Re: Alphabetical pagination (RESOLVED)
on 16.07.2009 16:53:25 by Martin Scotta
On Thu, Jul 16, 2009 at 11:01 AM, Andrew Ballard wrote:
> On Thu, Jul 16, 2009 at 9:33 AM, Miller, Terion wrote:
> >
> > Here is what finally worked:
> >
> > <?php
> > $letter = isset($_GET['letter']) ? $_GET['letter'] : "A";
> >
> > //alphabetical pagination links
> > // (the archive stripped the HTML tags out of the format strings; the link
> > // markup below is reconstructed from the two arguments the call passes)
> > echo '';
> > foreach(range('A','Z') as $c){
> >     ($letter == $c)
> >         ? printf('%s ', $c)
> >         : printf('<a href="?letter=%s">%s</a> ', $c, $c);
> > }
> > echo "\n";
> >
> > //Show all restaurants that start with $letter
> > $sql = "SELECT * FROM restaurants WHERE name LIKE '{$letter}%'";
> > $result = mysql_query($sql) or die(mysql_error());
> > while($row = mysql_fetch_assoc($result)){
> >     // table cell markup reconstructed the same way; the count comes from $row
> >     printf('<tr><td align="left" width="100">%s</td><td>%s</td><td width=200>%s</td></tr>',
> >         $row['name'], $row['address'], $row['cviolations']);
> > }
> >
> > ?>
> > Thanks again everyone!!
>
> Terion,
>
> I hope that isn't your final answer. This has SQL injection written
> all over it since you are neither validating that $letter is actually
> a letter, nor are you escaping it before passing it off to MySQL.
>
> <?php
> $letter = isset($_GET['letter']) ? $_GET['letter'] : 'A';
>
> if (!preg_match('/^[A-Z]$/i', $letter)) {
>     $letter = 'A';
>     /*
>     Rather than setting $letter to 'A' and continuing,
>     you could generate an error if you end up in here
>     so you can let the user know that what they passed
>     was invalid.
>     */
> }
>
> //....
> ?>
>
> In this case, it should be safe to use $letter directly in the query
> without passing it through mysql_real_escape_string() since it should
> only contain a single harmless alphanumeric letter, but it wouldn't
> hurt (and may still be a good idea) to go ahead and escape the value
> in the query anyway just in case something in your code changes later
> that might cause some cruft to slip in.
>
> Andrew
>
My point of view:
# i'll use constants for these values
assert( ord('A') == 0x41 );
assert( ord('Z') == 0x5A );

# 1. get the ascii code of the 1st character or from A=0x41
$letter = ord( array_key_exists('letter', $_GET) ? strtoupper( $_GET['letter'][0] ) : 'A' );

# 2. different solutions (pick one of 2.a or 2.b)
# 2.a check if it is in range using <= and constants (faster)
$letter = chr( 0x41 <= $letter && $letter <= 0x5A ? $letter : 0x41 );

# 2. different solutions
# 2.b check if it is in range with min/max and constants (faster)
$letter = chr( min( max(0x41, $letter), 0x5A ) );

I'd use the 2.b but this has different behaviour when $letter > Z (should this ever happen?)
On the other hand I think it is the faster one.
--
Martin Scotta
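Added example, not code from the thread: the post's string-built query beside a hardened version, run against an in-memory SQLite table through PDO so it executes offline with php-cli (it assumes the pdo_sqlite extension is available). The table and column names follow the post; the sample rows, the validate_letter and clamp_letter helpers and the payload string are constructed here.

```php
<?php
// Added example (not from the thread). Vulnerable query from the post beside a
// hardened one, plus Andrew's reject-and-default check next to Martin's byte
// clamp, run over constructed inputs. Assumes php-cli with pdo_sqlite.

declare(strict_types=1);

function validate_letter(?string $input): string
{
    // Andrew's whitelist: exactly one ASCII letter, anything else falls back to 'A'.
    // Upper-casing keeps the LIKE pattern and the link markup consistent.
    if ($input === null || !preg_match('/^[A-Z]$/i', $input)) {
        return 'A';
    }
    return strtoupper($input);
}

function clamp_letter(?string $input): string
{
    // Martin's variant 2.b: clamp the first byte into A..Z instead of rejecting.
    // Bytes below 'A' (including the empty string, ord('') == 0) become 'A',
    // bytes above 'Z' become 'Z', which is the behaviour difference he notes.
    $byte = ord(strtoupper(substr((string) $input, 0, 1)));
    return chr(min(max(0x41, $byte), 0x5A));
}

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE restaurants (name TEXT, address TEXT, cviolations INTEGER)');
    // Constructed sample rows, one per starting letter A, B, C.
    $stmt = $db->prepare('INSERT INTO restaurants VALUES (?, ?, ?)');
    foreach ([['Al Forno', '1 Main St', 2], ['Bistro B', '2 Oak Ave', 0], ['Cafe C', '3 Elm Rd', 5]] as $row) {
        $stmt->execute($row);
    }
    return $db;
}

function vulnerable_names(PDO $db, string $letter): array
{
    // The post's query, unchanged: whatever arrived in ?letter= becomes SQL text.
    $sql = "SELECT name FROM restaurants WHERE name LIKE '{$letter}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function safe_names(PDO $db, string $letter): array
{
    // Hardened: validate first, then bind the pattern as a parameter so the value
    // is sent separately from the SQL text and can never change its structure.
    $stmt = $db->prepare('SELECT name FROM restaurants WHERE name LIKE ?');
    $stmt->execute([validate_letter($letter) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setup_db();

// Normal request.
print_r(vulnerable_names($db, 'B'));
print_r(safe_names($db, 'B'));

// Hostile request: closes the quote, adds an always-true condition, reopens the quote.
$payload = "' OR 1=1 OR name LIKE '";
print_r(vulnerable_names($db, $payload));
print_r(safe_names($db, $payload));

// Where reject-and-default and clamp disagree.
foreach (['B', 'b', '', '[', 'zebra', $payload] as $input) {
    printf("%-28s validate=%s clamp=%s\n", var_export($input, true),
        validate_letter($input), clamp_letter($input));
}
```

Run it with `php` on the command line. For the input 'B' both queries return the single B restaurant. For the payload the string-built query's WHERE clause becomes `name LIKE '' OR 1=1 OR name LIKE '%'` and every row comes back, while the hardened version rejects the payload, falls back to 'A' and returns only the A restaurant. The last loop shows the point Martin raises: '[' and 'zebra' become 'A' under the regex check but 'Z' under the byte clamp, so the two approaches paginate differently for out-of-range input. The mysql_* functions used in the post were removed in PHP 7.0; PDO or mysqli with bound parameters is the replacement.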
Re: Alphabetical pagination (RESOLVED)
on 16.07.2009 17:01:58 by tmiller
One question I still have... I had help with this script of course and I'm confused with the %s, what does it do?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Alphabetical pagination (RESOLVED)
on 16.07.2009 17:32:49 by Martin Scotta
On Thu, Jul 16, 2009 at 12:01 PM, Miller, Terion <tmiller@springfi.gannett.com> wrote:
>
> One question I still have...I had help with this script of course and I'm
> confused with the %s what does it do?
>
printf has its own mini-syntax.
This was implemented in C.
PHP's printf syntax is very similar, but with some cool add-ons
http://php.net/printf
The detailed description of format are here: http://php.net/sprintf
--
Martin Scotta
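Added example, not code from the thread: what `%s` does in the post's pagination loop, and the other printf conversions a PHP programmer meets most often. The `<b>` and `<a>` markup, the sample row and the format list are assumptions constructed for the example; the argnum form `%1$s` is the "add-on" PHP has over C's printf.

```php
<?php
// Added example (not from the thread): %s and its neighbours as used in the
// post's loop. Markup and sample data are constructed here.

declare(strict_types=1);

function pagination_link(string $current, string $c): string
{
    // %s substitutes the next argument as a string. The original loop passes
    // $c twice because its format uses it twice, once in the href and once as
    // the link text; PHP's argnum extension (%1$s) lets one argument be reused.
    if ($c === $current) {
        return sprintf('<b>%s</b> ', $c);
    }
    return sprintf('<a href="?letter=%1$s">%1$s</a> ', $c);
}

function row_html(array $row): string
{
    // %d converts its argument to an integer, so a violation count that arrives
    // from the database as a numeric string is rendered as a plain number.
    return sprintf(
        '<tr><td align="left" width="100">%s</td><td>%s</td><td>%d</td></tr>',
        $row['name'], $row['address'], $row['cviolations']
    );
}

function format_examples(): array
{
    // Each key names the conversion the value exercises.
    return [
        '%s on a string'            => sprintf('%s', 'Al Forno'),
        '%d on a numeric string'    => sprintf('%d', '42'),
        '%05d zero-padded to 5'     => sprintf('%05d', 7),
        '%.2f rounded to 2 places'  => sprintf('%.2f', 3.14159),
        '%% literal percent sign'   => sprintf('%d%%', 99),
        '%2$s %1$s positional args' => sprintf('%2$s, %1$s', 'A', 'Z'),
    ];
}

foreach (range('A', 'Z') as $c) {
    echo pagination_link('C', $c);
}
echo "\n", row_html(['name' => 'Al Forno', 'address' => '1 Main St', 'cviolations' => '2']), "\n";
print_r(format_examples());
```

The formats are in single-quoted strings on purpose: in a double-quoted string PHP would try to interpolate `$s` in `%1$s` before sprintf ever saw it. `%d` keeps only the integer part of its argument, `%05d` left-pads with zeros to five characters, `%.2f` rounds to two decimals, `%%` emits one literal percent sign, and `%2$s, %1$s` prints the arguments in swapped order.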