Re: [PHP] MySql Injection advice

2009-07-14 Thread Eddie Drapkin
Things I have used prepared statements for: 1. SELECT 2. UPDATE 3. INSERT 4. DELETE 5. Stored procedures Things I am aware of that prepared statements are not capable of doing: What have you read that prepared statements can't do? I've not heard of anything, nor have I encountered anything,

Re: [PHP] MySql Injection advice

2009-07-14 Thread Ashley Sheridan
On Tue, 2009-07-14 at 01:52 -0400, Andrew Ballard wrote: On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyanhdede...@videotron.ca wrote: for the phone #'s, I'm using int as the data type storing each part of the phone # in its own cell, When it gets displayed, I add a dash in between each part

Re: [PHP] MySql Injection advice

2009-07-14 Thread Michael A. Peters
Eddie Drapkin wrote: Things I have used prepared statements for: 1. SELECT 2. UPDATE 3. INSERT 4. DELETE 5. Stored procedures Things I am aware of that prepared statements are not capable of doing: What have you read that prepared statements can't do? I've not heard of anything, nor have I

Re: [PHP] MySql Injection advice

2009-07-13 Thread Haig Dedeyan
On July 12, 2009 03:34:49 pm Haig Dedeyan wrote: On Sat, 11 Jul 2009 21:26:36 -0400, Haig Dedeyan wrote: On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan hdede...@videotron.ca wrote: mysql_query(INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')) or die(mysql_error());

Re: [PHP] MySql Injection advice

2009-07-13 Thread Haig Dedeyan
On July 12, 2009 08:52:56 am Haig Dedeyan wrote: At 6:39 PM -0400 7/11/09, Haig Dedeyan wrote: [1] mysql_query(INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')) or die(mysql_error()); or [2] mysql_query(INSERT INTO phonedir (fname, lname)

Re: [PHP] MySql Injection advice

2009-07-13 Thread tedd
At 8:50 PM +0530 7/12/09, Zareef Ahmed wrote: On Sun, Jul 12, 2009 at 8:42 PM, tedd mailto:tedd.sperl...@gmail.comtedd.sperl...@gmail.com wrote: As with all communication, it's better to be clear than obtuse. Agree, but I believe obtuse word meaning is contextual and depends :) The word

Re: [PHP] MySql Injection advice

2009-07-13 Thread tedd
At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: snip As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing anytime soon. Aside from Stuart's comments about

Re: [PHP] MySql Injection advice

2009-07-13 Thread Ashley Sheridan
On Monday 13 July 2009 14:31:09 tedd wrote: At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: snip As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing

Re: [PHP] MySql Injection advice

2009-07-13 Thread Haig Dedeyan
On July 13, 2009 09:48:54 am Haig Dedeyan wrote: On Monday 13 July 2009 14:31:09 tedd wrote: At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: snip As for prepared statements, I'm no authority on them, but from what I've read

Re: [PHP] MySql Injection advice

2009-07-13 Thread Bastien Koert
On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyanhdede...@videotron.ca wrote: On July 13, 2009 09:48:54 am Haig Dedeyan wrote: On Monday 13 July 2009 14:31:09 tedd wrote: At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: snip  As for

Re: [PHP] MySql Injection advice

2009-07-13 Thread Ashley Sheridan
On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote: On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyanhdede...@videotron.ca wrote: On July 13, 2009 09:48:54 am Haig Dedeyan wrote: On Monday 13 July 2009 14:31:09 tedd wrote: At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12,

Re: [PHP] MySql Injection advice

2009-07-13 Thread Bastien Koert
On Mon, Jul 13, 2009 at 5:52 PM, Ashley Sheridana...@ashleysheridan.co.uk wrote: On Mon, 2009-07-13 at 16:30 -0400, Bastien Koert wrote: On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyanhdede...@videotron.ca wrote: On July 13, 2009 09:48:54 am Haig Dedeyan wrote: On Monday 13 July 2009 14:31:09

Re: [PHP] MySql Injection advice

2009-07-13 Thread Michael A. Peters
tedd wrote: At 3:53 PM -0400 7/12/09, Paul M Foster wrote: On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: snip As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing anytime soon. Aside from Stuart's

Re: [PHP] MySql Injection advice

2009-07-13 Thread Andrew Ballard
On Mon, Jul 13, 2009 at 4:18 PM, Haig Dedeyanhdede...@videotron.ca wrote: for the phone #'s, I'm using int as the data type storing each part of the phone # in its own cell, When it gets displayed, I add a dash in between each part of the phone #'s (country code-area code-1st set of

Re: [PHP] MySql Injection advice

2009-07-12 Thread Zareef Ahmed
2009/7/12 Haig Dedeyan hdede...@videotron.ca On July 11, 2009 08:21:34 pm Haig Dedeyan wrote: On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan hdede...@videotron.ca wrote: On July 11, 2009 10:57:14 am Haig Dedeyan wrote: At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: [1]

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
At 6:39 PM -0400 7/11/09, Haig Dedeyan wrote: [1] mysql_query(INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')) or die(mysql_error()); or [2] mysql_query(INSERT INTO phonedir (fname, lname)

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
Hi gang: I am top posting only to show that the following post makes no sense as to who said what. At what point here Zareef, did you think you were helping anyone? Or is this more of your I'm going to do whatever I want attitude? I would hate to review code with such lack of forethought

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
At 9:26 PM -0400 7/11/09, Haig Dedeyan wrote: @Tedd - I will be looking into prepared statements eventually but I still want to understand escaping. Haig: I'm not the one pushing the prepared statements, that's someone else. However, I can see how you might think that considering how

Re: [PHP] MySql Injection advice

2009-07-12 Thread Zareef Ahmed
On Sun, Jul 12, 2009 at 6:32 PM, tedd tedd.sperl...@gmail.com wrote: Hi gang: I am top posting only to show that the following post makes no sense as to who said what. At what point here Zareef, did you think you were helping anyone? Or is this more of your I'm going to do whatever I want

Re: [PHP] MySql Injection advice

2009-07-12 Thread tedd
At 8:24 PM +0530 7/12/09, Zareef Ahmed wrote: On Sun, Jul 12, 2009 at 6:32 PM, tedd mailto:tedd.sperl...@gmail.comtedd.sperl...@gmail.com wrote: Hi gang: I am top posting only to show that the following post makes no sense as to who said what. At what point here Zareef, did you think you

Re: [PHP] MySql Injection advice

2009-07-12 Thread Zareef Ahmed
On Sun, Jul 12, 2009 at 8:42 PM, tedd tedd.sperl...@gmail.com wrote: At 8:24 PM +0530 7/12/09, Zareef Ahmed wrote: On Sun, Jul 12, 2009 at 6:32 PM, tedd mailto:tedd.sperl...@gmail.com tedd.sperl...@gmail.com wrote: Hi gang: I am top posting only to show that the following post makes no

Re: [PHP] MySql Injection advice

2009-07-12 Thread Nisse Engström
On Sat, 11 Jul 2009 21:26:36 -0400, Haig Dedeyan wrote: On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan hdede...@videotron.ca wrote: mysql_query(INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')) or die(mysql_error()); I won;t be using 2x escapes but I just need to know

Re: [PHP] MySql Injection advice

2009-07-12 Thread Paul M Foster
On Sun, Jul 12, 2009 at 09:07:45AM -0400, tedd wrote: snip As for prepared statements, I'm no authority on them, but from what I've read they are not going to be something I'll be practicing anytime soon. Aside from Stuart's comments about slowness, what else have you read that makes you

Re: [PHP] MySql Injection advice

2009-07-11 Thread Phpster
On Jul 10, 2009, at 10:12 PM, Haig Dedeyan hdede...@videotron.ca wrote: Hi everyone, I'm starting to experiment with an edit form and I am seeing the following behaviour: $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = UPDATE phonedir

Re: [PHP] MySql Injection advice

2009-07-11 Thread tedd
At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: [1] $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id; $result = mysql_query($sql); echo mysql_error() . \n; This will result in the

Re: [PHP] MySql Injection advice

2009-07-11 Thread Haig Dedeyan
On July 11, 2009 10:57:14 am Haig Dedeyan wrote: At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: [1] $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id; $result =

Re: [PHP] MySql Injection advice

2009-07-11 Thread Eddie Drapkin
On Sat, Jul 11, 2009 at 6:39 PM, Haig Dedeyanhdede...@videotron.ca wrote: On July 11, 2009 10:57:14 am Haig Dedeyan wrote: At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: [1] $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = UPDATE phonedir SET

Re: [PHP] MySql Injection advice

2009-07-11 Thread Stuart
2009/7/12 Eddie Drapkin oorza...@gmail.com: No offense or anything, but all of this work you've done is immediately mode obsolete the second you switch to prepared statements.  They're easier to use and more secure, as well as making code more readable.  I don't understand why it's so hard for

Re: [PHP] MySql Injection advice

2009-07-11 Thread Zareef Ahmed
On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan hdede...@videotron.ca wrote: On July 11, 2009 10:57:14 am Haig Dedeyan wrote: At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: [1] $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = UPDATE

Re: [PHP] MySql Injection advice

2009-07-11 Thread Haig Dedeyan
On July 11, 2009 08:21:34 pm Haig Dedeyan wrote: On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan hdede...@videotron.ca wrote: On July 11, 2009 10:57:14 am Haig Dedeyan wrote: At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote: [1] $fname = mysql_real_escape_string($fname); $lname =

Re: [PHP] MySql Injection advice

2009-07-10 Thread Michael A. Peters
Haig Dedeyan wrote: Hi everyone, I'm starting to experiment with an edit form and I am seeing the following behaviour: $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id; $result =

Re: [PHP] MySql Injection advice

2009-07-10 Thread Haig Dedeyan
On July 10, 2009 11:26:04 pm Haig Dedeyan wrote: Haig Dedeyan wrote: Hi everyone, I'm starting to experiment with an edit form and I am seeing the following behaviour: $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $sql = UPDATE phonedir