I was working in an open source script called PHPProBid. I decided to check what approach they are using to avoid MySQL injection, and after looking into their source code I found out they were using the oldest method of escaping user-supplied data, mysql_real_escape_string(). And it’s not just this script that uses this old method; in fact, many PHP tutorial websites still propagate the old methods and still don’t know the best approach to avoiding MySQL injection. They don’t know that PHP’s manual itself discourages the use of such methods and encourages the use of advanced methods such as PDO’s prepared statements.
Have you ever wanted to make an array with the same keys as the values? For example, we want an array of fruits.
$my_array = array('apple','orange','mango');
By default, when you don’t specify a key for each array element, a default numeric key is assigned. The array above is assigned the key indexes:
Array ( [0] => apple [1] => orange [2] => mango )
But that’s not actually what you want, right? Thanks to the built-in PHP array function array_combine(), we can combine the array values with the keys. Let’s try the following:
$my_array = array('apple','orange','mango');
$my_array = array_combine($my_array,$my_array);
Now, let’s run print_r($my_array) to see how it looks. The result will be:
Array ( [apple] => apple [orange] => orange [mango] => mango )
There we go! You can use this idea if you have a country list array with the short country name as the array key. This happened to me when I had a country list array where the key for the country Canada was CA. I just used array_combine() and everything worked like a charm!
By default Zend Framework will escape data passed to the insert() method. For example, if you have a textarea in your form that is accepting input from the user, and someone writes something like I’m testing this form, this will be inserted into the database as I\’m testing this form. We have a built-in function in PHP called stripslashes() that will strip the slashes from the record, but what if you’re populating the form fields using $form->populate()? The best solution is to use setEscape() inside the controller’s init() method. Let’s try it:
public function init() {
    $this->view->setEscape('stripslashes');
}
This will strip the slashes from every value the view passes through its escape callback.
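setEscape() replaces the view's escape callback, which in Zend Framework 1 defaults to htmlspecialchars(), so registering stripslashes alone means values run through escape() are no longer HTML-encoded. The following is an added example, not code from the original post: a callback that does both steps, with a hypothetical function name strip_then_escape and constructed sample inputs.

```php
<?php
// Added example: an escape callback that removes stray backslashes and
// still HTML-encodes the value. The name strip_then_escape is hypothetical.
function strip_then_escape($value, $charset = 'UTF-8')
{
    // Remove the backslashes first, then encode for HTML output so that
    // markup and quotes in user input are rendered as text.
    $value = stripslashes((string) $value);
    return htmlspecialchars($value, ENT_QUOTES, $charset);
}

// Constructed sample inputs: one stored with a stray backslash,
// one containing markup and quotes.
$samples = array(
    "I\\'m testing this form",
    '<em>markup</em> & "quotes"',
);

foreach ($samples as $sample) {
    echo 'input:             ', $sample, "\n";
    // What the view would emit with setEscape('stripslashes') alone.
    echo 'stripslashes only: ', stripslashes($sample), "\n";
    // What the view would emit with the combined callback.
    echo 'strip_then_escape: ', strip_then_escape($sample), "\n\n";
}

// Registered in the controller the same way as the snippet above
// (assumes Zend Framework 1 and that this function is loaded):
//
// public function init() {
//     $this->view->setEscape('strip_then_escape');
// }
```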
A quick way to remove numbers from a string in PHP:
$string = "This is my string, I also have 3823 9283";
// Replace each digit 0-9 with an empty string
$clean_string = str_replace(range(0,9),'',$string);
// This will print "This is my string, I also have" followed by the spaces that surrounded the numbers
echo $clean_string;



