query error handling - Page 2


Re: query error handling


So much for your claim that you were going to stop responding to me.

Have you figured out yet how to format a TIN?

Re: query error handling

Doug Miller wrote:

Doug, I understand and share your general frustration with Jerry, we
should both probably resist the urge to respond as it never leads
anywhere good but, like you, sometimes I find it irresistible. It's just
if you DO choose to retaliate you should at least do so factually, your
overall argument loses some credibility when you misrepresent your
adversary's statements, even slightly. If they are wrong you should be
able to show that without distorting the facts.

I think the use of the word "new" is not at all ambiguous in this case,
it's no different to saying NTFS was "new in Windows NT", there's no
implication that it is "new" in any wider sense. It's a small thing but
your argument would be stronger without it, that's all I was saying.

Besides, Jerry's statement _was_ an admission of error on his part, as
noted a rare thing in itself. To expect an apology as well, rather than
just an excuse / explanation would be a bit naive. The only thing I've
found that can silence people that stubborn is to make a big song and
dance about how they are so stubborn they won't be able to resist
replying to your post, the worst offenders will be too stubborn to cede
your point and won't reply ;)

Of course the proper solution would be to set up a filter / killfile, it
takes all of 2 minutes. The fact neither of us has done that yet hints
that you, like I, DO sometimes derive a bit of satisfaction from
thoroughly and publicly rebutting the spoutings of obnoxious internet
pundits. I'm not sure what the ratio between 'good done in correcting
factual errors for posterity' and 'annoyance caused by the noise of
endless pedantic squabbling' actually is in general. With Jerry though
it's like shooting fish in a barrel, and with the frequency of his posts
there's at least a dozen new barrels every day so I think in his case
responding just tends to create noise.

With that in mind I'm going to butt out of this thread! Of course I am
certain neither of you possesses the self-restraint needed to not reply to
this post and get the last word in ;D

Happy holidays!


Re: query error handling

matt (matthew.leonhardt@gmail.com) wrote:
: > matt wrote:
: > > wrote:
: > >> Hash: SHA1
: >
: > >> On 18/12/09 15:44, Michael Costello wrote:
: >
: > >>> Hi,
: > >>> I have the following two PHP statements:
: > >>> $query = "SELECT id, firstname, lastname, phone FROM members WHERE id
: > >>> = $id";
: > >>> $result = mysql_query($query) or die('SQL Select Error: '.mysql_error
: > >>> ());
: >
: > > [snip]
: >
: > > Please use mysql_real_escape_string() when using variables in your
: > > queries. Better yet, use prepared statements.
: >
: > Incorrect. "id" is obviously a numeric value; you do not use
: > mysql_real_escape_string() on numeric types.

: I'll concede that members.id is *likely* a numeric field...although I
: don't see the harm in calling mysql_real_escape_string().

: What I will not concede is the idea that $id obviously contains a
: numeric value.  I'm surprised that you would have made the suggestion
: to remove a sanitizing function without providing an example or
: reference on how you feel one should sanitize the variable for the
: query.

I have to agree that at some point before it is used $id should be

Consider for example: if $id comes straight from an html form and is not
correctly validated then the end result from a malicious user could be
made equivalent to

    $id = '1 into outfile /etc/passwd';

    $query = "SELECT id, firstname, lastname, phone FROM members
        WHERE id = $id";

    $result = mysql_query($query) or die ...etc...

Personally I like bind variables for this.  Databases such as Oracle have
them built in.  To use bind variables with mysql within php I understand
you can use the ADODB library.

Re: query error handling

Malcolm Dew-Jones wrote:

Row IDs should NEVER come from an HTML form - sanitized or not, unless
there are other criteria included.  Otherwise, it will allow access to
rows the user should not be able to access.

BTW, your query would fail anyway, because in a correctly configured
system, only root can write to /etc/passwd, and MySQL should NEVER be
run as root.  But the point is well taken.


As I said - it's a matter of preference.  And you can also use bind
variables with the mysqli extension or PDO.  You don't need ADODB.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
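The hardened form of the lookup argued over in this thread, as an added example that is not code from any of the posters: it validates $id as an integer before it gets near the query, binds it through PDO (as Jerry notes, no ADODB is needed), and includes the extra ownership criterion he mentions. The members.owner_id column, the fetchMember() function and the in-memory SQLite database are assumptions made so it runs stand-alone.

```php
<?php
// Added example, not from the thread. Assumed schema: members.owner_id links a
// row to the account allowed to read it; the other columns follow the original
// post's query. SQLite in-memory is used only so this runs without a server.
declare(strict_types=1);

function fetchMember(PDO $db, $rawId, int $ownerId): ?array
{
    // Reject anything that is not a plain positive integer. Whether $id is
    // "obviously numeric" no longer matters: a hostile string never reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // The value travels as a bound parameter, not as part of the SQL text, and
    // the owner_id condition stops a caller fetching someone else's row.
    $stmt = $db->prepare(
        'SELECT id, firstname, lastname, phone FROM members WHERE id = :id AND owner_id = :owner'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data. ERRMODE_EXCEPTION replaces the original or die()
// pattern: a failing query raises PDOException, which can be logged server-side
// while the user sees a generic message instead of mysql_error() text.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, owner_id INTEGER, firstname TEXT, lastname TEXT, phone TEXT)');
$db->exec("INSERT INTO members VALUES (1, 10, 'Ann', 'Lee', '555-0100'), (2, 20, 'Bob', 'Ray', '555-0101')");

var_dump(fetchMember($db, '1', 10));   // row requested by its owner
var_dump(fetchMember($db, '2', 10));   // same lookup for a row owned by someone else
try {
    fetchMember($db, '1 into outfile /etc/passwd', 10);   // the thread's hostile value
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```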
