Slashdot Mirror

In PHP 5.1, you could use PDO's prepared statements to do the same with other databases, I believe.

PHP succeeds an older product, named PHP/FI. PHP/FI was created by Rasmus Lerdorf in 1995, initially as a simple set of Perl scripts for tracking accesses to his online resume. - PHP history page

Quite honestly, as a programmer, I expect the applications to do as I ask them to, and not hold my dick at every opportunity. If I want something passed to a SQL statement in the way I've asked it to, I don't expect my data to be munged by the application to protect me.

Fuck magic_quotes_gpc. From the docs: 'Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.' (Source)

Use your database vendor's string escape functionality.

In conclusion, fuck magic quotes.

http://pear.php.net/manual/en/package.database.db. db-common.query.php

$rs = $db->query('SELECT foo FROM bar WHERE barId = ?', array($barId));

The problem is (most) people rather spend a week fixing stuff instead of doing proper research for a day to prevent that.

are there web application frameworks which don't support parameterized SQL statements?

that would be PHP.

Quit spreading FUD. PHP supports parameterized SQL just as well as any other language I've worked with. See, for example this doc page (search for "Example 2"). Even for databases whose native C APIs don't support the feature (i.e. MySQL), the database abstraction layer PEAR::DB that is distributed with PHP provides emulation.

are there web application frameworks which don't support parameterized SQL statements?

that would be PHP.

Quit spreading FUD. PHP supports parameterized SQL just as well as any other language I've worked with. See, for example this doc page (search for "Example 2"). Even for databases whose native C APIs don't support the feature (i.e. MySQL), the database abstraction layer PEAR::DB that is distributed with PHP provides emulation.

Just stick it around any non-constants you pass in to MySQL (especially ALL user input or user-influenceable input) and you should be good.

Of course, to minimize the risk that you miss one, you might want to use functions or classes to wrap mysql_query. EX I might make a "function selectFromTableX" that takes one field name and one value to compare for equality in the WHERE clause (assuming that's all I ever use SELECT on that table for). Or you can make a class for every table and wrap up ALL queries for that table you'll need.

There is the mysql-real-escape-string to prevent injection in MySQL along with pg_escape_string for PostgreSQL.

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
 
$name = 'one';
$value = 1;
$stmt->execute();

mysql_query('SELECT value FROM REGISTRY WHERE name = "' . $name . '"');

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
 
$name = 'one';
$value = 1;
$stmt->execute();

mysql_query('SELECT value FROM REGISTRY WHERE name = "' . $name . '"');

Interesting, given that SQL injection is one of the easiest attacks to protect against, by making all database access through an abstraction layer that escapes input, many web frameworks have support for database abstraction layers and prepared statements, like PEAR::DB for PHP, developers just need to make use of them.

How tricky it is to self-define a lightweight XML format? Use whatever element you like, and design the data structure on your own that suits you best. Why do we need to design a new language?

How is it different from calling a server to output XML and output HTML/XHTML? Which modern browser today does not support XSLT? Firefox, Internet Explorer? (Yes, Opera will support XSLT 1.0 in the coming version 9)

BTW, There are server-side XSLT processors (for very-old browsers sake). For instance, this, this and this.

And finally, what's the point to make the document semantic if the browser ignores it?

So, yeah, there's a reason every is critical of PHP.

I'm on the other side. What is it about a language that makes it *EASY* to consider the problem at hand, and doesn't make you worry too much about implementation details?

Using PHP, you don't have to worry about things like memory management and/or memory type translation. A "1" becomes a 2 when you add a 1 to it.

Arrays and hashes are the same. Any array can be accessed as a hash, any hash is also an array. Makes it easy to define data in memory, then do loops/recursion on it to get whatever result you want.

Simple!

Time spent solving customer problems rather than implementation problems is time spent making money instead of wasting it.

I've written some really big projects with PHP. (EG: over 50,000 lines in 3+ years, with NO HTML CODE) It's done a magnificent job. It scales nicely and easily with it's "share nothing" approach, and is highly reliable. In the 6 years that I've been actively developing with PHP, the number of times that there was a bug/problem with the language I could count on one hand, with 4 of the fingers peeled down. It's reliable and scalable enough that Yahoo uses it as their preferred development language.

And, as far as security, the vast majority of issues have been with idiots writing insecure scripting, which can be done in any language. (Yes, I'm thinking of you, SPAW editor!) And, if you're using a decent operating system with an update mechanism (EG: yum) then updates to fix found security issues is a no-brainer.

With PHP-GTK you can write quick, powerful, cross-platform GUI applications with ease and speed - I've done so, managing a distributed database application among some 70 school districts with many hundreds of users - and it works marvelously.

PHP may have it's warts, but it's a damned fine tool. Don't let anyone convince you otherwise.

Database work? Sorry, no prepared statements.

PHP has had prepared statement support for MySQL since 2003, it's been emulated in PEAR for an eternity and the very useful PDO extension provides an abstracted interface supporting prepared statements to SQL Server, Sybase, Firebird, Informix, MySQL, Oracle, PostgreSQL, SQLite, DB2 and ODBC.

(and of course, you HAVE to use the shell.)

Forgive me, but you don't know what you're talking about. There is almost never a need to call external apps from a PHP script. The most common needed external app is ImageMagick (because sometimes GD doesn't provide all the functionality you need.) Even then, there are at least two PHP extensions to deal with ImageMagick directly, as well as a PEAR package to abstract away from the image processing library/app.

Quick check: do you want escapeshellcmd, or escapeshellarg?

Well, I dunno, do you want to escape an entire command so that multiple commands can't be injected or do you want to escape a single argument so that multiple arguments can't be injected? Heaven forbid that you should have to spend ten seconds checking the manual pages...

Going to send mail()?

So use one of the multitude of classes specifically written to encapsulate mail sending (including, shock horror, one in PEAR.)

two words should make your skin crawl: "register globals"

register_globals has been disabled by default for six (6) years.

It's not the fault of the language that you didn't bother to keep up with how to use it as it evolved.

Database work? Sorry, no prepared statements.

PHP has had prepared statement support for MySQL since 2003, it's been emulated in PEAR for an eternity and the very useful PDO extension provides an abstracted interface supporting prepared statements to SQL Server, Sybase, Firebird, Informix, MySQL, Oracle, PostgreSQL, SQLite, DB2 and ODBC.

(and of course, you HAVE to use the shell.)

Forgive me, but you don't know what you're talking about. There is almost never a need to call external apps from a PHP script. The most common needed external app is ImageMagick (because sometimes GD doesn't provide all the functionality you need.) Even then, there are at least two PHP extensions to deal with ImageMagick directly, as well as a PEAR package to abstract away from the image processing library/app.

Quick check: do you want escapeshellcmd, or escapeshellarg?

Well, I dunno, do you want to escape an entire command so that multiple commands can't be injected or do you want to escape a single argument so that multiple arguments can't be injected? Heaven forbid that you should have to spend ten seconds checking the manual pages...

Going to send mail()?

So use one of the multitude of classes specifically written to encapsulate mail sending (including, shock horror, one in PEAR.)

two words should make your skin crawl: "register globals"

register_globals has been disabled by default for six (6) years.

It's not the fault of the language that you didn't bother to keep up with how to use it as it evolved.

That's not entirely true: http://www.php.net/pdo

I don't see why everyone is so critical of PHP.

PHP started out as a set of Perl scripts in 1995, presumably using the then-new Perl 5. When it became its own language in 1997, it somehow lost namespaces, the module loading system, DBI, use strict, and everything else in Perl that doesn't register on the suck-o-meter. It also did silly things like adopt the TCL global variable system, rather than using the one that C, Perl, Java, and even things like VB use.

So, yeah, there's a reason every is critical of PHP.

Sources: perldoc perlhist (perl 5.000 was released on 1994-Oct-17), PHP History (PHP/FI 1.0 was a bunch of Perl scripts released in 1995, PHP/FI 2.0 was written in C in 1997), DBI::Changes (First official DBI release was 0.58 released in 21 June 1995)

Very recently, we ported over our PHP-GTK product to Mac OSX 10.3/10.4. It took about a man-month to get all the libraries, dependencies, installer, icons, updates, permissions, etc. figured out, which honestly was 2-3 times longer than we thought it would take.

But, the end result is much, much better than expected! Our application looks, acts, and feels like any other Mac OSX application! Our customers are RAVING about it! The window dressing, the slick maximize/minimize, integration with the OS environment, etc. The launcher is a shell script, and so dependencies (such as the requirement for the installation of X11 and the Xcode apps) can be resolved in the shell script, and the failures displayed in Safari, so it even fails gracefully when the deps aren't met.

Wow! It's just incredible!

Do you *NEED* .NET? Can you learn something else? Something cross platform, maybe? Surely there's something out there that will do the job?

Well, if you can do some SQL and basic OO programming...I recommend looking into the database packages over at http://pear.php.net. Specifically, the DB_DataObject and related packages make creating a simple database and user interface for this pretty easy. Probably 1 or 2 days work if you know what you're doing, tops.
And if you think it is a little beyond your current skillset, perhaps you can find a developer who has worked w/ the pear libraries before to create it for you (I'm sure they have a mailing-list that would be useful for you, asl well).
Good luck!

For your consideration: http://us3.php.net/manual/en/ref.image.php

If you would like to see a simple script which generates a graph on the fly, help yourself to this.

Yes, there are languages far more powerful than PHP. But, as I say EVERY TIME this flamewar goes down- are you sure you need them? As my grand-pappy used to say: why go deer hunting with a tank when a shotgun will do just fine?

http://uk.php.net/manual/en/function.apache-note.p hp

Hopefully you'll come to your senses first.

Why didn't you use the ImageMagick extension in PECL? There's plenty of image processing options with PHP, just because MagickWand didn't work out for you, that doesn't mean you have to concoct a monstrous hybrid of PHPerl.

Not to stop your PHP bashing, but I use http://www.php.net/manual/en/function.pg-query-par ams.php/ also.

That is why you also turn " into " when it's inside double-quotes. This is the right solution, you just have to finetune it. It's not that hard, you just need to remember it every single time it should be done. It's the "remember" stuff that's hard.

Include turning & into &. Finally there's ' (') and you're done.

Some languages has functions to do this for you, you just need to call them.

Not sure about existing solutions, but it really shouldn't be that hard to roll your own – for example, if you use PHP, they have a great manual which not only explains everything you need to know, but it also has very useful examples and stuff. I actually learned everything I know about PHP just reading the manual, and copying the occassional tidbit of information – not very hard at all.

Maybe Gallery would work? (Forgot the URL, but it's a popular program, won't help with videos but it looks great for photos, etc.)

Rasmus Lerdorf has posted a PHP 6.0 wishlist that includes an opcode cache. Rasmus is the founder of the PHP project.

Zend might sell an accelerator, but that doesn't mean they can simply forbid the founder of PHP from adding the feature to his own project. At this point, I think the question is which opcode cache gets added to PHP, not whether it will happen.

Use of this function is recommended instead of addslashes().

http://php.net/manual/en/function.pdo-prepare.php
http://php.net/manual/en/function.pdo-quote.php
http://cvs.php.net/viewcvs.cgi/php-src/php.ini-rec ommended?rev=1.179.2.11
http://php.net/manual/en/ref.errorfunc.php#e-stric t

I guess my post won't reach +5 because mine is not stupid enough

http://php.net/manual/en/function.pdo-prepare.php
http://php.net/manual/en/function.pdo-quote.php
http://cvs.php.net/viewcvs.cgi/php-src/php.ini-rec ommended?rev=1.179.2.11
http://php.net/manual/en/ref.errorfunc.php#e-stric t

I guess my post won't reach +5 because mine is not stupid enough

http://php.net/manual/en/function.pdo-prepare.php
http://php.net/manual/en/function.pdo-quote.php
http://cvs.php.net/viewcvs.cgi/php-src/php.ini-rec ommended?rev=1.179.2.11
http://php.net/manual/en/ref.errorfunc.php#e-stric t

I guess my post won't reach +5 because mine is not stupid enough

http://php.net/manual/en/function.pdo-prepare.php
http://php.net/manual/en/function.pdo-quote.php
http://cvs.php.net/viewcvs.cgi/php-src/php.ini-rec ommended?rev=1.179.2.11
http://php.net/manual/en/ref.errorfunc.php#e-stric t

I guess my post won't reach +5 because mine is not stupid enough

Hi,

PDO and PEAR::DB both provide ways of doing this under PHP.

See http://pear.php.net/ and http://www.php.net/pdo for examples.

David.

Hi,

PDO and PEAR::DB both provide ways of doing this under PHP.

See http://pear.php.net/ and http://www.php.net/pdo for examples.

David.

'He also notes that the addslashes function was deprecated in PHP 4.0 due to security risks, but a "distressing" number of PHP applications continue to use the function.'

How come the php documentation doesn't mention this?

PEAR::DB supports almost the exact same method.

$data = array('one',2);

(short)
$result = $db->query('select * from table where foo=? and bar=?',$data);

(prepare)
$stmt = $db->prepare('select * from table where foo=? and bar=?');
$result = $db->execute($stmt,$data);

Works with mysql, pgsql, mssql... etc etc. MDB2 is the new version of this library which uses much the same syntax. Uses database-specific escaping/quoting automatically.

http://pear.php.net/manual/en/package.database.php

As long as you set the right multibyte string encoding in PHP via the multibyte string functions (specifically, the mb_internal_encoding function), the parser will catch the invalid multibyte sequence and fix it.

Move along, folks. No need to panic.

As long as you set the right multibyte string encoding in PHP via the multibyte string functions (specifically, the mb_internal_encoding function), the parser will catch the invalid multibyte sequence and fix it.

Move along, folks. No need to panic.

Bzzzzzzt!

eval($Content);

You don't see eval() too often in syntax highlighting code, now do you? =)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd ">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>{$title}</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<table>
{section name=mysec loop=$products}
<tr style="background-color : {cycle values="#f6f6f6,#e6e6e6"};">
                <td>{$producs[mysec].sku}</td>
                <td>{$producs[mysec].description}</td>
                <td>{$producs[mysec].price}</td>
</tr>
{/section}
</table>
</body>
</html>

$products = array();
$result = mysql_query("SELECT sku,description,price FROM products");
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    array_push($products, array('sku' => $row["sku"], 'description' => $row["description"], 'price' => $row["price"]));
}

$smarty = new Smarty;
$smarty->template_dir = "templates";
$smarty->compile_dir = "template_c";
$smarty->assign("title", "The title of the page.");
$smarty->assign("products", $products);
$smarty->display("template.tpl");

The Smarty template engine offers a flexible and powerful tool for PHP developers.

Where/when I choose to use templates versus embedded code depends on where in a web application the page is viewed. For example, I would use templates on the frontend of complicated sites that require pages to have different page displays, such as a newspaper. A regular news story may display differently from an editorial or op/ed piece. I also think the frontend of a website should be flexible because redesigns happen often.

But I embed HTML on the backend because the admin control panels are more functional than asthetic. Also, the backend pages are more critical than frontend pages and I want admin pages to be self-contained (not reliant on templates that may or may not work or contain errors).

If a user screws up a frontend template, the worst thing that can happen is that the page is unavailable until fixed. But if a user screws up a backend/admin page template, you're can't even access the backend to fix the problem.

Here is a prob that I ran into.
Using PHP and the following headers works fine if you want to generate a HTML table and dump it into Excel.

header("Content-Type: application/vnd.ms-excel");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

Using the following to open the table in OOo doesn't work. (It didn't for me at least)

header("Content-Type: application/vnd.sun.xml.calc");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

Luckily there is a nice PEAR package that takes care of this problem --> http://pear.php.net/package/Spreadsheet_Excel_Writ er/

Which language did you intend to start with?

I love PHP myself. Sure, script kiddies have given PHP a bad name in some circles, but I have never used a more flexible language. Plus, you can run a LAMP stack on just about ANYTHING (*cough* I'm familiar with grassroots budgets *cough*).

From what I have read, 99% of the challenge is mastering the "regular expression". PHP includes both the preg_match and preg_replace functions, both of which use these "regular expressions". The plus side is that even if you later decide to port over to something else, your math and regular expressions (i.e. the blood and guts) should be able to follow.

I have been working on this for awhile now. If you are interested, I'll be happy to setup an admin account for you so you can go futz with it and see what I've done. I'm using Wikipedia in order to "build concepts" (rather than tags or categories). Then, using those simple regular expressions, the bot can read websites and RSS feeds and begin categorizing accordingly.

(p.s. be honest. I don't mind constructive criticism at all. =)

Which language did you intend to start with?

I love PHP myself. Sure, script kiddies have given PHP a bad name in some circles, but I have never used a more flexible language. Plus, you can run a LAMP stack on just about ANYTHING (*cough* I'm familiar with grassroots budgets *cough*).

From what I have read, 99% of the challenge is mastering the "regular expression". PHP includes both the preg_match and preg_replace functions, both of which use these "regular expressions". The plus side is that even if you later decide to port over to something else, your math and regular expressions (i.e. the blood and guts) should be able to follow.

I have been working on this for awhile now. If you are interested, I'll be happy to setup an admin account for you so you can go futz with it and see what I've done. I'm using Wikipedia in order to "build concepts" (rather than tags or categories). Then, using those simple regular expressions, the bot can read websites and RSS feeds and begin categorizing accordingly.

(p.s. be honest. I don't mind constructive criticism at all. =)

If you read TFA, it says "Ruby on Rails (aka Rails) is a Ruby framework for database-backed Internet applications". My point was that, for this particular niche, it isn't any better than PHP using either phpGroupWare or eGroupWare which was forked from phpgw.

Developing new applications in these frameworks using the eTemplates system is a really quick and painless procedure. In that context, I mix SQL and PHP, using whatever language is best for a given operation. For the example you mentioned SQL works fine, although one could do it in PHP in a much shorter way than the code you presented, using "sort(array_unique($array))". Check the PHP standard library functions for array manipulations.

Of course, the application mentioned in the article is rather specific, for other type of work I wouldn't use PHP, I prefer Perl for smaller applications without too much number crunching or C/C++ for large ones.

Ruby reminds me of languages like Smalltalk, created in the academic world by professors for the delight of professors. The "everyhting is an object" concept is fine for the classroom, but in the real world I fail to see real advantages in it. OO offers some advantages in a very large project where you must coordinate the work of different programmers, some of which are less experienced than others. For smaller projects OO can be rather a hindrance than a help.

I have browsed the /. comments on this article and am still unconvinced by Ruby. Unfortunately, most of the arguments are like "Hey, Ruby is great, you should try it!", without real substance behind. OK, the one-liner you showed is cool, but the PHP counter example you presented shows that you don't know PHP that well to do an objective comparison between the two languages.

yup yup yup. I currently use keywords for google, google images, traceroute, whois, ebay, wiki, xe.net, php.net, mysql.com (though their website is mostly useless (in comparision with the brilliantly useful php.net)), amazon, archive.org, a file extension search page, and ip2country. yay for bookmarks! your suggestions welcome.

FYI:
http://www.dnsstuff.com/tools/tracert.ch?ip=%25s
http://filext.com/detaillist.php?extdetail=%25s&Su bmit3=Go!
http://whois.webhosting.info/%25s
http://web.archive.org/archive_request_ng?collecti on=web&url=%25s
http://en.wikipedia.org/wiki/Special:Search?search =%25s
http://www.xe.com/ucc/convert.cgi?Amount=%25s&From =USD&To=GBP
http://www.ezwhois.net/index.php
http://search.ebay.co.uk/search/search.dll?satitle =%25s&ht=1&sokeywordredirect=&from=R8&fkr=1&soloct og=9
http://www.php.net/search.php
http://www.mysql.com/search/?q=%25s&charset=
http://puremango.co.uk/ip2country.php?ip=%25s
http://www.amazon.co.uk/exec/obidos/search-handle- form/026-9212734-6757257

A lot of scripting languages allow a === for strict equality (including type)

= is assignment, == is equality, and === is often referred to as 'strict equality'. I don't know, however, of any compiled languages that use it.

While you're at it, make it read objects from a gzip compressed network stream:
new ObjectReader(new GZipReader(new SocketReader(new Socket("1.2.3.4", 42))));

http://php.net/manual/en/filters.compression.php

The examples are a bit short, but you can read the whole manual about streams and filters. It's also possible to append filters later in the communication - i.e. after a handshake. You'll see it has enough to offer and adding new stream wrappers and filters is easy.

...A blog entry about Linux being too hard to use?

I love the irony that the author is complaining that Linux and OSS are too hard to use.

Assemble the abstraction functions? Why not use the standard PEAR package?