[PHP] XPath 2.0 in PHP 5.3
Hi,

Does anyone know if XPath 2.0 will be supported in 5.3?

Raymond Irving

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Remote MySQL Connection Problems
Hello everyone,

I've run into a bit of a sticky situation trying to connect to a remote MySQL database. Here's the background:

Connecting from the command line on the web server works. Connecting from a different vhost works. There's no information in mysql_error. In fact,

    mysql_select_db('db') or die(mysql_error());

doesn't produce any output. The only way I know this isn't working is when I try to run a query: the result resource is NULL. If I copy the contents of the query and run it on the command line, from the web server, I get the results I expected.

I manage both servers. I added the new login on the MySQL server and also ran flush privileges. I've gone so far as to reboot both the MySQL process and the apache process. The versions of MySQL are slightly different: 5.0.24a (web) vs 5.0.36 (db).

It's getting late and I'm just grasping for straws.

Thanks!
Ray
[PHP] Re: SimpleXML Class
Cesco wrote:
> Could you help me clarify one thing that I don't understand... let's put it simple, just imagine that I have a tiny XML document with a list of movies:
>
>     Gone with the wind
>
> I want to read this XML file and write the name of the first (and only) movie in the list; for this reason I have chosen to use SimpleXML since it was looking quite user-friendly. But there's a thing I don't understand... when I have some children, how do I understand which is the first child and which is the last?
>
> I have tried to write this, but I'm getting a wrong result: instead of "Gone with the wind" I got "with wind Gone the", because I understand that the tag contains all the text that is not formatted, and then it writes all the children of : Gone and the
>
>     <?php
>     $xml = new SimpleXMLElement("Gone with the wind");
>     echo ($xml->title . " ");
>     foreach ($xml->title->children() as $element) {
>         echo ($element . " ");
>     }
>     // Returns "with wind Gone the"
>     ?>
>
> I'm using PHP 5.2.5, could you tell me what am I doing wrong?
>
> Thank you

cdata
Re: [PHP] speaking of control structures...
On Wed, 06 May 2009 08:54:14 -0400, f...@thefsb.org (Tom Worster) wrote:
...
> clancy, i can't argue with you. my desired usage of break is really just a
> cover-up for a goto. i know.
>
> it makes no logical sense but i think i'd sooner adopt oop than gotos. my
> mom taught me to program back in the late 70s and early 80s. she was an old
> hand. when FORTRAN 4 came out she thought it was the bees knees. when Z80
> micros with MS-BASIC came out, she thought they were cute. when turbo pascal
> came out on CP/M, she was impressed and taught me to quit using gotos.
>
> so while it makes no logical sense, perhaps you can see that it makes
> emotional sense.

I can understand your reluctance to disregard your mother's advice, but unfortunately she had been brainwashed to accept the dogma of the day. I could never understand the hysteria relating to GOTO. Certainly it could be abused, as I knew to my cost, but it is clear and explicit, whereas both break and exception are disguised GOTO's with ill-defined targets.

I started programming in 1967, in Fortran. There were only the most basic computer manuals, and CSIRO (for whom I worked) had a little computer (a CDC3200, with 32K of 24 bit words, and costing only $500,000) in each capital city, and a big computer (a CDC3600, with 64K of 48 bit words, and costing $2 million) in Canberra. Our local computer was at Clayton, and I worked at Highett, so a courier collected our punch cards twice a day and took them to the local computer, then brought back the results of the previous run, giving effectively one and a half runs a day. When I got ambitious, and needed to use the big computer, my cards were put on to mag tape at Clayton, and flown to Canberra, where they were run through the 3600 overnight, and the results written back to mag tape. Next morning the tapes were flown back to Melbourne, driven to Clayton, run through the 3200 to produce listings, and these were then delivered back to Highett.

The flights were often delayed by fog in Canberra, and on average we got three runs a week.

Programming was in its infancy, and the idea of using a stack to handle subroutines had not been introduced (at least by CDC). The Fortran provided an assigned GOTO, which really was the perfect instruction for writing 'write only' code. It also permitted you to jump indiscriminately into, or out of, loops and subroutines, and it was probably abuse of these options which gave the GOTO its bad name.

I was developing a program for analysing linear electronic circuits, and effectively developed my own interpreted language. The program was very simple; it consisted of a loop containing three assigned GOTO's:

    start:  assign begin to switch_one
            assign
    next:   read the next character
            if it's a number, GOTO switch_one
            if it's a punctuation mark, GOTO switch_two
            GOTO switch_three
    begin:  .
            GOTO next
    end:

I left CSIRO in 1973, and did not have access to a big computer until about 1983. By this time the assigned GOTO had long since vanished, and I had great difficulty understanding my original logic, until I unrolled the inner loop into a logical progression through the possible inputs.

For the next 20 years most of my programming was in 8x86 MASM. This also had the GOTO, and I was able to write extremely complex programs, despite its inherent verbosity, by developing subroutines to handle all the basic procedures, and using GOTO's to define the control structure.
Re: [PHP] speaking of control structures...
Robert Cummings wrote:
> On Wed, 2009-05-06 at 08:41 -0400, Tom Worster wrote:
>> On 5/6/09 7:05 AM, "Robert Cummings" wrote:
>>> That seems like an abuse of exceptions. But then we're already abusing
>>> loops. I just don't think one could say it's the proper way to do it :)
>>
>> i don't have a lot of interest in "the proper way" to do things. i'm
>> interested in how other programmers actually do things.
>
> I highly doubt they use exceptions.
>
> lol

hello - I always seem to want to reply to your posts Rob!

with exceptions.. if you're using an n-tier architecture then exceptions are the best thing to use here, you've got an exceptional state where criteria isn't met and this exception should be caught by the display layer and handled. But this isn't a discussion with an OOP variant, it's more procedural, so def out of place imho.

at the same time.. the functionality required and what is essentially a want for advanced separation of concerns is very oop so.. really.. this could easily be solved with OOP and it'd be an elegant reusable solution

regards!
Re: [PHP] speaking of control structures...
Robert Cummings wrote:
> On Wed, 2009-05-06 at 22:23 +0200, Marcus Gnaß wrote:
>> Robert Cummings wrote:
>>> On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
>>>> Tom Worster wrote:
>>>>> there's a control structure i wish php had: a simple block that you can
>>>>> break out of, e.g.
>>>>
>>>> As Maarten pointed out you could use a function. Another alternative is
>>>> to use Exceptions which might be the most proper way to do it.
>>>
>>> That seems like an abuse of exceptions. But then we're already abusing
>>> loops. I just don't think one could say it's the proper way to do it :)
>>>
>> Why do you think it's an abuse of exceptions? If I have a block of code
>> which I expect to run from the beginning to the end and I discover a
>> situation where it's not appropriate to continue this block of code I is
>> what I would call an exception. Exceptions don't have to be errors or
>> such. It's just a special situation ...
>
> While exceptions can certainly be used in this context and in a valid
> manner, there's a fine line between an exception and a condition. The OP
> was processing code that didn't appear exceptional, he was merely
> managing flow control of the logic. This is a condition, not an
> exception.

Agreed! He wrote:

    if ( condition ) break;

Although I had the impression that he expected the whole block of code to be executed and just wanted to break from this block in an exceptional situation.
[PHP] SimpleXML Class
Could you help me clarify one thing that I don't understand... let's put it simple, just imagine that I have a tiny XML document with a list of movies:

    Gone with the wind

I want to read this XML file and write the name of the first (and only) movie in the list; for this reason I have chosen to use SimpleXML since it was looking quite user-friendly. But there's a thing I don't understand... when I have some children, how do I understand which is the first child and which is the last?

I have tried to write this, but I'm getting a wrong result: instead of "Gone with the wind" I got "with wind Gone the", because I understand that the tag contains all the text that is not formatted, and then it writes all the children of : Gone and the

    <?php
    $xml = new SimpleXMLElement("Gone with the wind");
    echo ($xml->title . " ");
    foreach ($xml->title->children() as $element) {
        echo ($element . " ");
    }
    // Returns "with wind Gone the"
    ?>

I'm using PHP 5.2.5, could you tell me what am I doing wrong?

Thank you
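An added illustration of what the poster is seeing (not code from the original post). The archive stripped the markup from the question, so the example assumes the title was marked up with <b> elements inside a <movie> root, which matches the description (child elements "with" and "wind", bare text "Gone" and "the"); it shows why the string cast and children() split the title apart, how to address the first and last child, and how to get the text in document order.

```php
<?php
// Added example, not the poster's code. The <movie> root and the <b> markup
// are ASSUMED; the archive dropped the original tags.
$doc = <<<'XML'
<movie><title>Gone <b>with</b> the <b>wind</b></title></movie>
XML;
$xml = new SimpleXMLElement($doc);
$title = $xml->title;

// Casting a mixed-content element to string concatenates only the element's
// own text nodes; the text inside its child elements is left out.
function ownText(SimpleXMLElement $el)
{
    return (string) $el;
}

// children() iterates the child *elements* only, in document order, which is
// why the two marked-up words come out together, apart from the bare text.
function childWords(SimpleXMLElement $el)
{
    $words = array();
    foreach ($el->children() as $child) {
        $words[] = (string) $child;
    }
    return $words;
}

// First and last child element of a given name: index into the named list.
function firstAndLastChild(SimpleXMLElement $el, $name)
{
    $list = $el->{$name};
    $n = count($list);
    if ($n === 0) {
        return array(null, null);
    }
    return array((string) $list[0], (string) $list[$n - 1]);
}

// The whole title in document order: hand the element to DOM, whose
// textContent walks every descendant text node in order.
function fullText(SimpleXMLElement $el)
{
    return dom_import_simplexml($el)->textContent;
}

printf("own text:   [%s]\n", ownText($title));
printf("children:   %s\n", implode(', ', childWords($title)));
list($first, $last) = firstAndLastChild($title, 'b');
printf("first/last: %s / %s\n", $first, $last);
printf("full text:  %s\n", fullText($title));
```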
Re: [PHP] speaking of control structures...
On Wed, 2009-05-06 at 15:50 -0500, Shawn McKenzie wrote:
> Marcus Gnaß wrote:
>> Robert Cummings wrote:
>>> On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
>>>> Tom Worster wrote:
>>>>> there's a control structure i wish php had: a simple block that you can
>>>>> break out of, e.g.
>>>>
>>>> As Maarten pointed out you could use a function. Another alternative is
>>>> to use Exceptions which might be the most proper way to do it.
>>>
>>> That seems like an abuse of exceptions. But then we're already abusing
>>> loops. I just don't think one could say it's the proper way to do it :)
>>>
>>> Cheers,
>>> Rob.
>>
>> Why do you think it's an abuse of exceptions? If I have a block of code
>> which I expect to run from the beginning to the end and I discover a
>> situation where it's not appropriate to continue this block of code I is
>> what I would call an exception. Exceptions don't have to be errors or
>> such. It's just a special situation ...
>>
>> Marcus
>
> In the corner to my right, wearing black trunks, with orange and yellow
> trim, Marcus Gnaß...
> In the corner to my left, wearing pink trunks, trimmed in pink, Robert
> Cummings...
>
> DING!

Is that your fantasy Shawn? Me in a boxing ring in pink trim?? *shudder* ;)

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] speaking of control structures...
On Wed, 2009-05-06 at 22:23 +0200, Marcus Gnaß wrote:
> Robert Cummings wrote:
>> On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
>>> Tom Worster wrote:
>>>> there's a control structure i wish php had: a simple block that you can
>>>> break out of, e.g.
>>>
>>> As Maarten pointed out you could use a function. Another alternative is
>>> to use Exceptions which might be the most proper way to do it.
>>
>> That seems like an abuse of exceptions. But then we're already abusing
>> loops. I just don't think one could say it's the proper way to do it :)
>>
>> Cheers,
>> Rob.
>
> Why do you think it's an abuse of exceptions? If I have a block of code
> which I expect to run from the beginning to the end and I discover a
> situation where it's not appropriate to continue this block of code I is
> what I would call an exception. Exceptions don't have to be errors or
> such. It's just a special situation ...

While exceptions can certainly be used in this context and in a valid manner, there's a fine line between an exception and a condition. The OP was processing code that didn't appear exceptional, he was merely managing flow control of the logic. This is a condition, not an exception.

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] speaking of control structures...
Marcus Gnaß wrote:
> Robert Cummings wrote:
>> On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
>>> Tom Worster wrote:
>>>> there's a control structure i wish php had: a simple block that you can
>>>> break out of, e.g.
>>>
>>> As Maarten pointed out you could use a function. Another alternative is
>>> to use Exceptions which might be the most proper way to do it.
>>
>> That seems like an abuse of exceptions. But then we're already abusing
>> loops. I just don't think one could say it's the proper way to do it :)
>>
>> Cheers,
>> Rob.
>
> Why do you think it's an abuse of exceptions? If I have a block of code
> which I expect to run from the beginning to the end and I discover a
> situation where it's not appropriate to continue this block of code I is
> what I would call an exception. Exceptions don't have to be errors or
> such. It's just a special situation ...
>
> Marcus

In the corner to my right, wearing black trunks, with orange and yellow trim, Marcus Gnaß...
In the corner to my left, wearing pink trunks, trimmed in pink, Robert Cummings...

DING!

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Re: SQL Injection - Solution
Andrew Ballard wrote:
> On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie wrote:
>> Igor Escobar wrote:
>>> Yeah yeah, I understood that, but the point is... I said previously, my
>>> function is not tied to any database.
>>>
>>> It is a generic function, I don't know who will use this, so I don't know what is
>>> your database, so I can't use functions like mysql_real_escape_string etc...
>>
>> Then the best you can do is replace mysql_real_escape_string() with
>> addslashes() or possibly addcslashes() and build your own list.
>
> You can't just use addslashes() or addcslashes(). You have to know
> what database you are using because the escape sequences are
> different. In MySQL, single quote characters are escaped by a
> backslash. In SQL Server, they are escaped by doubling them.
>
> There are a lot of libraries available that already do this. If
> someone wants to write yet another one, it would probably be
> worthwhile to dissect some of those existing libraries to see how they
> handle work under the hood.
>
> Andrew

Good points. I haven't had much experience with any DB other than mysql or sqlite. Without knowing the DB, you'll either need to use one of these libraries or convert the chars to something else like html entities.

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] speaking of control structures...
Robert Cummings wrote:
> On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
>> Tom Worster wrote:
>>> there's a control structure i wish php had: a simple block that you can
>>> break out of, e.g.
>>
>> As Maarten pointed out you could use a function. Another alternative is
>> to use Exceptions which might be the most proper way to do it.
>
> That seems like an abuse of exceptions. But then we're already abusing
> loops. I just don't think one could say it's the proper way to do it :)
>
> Cheers,
> Rob.

Why do you think it's an abuse of exceptions? If I have a block of code which I expect to run from the beginning to the end and I discover a situation where it's not appropriate to continue this block of code I is what I would call an exception. Exceptions don't have to be errors or such. It's just a special situation ...

Marcus
[PHP] Re: speaking of control structures...
Tom Worster wrote:
> there's a control structure i wish php had: a simple block that you can
> break out of, e.g.
>
>     block {
>         if ( condition ) break;
>         blah...
>         blah...
>         if ( another condition ) break;
>         blah...
>         blah...
>         etc...
>     }
>
> the block is just like a loop except that it is executed once only.
>
> this would be a handy structure for writing input validation code. the
> blah blah fragments can be used for opening files, talking to the db,
> manipulating strings, processing dates and times, etc., the conditions
> for testing if the input is unacceptable.
>
> i'm sure many of the programmers here do this kind of thing routinely
> and have their own habits and solutions. i'd be curious what they are.
> please let us know!
>
> i guess i ought to go first. it's fugly but it works:
>
>     $once = true;
>     while ( $once ) {
>         $once = false;
>         stuff using break where needed ...
>     }
>
> tom

Here's the way I handle validating user form inputs. Each function validates several things and throws an error with the message stating what's wrong.

    try {
        checkEmailAddr($userSubmitedDataArray[EMAIL_ADDR_FIELD]);
        checkPhoneDigits($userSubmitedDataArray[PHONE_NUM_FIELD], 'phone');
        checkNotes($userSubmitedDataArray, $sizesArray);
        if(!empty($userSubmitedDataArray[CELLPHONE_NUM_FIELD])) {
            checkPhoneDigits($userSubmitedDataArray[CELLPHONE_NUM_FIELD], 'cell');
            checkCellCarrier($userSubmitedDataArray['carrier']);
        }
    } catch (Exception $e) {
        $userErrorMsg = $e->getMessage(); //Message text in check function
    }

A typical function looks like this:

    function checkEmailAddr($emailAddr) {
        if(empty($emailAddr)) {
            throw new Exception("No email address provided");
        }
        if(!preg_match("%...@%", $emailAddr)) {
            throw new Exception("Email address missing mailbox name.");
        }
        if(!filter_var($emailAddr, FILTER_VALIDATE_EMAIL)) {
            throw new Exception("Email address error. Syntax is wrong. ");
        }
        $domain = substr(strchr($emailAddr, '@'), 1);
        if(!checkdnsrr($domain)) {
            throw new Exception("Email address warning. Specified domain \"$domain\" appears to be invalid. Check carefully.");
        }
        return true;
    }
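An added side-by-side of the two styles discussed in this thread (not code from any of the posts): the "block you can break out of" spelled as PHP's do { ... } while (false) idiom, which is the tidier form of the $once loop above, beside the exception-based validation from the reply. The field names, limits and the submitted values are constructed for the example.

```php
<?php
// Added example, not code from the thread. The form fields, their names and
// the limits are constructed here; the point is the control structure.
$submitted = array(
    'email' => 'reader@example.com',
    'phone' => '555-0100',              // only 7 digits, so this check fails
    'notes' => 'Call after 6pm.',
);

// Style 1: the "block you can break out of", as do { ... } while (false).
// The body runs exactly once and `break` leaves it at the first failed
// check, which is what the $once = true; while ($once) loop emulates.
function validateWithBlock(array $in)
{
    $error = null;
    do {
        if (!filter_var($in['email'], FILTER_VALIDATE_EMAIL)) {
            $error = 'Email address error. Syntax is wrong.';
            break;
        }
        if (strlen(preg_replace('/\D/', '', $in['phone'])) < 10) {
            $error = 'Phone number needs at least 10 digits.';
            break;
        }
        if (strlen($in['notes']) > 255) {
            $error = 'Notes are limited to 255 characters.';
            break;
        }
        // further checks go here; falling out of the block means success
    } while (false);
    return $error;                      // null when every check passed
}

// Style 2: the exception approach. Each check throws on failure and the
// try block stops at the first throw, so the effect is the same.
function requireEmail($email)
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        throw new Exception('Email address error. Syntax is wrong.');
    }
}
function requirePhoneDigits($phone)
{
    if (strlen(preg_replace('/\D/', '', $phone)) < 10) {
        throw new Exception('Phone number needs at least 10 digits.');
    }
}
function requireNotesLength($notes)
{
    if (strlen($notes) > 255) {
        throw new Exception('Notes are limited to 255 characters.');
    }
}
function validateWithExceptions(array $in)
{
    try {
        requireEmail($in['email']);
        requirePhoneDigits($in['phone']);
        requireNotesLength($in['notes']);
    } catch (Exception $e) {
        return $e->getMessage();
    }
    return null;
}

// Both styles stop at the same check and report the same message.
var_dump(validateWithBlock($submitted) === validateWithExceptions($submitted));
echo validateWithBlock($submitted), "\n";
```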
Re: [PHP] Re: SQL Injection - Solution
On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie wrote:
> Igor Escobar wrote:
>> Yeah yeah, I understood that, but the point is... I said previously, my
>> function is not tied to any database.
>>
>> It is a generic function, I don't know who will use this, so I don't know what is
>> your database, so I can't use functions like mysql_real_escape_string etc...
>
> Then the best you can do is replace mysql_real_escape_string() with
> addslashes() or possibly addcslashes() and build your own list.
>

You can't just use addslashes() or addcslashes(). You have to know what database you are using because the escape sequences are different. In MySQL, single quote characters are escaped by a backslash. In SQL Server, they are escaped by doubling them.

There are a lot of libraries available that already do this. If someone wants to write yet another one, it would probably be worthwhile to dissect some of those existing libraries to see how they handle work under the hood.

Andrew
Re: [PHP] Re: SQL Injection - Solution
Please reply all.

> Do you test with associative arrays?
>

Yes.

    Array
    (
        [test] => some stuff \"here\"
        [test_array] => Array
            (
                [a] => a\"a
                [0] => b\'b
                [c] => Array
                    (
                        [x] => x\"x
                        [0] => y\'y
                        [1] => z
                    )
            )
    )

Thanks!
-Shawn
Re: [PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> Yeah yeah, I understood that, but the point is... I said previously, my
> function is not tied to any database.
>
> It is a generic function, I don't know who will use this, so I don't know what is
> your database, so I can't use functions like mysql_real_escape_string etc...

Then the best you can do is replace mysql_real_escape_string() with addslashes() or possibly addcslashes() and build your own list.

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> hun...by the way I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...

Yes, but you can reuse your function even if you start accepting english posts/comments, etc. You don't want this function to be specific to your app or data because it isn't extensible or portable. Also, I suspect that there are some words in portuguese that "contain" "or", which would be removed.

> That is a recursive function and I can use array_map because in some cases we
> obtain arrays of arrays and that will generate an error.
>

Yes, it is recursive, so that it works on arrays of arrays :-) No error that I have seen.

    $_GET = array(
        'test' => 'some stuff "here"',
        'test_array' => array('a"a', 'b`b', array('x"x', 'y`y', 'z'))
    );
    print_r(_antiSqlInjection($_GET));

    Array
    (
        [test] => some stuff \"here\"
        [test_array] => Array
            (
                [0] => a\"a
                [1] => b\'b
                [2] => Array
                    (
                        [0] => x\"x
                        [1] => y\'y
                        [2] => z
                    )
            )
    )

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Re: SQL Injection - Solution
Yeah yeah, I understood that, but the point is... I said previously, my function is not tied to any database.

It is a generic function, I don't know who will use this, so I don't know what is your database, so I can't use functions like mysql_real_escape_string etc...

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--
Personal Blog ~ blog.igorescobar.com
Online Portfolio ~ www.igorescobar.com
Twitter ~ @igorescobar

On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo wrote:
> 2009/5/6 Igor Escobar :
>> hun...by the way I forgot to mention, I am Brazilian and here in Brazil
>> these words are not common ...
>
> Igor,
>
> I'm brazilian too, but that is not the point. Deny the use of *any*
> word as input in your app is unnecessary. The problem that you're
> trying to solve, has been solved a long time ago.
>
> Bruno.
>
>> That is a recursive function and I can use array_map because in some cases
>> we obtain arrays of arrays and that will generate an error.
>>
>> Regards,
>> Igor Escobar
>> Systems Analyst & Interface Designer
>>
>> --
>> Personal Blog ~ blog.igorescobar.com
>> Online Portfolio ~ www.igorescobar.com
>> Twitter ~ @igorescobar
>>
>> On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie wrote:
>>> Igor Escobar wrote:
>>>> Hunnn...
>>>>
>>>> So, what do you think now?
>>>>
>>>> function _antiSqlInjection($Target){
>>>>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>>>>     $arraSanitized = array();
>>>>     foreach($Target as $key => $value):
>>>>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>>>>         else:
>>>>             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes(str_ireplace($sanitizeRules, "", trim($value))) : str_ireplace($sanitizeRules, "", trim($value));
>>>>         endif;
>>>>     endforeach;
>>>>     return $arraSanitized;
>>>> }
>>>>
>>> Stay on list please. I don't like the ternary or the brace omissions
>>> (alternate syntax) :-) however
>>>
>>> My point was that in my opinion you don't need the replace at all.
>>> Also, do you really want to strip all 'or', * and = from all fields?
>>> These may be perfectly valid in your app. Or is a very, very common
>>> word, so is from and come to think of it, where, select, insert and
>>> delete.
>>>
>>> For any of the SQL injections to work in your query, there will need to
>>> be quotes or the backtick ` in the user supplied content. The quotes
>>> are escaped by mysql_real_escape_string().
>>>
>>> I don't see any way for a SQL injection without the user input
>>> containing quotes or the backtick to break out of your query or
>>> prematurely terminate an expression. Some examples here, however they
>>> don't mention the backtick:
>>> http://us2.php.net/manual/en/security.database.sql-injection.php
>>>
>>> This might be more useful:
>>>
>>> function _antiSqlInjection($Target)
>>> {
>>>     if(is_array($Target)) {
>>>         $Value = array_map('_antiSqlInjection', $Target);
>>>     } else {
>>>         if(get_magic_quotes_gpc()) {
>>>             $Target = stripslashes($Target);
>>>         }
>>>         // replace backtick with single quote or whatever
>>>         $Target = str_replace("`", "'", $Target);
>>>         $Value = mysql_real_escape_string($Target);
>>>     }
>>>     return $Value;
>>> }
>>>
>>> Thanks!
>>> -Shawn
>>>
>>
>
Re: [PHP] Re: SQL Injection - Solution
2009/5/6 Igor Escobar :
> hun...by the way I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...

Igor,

I'm brazilian too, but that is not the point. Deny the use of *any* word as input in your app is unnecessary. The problem that you're trying to solve, has been solved a long time ago.

Bruno.

> That is a recursive function and I can use array_map because in some cases we
> obtain arrays of arrays and that will generate an error.
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
> Personal Blog ~ blog.igorescobar.com
> Online Portfolio ~ www.igorescobar.com
> Twitter ~ @igorescobar
>
> On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie wrote:
>> Igor Escobar wrote:
>>> Hunnn...
>>>
>>> So, what do you think now?
>>>
>>> function _antiSqlInjection($Target){
>>>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>>>     $arraSanitized = array();
>>>     foreach($Target as $key => $value):
>>>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>>>         else:
>>>             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes(str_ireplace($sanitizeRules, "", trim($value))) : str_ireplace($sanitizeRules, "", trim($value));
>>>         endif;
>>>     endforeach;
>>>     return $arraSanitized;
>>> }
>>>
>> Stay on list please. I don't like the ternary or the brace omissions
>> (alternate syntax) :-) however
>>
>> My point was that in my opinion you don't need the replace at all.
>> Also, do you really want to strip all 'or', * and = from all fields?
>> These may be perfectly valid in your app. Or is a very, very common
>> word, so is from and come to think of it, where, select, insert and delete.
>>
>> For any of the SQL injections to work in your query, there will need to
>> be quotes or the backtick ` in the user supplied content. The quotes
>> are escaped by mysql_real_escape_string().
>>
>> I don't see any way for a SQL injection without the user input
>> containing quotes or the backtick to break out of your query or
>> prematurely terminate an expression. Some examples here, however they
>> don't mention the backtick:
>> http://us2.php.net/manual/en/security.database.sql-injection.php
>>
>> This might be more useful:
>>
>> function _antiSqlInjection($Target)
>> {
>>     if(is_array($Target)) {
>>         $Value = array_map('_antiSqlInjection', $Target);
>>     } else {
>>         if(get_magic_quotes_gpc()) {
>>             $Target = stripslashes($Target);
>>         }
>>         // replace backtick with single quote or whatever
>>         $Target = str_replace("`", "'", $Target);
>>         $Value = mysql_real_escape_string($Target);
>>     }
>>     return $Value;
>> }
>>
>> Thanks!
>> -Shawn
>>
>
Re: [PHP] Re: SQL Injection - Solution
Now I realize... I sent only to Shawn the modified function... here goes:

    function _antiSqlInjection($Target){
        $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
        $arraSanitized = array();
        foreach($Target as $key => $value):
            if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
            else:
                $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes(str_ireplace($sanitizeRules, "", trim($value))) : str_ireplace($sanitizeRules, "", trim($value));
            endif;
        endforeach;
        return $arraSanitized;
    }

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--
Personal Blog ~ blog.igorescobar.com
Online Portfolio ~ www.igorescobar.com
Twitter ~ @igorescobar

On Wed, May 6, 2009 at 2:55 PM, Igor Escobar wrote:
> hun...by the way I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...
>
> That is a recursive function and I can use array_map because in some cases
> we obtain arrays of arrays and that will generate an error.
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
> Personal Blog ~ blog.igorescobar.com
> Online Portfolio ~ www.igorescobar.com
> Twitter ~ @igorescobar
>
> On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie wrote:
>> Igor Escobar wrote:
>>> Hunnn...
>>>
>>> So, what do you think now?
>>>
>>> function _antiSqlInjection($Target){
>>>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>>>     $arraSanitized = array();
>>>     foreach($Target as $key => $value):
>>>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>>>         else:
>>>             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes(str_ireplace($sanitizeRules, "", trim($value))) : str_ireplace($sanitizeRules, "", trim($value));
>>>         endif;
>>>     endforeach;
>>>     return $arraSanitized;
>>> }
>>>
>> Stay on list please. I don't like the ternary or the brace omissions
>> (alternate syntax) :-) however
>>
>> My point was that in my opinion you don't need the replace at all.
>> Also, do you really want to strip all 'or', * and = from all fields?
>> These may be perfectly valid in your app. Or is a very, very common
>> word, so is from and come to think of it, where, select, insert and
>> delete.
>>
>> For any of the SQL injections to work in your query, there will need to
>> be quotes or the backtick ` in the user supplied content. The quotes
>> are escaped by mysql_real_escape_string().
>>
>> I don't see any way for a SQL injection without the user input
>> containing quotes or the backtick to break out of your query or
>> prematurely terminate an expression. Some examples here, however they
>> don't mention the backtick:
>> http://us2.php.net/manual/en/security.database.sql-injection.php
>>
>> This might be more useful:
>>
>> function _antiSqlInjection($Target)
>> {
>>     if(is_array($Target)) {
>>         $Value = array_map('_antiSqlInjection', $Target);
>>     } else {
>>         if(get_magic_quotes_gpc()) {
>>             $Target = stripslashes($Target);
>>         }
>>         // replace backtick with single quote or whatever
>>         $Target = str_replace("`", "'", $Target);
>>         $Value = mysql_real_escape_string($Target);
>>     }
>>     return $Value;
>> }
>>
>> Thanks!
>> -Shawn
>>
>
Re: [PHP] Re: SQL Injection - Solution
hun...by the way I forgot to mention, I am Brazilian and here in Brazil these words are not common ...

That is a recursive function and I can use array_map because in some cases we obtain arrays of arrays and that will generate an error.

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--
Personal Blog ~ blog.igorescobar.com
Online Portfolio ~ www.igorescobar.com
Twitter ~ @igorescobar

On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie wrote:
> Igor Escobar wrote:
>> Hunnn...
>>
>> So, what do you think now?
>>
>> function _antiSqlInjection($Target){
>>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>>     $arraSanitized = array();
>>     foreach($Target as $key => $value):
>>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>>         else:
>>             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes(str_ireplace($sanitizeRules, "", trim($value))) : str_ireplace($sanitizeRules, "", trim($value));
>>         endif;
>>     endforeach;
>>     return $arraSanitized;
>> }
>>
> Stay on list please. I don't like the ternary or the brace omissions
> (alternate syntax) :-) however
>
> My point was that in my opinion you don't need the replace at all.
> Also, do you really want to strip all 'or', * and = from all fields?
> These may be perfectly valid in your app. Or is a very, very common
> word, so is from and come to think of it, where, select, insert and delete.
>
> For any of the SQL injections to work in your query, there will need to
> be quotes or the backtick ` in the user supplied content. The quotes
> are escaped by mysql_real_escape_string().
>
> I don't see any way for a SQL injection without the user input
> containing quotes or the backtick to break out of your query or
> prematurely terminate an expression. Some examples here, however they
> don't mention the backtick:
> http://us2.php.net/manual/en/security.database.sql-injection.php
>
> This might be more useful:
>
> function _antiSqlInjection($Target)
> {
>     if(is_array($Target)) {
>         $Value = array_map('_antiSqlInjection', $Target);
>     } else {
>         if(get_magic_quotes_gpc()) {
>             $Target = stripslashes($Target);
>         }
>         // replace backtick with single quote or whatever
>         $Target = str_replace("`", "'", $Target);
>         $Value = mysql_real_escape_string($Target);
>     }
>     return $Value;
> }
>
> Thanks!
> -Shawn
>
Re: [PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> Hunnn...
>
> So, what do you think now?
>
> function _antiSqlInjection($Target){
>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>     foreach($Target as $key => $value):
>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>         else:
>             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes(str_ireplace($sanitizeRules,"",trim($value))) : str_ireplace($sanitizeRules,"",trim($value));
>         endif;
>     endforeach;
>     return $arraSanitized;
> }

Stay on list please. I don't like the ternary or the brace omissions (alternate syntax) :-) however

My point was that in my opinion you don't need the replace at all. Also, do you really want to strip all 'or', * and = from all fields? These may be perfectly valid in your app. Or is a very, very common word, so is from and come to think of it, where, select, insert and delete.

For any of the SQL injections to work in your query, there will need to be quotes or the backtick ` in the user supplied content. The quotes are escaped by mysql_real_escape_string().

I don't see any way for a SQL injection without the user input containing quotes or the backtick to break out of your query or prematurely terminate an expression. Some examples here, however they don't mention the backtick:
http://us2.php.net/manual/en/security.database.sql-injection.php

This might be more useful:

function _antiSqlInjection($Target)
{
    if(is_array($Target)) {
        $Value = array_map('_antiSqlInjection', $Target);
    } else {
        if(get_magic_quotes_gpc()) {
            $Target = stripslashes($Target);
        }
        // replace backtick with single quote or whatever
        $Target = str_replace("`", "'", $Target);
        $Value = mysql_real_escape_string($Target);
    }
    return $Value;
}

Thanks!
-Shawn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SQL Injection - Solution
mysql_escape_string can be used instead. You just lose the ability to have it match collation. I still think there should be the mysql_escape_string or real one and allow it to pass the collation without a database handle -or- just make a unicode/utf8 one and be done with it.

On May 6, 2009, at 9:40 AM, Igor Escobar wrote:

> I know that using mysql_real_escape_string to do the job is better, but you should consider that this function doesn't have any access to the database; the objective of this function is to sanitize the string. And please, see my second answer, I made some updates to the function that are possibly relevant.
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
> Personal Blog ~ blog.igorescobar.com
> Online Portfolio ~ www.igorescobar.com
> Twitter ~ @igorescobar
>
> On Wed, May 6, 2009 at 1:14 PM, Andrew Ballard wrote:
> > On Wed, May 6, 2009 at 12:06 PM, Bruno Fajardo wrote:
> > > Hi there!
> > >
> > > 2009/5/6 Igor Escobar
> > > > Hi folks,
> > > > Does someone know how I can improve this function to protect my environment vars from SQL injection attacks?
> > > >
> > > > That is the function I use to do this, but some people think it is not enough:
> > > >
> > > > /**
> > > >  * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
> > > >  * @uses $_POST = _antiSqlInjection($_POST);
> > > >  * @uses $_GET = _antiSqlInjection($_GET);
> > > >  *
> > > >  * @author Igor Escobar
> > > >  * @email blog [at] igorescobar [dot] com
> > > >  *
> > > >  */
> > > > function _antiSqlInjection($Target){
> > > >     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
> > > >     foreach($Target as $key => $value):
> > > >         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
> > > >         else:
> > > >             $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
> > > >         endif;
> > > >     endforeach;
> > > >     return $arraSanitized;
> > > > }
> > > >
> > > > Can you help me to improve it?
> > >
> > > What if someone posts, in any form of your app, a message containing "or", "from" or "where"? Those are very common words, and eliminating them is not the best solution, IMO.
> > >
> > > Use mysql_real_escape_string() like Shawn said, possibly something like this would do the trick (from http://br2.php.net/manual/en/function.mysql-query.php):
> > >
> > > $query = sprintf("SELECT firstname, lastname, address, age FROM friends WHERE firstname='%s' AND lastname='%s'",
> > >     mysql_real_escape_string($firstname),
> > >     mysql_real_escape_string($lastname));
> > >
> > > Cheers,
> > > Bruno.
> >
> > +1
> >
> > I would stick with parameterized queries if available, or just use mysql_real_escape_string() for these and a few more reasons:
> >
> > 1) You'll find lots of posts in the archives explaining why mysql_real_escape_string() is preferred over addslashes() for this purpose.
> >
> > 2) strip_tags has absolutely nothing to do with SQL injection. Neither does trim(). There are cases where you would not want to use either of those functions on input, but you would still need to guard against injection.
> >
> > 3) DROP TABLE will work no matter how many white-space characters appeared between the words. For that matter, I am pretty sure that 'DROP /* some bogus SQL comment to make it past your filter */ TABLE' will work also.
> >
> > Andrew
Re: [PHP] SQL Injection - Solution
I know that using mysql_real_escape_string to do the job is better, but you should consider that this function doesn't have any access to the database; the objective of this function is to sanitize the string. And please, see my second answer, I made some updates to the function that are possibly relevant.

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--
Personal Blog ~ blog.igorescobar.com
Online Portfolio ~ www.igorescobar.com
Twitter ~ @igorescobar

On Wed, May 6, 2009 at 1:14 PM, Andrew Ballard wrote:
> On Wed, May 6, 2009 at 12:06 PM, Bruno Fajardo wrote:
> > Hi there!
> >
> > 2009/5/6 Igor Escobar
> >> Hi folks,
> >> Does someone know how I can improve this function to protect my environment vars from SQL injection attacks?
> >>
> >> That is the function I use to do this, but some people think it is not enough:
> >>
> >> /**
> >>  * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
> >>  * @uses $_POST = _antiSqlInjection($_POST);
> >>  * @uses $_GET = _antiSqlInjection($_GET);
> >>  *
> >>  * @author Igor Escobar
> >>  * @email blog [at] igorescobar [dot] com
> >>  *
> >>  */
> >> function _antiSqlInjection($Target){
> >>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
> >>     foreach($Target as $key => $value):
> >>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
> >>         else:
> >>             $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
> >>         endif;
> >>     endforeach;
> >>     return $arraSanitized;
> >> }
> >>
> >> Can you help me to improve it?
> >
> > What if someone posts, in any form of your app, a message containing "or", "from" or "where"? Those are very common words, and eliminating them is not the best solution, IMO.
> >
> > Use mysql_real_escape_string() like Shawn said, possibly something like this would do the trick (from http://br2.php.net/manual/en/function.mysql-query.php):
> >
> > $query = sprintf("SELECT firstname, lastname, address, age FROM friends WHERE firstname='%s' AND lastname='%s'",
> >     mysql_real_escape_string($firstname),
> >     mysql_real_escape_string($lastname));
> >
> > Cheers,
> > Bruno.
>
> +1
>
> I would stick with parameterized queries if available, or just use mysql_real_escape_string() for these and a few more reasons:
>
> 1) You'll find lots of posts in the archives explaining why mysql_real_escape_string() is preferred over addslashes() for this purpose.
>
> 2) strip_tags has absolutely nothing to do with SQL injection. Neither does trim(). There are cases where you would not want to use either of those functions on input, but you would still need to guard against injection.
>
> 3) DROP TABLE will work no matter how many white-space characters appeared between the words. For that matter, I am pretty sure that 'DROP /* some bogus SQL comment to make it past your filter */ TABLE' will work also.
>
> Andrew
Re: [PHP] SQL Injection - Solution
On Wed, May 6, 2009 at 12:06 PM, Bruno Fajardo wrote:
> Hi there!
>
> 2009/5/6 Igor Escobar
>> Hi folks,
>> Does someone know how I can improve this function to protect my environment vars from SQL injection attacks?
>>
>> That is the function I use to do this, but some people think it is not enough:
>>
>> /**
>>  * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
>>  * @uses $_POST = _antiSqlInjection($_POST);
>>  * @uses $_GET = _antiSqlInjection($_GET);
>>  *
>>  * @author Igor Escobar
>>  * @email blog [at] igorescobar [dot] com
>>  *
>>  */
>> function _antiSqlInjection($Target){
>>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>>     foreach($Target as $key => $value):
>>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>>         else:
>>             $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
>>         endif;
>>     endforeach;
>>     return $arraSanitized;
>> }
>>
>> Can you help me to improve it?
>
> What if someone posts, in any form of your app, a message containing "or", "from" or "where"? Those are very common words, and eliminating them is not the best solution, IMO.
>
> Use mysql_real_escape_string() like Shawn said, possibly something like this would do the trick (from http://br2.php.net/manual/en/function.mysql-query.php):
>
> $query = sprintf("SELECT firstname, lastname, address, age FROM friends WHERE firstname='%s' AND lastname='%s'",
>     mysql_real_escape_string($firstname),
>     mysql_real_escape_string($lastname));
>
> Cheers,
> Bruno.

+1

I would stick with parameterized queries if available, or just use mysql_real_escape_string() for these and a few more reasons:

1) You'll find lots of posts in the archives explaining why mysql_real_escape_string() is preferred over addslashes() for this purpose.

2) strip_tags has absolutely nothing to do with SQL injection. Neither does trim(). There are cases where you would not want to use either of those functions on input, but you would still need to guard against injection.

3) DROP TABLE will work no matter how many white-space characters appeared between the words. For that matter, I am pretty sure that 'DROP /* some bogus SQL comment to make it past your filter */ TABLE' will work also.

Andrew
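The contrast Andrew, Bruno and Shawn draw above, as an added example that is not code from the thread: the keyword-stripping filter reduced to one string, next to a parameterized query and a driver-escaped query. It uses PDO on an in-memory SQLite database (it assumes the pdo_sqlite extension is loaded) so it runs without a MySQL server; the friends table and its rows are constructed sample data, and PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection.

```php
<?php
// Added example, not from the mailing-list thread. Assumes pdo_sqlite.

// The blacklist idea from the thread, reduced to a single string value.
function stripKeywords($value)
{
    $rules = array('OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
                   'DROP TABLE', 'SHOW TABLES', '*', '--', '=');
    return str_ireplace($rules, '', trim($value));
}

// Constructed sample table; no real data.
function buildFriendsDb()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE friends (
        id INTEGER PRIMARY KEY,
        firstname TEXT NOT NULL,
        lastname TEXT NOT NULL,
        address TEXT,
        age INTEGER)');
    $insert = $pdo->prepare(
        'INSERT INTO friends (firstname, lastname, address, age) VALUES (?, ?, ?, ?)');
    // A last name with an apostrophe and one that contains the letters "or".
    $insert->execute(array('Bruno', "O'Brien", 'Rua A, 1', 31));
    $insert->execute(array('Igor', 'Orr', 'Rua B, 2', 28));
    return $pdo;
}

// Parameterized lookup: values travel separately from the SQL text, so a
// quote, backtick or keyword inside the data cannot change the statement.
function findFriend(PDO $pdo, $firstname, $lastname)
{
    $stmt = $pdo->prepare(
        'SELECT firstname, lastname, address, age FROM friends
         WHERE firstname = :first AND lastname = :last');
    $stmt->execute(array(':first' => $firstname, ':last' => $lastname));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping fallback, the PDO counterpart of the sprintf() plus
// mysql_real_escape_string() pattern quoted from the manual above.
// PDO::quote() adds the surrounding quotes itself, hence a bare %s.
function findFriendEscaped(PDO $pdo, $firstname, $lastname)
{
    $sql = sprintf(
        'SELECT firstname, lastname, address, age FROM friends WHERE firstname=%s AND lastname=%s',
        $pdo->quote($firstname), $pdo->quote($lastname));
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = buildFriendsDb();

// The filter rewrites a legitimate name while leaving the apostrophe,
// the character that actually matters for the query, untouched.
var_dump(stripKeywords('Orr'));
var_dump(stripKeywords("O'Brien"));

// Both safe lookups find the row whose last name contains a quote.
var_dump(count(findFriend($pdo, 'Bruno', "O'Brien")));
var_dump(count(findFriendEscaped($pdo, 'Bruno', "O'Brien")));

// After keyword stripping the real row for "Orr" can no longer be matched.
var_dump(count(findFriend($pdo, 'Igor', stripKeywords('Orr'))));
```

Run it with `php example.php`. The point it makes is Shawn's and Andrew's: the blacklist damages ordinary data (here a surname) without addressing the quote that could break out of the string literal, whereas a prepared statement or driver escaping handles the quote and leaves the data intact.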
Re: [PHP] SQL Injection - Solution
Hi there!

2009/5/6 Igor Escobar
> Hi folks,
> Does someone know how I can improve this function to protect my environment vars from SQL injection attacks?
>
> That is the function I use to do this, but some people think it is not enough:
>
> /**
>  * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
>  * @uses $_POST = _antiSqlInjection($_POST);
>  * @uses $_GET = _antiSqlInjection($_GET);
>  *
>  * @author Igor Escobar
>  * @email blog [at] igorescobar [dot] com
>  *
>  */
> function _antiSqlInjection($Target){
>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>     foreach($Target as $key => $value):
>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>         else:
>             $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
>         endif;
>     endforeach;
>     return $arraSanitized;
> }
>
> Can you help me to improve it?

What if someone posts, in any form of your app, a message containing "or", "from" or "where"? Those are very common words, and eliminating them is not the best solution, IMO.

Use mysql_real_escape_string() like Shawn said, possibly something like this would do the trick (from http://br2.php.net/manual/en/function.mysql-query.php):

$query = sprintf("SELECT firstname, lastname, address, age FROM friends WHERE firstname='%s' AND lastname='%s'",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

Cheers,
Bruno.

> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
> Personal Blog ~ blog.igorescobar.com
> Online Portfolio ~ www.igorescobar.com
> Twitter ~ @igorescobar
[PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> Hi folks,
> Does someone know how I can improve this function to protect my environment vars from SQL injection attacks?
>
> That is the function I use to do this, but some people think it is not enough:
>
> /**
>  * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
>  * @uses $_POST = _antiSqlInjection($_POST);
>  * @uses $_GET = _antiSqlInjection($_GET);
>  *
>  * @author Igor Escobar
>  * @email blog [at] igorescobar [dot] com
>  *
>  */
> function _antiSqlInjection($Target){
>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>     foreach($Target as $key => $value):
>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>         else:
>             $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
>         endif;
>     endforeach;
>     return $arraSanitized;
> }
>
> Can you help me to improve it?

Just at first glance, if you're going to use this type of function you should at least use str_ireplace(). 'drop table' works just as well as 'DROP TABLE'.

Also, you might want to use mysql_real_escape_string() or similar for your DB (if you have a connection). Or you can skip the slash stuff until the actual query. This may negate the need for your replace, as quotes are normally needed to get the SQL commands to work in your query anyway.

Finally, if magic_quotes are on you'll end up with multiple slashes in your code as it is and if you changed the addslashes() to mysql_real_escape_string(). Normally this is good:

if(get_magic_quotes_gpc()) {
    $value = stripslashes($value);
}
$arraSanitized[$key] = mysql_real_escape_string($value);

I also think strip_tags() or htmlentities() belongs more in a display filter.

> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
> Personal Blog ~ blog.igorescobar.com
> Online Portfolio ~ www.igorescobar.com
> Twitter ~ @igorescobar

--
Thanks!
-Shawn
http://www.spidean.com
[PHP] SQL Injection - Solution
Hi folks,
Does someone know how I can improve this function to protect my environment vars from SQL injection attacks?

That is the function I use to do this, but some people think it is not enough:

/**
 * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
 * @uses $_POST = _antiSqlInjection($_POST);
 * @uses $_GET = _antiSqlInjection($_GET);
 *
 * @author Igor Escobar
 * @email blog [at] igorescobar [dot] com
 *
 */
function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    foreach($Target as $key => $value):
        if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
        else:
            $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
        endif;
    endforeach;
    return $arraSanitized;
}

Can you help me to improve it?

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--
Personal Blog ~ blog.igorescobar.com
Online Portfolio ~ www.igorescobar.com
Twitter ~ @igorescobar
Re: [PHP] speaking of control structures...
On 5/6/09 8:55 AM, "Per Jessen" wrote:

> Shawn McKenzie already posted the right solution - did you miss it?

no, per, i didn't. i like do {} while (0) very much. thanks, shawn!
Re: [PHP] speaking of control structures...
Tom Worster wrote:
> On 5/6/09 6:56 AM, "Marcus Gnaß" wrote:
>
>> Tom Worster wrote:
>>> there's a control structure i wish php had: a simple block that you
>>> can break out of, e.g.
>>
>> As Maarten pointed out you could use a function. Another alternative
>> is to use Exceptions which might be the most proper way to do it.
>
> in a thread off-list i commented on the use of a function. here's what
> i said:

Shawn McKenzie already posted the right solution - did you miss it?

/Per

--
Per Jessen, Zürich (19.6°C)
Re: [PHP] speaking of control structures...
On 5/5/09 8:55 PM, "Clancy" wrote:

> On Tue, 05 May 2009 14:13:23 -0400, rob...@interjinn.com (Robert Cummings) wrote:
>
>> On Tue, 2009-05-05 at 13:56 -0400, Tom Worster wrote:
>>> there's a control structure i wish php had: a simple block that you can
>>> ...
>
>> But PHP 5.3 introduces goto:
>>
>> header:
>>
>>     if( $something ) ...
>>
>>     goto body;
>>
>> body:
>>
>>     if( $soemthingElse ) ...
>>     goto footer;
>>
>>     if( $seomthingerElse ) ...
>>
>>     goto footer;
>>
>> footer:
>>
>>     // blah blah blah
>>     goto done;
>>
>> done;
>
> I heartily agree. In my opinion 'break' is like a 'goto' without a label. As I used to tell my students "if I say 'break' the one thing I can be sure of is that you will all disappear. I had no idea where most of you go, or what you do, and I'm not even sure if I'll ever see some of you again."
>
> 'Goto' makes it possible to set up the more complex control sequences you sometimes need, yet have them clearly defined. For example:
>
> begin: ...
>     if ( ... ) { goto error; }
>     ...
>     if ( ) { goto footer; }
>     ...
>     goto body;
>
> repeat:
>     if ( ) { goto footer; }
>     ...
>     if ( ... ) { goto error; }
>
> body: .
>     if ($error) { goto error; }
>
>     if (!$error) { goto footer; }
> error:
>
> footer:
>     if ( ) { goto repeat; }
> ?>
>
> I find it very difficult to set up sequences like this using if/else if (or switches, but I don't like them anyway), and have to resort to setting flags and very careful indentation to make sure that I'm doing what I intended. Unfortunately my provider is still using PHP 4.something, and I have been too busy to switch to someone more up-to-date.

clancy, i can't argue with you. my desired usage of break is really just a cover-up for a goto. i know.

it makes no logical sense but i think i'd sooner adopt oop than gotos.

my mom taught me to program back in the late 70s and early 80s. she was an old hand. when FORTRAN 4 came out she thought it was the bees knees. when Z80 micros with MS-BASIC came out, she thought they were cute. when turbo pascal came out on CP/M, she was impressed and taught me to quit using gotos.

so while it makes no logical sense, perhaps you can see that it makes emotional sense.
Re: [PHP] speaking of control structures...
On Wed, 2009-05-06 at 08:43 -0400, Tom Worster wrote:
> On 5/6/09 6:56 AM, "Marcus Gnaß" wrote:
>
> > Tom Worster wrote:
> >> there's a control structure i wish php had: a simple block that you can
> >> break out of, e.g.
> >
> > As Maarten pointed out you could use a function. Another alternative is
> > to use Exceptions which might be the most proper way to do it.
>
> in a thread off-list i commented on the use of a function. here's what i
> said:
>
> yes, it's just like that. i could wrap a function around the logic. and
> sometimes i use that trick.
>
> the downside to that is access to globals. for many of my scripts there's a
> common pattern:
>
> 1 get set up.
> 2 process inputs, checking and preparing data for use 3 and 4 or aborting to
>   an error handler at the end of this section (which is what the breaks all
>   jump to) if there's a problem with the input.
> 3 do some work
> 4 prepare an output page
>
> in this scheme, it's convenient if 2, 3 and 4 all have access to the same
> namespace, so i don't usually use the function approach.

Then create a shared namespace...

$GLOBALS['myWhateverWorksNamespace']['varName'] = 'varValue';

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] speaking of control structures...
On Wed, 2009-05-06 at 08:41 -0400, Tom Worster wrote:
> On 5/6/09 7:05 AM, "Robert Cummings" wrote:
>
> > That seems like an abuse of exceptions. But then we're already abusing
> > loops. I just don't think one could say it's the proper way to do it :)
>
> i don't have a lot of interest in "the proper way" to do things. i'm
> interested in how other programmers actually do things.

I highly doubt they use exceptions.

> and i'm not even sure it's _possible_ to abuse a programming language.
> whatever works...

Then you haven't been programming long enough. "Whatever works" is an idiot's guide to programming... one where they remain an idiot.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] speaking of control structures...
On 5/6/09 6:56 AM, "Marcus Gnaß" wrote:

> Tom Worster wrote:
>> there's a control structure i wish php had: a simple block that you can
>> break out of, e.g.
>
> As Maarten pointed out you could use a function. Another alternative is
> to use Exceptions which might be the most proper way to do it.

in a thread off-list i commented on the use of a function. here's what i said:

yes, it's just like that. i could wrap a function around the logic. and sometimes i use that trick.

the downside to that is access to globals. for many of my scripts there's a common pattern:

1 get set up.
2 process inputs, checking and preparing data for use 3 and 4 or aborting to an error handler at the end of this section (which is what the breaks all jump to) if there's a problem with the input.
3 do some work
4 prepare an output page

in this scheme, it's convenient if 2, 3 and 4 all have access to the same namespace, so i don't usually use the function approach.
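The four-step pattern Tom describes, written with the do {} while (0) block that the thread settles on, as an added example that is not code from the thread. The input array, the validation rules and the variable names are constructed for the illustration; `$_GET` is replaced by a literal array so the script runs from the command line.

```php
<?php
// Added example, not from the mailing-list thread. Every "break" inside the
// block jumps to the error handler directly after it, and steps 2, 3 and 4
// all share the script's top-level variables, which is what Tom wanted.

// 1. get set up (constructed stand-in for $_GET)
$input  = array('name' => 'Igor', 'age' => '17');
$error  = null;
$output = '';

do {
    // 2. process inputs; abort to the handler below on any problem
    if (!isset($input['name']) || trim($input['name']) === '') {
        $error = 'name is required';
        break;
    }
    if (!isset($input['age']) || !ctype_digit($input['age'])) {
        $error = 'age must be a whole number';
        break;
    }
    $age = (int) $input['age'];
    if ($age < 18) {
        $error = 'must be 18 or older';
        break;
    }

    // 3. do some work, using the same variables as step 2
    $greeting = sprintf('Welcome, %s (%d)', trim($input['name']), $age);

    // 4. prepare an output page; escape before it reaches HTML
    $output = '<p>' . htmlspecialchars($greeting, ENT_QUOTES, 'UTF-8') . '</p>';
} while (0);

// the error handler that every break above jumps to
if ($error !== null) {
    $output = '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
}

echo $output, "\n";
```

With the constructed input the age check fails, so the block exits early and the error branch builds the page instead; change `'age'` to `'21'` to see the normal path. The `while (0)` guarantees a single pass, so unlike a real loop no `continue` or accidental re-entry is possible.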
Re: [PHP] How to deal with identical fields in db
tedd wrote:
> At 3:14 AM -0700 5/6/09, Michael A. Peters wrote:
>> Peter Ford wrote:
>>>
>>> tedd wrote: (and I added in some extra bits...)
>>> You need to normalize. Authors should have a unique id in an authors table. The authors table has all the specific information about authors, but not the books they have written. Books should have a unique id in a books table. The books table has all the specific information about books, but not the contributing authors.
>>>
>>> Like the ISBN, for example - that should be unique enough for anyone...
>>> I suppose if you deal in antique books, there might not be an ISBN.
>>
>> Unfortunately sometimes an otherwise identical but different printing of the same book has different ISBN numbers. Sometimes the difference is hardback vs softcover, special edition, or just a reprint.
>>
>> The L.O.C. catalog number may be better, AFAIK there is typically only one LOC number per edition of a book. It is a good idea to record both (if both exist) and use an internally assigned substitute number when one, the other, or both don't exist (small run self published works often don't have a LOC number for example, if the author didn't want to pay for it).
>
> But for a database, a book identifier would probably be best (differing opinions on this) if it was simply an auto_increment unsigned integer primary key. A key that is generated upon entry of a book record.
>
> Certainly one can argue that using a different unique key might provide more information and make the table require one less field, but if one uses a primary key, then the field can be searched faster than using an ISBN or L.O.C., which may be duplicated, amended, or not even present. My thinking on this is a unique identifier for the book should not be tied to any attribute of the book, which may change, but rather something completely detached and artificial.
>
> Cheers,
>
> tedd

tedd,

That is, in fairness, probably what I'd do too: I might have the ISBN or LOC number as a detail field in the book record, and have it available for look-ups, but the primary key would just be a sequence number generated automatically. Same with authors, just a sequence number for the key. (I am not a number, I am a free man...)

These things do not need to be visible to the user. Just an implementation detail, nothing to see here... :)

Cheers
Pete
--
Peter Ford                                  phone: 01580 89
Developer                                   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent
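The layout tedd, Michael and Peter converge on (generated surrogate keys, ISBN and LOC numbers as optional detail fields, a junction table for contributing authors), as an added example that is not code from the thread. It builds the schema with PDO on an in-memory SQLite database (it assumes the pdo_sqlite extension; MySQL would use AUTO_INCREMENT where SQLite uses AUTOINCREMENT); titles, names and numbers are constructed sample data.

```php
<?php
// Added example, not from the mailing-list thread. Assumes pdo_sqlite.

function buildLibrary()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('PRAGMA foreign_keys = ON');
    // Surrogate keys: nothing about the author or book is used as the key.
    $pdo->exec('CREATE TABLE authors (
        author_id INTEGER PRIMARY KEY AUTOINCREMENT,
        name      TEXT NOT NULL)');
    // isbn and loc_number are detail fields; both may be NULL (e.g. a
    // self-published work) and a reprint may carry a different ISBN.
    $pdo->exec('CREATE TABLE books (
        book_id    INTEGER PRIMARY KEY AUTOINCREMENT,
        title      TEXT NOT NULL,
        isbn       TEXT UNIQUE,
        loc_number TEXT)');
    // Junction table: one row per (book, contributing author) pair.
    $pdo->exec('CREATE TABLE book_authors (
        book_id   INTEGER NOT NULL REFERENCES books(book_id),
        author_id INTEGER NOT NULL REFERENCES authors(author_id),
        PRIMARY KEY (book_id, author_id))');
    return $pdo;
}

// Reuse an existing author row by name, otherwise create it; returns author_id.
function authorId(PDO $pdo, $name)
{
    $sel = $pdo->prepare('SELECT author_id FROM authors WHERE name = ?');
    $sel->execute(array($name));
    $id = $sel->fetchColumn();
    if ($id !== false) {
        return (int) $id;
    }
    $ins = $pdo->prepare('INSERT INTO authors (name) VALUES (?)');
    $ins->execute(array($name));
    return (int) $pdo->lastInsertId();
}

// Insert a book with any number of contributing authors; returns its book_id.
function addBook(PDO $pdo, $title, $isbn, $loc, array $authorNames)
{
    $ins = $pdo->prepare('INSERT INTO books (title, isbn, loc_number) VALUES (?, ?, ?)');
    $ins->execute(array($title, $isbn, $loc));
    $bookId = (int) $pdo->lastInsertId();
    $link = $pdo->prepare('INSERT INTO book_authors (book_id, author_id) VALUES (?, ?)');
    foreach ($authorNames as $name) {
        $link->execute(array($bookId, authorId($pdo, $name)));
    }
    return $bookId;
}

// Names of the authors of one book, resolved through the junction table.
function authorsOf(PDO $pdo, $bookId)
{
    $stmt = $pdo->prepare('SELECT a.name FROM authors a
        JOIN book_authors ba ON ba.author_id = a.author_id
        WHERE ba.book_id = ? ORDER BY a.name');
    $stmt->execute(array($bookId));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = buildLibrary();
// Constructed sample data: two printings of one title with different ISBNs
// but the same LOC number, and a self-published work with neither.
$hard = addBook($pdo, 'Example Title', '978-0-00-000000-1', 'LOC-0001', array('A. Author', 'B. Writer'));
$soft = addBook($pdo, 'Example Title', '978-0-00-000000-2', 'LOC-0001', array('A. Author', 'B. Writer'));
$zine = addBook($pdo, 'Self-Published Zine', null, null, array('A. Author'));

print_r(authorsOf($pdo, $hard));
print_r(authorsOf($pdo, $zine));
// The shared author exists once, regardless of how many books link to it.
var_dump($pdo->query('SELECT COUNT(*) FROM authors')->fetchColumn());
```

The user-facing identifiers (ISBN, LOC number) live in ordinary columns that can be indexed for look-ups, while every relationship is expressed through the generated integer keys, which never change when a book is reprinted or an author's name is corrected.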
Re: [PHP] speaking of control structures...
On 5/6/09 7:05 AM, "Robert Cummings" wrote:

> That seems like an abuse of exceptions. But then we're already abusing
> loops. I just don't think one could say it's the proper way to do it :)

i don't have a lot of interest in "the proper way" to do things. i'm interested in how other programmers actually do things.

and i'm not even sure it's _possible_ to abuse a programming language. whatever works...
Re: [PHP] How to deal with identical fields in db
At 3:14 AM -0700 5/6/09, Michael A. Peters wrote:
> Peter Ford wrote:
>> tedd wrote: (and I added in some extra bits...)
>> You need to normalize. Authors should have a unique id in an authors table. The authors table has all the specific information about authors, but not the books they have written. Books should have a unique id in a books table. The books table has all the specific information about books, but not the contributing authors.
>>
>> Like the ISBN, for example - that should be unique enough for anyone...
>> I suppose if you deal in antique books, there might not be an ISBN.
>
> Unfortunately sometimes an otherwise identical but different printing of the same book has different ISBN numbers. Sometimes the difference is hardback vs softcover, special edition, or just a reprint.
>
> The L.O.C. catalog number may be better, AFAIK there is typically only one LOC number per edition of a book. It is a good idea to record both (if both exist) and use an internally assigned substitute number when one, the other, or both don't exist (small run self published works often don't have a LOC number for example, if the author didn't want to pay for it).

But for a database, a book identifier would probably be best (differing opinions on this) if it was simply an auto_increment unsigned integer primary key. A key that is generated upon entry of a book record.

Certainly one can argue that using a different unique key might provide more information and make the table require one less field, but if one uses a primary key, then the field can be searched faster than using an ISBN or L.O.C., which may be duplicated, amended, or not even present. My thinking on this is a unique identifier for the book should not be tied to any attribute of the book, which may change, but rather something completely detached and artificial.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] elseif statements
>> He already found the problem and fixed it :) <<

Correction: His problem was pointed out to him and he was able to follow instructions he he.

I think I posted yesterday, but I had the double = in the script earlier, but it was giving inconsistent answers; however when I changed the = for == AND changed from calling the information from the $_COOKIE to the variable, it worked as I had hoped.

Again, thank you to all for helping.

Gary

"Robert Cummings" wrote in message news:1241606832.610.108.ca...@localhost...
> On Tue, 2009-05-05 at 22:31 -0700, Jim Lucas wrote:
>> Well, since nobody seems to want to answer your question, I will... :)
>>
>> It has to do with you using an assignment '=' instead of a comparison
>> '==' operator in your condition.
>
> He already found the problem and fixed it :)
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
Re: [PHP] Re: elseif statements
Hi Gary,

2009/5/5 Gary :
> Jan
>
> Thanks for your note.
>
> So you wrote:
>
> $x = (3)*(2) makes no sense.
> $x = 3 * 2 works, as
> $x = (3 * 2) does, too.
> But this is not an error at all. ^^
>
> In the first example ($x = (3)*(2) makes no sense.), which is the way I have it, works. So if it works, is there a real compelling reason to change it?

No!

> I understand that "less is more" when it comes to writing code, but does it slow things down, does it give erroneous results, or is it developing a poor writing habit?
>
> I would enjoy your opinion.

It's an opinion thing, I'd say. But having single values in brackets can't speed anything up. If anything, it's gonna be slower.

Anyway, this was just meant as a comment, that's why I wrote "this is not an error".

I for myself believe that a lot of bracket enclosing can make code more unreadable, but on the other hand sometimes you want more bracket-enclosed statements.

if (1 == 2 || (2 != 3 && 3 != 4)) {
    /* this would be my approach */
}

if (1 == 2 || ((2 != 3) && (3 != 4))) {
    /* this makes it harder to read for me, because of the ending ")))"
       I think, that this may be slightly faster for the interpreter. */
}

if (((1) == (2)) || (((2) != (3)) && ((3) != (4)))) {
    /* this is overkill for humans and interpreter */
}

My intention to post actually was to tell you about the wrong IF-Statement way down. I removed the quoting around, now:

> 2009/5/5 Gary :
>> elseif(isset($chester_assess_difference) <=1000){
>
> You got an error here.
>
> isset($var) returns "true" OR "false", which equals 1 OR 0.
> You might not compare it with your integer 1000, because it's always smaller.
>
> correct would be:
>
> elseif (isset($chester_assess_difference)
>     && $chester_assess_difference <= 1000) {
>     // do something
> }

Regards,
Jan
Re: [PHP] speaking of control structures...
On Wed, 2009-05-06 at 12:56 +0200, Marcus Gnaß wrote:
> Tom Worster wrote:
> > there's a control structure i wish php had: a simple block that you can
> > break out of, e.g.
>
> As Maarten pointed out you could use a function. Another alternative is
> to use Exceptions which might be the most proper way to do it.

That seems like an abuse of exceptions. But then we're already abusing loops. I just don't think one could say it's the proper way to do it :)

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] speaking of control structures...
Tom Worster wrote:
> there's a control structure i wish php had: a simple block that you can
> break out of, e.g.

As Maarten pointed out you could use a function. Another alternative is to use Exceptions which might be the most proper way to do it.
Re: [PHP] elseif statements
On Tue, 2009-05-05 at 22:31 -0700, Jim Lucas wrote:
> Well, since nobody seems to want to answer your question, I will... :)
>
> It has to do with you using an assignment '=' instead of a comparison '=='
> operator in your condition.

He already found the problem and fixed it :)

Cheers,
Rob.

-- http://www.interjinn.com Application and Templating Framework for PHP
Re: [PHP] How to deal with identical fields in db
Peter Ford wrote:
> tedd wrote: (and I added in some extra bits...)
>> You need to normalize.
>>
>> Authors should have a unique id in an authors table. The authors table
>> has all the specific information about authors, but not the books they
>> have written.
>>
>> Books should have a unique id in a books table. The books table has all
>> the specific information about books, but not the contributing authors.
>
> Like the ISBN, for example - that should be unique enough for anyone... I
> suppose if you deal in antique books, there might not be an ISBN.

Unfortunately sometimes an otherwise identical but different printing of the same book has different ISBN numbers. Sometimes the difference is hardback vs softcover, special edition, or just a reprint.

The L.O.C. catalog number may be better; AFAIK there is typically only one LOC number per edition of a book.

It is a good idea to record both (if both exist) and use an internally assigned substitute number when one, the other, or both don't exist (small run self-published works often don't have a LOC number, for example, if the author didn't want to pay for it).
Re: [PHP] how to enable ttf support in php 5.2.9
On Tue, 2009-05-05 at 16:22 -0700, Michael A. Peters wrote:
> Ashley Sheridan wrote:
>>
>> content coming from MS Office clipboard pastes generally contains
>> characters that are encoded wrong, and do not display correctly in web
>> pages unless they have very relaxed doctypes. The function I generally
>> use is:
>>
>> function removeMSCrap($crap)
>> {
>>     // Windows-1252 (the usual MS Office clipboard encoding) puts these
>>     // in the 128-159 byte range, plus a few Latin-1 symbols; each is mapped
>>     // to an HTML entity. chr() only takes 0-255 (larger values wrap modulo
>>     // 256, so chr(8226) is '"' and chr(8282) is 'Z'), which is why only
>>     // single-byte values appear here.
>>     $map = array(
>>         chr(128) => "&euro;",   chr(133) => "&hellip;",
>>         chr(145) => "'",        chr(146) => "'",
>>         chr(147) => "&quot;",   chr(148) => "&quot;",
>>         chr(149) => "&bull;",   chr(150) => "&ndash;",
>>         chr(151) => "&mdash;",  chr(153) => "&trade;",
>>         chr(169) => "&copy;",   chr(174) => "&reg;",
>>     );
>>     // strtr() with an array does a single pass, so a replacement is never
>>     // re-scanned as input the way successive str_replace passes can be.
>>     $roses = strtr($crap, $map);
>>     return $roses;
>> }
>
> Is that something you would suggest be used in any web app that has a
> textarea for input?

It is valid for that also. I've used it on standard tags before as well.

Ash
www.ashleysheridan.co.uk
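Michael asks above whether a function like this belongs in front of every textarea. An added example, not code from the thread, of the two steps that actually need doing on such input: converting a Windows-1252 paste to UTF-8 with mbstring, and escaping the result for HTML on output. The function names and the sample bytes are mine. Swapping smart quotes for entities is transliteration, not escaping; `<b>` in the paste still has to go through `htmlspecialchars()`.

```php
<?php
// Added example, not from the thread: normalise a Windows-1252 clipboard
// paste to UTF-8, then escape it for HTML output. Function names are
// assumptions for illustration.

declare(strict_types=1);

// Convert a string that may be Windows-1252 (typical of MS Office pastes)
// into UTF-8. Input that already validates as UTF-8 is left alone so that
// genuine UTF-8 text is not converted twice.
function normaliseToUtf8(string $input): string
{
    if (mb_check_encoding($input, 'UTF-8')) {
        return $input;
    }
    return mb_convert_encoding($input, 'UTF-8', 'Windows-1252');
}

// Output step, separate from transliteration: the markup characters are
// escaped, the typographic characters pass through as real UTF-8.
function escapeForHtml(string $utf8): string
{
    return htmlspecialchars($utf8, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function cleanPaste(string $raw): string
{
    return escapeForHtml(normaliseToUtf8($raw));
}

// Constructed sample: "“Hello” – it’s <b>bold</b>" as Windows-1252 bytes
// (0x93/0x94 curly double quotes, 0x96 en dash, 0x92 curly apostrophe).
$cp1252 = "\x93Hello\x94 \x96 it\x92s <b>bold</b>";

echo cleanPaste($cp1252), "\n";
// The quotes and dash come out as real characters in a UTF-8 page, and the
// <b> tag is rendered as text rather than as markup.
```

The `mb_check_encoding()` guard is a heuristic: a Windows-1252 string whose high bytes happen to form valid UTF-8 sequences would be passed through unchanged. If the form is served as UTF-8 with `accept-charset="UTF-8"`, browsers submit UTF-8 and the conversion branch is rarely reached; the escaping step is the one that must never be skipped.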
Re: [PHP] How to deal with identical fields in db
tedd wrote: (and I added in some extra bits...)
> You need to normalize.
>
> Authors should have a unique id in an authors table. The authors table
> has all the specific information about authors, but not the books they
> have written.
>
> Books should have a unique id in a books table. The books table has all
> the specific information about books, but not the contributing authors.
>
Like the ISBN, for example - that should be unique enough for anyone... I suppose if you deal in antique books, there might not be an ISBN.

> Then you connect the two tables with a Book-Author table that has only
> the id's of both -- no real need for any other information.
>
This also has the advantage that when you come to add new books by authors already in the database, you only have to look the name up, and you can avoid duplicating authors with misspelt names, etc. You will have to allow for the case of a book with multiple authors, but that should work out fine - you just have two (or more) records in the Book-Author table to link the same book to several authors, and logic that watches out for that when you extract the data.

> That way when you want to see all the books an author has written, then
> you pull out all the records that have the author's id and look up each
> book via the book id.
>
> Likewise, when you want to see all the authors who have contributed to a
> book, then you pull out all records that have the book's id and look up
> each author via their author id.
>
> Do you see how it works?
>
> Cheers,
>
> tedd
>
It always surprises me how many people need to have database normalisation explained to them - it seems obvious to me... (and tedd, clearly!)

--
Peter Ford                      phone: 01580 89
Developer                       fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent
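The layout tedd describes in this post and Michael's point about missing ISBN and LOC numbers in the other reply, as an added example that is not code from the thread: the three tables built in an in-memory SQLite database through PDO, the two lookups tedd lists as prepared statements, and the duplicate-link case Peter mentions handled by a composite primary key. Table and column names and the sample rows are mine.

```php
<?php
// Added example, not from the thread: authors / books / book_author link
// table in SQLite via PDO. Names and sample data are assumptions.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('PRAGMA foreign_keys = ON');

$db->exec('CREATE TABLE authors (
    author_id INTEGER PRIMARY KEY AUTOINCREMENT,
    name      TEXT NOT NULL
)');
// isbn and loc_number are nullable because either can be missing; book_id
// is the internally assigned substitute key Michael suggests.
$db->exec('CREATE TABLE books (
    book_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    title      TEXT NOT NULL,
    isbn       TEXT UNIQUE,
    loc_number TEXT UNIQUE
)');
// The link table holds only the two ids. The composite primary key rejects
// a second identical link, so the database does the duplicate check.
$db->exec('CREATE TABLE book_author (
    book_id   INTEGER NOT NULL REFERENCES books(book_id),
    author_id INTEGER NOT NULL REFERENCES authors(author_id),
    PRIMARY KEY (book_id, author_id)
)');

// Constructed sample data: two authors, one co-written book, one book with
// neither an ISBN nor a LOC number.
$insAuthor = $db->prepare('INSERT INTO authors (name) VALUES (?)');
$insBook   = $db->prepare('INSERT INTO books (title, isbn, loc_number) VALUES (?, ?, ?)');
$insLink   = $db->prepare('INSERT INTO book_author (book_id, author_id) VALUES (?, ?)');

$insAuthor->execute(['Ada Lovelace']);    $ada     = (int) $db->lastInsertId();
$insAuthor->execute(['Charles Babbage']); $charles = (int) $db->lastInsertId();

$insBook->execute(['Notes on the Analytical Engine', 'isbn-sample-1', 'loc-sample-1']);
$notes = (int) $db->lastInsertId();
$insBook->execute(['Calculating Machines', null, null]);
$machines = (int) $db->lastInsertId();

$insLink->execute([$notes, $ada]);
$insLink->execute([$notes, $charles]);
$insLink->execute([$machines, $charles]);

// "All the books an author has written": join through the link table. The
// id is bound, never interpolated, so a value taken from a request cannot
// change the shape of the query.
function booksByAuthor(PDO $db, int $authorId): array
{
    $stmt = $db->prepare('SELECT b.title
                            FROM books b
                            JOIN book_author ba ON ba.book_id = b.book_id
                           WHERE ba.author_id = ?
                           ORDER BY b.title');
    $stmt->execute([$authorId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// "All the authors who have contributed to a book": the same join reversed.
function authorsOfBook(PDO $db, int $bookId): array
{
    $stmt = $db->prepare('SELECT a.name
                            FROM authors a
                            JOIN book_author ba ON ba.author_id = a.author_id
                           WHERE ba.book_id = ?
                           ORDER BY a.name');
    $stmt->execute([$bookId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(booksByAuthor($db, $charles));
print_r(authorsOfBook($db, $notes));

// Linking the same author to the same book twice violates the composite key.
try {
    $insLink->execute([$notes, $ada]);
} catch (PDOException $e) {
    echo "duplicate link rejected\n";
}
```

SQLite permits several NULLs in a UNIQUE column, so the two books without an ISBN coexist while a real ISBN still cannot be entered twice. The same schema runs on MySQL with `AUTO_INCREMENT` in place of `AUTOINCREMENT`.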
Re: [PHP] Avoid to open mysql querries then times in the page
tedd wrote:

On 5/4/09, Matthieu wrote:

Hello,

I'm a total newbie to php/Mysql but I'd like to know if it is normal that I have to connect 3 times to the db in one page. For example, I have

1. A connection for the login / pass a $_SESSION['login'] before the HTML tags
2. I need to say hello to the user so I reconnect, run a query to select the user having the login and echo 'Hello '.$user['login'].'!'
3. I need to show him his friends a bit later, so I have to connect a last time and re-run a query because I can't use the data $user that I used in my upper php code...

Is there a walkthrough to have only one connection for the page?

Thanks
Matthieu

Matthieu:

The way I usually have a user navigate a protected site is to first have them identify themselves via a logon/password script -- and then I store their user_id in a SESSION. Note, I do not store all their data in a SESSION, just their user_id. The user_id should be a unique auto_increment integer primary key from your users' table.

At the start of each protected page, I have:

As such, I check if $user_id > 0 -- if so, then I process the request as directed. If not, then I send the user back to login.

That's basically what I do. I don't store much in sessions, just the id of the logged in user (set to 0 for not logged in) and maybe a few temporary things (IE a page that requires login, if the uid is set to 0 I'll store the page in the session so that after login they can be redirected back). There's a few other things I do in session data, but not much. Since I only use non-persistent cookies for security reasons, almost anything worth saving is worth saving as a db record tied to the user id. Sessions for me mostly are just a way to know a user is authenticated and who they are authenticated as.

As for connecting to the database, I connect as needed to get information needed. I do not use SESSIONs to store all the data to be passed from page to page, I gather only what's needed for that page.

I also make sure that when I open a connection, I close the connection. I may have several open/close statements within a page, but normally I try to avoid that.

I just use pear mdb2 - they make it easy to deal with multiple different databases etc. and I just let the connection close when the page finishes executing, I don't explicitly close any connections. I do explicitly unset prepared statements, but only on pages that do many queries (short fast pages free up the memory when the page finishes executing anyway).

Since I generally use the same database for session handling as I use for the rest of the app, the database will be opened when the page starts and needs to be open when the page finishes execution for writing any new session data, so it doesn't make sense to me to explicitly close the connection except for my search engine (it uses a different database) - but when the search query has run, the search results are displayed and the script finishes executing anyway, so closing that connection isn't needed anyway - the job is done and the script exits quickly, closing the connection on its own.

HTH's

tedd
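The pattern tedd and Michael describe above (user_id in the session, checked at the top of every protected page, 0 meaning not logged in, the requested page remembered for the post-login redirect) with one PDO connection serving Matthieu's "hello" and "friends" queries. This is an added example, not code from the thread; the function names, the users/friends table layout, the DSN and the login.php / index.php paths are my own assumptions. Two details the thread does not mention are included because they are the ones that get this pattern into trouble: the session id is regenerated at login, and the stored return path is checked before it is used in a redirect.

```php
<?php
// Added example, not from the thread: session-based login check for a
// protected page, one shared PDO connection, and the two page queries.
// Table names, DSN, credentials and paths are placeholders.

declare(strict_types=1);

// Session cookie flags: HttpOnly keeps script from reading the id, Secure
// limits it to HTTPS, SameSite=Lax blocks most cross-site sends, and a zero
// lifetime makes it non-persistent, as Michael does. Must precede session_start().
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// One connection for the whole page, handed to every function that needs it
// instead of reconnecting (Matthieu's question).
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }
    return $pdo;
}

// Called by the login handler after password_verify() succeeds. A fresh
// session id on login means an id planted in the browser beforehand cannot
// be reused as the authenticated session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// The stored "page that requires login" is only honoured if it is a same-site
// path: one leading slash, not "//host" or "/\host", so the redirect after
// login cannot be pointed at another site.
function safeReturnPath(?string $path): string
{
    if ($path === null || !preg_match('#^/(?![/\\\\])#', $path)) {
        return '/index.php';
    }
    return $path;
}

// Top of every protected page. 0 or missing means not logged in.
function requireLogin(): int
{
    $userId = (int) ($_SESSION['user_id'] ?? 0);
    if ($userId <= 0) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login.php');
        exit;
    }
    return $userId;
}

// Matthieu's "hello" lookup, over the shared connection, with the id bound.
function displayName(PDO $db, int $userId): ?string
{
    $stmt = $db->prepare('SELECT login FROM users WHERE user_id = ?');
    $stmt->execute([$userId]);
    $login = $stmt->fetchColumn();
    return $login === false ? null : (string) $login;
}

// Matthieu's "friends" lookup, same connection, no reconnect.
function friendsOf(PDO $db, int $userId): array
{
    $stmt = $db->prepare('SELECT u.login
                            FROM friends f
                            JOIN users u ON u.user_id = f.friend_id
                           WHERE f.user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$userId = requireLogin();
$db = db();
echo 'Hello ', htmlspecialchars(displayName($db, $userId) ?? 'unknown', ENT_QUOTES, 'UTF-8'), "!\n";
foreach (friendsOf($db, $userId) as $friend) {
    echo htmlspecialchars($friend, ENT_QUOTES, 'UTF-8'), "\n";
}
```

The login handler would call `loginUser()` and then `header('Location: ' . safeReturnPath($_SESSION['return_to'] ?? null))`. If sessions are stored in the same database, as tedd does, `db()` can also back the session handler so the page really does open one connection.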