Bytes | Software Development & Data Engineering Community

explanation please

The following is from
http://php.mirrors.ilisys.com.au/man...-injection.php .

Would someone explain the following lines, in particular I don't understand
'$paramArr[\'$1\']' nor do I understand how the syntax {1} works or how it
is related to arrays?

Thanks, mIke.

<some code snipped>
....
return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
}

$sqlQuery = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2}
LIMIT {3}';
$stm = mysql_query(prepareSQL($sqlQuery, array('username', 24.3, 20)));
?>

----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
Sep 7 '05 #1
Michael G wrote:
Would someone explain the following lines, in particular I don't understand
'$paramArr[\'$1\']' nor do I understand how the syntax {1} works or how it
is related to arrays?


Look at the snippet of code and you'll find your answer. The $paramArr
variable is passed in the call to the function.

You'd type the following into your script: prepareSQL("something",
"here"); and "here" would become $paramArr.

-- code --

<?php
function prepareSQL($queryString, $paramArr) {
    // Normalise each parameter: integers stay integers, other numeric
    // values become floats, and anything else (except the literals NULL
    // and NOT NULL) is escaped and wrapped in single quotes.
    foreach (array_keys($paramArr) as $paramName) {
        if (is_int($paramArr[$paramName])) {
            $paramArr[$paramName] = (int)$paramArr[$paramName];
        }
        elseif (is_numeric($paramArr[$paramName])) {
            $paramArr[$paramName] = (float)$paramArr[$paramName];
        }
        elseif (($paramArr[$paramName] != 'NULL') and
                ($paramArr[$paramName] != 'NOT NULL')) {
            $paramArr[$paramName] =
                mysql_real_escape_string(stripslashes($paramArr[$paramName]));
            $paramArr[$paramName] = '\''.$paramArr[$paramName].'\'';
        }
    }

    // Replace every {n} with the value stored under key n: the e modifier
    // evaluates the replacement as PHP once the backreference $1 has been
    // filled in with the text captured between the braces.
    return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
}
?>
Sep 7 '05 #2
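As an added example (my own code, not the function from the PHP manual page and not posted by anyone in this thread), here is the same placeholder substitution done with preg_replace_callback, which makes explicit what the e modifier was doing implicitly: the text captured by the group, called $1 in the replacement, is used as an index into $paramArr. The escaping routine is passed in as a parameter so the script runs without a MySQL connection, and the capture is limited to digits; the function, parameter and variable names are mine.

```php
<?php
// Added example: the manual's prepareSQL() rewritten without the e
// modifier. preg_replace_callback makes the lookup explicit: $m[1] is the
// text the group captured, i.e. what the replacement string called $1.
// $escape stands in for mysql_real_escape_string() so that this runs
// without a database connection; the names here are my own.
function prepareSqlCallback(string $queryString, array $paramArr, callable $escape): string
{
    // Same normalisation as the manual's loop: ints stay ints, other
    // numerics become floats, everything else is escaped and quoted.
    foreach ($paramArr as $key => $value) {
        if (is_int($value)) {
            $paramArr[$key] = (int)$value;
        } elseif (is_numeric($value)) {
            $paramArr[$key] = (float)$value;
        } elseif ($value !== 'NULL' && $value !== 'NOT NULL') {
            $paramArr[$key] = "'" . $escape((string)$value) . "'";
        }
    }

    // \d+ rather than .*?: the capture becomes an array key, so only
    // digits are acceptable. A missing key is an error, not a notice.
    return preg_replace_callback('/\{(\d+)\}/', function (array $m) use ($paramArr): string {
        $index = (int)$m[1];
        if (!array_key_exists($index, $paramArr)) {
            throw new InvalidArgumentException('no parameter for placeholder {' . $m[1] . '}');
        }
        return (string)$paramArr[$index];
    }, $queryString);
}

// Stand-in escaper, constructed for this example only; real code should use
// the driver's escaping or, better, prepared statements.
$escape = fn(string $s): string => str_replace(["\\", "'"], ["\\\\", "\\'"], $s);
$params = ['username', 24.3, 20];

// Placeholders numbered from 0 line up with the array indexes.
echo prepareSqlCallback(
    'SELECT col1, col2 FROM tab1 WHERE col1 = {0} AND col3 = {1} LIMIT {2}',
    $params, $escape
), "\n";

// The template quoted in this thread numbers them from 1, so {1} resolves
// to the second element and {3} has no value at all.
try {
    echo prepareSqlCallback(
        'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2} LIMIT {3}',
        $params, $escape
    ), "\n";
} catch (InvalidArgumentException $e) {
    echo 'error: ', $e->getMessage(), "\n";
}
```

With {0}, {1}, {2} the first call produces SELECT col1, col2 FROM tab1 WHERE col1 = 'username' AND col3 = 24.3 LIMIT 20. With the template as quoted in the thread, {1} resolves to 24.3 and {2} to 20, and {3} throws, because PHP array indexes start at 0: the quoted call never uses 'username' at all. The original /e version maps indexes the same way; it only differs in that the missing key is a notice that evaluates to an empty string, leaving LIMIT with no value. Restricting the group to \d+ matters because, under /e, whatever the group captured was spliced into PHP source before being evaluated. In current PHP the whole approach is superseded by prepared statements (PDO::prepare with bound parameters), which never interpolate values into the query text at all.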
Ahh, *those* curly brackets are a little different. prepareSQL() is
not a built in PHP function, so I can't say for sure what it does.

Based on your example, I would guess that it does something like
substitute the values passed as the second parameter (the array) into
the string passed as the first parameter ($sqlQuery) where the
parameters in the original string are referred to by {i} where i is
their index in the array.

I'd also venture a guess that your "return preg_replace..." code comes
from prepareSQL(). Without seeing the rest of the function, it looks
like that call to preg_replace() is what does the actual replacement of
the variables.

So, in short, those {1}, {2}, etc. are *not* the same as the curly
braces described at http://www.php.net/strings

Sep 7 '05 #3
ZeldorBlat wrote:
Ahh, *those* curly brackets are a little different. prepareSQL() is
not a built in PHP function, so I can't say for sure what it does.

I don't know the answer to your question, but here's the function he was
speaking about:

<?php
function prepareSQL($queryString, $paramArr) {
foreach (array_keys($paramArr) as $paramName) {
if (is_int($paramArr[$paramName])) {
$paramArr[$paramName] = (int)$paramArr[$paramName];
}
elseif (is_numeric($paramArr[$paramName])) {
$paramArr[$paramName] = (float)$paramArr[$paramName];
}
elseif (($paramArr[$paramName] != 'NULL') and
($paramArr[$paramName] != 'NOT NULL')) {
$paramArr[$paramName] =
mysql_real_escape_string(stripslashes($paramArr[$paramName]));
$paramArr[$paramName] = '\''.$paramArr[$paramName].'\'';
}
}

return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
}
Sep 7 '05 #4

"muldoonaz" <do***@spam.me.com> wrote in message
news:Q0********************@fe02.news.easynews.com ...
look at the snippet of code and you'll find your answer. the $paramArr
variable is passed with the calling of the function.

you'd type the following into your script: prepareSQL("something",
"here"); and "here" would become $paramArr.


Yeah, I understand that. In the OP, $paramArr is an array. I also now
understand that the author of this function uses regular expressions to do
the replacement.

return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
}


But I still fail to understand how 'paramArr[\'$1\']' is mapped using $1 as
an index. I've tried printing paramArr['$1'] to see if I might gain some
understanding but to no avail.

Mike

Sep 7 '05 #6

"Michael G" <mi****@montana.com> wrote in message
news:11**************@spool6-east.superfeed.net...

But I still fail to understand how 'paramArr[\'$1\']' is mapped using $1
as an index. I've tried printing paramArr['$1'] to see if I might gain
some understanding but to no avail.


ok. I have an explanation, thanks to a Perl book I have. Anyway, the $1 is
called a backreference. Backreferences contain the value that is matched by
each atom of the regular expression. In this case there is only one atom -
(.*?), hence only one backreference. So each time there is a match the value
contained in the curly braces would be copied into the backreference. So
$paramArr['$1'] after the first match would give $paramArr['0'] as per the
regex. Not really sure about what the modifiers 'ei' mean at the end of the
pattern.

Mike


Sep 8 '05 #7
Michael G wrote:
ok. I have an explanation, thanks to a Perl book I have. Anyway, the $1 is
called a backreference. Backreferences contain the value that is matched by
each atom of the regular expression. In this case there is only one atom -
(.*?), hence only one backreference. So each time there is a match the value
contained in the curly braces would be copied into the backreference. So
$paramArr['$1'] after the first match would give $paramArr['0'] as per the
regex. Not really sure about what the modifiers 'ei' mean at the end of the
pattern.


IIRC, the 'e' modifier is for expand or evaluate, and I know that the
'i' modifier is case-insensitive matching.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Sep 8 '05 #8
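The following is an added example (my own code, not from the thread or the PHP manual) that takes the thread's pattern and replacement apart in three stages: what the capturing group puts into $1, what the replacement string looks like once $1 has been filled in, and what the e modifier then did with that string. The e modifier itself is not used, since PHP 7 removed it; eval() reproduces its behaviour on a template written in the script. $paramArr is the thread's array, left unescaped; the function names and the constants are mine.

```php
<?php
// Added example: the thread's pattern and replacement taken apart to show
// what $1 holds, what the filled-in replacement looks like, and what the
// e modifier then did with it. e itself is not used (removed in PHP 7);
// eval() below reproduces it on a template written here, never on input.
// Names are my own; $paramArr is the thread's array, unescaped.

const PATTERN     = '/\{(.*?)\}/i';          // the thread's pattern, minus e
const REPLACEMENT = '$paramArr[\'$1\']';      // the thread's replacement, verbatim

// Stage 1: what the group (.*?) captured for each placeholder. This text
// is what $1 stands for; PHP itself never sees a variable called $1.
function captures(string $subject): array
{
    preg_match_all(PATTERN, $subject, $m);
    return $m[1];
}

// Stage 2: preg_replace without e. The regex engine fills $1 in and
// inserts the result as plain text. Printing $paramArr['$1'] by hand
// shows nothing useful because the substitution happens inside preg_replace.
function filledIn(string $subject): string
{
    return preg_replace(PATTERN, REPLACEMENT, $subject);
}

// Stage 3: what e added. For every match PHP filled $1 in (passing the
// capture through addslashes()), eval()ed the result as PHP code, and used
// the value as the replacement text.
function emulateE(string $subject, array $paramArr): string
{
    return preg_replace_callback(PATTERN, function (array $m) use ($paramArr): string {
        $code = str_replace('$1', addslashes($m[1]), REPLACEMENT);
        return (string) eval('return ' . $code . ';');
    }, $subject);
}

$template = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2} LIMIT {3}';
$paramArr = ['username', 24.3, 20];

print_r(captures($template));
echo filledIn($template), "\n";
// {3} is left out here because index 3 does not exist in $paramArr.
echo emulateE('SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2}', $paramArr), "\n";
```

The first stage prints the captures 1, 2 and 3: $1 is resolved by the regex engine, inside preg_replace, to the text between the braces. The second stage prints the query with $paramArr['1'], $paramArr['2'] and $paramArr['3'] inserted as literal text, which is all preg_replace does without e. The third stage is what e turned that text into: PHP source, so $paramArr['1'] reads index 1 of the array and {1} comes out as 24.3 rather than 'username', and {3} would be an undefined index (which is why the last call leaves it out). The i modifier is case-insensitive matching; with no letters in the pattern it changes nothing. Because e evaluated text taken from the subject string as code, it was deprecated in PHP 5.5 and removed in PHP 7; preg_replace_callback, as used in emulateE() but with an ordinary array lookup in place of eval(), is its replacement.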
