Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-21 Thread mike
2009/3/21 Robert Cummings :

> Yes, I'm a big fan of automatic database connection identifiers. Why
> just the other week I was integrating ZenCart into another system and I
> couldn't understand why ZenCart wasn't able to properly retrieve the
> last_insert_id(). After digging through the code I found it was because
> they were making use of magic identifier semantics and since another db
> connection also existed, it was being used for the last_insert_id().
> Wonderful stuff. If you have a nifty little database layer, then it
> shouldn't need magic semantics since it should track the connection
> itself.

What probably makes the most sense, instead of relying on
mysqli_real_escape_string, is to create a simple Unicode-capable regex
that does the database escaping for you. Then it is totally portable.

That is what is sticking in the back of my mind, even though I already
force a utf8 connection on all of my database handles.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-21 Thread Virgilio Quilario
> I typically do something like this:
>
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> My custom error handler logs the mysql error, and displays a nice
> generic "Something went wrong. Please try again or contact us" message
> to the user, wrapped in the page layout, and then exits.
>
> I've just noticed that while the function signature says:
> string mysql_real_escape_string( ...)
>
> The docs say it could return FALSE in case of error.
>
> I'm not really sure what could cause a FALSE return.
>
> Obviously, if the database server/process/chipmunk has DIED just
> before the call to mysql_real_escape_string, I'll get FALSE back.
>
> If the input string is just too whack for the function to parse, could
> I get FALSE, and then I'd be inserting junk into the DB?
>
> Or is it possible that the function returns FALSE for what is
> obviously a hack attempt?
>
> I guess I'm asking if anybody adds a line like:
>
> if ($data_sql === false){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> Or is that not really going to do anything useful/better than what I
> already have?

Yes, you could add that condition, and it would be helpful if you also
include the value of $data in addition to mysql_error so you can
examine it and figure out what caused it to return FALSE.

Also, the PHP manual says this:
mysql_query() will also fail and return FALSE if the user does not
have permission to access the table(s) referenced by the query.

Virgil
http://www.jampmark.com
Free tips, tutorials, innovative tools and techniques useful for
building and improving web sites.




Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-21 Thread Robert Cummings
On Sat, 2009-03-21 at 15:37 -0700, mike wrote:
> 2009/3/21 Nisse Engström :
> 
> > I tend to use the escape functions in very close proximity to
> > the actual query, so I don't see a problem with supplying a
> > connection identifier.
> 
> Except unless explicitly specified, my applications do not require a
> connection identifier as it is stored in a global variable (I have a
> nifty little database access layer)

Yes, I'm a big fan of automatic database connection identifiers. Why
just the other week I was integrating ZenCart into another system and I
couldn't understand why ZenCart wasn't able to properly retrieve the
last_insert_id(). After digging through the code I found it was because
they were making use of magic identifier semantics and since another db
connection also existed, it was being used for the last_insert_id().
Wonderful stuff. If you have a nifty little database layer, then it
shouldn't need magic semantics since it should track the connection
itself.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP
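An added example, not code from Rob's message, from ZenCart or from any of the frameworks mentioned: a minimal mysqli access layer that owns its connection, so the insert id is read from the session that ran the INSERT even when a second connection is open in the same process. ext/mysql functions called without a link argument use the most recently opened link (the PHP manual documents this), which is the "magic identifier semantics" the message describes. PHP 7.4 or later, the hosts, credentials, database and table names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4 or later with
// ext/mysqli; hosts, credentials and schema below are placeholders.
declare(strict_types=1);

// Exceptions instead of FALSE returns, so a failed call cannot be mistaken
// for a successful one further down.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * A minimal access layer that owns its connection. Every call goes through
 * the handle stored here, so the insert id is read from the same session that
 * ran the INSERT, however many other connections the process has opened.
 */
final class Db
{
    private mysqli $conn;

    public function __construct(string $host, string $user, string $pass, string $name)
    {
        $this->conn = new mysqli($host, $user, $pass, $name);
        $this->conn->set_charset('utf8mb4');
    }

    /** Run a parameterised INSERT and return this connection's LAST_INSERT_ID(). */
    public function insert(string $sql, string $types, string ...$params): int
    {
        $stmt = $this->conn->prepare($sql);
        $stmt->bind_param($types, ...$params);
        $stmt->execute();
        // insert_id is per session; reading it from $this->conn rather than
        // from "the last opened link" is the whole point of the wrapper.
        $id = (int) $this->conn->insert_id;
        $stmt->close();
        return $id;
    }
}

// Two connections in one process, the situation that confused ZenCart's
// implicit-link lookup. Each wrapper reports the id from its own session.
$orders = new Db('db.example', 'app', 'secret', 'shop');
$audit  = new Db('db.example', 'app', 'secret', 'audit');

$orderId = $orders->insert('INSERT INTO orders (customer) VALUES (?)', 's', 'alice');
$audit->insert('INSERT INTO log (message) VALUES (?)', 's', "order $orderId created");
```

The design choice is simply that no function in the layer accepts an optional link argument: the connection is a constructor dependency, so there is no fallback to look up.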





Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-21 Thread mike
2009/3/21 Nisse Engström :

> I tend to use the escape functions in very close proximity to
> the actual query, so I don't see a problem with supplying a
> connection identifier.

Except unless explicitly specified, my applications do not require a
connection identifier as it is stored in a global variable (I have a
nifty little database access layer)




Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-21 Thread Nisse Engström
On Fri, 20 Mar 2009 09:49:23 -0700, mike wrote:

> Slightly off topic here, but I find it annoying to have to use the
> connection identifier for the mysqli_real_escape_string.
> 
> It would be great if there were a function, say mysql_escape_string,
> that used utf-8 instead of the default, as opposed to having to use
> mysqli_real_escape_string.

I think mysql_escape_string() should work fine with utf-8,
except that it is being deprecated in 5.3.0.



I tend to use the escape functions in very close proximity to
the actual query, so I don't see a problem with supplying a
connection identifier.


/Nisse




Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-21 Thread tedd

At 11:41 AM -0500 3/20/09, Richard Lynch wrote:

I typically do something like this:

$data_sql = mysql_real_escape_string($data, $connection);
$query = "insert into data(data) values('$data_sql')";
$insert = mysql_query($query, $connection);
if (!$insert){
  trigger_error(mysql_error($connection), E_USER_ERROR);
}



Richard:

Isn't this --

$insert = mysql_query($query, $connection);
if (!$insert){
  trigger_error(mysql_error($connection), E_USER_ERROR);
}

-- the same as:

$result = mysql_query($query) or
die(trigger_error(mysql_error($connection), E_USER_ERROR));


Why not use die?



For error reporting, I use this:

$result = mysql_query($query) or die(report($query,__LINE__ ,__FILE__));

Where:

function report($query, $line, $file)
{
    echo($query . '' . $line . '' . $file . '' . mysql_error());
}

HTH's

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-20 Thread Stuart
2009/3/20 Richard Lynch :
> I typically do something like this:
>
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> My custom error handler logs the mysql error, and displays a nice
> generic "Something went wrong. Please try again or contact us" message
> to the user, wrapped in the page layout, and then exits.
>
> I've just noticed that while the function signature says:
> string mysql_real_escape_string( ...)
>
> The docs say it could return FALSE in case of error.
>
> I'm not really sure what could cause a FALSE return.
>
> Obviously, if the database server/process/chipmunk has DIED just
> before the call to mysql_real_escape_string, I'll get FALSE back.
>
> If the input string is just too whack for the function to parse, could
> I get FALSE, and then I'd be inserting junk into the DB?
>
> Or is it possible that the function returns FALSE for what is
> obviously a hack attempt?
>
> I guess I'm asking if anybody adds a line like:
>
> if ($data_sql === false){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> Or is that not really going to do anything useful/better than what I
> already have?

According to the C API docs [1] it cannot return an error.

Looking in the extension source [2] it would appear that
incorrect/invalid parameters, lack of MySQL connection and memory
allocation errors are the only reasons why it would fail.

-Stuart

[1] http://dev.mysql.com/doc/refman/5.0/en/mysql-real-escape-string.html
[2] http://cvs.php.net/viewvc.cgi/php-src/ext/mysql/php_mysql.c?revision=1.273&view=markup (line 1775+)

-- 
http://stut.net/




Re: [PHP] mysql_real_escape_string paranoid enough?

2009-03-20 Thread mike
On Fri, Mar 20, 2009 at 9:41 AM, Richard Lynch wrote:
> I typically do something like this:
>
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }

Slightly off topic here, but I find it annoying to have to use the
connection identifier for the mysqli_real_escape_string.

It would be great if there were a function, say mysql_escape_string,
that used utf-8 instead of the default, as opposed to having to use
mysqli_real_escape_string.

I suppose a custom function could be written using regexps or even
simple string replacement and mbstring stuff...




[PHP] mysql_real_escape_string paranoid enough?

2009-03-20 Thread Richard Lynch
I typically do something like this:

$data_sql = mysql_real_escape_string($data, $connection);
$query = "insert into data(data) values('$data_sql')";
$insert = mysql_query($query, $connection);
if (!$insert){
  trigger_error(mysql_error($connection), E_USER_ERROR);
}

My custom error handler logs the mysql error, and displays a nice
generic "Something went wrong. Please try again or contact us" message
to the user, wrapped in the page layout, and then exits.

I've just noticed that while the function signature says:
string mysql_real_escape_string( ...)

The docs say it could return FALSE in case of error.

I'm not really sure what could cause a FALSE return.

Obviously, if the database server/process/chipmunk has DIED just
before the call to mysql_real_escape_string, I'll get FALSE back.

If the input string is just too whack for the function to parse, could
I get FALSE, and then I'd be inserting junk into the DB?

Or is it possible that the function returns FALSE for what is
obviously a hack attempt?

I guess I'm asking if anybody adds a line like:

if ($data_sql === false){
  trigger_error(mysql_error($connection), E_USER_ERROR);
}

Or is that not really going to do anything useful/better than what I
already have?

-- 
Some people ask for gifts here.
I just want you to buy an Indie CD for yourself:
http://cdbaby.com/search/from/lynch
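An added example, not code from Richard's post or from anyone else in the thread, that puts the pieces of the discussion together: Richard's `=== false` check on the escape result, Stuart's finding that the only failure causes are bad parameters, a missing connection and allocation errors, Virgil's suggestion to log the value of $data next to the driver error, tedd's report() helper, and mike's and Nisse's exchange about the connection identifier. The connection argument exists because the escape function escapes according to the connection's current character set, which is why the PHP manual recommends setting it through mysqli_set_charset() rather than with a "SET NAMES" query. The example assumes PHP 7.1 or later with ext/mysqli (ext/mysql, which the thread uses, was removed in PHP 7); the host, credentials, database name and the table `data` are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1 or later with
// ext/mysqli (ext/mysql, which the thread uses, was removed in PHP 7).
// Host, credentials, database, table and column names are placeholders.
declare(strict_types=1);

// Keep mysqli returning FALSE on failure instead of throwing (PHP 8.1 made
// exceptions the default), so the explicit checks below are what run.
mysqli_report(MYSQLI_REPORT_OFF);

/**
 * Log the full failure server-side and show the client a generic message.
 * The query, the driver error and the offending input (hex-encoded so that
 * binary or multi-byte junk stays readable in the log) never reach the browser.
 */
function fail_closed(string $stage, string $dberror, string $input = ''): void
{
    error_log(sprintf('[db] %s failed: %s input=%s', $stage, $dberror, bin2hex($input)));
    http_response_code(500);
    echo 'Something went wrong. Please try again or contact us.';
    exit(1);
}

/**
 * Connect and pin the connection character set through the API rather than
 * with "SET NAMES": the escape function escapes according to the charset the
 * client library believes is in use, and only mysqli_set_charset() updates
 * that. This is the reason the escape function takes the connection handle.
 */
function connect(): mysqli
{
    $db = mysqli_init();
    if ($db === false) {
        fail_closed('init', 'mysqli_init() returned false');
    }
    if (!mysqli_real_connect($db, 'db.example', 'app', 'secret', 'appdb')) {
        fail_closed('connect', (string) mysqli_connect_error());
    }
    if (!mysqli_set_charset($db, 'utf8mb4')) {
        fail_closed('charset', mysqli_error($db));
    }
    return $db;
}

/**
 * Escape for use between single quotes. Anything other than a string back
 * from the escape function aborts the request, so a FALSE can never be
 * interpolated into SQL as an empty string.
 */
function escape_or_fail(mysqli $db, string $value): string
{
    $escaped = mysqli_real_escape_string($db, $value);
    if (!is_string($escaped)) {
        fail_closed('escape', mysqli_error($db), $value);
    }
    return $escaped;
}

/** The original post's insert, with the escape result checked first. */
function insert_escaped(mysqli $db, string $data): void
{
    $data_sql = escape_or_fail($db, $data);
    $query = "INSERT INTO data (data) VALUES ('$data_sql')";
    if (mysqli_query($db, $query) === false) {
        fail_closed('query', mysqli_error($db), $data);
    }
}

/**
 * The same insert as a prepared statement: the value is sent separately
 * from the SQL text, so there is nothing to escape and no charset to get wrong.
 */
function insert_prepared(mysqli $db, string $data): void
{
    $stmt = mysqli_prepare($db, 'INSERT INTO data (data) VALUES (?)');
    if ($stmt === false) {
        fail_closed('prepare', mysqli_error($db));
    }
    if (!mysqli_stmt_bind_param($stmt, 's', $data) || !mysqli_stmt_execute($stmt)) {
        fail_closed('execute', mysqli_stmt_error($stmt), $data);
    }
    mysqli_stmt_close($stmt);
}

$db = connect();
// Constructed sample input: a quote plus a 4-byte UTF-8 character, which
// needs the utf8mb4 connection charset set above (and a utf8mb4 column).
$input = (string) ($_POST['data'] ?? "O'Reilly \xF0\x9F\x98\x80");
insert_escaped($db, $input);
insert_prepared($db, $input);
```

Two points the thread circles around are visible here. First, a generic client message plus a detailed server-side log is the right split: tedd's report() echoes the query, file, line and driver error to whoever sent the request, which hands an attacker the schema and the exact shape of the SQL. Second, insert_prepared() makes the "paranoid enough?" question go away, because the value is never part of the SQL text that the escaper has to protect.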


