Re: [PHP] MySql Injection advice

2009-07-14 Thread Martin Scotta
you can do that with IPs because it is an implementation of an integer. look: I take a integer value: 2130706433 express it as binary: 1110001 now I have to look it as bytes: 1110 0001 express the bytes as decimals: 127 0 0 1 does this number m
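The byte arithmetic Martin describes, worked through in PHP as an added example (this is my code, not text from the post): the integer is split into four bytes with shifts and masks, the reverse direction validates the dotted quad before packing it, and both are cross-checked against PHP's built-in ip2long()/long2ip(). Helper names are mine, and it assumes 64-bit PHP so that 0xFFFFFFFF fits in an int.

```php
<?php
// Added example, not from the mailing-list post: an IPv4 address as a 32-bit
// integer, the bytes split out by hand with shifts and masks, then cross-checked
// against PHP's own ip2long()/long2ip(). Helper names are mine. Assumes 64-bit
// PHP so that 0xFFFFFFFF fits in an int without going negative.

declare(strict_types=1);

if (PHP_INT_SIZE < 8) {
    fwrite(STDERR, "this example assumes 64-bit PHP integers\n");
    exit(1);
}

/** Dotted quad -> unsigned 32-bit int, or null when the text is not an IPv4 address. */
function ipv4ToInt(string $ip): ?int
{
    // filter_var() insists on exactly four decimal octets in 0..255, so "127.1"
    // or "300.1.1.1" never reach the arithmetic below.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $n = 0;
    foreach (explode('.', $ip) as $octet) {
        // Make room for one more byte, then drop the next octet into it.
        $n = ($n << 8) | (int) $octet;
    }
    return $n;
}

/** Unsigned 32-bit int -> dotted quad; the top byte is the first octet. */
function intToIpv4(int $n): string
{
    if ($n < 0 || $n > 0xFFFFFFFF) {
        throw new InvalidArgumentException("not a 32-bit unsigned value: $n");
    }
    return sprintf('%d.%d.%d.%d', ($n >> 24) & 0xFF, ($n >> 16) & 0xFF, ($n >> 8) & 0xFF, $n & 0xFF);
}

// The number from the post, written out one byte at a time.
$n = 2130706433;
printf("%d = 0x%08X = %s\n", $n, $n, intToIpv4($n));       // 2130706433 = 0x7F000001 = 127.0.0.1
$bits = sprintf('%032b', $n);
echo 'bits:  ', implode(' ', str_split($bits, 8)), "\n";   // 01111111 00000000 00000000 00000001
echo 'bytes: ', implode(' ', array_map('bindec', str_split($bits, 8))), "\n";   // 127 0 0 1

// Round trips and a cross-check against the built-ins. sprintf('%u') is used
// for ip2long() because it can return a negative int on some builds.
foreach (['127.0.0.1', '10.0.0.1', '192.168.1.10', '255.255.255.255', '127.1', '300.1.1.1', 'abc'] as $ip) {
    $v = ipv4ToInt($ip);
    if ($v === null) {
        printf("%-16s rejected\n", $ip);
        continue;
    }
    $ok = intToIpv4($v) === $ip
        && sprintf('%u', ip2long($ip)) === (string) $v
        && long2ip($v) === $ip;
    printf("%-16s -> %10u -> %s  [%s]\n", $ip, $v, intToIpv4($v), $ok ? 'matches ip2long/long2ip' : 'MISMATCH');
}
```

The validation step matters when the integer is going into an UNSIGNED INT column: ip2long() on its own will accept some abbreviated forms on some platforms, and a rejected string should never be allowed to fall through as 0 or false and be stored.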

Re: [PHP] MySql Injection advice

2009-07-14 Thread Michael A. Peters
Eddie Drapkin wrote: Things I have used prepared statements for: 1. SELECT 2. UPDATE 3. INSERT 4. DELETE 5. Stored procedures Things I am aware of that prepared statements are not capable of doing: What have you read that prepared statements can't do? I've not heard of anything, nor have I enc

Re: [PHP] MySql Injection advice

2009-07-13 Thread Ashley Sheridan
On Tue, 2009-07-14 at 01:52 -0400, Andrew Ballard wrote: > On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan wrote: > > for the phone #'s, I'm using int as the data type & storing each part of the > > phone # in its own cell, > > > > When it gets displayed, I add a dash in between each part of the phon

Re: [PHP] MySql Injection advice

2009-07-13 Thread Eddie Drapkin
Things I have used prepared statements for: 1. SELECT 2. UPDATE 3. INSERT 4. DELETE 5. Stored procedures Things I am aware of that prepared statements are not capable of doing: What have you read that prepared statements can't do? I've not heard of anything, nor have I encountered anything, myse
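Eddie's list (quoted again by Michael A. Peters above) covers SELECT, UPDATE, INSERT and DELETE; the following is an added example of mine, not code from either post, that runs each of those as a PDO prepared statement and then shows the one job a placeholder cannot do: stand in for an identifier such as a column name or sort direction. It uses an in-memory SQLite database so that it runs without a MySQL server (this assumes the pdo_sqlite extension is loaded); against MySQL only the DSN would change, and there you would also set PDO::ATTR_EMULATE_PREPARES to false so the prepares are done server-side. The function name orderedNames is mine.

```php
<?php
// Added example, mine rather than the thread's: the four statement kinds the
// post lists, each as a PDO prepared statement, followed by the one thing a
// placeholder cannot do, which is to name a column or table. Runs against an
// in-memory SQLite database so no MySQL server is needed (assumes pdo_sqlite).

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->exec('CREATE TABLE phonedir (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');

// Constructed hostile input: it would end the string literal in a concatenated
// query. Bound as a parameter it is data, nothing more, and is stored as given.
$hostile = "O'Brien'); DROP TABLE phonedir; --";

// INSERT: one prepare, several executes.
$ins = $db->prepare('INSERT INTO phonedir (fname, lname) VALUES (:fname, :lname)');
foreach ([['Zed', 'Alpha'], ['Amy', 'Beta'], ['Mike', $hostile]] as [$f, $l]) {
    $ins->execute([':fname' => $f, ':lname' => $l]);
}

// SELECT: the hostile string is matched as a plain value.
$sel = $db->prepare('SELECT id, fname, lname FROM phonedir WHERE lname = :lname');
$sel->execute([':lname' => $hostile]);
$row = $sel->fetch();
printf("stored verbatim: id=%d lname=%s\n", $row['id'], $row['lname']);

// UPDATE: the id is bound as an integer, so there is no unquoted number in the
// SQL text for a "1 OR 1=1" to slip into.
$upd = $db->prepare('UPDATE phonedir SET fname = :fname WHERE id = :id');
$upd->bindValue(':fname', 'Amy B.');
$upd->bindValue(':id', 2, PDO::PARAM_INT);
$upd->execute();
printf("updated rows: %d\n", $upd->rowCount());   // 1

// DELETE
$del = $db->prepare('DELETE FROM phonedir WHERE id = :id');
$del->execute([':id' => 3]);
printf("deleted rows: %d\n", $del->rowCount());   // 1

// What a placeholder cannot do: name a column, a table or a sort direction.
// SQLite accepts "ORDER BY :col" but then sorts by the constant string 'fname',
// which is no sort at all; in practice the rows come back in rowid order.
$st = $db->prepare('SELECT fname FROM phonedir ORDER BY :col');
$st->execute([':col' => 'fname']);
echo 'ORDER BY bound as parameter: ', implode(', ', $st->fetchAll(PDO::FETCH_COLUMN)), "\n";   // Zed, Amy B.

// The identifier has to come from a fixed list and be interpolated; it must
// never be taken from the request as free text.
function orderedNames(PDO $db, string $col): array
{
    $allowed = ['fname', 'lname'];
    if (!in_array($col, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $col");
    }
    return $db->query("SELECT fname FROM phonedir ORDER BY \"$col\"")->fetchAll(PDO::FETCH_COLUMN);
}
echo 'ORDER BY from allow-list:    ', implode(', ', orderedNames($db, 'fname')), "\n";   // Amy B., Zed
try {
    orderedNames($db, 'fname; DROP TABLE phonedir');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The practical reading of "what prepared statements can't do" is exactly that last part: placeholders bind values, not SQL syntax, so table names, column names, ASC/DESC and the length of an IN (...) list still have to be produced by code from a fixed set of choices.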

Re: [PHP] MySql Injection advice

2009-07-13 Thread Andrew Ballard
On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan wrote: > for the phone #'s, I'm using int as the data type & storing each part of the > phone # in its own cell, > > When it gets displayed, I add a dash in between each part of the phone #'s > (country code-area code-1st set of digits-last set of digit

Re: [PHP] MySql Injection advice

2009-07-13 Thread Michael A. Peters
tedd wrote: At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing anytime soon. Aside from Stuart's comment

Re: [PHP] MySql Injection advice

2009-07-13 Thread Bastien Koert
On Mon, Jul 13, 2009 at 5:52 PM, Ashley Sheridan wrote: > On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote: >> On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan wrote: >> > On July 13, 2009 09:48:54 am Haig Dedeyan wrote: >> >> On Monday 13 July 2009 14:31:09 tedd wrote: >> >> > At 3:53 PM -0400

Re: [PHP] MySql Injection advice

2009-07-13 Thread Ashley Sheridan
On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote: > On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan wrote: > > On July 13, 2009 09:48:54 am Haig Dedeyan wrote: > >> On Monday 13 July 2009 14:31:09 tedd wrote: > >> > At 3:53 PM -0400 7/12/09, Paul M Foster wrote: > >> > >On Sun, Jul 12, 2009 at

Re: [PHP] MySql Injection advice

2009-07-13 Thread Bastien Koert
On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyan wrote: > On July 13, 2009 09:48:54 am Haig Dedeyan wrote: >> On Monday 13 July 2009 14:31:09 tedd wrote: >> > At 3:53 PM -0400 7/12/09, Paul M Foster wrote: >> > >On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: >> > > >> > > >> > > >> > >>  As for

Re: [PHP] MySql Injection advice

2009-07-13 Thread Haig Dedeyan
On July 13, 2009 09:48:54 am Haig Dedeyan wrote: > On Monday 13 July 2009 14:31:09 tedd wrote: > > At 3:53 PM -0400 7/12/09, Paul M Foster wrote: > > >On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: > > > > > > > > > > > >> As for prepared statements, I'm no authority on them, but from what

Re: [PHP] MySql Injection advice

2009-07-13 Thread Ashley Sheridan
On Monday 13 July 2009 14:31:09 tedd wrote: > At 3:53 PM -0400 7/12/09, Paul M Foster wrote: > >On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: > > > > > > > >> As for prepared statements, I'm no authority on them, but from what > >> I've read they are not going to be something I'll be prac

Re: [PHP] MySql Injection advice

2009-07-13 Thread tedd
At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing anytime soon. Aside from Stuart's comments about slown

Re: [PHP] MySql Injection advice

2009-07-13 Thread tedd
At 8:50 PM +0530 7/12/09, Zareef Ahmed wrote: On Sun, Jul 12, 2009 at 8:42 PM, tedd <tedd.sperl...@gmail.com> wrote: As with all communication, it's better to be clear than obtuse. Agree, but I believe "obtuse" word meaning is contextual and depends :) The wo

Re: [PHP] MySql Injection advice

2009-07-13 Thread Haig Dedeyan
On July 12, 2009 08:52:56 am Haig Dedeyan wrote: > At 6:39 PM -0400 7/11/09, Haig Dedeyan wrote: > > [1] > > >mysql_query("INSERT INTO phonedir > >(fname, lname) VALUES('$new_fname','$new_lname')") > >or die(mysql_error()); > > > >or > > [2] > > >mysql_query("INSERT INTO phonedir > >(fname, lname)

Re: [PHP] MySql Injection advice

2009-07-13 Thread Haig Dedeyan
On July 12, 2009 03:34:49 pm Haig Dedeyan wrote: > On Sat, 11 Jul 2009 21:26:36 -0400, Haig Dedeyan wrote: > >> On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan wrote: > >>> mysql_query("INSERT INTO phonedir > >>> (fname, lname) VALUES('$new_fname','$new_lname')") > >>> or die(mysql_error()); > > >

Re: [PHP] MySql Injection advice

2009-07-12 Thread Paul M Foster
On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: > > As for prepared statements, I'm no authority on them, but from what > I've read they are not going to be something I'll be practicing > anytime soon. Aside from Stuart's comments about slowness, what else have you read that makes you dis

Re: [PHP] MySql Injection advice

2009-07-12 Thread Nisse Engström
On Sat, 11 Jul 2009 21:26:36 -0400, Haig Dedeyan wrote: >> On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan wrote: >>> mysql_query("INSERT INTO phonedir >>> (fname, lname) VALUES('$new_fname','$new_lname')") >>> or die(mysql_error()); > > I won't be using 2x escapes but I just need to know if I sho

Re: [PHP] MySql Injection advice

2009-07-12 Thread Zareef Ahmed
On Sun, Jul 12, 2009 at 8:42 PM, tedd wrote: > At 8:24 PM +0530 7/12/09, Zareef Ahmed wrote: > >> On Sun, Jul 12, 2009 at 6:32 PM, tedd < >> tedd.sperl...@gmail.com> wrote: >> >> Hi gang: >> >> I am top posting only to show that the following post makes no sense as

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
At 8:24 PM +0530 7/12/09, Zareef Ahmed wrote: On Sun, Jul 12, 2009 at 6:32 PM, tedd <tedd.sperl...@gmail.com> wrote: Hi gang: I am top posting only to show that the following post makes no sense as to who said what. At what point here Zareef, did you think yo

Re: [PHP] MySql Injection advice

2009-07-12 Thread Zareef Ahmed
On Sun, Jul 12, 2009 at 6:32 PM, tedd wrote: > Hi gang: > > I am top posting only to show that the following post makes no sense as to > who said what. > > At what point here Zareef, did you think you were helping anyone? Or is > this more of your "I'm going to do whatever I want" attitude? > A

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
At 9:26 PM -0400 7/11/09, Haig Dedeyan wrote: @Tedd - I will be looking into prepared statements eventually but I still want to understand escaping. Haig: I'm not the one pushing the prepared statements, that's someone else. However, I can see how you might think that considering how people

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
Hi gang: I am top posting only to show that the following post makes no sense as to who said what. At what point here Zareef, did you think you were helping anyone? Or is this more of your "I'm going to do whatever I want" attitude? I would hate to review code with such lack of forethought

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
At 6:39 PM -0400 7/11/09, Haig Dedeyan wrote: [1] mysql_query("INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')") or die(mysql_error()); or [2] mysql_query("INSERT INTO phonedir (fname, lname) VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_stri

Re: [PHP] MySql Injection advice

2009-07-11 Thread Zareef Ahmed
2009/7/12 Haig Dedeyan > On July 11, 2009 08:21:34 pm Haig Dedeyan wrote: > > On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan > wrote: > > > On July 11, 2009 10:57:14 am Haig Dedeyan wrote: > > > > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: > > > > > > > > [1] > > > > > > > > >$fname = mysql_r

Re: [PHP] MySql Injection advice

2009-07-11 Thread Haig Dedeyan
On July 11, 2009 08:21:34 pm Haig Dedeyan wrote: > On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan wrote: > > On July 11, 2009 10:57:14 am Haig Dedeyan wrote: > > > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: > > > > > > [1] > > > > > > >$fname = mysql_real_escape_string($fname); > > > >$lname =

Re: [PHP] MySql Injection advice

2009-07-11 Thread Zareef Ahmed
On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan wrote: > On July 11, 2009 10:57:14 am Haig Dedeyan wrote: > > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: > > > > [1] > > > > >$fname = mysql_real_escape_string($fname); > > >$lname = mysql_real_escape_string($lname); > > > > > >$sql = "UPDATE phon

Re: [PHP] MySql Injection advice

2009-07-11 Thread Stuart
2009/7/12 Eddie Drapkin : > No offense or anything, but all of this work you've done is > immediately made obsolete the second you switch to prepared > statements.  They're easier to use and more secure, as well as making > code more readable.  I don't understand why it's so hard for them to > catc

Re: [PHP] MySql Injection advice

2009-07-11 Thread Eddie Drapkin
On Sat, Jul 11, 2009 at 6:39 PM, Haig Dedeyan wrote: > On July 11, 2009 10:57:14 am Haig Dedeyan wrote: >> At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: >> >> [1] >> >> >$fname = mysql_real_escape_string($fname); >> >$lname = mysql_real_escape_string($lname); >> > >> >$sql = "UPDATE phonedir SET f

Re: [PHP] MySql Injection advice

2009-07-11 Thread Haig Dedeyan
On July 11, 2009 10:57:14 am Haig Dedeyan wrote: > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: > > [1] > > >$fname = mysql_real_escape_string($fname); > >$lname = mysql_real_escape_string($lname); > > > >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE > > id=$id"; $result =

Re: [PHP] MySql Injection advice

2009-07-11 Thread tedd
At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: [1] $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id"; $result = mysql_query($sql); echo mysql_error() . "\n"; This will result in th

Re: [PHP] MySql Injection advice

2009-07-11 Thread Phpster
On Jul 10, 2009, at 10:12 PM, Haig Dedeyan wrote: Hi everyone, I'm starting to experiment with an edit form and I am seeing the following behaviour: $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = "UPDATE phonedir SET fname = '$fname',l

Re: [PHP] MySql Injection advice

2009-07-10 Thread Haig Dedeyan
On July 10, 2009 11:26:04 pm Haig Dedeyan wrote: > Haig Dedeyan wrote: > > Hi everyone, > > > > I'm starting to experiment with an edit form and I am seeing the > > following behaviour: > > > > $fname = mysql_real_escape_string($fname); > > $lname = mysql_real_escape_string($lname); > > > > > > $sq

Re: [PHP] MySql Injection advice

2009-07-10 Thread Michael A. Peters
Haig Dedeyan wrote: Hi everyone, I'm starting to experiment with an edit form and I am seeing the following behaviour: $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id"; $result

[PHP] MySql Injection advice

2009-07-10 Thread Haig Dedeyan
Hi everyone, I'm starting to experiment with an edit form and I am seeing the following behaviour: $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id"; $result = mysql_query($sql);
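The UPDATE in the opening post escapes $fname and $lname with mysql_real_escape_string() but drops $id into the WHERE clause unquoted and unescaped. Escaping only protects a value that sits inside quotes; a bare number in the SQL text gets no protection from it at all. The following is an added example of mine, not the poster's code, that shows what a crafted id does to that query and what closes the hole: either validating and casting the id as an integer before it reaches the SQL, or binding it as a typed parameter. An in-memory SQLite database through PDO stands in for MySQL so it runs offline (assumes the pdo_sqlite extension), and PDO::quote() plays the part of mysql_real_escape_string(). The helper names (freshDb, updateRaw, updateCast, updateBound, dump) and the sample rows are mine.

```php
<?php
// Added example, not the poster's code. The posted UPDATE escapes the two
// strings but interpolates $id raw; this shows the consequence and two fixes.
// In-memory SQLite via PDO stands in for MySQL (assumes pdo_sqlite), and
// PDO::quote() plays the role of mysql_real_escape_string() plus the quotes.

declare(strict_types=1);

function freshDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec('CREATE TABLE phonedir (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO phonedir (fname, lname) VALUES ('Haig','Dedeyan'), ('Eddie','Drapkin'), ('Ashley','Sheridan')");
    return $db;
}

// The shape of the posted query: strings escaped and quoted, id dropped in raw.
function updateRaw(PDO $db, string $id, string $fname, string $lname): int
{
    $sql = 'UPDATE phonedir SET fname = ' . $db->quote($fname)
         . ', lname = ' . $db->quote($lname)
         . " WHERE id = $id";                       // unquoted, unescaped
    echo "  SQL: $sql\n";
    return $db->exec($sql);
}

// Fix 1: an id is only ever an integer, so refuse anything else and cast
// before it touches the SQL text.
function requireInt(string $value): int
{
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("id is not an integer: $value");
    }
    return (int) $value;
}

function updateCast(PDO $db, string $id, string $fname, string $lname): int
{
    $sql = 'UPDATE phonedir SET fname = ' . $db->quote($fname)
         . ', lname = ' . $db->quote($lname)
         . ' WHERE id = ' . requireInt($id);
    return $db->exec($sql);
}

// Fix 2: validate the id the same way, then bind everything; no quoting or
// escaping is left for the application to get wrong.
function updateBound(PDO $db, string $id, string $fname, string $lname): int
{
    $st = $db->prepare('UPDATE phonedir SET fname = :fname, lname = :lname WHERE id = :id');
    $st->bindValue(':fname', $fname);
    $st->bindValue(':lname', $lname);
    $st->bindValue(':id', requireInt($id), PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

function dump(PDO $db): void
{
    foreach ($db->query('SELECT id, fname, lname FROM phonedir ORDER BY id') as $r) {
        printf("  %d %s %s\n", $r['id'], $r['fname'], $r['lname']);
    }
}

// Constructed attacker input: the edit form's hidden id field is changed to
// "1 OR 1=1". The names are harmless; the damage is entirely in the id.
$evilId = '1 OR 1=1';

echo "raw interpolation, hostile id:\n";
$db = freshDb();
printf("  rows changed: %d\n", updateRaw($db, $evilId, "O'Brien", 'x'));   // 3: every row clobbered
dump($db);

echo "\ninteger validation, hostile id:\n";
$db = freshDb();
try {
    updateCast($db, $evilId, "O'Brien", 'x');
} catch (InvalidArgumentException $e) {
    echo '  rejected: ', $e->getMessage(), "\n";
}

echo "\nbound parameters, legitimate id 2 and a name with a quote:\n";
$db = freshDb();
printf("  rows changed: %d\n", updateBound($db, '2', "O'Brien", 'x'));    // 1
dump($db);
```

The printed SQL in the first run makes the point visible: the two names arrive as 'O''Brien' and 'x', correctly escaped, while the WHERE clause reads `id = 1 OR 1=1` and matches the whole table. Whether the numeric field is cast or bound, the rule is the same one the thread keeps returning to: each value needs protection that fits the context it is placed in, and a number outside quotes is not protected by string escaping.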