

Member Since 06 May 2003
Offline Last Active Today, 01:45 AM

Posts I've Made

In Topic: Am I doing MySQL PDO secure?

Today, 01:45 AM

People often confuse escaping with SQL injection.

They have nothing to do with each other. Escaping is about taking care of the characters that SQL uses to begin and end a string. OK, so if your injection is based on injecting a string then it will help with that, but with PDO or mysqli, and a prepared statement, you don't have to bother with escaping. Don't ever create an SQL statement that includes a string; use a parameter instead, and you eliminate SQL injection as well as make it unnecessary to use an escaping function.
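The point above, as an added example that is not code from the original post: it assumes the ericgonzp.inputtest table from the thread with its PHONE column plus a hypothetical NAME column, placeholder credentials, and function names (connect, insertUnsafe, insertSafe) chosen here for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes the table
// ericgonzp.inputtest with a PHONE column plus a hypothetical NAME column,
// and placeholder credentials.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=ericgonzp;charset=utf8mb4',
        'db_user',      // placeholder
        'db_password',  // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// What NOT to do: the input is spliced into the SQL text, so an apostrophe
// in $name ends the string literal and whatever follows is parsed as SQL.
// An escaping function only papers over that one character class.
function insertUnsafe(PDO $pdo, string $name, string $phone): void
{
    $pdo->exec("INSERT INTO inputtest (NAME, PHONE) VALUES ('$name', '$phone')");
}

// Prepared statement: the SQL text holds only placeholders and the values
// travel separately, so no character in $name or $phone can change the
// query's structure, and no escaping is needed.
function insertSafe(PDO $pdo, string $name, string $phone): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO inputtest (NAME, PHONE) VALUES (:name, :phone)'
    );
    $stmt->execute([':name' => $name, ':phone' => $phone]);
}

$pdo = connect();
// "O'Brien" is stored exactly as typed; passed to insertUnsafe() the same
// value would at best be a syntax error.
insertSafe($pdo, "O'Brien", '555-0100');
```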


Today, 01:37 AM

Look, the error you have is this:

"INSERT INTO ericgonzp.inputtest(
See the trailing comma after PHONE? (PHONE,)

That is invalid SQL syntax.

The same goes for:

Remove those commas, and it will probably work.

HOWEVER, as already stated, the mysql_ extension has been removed from PHP. Your code only works because you are using an older version of PHP.

Please, do heed the advice from Requinix and Jacques. You should use MySQLi or PDO/MySQL (I prefer the PDO extension), and you really should clean up your code so it's readable.

In Topic: Upload file from local PC to server.

Today, 01:30 AM

Are you writing a command-line PHP program that you are running from a CMD shell?


That would be the ideal way to do something like this. If not, you would have to be running within the environment of some sort of web server, and that is not what you want to do for an automation utility.


This page covers the basics of this:  http://php.net/manua...commandline.php


You want to specify the path to the PHP interpreter in your Windows install and the path to your script, for example:

C:\PHP5\php.exe -f "drive:/path/to/your/script.php"

Once this runs natively, you can tweak your Windows environment if you want to associate command-line PHP with the .php file extension, etc., if you choose.

In Topic: PHP MySQL Update Serialised Data

25 May 2016 - 06:03 PM

It would be much faster to do an update of the value directly with SQL.


Your question isn't clear as to which column the serialized string is stored in, but my guess would be that it's in `option_value`?


If I understand you correctly, you are looking for the sub-string


MySQL has the REPLACE function, which will do a direct replacement.

UPDATE tbl SET column_name = REPLACE(column_name, 'reciever_email', $newEmail)

I'm not clear if in your example reciever_email is a literal constant, or some random actual email.


If there is a constant available in the serialized structure that will let you always find the exact part of the string you need to find, then REPLACE is your best option.


The same idea would conceptually also work for email, if your example is literally the way the data appears in each and every row.


If, however, there is some variation, then your only option will be to write a program that reads each row, unserializes the data into a variable, updates it, reserializes it and does an update of that value.


MySQL does allow for regular expressions in searches, but unfortunately in this case, not for replacing values.


This SO thread does a good job covering some of the potential work-arounds and variables involved in an "in database" regex-based replace feature (for example, MariaDB has this feature) that might be applicable to your environment.

In Topic: "global" nginx configuration

17 May 2016 - 04:50 PM

All the advice you've been given is correct.


Nginx will never have config variables, as the developers have been clear that they don't believe that the performance cost of parsing and compiling configuration is acceptable.


Jacques already linked you the include directive page.