Sorry, I know it's Sunday. . . How do I get all 4 echos into a one line echo:

$sql = "SELECT * FROM names WHERE ID=$ID";
$result = mysql_query($sql);
$myrow = mysql_fetch_array($result);
echo "EDITING <br>"; echo $myrow["name1"]; echo " "; echo $myrow["name2"];

Beers all round.
Lynn x x x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Sunday 15 June 2008 14:16:07, primm wrote:
Sorry, I know it's Sunday. . . How do I get all 4 echos into a one line echo:
$sql = "SELECT * FROM names WHERE ID=$ID";
$result = mysql_query($sql);
$myrow = mysql_fetch_array($result);
echo "EDITING <br>"; echo $myrow["name1"]; echo " "; echo $myrow["name2"];
Beers all round. Lynn x x x
echo "EDITING <br>", $myrow["name1"], " ", $myrow["name2"];

is this what you were asking for?

I'd prefer a coffee, weather isn't warm enough for beer :-)

Daniel
--
Daniel Bauer photographer Basel Barcelona
professional photography: http://www.daniel-bauer.com
erotic art photos: http://www.bauer-nudes.com
Madagascar special: http://www.fotograf-basel.ch/madagascar/
Daniel Bauer schreef:
On Sunday 15 June 2008 14:16:07, primm wrote:
Sorry, I know it's Sunday. . . How do I get all 4 echos into a one line echo:
$sql = "SELECT * FROM names WHERE ID=$ID";
$result = mysql_query($sql);
$myrow = mysql_fetch_array($result);
echo "EDITING <br>"; echo $myrow["name1"]; echo " "; echo $myrow["name2"];
echo "EDITING <br>", $myrow["name1"], " ", $myrow["name2"];
I think it's "dot", not "comma", since that is the string join operator in php.

Regards,
--
Jos van Kan
registered Linux user #152704
Jos van Kan wrote:
I think it's "dot", not "comma", since that is the string join operator in php.
Yes. Dot ('.') joins strings in PHP. Comma (',') is used in Python. However, there is one difference:

PHP:
echo "this" . "is" . "a" . "test"; // outputs: thisisatest

Python:
print "this", "is", "a", "test" # outputs: this is a test
# you have to use '+' when you want to join strings
print "this" + "is" + "a" + "test"

--
Best Regards / S pozdravom,
Pavol RUSNAK, Package Maintainer, PGP 0xA6917144
SUSE LINUX, s.r.o, Lihovarska 1060/12, 19000 Praha 9, CR
prusnak[at]suse.cz http://www.suse.cz
On Sunday 15 June 2008 17:37:08 Pavol Rusnak wrote:
Jos van Kan wrote:
I think it's "dot", not "comma", since that is the string join operator in php.
Yes. Dot ('.') joins strings in PHP. Comma (',') is used in Python. However, there is one difference:
PHP:
echo "this" . "is" . "a" . "test"; // outputs: thisisatest
Python:
print "this", "is", "a", "test" # outputs: this is a test
# you have to use '+' when you want to join strings
print "this" + "is" + "a" + "test"
Hi Guys.

Yeah well: I came up with this:

$sql = "SELECT * FROM names WHERE ID=$ID";
$result = mysql_query($sql);
$myrow = mysql_fetch_array($result);
echo "Creating report for: <i>", $myrow["name1"], " ", $myrow["name2"], "</i>";

Which produces this: http://steve-ss.com/phpscreen.jpg

I'd tried all sorts of combinations of single ''s, double "'s, full .'s and ,'s.

Thanks for all your help.
Coffee it is then. Shame.
Love from L x
On Sunday 15 June 2008 16:58:38, Jos van Kan wrote:
echo "EDITING <br>", $myrow["name1"], " ", $myrow["name2"];
I think it's "dot", not "comma", since that is the string join operator in php.
oh, you suddenly made me feel insecure :-)

So I checked at http://es.php.net/manual/en/function.echo.php where the format for echo is shown as

void echo ( string $arg1 [, string $... ] )

However the string join operator in php definitively is a dot, of course.

So the difference is that I name a list of items to echo, while you echo one joined string - both approaches should work.

regards
Daniel
--
Daniel Bauer photographer Basel Barcelona
professional photography: http://www.daniel-bauer.com
erotic art photos: http://www.bauer-nudes.com
Madagascar special: http://www.fotograf-basel.ch/madagascar/
primm escribió:
Sorry, I know it's Sunday. . . How do I get all 4 echos into a one line echo:

using "." the concatenation operator.

$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!

$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;

if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...

echo "EDITING <br>"; echo $myrow["name1"];
^^ security hole :-P

if $myrow["name1"] happens to be user supplied we can make it <script>alert('owned');<script> and you have a XSS attack.

so

echo "EDITING <br>", htmlspecialchars($myrow["name1"]), " ", htmlspecialchars($myrow["name2"]);

Yes, "comma" can be used with echo as well, it is not concatenation but a new parameter.

Cheers.
--
"First they ignore you, then they laugh at you, then they fight you, then you win." - Gandhi
Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH Research & Development
http://www.opensuse.org/
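Cristian's htmlspecialchars() fix, written out as a complete added example (this is not code from the thread) against primm's final echo line. The helper name h(), the sample rows, and the ENT_QUOTES / ENT_SUBSTITUTE / UTF-8 flags on htmlspecialchars() are my additions; the row values are constructed, not fetched from a database.

```php
<?php
// Added example, not from the thread: escape database values before echoing
// them into HTML. Only the data is escaped; the fixed markup stays as written.

declare(strict_types=1);

/**
 * Escape a value for an HTML text node or a quoted attribute.
 * ENT_QUOTES also converts single quotes, so the same helper works inside
 * attributes quoted with ' ; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string (the default behaviour, which silently drops data);
 * naming the charset avoids depending on php.ini defaults.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build the report header as a string so it can be tested and then echoed.
 * Comma arguments to echo and "." concatenation give the same bytes; the
 * point is that every value from the row goes through h() first.
 */
function report_header(array $row): string
{
    return '<b>Creating report for: <i>' . h($row['name1']) . ' ' . h($row['name2']) . '</i></b>';
}

// Constructed sample rows: an ordinary name with an apostrophe, and one whose
// name1 carries the markup Cristian used to illustrate the problem.
$rows = [
    ['name1' => 'Lynn',                            'name2' => "O'Brien"],
    ['name1' => "<script>alert('owned');</script>", 'name2' => 'Smith'],
];

foreach ($rows as $row) {
    // What the unescaped echo from the thread emits: the tags reach the browser as markup.
    $unsafe = '<b>Creating report for: <i>' . $row['name1'] . ' ' . $row['name2'] . '</i></b>';
    // Escaped: <, >, &, " and ' become entities and the browser shows them as text.
    $safe = report_header($row);
    echo "unsafe: $unsafe\n";
    echo "safe:   $safe\n";
}
```

The escaping is specific to HTML: the same value placed in a JavaScript string, a URL or an SQL statement needs the escaping (or parameter binding) of that context instead.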
On Monday 16 June 2008 01:03:48 you wrote:
primm escribió:
Sorry, I know it's Sunday. . . How do I get all 4 echos into a one line echo:
using "." the concatenation operator.
$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!
$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;
if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...
echo "EDITING <br>"; echo $myrow["name1"];
^^ security hole :-P
if $myrow["name1"] happens to be user supplied we can make it <script>alert('owned');<script> and you have a XSS attack.
so
echo "EDITING <br>", htmlspecialchars($myrow["name1"]), " ", htmlspecialchars($myrow["name2"]);
Yes, "comma" can be used with echo as well, it is not concatenation but a new parameter.
Cheers.
Wow. That's scary.

I just changed it to:

echo "<b>Creating report for: <i>", $myrow["name1"], " ", $myrow["name2"], "</i></b>";

Can you give me a copy and paste _safe_ version of this?

Love L x
On Mon, Jun 16, primm wrote:
On Monday 16 June 2008 01:03:48 you wrote:
primm escribió:
Sorry, I know it's Sunday. . . How do I get all 4 echos into a one line echo:
using "." the concatenation operator.
$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!
$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;
if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...
echo "EDITING <br>"; echo $myrow["name1"];
^^ security hole :-P
if $myrow["name1"] happens to be user supplied we can make it <script>alert('owned');<script> and you have a XSS attack.
so
echo "EDITING <br>", htmlspecialchars($myrow["name1"]), " ", htmlspecialchars($myrow["name2"]);
Yes, "comma" can be used with echo as well, it is not concatenation but a new parameter.
Cheers.
Wow. That's scary.
I just changed it to:
echo "<b>Creating report for: <i>", $myrow["name1"], " ", $myrow["name2"], "</i></b>";
Can you give me a copy and paste _safe_ version of this?
He just did, about 17 lines up from here....

Read the manual on htmlspecialchars()
http://us3.php.net/manual/en/function.htmlspecialchars.php

Michael
--
Michael Fischer michael@visv.net
On Sun, Jun 15, 2008 at 6:03 PM, Cristian Rodríguez wrote:
$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!
$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;
if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...
How is ID=$ID a security hole?

Mike
On Thursday 19 June 2008 11:20, Michael Mientus wrote:
On Sun, Jun 15, 2008 at 6:03 PM, Cristian Rodríguez wrote:
$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!
...
How is ID=$ID a security hole?
If it comes from user-submitted input, it can be used to alter the syntax of the request and fundamentally alter the DBMS command executed. That is the reason for Prepared Statements, which are like pre-compiled statement templates. No matter what parameters get inserted into a Prepared Statement, it will not change the structure of the SQL statement. Search the Web for "Injection Exploit" to get more information on this topic.
Mike
Randall Schulz
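Randall's point, and Michael's later remark that Pete's PHP5 prepared-statement example could serve as a template for Cristian's lookup, carried out as an added example (not code from the thread or from any of the linked pages). It rewrites the `SELECT * FROM names WHERE ID=$ID` query with a PDO prepared statement in place of the removed mysql_* functions. It assumes the pdo_sqlite extension so it can run against an in-memory database; the table, its rows, the function names and the sample inputs are my constructions.

```php
<?php
// Added example, not from the thread: the lookup from the thread done with a
// prepared statement. The SQL text is fixed when prepare() runs; the ID is
// sent to the engine afterwards as a value, so it cannot alter the statement.

declare(strict_types=1);

// Constructed in-memory database standing in for the thread's "names" table.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE names (ID INTEGER PRIMARY KEY, name1 TEXT NOT NULL, name2 TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO names (ID, name1, name2) VALUES (?, ?, ?)');
    foreach ([[1, 'Lynn', 'Primm'], [2, 'Daniel', 'Bauer']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/**
 * Fetch one row by ID. Whatever $id contains, it is compared against the ID
 * column as data; it is never spliced into the SQL string, so no escaping
 * (mysql_real_escape_string or otherwise) is needed.
 */
function fetch_name(PDO $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT name1, name2 FROM names WHERE ID = :id');
    $stmt->bindValue(':id', $id);   // bound as a value, not interpolated
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Defence in depth for an integer key: reject anything that is not an
 * integer before it reaches the database at all (Cristian's "%d" advice,
 * done as validation rather than formatting).
 */
function fetch_name_checked(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                // not a valid ID: no query is issued
    }
    return fetch_name($db, (string) $id);
}

$db = open_db();
var_dump(fetch_name($db, '2'));                 // ['name1' => 'Daniel', 'name2' => 'Bauer']
var_dump(fetch_name($db, '2 OR 1=1'));          // NULL: treated as one ID value, matches no row
var_dump(fetch_name_checked($db, '2 OR 1=1'));  // NULL: rejected before any SQL runs
```

The second call is the behaviour Randall describes: the bound text is compared with the ID column and matches nothing, where string interpolation would have changed the WHERE clause. The same code works against MySQL by changing only the DSN passed to PDO; with mysqli, prepare() / bind_param() give the equivalent separation of statement and data.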
On Thu, Jun 19, 2008 at 1:29 PM, Randall R Schulz wrote:
Search the Web for "Injection Exploit" to get more information on this topic.
This search was not very helpful.
On Mon, Jun 16, 2008 at 2:49 PM, Michael Fischer wrote:
Read the manual on htmlspecialchars()
and searching for ...
On Fri, Jun 20, 2008 at 5:54 AM, Matt Archer wrote:
It's called an SQL injection attack.
"sql injection attack" was helpful. Here are the links I found enlightening:

http://en.wikipedia.org/wiki/SQL_injection
http://izumi.plan99.net/blog/index.php/2007/05/14/unsupport-for-prepared-sta...
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
http://www.petefreitag.com/item/356.cfm

In particular, Pete's Prepared Statements example written in PHP5 seems like it could be used as a template to update Cristian's example.

Mike
Michael Mientus wrote:
On Sun, Jun 15, 2008 at 6:03 PM, Cristian Rodríguez wrote:
$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!
$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;
if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...
How is ID=$ID a security hole?
When the user types in SQL code instead of a valid username. It's called an SQL injection attack.
Mike