code OK for large number of hits?

This is a discussion on code OK for large number of hits? within the MySQL Database forums, part of the Database Forums category.


#11
05-05-2008
Geoff Cox
Re: code OK for large number of hits?

On Mon, 05 May 2008 10:25:06 +0200, Matthias Watermann <lists@mwat.de>
wrote:

>On Mon, 05 May 2008 07:16:35 +0100, Geoff Cox wrote:
>
>> [...]
>> where the user is typing a number into a box
>>
>> var number_check = number_given;
>> if ( (number_check >7) || (number_check < 1) ) { alert("The number must
>> be in the range 1 to 7!"); } else
>> if (isNaN(number_check)) {
>> alert("Please enter a valid number"); } else {
>> sendGroup1Lab1(number_check);
>> }

>
>You must _never_ rely on client-side validation! As far as the
>server-side script is concerned you should at least assume the user
>switched JavaScript off (not to mention intended malformed values).
>
>> I have changed (***) the php to
>>
>> $result1 = $_GET['answer1'];
>> $result2 = $_GET['answer2'];
>> $result3 = $_GET['answer3'];
>> $result4 = $_GET['answer4'];

>
>If those values are supposed to be numbers you should at least
>ensure that:
>
>$result1 = $_GET['answer1'] * 1;
>$result2 = $_GET['answer2'] * 1;
>$result3 = $_GET['answer3'] * 1;
>$result4 = $_GET['answer4'] * 1;



>(There's no need for those "$result" variables: Why keep the same value
>in memory multiple times?) Do _not_ assume all the expected CGI
>arguments are there actually but always check that.


Matthias,

I'm not clear what you mean above re the "no need for those "$result"
variables" - could you please explain?

Cheers

Geoff


>
>> [...]
>> $result4 = mysql_real_escape_string($_GET['favorite']); ***

>
>What's "favorite" supposed to be? A string? A number (real or integer)?
>How do you validate that?
>
>> mysql_query("INSERT INTO mytable (answer1,answer2,answer3,answer4)
>> VALUES ('$result1','$result2','$result3','$result4')");

>
>The single quotes are needed for string values, while those "$resultX"
>variables are integers. Hence you could omit the single quotes.
>
>> I see that mysql_real_escape_string can only be used after connecting
>> to the database?

>
>Yes. However, if you'd validate the user provided values there's not
>much need for such a call anyway. And escaping possibly malicious
>values might avoid some SQL injection problem but it does _not_ avoid
>your tables being filled with useless data.
>
>> Is the above safer?

>
>Further improvement could be gained by not using the tables directly
>but calling a stored procedure which could implement additional
>validation. But that's another topic and probably oversized for
>your application.
>
>However, you should switch from HTTP/GET to HTTP/POST. While that's
>not a safety net as such at least it makes it a _little_ harder to
>fake the CGI arguments.

#12
05-05-2008
Rik Wasmus
Re: code OK for large number of hits?

On Mon, 05 May 2008 12:51:09 +0200, Geoff Cox <gcox@freeuk.notcom> wrote:
>> If those values are supposed to be numbers you should at least
>> ensure that:
>>
>> $result1 = $_GET['answer1'] * 1;
>> $result2 = $_GET['answer2'] * 1;
>> $result3 = $_GET['answer3'] * 1;
>> $result4 = $_GET['answer4'] * 1;

>
>
>> (There's no need for those "$result" variables: Why keep the same value
>> in memory multiple times?) Do _not_ assume all the expected CGI
>> arguments are there actually but always check that.

>
> Matthias,
>
> I'm not clear what you mean above re the "no need for those "$result"
> variables" - could you please explain?


It's more of a discussion for comp.lang.php.

However, I do NOT agree that those $result variables are unneeded: it's a
Good Practice to leave the GET/POST/COOKIE/ARG superglobals arrays as
read-only. Who knows what other code would do next? And one could want to
log illegal values later on for instance. As soon as one wants to alter
it, use a 'normal' variable. Certainly with the limited GET array, memory
will seldom be the problem.

Nothing to do with MySQL anymore, f'up comp.lang.php
--
Rik Wasmus
#13
05-05-2008
Matthias Watermann
Re: code OK for large number of hits?

On Mon, 05 May 2008 11:51:09 +0100, Geoff Cox wrote:

> [...]
>>(There's no need for those "$result" variables: Why keep the same value
>>in memory multiple times?) Do _not_ assume all the expected CGI
>>arguments are there actually but always check that.

>
> Matthias,
>
> I'm not clear what you mean above re the "no need for those "$result"
> variables" - could you please explain?


As I've shown in my validation examples you can "clean" the CGI arguments
directly in the global "$_GET" list. I consider it a waste of memory to
duplicate those values. But that was just a hint. The other points were
more important.


--
Matthias
/"\
\ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
X - AGAINST M$ ATTACHMENTS
/ \
#14
05-05-2008
Jerry Stuckle
Re: code OK for large number of hits?

Matthias Watermann wrote:
> On Mon, 05 May 2008 11:51:09 +0100, Geoff Cox wrote:
>
>> [...]
>>> (There's no need for those "$result" variables: Why keep the same value
>>> in memory multiple times?) Do _not_ assume all the expected CGI
>>> arguments are there actually but always check that.

>> Matthias,
>>
>> I'm not clear what you mean above re the "no need for those "$result"
>> variables" - could you please explain?

>
> As I've shown in my validation examples you can "clean" the CGI arguments
> directly in the global "$_GET" list. I consider it a waste of memory to
> duplicate those values. But that was just a hint. The other points were
> more important.
>
>


You can. But I agree with Rik. It is better to consider the $_GET and
$_POST values to be read-only.

Which is more important - maintainability and serviceability of the
application, or 50 bytes of memory?

But this is also a PHP question, not a MySQL one.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

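The server-side checks Matthias asks for in #11 (every argument present, every value a number in range) and the read-only treatment of the superglobals that Rik and Jerry argue for in #12 and #14, as one added example that is not code from the thread. It assumes the 1 to 7 range from Geoff's client-side check, the table name "mytable" from the thread, an open mysqli connection in $mysqli, and PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread: validate the four "answerN"
// arguments server-side and insert them with a prepared statement.
// Assumptions: each answer must be an integer from 1 to 7 (the range from
// Geoff's client-side check), the table is "mytable" as in the thread, and
// $mysqli is an open mysqli connection.

function validateAnswers(array $params, int $min = 1, int $max = 7): ?array
{
    $clean = [];
    foreach (['answer1', 'answer2', 'answer3', 'answer4'] as $name) {
        // Never assume the argument is present: a missing key is a failure.
        if (!isset($params[$name])) {
            return null;
        }
        // FILTER_VALIDATE_INT rejects "", "7abc" or "1e3" and enforces the
        // range; "$_GET[...] * 1" would silently turn "abc" into 0 instead.
        $value = filter_var($params[$name], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($value === false) {
            return null;
        }
        $clean[$name] = $value;
    }
    // The superglobal is left untouched; the cleaned copy is returned.
    return $clean;
}

function storeAnswers(mysqli $db, array $clean): bool
{
    // Bound parameters keep the values out of the SQL text entirely, so
    // neither quoting nor mysql_real_escape_string() is needed.
    $stmt = $db->prepare(
        'INSERT INTO mytable (answer1, answer2, answer3, answer4) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('iiii', $clean['answer1'], $clean['answer2'],
                      $clean['answer3'], $clean['answer4']);
    return $stmt->execute();
}

// Read from $_POST rather than $_GET, as the thread suggests.
$clean = validateAnswers($_POST);
if ($clean === null) {
    http_response_code(400);
    exit('Each answer must be a whole number from 1 to 7.');
}
storeAnswers($mysqli, $clean);
```

Escaping only protects the SQL text; the range check is what keeps the table from filling with junk, which is the point Matthias makes about mysql_real_escape_string.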
#15
05-05-2008
Peter H. Coffin
Re: code OK for large number of hits?

On Mon, 05 May 2008 10:25:06 +0200, Matthias Watermann wrote:
> $hits = array();


As a completely juvenile aside, variable names like this make me giggle.

--
3. My noble half-brother whose throne I usurped will be killed, not kept
anonymously imprisoned in a forgotten cell of my dungeon.
--Peter Anspach's list of things to do as an Evil Overlord
#16
05-05-2008
Matthias Watermann
Re: code OK for large number of hits?

On Mon, 05 May 2008 10:22:55 -0500, Peter H. Coffin wrote:

> [...]
>> $hits = array();

>
> As a completely juvenile aside, variable names like this make me giggle.


You're welcome! Laughing improves your health, or so I hear :-)

--
Matthias
/"\
\ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
X - AGAINST M$ ATTACHMENTS
/ \