R_P

Members
Posts: 98
Last visited: Never
Birthday: 08/19/1984
Website URL: http://www.roddzilla.com
Gender: Not Telling
Achievements: Member (2/5)
Reputation: 0

  1. Krystof, This is a MySQL error, not a PHP error. That probably means the code is correct and the query is wrong. My best guess would be to change the lines:

         $query .= "WHERE id=" . $news_id . " ";
         $query .= "LIMIT 1";

     to:

         $query .= "WHERE id='" . $news_id . "' ";
         $query .= "LIMIT 1;";
  2. Hey guys, It's been a while, I know. Used to love coming here to answer people's questions, but work and school have been keeping me too busy to do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:

         private $chars = array(
             ";"  => "{00sc}", "'"  => "{01sq}", "!"  => "{02ex}", "$"  => "{03dl}",
             "%"  => "{04pr}", "<"  => "{05ls}", ">"  => "{06gt}", "="  => "{07eq}",
             "&"  => "{08an}", "#"  => "{09pd}", ","  => "{10cm}", "/"  => "{11fs}",
             "*"  => "{12as}", "\\" => "{13bs}"
         );

         /*
          * Func: inject($str) - aptly named
          * Desc: We'll be the only people doing SQL injection here
          */
         function inject($str) {
             return str_replace(array_keys($this->chars), array_values($this->chars), $str);
         }

         /*
          * Func: extract($str)
          * Desc: Opposite of inject
          * Note: $this->depc is a second substitution map that is not shown in this post
          */
         function extract($str) {
             $str = str_replace(array_values($this->depc), array_keys($this->depc), $str);
             return str_replace(array_values($this->chars), array_keys($this->chars), $str);
         }

         /*
          * Func: query($query_data)
          * Desc: Make a query on the database (SELECT)
          * Note: If a log directory is defined, we will track queries
          */
         function query($qdata) {
             $result = mysql_query($qdata) or die("<br>Query: " . $qdata . " <br><br>Issue: " . mysql_error());
             // set the condition for the switch statement (first word of the query)
             $c = substr($qdata, 0, strpos($qdata, ' '));
             if ($c == "DELETE" || $c == "INSERT" || $c == "UPDATE") {
                 if (is_dir($this->cfg['logdir'])) $this->logLine($qdata, $this->cfg['qlog']);
                 return true;
             }
             if (mysql_num_rows($result) == 0) return false;
             $array_result = array();
             while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
                 // str_replace works on the whole row array, so every column is converted back
                 $array_result[] = $this->extract($line);
             }
             return $array_result;
         }

         /*
          * Func: iquery($array,$table)
          * Desc: Insert data into the db (using just $_POST)
          */
         function iquery($arr, $table) {
             if (!$dataArr = $this->againstTable($arr, $table)) return false;
             $n = 1;
             $insertNames  = '';
             $insertValues = '';
             // Loop to create SQL query
             foreach ($dataArr as $key => $value) {
                 $insertNames  .= (sizeof($dataArr) == $n) ? $key : $key . ",";
                 $insertValues .= (sizeof($dataArr) == $n) ? "'" . $value . "'" : "'" . $value . "',";
                 $n++;
             }
             return $this->query("INSERT INTO " . $table . " (" . $insertNames . ") VALUES (" . $insertValues . ");");
         }

     Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTs with and it converts the characters back (the inject function encrypts, extract decrypts, for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed. Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
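The following is an added example, not code from the post above or from the author's framework. It re-implements the post's substitution map in Python and runs it against a constructed in-memory SQLite table (the table name, columns and rows are sample data chosen here), with a bound-parameter query beside it for comparison. It shows the two things a reviewer of the scheme would check first: inside a quoted literal the map does neutralise the quote, but in the unquoted numeric form used in post 1 (`WHERE id=" . $news_id`) letters, digits and spaces are not mapped, so a value such as `999 OR 1` still reaches the parser as SQL; and the token round trip is not one-to-one, because input that already contains a token such as `{01sq}` comes back out of `extract()` as a quote.

```python
import sqlite3

# Added example (not the forum author's code). Re-implements the post's
# substitution map so it can be exercised against a sample database.

# The map exactly as listed in the post: character -> placeholder token.
CHARS = {
    ";": "{00sc}", "'": "{01sq}", "!": "{02ex}", "$": "{03dl}", "%": "{04pr}",
    "<": "{05ls}", ">": "{06gt}", "=": "{07eq}", "&": "{08an}", "#": "{09pd}",
    ",": "{10cm}", "/": "{11fs}", "*": "{12as}", "\\": "{13bs}",
}


def inject(s: str) -> str:
    """Equivalent of the post's inject(): replace each mapped character with its token."""
    for ch, token in CHARS.items():
        s = s.replace(ch, token)
    return s


def extract(s: str) -> str:
    """Equivalent of the post's extract(): turn tokens back into characters.

    Not a true inverse: a literal "{01sq}" in the original input also becomes "'".
    """
    for ch, token in CHARS.items():
        s = s.replace(token, ch)
    return s


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the 'news' table in post 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news (id, title) VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def ids_concat_unquoted(conn: sqlite3.Connection, news_id: str) -> list:
    """Post 1's pattern (WHERE id=<value>, no quotes) with inject() applied first.

    Only the mapped characters are rewritten; "999 OR 1" contains none of them,
    so the whole value is parsed as SQL and the OR makes the WHERE clause true.
    """
    sql = "SELECT id FROM news WHERE id=" + inject(news_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def ids_concat_quoted(conn: sqlite3.Connection, news_id: str) -> list:
    """Same query with the value single-quoted: here inject() does defuse the quote."""
    sql = "SELECT id FROM news WHERE id='" + inject(news_id) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def ids_bound(conn: sqlite3.Connection, news_id: str) -> list:
    """Bound parameter: the value is never spliced into the SQL text at all."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM news WHERE id=? ORDER BY id", (news_id,))]


if __name__ == "__main__":
    conn = make_db()
    print(inject("' OR 1=1 --"))                    # {01sq} OR 1{07eq}1 --
    print(extract(inject("{01sq}")))                # ' (round trip is not one-to-one)
    print(ids_concat_quoted(conn, "' OR 1=1"))      # []  quote was neutralised
    print(ids_concat_unquoted(conn, "999 OR 1"))    # [1, 2, 3]  tautology got through
    print(ids_bound(conn, "999 OR 1"))              # []  bound value compared as data
    print(ids_bound(conn, "2"))                     # [2]
```

The bound-parameter form is the one to prefer: the database receives the query text and the value separately, so no character map needs to be complete, and stored data does not have to be translated back on every SELECT.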
  3. Alright. I think I figured it out. The purpose of this is to change the look of the page with the click of a button by changing the path/address of all the images simultaneously. I figured it out though (luckily all my background images were in divs):

         var allDivs = document.getElementsByTagName("div");
         for (var j = 0; j < allDivs.length; j++) {
             if (allDivs[j].style.backgroundImage != "")
                 allDivs[j].style.backgroundImage = allDivs[j].style.backgroundImage.replace(/path#/, "graphx/images/");
         }

     In the future, "graphx/images/" will be a variable, pointing to the folders with similarly named (but different) images. Thanks for the ping backs.
  4. Thanks Aaron. Unfortunately, that is still the one-by-one method I am trying to avoid. I'm looking for something like this:

         for (var i = 0; i < document.images.length; i++) {
             document.images[i].src = "something new";
         }

     Unfortunately, that only works with img tags within the document. I'm looking for a similar way to wash over all the background images at once - including those specified in external CSS files - and avoid using document.all...
  5. Fellow Gurus, I am looking for a way to change the paths of background images using Javascript. I am aware of document.images as a data structure to access images, but does there exist the equivalent for background images? These do not seem to be included in said data structure. If not, does anyone have some good code to change the paths of background images post render without doing them one-by-one? Ryan
  6. Well, I've always considered OOP an additional layer of abstraction using code structure. It offers little/no functionality to the code or page itself, just structure and clarification, modularity and inheritance. It favors large projects where reused code will save a lot of space/coding time. This is important because during actual runtime object oriented PHP code takes longer to execute than flat scripted code which does the same thing. The argument between OO and procedural is one of those never ending battles between warring CS factions and code developers. The only advice I could give is just never make objects for the sake of making objects.
  7. Thanks steal for the diagnostic. Turning off indexes in Apache and removing full path disclosure in php.ini should remedy just about the whole list. As for the chat, in a more evolved version there will be strict checks on I/O. What I'm worried about right now is that the base functionality works. I'm in the midst of streamlining data throughput so that client-server pings are literally bits. Core functionality is what I'm worried about. So come in and stay a bit. Let me know the response/lagging times. Works best if there's more than a person in the room. Unfortunately users are sparse.
  8. Bumping this. Optimizing the back end code and would like a few people in the room to help me test. *Hint: Want to be mod? Just type: /auth doggie
  9. While I completely agree with the sentiment, when working in a big-company environment you might not have the choice. If Mr. Big Executive wants his employees to be printing a page when they come to it, then Mr. programmer makes the site print the page. There still could be options/control of the function within the page/applet. Trust me, I've had my share of (and battles against) those kinds of requests too. Although, I'd probably take this one just for the challenge.
  10. Once you send a header specifying an image MIME type to the browser, the only thing that the browser can display is an image! I'm surprised you weren't getting all sorts of errors by doing that. One thing you can consider is creating a separate PHP file which returns only images and using it as the source in an HTML image tag like so:

          <img src="img.php?index=5" alt="">

      I generally don't store images in my db tables (although it's perfectly acceptable) but using the example above should allow you to do so. Good luck.
  11. Using Javascript to open the print dialog for a page is about as far as you can go with JS or any client side program. One possibility might be to create a Java applet and implement the PrintObject class which would have the capability of automating a print job. It would still require the user to choose to trust the Java applet. If you're familiar with Java, here is a great code reference: http://www.javacommerce.com/displaypage.jsp?name=printcode.sql&id=18252
  12. I actually use a database table and tag route (kind of like IRC flags). Basically, before/as each page is called, it looks up the auth tag for that page name in the db table. If that auth tag exists in the user's session auth string, then show the page. Some pseudo code:

          // look up the auth tag for this page; the page name is escaped before it goes into the query
          $dbresult = mysql_fetch_assoc(mysql_query("SELECT auth FROM pages WHERE name='" . mysql_real_escape_string($pageURL) . "'"));
          if ($dbresult && strstr($_SESSION['auth'], $dbresult['auth'])) {
              include($page);
          }

      This way, I can assign each user a different set of privileges and page access combos. A default user gets a basic predefined set. I could post my actual code, but it's more convoluted and contains a lot of contingency handling not discussed.
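The following is an added example, not the poster's code. It models the page-access check described in the post above with constructed data (the page names, tags and the `PAGES` table are sample values chosen here): a per-page auth tag is looked up and compared against the user's session auth string. The post's check is a substring test (`strstr`), so it is shown beside a membership test on a delimited tag list, which is the check a reviewer would ask for: with substring matching, a page whose tag happens to be a prefix or substring of a tag the user holds is granted as well.

```python
# Added example (not the forum author's code). Constructed stand-in for the
# 'pages' table in the post: page name -> required auth tag.
PAGES = {
    "home": "user",
    "admin": "admin",
    "audit": "ad",      # a short tag that is also a substring of "admin"
}

# The post's "basic predefined set" for a default user (sample value).
DEFAULT_AUTH = "user"

SEP = ","


def session_auth_for(privileges) -> str:
    """Build the session auth string the way a delimited tag list would be stored."""
    return SEP.join(sorted(set(privileges)))


def allowed_substring(session_auth: str, page: str) -> bool:
    """The post's logic: strstr($_SESSION['auth'], $tag) is truthy => include the page.

    Unknown pages are denied. Any page whose tag appears anywhere inside the
    auth string is granted, including as part of a longer tag.
    """
    tag = PAGES.get(page)
    return tag is not None and tag in session_auth


def allowed_exact(session_auth: str, page: str) -> bool:
    """Membership test on whole tags: the auth string is split on the delimiter
    and the page's tag must equal one of the pieces."""
    tag = PAGES.get(page)
    held = {t for t in session_auth.split(SEP) if t}
    return tag is not None and tag in held


if __name__ == "__main__":
    auth = session_auth_for(["user", "admin"])
    for page in PAGES:
        print(page, allowed_substring(auth, page), allowed_exact(auth, page))
    # audit True False : "ad" is found inside "admin" by the substring check only
```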
  13. Oh, and if you type "<form>" into the filter box on the gallery page, some additional hidden pictures will be revealed.
  14. Hey guys, So I often find myself sticking images in a web folder and then having the Apache (or IIS) indexes turned on so that my friends can browse through the file names. Not the most effective image gallery, I know. Instead of going through the thousands of open source galleries out there, I decided to create my own. Here's what is different about it: It consists of one file (the index file). It does not rely on either flat file or SQL databases. Creates thumbnails upon first install and whenever you add new images. Thumbnail generator includes a real-time progress bar - useful when you have a lot of images. *Essentially the image gallery for really lazy (or busy) developers. Here's the file: http://ryan.crawford.com/gallery.zip Here's a demo: http://ryan.crawford.com/yjfc/flyin07/?v=g There are a few known bugs and issues. No documentation yet. Feel free to poke around with it and post if you have any questions. Also make sure to tell me your server configuration and the browser(s) you used to test it with. Thanks! Ryan PS - And keep in mind this is an EARLY RELEASE. It doesn't have near the functionality that I'm planning for it.