
Am I giving my host provider's server too much work to do by neglecting to use any object-oriented features of PHP at all? I don't know whether it's a question that even makes much sense - but whenever I see code posted in this thread it's full of -> and . and :: and things that I vaguely recognise as being related to common operations in object-oriented programming. Is it just that the majority of people in the thread are programmers by trade (whereas I'm just a fiddler) and are far more acquainted with OOP than I am, and it's the natural way to do things for them? Or is it actually superior in terms of PHP's performance? I guess it's an academic question, though, because I'm not about to rewrite the site I've written using object-oriented methods to do things. I learnt C++ in the summer and used a bunch of classes to do things in the application I eventually cooked up, but have found it far simpler just to use what Wikipedia informs me is some variation of "procedural style" to program the website I've made.

# ? Jan 17, 2009 15:20

From what I remember, the OO stuff in PHP4 is a little slower than straight up procedural programming, but then again objects in PHP4 suck. In early versions of PHP5 there was more overhead for objects, but they were 1st class OO. At this point PHP5 has matured quite a bit and hardware is fast enough so it really should make a difference on performance. At the same time, I wouldn't overarchitect things by writing your own framework where everything that can be a class is a class. For a lot of stuff, letting the database deal with big work can and is faster.

# ? Jan 17, 2009 15:32

moana posted:
It needs to include SMTP authentication because I'm moving the code to another server (and their mail server requires login credentials), but since I'm not really that fluent in PHP, I'm having some trouble getting it to work. I know the server name, user name, password, and all that, but I'm not sure how to put it together and the scripts that I've found online look a lot different than just the normal "mail" function. Any ideas?

The examples are probably written for PHPMailer, which is what you'll want to use if you need SMTP authentication, connection security, multipart messages, etc. Look it up because using it is probably much easier than you think.

# ? Jan 17, 2009 19:35

Hammerite posted:
Am I giving my host provider's server too much work to do by neglecting to use any object-oriented features of PHP at all?

There's nothing wrong with procedural under PHP for certain applications. It's just associated with rear end in a top hat coders that mash their logic, SQL queries, HTML, CSS, and JS all into the same files.

# ? Jan 17, 2009 20:03

Zorilla posted:
The examples are probably written for PHPMailer, which is what you'll want to use if you need SMTP authentication, connection security, multipart messages, etc. Look it up because using it is probably much easier than you think.

# ? Jan 17, 2009 21:54

Internet Headache posted:
Object-oriented programming under PHP is mostly for easier design, scaling, and maintenance. You would get better performance from a script written in a procedural style but they're a nightmare to build on later.

This is true of every language, is it not? Are there any instances where an OO design would be faster than a procedural design?

# ? Jan 18, 2009 02:21

Internet Headache posted:
Object-oriented programming under PHP is mostly for easier design, scaling, and maintenance. You would get better performance from a script written in a procedural style but they're a nightmare to build on later.

Oh ok, so with people like me, then.

# ? Jan 18, 2009 03:21

waffle iron posted:
From what I remember, the OO stuff in PHP4 is a little slower than straight up procedural programming, but then again objects in PHP4 suck. In early versions of PHP5 there was more overhead for objects, but they were 1st class OO. At this point PHP5 has matured quite a bit and hardware is fast enough so it really should make a difference on performance.

If you are using PHP for performance on execution rather than development, something is already rather wrong.

# ? Jan 18, 2009 05:49

MrMoo posted:
If you are using PHP for performance on execution rather than development something is already rather wrong.

# ? Jan 18, 2009 09:28

surrealcatalyst posted:
You want a Javascript function that shows the banner.

Munkeymon posted:
He mentioned a frame, so I think he's actually just changing the relevant frame's .location.href property:

Thanks for the input, I'll see what I can make out of the suggestions.

# ? Jan 19, 2009 16:59

What are some common ways that people use to hijack web pages via PHP? I've got a large web page with a MySQL database back end and I'm working on sanitizing all of the inputs. I'm already convinced of the fact that it's possible to hijack the page or database by inputting strange strings, but I'm not exactly clear on what type of inputs could cause problems. I mostly want to know so I can test them out to see if I'm checking thoroughly enough. My page has an account system so users specify a username, which is often echoed, so I imagine it might be as simple as making a username like this: ";mysql_query("DROP TABLE accounts");. Or it might be something more sinister that I have no knowledge of, which concerns me.

# ? Jan 20, 2009 17:19

Cloud Dog posted:
What are some common ways that people use to hijack web pages via PHP? I've got a large web page with a MySQL database back end and I'm working on sanitizing all of the inputs. I'm already convinced of the fact that it's possible to hijack the page or database by inputting strange strings, but I'm not exactly clear on what type of inputs could cause problems. I mostly want to know so I can test them out to see if I'm checking thoroughly enough.

Your users can't input actual PHP commands like mysql_query. They can only input things that PHP will interpret as strings. This means that they can input, if you're not careful, two types of things that you should be concerned about: SQL statements and HTML (XML, whatever) markup. So if you prompt for a username, they can try and get PHP to send a command saying "DROP TABLE TableName" to MySQL, but it's not quite as easy as what you wrote up there - they have to engineer it so that this input goes into a query string you are sending to SQL, and in such a way that MySQL recognises it as valid SQL and executes it. It is something you need to be concerned about, however.

As far as HTML goes, a user can enter (for a benign example) something like a <B> tag as part of his username; then if you echo his username onto a page, everything after that point in the page will display in bold text. On a more malicious level, someone could enter a <SCRIPT> tag and get the browsers of anyone who loads the page to do strange things (this is assuming the input is long enough for the contents of a SCRIPT tag).

You can get rid of HTML markup using

php:
<?php
// Turns <, >, & and " into HTML entities so the browser shows them as text
$UserInput = htmlspecialchars($UserInput);
?>

You can make sure SQL is escaped (so that nobody can enter input that breaks out of a string and makes MySQL do things you don't intend) using the following code

php:
<?php
// Only escape when magic_quotes_gpc has not already added backslashes to the input
if ( !get_magic_quotes_gpc() ) {
    $UserInput = mysqli_real_escape_string($cxn, $UserInput);
}
?>

# ? Jan 20, 2009 18:25

Do not do that ^^^ to escape mysql statements.

Cloud Dog posted:
My page has an account system so users specify a username, which is often echoed, so I imagine it might be as simple as making a username like this: ";mysql_query("DROP TABLE accounts");. Or it might be something more sinister that I have no knowledge of, which concerns me.

Which is why you should use prepared statements, then you don't have to worry about an attack like that.

php:
<?php
$id = 5151;
$database = new PDO('connectionstring');
// The statement goes to the server with a placeholder; the value is sent separately as data
$query = $database->prepare("select username from user where id = :id");
$query->bindParam(":id", $id);
if ($query->execute()) {
    $data = $query->fetchAll();
}
?>

# ? Jan 20, 2009 18:25
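Hammerite's "breaking out of a string" explanation and fletcher's prepared-statement answer side by side, as an added example that is not code from either post: the string-built query a quoted username breaks out of, the PDO version that binds the value as data, and the output encoding for the echoed username. It assumes PDO with an in-memory SQLite database standing in for MySQL, and the accounts table and inputs are constructed here.

```php
<?php
// Added example (not from the thread). SQLite in memory stands in for MySQL so it runs alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO accounts (username) VALUES ('alice'), ('bob')");

// Vulnerable: the username is pasted into the statement text, so a quote inside it ends the
// string literal and whatever follows is parsed as SQL (the "breaking out" described above).
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT username FROM accounts WHERE username = '$username' ORDER BY id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the statement is compiled with a placeholder and the value is bound as data, so the
// database never parses it as SQL, whatever characters it contains.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM accounts WHERE username = :username ORDER BY id');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output side (the echoed username): encode for HTML so markup in the name is shown as text.
// ENT_QUOTES also encodes single quotes, which matters when the value lands in an attribute.
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a username containing a quote, and one containing a tag.
$quoted = "nobody' OR '1'='1";
$marked = '<b>bob</b>';

$checks = [
    // The string-built query became: ... WHERE username = 'nobody' OR '1'='1' ORDER BY id
    'unsafe query returns every row' => findUserUnsafe($db, $quoted) === ['alice', 'bob'],
    // The prepared query looked for a user literally named nobody' OR '1'='1 and found none
    'safe query returns no rows'     => findUserSafe($db, $quoted) === [],
    'safe query still finds alice'   => findUserSafe($db, 'alice') === ['alice'],
    'markup is shown as text'        => renderUsername($marked) === '&lt;b&gt;bob&lt;/b&gt;',
    'quotes are encoded'             => renderUsername($quoted) === 'nobody&#039; OR &#039;1&#039;=&#039;1',
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . "\n";
}
```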

I've always been a fan of privilege separation; using different database user accounts with limited permissions to write. Although practically it's easy to go overboard and create excess database connections. Certainly having a user that can only read and write, but not alter/drop tables, is a good idea. It doesn't protect you from deleting every row though, so use prepared statements.

# ? Jan 21, 2009 01:13

fletcher posted:
Do not do that ^^^ to escape mysql statements.

Would you mind telling me why not? You commented in the other thread that you did not like it, but all you said as justification was that the code used to do it is a "mess of poo poo". If there is a real problem with it (other than that you think it is ungainly) then I would really like you to tell me what it is so that I know about it and can consider changing my code. There is no sarcasm or irritation in this question, I really want to know why in your opinion the method I use is wrong. You have not told me, and you have not told him either.

# ? Jan 21, 2009 01:33

Hammerite posted:
Would you mind telling me why not? You commented in the other thread that you did not like it, but all you said as justification was that the code used to do it is a "mess of poo poo". If there is a real problem with it (other than that you think it is ungainly) then I would really like you to tell me what it is so that I know about it and can consider changing my code. There is no sarcasm or irritation in this question, I really want to know why in your opinion the method I use is wrong. You have not told me, and you have not told him either.

http://us3.php.net/magic_quotes

quote: Warning

Even if it wasn't being deprecated/removed, does it really seem like a good idea to check a configuration setting EVERY TIME you have to sanitize input?

# ? Jan 21, 2009 01:47

fletcher posted:
http://us3.php.net/magic_quotes

fletcher posted:
Even if it wasn't being deprecated/removed, does it really seem like a good idea to check a configuration setting EVERY TIME you have to sanitize input?

# ? Jan 21, 2009 01:58

But in fact, no, it won't be a problem at all, will it? Read (on the page you linked) the comment left by "judas dot iscariote at gmail dot com":

quote: Just for the record. this feature has been removed as of PHP6.

Although this means that my checking of get_magic_quotes_gpc will be entirely redundant, it will not cause any of my PHP scripts to cease working in the intended way.

# ? Jan 21, 2009 02:02

Hammerite posted:
I don't see a problem with doing so

Bingo. I didn't say it would no longer work, I'm just saying that there's a better way to go about what you are trying to do. Show me a snippet where you are sanitizing 40 parameters you are about to store in the database and you'll understand my "mess of poo poo" comment.

# ? Jan 21, 2009 02:25

Hammerite posted:
Would you mind telling me why not?

Yes, the problem is that in the following code, you make the assumption that magic quotes perform the same function as mysqli_real_escape_string().

Hammerite posted:

If you read the php manual you will find that:

What are Magic Quotes posted:
When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does.

But for mysqli_real_escape_string, it escapes the following values: "NUL (ASCII 0), \n, \r, \, ', ", and Control-Z", and takes account of the connection locale. Additionally, "If magic_quotes_sybase is on, a single-quote is escaped with a single-quote instead of a backslash if magic_quotes_gpc or magic_quotes_runtime are enabled".

In summary: you should not do that because it does not do the same thing. If you insist on using mysqli_real_escape_string, I would imagine something like this would suffice:

php:
<?php
if ( get_magic_quotes_gpc() ) {
    // magic quotes already added backslashes; take them off before escaping properly
    $foo = mysqli_real_escape_string($cxn, stripslashes($foo));
} else {
    $foo = mysqli_real_escape_string($cxn, $foo);
}
?>

tef fucked around with this message at 03:15 on Jan 21, 2009

# ? Jan 21, 2009 02:43

fletcher posted:
Bingo. I didn't say it would no longer work, I'm just saying that there's a better way to go about what you are trying to do. Show me a snippet where you are sanitizing 40 parameters you are about to store in the database and you'll understand my "mess of poo poo" comment.

Well, I'll give you that. The most parameters I have to escape in any given script in my application is 3 or 4, but I can see that it would become unwieldy if you had a huge number to escape.

tef posted:

# ? Jan 21, 2009 02:57

php:
<?php
if ( get_magic_quotes_gpc() ) {
    $foo = mysqli_real_escape_string($cxn, $foo);
} else {
    $foo = mysqli_real_escape_string($cxn, stripslashes($foo));
}
?>

# ? Jan 21, 2009 03:06

Yes, the other way around.

# ? Jan 21, 2009 03:15

Probably the best thing to do is check for magic quotes one time in your bootstrap, then turn it off if it's on. Then, drop mysqli and use PDO with prepared statements.

# ? Jan 21, 2009 16:10
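Begby's bootstrap idea and tef's point about double escaping, as an added example that is not code from either post: undo magic quotes once at startup over the whole request, and see why escaping an already-escaped value stores a stray backslash. The request array is constructed; addslashes() stands in both for what magic_quotes_gpc did on input and for the backslash escaping mysqli_real_escape_string would apply, so it runs without a database connection.

```php
<?php
// Added example, not code from the thread. Strips the backslashes magic_quotes_gpc added
// once, at bootstrap, so later code can escape or bind values without double-escaping.
function magicQuotesActive(): bool
{
    // get_magic_quotes_gpc() is deprecated in PHP 7.4 and gone in 8.0, so test for it first.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursively remove one level of backslashes from every string in a (nested) request array.
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Bootstrap: call once before any code reads $_GET, $_POST, $_COOKIE or $_REQUEST.
function normalizeRequest(): void
{
    if (magicQuotesActive()) {
        $_GET     = undoMagicQuotes($_GET);
        $_POST    = undoMagicQuotes($_POST);
        $_COOKIE  = undoMagicQuotes($_COOKIE);
        $_REQUEST = undoMagicQuotes($_REQUEST);
    }
}
normalizeRequest();

// Constructed demo: a form as the user typed it, and as magic quotes would have delivered it
// (addslashes() is exactly the transformation magic_quotes_gpc applied).
$typedByUser = ['name' => "O'Brien", 'tags' => ['C:\\tmp', 'say "hi"']];
$afterMagicQuotes = array_map(function ($v) {
    return is_array($v) ? array_map('addslashes', $v) : addslashes($v);
}, $typedByUser);

// tef's point: escaping the already-escaped value doubles the backslashes, so the row would
// hold O\'Brien instead of O'Brien. addslashes stands in for the ' " \ escaping of
// mysqli_real_escape_string here.
$doubleEscaped = addslashes($afterMagicQuotes['name']);                   // O\\\'Brien
$onceEscaped   = addslashes(undoMagicQuotes($afterMagicQuotes)['name']);  // O\'Brien

$checks = [
    'nested request restored' => undoMagicQuotes($afterMagicQuotes) === $typedByUser,
    'double escape differs'   => $doubleEscaped === "O\\\\\\'Brien" && $onceEscaped === "O\\'Brien",
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . "\n";
}
```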

This may seem like a silly question, and it stems from my lack of experience with OOP in general, but knowing the answer to this will help me with every other language as well as solving some problems I've been thinking to myself. I have a User class that has attributes like $username, $password, etc (typically a user's information) and has functions like login() and logout(). I don't exactly know how to implement it into my code though... Let's say someone submits a login form, should I be creating a new instance of the class for every user that logs in? The problem that I saw with that is that I believe that I would need to assign a variable name to the new class. If multiple users are logging in at the same time, there would be a problem with multiple users being given the same variable name/class. On a slightly unrelated note, my thought processes are along the same lines as if I create a game with a class for an enemy monster that appears multiple times simultaneously. I don't know how you can create more than one instance of the monster class because of conflicting variable names. Also, if anyone has some recommended reading that deals with issues like this, I'd be much obliged.

# ? Jan 21, 2009 19:45

Begby posted:
Then, drop mysqli and use PDO with prepared statements.

mysqli also has prepared statements.

# ? Jan 21, 2009 20:39

agscala posted:
Let's say someone submits a login form, should I be creating a new instance of the class for every user that logs in? The problem that I saw with that is that I believe that I would need to assign a variable name to the new class.

Yes. You can simply have $user = new User($blah); Each time a punter comes to your script, it gets fired up anew, and shares nothing between different people's visits. In fact you have to go out of your way to explicitly retain things between different page views by the same person in a short period of time (for this, you want to read about sessions). Or between different visits by the same person over a longer period of time (cookies). You would certainly have to deliberately share information between two different people browsing at the same time. If your script does $user = new User($blah); a new $user is created each time that script is run, and is destroyed when the script ends.

agscala posted:
On a slightly unrelated note, my thought processes are along the same lines as if I create a game with a class for an enemy monster that appears multiple times simultaneously. I don't know how you can create more than one instance of the monster class because of conflicting variable names.

This is a different case, but what you want here is an array. Given you have a class Monster ready;

php:
<?php
// Twenty separate Monster objects, each stored under its own numeric index
$monsters = array();
for ($i = 0; $i < 20; $i++) {
    $monsters[] = new Monster();
}
?>

php:
<?php
$monsters[13]->doStuff();
?>

You can also name your monsters:

php:
<?php
$monsters = array();
foreach (array('rod', 'jane', 'freddy') as $n) {
    $monsters[$n] = new Monster();
}
$monsters['jane']->doStuff();
?>

I don't have a better answer than wikipedia for sessions or cookies right now.
http://en.wikipedia.org/wiki/Session_(computer_science)
http://en.wikipedia.org/wiki/HTTP_cookie

# ? Jan 21, 2009 20:45
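A User class with login() and logout() of the kind agscala describes, built the way Zorilla's answer explains, as an added example that is not code from either post: a fresh object on every request, with $_SESSION carrying the login between requests. It assumes PHP 7.4 or later; the user store is a constructed array holding a password_hash() value, and the three "requests" are simulated in one script.

```php
<?php
// Added example (not from the thread). A User object is built fresh on every request and
// reads $_SESSION, so the login survives between requests even though the object does not.
session_start();   // must run before any output

class User
{
    private ?string $username;

    // Rehydrate from the session; a brand-new object on the next request finds the same entry.
    public function __construct()
    {
        $this->username = $_SESSION['username'] ?? null;
    }

    // $store maps username => password_hash() output; constructed below for the demo.
    public function login(array $store, string $username, string $password): bool
    {
        if (!isset($store[$username]) || !password_verify($password, $store[$username])) {
            return false;          // unknown user or wrong password: nothing changes
        }
        // New session id on login, so an id handed out before authentication is worthless afterwards.
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        $this->username = $username;
        return true;
    }

    public function logout(): void
    {
        $_SESSION = [];            // forget everything server-side ...
        session_destroy();         // ... and drop the session record itself
        $this->username = null;
    }

    public function isLoggedIn(): bool
    {
        return $this->username !== null;
    }
}

// Constructed user store with one account; the hash is computed here rather than stored.
$store = ['agscala' => password_hash('correct horse', PASSWORD_DEFAULT)];
$log = [];

// Request 1: the login form is submitted.
$user = new User();
$log[] = 'wrong password accepted: ' . var_export($user->login($store, 'agscala', 'nope'), true);
$log[] = 'right password accepted: ' . var_export($user->login($store, 'agscala', 'correct horse'), true);

// Request 2: a later page load creates a new User, which finds the session entry.
$user = new User();
$log[] = 'logged in on next request: ' . var_export($user->isLoggedIn(), true);

// Request 3: logout, after which yet another new User sees no session entry.
$user->logout();
$log[] = 'logged in after logout: ' . var_export((new User())->isLoggedIn(), true);

echo implode("\n", $log), "\n";   // false, true, true, false
```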

Awesome, thanks a lot.

# ? Jan 21, 2009 21:08

Does anyone know of a simple query string parser? Something like this http://search.cpan.org/~dami/Search-QueryParser-0.93/lib/Search/QueryParser.pm but for PHP. I surprisingly couldn't find anything.

# ? Jan 23, 2009 07:37

supster posted:
Does anyone know of a simple query string parser? Something like this http://search.cpan.org/~dami/Search-QueryParser-0.93/lib/Search/QueryParser.pm but for PHP.

Some of the Zend_Lucene components might be helpful, though I doubt they're as elaborate as anything a Perl programmer would create.
http://framework.zend.com/manual/en/zend.search.lucene.searching.html#zend.search.lucene.searching.query_building.parsing

# ? Jan 24, 2009 04:30

I'm probably really tired, so I cannot see the problem with this code.

php:
<?php
$sql = 'SELECT album_id FROM ' . GALLERY_ALBUMS_TABLE . " WHERE album_user_id = $user_id";
$result = $db->sql_query($sql);
$gallery_link_id = (int) $db->sql_fetchfield('album_id');
$db->sql_freeresult($result);
$gallery_profile_text = ($gallery_link_id > 0) ? $user->lang['GALLERY_LINK_TEXT'] : '';
?>

php:
<?php
$sql = 'SELECT album_id FROM ' . GALLERY_ALBUMS_TABLE . " WHERE album_user_id = $user_id";
?>

# ? Jan 24, 2009 05:13

It probably doesn't matter, but you probably should use quotes consistently (' versus "). That would eliminate one possibility. Or maybe it doesn't like line breaks in queries?

php:
<?php
$sql = "SELECT album_id " .
       "FROM " . GALLERY_ALBUMS_TABLE . " " .
       "WHERE album_user_id = " . $user_id;
?>

Zorilla fucked around with this message at 05:27 on Jan 24, 2009

# ? Jan 24, 2009 05:22

Zorilla posted:
It probably doesn't matter, but you probably should use quotes consistently (' versus "). That would eliminate one possibility.

No this did not solve the problem, and this is not my code. I wanted to try and use a messy solution to get a photo gallery on a phpBB forum, using TS Gallery. For the most part it seems to work like normal, however I no longer have access to member profiles via the forum interface. This is not a make / break factor for me, just a slight annoyance. The specific URL is only going to exist for about a month.

# ? Jan 24, 2009 05:36

Zorilla posted:
It probably doesn't matter, but you probably should use quotes consistently (' versus "). That would eliminate one possibility

No; that code is using quotes correctly. Using "..." causes the string to be processed for vars + control chars, '...' does not;

php:
<?php
$woot = 'Hey There';
echo "$woot\n"; // echoes: "Hey There" and a newline
echo '$woot\n'; // echoes: "$woot\n"
?>

Obviously you also need to use "..." when you want to use ' inside the string.

# ? Jan 24, 2009 16:37

Oh My Science posted:
No this did not solve the problem, and this is not my code.

I would make that string be constructed on one line, and check the error line changes; I suspect your error isn't in that line at all.

# ? Jan 24, 2009 16:45

I'm just starting to learn PHP and having a bitch of a time with an inline if statement. It just comes up with a blank page, so I think I need to tweak my error reporting some more because I can't even see where I'm going wrong with this. Any suggestions on that? I set it to report all warnings and errors.

code:

One thing I can't figure out (and thought was a problem). Why do I need the "=" sign to get it to evaluate the isset in the second column. I've tried putting it before the IF and it doesn't make any difference. It seems like other places in my code don't need the "=". In conclusion the book Prentice Hall - PHP and MySQL by Example sucks balls.

# ? Jan 24, 2009 23:05

handbandit posted:

You need a semicolon after $sales. How are you trying to set your error reporting level? The = sign in the second column just makes PHP print out whatever you have after it. You could do <?="test";?> and it would print out test. It evaluates it regardless, but without the = there is nothing to tell it to send the data to the output buffer.

jasonbar fucked around with this message at 23:25 on Jan 24, 2009

# ? Jan 24, 2009 23:22

I was setting my reporting level in php.ini. I want it to display all errors and warnings, and thought I had that set right. Seems that missing punctuation still makes it bomb though.

# ? Jan 25, 2009 00:25

handbandit posted:
I was setting my reporting level in php.ini. I want it to display all errors and warnings, and thought I had that set right. Seems that missing punctuation still makes it bomb though.

I guess I could have clarified which $sales to put the semicolon after. Sorry about that. This should do the trick:

code:

edit: You mind posting your error_reporting line from the php.ini file?

jasonbar fucked around with this message at 00:59 on Jan 25, 2009

# ? Jan 25, 2009 00:55

Here it is in a big chunk from error_reporting on.

code:

# ? Jan 25, 2009 03:04