Larry Ullman's Book Forums

Steve

Posts posted by Steve

  1. I am making a social network and one of the features is to allow for users to upload pictures. In code, I'm able to crop the picture (to be used as the "main image") and create a thumbnail of it. I then store each version of the file in two separate directories (one for the "main" image, one for the thumbnail). The files are uniquely named with the User ID, time, and a random string. The users will not see the URL.

     

    But all of the files are going into one of these two directories: should I somehow be storing the images in multiple/different subdirectories (like Facebook does)... or is the method I'm doing now sufficient (and I can change it down the line if necessary)?

     

    Thanks!

  2. Thanks!! I read it as the author was using *both* methods; thanks for clarifying. I did notice the mysql_pconnect, but wasn't going to question it (so, thanks for bringing that up, too).

     

    Appreciated, as always!!

     

    Steve

    Hello Steve,

     

    Thanks for your question. I looked at the article and I'll admit that there are a few points made in the article that I disagree with (e.g., the argument to use mysql_pconnect() or the failure to confirm that variables are set before referencing them). I also don't think the author convinced me of the merits of addcslashes() over mysql_real_escape_string(). The argument for mysql_real_escape_string() is twofold: first, it puts more functionality into the database, which is generally advised. Second, it performs the escaping in a way that's particular to the character set used by the database, so it's more particular and less generic than addcslashes(). Also, to be clear, the author isn't using addcslashes() AND mysql_real_escape_string() but rather addcslashes() INSTEAD OF mysql_real_escape_string().

     

    To be clear, it's really a minor distinction between the two, but I prefer mysql_real_escape_string().

    • Upvote 1
  3. Hi Larry/everyone,

     

    I came across this article: "Can You Hack Your Own Website?..."

    http://net.tutsplus.com/tutorials/tools-and-tips/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nettuts+%28Nettuts%2B%29&utm_content=Google+Feedfetcher

     

     

    To sanitize inputs, the author used not only "mysql_real_escape_string" but also the function "addcslashes". Specifically, the line of code (that would be added to the "escapedata()" function on page 56) is:

     

    $string_b = addcslashes($string_i, "\x00\n\r\'\x1a\x3c\x3e\x25");

     

    I was wondering your thoughts on this extra line of code; if it's necessary or not?

     

    Thanks!

    • Upvote 1
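As an added example (not from the thread or the linked article), a PHP round-trip check of the article's addcslashes() line: it escapes constructed sample values with the article's exact charlist, then decodes the result the way MySQL's documented backslash rules read a string literal (default sql_mode, byte by byte, modelled in plain PHP since mysql_real_escape_string() needs a live connection). mysql_decode_literal(), has_unescaped_quote() and the sample strings are constructed for this example.

```php
<?php
// Added example, not from the thread or the linked article. The charlist is
// exactly the article's: in a PHP double-quoted string "\'" is not an escape,
// so the list is NUL, LF, CR, backslash, single quote, SUB (0x1a), '<', '>', '%'.
const ARTICLE_CHARLIST = "\x00\n\r\'\x1a\x3c\x3e\x25";

function article_escape(string $s): string
{
    // addcslashes() C-escapes LF and CR but emits \ooo octal for other bytes
    // below 32, so NUL becomes \000 and SUB becomes \032.
    return addcslashes($s, ARTICLE_CHARLIST);
}

// Constructed model of how MySQL reads backslash sequences in a string literal
// (default sql_mode, byte by byte): \0 is NUL, \% and \_ keep their backslash,
// the usual C escapes apply, and for any other character the backslash is dropped.
function mysql_decode_literal(string $s): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t", 'b' => "\x08",
            'Z' => "\x1a", '\\' => '\\', "'" => "'", '"' => '"', '%' => '\\%', '_' => '\\_'];
    $out = '';
    for ($i = 0, $len = strlen($s); $i < $len; $i++) {
        if ($s[$i] !== '\\' || $i + 1 >= $len) { $out .= $s[$i]; continue; }
        $n = $s[++$i];
        $out .= isset($map[$n]) ? $map[$n] : $n;
    }
    return $out;
}

// True if a quote survives unescaped, i.e. would terminate the SQL literal.
function has_unescaped_quote(string $escaped): bool
{
    for ($i = 0, $len = strlen($escaped); $i < $len; $i++) {
        if ($escaped[$i] === '\\') { $i++; continue; }
        if ($escaped[$i] === "'" || $escaped[$i] === '"') { return true; }
    }
    return false;
}

// Constructed sample values, one per byte the charlist does or does not cover.
$samples = ["O'Reilly", 'say "hi"', 'a<b>c', '50% off', "nul\0byte",
            "sub\x1achar", "line\nbreak", 'back\\slash'];
foreach ($samples as $s) {
    $escaped = article_escape($s);
    $stored  = mysql_decode_literal($escaped);
    printf("%-16s -> %-20s -> %-18s %s%s\n", json_encode($s), json_encode($escaped),
        json_encode($stored), $stored === $s ? 'round-trip ok' : 'CORRUPTED',
        has_unescaped_quote($escaped) ? ', quote left unescaped' : '');
}
```

Running it shows the single quote, backslash, LF and CR round-trip cleanly, the double quote is never escaped at all, and '%', NUL and SUB come back altered because MySQL does not read addcslashes()'s \%, \000 and \032 the way PHP wrote them. The model is deliberately single-byte, which is the charset-awareness gap Larry's reply points at.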