php-general Digest 27 May 2006 10:02:36 -0000 Issue 4151

php-general-digest-help@lists.php.net
Date: Sat May 27 2006 - 05:02:36 CDT


Topics (messages 236991 through 236997):

Re: Serialize
        236991 by: Al

Re: Escaping quotes for DB Entry
        236992 by: Ford, Mike
        236993 by: Ford, Mike

Re: 5.1.4, mysqli, and fastcgi leaving connections open.
        236994 by: steve

Re: anti SQL injection method in php manual.
        236995 by: Dotan Cohen

What is best framework?
        236996 by: Pham Huu Le Quoc Phuc

Fatal error: Call to undefined function mysql_create_db()
        236997 by: Mark Sargent

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribe@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribe@lists.php.net

To post to the list, e-mail:
        php-general@lists.php.net

----------------------------------------------------------------------

attached mail follows:


phplist@f2s.com wrote:
> Hi,
>
> Is a serialized array a "safe" string to insert into a mysql text field? Or is a
> function such as mysql_real_escape_string always needed?
>
> regards
> Simon

Seems like you can use MySQL blob fields and serialize.
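An added illustration (editor's example, not code from the thread) of why a serialized array is still an ordinary string that must be escaped or, better, bound before it goes into MySQL. `$db` is an assumed open mysqli connection and the table `settings(data BLOB)` is assumed.

```php
<?php
// Added example, not from the digest. serialize() emits quotes verbatim,
// so its output is as unsafe to splice into SQL as any other string.
// Constructed sample input:
$prefs = ['owner' => "O'Brien", 'theme' => 'dark'];
$packed = serialize($prefs);
// $packed is now: a:2:{s:5:"owner";s:7:"O'Brien";s:5:"theme";s:4:"dark";}
// The single quote inside O'Brien would terminate a '...' SQL literal.

// Wrong: string interpolation, exactly the risk the question asks about.
$broken = "INSERT INTO settings (data) VALUES ('$packed')";

// Acceptable: escape with the connection-aware function before interpolating.
function insert_escaped(mysqli $db, string $packed): bool {
    $sql = "INSERT INTO settings (data) VALUES ('"
         . $db->real_escape_string($packed) . "')";
    return (bool) $db->query($sql);
}

// Preferred: bind the value. The SQL text never contains the data, and
// binding is binary-safe, so it also suits BLOB columns and serialized
// strings, which can carry embedded NUL bytes for object properties.
function insert_bound(mysqli $db, string $packed): bool {
    $stmt = $db->prepare('INSERT INTO settings (data) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $packed);   // quotes are data, not SQL syntax
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```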

attached mail follows:


> From: Brad Bonkoski [mailto:bbonkoski@mediaguide.com]
> Sent: Fri 26/05/2006 15:41
>
> A lot has been said recently about the dangers of the family of
> magic_quotes...
> I understand the dangers.
> The question is, for those of us using a database that does not have a
> *real_escape_string function...Oracle for example.
> What is the *best* way to escape quotes for DB insertion?

Well, since Oracle escapes single-quotes with another single quote, on the few occasions when I actually have to escape I generally just run:
 
    $safe_str = str_replace("'", "''", $str);
 
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: m.ford@leedsmet.ac.uk
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

attached mail follows:


> From: Jochem Maas [mailto:jochem@iamjochem.com]
> Sent: Fri 26/05/2006 15:54

>
> Brad Bonkoski wrote:
> > All...
> > A lot has been said recently about the dangers of the family of
> > magic_quotes...
> > I understand the dangers.
> > The question is, for those of us using a database that does not have a
> > *real_escape_string function...Oracle for example.
> > What is the *best* way to escape quotes for DB insertion?
>
> looking at the manual I would assume that ora_bind() is the best way of safely
> stuffing things into an oracle DB:
>
> http://php.net/manual/en/function.ora-bind.php

Whoa, that is waaaay out of date - the ora_ functions have been deprecated as long as I've been using PHP, which is several years now! You should be using the OCI extension, and oci_bind_by_name().

> if this function is of any worth it *should* be doing any/all proper escaping of
> data 'under water' and hopefully much more thoroughly/correctly than anything you/we
> could do in userland.
>
> <remark type="biased">
> of course you could use firebird DB (php5 interbase extension) and just make use of
> the built in parameterized query functionality - which is simple to use, doesn't
> require endless reams of parameter binding declaration and is rock solid (i.e. no
> matter how crap my input filtering is SQL injection remains impossible ;-))
> </remark>
 
oci_bind_by_name() (and, presumably, ora_bind() before it) *is* Oracle's parameterized query equivalent -- admittedly not quite as elegant, but no escaping required and is "rock solid (i.e. no matter how crap [your] input filtering is SQL injection remains impossible"!).
 
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: m.ford@leedsmet.ac.uk
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
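An added example (editor's code, not from either reply) contrasting the two approaches discussed in the Oracle escaping thread above: doubling quotes inside a literal, as in the `str_replace()` reply, versus an OCI bind variable, as in the `oci_bind_by_name()` reply. It assumes `$conn` is an open OCI connection and a table `NOTES(BODY VARCHAR2(4000))`.

```php
<?php
// Added example, not from the digest. Two ways of putting a user-supplied
// string into Oracle from PHP: quote doubling in a literal versus a bind
// variable. $conn is an assumed open OCI connection.

// Quote doubling, as the str_replace() reply does. Correct only when the
// result is placed inside a single-quoted SQL literal, and it protects
// nothing else: numbers, identifiers and LIKE wildcards are untouched.
function oracle_literal(string $s): string {
    return "'" . str_replace("'", "''", $s) . "'";
}

// Bind variable: the statement is parsed once with :body as a placeholder;
// the value is attached afterwards and is never read as SQL.
function insert_note($conn, string $body): bool {
    $stmt = oci_parse($conn, 'INSERT INTO notes (body) VALUES (:body)');
    if ($stmt === false) {
        return false;
    }
    // oci_bind_by_name() binds by reference, so $body must stay in scope
    // until oci_execute() has run.
    oci_bind_by_name($stmt, ':body', $body, 4000);
    $ok = oci_execute($stmt);          // commits on success by default
    oci_free_statement($stmt);
    return $ok;
}

// Constructed sample: the apostrophes are handled by both approaches.
$sample = "Rock 'n' roll";
// oracle_literal($sample) gives: 'Rock ''n'' roll'
// insert_note($conn, $sample) sends the text unchanged through the bind.
```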

attached mail follows:


mysqli does not have persistent connections. Kinda wish it did, as
using fastcgi has about the same number of processes that I would
want connections in a connection pooling scheme under a module
scenario.

Anyhow, it's a 5.1.4 bug and it's reported.

attached mail follows:


On 5/26/06, Eric Butera <digital.tarsier@gmail.com> wrote:
> > > > What is the purpose of the sprintf?
>
> It's just a way of creating the string without escaping it with quotes
> to call the function over and over to keep it clean.
>

Thanks. I think that I'll stick with the simpler code (to my eyes) and
eliminate the sprintf. In any case, it works.

Dotan Cohen
http://auto-car.info

attached mail follows:


Hi!
I intend to write an online sales website using PHP and MySQL.
I want to find the "best framework" (available) for PHP.
Could you give me some advice?
Thanks.

attached mail follows:


Hi All,

I get the following,

Fatal error: Call to undefined function mysql_create_db() in
/usr/local/apache2/htdocs/createmovie.php on line 6

for this code,

 5 //create the moviesite database
 6 mysql_create_db("moviesite") or die(mysql_error());

which is from a tutorial in the book I'm using. Any pointers? Code looks
identical to the book's. Cheers.

P.S. I also tried this,

mysql_create_db("moviesite", $connect) or die(mysql_error());

and

mysql_create_db("moviesite", "$connect") or die(mysql_error());

Mark Sargent.
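An added example (editor's code, not from the post or the book it quotes) of creating the database through the mysqli extension instead of `mysql_create_db()`. A database name is an identifier, not a value, so it cannot be sent as a bound parameter; it has to be checked against a strict allow-list and quoted as an identifier. `$db` is an assumed open mysqli connection; the credentials shown are constructed.

```php
<?php
// Added example, not from the digest. Replaces mysql_create_db() with a
// plain CREATE DATABASE statement issued through mysqli, and validates the
// name because identifiers cannot be bound as parameters.
function create_database(mysqli $db, string $name): bool {
    // MySQL identifiers are at most 64 characters; restrict further to
    // characters that need no special treatment anywhere in SQL.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        throw new InvalidArgumentException("Unsafe database name: $name");
    }
    // Backticks are excluded by the pattern above, so no doubling needed.
    $sql = 'CREATE DATABASE `' . $name . '`';
    if ($db->query($sql) === false) {
        // Same intent as "or die(mysql_error())", without killing the script.
        throw new RuntimeException('CREATE DATABASE failed: ' . $db->error);
    }
    return true;
}

// Usage matching the tutorial's intent (constructed credentials):
$db = new mysqli('localhost', 'user', 'password');
create_database($db, 'moviesite');
```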