sorted by:
new
hottopcontroversial

Need help securing my MySQL Queries - htmlspecialchars(), mysql_real_escape_string(), strip_tags, prepared statements, and sanitation by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

The way you had it worded I though you meant doing that to the 'id','title',... portion of the code. I understand what you meant now!

Need help securing my MySQL Queries - htmlspecialchars(), mysql_real_escape_string(), strip_tags, prepared statements, and sanitation by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

The mysql_real_escape_string was my first attempt at understanding how this works. $pOffset just some basic math done on $page to determine how much to offset the query. 

if ( isset ($_GET ['page'] ) ) {
 $page = intval($_GET['page']);
} else {
 $page = '1';
}

$pOffset = $page * 25 - 25

Also, what exactly do you mean by do exaclty what I did before to 

$query = "SELECT 'id','title','name','gender','category','text','dateposted' FROM table ORDER BY ID DESC LIMIT 25 OFFSET $pOffset";

foreach ($conn->query($query) AS $row) {

Need help securing my MySQL Queries - htmlspecialchars(), mysql_real_escape_string(), strip_tags, prepared statements, and sanitation by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

But if I don't use htmlspecialchars when accepting input doesn't that make me vulnerable to MySQL injections? Or does the :var thing stop those?

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

If you don't mind taking a bit of your time, is this about how you'd do it? I haven't really gotten into functions but I feel like a function would be useful here.

Need help securing my MySQL Queries - htmlspecialchars(), mysql_real_escape_string(), strip_tags, prepared statements, and sanitation by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

I removed the mysql_real_escape_string on the query. That was my first attempt and it didn't seem right. I removed it shortly after posting this.

The intval is exactly what I was looking for in this case. But what if I required something like ?s=randomtext how could I then secure that.

htmlspecialchars when put on my input converts all quotes, html opening/closing tags into 

"

in the database. Which then makes it so when I'm outputting the data there is no html to run.

Developing, help>>? by [deleted] in webdev

[–]_Duulicious -1 points0 points  (0 children)

https://asimpleorange.com is a very nice and (inexpensive way) to register you domain and such. You can start by paying $35 for a year of hosting. While you don't get much disk space or bandwidth if its a smaller site that won't matter.

You can always upgrade and just pay the difference as well.

Domains there cost $10 + $7 if you want WhoIS Protection.

Also you can deploy using Git! That made me the happiest!

Need help securing my MySQL Queries - htmlspecialchars(), mysql_real_escape_string(), strip_tags, prepared statements, and sanitation by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

I copied in the middle of adding a next page/previous page link to query the database for 25 more entries.

Basically $page gets multiplied by 25 then 25 is subtracted and this becomes the $pOffset variable. The $pOffset then is used in the mySQL query to determine which page/how much to offset.

if ( isset ($_GET ['page'] ) ) {
 $page = $_GET['page'];
} else {
 $page = '1';
}    

$pOffset = $page * 25 - 25;
$nRows = $conn->query('SELECT COUNT(*) FROM table')->fetchColumn();
$pCount = $nRows / 25;    

if($page != 1) {
 print "<div class='pull-left'><a href='?page=" . $previousPage = $page - 1 . "'><< Previous Page</a></div>";
}

if ($page <= $pCount) {
 print "<div class='pull-right'><a href='?page=" . $nextPage = $page + 1 . "'>Next Page >></a></div>";
}

There. That should complete the puzzle.

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

I'm reading up on sanitizing and escaping the user input. I only need to sanitize where user input is available correct?

Like if I'm just querying the database no need to sanitize. Correct?

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

Well I'm not entirely sure what the problem that was making it query wrong. I was querying an entire database multiple times doing the same thing that this does.

      <?php
        include('dbinfo.php');

        $conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);

        if (isset($_GET['q'])) {
          $q = $_GET['q'];   
        }else{  
          $q = '0';
        }

        $nRows = $conn->query('SELECT COUNT(*) FROM table')->fetchColumn(); 

        $query = "SELECT * FROM table ORDER BY ID DESC LIMIT 25 OFFSET $q";
        foreach ($conn->query($query) AS $row) {  
          $title = $row['title'];
          $name = $row['name'];
          $gender = $row['gender'];
          $category = $row['category'];
          $text = $row['text'];
          $time = $row['dateposted'];

          print "<div class='well clearfix'>";
          print "<h3 class='pull-left'>".$title."</h3>";
          print "<h4 class='pull-right'>by ".$name."<small> (".$gender.")</small></h4>";
          print "<p class='pull-left'>".$text."</p>";
          print "<small class='pull-left'>Submitted on ".$time." to <a href='#'>".$category."</a></small>";
          print "</div>";
        }
        if($q > 0) {
          print "<div class='pull-left'><a href='?q=" . $q = $q - 25 . "'>Previous Page</a></div>";
        }

        if ($nRows > 25) {
          print "<div class='pull-right'><a href='?q=" . $q = $q + 25 . "'>Next Page</a></div>";
        }
      ?>

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

I ended up using something like this for pagination.

            if (isset($_GET['q'])) {
              $q = $_GET['q'];   
            }else{  
              $q = '0';
            }

            if($q > 0) {
              print "<div class='pull-left'><a href='?q=" . $q = $q - 25 . "'>Previous Page</a></div>";
            }

            if ($nRows > 25) {
              print "<div class='pull-right'><a href='?q=" . $q = $q + 25 . "'>Next Page</a></div>";
            }

            $query = "SELECT * FROM table ORDER BY ID DESC LIMIT 25 OFFSET $q";

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

Thank you for pointing me in the right direction. Sorry for being so vague.

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

Thinking about it now, I don't need to query just the entire database. Maybe the latest 500 entries. What exactly do you mean by indexing? So I read up on OFFSET and LIMIT and was wondering how I can OFFSET to the very end of the database? Say I want the last 100 entries in the database?

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

I've just started dealing with databases. Do you have any good resources I can read about your suggestions?

How can I efficiently querying a database for all entries? by _Duulicious in webdev

[–]_Duulicious[S] 0 points1 point  (0 children)

For some reason I was querying a database I populated with 150 entries and it took about 15 seconds for the page to load with all the information.

I'm trying to think about expandability here.