potentially help us all.

 I am still contemplating