Mark Kimsal's Blog:
Addslashes() don't call it a comeback
0 comments :: posted Thursday June 12, 2008 @ 13:36:20

As Michael Kimsal points out, there's a new posting on his brother Mark's blog talking about alternatives to addslashes() in your applications.

I've seen a lot of people talking about mysql_real_escape_string() vs addslashes() vs addcslashes(). There seems to be a lot of real confusion about what these functions do (even with the php.net manual around), especially when it comes to character sets. [...] So, I've decided to lay it all out in a few charts so there is no confusion about what each function does and how each can help protect against SQL injection attacks.

He ran some tests based on what each function does to see whether it helps with specific concerns, such as "escapes with single quotes instead of a backslash" and "prevents multi-byte attacks". He compares the speed and testability of the functions, and provides a multi-byte breakdown of how the mysql_real_escape_string function behaves with different character sets.

tagged with: addslashes compare escape string mysql addcslashes multibyte


Christopher Jones' Blog:
PHP 5.3 "NOWDOCS" make SQL escaping easier
0 comments :: posted Thursday February 14, 2008 @ 11:18:00

Christopher Jones has posted about an update to the development for PHP 5.3 that makes escaping SQL even easier in scripts - NOWDOCS.

Escaping quotes or other meta characters in SQL can be painful unless you get lucky with your quoting style. [...] Even with PHP's "Heredoc" syntax something will need escaping, but with PHP 5.3's new "Nowdoc" syntax no escaping is needed.

The only syntactic difference between HEREDOC and NOWDOC is the opening identifier, which is wrapped in single quotes (the first END in this statement: <<<'END' text here END;), and that small change can make worrying about complex quoting rules a thing of the past.

tagged with: nowdocs sql escape nowdoc heredoc php5 quote

Rob Allen's Blog:
A View Stream with Zend_View
0 comments :: posted Thursday February 07, 2008 @ 07:58:17

Rob Allen has posted about a small modification he made to his Zend Framework setup that allows for slightly safer echoing of information out to the View layer of an application.

One of my biggest issues with using PHP as the templating engine in View scripts is that the easiest way to echo a variable is the least secure. [...] So, I decided to leverage a post by Mike Naberezny from a while ago about streams. The idea is all his; I just modified it to work with Zend Framework's Zend_View the way I wanted it to.

His method uses a slightly different output format: instead of a normal echo statement to push out the escaped output, it uses a special syntax with the "@" sign as a shortcut for the call to escape(). He includes the code you'll need to make it work in your ZF install and explains it a bit (including where the real key lies - in stream_popen).
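The rewrite step described above, as an added example in PHP that is not Rob Allen's or Mike Naberezny's code: a stream wrapper that turns the "@" shortcut into an explicit escape() call while the view script is being loaded, so the shortest way to echo a variable is also the escaped way. The scheme name view://, the class name ViewStream, and the assumption that Zend_View's _run() includes the script path it is given are this example's own.

```php
<?php
// Added example (not Rob Allen's or Mike Naberezny's code): a stream wrapper
// that rewrites the shortcut "@$var" in a view script into an explicit
// "$this->escape($var)" call before PHP compiles it, so the shortest way to
// echo is also the escaped way. "view://" and ViewStream are placeholder names.
class ViewStream
{
    public $context;   // set by PHP when a stream context is supplied
    private $data = '';
    private $pos = 0;

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        // Strip the scheme and read the real template from disk.
        $src = file_get_contents(substr($path, strlen('view://')));
        if ($src === false) {
            return false;
        }
        // @$foo, @$foo->bar and @$foo['k'] become $this->escape(...).
        // Without the "@" a variable is still echoed raw, as in plain PHP.
        $this->data = preg_replace(
            '/@(\$[A-Za-z_]\w*(?:->[A-Za-z_]\w*|\[[^\]]*\])*)/',
            '$this->escape($1)',
            $src
        );
        return true;
    }

    public function stream_read($count)
    {
        $chunk = (string) substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof()  { return $this->pos >= strlen($this->data); }
    // include() calls fstat(); report the rewritten size so PHP reads it all.
    public function stream_stat() { return ['size' => strlen($this->data)]; }
    public function stream_set_option($option, $arg1, $arg2) { return false; }
}

stream_wrapper_register('view', 'ViewStream');
// In a Zend_View subclass, override _run() to load scripts through the
// wrapper instead of a plain include: include 'view://' . func_get_arg(0);
// A template line "<?= @$this->title ?>" is then compiled as
// "<?= $this->escape($this->title) ?>".
```

Variables echoed without the "@" are still output raw, so a template review should look for bare "<?= $" as the remaining unescaped paths.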

tagged with: zendframework stream zendview escape custom output view



All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework