
Pancake

Everything posted by Pancake

  1. I'm guessing you mean...

      class someThing {
          public function someFunction() {
              /* */
              return 'foo';
          }
      }
      /* */
      class anotherThing {
          protected $do;
          function __construct() {
              $this->do = new someThing();
          }
          public function display() {
              echo $this->do->someFunction();
          }
      }
      $a = new anotherThing();
      $a->display();

  2. "INSERT INTO ... WHERE username='" . $_POST['username'] . "'" is the same as "INSERT INTO ... WHERE username='{$_POST['username']}'"
  3. Right-click the file first, and then give yourself permissions to edit it.
  4. Ahh... you have a good point there... I've only been on this forum for so long.
  5. Examples:
      - http://www.phpfreaks.com/forums/index.php/topic,177199.0.html
      - http://www.phpfreaks.com/forums/index.php/topic,177132.0.html
     (I'm assuming cpg_db_query doesn't auto-escape queries?)
  6. I know how to escape them. I probably was not conveying my point very clearly. Lately, I've seen newer people post code that uses $_POST directly in their SQL statements, and I've seen almost nobody point it out. Anyway, best method (I think):

      function escapeString($str) {
          // Undo the slashes magic_quotes added, so the value isn't escaped twice
          if(get_magic_quotes_gpc())
              $str = stripslashes($str);
          return mysql_real_escape_string($str);
      }

  7. Is it just me, or is there nothing wrong with inserting $_POST and $_GET variables into SQL queries? I've seen a lot of:

      mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] . "'");

     because can't a user send along:

      foo' OR 1=1 --

     It seems like we are teaching new people to rely on Magic_quotes.
  8. http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection
  9. Is it just me, or is there nothing wrong with directly using a $_POST variable in an SQL query?
  10. 

      <?php setcookie("cartId", "", time() - 3600); ?>

     Should work just fine. Even time()-1 should work. (I think)
  11. And crafty users can change hidden form fields and disabled fields, so treat hidden/disabled fields as if they were not hidden/disabled.
  12. I like it because you can reuse the code very easily, AND it's extremely easy to pass variables between functions. For example:

      class myExample {
          var $num = 1;
          function add() {
              $this->num++;
          }
          function returnNum() {
              return $this->num;
          }
      }
      $example = new myExample();
      $example->add();
      echo $example->returnNum(); //Returns 2
      $example->add();
      $example->add();
      $example->add();
      echo $example->returnNum(); //Returns 5

  13. ???

      $query = "UPDATE `news` SET `title` = '".$_POST['title']."', `description` ='".$_POST['description']."', `author` ='".$_POST['author']."' , `main_page` ='".$_POST['main_page_display']."' WHERE `id` ='".$_POST['id']."';";

     If it wasn't for magic_quotes_gpc, then that would mean bad news...
  14. AAHHHH!!! SQL INJECTION!!!! Try something like this:

      <?PHP
      $name = escapeString($_POST['name']);
      $email = escapeString($_POST['email']);
      $username = escapeString($_POST['username']);
      $password = escapeString(md5($_POST['password']));

      // lets check to see if the username already exists
      $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
      $username_exist = mysql_num_rows($checkuser);

      /* Stuff removed to shorten post */

      $query = "INSERT INTO users (name, email, username, password) VALUES('$name', '$email', '$username', '$password')";
      mysql_query($query) or die(mysql_error());

      /* Removed to shorten post */

      function escapeString($str) {
          // stripslashes() returns the new string; the result has to be assigned back
          if(get_magic_quotes_gpc())
              $str = stripslashes($str);
          return mysql_real_escape_string($str);
      }
      ?>

  15. If you're new to PHP, then don't handle people's credit card numbers. Use something like PayPal.
  16. You need to also download PHP. Click Here and download it. When it asks to configure for a server, select "Apache 2.X". And when it asks for the config directory for Apache, browse for something like this: C:\Program Files\Apache Software Foundation\Apache2.2\conf. For your previous posts, PHP (by default) will only process files that end in .php. A .php file is basically a .html file, but PHP processes them.
  17. This would probably require the use of a database to be completely exact. This *might* help... http://www.phpit.net/article/creating-whosonline-script-php/
  18. The only issue is that a-z doesn't allow capital letters, and (I think) the {0, 100} is the amount of text that can be sent through... try:

      if(eregi("^[a-zA-Z0-9]+$", $x)) { // + so more than one character is accepted

     Or the easier way:

      if(preg_match('/^[[:alnum:]]+$/', $x)) { // preg patterns need delimiters

  19. 

      VALUES ('$form_description', '$data', '$form_data_name', '$form_data_size', '$form_data_type')")

     I'm assuming that $form_description and such have been defined earlier?
  20. sqlStuff Class:

      class sqlStuff {
          /* Creates variables to be used in the SQL Connection.
             These should be changed to match your SQL server settings */
          protected $db_host = 'localhost';
          protected $db_user = 'root';
          protected $db_pass = 'root';
          protected $db_name = 'database';

          /* This one needs to be used across all classes, so this is public */
          public $cnx;

          /* Actually connect to the DB */
          function __construct() {
              $this->cnx = new mysqli($this->db_host, $this->db_user, $this->db_pass, $this->db_name);
              //new mysqli() never returns false, so connect_error is the check.
              //The throw has to come before any return, or it is never reached.
              if($this->cnx->connect_error) {
                  //A connection was unsuccessfully made...
                  throw new Exception("ERROR Connecting to DB! Bad username/password?"); //Makes an error message to be cleaned up later.
              }
              //Connection was successfully made! (a constructor has no return value)
          }

          function __destruct() {
              //Closes the connection when an unset() function is used.
              $this->cnx->close();
          }
      }

     I suppose I would possibly want to use it in some procedural coding later:

      mysqli_query($sql->cnx, "SELECT * FROM someTable");

     So it could be of some use. And at the end of my script, I use:

      unset($sql);

     Whole Script: http://www.newerth.com/pancake/showproject/sqlClassExample
  21. Lol, it was a joke I posted in the miscellaneous board... It got moved to here though. I'm guessing he didn't read this thread though...
  22. Just wondering if this is used properly:

      class sendQuery extends sqlStuff {
          /* Sends the data to the DB */
          function insertInfo($b, $c) {
              $query = $this->cnx->prepare("INSERT INTO users (user, pass) VALUES (?, ?)"); //Prepares the query...
              $query->bind_param('ss', $b, $c); //Binds the value with the query
              $ok = $query->execute(); //Runs the query and checks if it was successful.
              $query->close(); //Must run before the return, or the statement is never closed
              if($ok) {
                  return true;
              } else {
                  //Query was unsuccessful! Sends an error message (a throw after return would never run).
                  throw new Exception("ERROR doing query!");
              }
          }
      } /* END sendQuery Class */

      try { //Runs the above classes and checks for errors....
          $cnx = new sqlStuff();
          $do = new sendQuery();
          $do->insertInfo('Username', sha1('Password'));
          echo 'Information Inserted Successfully!';
      } catch(Exception $e) { //If there are any errors, they will be printed out how we defined them earlier.
          echo 'Caught Exception: '. $e->getMessage();
      }

     Will the string be escaped? Or should I do something like mysqli_real_escape_string() along with it? Note: The sqlStuff just connects and isn't vital to the script. And is it possible to simply do:

      new sqlStuff();

     instead of

      $sql = new sqlStuff();

     (sqlStuff only has a __construct and __destruct function that doesn't return anything)
  23. I do this script here:

      //Assume all variables declared earlier...
      while(mysql_connect($host, $user, $pass)) {
          mysql_select_db($db_name);
      }

     I run it on my computer and my computer runs slow... Anyone know why?
  24. Yeah, if you are using PHP 5, rename the function "connect" to "__construct". So it would be:

      function __construct($db_username, $db_password, $db_server_name, $db_db_name) {

     And to execute:

      $database_obj = new DB_OBJECT('username', 'password', 'localhost', 'call_center');

     I had plenty of trouble grasping the concept of OOP in PHP when I started :\ __construct runs when the class is called. Remember, __construct works only in PHP5 or above!!
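The payload quoted in post 7 and the bound-parameter approach asked about in post 22, shown side by side as an added example (not code from the thread). It assumes PHP with the pdo_sqlite extension, so it runs against an in-memory database with no MySQL server; the users table and its two rows are constructed sample data.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO (assumes the pdo_sqlite extension) so it runs without MySQL;
// the users table and its two rows are constructed sample data.

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
    $pdo->exec("INSERT INTO users VALUES ('alice', 'x'), ('bob', 'y')");
    return $pdo;
}

// Builds the query by concatenation, like the mysql_query() line in post 7.
function lookupUnsafe(PDO $pdo, string $input): array {
    $sql = "SELECT username FROM users WHERE username='" . $input . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Binds the value as a parameter, like the prepare()/bind_param() code in
// post 22. The driver sends the value as data, so it is never parsed as SQL
// and needs no escapeString() or magic_quotes handling at all.
function lookupSafe(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = ?");
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = setupDb();
$payload = "foo' OR 1=1 --";   // the input quoted in post 7

// The quote in $payload closes the string literal, "OR 1=1" makes the WHERE
// clause true for every row, and "--" comments out the trailing quote, so
// the concatenated query returns every user instead of just "foo".
echo "Concatenated: " . implode(',', lookupUnsafe($pdo, $payload)) . "\n";

// With a bound parameter the whole payload is compared as one username
// string, which matches nobody, so the result is empty.
echo "Bound param:  " . implode(',', lookupSafe($pdo, $payload)) . "\n";
```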