I opened a gate and shit is flooding.
szigya
Latest posts made by szigya
-
RE: Php magicians
@dhromed said:
@szigya said:
You have a really small monitor :(
Sorry, I meant only your previous one, with the ton of white space.
I know.
-
RE: Php magicians
@dhromed said:
@anonymous235 said:
indeed!
It's fixed-height padding so that syzzigy's posts fit exactly on my monitor.
You have a really small monitor :(
-
RE: Php magicians
php magicians v2
[code]
protected static function storeData($generatedSessionId, $value){
    $storeId = self::getStoreKey($generatedSessionId);
    // $storeId is cast to int here...
    $sql = "
        DELETE FROM dataStoreData WHERE store_id = " . (int)$storeId . ";
    ";
    self::$_dbConnection->execute($sql);
    foreach($value as $row){
        // ...but not here, and current($row) goes into the SQL text unescaped;
        // quote() already adds quotes, so the serialized data gets a second pair
        $sql = "
            INSERT INTO dataStoreData (store_id, row_id, data)
            VALUES (" . $storeId . ", " . current($row) . ", '" . self::$_dbConnection->quote(serialize($row)) . "')
        ";
        self::$_dbConnection->execute($sql);
    }
    return $storeId;
}
[/code]
-
RE: Php magicians
@FragFrog said:
@szigya said:
It's not a problem here, because date is a valid data, and there is no $date input parameter (in the function) as you can see :))).
Yes, it is. It's bugs like this that give PHP a bad name, in my opinion. Simply always parametrize your queries; if you have a good system in place for that, it becomes second nature and you automatically avoid bugs like this because those quotes would have been inserted automatically - which would have saved you five hours of work.
For example, a system I work with has a fairly simple query syntax that is based on (and is essentially identical to) sprintf. It takes a variable number of arguments, of course, and each parameter goes through mysql_real_escape_string and has quotes added to it. Possibility of SQL injection: zero; at least, as long as you consistently enforce this structure. Is this some mysterious, newfangled enigma technique? Not exactly: it's been in place for almost a decade now (and in fact is being deprecated in favor of the newer MySQLi methods). Heck, there's an example of how to do this in the manual.
Don't misunderstand me, this is not the technique I use when I write code. I've learnt ASP.NET as well, and prefer that kind of coding style, so I use a framework for my php projects. I said it's not a problem from a security aspect, and I don't think it would be better if it was a parameter.
-
RE: Php magicians
@dhromed said:
@szigya said:
Fuck, I see what you did here :D
Yo! When replying, you should include a bit of relevant quote, otherwise it looks like you're shouting randomly.
Sure, danke. I'm just getting to know this forum engine.
As well as how to add new lines.
-
RE: Php magicians
It seems common, but I've never seen anything like this before. I could post two or three pieces like this a day. Another example:
There is a menu: Queries.
A function in connection with it is like this:
[code]
public function Query128()
{
    $sql = "...";
    //execute
    return $result;
}
[/code]
and the number of the query is (was) an autoincrement value in the database, and was static in the view. So if I wanted to create a new query, I had to rename it after migration, because queries can be created "online" by clicking on a button and writing in an sql query.
-
RE: Php magicians
It's not a problem here, because date is a valid data, and there is no $date input parameter (in the function) as you can see :))).
Actually 'only' was a little sarcasm; it originates from my mother tongue, maybe in English it's not so obvious. In this system there aren't any foreign keys, because it uses MyISAM. :(
-
Php magicians
I work on a system every day which is made of bugs. Today I realized how stupid a human being can be. If someone has to pay as a punishment, the system stores it with id 204. An idiot wrote into the code insert into ... punishment_reason=402. I looked for it and there is no 402 id in the punishment reason table. It is "the same" as 204, so I checked the function which should list these punishments. The function was this one:
[code]
function getLastPunishmentDate()
{
    if ($date == null)
    {
        $date = date();
    }
    $sql = "select blablabla where date=" . $date;
    return SQLObject::fetch($sql);
}
[/code]
The only problem was that it returned null every time, because $date had not been surrounded by quotes. I've done a 5 minute task in 5 hours. Thank you guys! (Again..)
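The unquoted-date bug in this post, and the two remedies discussed in the thread (FragFrog's sprintf-style escaping wrapper, and bound parameters), as an added example that is not code from the thread or from the system szigya describes. It runs against an in-memory SQLite database; the table name `punishment`, the columns `punished_on` and `reason_id`, the function names and the sample rows are all assumed.

```php
<?php
// Added example, not from the forum thread. Reproduces the unquoted-date bug
// against an in-memory SQLite database and shows two fixes: a bound parameter
// (PDO prepared statement) and a sprintf-style escaping wrapper.
// Table and column names are assumptions, not the real system's schema.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Constructed sample schema and rows (assumed names and values).
$db->exec('CREATE TABLE punishment (id INTEGER PRIMARY KEY, punished_on TEXT NOT NULL, reason_id INTEGER NOT NULL)');
$seed = $db->prepare('INSERT INTO punishment (punished_on, reason_id) VALUES (?, ?)');
foreach ([['2024-01-10', 204], ['2024-01-12', 204], ['2024-01-12', 402]] as $row) {
    $seed->execute($row);
}

// The bug from the post, reproduced: the date is concatenated without quotes,
// so the database parses 2024-01-12 as the arithmetic 2024 - 1 - 12 and the
// comparison never matches. No error is raised; the query just finds nothing.
function punishmentsOnBroken(PDO $db, string $date): array
{
    $sql = 'SELECT id, reason_id FROM punishment WHERE punished_on = ' . $date;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1: a bound parameter. The value is sent separately from the SQL text, so
// quoting and escaping are never the caller's job. The date defaults to today
// when none is given, which is what the original $date == null branch intended.
function punishmentsOn(PDO $db, ?string $date = null): array
{
    $date ??= date('Y-m-d');
    $stmt = $db->prepare('SELECT id, reason_id FROM punishment WHERE punished_on = :d');
    $stmt->execute([':d' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2: the sprintf-style wrapper FragFrog describes. %s arguments go through
// PDO::quote(), which escapes the value and adds the surrounding quotes; %d
// arguments are cast to int. Unknown placeholders and a placeholder/argument
// count mismatch are rejected instead of silently producing broken SQL.
// (A literal % followed by a letter, e.g. in a LIKE pattern, is not supported.)
function query(PDO $db, string $format, ...$args): PDOStatement
{
    $i = 0;
    $sql = preg_replace_callback('/%[a-zA-Z]/', function (array $m) use ($db, $args, &$i): string {
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException('more placeholders than arguments');
        }
        $arg = $args[$i++];
        switch ($m[0]) {
            case '%d':
                return (string) (int) $arg;
            case '%s':
                return $db->quote((string) $arg);
            default:
                throw new InvalidArgumentException('unsupported placeholder ' . $m[0]);
        }
    }, $format);
    if ($i !== count($args)) {
        throw new InvalidArgumentException('more arguments than placeholders');
    }
    return $db->query($sql);
}

// Usage: same date, three ways.
var_dump(count(punishmentsOnBroken($db, '2024-01-12')));
var_dump(count(punishmentsOn($db, '2024-01-12')));
var_dump(count(query($db, 'SELECT id FROM punishment WHERE punished_on = %s AND reason_id = %d', '2024-01-12', 204)->fetchAll()));
```

The broken version finds no rows for the date even though two exist, which is exactly the silent "returns nothing every time" failure described above; the two fixed versions find them. The wrapper is the weaker of the two fixes: it still builds SQL text by string substitution and only works as long as every call goes through it, which is FragFrog's own caveat, whereas a bound parameter never mixes data into the SQL text at all.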