[opensuse] php echo

primm

15 Jun 2008 15 Jun '08

12:16

Sorry, I know its Sunday. . .How do I get all 4 echo's into a one line echo: $sql = "SELECT * FROM names WHERE ID=$ID"; $result = mysql_query($sql); $myrow = mysql_fetch_array($result); echo "EDITING <br>"; echo $myrow["name1"]; echo " "; echo $myrow["name2"]; Beers all round. Lynn x x x -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Show replies by date

Daniel Bauer

15 Jun 15 Jun

12:59

On Sunday 15 June 2008 14:16:07, primm wrote:

...

Sorry, I know its Sunday. . .How do I get all 4 echo's into a one line echo:

$sql = "SELECT * FROM names WHERE ID=$ID";

$result = mysql_query($sql);

$myrow = mysql_fetch_array($result);

echo "EDITING <br>"; echo $myrow["name1"]; echo " "; echo $myrow["name2"];

Beers all round. Lynn x x x

echo "EDITING <br>", $myrow["name1"], " ", $myrow["name2"]; is this what you were asking for? I'd prefer a coffee, wheather isn't warm enough for beer :-) Daniel -- Daniel Bauer photographer Basel Barcelona professional photography: http://www.daniel-bauer.com erotic art photos: http://www.bauer-nudes.com Madagascar special: http://www.fotograf-basel.ch/madagascar/ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jos van Kan

14:58

Daniel Bauer schreef:

...

On Sunday 15 June 2008 14:16:07, primm wrote:

...
Sorry, I know its Sunday. . .How do I get all 4 echo's into a one line echo:

$sql = "SELECT * FROM names WHERE ID=$ID";

$result = mysql_query($sql);

$myrow = mysql_fetch_array($result);

echo "EDITING <br>"; echo $myrow["name1"]; echo " "; echo $myrow["name2"];

...

echo "EDITING <br>", $myrow["name1"], " ", $myrow["name2"];

I think it's "dot", not "comma", since that is the string join operator in php. Regards, -- Jos van Kan registered Linux user #152704 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Pavol Rusnak

15:37

Jos van Kan wrote:

...

I think it's "dot", not "comma", since that is the string join operator in php.

Yes. Dot ('.') joins strings in PHP. Comma (',') is used in Python. However, there is one difference: PHP: echo "this" . "is" . "a" . "test"; // outputs: thisisatest Python: print "this", "is", "a", "test" # outputs: this is a test # you have to use '+' when you want to join strings print "this" + "is" + "a" + "test" -- Best Regards / S pozdravom, Pavol RUSNAK SUSE LINUX, s.r.o Package Maintainer Lihovarska 1060/12 PGP 0xA6917144 19000 Praha 9, CR prusnak[at]suse.cz http://www.suse.cz -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

primm

17:10

On Sunday 15 June 2008 17:37:08 Pavol Rusnak wrote:

...

Jos van Kan wrote:

...
I think it's "dot", not "comma", since that is the string join operator in php.

Yes. Dot ('.') joins strings in PHP. Comma (',') is used in Python. However, there is one difference:

PHP:

echo "this" . "is" . "a" . "test"; // outputs: thisisatest

Python:

print "this", "is", "a", "test" # outputs: this is a test # you have to use '+' when you want to join strings print "this" + "is" + "a" + "test"

Hi Guys. Yeah well: I came up with this: $sql = "SELECT * FROM names WHERE ID=$ID"; $result = mysql_query($sql); $myrow = mysql_fetch_array($result); echo "Creating report for: <i>", $myrow["name1"], " ", $myrow["name2"], "</i>"; Which produces this: http://steve-ss.com/phpscreen.jpg I'd tried all sorts of combinations of single ''s double "'s full .'s and ,'as Thanks for all your help. Coffee it is then. Shame. Love from L x -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Daniel Bauer

17:33

...

...
echo "EDITING <br>", $myrow["name1"], " ", $myrow["name2"];

I think it's "dot", not "comma", since that is the string join operator in

On Sunday 15 June 2008 16:58:38, Jos van Kan wrote: php.

...

oh, you suddenly made me feel insecure :-) So I checked at at http://es.php.net/manual/en/function.echo.php where the format for echo is shown as void echo ( string $arg1 [, string $... ] ) However the string string join operator in php definitively is a dot, of course. So the difference is that I name a list of items to echo, while you echo one joined string - both approaches should work. regards Daniel -- Daniel Bauer photographer Basel Barcelona professional photography: http://www.daniel-bauer.com erotic art photos: http://www.bauer-nudes.com Madagascar special: http://www.fotograf-basel.ch/madagascar/ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Cristian Rodríguez

23:03

primm escribió:

...

Sorry, I know its Sunday. . .How do I get all 4 echo's into a one line echo:

using "." the concatenation operator.

...

$sql = "SELECT * FROM names WHERE ID=$ID"; ^^ security hole !!!

$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ; if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...

...

echo "EDITING <br>"; echo $myrow["name1"]; ^^ security hole :-P

if $myrow["name1"] happends to be user supplied we can make it <script>alert('owned');<script> and you have a XSS attack. so echo "EDITING <br>", htmlspecialchars($myrow["name1"]), " ", htmlspecialchars($myrow["name2"]); Yes , "comma" can be used with echo as well, it is not concatenation but a new parameter. Cheers. -- “First they ignore you, then they laugh at you, then they fight you, then you win.” - Gandhi Cristian Rodríguez R. Platform/OpenSUSE - Core Services SUSE LINUX Products GmbH Research & Development http://www.opensuse.org/

primm

23:27

On Monday 16 June 2008 01:03:48 you wrote:

...

primm escribió:

...
Sorry, I know its Sunday. . .How do I get all 4 echo's into a one line echo:

using "." the concatenation operator.

...
$sql = "SELECT * FROM names WHERE ID=$ID";

^^ security hole !!!

$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;

if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...

...
echo "EDITING <br>"; echo $myrow["name1"];

^^ security hole :-P

if $myrow["name1"] happends to be user supplied we can make it <script>alert('owned');<script> and you have a XSS attack.

so

echo "EDITING <br>", htmlspecialchars($myrow["name1"]), " ", htmlspecialchars($myrow["name2"]);

Yes , "comma" can be used with echo as well, it is not concatenation but a new parameter.

Cheers.

Wow. That's scary. I just changed it to: echo "<b>Creating report for: <i>", $myrow["name1"], " ", $myrow["name2"], "</i></b>"; Can you give me a copy and paste _safe_ version of this? Love L x -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Michael Fischer

16 Jun 16 Jun

19:49

On Mon, Jun 16, primm wrote:

...

On Monday 16 June 2008 01:03:48 you wrote:

...
primm escribió:

...
Sorry, I know its Sunday. . .How do I get all 4 echo's into a one line echo:

using "." the concatenation operator.

...
$sql = "SELECT * FROM names WHERE ID=$ID";

^^ security hole !!!

$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;

if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...

...
echo "EDITING <br>"; echo $myrow["name1"];

^^ security hole :-P

if $myrow["name1"] happends to be user supplied we can make it <script>alert('owned');<script> and you have a XSS attack.

so

echo "EDITING <br>", htmlspecialchars($myrow["name1"]), " ", htmlspecialchars($myrow["name2"]);

Yes , "comma" can be used with echo as well, it is not concatenation but a new parameter.

Cheers.

Wow. That's scary.

I just changed it to:

echo "<b>Creating report for: <i>", $myrow["name1"], " ", $myrow["name2"], "</i></b>";

Can you give me a copy and paste _safe_ version of this?

He just did, about 17 lines up from here.... Read the manual on htmlspecialchars() http://us3.php.net/manual/en/function.htmlspecialchars.php Michael -- Michael Fischer michael@visv.net -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Michael Mientus

19 Jun 19 Jun

18:20

On Sun, Jun 15, 2008 at 6:03 PM, Cristian Rodríguez wrote:

...

...
$sql = "SELECT * FROM names WHERE ID=$ID";

^^ security hole !!!

$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;

if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...

How is ID=$ID a security hole? Mike -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Randall R Schulz

18:29

On Thursday 19 June 2008 11:20, Michael Mientus wrote:

...

On Sun, Jun 15, 2008 at 6:03 PM, Cristian Rodríguez wrote:

...
...
$sql = "SELECT * FROM names WHERE ID=$ID";

^^ security hole !!!

...

How is ID=$ID a security hole?

If it comes from user-submitted input, it can be used to alter the syntax of the request and fundamentally alter the DBMS command executed. That is the reason for Prepared Statements, which are like pre-compiled statement templates. No matter what parameters get inserted into a Prepared Statement, it will not change the structure of the SQL statement. Search the Web for "Injection Exploit" to get more information on this topic.

...

Mike

Randall Schulz -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Michael Mientus

25 Jun 25 Jun

18:11

On Thu, Jun 19, 2008 at 1:29 PM, Randall R Schulz wrote:

...

Search the Web for "Injection Exploit" to get more information on this topic.

This search was not very helpful. On Mon, Jun 16, 2008 at 2:49 PM, Michael Fischer wrote:

...

Read the manual on htmlspecialchars()

http://us3.php.net/manual/en/function.htmlspecialchars.php

and searching for ... On Fri, Jun 20, 2008 at 5:54 AM, Matt Archer wrote:

...

It's called an SQL injection attack.

"sql injection attack" was helpful. Here are the links I found enlightening: http://en.wikipedia.org/wiki/SQL_injection http://izumi.plan99.net/blog/index.php/2007/05/14/unsupport-for-prepared-sta... http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html http://www.petefreitag.com/item/356.cfm In particular, Pete's Prepared Statements example written in PHP5 seems like it could be used as a template to update Cristian's example. Mike -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Matt Archer

20 Jun 20 Jun

10:54

Michael Mientus wrote:

...

On Sun, Jun 15, 2008 at 6:03 PM, Cristian Rodríguez wrote:

...
...
$sql = "SELECT * FROM names WHERE ID=$ID"; ^^ security hole !!!

$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink)) ;

if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...

How is ID=$ID a security hole?

When the user types in SQL code instead of a valid username. It's called an SQL injection attack.

...

Mike

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

5791

Age (days ago)

5801

Last active (days ago)

List overview

Download

12 comments

9 participants

participants (9)

Cristian Rodríguez
Daniel Bauer
Jos van Kan
Matt Archer
Michael Fischer
Michael Mientus
Pavol Rusnak
primm
Randall R Schulz