php-general Digest 4 Oct 2007 14:11:05 -0000 Issue 5054

php-general-digest-helplists.php.net
Date: Thu Oct 04 2007 - 09:11:05 CDT



Topics (messages 262724 through 262747):

Re: Alternate Colors in Rows
        262724 by: Nathan Nobbe
        262744 by: Robert Cummings
        262746 by: tedd

inserting ´ in a db
        262725 by: Yamil Ortega
        262727 by: Bastien Koert
        262729 by: Chris
        262734 by: Tom Swiss
        262738 by: Larry Garfield

Mime Magic functions - how standard are they?
        262726 by: Dave M G
        262730 by: mike

Any known security issues with IMAP?
        262728 by: Don O'Neil
        262731 by: Don O'Neil
        262732 by: Chris
        262745 by: Andrew Ballard

Re: the opposite of a join?
        262733 by: Jim Lucas
        262735 by: Aleksandar Vojnovic
        262743 by: Robert Cummings

Re: inserting ´ in a db
        262736 by: Aleksandar Vojnovic

Re: [PHP-DB] Re: [PHP] Re: the opposite of a join?
        262737 by: Chris
        262740 by: Aleksandar Vojnovic
        262741 by: Chris

Re: The Context of 0
        262739 by: Tom Swiss

Re: Sessions running out of storage space - Increase memory?
        262742 by: Per Jessen

MySQL Identifying worst-performing codes
        262747 by: Lasitha Alawatta

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribelists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribelists.php.net

To post to the list, e-mail:
        php-generallists.php.net

----------------------------------------------------------------------

attached mail follows:


On 10/3/07, Robert Cummings <robertinterjinn.com> wrote:
>
> Hopefully you're using a decent browser (almost
> anything other than IE -- I recommend Opera :)
>

Opera is the best for straight browsing. I've found I could have 40 to 50
tabs open with no noticeable performance hit. Firefox bogs badly after
about 20 tabs and I find some of the features aren't as smart as Opera.
Sadly though I think Firefox is the best for development. Web Developer and
Firebug are 2 priceless tools for development. Plus the view source on
Firefox is much better than other browsers.

-nathan

attached mail follows:


On Wed, 2007-10-03 at 22:12 -0400, Nathan Nobbe wrote:
> On 10/3/07, Robert Cummings <robertinterjinn.com> wrote:
> Hopefully you're using a decent browser (almost
> anything other than IE -- I recommend Opera :)
>
> Opera is the best for straight browsing. I've found I could have 40 to 50
> tabs open with no noticeable performance hit. Firefox bogs badly after
> about 20 tabs and I find some of the features aren't as smart as Opera.
> Sadly though I think Firefox is the best for development. Web Developer
> and Firebug are 2 priceless tools for development. Plus the view source
> on Firefox is much better than other browsers.

Opera lets you define what you use to view source. I use my editor joe
and so it's all nice and highlighted. I view source in the same way I
edit HTML.

Cheers,
Rob.
--
...........................................................
SwarmBuy.com - http://www.swarmbuy.com

    Leveraging the buying power of the masses!
...........................................................

attached mail follows:


At 1:44 PM -0500 10/3/07, Steve Marquez wrote:
>Greetings,
>
>I am attempting to alternate the colors of the container DIV. Anyone know
>how to do this?

Hi Steve:

Easy and simple.

First, keep presentation separate from data. In other words, use css
to define a css-class, like so:

.row0
        {
          background-color: yellow;
        }

.row1
        {
          background-color: #809FFF;
        }

Second, embed php into your table, like so:

          <tr class="row<?php echo($i++ & 1 );?>">

You can see a working demo here:

http://webbytedd.com/b/color-rows/

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

attached mail follows:


Hi list, good day.

 

I have a simple script that inserts text on a mysql table, that has a field
named description and the type is text.

Everything works fine, except when I try to insert a text that includes a
simple quote.

For example

 

Yamil´s car

 

I send the character string to a variable and then insert into a query. But
the mysql says that something is wrong with the query because the quote
after the l looks like the end of the string, and “s car” doesn't look like
a valid part of the query.

 

Can anyone help me out, how to handle this error?

 

Thanks

Yamil

attached mail follows:


There are any number of elements to try
 
htmlspecialchars
mysql_real_escape_string
addslashes
 
RTFM and see what works best for your situation
 
 
 
bastien

> From: jiumangmail.com
> To: php-generallists.php.net
> Date: Thu, 4 Oct 2007 11:44:34 +0900
> Subject: [PHP] inserting ´ in a db
>
> Hi list, good day.
>
> I have a simple script that inserts text on a mysql table, that has a field
> named description and the type is text.
>
> Everything works fine, except when I try to insert a text that includes a
> simple quote.
>
> For example
>
> Yamil´s car
>
> I send the character string to a variable and then insert into a query. But
> the mysql says that something is wrong with the query because the quote
> after the l looks like the end of the string, and “s car” doesn't look like
> a valid part of the query.
>
> Can anyone help me out, how to handle this error?
>
> Thanks
>
> Yamil

attached mail follows:


Yamil Ortega wrote:
> Hi list, good day.
>
>
>
> I have a simple script that inserts text on a mysql table, that has a field
> named description and the type is text.
>
> Everything works fine, except when I try to insert a text that includes a
> simple quote.
>
> For example
>
>
>
> Yamil´s car

http://www.php.net/mysql_real_escape_string

--
Postgresql & php tutorials
http://www.designmagick.com/

attached mail follows:


dmagickgmail.com (Chris) writes:

> > Everything works fine, except when I try to insert a text that includes a
> > simple quote.

> http://www.php.net/mysql_real_escape_string

     I'll see you that and raise you PEAR's database interfaces:

http://pear.php.net/package/DB - especially DB_common::quoteSmart()

or the more modern

http://pear.php.net/package/MDB2

     I'm still partial to DB but suppose I will eventually have to move
to MDB2.

-- Tom Swiss / tms(at)infamous.net / www.infamous.net / www.unreasonable.org
    "What's so funny about peace, love, and understanding?" - Nick Lowe
                  "Power to the Peaceful" - Michael Franti

attached mail follows:


On Wednesday 03 October 2007, Tom Swiss wrote:
> dmagickgmail.com (Chris) writes:
> > > Everything works fine, except when I try to insert a text that includes a
> > > simple quote.
> >
> > http://www.php.net/mysql_real_escape_string
>
> I'll see you that and raise you PEAR's database interfaces:
>
> http://pear.php.net/package/DB - especially DB_common::quoteSmart()
>
> or the more modern
>
> http://pear.php.net/package/MDB2
>
> I'm still partial to DB but suppose I will eventually have to move
> to MDB2.

And I'll raise you native prepared statements with a unified, C-based
interface:

http://www.php.net/pdo

--
Larry Garfield AIM: LOLG42
larrygarfieldtech.com ICQ: 6817012

"If nature has made any one thing less susceptible than all others of
exclusive property, it is the action of the thinking power called an idea,
which an individual may exclusively possess as long as he keeps it to
himself; but the moment it is divulged, it forces itself into the possession
of every one, and the receiver cannot dispossess himself of it." -- Thomas
Jefferson
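
The two approaches from this thread side by side, as an added example that is not from any of the posters: the concatenated query that Yamil's apostrophe breaks, and the same INSERT through a PDO prepared statement. It uses an in-memory SQLite database and a constructed table so it runs stand-alone; the table and column names are assumptions.

```php
<?php
// Added example (not from the list thread): the same INSERT done by string
// concatenation and by a PDO prepared statement. In-memory SQLite is used so
// the script runs without a MySQL server; the table is constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cars (id INTEGER PRIMARY KEY, description TEXT)');

// The value that broke the original query: a plain apostrophe (single quote).
$description = "Yamil's car";

// 1. Concatenation: the apostrophe terminates the SQL string literal, so the
//    rest ("s car') is parsed as SQL and the statement fails. Any quote in
//    user-supplied text changes the meaning of the query in the same way,
//    which is why the escaping the thread discusses is needed at every call.
try {
    $pdo->exec("INSERT INTO cars (description) VALUES ('$description')");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the value is sent separately from the SQL text, so
//    the driver never interprets the apostrophe. No per-call escaping needed.
$insert = $pdo->prepare('INSERT INTO cars (description) VALUES (:description)');
$insert->execute([':description' => $description]);

// Reading it back, again with a bound parameter rather than concatenation.
$select = $pdo->prepare('SELECT description FROM cars WHERE description = :d');
$select->execute([':d' => $description]);
var_dump($select->fetchColumn());
```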

attached mail follows:


PHP List,

I would like to set up a function within my system that can test a file
that a user has uploaded and determine what kind of file it is. My
intention is to only handle a fairly small number of common file types*,
so I don't think I need to build anything too robust.

Of course, I checked php.net, but was almost immediately confounded by
what seems to be a transition from mime_content_type to Fileinfo. My
confusion lies in the fact that on the one hand mime_content_type seems
to be in the process of being depreciated, but at the same time, the
Fileinfo functions seem to rely on PECL extensions which don't seem to
be standard in every PHP installation.

At least, it seems like the PECL extensions are not present in my
testing environment, which use default installation settings (via Ubuntu
Feisty repositories).

When I tried to emulate the example on this page:
http://php.benscom.com/manual/en/function.finfo-open.php

... It gave me an error indicating the class "finfo" could not be found.

I'm trying to build a system that will hopefully be portable without
anyone having to reconfigure PHP in any way to get it running.

So, ultimately, what I'm wondering is, what should I be using in order
to determine file MIME types that will be the most commonly installed on
servers with PHP?

Thank you for any advice.

* The file types I will test for are most likely to be the following:
.txt, .pdf, .png, .gif, .jpg, .mp3, .ogg, .doc, .odt, .zip, .gz... maybe
that's it.

--
Dave M G
Zend Studio 5.5
Ubuntu 7.04

attached mail follows:


On 10/3/07, Dave M G <martinautotelic.com> wrote:
> So, ultimately, what I'm wondering is, what should I be using in order
> to determine file MIME types that will be the most commonly installed on
> servers with PHP?

I wrote something that does system("file -iNr $file") which gives you
the application/mime-type output. the problem is that it was video
files, and a bunch of the microsoft video formats wind up showing up
as just generic binary data, just like executable files. I wound up
disabling it as I could not rely on it (I had to say "skip *.wmv from
processing" which rendered the whole point of this useless)

Depending on what you need the output for, that could work quite well.
Look into using file through the system() call. From the file types
you listed above I think it can identify them pretty well. Adjust the
options as needed. I decided to go that route instead of trying to
find a PECL or PEAR solution (or I checked and it didn't seem like a
good one was available at the time)
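
An added example, not the poster's own code, that does what the two messages above discuss: use the Fileinfo class when it is available and fall back to the `file` command otherwise, with the filename passed through escapeshellarg() so a crafted upload name cannot inject shell syntax into the command the way an unquoted `$file` would. The MIME allow-list for the extensions in Dave's footnote is an assumed mapping; the sample file is constructed.

```php
<?php
// Added example (not the list poster's code): detect an uploaded file's MIME
// type with Fileinfo when present, otherwise with file(1), then check the
// result against an allow-list. The sample file is constructed below.

function detectMimeType(string $path): ?string
{
    if (class_exists('finfo')) {
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $type = $finfo->file($path);
        return $type === false ? null : $type;
    }
    // Fallback: the file(1) utility. escapeshellarg() quotes the path so a
    // filename containing shell metacharacters is passed as one literal
    // argument instead of being interpreted by the shell.
    $out = shell_exec('file -b --mime-type ' . escapeshellarg($path) . ' 2>/dev/null');
    if ($out === null || $out === false) {
        return null;
    }
    $out = trim($out);
    return $out === '' ? null : $out;
}

// Assumed MIME types for the extensions listed in the question.
const ALLOWED_TYPES = [
    'text/plain', 'application/pdf', 'image/png', 'image/gif', 'image/jpeg',
    'audio/mpeg', 'audio/ogg', 'application/msword',
    'application/vnd.oasis.opendocument.text', 'application/zip',
    'application/gzip', 'application/x-gzip',
];

function isAllowedUpload(string $path): bool
{
    $type = detectMimeType($path);
    // Unknown or generic answers (the application/octet-stream result mike
    // saw for .wmv files) are rejected rather than guessed at.
    return $type !== null && in_array($type, ALLOWED_TYPES, true);
}

// Constructed sample: a PNG signature, regardless of what the name suggests.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
printf("%s -> %s (%s)\n", basename($tmp), detectMimeType($tmp) ?? 'unknown',
    isAllowedUpload($tmp) ? 'allowed' : 'rejected');
unlink($tmp);
```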

attached mail follows:


Are there any known security issues/concerns with compiling PHP with
imap/pop3 support? Such as hijacking php pages and relaying spam, etc...?

attached mail follows:


Are there any known security issues/concerns with compiling PHP with
imap/pop3 support? Such as hijacking php pages and relaying spam, etc...?

attached mail follows:


Don O'Neil wrote:
> Are there any known security issues/concerns with compiling PHP with
> imap/pop3 support? Such as hijacking php pages and relaying spam, etc...?

[ was posting this again a mistake or just impatience? ]

I'm not sure how opening an email inbox can hijack pages but maybe
someone more creative than I can show me..

None that I'm personally aware of but if you really want to check it out
look at bugs.php.net and do some searching.

--
Postgresql & php tutorials
http://www.designmagick.com/

attached mail follows:


On 10/4/07, Chris <dmagickgmail.com> wrote:
> Don O'Neil wrote:
> I'm not sure how opening an email inbox can hijack pages but maybe
> someone more creative than I can show me..

I don't know about the IMAP/POP3 itself, but if you are displaying the
messages in a web browser for something like building your own
web-mail client, the messages themselves would make YOUR pages just as
vulnerable to all kinds of cross-site scripting (XSS) attacks and the
like as they would be by accepting input from a web form. (I think
someone recently posted this link in another thread:
http://phpsec.org/projects/guide/ )

So yes, if you don't use diligence to filter that stuff out before you
send it to the browser, someone could study your mail interface well
enough to do anything they want by impersonating the user viewing the
messages -- just for starters.

Andrew
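
Andrew's point, as an added example that is not part of the thread: a home-grown webmail page has to treat a fetched message body as untrusted input and escape it before sending it to the browser. The message below is a constructed sample and the function name is an assumption.

```php
<?php
// Added example, not from the thread: rendering a fetched mail body in a
// home-grown webmail page. Mail content is untrusted input exactly like a
// form field and is escaped before it is sent to the browser.

// The declared charset must match the one used for escaping below, otherwise
// the browser may decode bytes differently from how they were escaped.
header('Content-Type: text/html; charset=UTF-8');

function renderMessageBody(string $body, string $contentType): string
{
    // ENT_QUOTES also neutralises quotes (attribute contexts); ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string, which
    // would silently blank the message.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $escaped = htmlspecialchars($body, $flags, 'UTF-8');

    if (stripos($contentType, 'text/html') === 0) {
        // An HTML part is never inserted as markup here: without a real HTML
        // sanitiser, the safe choice is to show its source as escaped text.
        return '<pre class="mail-html-source">' . $escaped . '</pre>';
    }
    // Plain text: escaped, with line breaks restored for display.
    return '<p>' . nl2br($escaped) . '</p>';
}

// Constructed message: a script tag and an event-handler attribute that a
// page echoing the body raw would run in the reader's session.
$sample = "Hi,\n<script>alert('xss')</script>\n<img src=\"x\" onerror=\"alert(1)\">";
echo renderMessageBody($sample, 'text/plain; charset=UTF-8'), "\n";
```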

attached mail follows:


Robert Cummings wrote:
> On Wed, 2007-10-03 at 14:49 -0700, Jim Lucas wrote:
>> This is only from my own personal testing. Mind you that I have only been using PostgreSQL for a
>> year or so. But one problem that I have always ran into with MySQL is that when JOIN'ing tables
>> that have large data sets is a PITA.
>
> Were you doing left joins when you experienced those problems? Left
> joins are usually very fast.
>
>> So, if I was running MySQL, I would use SQL #1, but if I were using PostgreSQL, I would use SQL #2
>
> I'd use the left join whenever available.
>
> Cheers,
> Rob.

Honestly, I cannot remember. It was right when I first started with
PHP/mysql back in 1999. I think we were using a JOIN (without the LEFT)

Which I think the default is an INNER JOIN if I do recall.

I really have never played with performance over the past few years.

This past year I have been working on a new DB with Call Detail Records
for a phone company. On average we have to deal with processing 2 - 4
million records each billing cycle. So, having to work with that amount
of CDR's and a couple thousand client records that are associated with
them, makes for a good performance test on SQL statements.

--
Jim Lucas

     "Perseverance is not a long race;
         it is many short races one after the other"

Walter Elliot

     "Some men are born to greatness, some achieve greatness,
         and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
     by William Shakespeare

attached mail follows:


I would also suggest to limit yourself to things you actually need not
to select the whole table.

Aleksandar

Jim Lucas wrote:
> Colin Guthrie wrote:
>> Martin Marques wrote:
>>> SELECT * FROM company WHERE id NOT IN (SELECT companyID FROM contacts);
>>
>> Not ideal as has been mentioned else where in this thread.
>>
>> Col
>>
> I think one would have to take into account the DB type being used here.
>
> I can have MySQL and PostgreSQL setup and running with the same table
> structure (well, as close as you can get) configured with two
> different databases in them.
>
> SQL #1 SELECT *
> FROM company
> WHERE id
> NOT IN (
> SELECT companyID
> FROM contacts
> );
>
> SQL #2 SELECT company.*
> FROM company
> LEFT JOIN contacts
> ON (
> company.companyID = contacts.companyID
> )
> WHERE contacts.companyID IS NULL
>
> Now, both SQL statements will perform relatively the same on either
> DB's with a small data set.
>
> but, if you have a large data set, MySQL will benefit from having the
> Sub-Query style statement
>
> Where-as PostgreSQL will shine with the JOIN command.
>
> This is only from my own personal testing. Mind you that I have only
> been using PostgreSQL for a year or so. But one problem that I have
> always ran into with MySQL is that when JOIN'ing tables that have
> large data sets is a PITA.
>
> So, if I was running MySQL, I would use SQL #1, but if I were using
> PostgreSQL, I would use SQL #2
>
> If anybody else has suggestions or comments about performance between
> MySQL vs. PostgreSQL with regards to similarly formed SQL calls, I
> would like to hear their experiences.
>

attached mail follows:


On Thu, 2007-10-04 at 11:56 +1000, Chris wrote:
> Robert Cummings wrote:
> > On Thu, 2007-10-04 at 11:23 +1000, Chris wrote:
> >> Robert Cummings wrote:
> >>> On Wed, 2007-10-03 at 14:49 -0700, Jim Lucas wrote:
> >>>> This is only from my own personal testing. Mind you that I have only been using PostgreSQL for a
> >>>> year or so. But one problem that I have always ran into with MySQL is that when JOIN'ing tables
> >>>> that have large data sets is a PITA.
> >>> Were you doing left joins when you experienced those problems? Left
> >>> joins are usually very fast.
> >> If indexed properly of course ;)
> >
> > Yes, but you're not going to get a performance improvement if you use
> > anything else if the table isn't properly indexed.
>
> A subselect could win out in terms of performance especially if the
> table in the subselect is reasonably small (eg all fits into memory).

But if it fits in memory then it's probably already in memory for a left
join also.

Cheers,
Rob.
--
...........................................................
SwarmBuy.com - http://www.swarmbuy.com

    Leveraging the buying power of the masses!
...........................................................

attached mail follows:


Pick one:
http://si2.php.net/manual/en/function.htmlentities.php
http://si2.php.net/manual/en/function.addslashes.php
http://si.php.net/mysql_escape_string

Aleksandar

Yamil Ortega wrote:
> Hi list, good day.
>
>
>
> I have a simple script that inserts text on a mysql table, that has a field
> named description and the type is text.
>
> Everything works fine, except when I try to insert a text that includes a
> simple quote.
>
> For example
>
>
>
> Yamil´s car
>
>
>
> I send the character string to a variable and then insert into a query. But
> the mysql says that something is wrong with the query because the quote
> after the l looks like the end of the string, and “s car” doesn't look like
> a valid part of the query.
>
>
>
> Can anyone help me out, how to handle this error?
>
>
>
> Thanks
>
> Yamil
>
>
>

attached mail follows:


Aleksandar Vojnovic wrote:
> I would also suggest to limit yourself to things you actually need not
> to select the whole table.

In this case you can't because you're looking for records that exist in
one table that don't exist in another.

Apart from looking at the whole table in each case how else would you do
that?

--
Postgresql & php tutorials
http://www.designmagick.com/

attached mail follows:


It seems you missed my point :) if you would need all the data then
select them all, but if you need only partial data from the table then
you could limit yourself to that specific columns. I doubt everybody
need everything all the time. True?

Aleksandar

Chris wrote:
> Aleksandar Vojnovic wrote:
>> I would also suggest to limit yourself to things you actually need
>> not to select the whole table.
>
> In this case you can't because you're looking for records that exist
> in one table that don't exist in another.
>
> Apart from looking at the whole table in each case how else would you
> do that?
>

attached mail follows:


Aleksandar Vojnovic wrote:
> It seems you missed my point :) if you would need all the data then
> select them all, but if you need only partial data from the table then
> you could limit yourself to that specific columns. I doubt everybody
> need everything all the time. True?

Ahh - you meant the select * from table bit ;) My apologies.

--
Postgresql & php tutorials
http://www.designmagick.com/

attached mail follows:


jblanchardpocket.com ("Jay Blanchard") writes:

> In certain cases 0 is the equivalent of FALSE and in other cases a 0 is
> just a 0... Exercise care when using 0 to determine if something is FALSE
> and understand that 0 has context.

     I think "context" and "equivalence" are not a completely accurate way to
think about this.

     0 is always 0.

     0 is equal to ( == ) False. 0 is not identical to ( !== ) False. If 0
needs to be typecast or converted to a boolean value, the result is False.

     Saying that it's the "equivalent of" False is ambiguous. AFAIK
"equivalent" is not a PHP operator or concept. When you say
"equivalent" do you mean "equal to" or "identical to" or "gets cast to" or
something else?

     PHP programmers must understand the difference between "x equals y"
and "x is identical to y", and the implicit type conversions that occur.
Novices, study

http://www.php.net/manual/en/language.operators.comparison.php

http://www.php.net/manual/en/language.types.type-juggling.php

until you grok why

<?php

if (0 == False) echo "0 == False\n";
if (1 == True) echo "1 == True\n";
if (-1 == True) echo "-1 == True\n";

$b = (boolean)-1; var_dump($b);
$i = intval($b); var_dump($i);

?>

gives

0 == False
1 == True
-1 == True
bool(true)
int(1)

-- Tom Swiss / tms(at)infamous.net / www.infamous.net / www.unreasonable.org
    "What's so funny about peace, love, and understanding?" - Nick Lowe
                  "Power to the Peaceful" - Michael Franti

     

attached mail follows:


Dan wrote:

> After thinking about this a while I also thought of making my own
> cache. The problem with that is would it be any faster or have any
> less strain on the server than having multiple requests/connections to
> the database?

A lot depends on the amount of data and the overall load on the
web-server.
If you do the query once, then store the result in a file, and then keep
reading that file for the next <cachetime> seconds, the file will most
probably remain in memory, so accessing it will be fast and without IO.

/Per Jessen, Zürich
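
The file cache Per describes, as an added example that is not his code: run the query once, serialise the rows to a file, and re-read the file for the next cache-time seconds. The write goes to a temporary file in the same directory and is renamed into place so a concurrent reader never sees a half-written file; $fetch is a hypothetical callable standing in for the real database query.

```php
<?php
// Added example (not Per's code): query result cached in a file for
// $cacheTime seconds. Atomic replace via tempnam()+rename() avoids readers
// seeing a partially written cache; unserialize() is restricted to arrays so
// a tampered cache file cannot instantiate objects.

function cachedQuery(string $cacheFile, int $cacheTime, callable $fetch): array
{
    // Fresh enough: serve from the file (the OS page cache keeps it hot).
    if (is_file($cacheFile) && (time() - filemtime($cacheFile)) < $cacheTime) {
        $data = @file_get_contents($cacheFile);
        if ($data !== false) {
            $rows = unserialize($data, ['allowed_classes' => false]);
            if (is_array($rows)) {
                return $rows;
            }
        }
        // Unreadable or corrupt cache: fall through and rebuild it.
    }

    $rows = $fetch();

    // Write beside the target (same filesystem), then rename over it.
    $tmp = tempnam(dirname($cacheFile), 'cache');
    if ($tmp !== false
        && file_put_contents($tmp, serialize($rows), LOCK_EX) !== false
        && rename($tmp, $cacheFile)) {
        return $rows;
    }
    if ($tmp !== false) {
        @unlink($tmp);
    }
    return $rows;   // caching failed, but the query result is still valid
}

// Constructed stand-in for the database query; counts how often it runs.
$queries = 0;
$fetch = function () use (&$queries): array {
    $queries++;
    return [['id' => 1, 'name' => 'alpha'], ['id' => 2, 'name' => 'beta']];
};

$file = sys_get_temp_dir() . '/demo-query.cache';
@unlink($file);
cachedQuery($file, 60, $fetch);
cachedQuery($file, 60, $fetch);   // second call is served from the file
printf("database queried %d time(s)\n", $queries);
unlink($file);
```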

attached mail follows:


Hello friends,

There is a tool called "idera" (SQL diagnostic manager). Basically it is a
performance monitoring and diagnostics tool. It has a feature:

Identifying of worst-performing codes - Identifies performance bottlenecks
such as the worst-performing stored procedures, long-running queries, most
frequently run queries, SQL Statements and SQL batches

http://www.idera.com/Products/SQLdm/Features.aspx

I'm looking for a similar tool for MySQL. Does anyone have any ideas?

Thanks in advance,

Best Regards,
Lasitha