
echo_loser

  1. So I guess Zend2 is going to be COMPLETELY different? Maybe I could get started with the book I have now and then take on Zend 2 once it's released? It's from late 2009 though so what do you think? Should be a good intro right? I am intent on learning Zend because that seems to be where most of the jobs are.
  2. My friend who works avidly with Zend Framework gave me one of his old books: Easy PHP Websites with the Zend Framework. The problem is it's the first edition from 2009. There is a second edition released in May 2011 and when I asked him if I should get the newer one he said some things have changed but the book is still useful. What do you guys think? Has the platform changed enough to warrant getting the new edition? Also, would you recommend this book as a way of getting familiar with Zend? I really want a comprehensive book that I can follow from start to finish... there doesn't seem to be a set of tutorials online available for free. Or is there? If there is a set of tutorials somewhere online can someone please direct me towards that? Thank you.
  3. Using intval() on integers by the way - thanks again!
  4. Deeply bows as a sign of appreciation and respect.
  5. Ok, it’s pretty obvious when someone SHOULD use mysql_real_escape_string(), but other times I am confused: 1) When variables are $_GET[] through the URL and used in a SELECT statement. I am thinking most likely YES since the user can just alter the URL link any way they wish. 2) When variables come from ALREADY inserted values into the database BY ADMIN and are used in a SELECT statement. I’m thinking it’s NOT needed here? Variables in question here are used to populate an HTML <select> box. ----- Also, two final questions: 3) If I use mysql_real_escape_string() on a variable and then use it in a SELECT statement, do I have to use the mysql_real_escape_string() AGAIN on that SAME variable if I use it in an INSERT statement a few rows down? Or, do I just need to mysql_real_escape_string() it once? 4) I do not use the second parameter (link identifier) because I am using only one db connection link in the script. Is this ok? $var = mysql_real_escape_string($var)
  6. I am trying to find a job doing PHP and MySQL. I have a portfolio section where I created a really simple Postcard application where visitors can send people they know online postcards via email after they click on a confirmation link I send them using sha1() as a token in a temp table that holds information. I was also going to add a section where I show usage of Regular Expressions and things. Does anybody have any suggestions what other web apps or whatever I could add to this section to make my portfolio section really POP to potential employers? Any suggestions are welcome and much appreciated.
  7. Great! Thanks for that. The OWASP was overwhelming in sheer volume so I needed something that would show me the most common security issues related to PHP and MySQL only. Thanks! I will check out the PHP security resource you provided. I knew there had to be something on this website but after looking for 20 min I gave up and decided to make a post. AND... if anyone else has any PHP and MySQL articles regarding commonly dealt with security issues that they can provide, I would greatly appreciate it and review EVERYTHING.
  8. I recently came across this function: mysql_real_escape_string. I did more research on it and I found out that this is the STANDARD procedure to prevent against SQL injection attacks. The book I am following basically told me to: mysql_real_escape_string ($variable_name); To every variable BEFORE I use it in an SQL query that involves variables enclosed in quotes (strings). I didn’t even know about SQL injection attacks before this and I was wondering--since the book I am following is for beginners--is there a place or a sticky on this site (or any resource is appreciated) that has the most common security procedures you should do for PHP and MySQL? I don’t want to look like the complete noob that I am when I go looking for a job. I know there are security issues that also relate to servers and server settings, but I’m not worried about that as I am just trying to build a portfolio of PHP and MySQL stuff so I can find a job.
  9. Roger that. I'll use md5() instead. Thanks!
  10. Yeah, you're right. I won't waste the time of this forum with questions like these in the future. Sorry about that... just a bit new to the whole PHP thing.
  11. The password function in MySQL: PASSWORD(), produces a 41-byte hash value which I store in a password CHAR(41) NOT NULL. I was curious though how long of a string can be converted into that 41-byte hash value? For example, if someone were to enter a 1000 character string, would that still be able to be stored in CHAR(41)? The book I am following limits the password to maxlength="20" but I did not see my question being answered in the book or on the MySQL website so I am just asking.
  12. If say, you were to set a table field to VARCHAR(5), and the user were to enter a string that is 6 characters long, how would MySQL react? Would it store the first 5 characters and ignore the last 6th character? In the case that there is NO server side checking of course. I did keyword searches on Google with no luck to my question being answered.
  13. I am new to the whole PHP/MySQL thing and I had a question on database performance: After I connect to the database and do a SELECT statement on a table, what is the proper way to handle closing and/or freeing memory. Currently, in the book I am following, the ONLY thing that they do is a mysql_free_result() after they are done extracting the info from the table into variables. They say that although it is usually only used when expecting LARGE returns, it should be used consistently to mark the end of needing that result set. I was wondering is mysql_free_result() enough? Or is there something else I should be doing like closing the database with a die() or something?
  14. Ahhh… Ok thank you for that. I’m thinking that the problem is: although I was visiting two separate websites, they were BOTH under LOCALHOST as I was developing locally so when I cleared session variables for ONE test site it cleared session variables for EVERYTHING under http://localhost? I guess then I have another simple question that relates: There are two different LIVE (NOT localhost) sites under DIFFERENT domain names, they both have a session variable named $_SESSION['logged'], and this variable $_SESSION['logged'] when set to 1 (ON) will determine whether or not a user is logged in and display appropriate HTML content. Will there be confusion by the browser between the two different LIVE websites and will there be a chance of content that shouldn’t be accessed (user not logged in) being displayed simply because the other site with the SAME session variable name is set to on? $_SESSION['logged'] == 1 being ON. I guess all this confusion came about because my test sites were ALL under http://localhost? Thank you again
  15. I am following along in a PHP, MySQL book and the way they clear session variables is by: session_start(); session_unset(); session_destroy(); They clear session variables like that in that exact order. My question is that this apparently clears ALL session variables for the browser in use. Every website I have visited when you click a LOGOUT button ONLY logs you out of their specific site and DOES NOT seem to clear ALL session variables as this would log you out of any other websites that you might be logged into with that same browser. So, I went to the PHP website and found out that instead of using the session_unset () function you can clear individual session variables using the unset ($_SESSION['varname']) function. Is this a good way of clearing session variables ONLY for a PARTICULAR website and NOT clearing session variables for the WHOLE browser? If so, would I then NOT use the session_destroy () function after clearing each individual session variable specific to that ONE website using unset ($_SESSION['varname'])? Thank you in advance!