Comments:
<0> Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource
<0> im getting that for a query that returns 850 lines
<1> DogWater, if $query is just a string, yes
<2> !+mysql_error
<3> Handle SQL Errors! For MySQL, always check if mysql_query() returned false; if so, print mysql_error(). I.e. $result = mysql_query($query); if (!$result) { echo $query.'<br>'.mysql_error(); exit(1); }
<4> Hey, so how can I stop SQL code injection in my PHP app? I'm using MySQL :X
<0> $query = mysql_query("SELECT * from items where id = '$id'") or die(mysql_error());
<5> poopieface, by validating ALL the data
<6> poopieface: the best way is to learn as much as possible about SQL
<1> poopieface, read about mysql_real_escape_string
<1> and htmlentities
<1> that's a good start
<4> i know about SQL and RDBMS design, but when using a string that can be anything (such as for searching)
<4> how does one prevent SQL injection?
<7> poopieface: you do $var=mysql_escape_string($var);
<0> i use real_escape_string
<7> you escape all strings poopieface
<4> where $var would be the query?
<6> poopieface: http://www.kfwebs.net/links/6/2 <- try the SQL Injection whitepaper
<0> err mysql_real_escape_string
<1> yep DogWater
<7> DogWater: what's the difference between real and what i told him?
<0> i think it's just the newer format
<8> newer is better, duh!
<9> I wonder if someone knows how to get live stream TV on your website from webcams
<6> in the end both are just a tool to aid you in the protection
<0> i used to use mysql_escape_string, one day i went to the manual for that function and it said to start using the other one
<0> so i did
<10> S_O_D: nope, no one knows
<6> you should know the fundamentals of the techniques
<7> S_O_D: it doesn't involve PHP... you should ask somewhere else.
<7> S_O_D: you could use Windows Media streaming or just about any other video streaming server.
<9> mmm maybe, but i have to ask
<8> The only difference between mysql_escape_string() and mysql_real_escape_string() is that the latter will escape the string using the character set of the provided connection (or default if none provided).
<10> Viflux: one more difference
<1> It should be something like this poopieface: user_input->filter/validate->escape->mysql->validate->html_output
<10> Viflux: it's deprecated
<8> itrebal: What's that?
<8> ahh
<10> since 4.3.0
<10> (mysql_escape_string, is)
<7> danf_1979: that seems like a lot of steps
<9> but if i use Windows Media Encoder how can i get the signal from the server to PHP
<7> i like doing user_input->validate->escape->mysql->html_output
<8> deprecated schmeprecated
<1> Redundant security is the best way to go
<7> i don't see why you have to double validate
<7> especially when you're going from your own protected server
<1> bashusr, you must escape html_output too
<7> why?
<1> always have a backup plan
<7> S_O_D: you don't.
<7> S_O_D: PHP can't stream anything
<7> S_O_D: you gotta use some other technology like Real, Windows Media Player, Flash, or some other embedded object
<7> you can't do it directly with PHP and HTML
<0> Hm.
<6> anyways, have a nice day, I'm going back to my beer and Dilbert :)
<0> This invalid resource thing is really slowing down my workflow
<0> damnit
<0> i was moving along really fast
<10> DogWater: don't you hate those?
<1> It should be something like this poopieface: user_input->filter/validate->mysql_real_escape_string($filtered)->mysql->htmlentities($output, ENT_QUOTES, $charset)
<10> danf_1979: usually you don't edit the input at all, beyond escaping it
<7> what in the world?!
<1> I don't edit it
<1> just filter it
<7> danf_1979: why do you need htmlentities?
<7> you expect to get HTML tags in your query?
<1> bashusr, JavaScript would be a good reason
<10> bashusr: in most, because then you can take the input and manipulate it later per specifications
<10> yay! my code is *nearly* done!
<7> wow
<7> i never thought about that.
<10> which part?
<7> people could inject JavaScript into my address field
<1> yes they do
<7> ouch.
<11> if i put a line "php_flag_register_globals = on" in my httpd.conf, is it the same as enabling register_globals in my php.ini?
<12> carchic: No, because it only applies to that context
<12> Therefore if you put it in on a virtual-host basis, it only applies to that vhost. And it won't affect CLI apps at all if it's in httpd.conf, or different web server instances
<11> MarkR: thank you
<11> oh alright then thanks again
<12> (Not that you'll normally be running more than one web server instance, but it's possible)
<13> carchic- in the sense that it opens huge security holes in your system, it's effect is the same
<13> its
<8> lol
<11> ahh that is what i am kind of wondering
<12> carchic: Oh yes, and you need a space not an underscore between php_flag and register_globals
<11> i am trying to use osCommerce
<5> MarkR, that way it can be limited per location, too... not necessarily separate servers
<4> k, so i did the escape string stuff
<12> That is always inadvisable
<13> Well that's mistake number one
<1> Oh, I'm not going to get banned again
<1> lol
<4> and i tried doing some SQL injection right now
<4> and the result was SELECT * FROM entry WHERE phone = 'Samsung C207 JOIN SELECT * FROM entry WHERE phone = Samsung C207;'
<4> so that means im protected now?
<11> is there a good alternative to osCommerce?
<4> what chars does it filter out?
<12> carchic: I'm not aware of a decent open source one, which is why a couple of years ago, I started writing one. We're fairly pleased with it so far, but it's not open source (yet) I'm afraid.
<12> Zencart is a marginal improvement, apparently, but not really much
<1> I'm developing one too
<1> but proprietary
<11> I am working on starting a page which should use a shopping cart and checkout...
<12> Well, the main problem with osCommerce (besides its awful code) is that the way its checkout works is extremely non-conducive to decent PSP integration. Most of its PSP integrations are a horrible hack.
<11> hmmm with no other open source alternative either? that makes my work a bit harder....
<0> uhh ok so the resource is invalid only in that FILE
<0> if i copy the code into a test.php and open the script it runs lol
<0> jesus
<0> ok im pissy now
<10> DogWater: oh i love those
<1> I've always wondered why Jesus' name has begun being used as that kind of expression... It's kind of funny
<1> but that's another story
<10> lol
<10> hehe
<10> i found this one quote a while ago "nobody is perfect. Well, there was this one guy. But we killed him."
<1> :)
<14> :))
<15> anyone have problems serializing a recursive tree (children know parent)?
<10> lol
<15> ?
<14> anyone know how to unset a variable that is a reference to another variable without destroying that other var.?
<16> is a good question
<12> draxas, I don't think that should happen anyway. Try unset
<16> logically it should
<14> right thanks
<16> my vulcan logic is failing me
<10> streaky: lol, why?
<15> so no one has had problems serializing trees and then having nodes missing upon unserialization?
<16> too much effort - i've been working on one.. and just getting some structure into one before anybody can even post docs.. 14 hours and counting :/
<12> TheMystic_ca: To be quite honest, I've never tried serialising a recursive structure.
<16> i hate open source :p
<12> Buy an Oracle licence then, you'll enjoy it I'm sure
<10> streaky: lol, a friend of mine used a wiki as a blog
<16> hum.. i think i did it once.. don't recall having problems
<15> MarkR: it's serialized by the time it leaves __sleep.
<16> a wiki as a blog? that's.. criminal
<10> streaky: he didn't have any problems until someone realized they could edit his posts :P
<16> rofl
<17> guys ... i'm kinda a newbie with PHP but i've been searching for hours for a way to count the number of lines in code :O
<10> at which point i shot him in the face and got him WordPress
<17> any1 can help me a little bit further on the way ?
<18> Is there a way to add a time out value for PHP? I have a program and I don't want it to run for more than 2 minutes.
<10> Bi3Zt: i guess you could do count(file('filename')); ...
<10> IOscanner:
<14> "I am not beating it - I am encouraging it with a stick" -- Mary Chipperfield
<10> http://us2.php.net/manual/en/function.set-time-limit.php
<19> Bi3Zt, in what context do you want to get the number of lines of code?
<12> IOscanner: There is a script timeout of some sort, but I think it's disabled by default when you use the CLI. I think you can still re-enable it