Sometimes I feel like I'm one of the few who like PHP. But one thing that is currently making my life hell is the mysqli extension. Not that it is hard to use; there is one strange thing I'm stuck on. If I read an image file via file_get_contents() and want to write it to a database, it's sensible to use a BLOB field. So far so good. I guessed I have to do it this way:
$image_data = file_get_contents( "my_image.png" );
$database = new mysqli( "host", "user", "password" );
$database->select_db( "my_db" );
if( $statement = $database->prepare( "INSERT INTO my_table SET my_blob = ?" ) ) {
$statement->bind_param( "b", $image_data );
$statement->execute();
} else {
// etc.
}
mysqli::prepare(). So I guessed nothing was wrong with it. But it seems to be wrong. If I use $statement->bind_param( "s", $image_data ); instead, which means passing the value as a string, it works as expected. Is this a bug or can someone explain this strange behaviour to me?
Filed under Code, MySQL, MySQL 5.0, mysqli, PHP & two comments & no trackbacks
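An added example, not code from the post above: the two ways mysqli can carry a file into a BLOB column. With type "s" the whole value travels with execute(); with type "b" the bound variable is not read at all and the data has to be supplied in chunks through mysqli_stmt::send_long_data() before execute(), which is why binding "b" alone stores an empty value. The host, user, password, table and column names are the placeholders from the post; the file name is assumed.

```php
<?php
// Added example, not the post's own code. Two ways to store a file in a BLOB
// column with mysqli; table, column and connection placeholders are the ones
// used in the post above, "my_image.png" is assumed.
function connect(): mysqli
{
    $db = new mysqli("host", "user", "password", "my_db");
    if ($db->connect_errno) {
        throw new RuntimeException("connect failed: " . $db->connect_error);
    }
    return $db;
}

// Variant 1: type "s". The whole file is sent with execute(), so it has to
// fit into the server's max_allowed_packet.
function insertBlobAsString(mysqli $db, string $path): int
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    $stmt = $db->prepare("INSERT INTO my_table SET my_blob = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $data);
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }
    return $stmt->affected_rows;
}

// Variant 2: type "b". The bound variable is ignored; the data is shipped in
// chunks with send_long_data() before execute(). Binding "b" without those
// calls stores an empty value, which is the behaviour the post describes.
function insertBlobChunked(mysqli $db, string $path, int $chunkSize = 8192): int
{
    $stmt = $db->prepare("INSERT INTO my_table SET my_blob = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $unused = null;
    $stmt->bind_param("b", $unused);

    $fh = fopen($path, "rb");
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    while (!feof($fh)) {
        $chunk = fread($fh, $chunkSize);
        if ($chunk === false) {
            throw new RuntimeException("read error on $path");
        }
        // Parameter index 0 is the first "?" of the statement.
        if ($chunk !== "" && !$stmt->send_long_data(0, $chunk)) {
            throw new RuntimeException("send_long_data failed: " . $stmt->error);
        }
    }
    fclose($fh);

    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }
    return $stmt->affected_rows;
}

$db = connect();
echo insertBlobChunked($db, "my_image.png"), " row(s) inserted\n";
```

The chunked variant is the one to use for files that may exceed max_allowed_packet; for small images the "s" binding is simpler and behaves as the post observed.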
If you use PHP for some years, you will often fight the same problems, which leads to a lot of useless work when implementing basic things like a properly designed class to send mails in a sane way, parsing an INI file, basic generation of PHP code, logging to a file or database, or an implementation of a persistent object. These components are often needed, and you have to write them yourself if you want to work around the traditional and outdated PEAR packages. So maybe some day you have all the patterns you need and can begin to write code, but how long does it take? Two years? Four years? Not that sensible. So it raises productivity if you can use a set of components which are small, independent and designed for the current state of the language, meaning PHP 5.1.x. eZ components by eZ systems fit this specification. You can solve the problems above and much more: analysing and modifying images, debugging, working with user input and, as a bonus, you can use PHP for shell scripts with ConsoleTools.
As theory is supposed to be useless without practice, here is a small example for reading an INI file. Let's assume the following INI file:
[context]
foobar = Bla
bla = blubb
whatever = bar
$reader = new ezcConfigurationIniReader();
$reader->init( '/path/to/your/config/dir', 'config' );
$config = $reader->load();
echo $config->getSetting( "context", "foobar" );
Filed under Code, Components, Design patterns, ezComponents, Patterns, PHP, Technology, www & no comments & no trackbacks
Normally issues like this aren't my topic. Transcribing news from other sites is not my thing, but the new PHP version of the 5.1 series provides some important fixes: the deprecation notice when using the keyword »var« has been removed, so you can use Smarty in combination with PHP 5 without the heap of error messages; a buffer overflow in wordwrap() has been fixed; the XSS problems in phpinfo() are fixed; and safe mode now also checks the first parameter of copy().
Filed under Code, PHP, Security, Technology, www & no comments & no trackbacks
PHP does not provide symbols out of the box. While languages like Ruby make it possible to use symbols as method arguments, that option does not exist in PHP. Yet symbols often have big advantages over plain values: they allow API stability even when the functionality of a class keeps changing, because the assignment of a value can happen inside the class or method. Even though PHP does not ship them, there is a way to emulate such symbols.
First an example in Ruby:
class Bla
  def self.foobar( param )
    print "Here we are!\n" if param == :sym
  end
end

bla = Bla
bla.foobar( :sym )
Since version 5.0, PHP is known to offer class constants, which can quite handily be abused for this purpose. The well-known example in PHP:
class Bla
{
    const SYM = "bla";

    public function foobar( $param )
    {
        if( $param == Bla::SYM ) print "Here we are!\n";
    }
}

$bla = new Bla;
$bla->foobar( Bla::SYM );
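An added example, not the post's own code, that takes the constant-as-symbol idea one step further: the method checks that the argument is one of the class's own constants and compares with ===. The loose == used above accepts loosely equal values (in PHP before 8.0, 0 == "bla" is true), so a caller passing 0 would hit the branch meant for Bla::SYM. The class and constant names (Mode, Store, READ, WRITE) are assumptions for the example.

```php
<?php
// Added example (not the post's own code): emulating symbols with class
// constants, validated against the class's own constant list and compared
// strictly, so loosely equal values such as 0 are rejected instead of matched.
class Mode
{
    const READ  = 'mode:read';
    const WRITE = 'mode:write';

    /** All symbols this class defines, keyed by constant name. */
    public static function all(): array
    {
        return (new ReflectionClass(self::class))->getConstants();
    }

    /** True only for one of the constants above, compared with ===. */
    public static function isValid($value): bool
    {
        return in_array($value, self::all(), true);
    }
}

class Store
{
    public function open($mode): string
    {
        if (!Mode::isValid($mode)) {
            throw new InvalidArgumentException('unknown mode symbol');
        }
        // The string behind Mode::READ never leaves the class, so it can be
        // changed later without touching callers that pass Mode::READ.
        return $mode === Mode::READ ? 'opened read-only' : 'opened for writing';
    }
}

$store = new Store();
echo $store->open(Mode::READ), "\n";

// A loosely equal value is rejected rather than silently matched.
try {
    $store->open(0);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```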
Filed under Class-constants, Code, Constants, OOP, PHP, Ruby, Symbols, Technology & no comments & no trackbacks
Some months ago I ranted about Gentoo's Ejabberd ebuilds, and I want to comment on another issue: Ejabberd provides support for PostgreSQL via its ODBC drivers. That's reflected in the ebuild; there is a postgres USE flag. That's generally fine, but it helps nothing, 'cause you need the native PostgreSQL driver from the jungerl distribution. But there is no ebuild in portage. You can find neither jungerl nor the native PostgreSQL driver in portage, which makes the USE flag buggy on the one hand and completely useless on the other. Is it common not to test functionality when adding a USE flag?
Filed under Code, Ejabberd, Gentoo, Jabber, Linux, PostgreSQL, Technology, www & ten comments & no trackbacks
Made my day:
From: Georgi Guninski
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Linus mass killing integer overflows
[...]
the news is, the benevolent dictator has said "let there be C++", and there is a more secure, full featured, reliable and faster linux kernel written mainly in C++. the official release is scheduled for 2.8 or when redhat™ becomes ready for the desktop, whichever comes first.

key improvements include:
a) integer overflows were PITA for the kernel janitors. once the classes SafeInt and SafeLong were implemented with suitable operators, the new kernel is 100% “int/long too big” free. the refactoring tool made this part easy.
b) some clever abuse of exceptions dramatically reduces the amount of OOPS:
cases like '(SafeInt)0=foo->bar()' are now gracefully catch()ed, killing the OOPS.
c) kernel structures were just lame emulation of C++ objects. now they are native C++ objects.
d) exceptions result in cleaner, easier to read code and almost stop the nasty abuse of "goto"

currently there are discussions for implementing COM in the kernel and/or scripting the kernel from userland, but Linus hasn't made up his mind yet.
the first public prerelease will be available from ftp://ftp.kernel.org/pub/linux/kernel soon.
My wishlist for 2.8:
-jvm (should boost my swing apps)
-sql support to query kernel table and fs data
-lisp and prolog interpreters (don’t have a use for this but I’m sure somebody will need it)
The kernel folks have taken a seriously wrong turn here. They should have delayed the preview release until the garbage collector was ready. That's where the real value for these patches starts.

Regards,
Brian
> My wishlist for 2.8:
> -jvm (should boost my swing apps)

agreed. i vote for implementing parrot – http://www.parrotcode.org/ to avoid perl vs python vs java flames.

> -sql support to query kernel table and fs data
this seems a bad idea. what if a mcse discovers a sql injection in kernelspace? the side effects may be worse than a cake on b1l1.
> -lisp and prolog interpreters (don’t have a use for this but I’m sure
> somebody will need it)

rms likes lisp, so we can count on him.
Filed under Code, integer overflow, kernel, Linux, security, Technology & no comments & no trackbacks
That's something I did not know before: PostgreSQL is extensible via Tcl, Perl and Python. The latter is the interesting one; I don't want to be stuck with archaic languages. Extensible means that it is possible to write SQL functions in one of these languages, which creates the opportunity to put much more logic into the database than is normally possible.
Update:
Astro pointed to PL/Ruby, which makes it possible to create SQL functions in Ruby.
Filed under Code, Database, PostgreSQL & one comment & no trackbacks
$database->Execute ("INSERT INTO foo SET baz='".$_POST ['bar']."'");
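The one-liner above splices $_POST['bar'] straight into the SQL text, so a single quote in the request ends the string literal and the rest of the input becomes SQL. An added example, not code from the post: the same construction fed a constructed hostile value, beside a parameterised mysqli version that sends the value separately from the statement. Table and column names are the post's; the payload and the mysqli connection are assumptions for the example.

```php
<?php
// Added example, not the post's own code: the post's string-built INSERT
// next to a parameterised version. Table `foo` and column `baz` are from the
// post; the payload below is constructed for the example.
function buildUnsafeQuery(string $bar): string
{
    // Same construction as the one-liner above: raw input is concatenated
    // into the SQL text, so a quote in $bar terminates the literal.
    return "INSERT INTO foo SET baz='" . $bar . "'";
}

function insertSafely(mysqli $db, string $bar): bool
{
    // Placeholder plus bound parameter: the value travels separately from
    // the statement text and cannot change the statement's structure.
    $stmt = $db->prepare("INSERT INTO foo SET baz = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $bar);
    return $stmt->execute();
}

// Constructed value standing in for $_POST['bar'].
$payload = "', baz=VERSION() -- ";

// The attacker now controls what is assigned to baz; the trailing "-- "
// comments out the closing quote the code appended.
echo buildUnsafeQuery($payload), "\n";
// INSERT INTO foo SET baz='', baz=VERSION() -- '

// With a prepared statement the very same input is stored verbatim as data.
// Connection placeholders are assumptions; uncomment to run against a server.
// $db = new mysqli("host", "user", "password", "my_db");
// var_dump(insertSafely($db, $payload));
```

Escaping with mysqli_real_escape_string() would also neutralise this particular payload, but it has to be applied to every value on every query path; a bound parameter makes the separation of code and data the default.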
Filed under Code, Security, Technology, Websecurity & five comments & no trackbacks
»Already better« would be my verdict. After I had ranted quite a bit at the first Webmontag in Cologne, I still couldn't resist going again. This time even with my own talk (with fukami) on security in Web 2.0. It was designed to make clear that the paradigm shift from content-centred applications to user-centred ones brings a few new dangers with it, or rather old dangers in new clothes, and built out as a small rant about existing problems. My explicit thanks to Nico Wilfer for his coolness in offering two of his projects as demo objects. I don't think everyone would do that, thanks. Further results of the evening: Gerrit van Aaken is didactically quite talented, his talk on typography on the web was exciting, Beate Paland gave a really good introduction (as far as I caught it) to Ruby on Rails, Moe is a cool guy live as well, and: this time it was a lot more fun.
Update:
Moe thinks we are nice users, Thomas Wahnhoff ranks our talk among the best, poocs.de has photos, blogwinkel puts my real name and my nick together, I should sue them right away (that seems to be how it's done these days), you can also listen to us, and the slides are now online too (Live, Tarball).
Filed under Art, Beate Paland, Code, Frankfurt, Nico Wilfers, Security, Stefan Mosel, Technology, Vortrag, Webmontag, Websecurity, www, XSS & 14 comments & one trackback
Talk on Webmontag is over. Now it’s time to publish some security related issues I found out over the last weeks.
Filed under Ajax, Amiamo.de, Code, Injection, JavaScript, PHP, Plazes.com, Security, Webmontag, Websecurity, XSS & two comments & two trackbacks
… Webmontag.
Filed under Amiamo.de, Code, Plazes.com, Security, Technology, Webmontag, www & no comments & no trackbacks
Just now I wanted to release a shiny new version of my BBCode implementation, but then I found a serious JavaScript injection hole in it. So you have to wait.
Filed under Code, Security, Websecurity, XSS & no comments & no trackbacks
That's how it's done. Elegant, elegant.
Filed under AMD, Code, Security, Technology, Websecurity & no comments & no trackbacks
Peter Johanson received CVS commit access for the Muine music player, the famous »no, I'm not just another iTunes clone« player. I hope Peter will bring some new dynamism to the Muine project, and I hope he remembers the interface ideas I suggested via the list.
Filed under Code, Gentoo, GNOME, Linux, Muine, Peter Johanson, Technology, www & no comments & no trackbacks