logs archiveIRC Archive / Freenode / #php / 2006 / April / 2 / 1
DogWater
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource
im getting that for a query that returns 850 lines
danf_1979
DogWater, if $query it's just a string, yes
Stormchaser
!+mysql_error
php-bot
Handle SQL Errors! For MySQL, always check if mysql_query() returned false; if so, print mysql_error(). I.e. $result = mysql_query($query); if (!$result) { echo $query.'<br>'.mysql_error(); exit(1); }
poopieface
Hey, so how can I stop sql code injection in my php app? I'm using MySQL :X
DogWater
$query = mysql_query("SELECT * from items where id = '$id'") or die(mysql_error());
poncha
poopieface, by validating ALL the data
K_F
poopieface: the best way is to learn as much as possible about SQL
danf_1979
poopieface, read about mysql_real_escape_string
and htmlentities
that's a good start
poopieface
i know about sql and rdbms design, but when using a string that can be anything (such as for searching)
how does one prevent sql injection?
bashusr
poopieface: you do $var=mysql_escape_string($var);
DogWater
i use real_escape_string
bashusr
you escape all strings poopieface
poopieface
where $var would be the query?
K_F
poopieface: http://www.kfwebs.net/links/6/2 <- try the SQL Injection whitepaper
DogWater
err mysql_real_escape_strings
danf_1979
yep DogWater
bashusr
DogWater: what's the difference between real and what i told him?
DogWater
i think its just the newer format
Viflux
newer is better, duh!
S_O_D
I wonder if someone knows how to get live stream tv on your website from webcams
K_F
in the end both are just a tool to aid you in the protection
DogWater
i used to use mysql_escape_strings, one day i went to the manual for that function and it said started using the other one
so i did
itrebal
S_O_D: nope, noone knows
K_F
you should know the fundamentals of the techniques
bashusr
S_O_D: it doesn't involve php... you should ask somewhere else.
S_O_D: you could use windows media streaming or about another other video streaming server.
S_O_D
mmm maybe, but i have to ask
Viflux
The only difference between mysql_escape_string() and mysql_real_escape_string() is that the latter will escape the string using the character set of the provided connection (or default if none provided).
itrebal
Viflux: one more difference
danf_1979
It should be something like this poopieface: user_input->filter/validate->escape->mysql->validate->html_output
itrebal
Viflux: it's deprecated
Viflux
itrebal: What's that?
ahh
itrebal
since 4.3.0
(mysql_escape_string, is)
bashusr
danf_1979: that seems a lot of steps
S_O_D
but if i use windows media encoder how can i get the signal from the server to php
bashusr
i like doing user_input->validate->escape->mysql->html_output
Viflux
deprecated schmeprecated
danf_1979
Redundant security is the best way to go
bashusr
i don't see why you have to double validate
especially when you're going from your own protected server
danf_1979
bashusr, you must escape html_output too
bashusr
why?
danf_1979
always have a backup plan
bashusr
S_O_D: you don't.
S_O_D: php can't stream anything
S_O_D: you gotta use some other technology like real, windows media player, flash, or some other embedded object
you can't do it directly with php and html
DogWater
Hm.
K_F
anyways, have a nice day, I'm going back to my beer and Dilbert :)
DogWater
This invalid resource thing is really slowing down my workflow
damnit
i was moving along really fast
itrebal
DogWater: dont you hate those?
danf_1979
It should be something like this poopieface: user_input->filter/validate->mysql_real_escape_string($filtered)->mysql->htmlentities($output, ENT_QUOTES, $charset)
itrebal
danf_1979: usually you dont edit the input at all, beyond escaping it
bashusr
what in the world?!
danf_1979
I dont edit it
just filter it
bashusr
danf_1979: why do you need htmlentities?
you expect to get html tags in your query?
danf_1979
bashusr, javascript would be a good reason
itrebal
bashusr: in most, because then you can take the input and manipulate it later per specifications
yay! my code is *nearly* done!
bashusr
wow
i never thought about that.
itrebal
which part?
bashusr
people could inject javascript into my address field
danf_1979
yes they do
bashusr
ouch.
carchic
if i put a line "php_flag_register_globals = on" in my httpd.conf, is it the same as enabling register_globals in my php.ini?
MarkR
carchic: No, because it only applies to that context
Therefore if you put it in on a virtual-host basis, it only applies to that vhost. And it won't affect CLI apps at all if it's in httpd.conf, or different web server instances
carchic
MarkR: thank you
oh alright then thanks again
MarkR
(Not that you'll normally be running more than one web server instance, but it's possible)
Dragnslcr
carchic- in the sense that it opens huge security holes in your system, it's effect is the same
its
Viflux
lol
carchic
ahh that is what i am kind of wondering
MarkR
carchic: Oh yes, and you need a space not an underscore between php_flag and register_globals
carchic
i am trying to use osCommerce
poncha
MarkR, that way it can be limited per location, too... not necessarily separate servers
poopieface
k, so i did the escape string stuff
MarkR
That is always inadvisable
Dragnslcr
Well that's mistake number one
danf_1979
Oh, I'm not going to get banned again
lol
poopieface
and i tried doing some sql injection right now
and the result was SELECT * FROM entry WHERE phone = 'Samsung C207 JOIN SELECT * FROM entry WHERE phone = Samsung C207;'
so that means im protected now?
carchic
is there a good alternative to osCommerce?
poopieface
what chars does it filter out?
MarkR
carchic: I'm not aware of a decent open source one, which is why a couple of years ago, I started writing one. We're fairly pleased with it so far, but it's not open source (yet) I'm afraid.
Zencart is a marginal improvement, apparently, but not really much
danf_1979
I'm developing one too
but proprietary
carchic
I am working on starting a page which should use a shopping cart and checkout...
MarkR
Well, the main problem with oscommerce (besides its awful code) is that the way its checkout works is extremely non-conducive to decent PSP integration. Most of its PSP integrations are a horrible hack.
carchic
hmmm with no other open source alternative either? that makes my work a bit harder....
DogWater
uhh ok so the resource is invalid only in that FILE
if i copy the code into a test.php and open the script it runs lol
jesus
ok im pissy now
itrebal
DogWater: oh i love those
danf_1979
I've always wondered why Jesus' name began being used as that kind of expression... It's kind of funny
but that's another story
itrebal
lol
hehe
i found this one quote a while ago "nobody is perfect. Well, there was this one guy. But we killed him."
danf_1979
:)
draxas
:))
TheMystic_ca
anyone have problems serializing recursive tree (children know parent)?
itrebal
lol
TheMystic_ca
?
draxas
anyone know how to unset a variable that is a reference to another variable without destroying that other var.?
streaky
is a good question
MarkR
draxas, I don't think that should happen anyway. Try unset
streaky
logically it should
draxas
right thanks
streaky
my vulcan logic is failing me
(Action) throws out a free tip: never start a wiki
itrebal
streaky: lol, why?
TheMystic_ca
so no one has had problems serializing trees and then having nodes missing upon unserialization?
streaky
too much effort - i've been working on one.. and just getting some structure into one before anybody can even post docs.. 14 hours and counting :/
MarkR
TheMystic_ca: To be quite honest, I've never tried serialising a recursive structure.
streaky
i hate open source :p
MarkR
Buy an Oracle licence then, you'll enjoy it I'm sure
itrebal
streaky: lol, a friend of mine used a wiki as a blog
streaky
hum.. i think i did it once.. don't recall having problems
TheMystic_ca
MarkR: it's serialized by the time it leaves __sleep.
streaky
a wiki as a blog? that's.. criminal
itrebal
streaky: he didnt have any problems until someone realized they could edit his posts :P
streaky
rofl
Bi3Zt
guys ... i'm kinda a newbie with php but i've been searching for hours for a way to count the number of lines in code :O
itrebal
at which point i shot him in the face and got him wordpress
Bi3Zt
any1 can help me a little bit further on the way ?
IOscanner
Is there a way to add a time out value for php. I have a program and I don't want it to run for more then 2 minutes.
itrebal
Bi3Zt: i guess you could do count(file('filename')); ...
IOscanner:
draxas
"I am not beating it - I am encouraging it with a stick" -- Mary Chipperfield
itrebal
crrj
Bi3Zt, in what context do you want to get the number of lines of code?
MarkR
IOscanner: There is a script timeout of some sort, but I think it's disabled by default when you use the CLI. I think you can still re-enable it