Joe --
Send me an email and we'll see what we can work out.
-- Eric
-
Parameterized queries are not limited to SQL servers. Access provides those as well. For SQL servers, this is typically a Stored Procedure. In Access its called a Query. My guess would be that Alaska provides a similar technique (whatever its name might be that the marketing department slapped onto it).Originally posted by Hubert Brandel View Post
Unfortunately not, as I don't "speak" PHP.Could you write a simple line of code using the parametric call in PHP ?
Here's a ASP example, using VBScript and Access
Access Query, named "spGetCustomerByID":
ASP/VBScript:Code:PARAMETERS prmID Long; SELECT ID, FirstName, LastName FROM tCustomers WHERE ID=[prmID];
This function then gets called likeCode:Public Function GetCustomerByID(ByVal cn, ByVal lID, ByRef sFirstName, ByRef sLastName) '------------------------------------------------------------------------------ 'Name : GetCustomerByID 'Funktion : Retrieves customer names by DB ID ' 'Vorauss. : - 'Parameter: ' cn - Active, opened ADO Connection object ' lID - DB ID of customer to retrieve from DB ' sFirstName, sLastName - gets filled with data from DB '------------------------------------------------------------------------------ Dim rs, cmd Dim sSP ' Create needed ADO objects sSP = ""spGetCustomerByID"" Set cmd = Server.CreateObject("ADODB.Command") Set rs = Server.CreateObject("ADODB.Recordset") ' Fill query parameter prmID and attach it to the Command object With cmd Set .ActiveConnection = cn .CommandText = sSP .CommandType = adCmdStoredProc .Parameters.Append .CreateParameter("prmID", adInteger, adParamInput, ,lID) End With Call rs.Open(cmd) ' See if query returned a record ... If Not (rs.BOF And rs.EOF) Then ' Yes -> retrieve values and set success return value sLastName = "" & rs.Fields("LastName").Value sFirstName = "" & rs.Fields("FirstName").Value ' Signal success of query GetCustomerByID = True Else ' No records present GetCustomerByID = False End If Call rs.Close Set rs = Nothing Set cmd = Nothing End Function
You see, no SQL statement anywhere in the code, therefore no chance for an attacker to slip in a SQL comment, "break" your SQL query into pieces and inject his own SQL code.Code:' Somwhere in an ASP page, retrieve form input Dim lID Dim sFirst, sLast ' Get user input from web page On Error Resume Next lID = CLng(Request.Form("txtID")) If Err Then ' Error happened, ID might be empty or not numerical, set safe default lID = -1 Err.Clear End If ' Search for customer upon ID If Not GetCustomerByID(appADOConnection, lID, sFirst, sLast) Then Response.Write "No customer for ID " & CStr(lID) & " found." Else Response.Write "ID: " & CStr(lID) & "<br />" Response.Write "Last name: " & sLast & "<br />" Response.Write "First name: " & sFirst End If
If I didn't check the passed ID to be numerical within the page itself, but simply passed it to the query, the ADO engine would have raised an error if ID wasn't a (long) integer. Depending on how much parameters you pass to a query from a form, it's sometimes easier to do validation this way. The more parameters you pass, it's easier to catch the ADO engine error and act upon that accordingly.Leave a comment:
-
SQL and PHP - novice ... This is true tooOriginally posted by Knuth Konrad View Post
I normaly don't have enought data to use SQL Servers in my Apps (normaly I use Xbase++ with DBF Files). I have played with SQL-Server for my Web-CGI program, using SQLtools (with PB) and SQLExpress (with Xbase++) both with parametric call. At that time I spend some hours (and money for the PHP-book) with PHP. I thought a beginners book should beware the beginners from such errors, but they used the simple way ...
Could you write a simple line of code using the parametric call in PHP ?Leave a comment:
-
Darn!Let me be clear up front, as much as I love this community I'm not likely to donate the code to the public domain. It's more likely to be an addition to my company's "Development Tools" product line.
Does this technology sound interesting?
I've spent more time than I should trying to get PHP to 'play nice' with a PB DLL. There is a depreciated function in PHP 4x but it was never very stable and caused more problems than it was worth.
Needless to say, if you have something that works, I'd be more than interested. Any reasonable price would be fine with me
Leave a comment:
-
I guess I'll float a trial balloon here...
A while back, for my own purposes, I hired a consultant to port some code to PB/Win. The end result is that I have the ability compile DLLs that work as "php extensions". That means that my web pages can call my PB/Win functions with no more php coding than...It works with both PHP4 and PHP5, but it (probably) requires a Windows web server. (Does anybody know whether or not the *nix flavors of php support Win32 DLLs?) I have used it with both WIMP and WAMP.Code:<p> <?php echo [b][i]MyPBFunction[/i][/b]('Param1','Param2','Param3',[etc]); ?> </p>
Let me be clear up front, as much as I love this community I'm not likely to donate the code to the public domain. It's more likely to be an addition to my company's "Development Tools" product line.
Does this technology sound interesting?
-- Eric Pearson, Perfect Sync, Inc.Leave a comment:
-
I cannot thank you all enough for taking the time to post all this information. As I have said before, the PB family of programmers is the best!
I am beginning to get the basice ideas.
I am having a meeting with my web host person next week. I will see exactly what he has in mind.
I would be glad to take on the challenge of writing a web application, but I would be completely a newbie. I will get whatever books I can find, and maybe even take some courses at the local Community College, which is about 1 mile from my house if they have something I think would help.
Again I really appreciate this discussion on the basics. Thanks to all.
John TateLeave a comment:
-
Yes, that's called SQL Injection. And the workaround is quite easy (and not dependend from the language), therefore it has nothing to do with you being a PHP novice, but more with (still) being a database novice.Originally posted by Hubert Brandel View Post
Don't build SQL statements with string concatenation. Instead use parameterized queries. The DB engine itself will take care for you on validating the values passed towards the database column's data type. In the scenario above, the value ADMIN' would have been passed to the query and would have returned no record, because - most likely - there's no user called ADMIN'Leave a comment:
-
Hi,
here is a sample which use Xbase++ with Xb2.NET for the CGI stuff. To be correct, the made there own WWW-Server, but this is not relevant for the sample program:
if you have a webpage, try to use 'show source code' (i have only the german version, so the name is not exact) in the 'display' menu (? - Files, Edit, Display ???).
The client can read what the server sends, but sometimes the forget the new line
Leave a comment:
-
John,
A Web-application is a chain of programs and forms connected by TCPIP / HTTP.
On Clientside:
a WWW-browser (IE or Firefox)
On Serverside:
a WWW-server (IIS or Apache ...)
+ HTML pages and forms
+ CGI programs to act with the forms.
The browser asks for a service with the url
-> this will show normaly index.htm
-> this will show myside.htm
this only show fixed pages, but in this
pages there could be INPUT fields in a form.
-> this can start a cgi program with submit
http://www.xyz-server.zz/cgi-bin/myservice.php or
-> you can call the cgi program direkt too.
the browser will transport the URL-request to the server,
the server sends back the htm page, the browser will
show what he think that the htm code should look like.
If you submit data over a form to a cgi program, the
www-server will put the data into SET Variables or stdout,
depends on GET or POST Method.
POST is better, because the data could be bigger.
In the CGI programm (running on the server) there are infos about the calling code over the environment SET Variables (IP Adress, names ...) and the data (send to STDIN). The CGI program now checks the data and have to give back a over STDOUT a correct header and HTML page or a other file if you want to make a file download (SERVER sends a file to the browser).
The www-server will send the data from the CGI back to the browser and he will show it.
The programmer have to know whats going on at the server and the client side.
I think I saw some CGI examples in PBCC ...
THE BEST is, that the CGI programs don't have to know anything of secure (HTTPS) sides, this is the job of the WWW-server. He will transmit secure sites with the same CGI.
If you want you can have a look at my CGIs on my home server, let me know over private message and I will give you the adress and let him run overnight.Last edited by Hubert Brandel; 12 Feb 2008, 06:21 PM.Leave a comment:
-
John,
Ok, that is much clearer.
Is there a reason you don't want to/can't use PB? The main reason I can think of is wide ranging compatibility. If you are selling the 'schedule' web site for people to host on their own (or at their own hosting company), then I can see how a PB exe could be a problem. If you are thinking of selling the site with hosting, then PB would be a natural for this.
Lets assume that you can't use PB. In that case, what you are looking to do is relatively easy enough to do. If it were me, I would probably use PHP and MySQL. Most hosting company's will have both of these installed so you'll get the widest range of compatibility.
There is another option too. The CGI application does not have to reside on the same physical server that the web page does. It wouldn't be difficult at all for you to write this in PB, sell the HTML pages, and simply link the CGI stuff back to your server. The 'web visitor' would never notice (unless they were very curious) that the program isn't "part of" the current web page. You could then sell the database portion of this project as a service and generate some reoccurring revenue.Leave a comment:
-
Joe and all:
You can see that I do not the proper way to express what I need.
I will try again.
1. I have a web site out there that allows a person to sign up to use the services I have on the site. Let's call him the client.
2. The client then posts his information on the site. Let's say he has a hunting lodge in Alaska. He puts out the dates of the various hunts he is going to guide.
3. Some one browsing the internet sees this site, and signs up for one of the hunts. Let's call him the client's customer. At this point a resonse is sent to the client. A response is also sent to the clients's customer. The client's customer information is stored in a file on the server.
4. Again, a second customer signs up for the same hunt. Another response is sent to the client. The second customer's information is written to the file on the server, then the file is read and both the first customer and the second customer are sent a response informing them of all who are registered for this hunt.
This is basically what was proposed to me some time ago.
I will get more information from my web host about his own capabilities.
Thanks for putting up with my completely neophyte questions.
John TateLeave a comment:
-
Is your associate only using Linux? Is there a reason why he can't/won't support compiled executables?I have an associate who hosts websites- he is hosting mine. I have to the opportunity to work with him on some commercial uses of the web.
What language is the best to create programs that run, if I do not use PB and CGI?
-- The short answer, if you don't want to use PB, is probably PHP, although PERL and Ruby are equally capable and "popular". In fact, PERL is probably more mature and complete.
However, I am not sure you are asking the right question. While the Web is an excellent platform to use, it's not always the right choice. It might very well just be me, but based on your needs description, I can't visualize what it is you are trying to accomplish:
What information? Calendar entries? What is "out there"? On the web server? In the calendar? Someplace else?What is wanted is:
client signs up to use the program on the web. It might be a calendar program.
User puts his information out there.
What product, the calendar? Are they buying the calendar program, or the data "user put his information" on? In this context, is User = Web user?Web users sign up to to use the product being advertised.
Who is the client, and what type of requirements would he/she have? Is this response something like: "ALERT! Someone wants to buy your (calendar/information/whatever). Here is the buyer's contact info (and then list it below)?"Based on clients requirements, the server side program will initiate response to client and to web users.
What information? Purchasing information?The server side program needs to write information to a file on the server, to be accessed as needed.
Who is accessing "as needed"? If the server 'initiates a response', is the response different from what the server is saving in this database?
What .exe file? I'm totally confused here.The reason I mentioned each client receiving a copy of the .exe file was to get around the web host not allowing the .exe run on the server.
Possibly, but you will have to add HTML code (output) in your application so you can't ignore HTML completely. There are lots of ways to do this, but you need at least some basic HTML knowledge.It seems to be feasible to have my friend write the web page, and I would write the executable script in PHP.Leave a comment:
-
Thanks, all for the replies.
What is wanted is:
client signs up to use the program on the web. It might be a calendar program.
User puts his information out there.
Web users sign up to to use the product being advertised.
Based on clients requirements, the server side program will initiate response to client and to web users.
The server side program needs to write information to a file on the server, to be accessed as needed.
The reason I mentioned each client receiving a copy of the .exe file was to get around the web host not allowing the .exe run on the server.
I have no problem writing the kind of program to do the job on a local computer. As I said, I can have the local program access a file specific to the client, and keep the database on the client's local computer. My orginal premise was that the client would receive the contact information from the web user, then client would run his local .exe program which would extract the infomation, write it to a file, then emails would go out to web user as necessary. That would be rather clumsy, I would think.
You can see I know nothing about web based programming. It seems to be feasible to have my friend write the web page, and I would write the executable script in PHP.
Thanks again for the good information.
John TateLeave a comment:
-
Most providers offers PHP on linux server, but even it is easy to use and connect to a SQL MySQL db, it is NOT easy to write secure code - even with PowerBasic (I use PBCC).
What ever you do, don't forget that the program is not running on a local PC with one user, millions can use and attack you program. In the book I bought (a german one for PHP beginners) there was simple examples for connecting a DB, and 5 weeks later the nearly same code was offered as stupid solution, because the datainput was not filtert. I mean SQL injection was the name of this attack:
Screen with inputfields for NAME and PASSWORD. The input was directly used into the folowing SQL statement.
This should act as a secure User login with name and password, but some found out,
that if you type in ADMIN ' (' is this the inline comment in SQL ?)
and in the where clause was then WEHRE user=ADMIN ' and passwort=
so the password was ignored.
Those traps - no problem for a good PHP programmer, but for my as a PHP novice - let me think that my dayly used compiler is the best choice for me. But that means I need a Windows 32 Bit Server-Provider.
And after several tests, I found an unwanted access to my program too,
because I forgot a constellation and had no ELSE part.
But I can't understand why you use one CGI Program per user, normaly you have one or more per application for all users.Last edited by Hubert Brandel; 12 Feb 2008, 09:18 AM.Leave a comment:
-
John,
Just about any web host will provide PHP as their primary web language. It was designed specifically as a web language, is very widely used and well documented, and is extremely easy to learn. While it is rapidly moving to an OOP model, it is perfectly acceptable to write procedural code in it. Interaction with databases, especially MySQL, is trivially easy.
While it's possible to write CGIs in PB, you'll have a support group of about three, vs. thousands and thousands for PHP.
Of course, if you tried to do desktop programming with PHP instead of PB, you'd be on your own...Leave a comment:
-
trustedwebhost.com will run "binary executables". They have a high following here. Personally, I wouldn't use anything besides PBCC with Ajax. I run my own webserver using IIS.
If you had to use something else, it really is a matter of personal preference.
PHP, ASP are all capable.Leave a comment:
-
what language to use?
I have an associate who hosts websites- he is hosting mine. I have to the opportunity to work with him on some commercial uses of the web.
What language is the best to create programs that run, if I do not use PB and CGI? Info from the web pages should be written to a file, to be processed and send info back to user and to user's clients.
I have created a rudimentary program that extracts info from a web page, downloads to the user's computer, then rewrites a blank file back to the web site, waiting for more input. That works, but each new user of the web site would have to have a program (.exe & CGI) sent to him so all the data base info, etc. are stored on the user's computer.
I understand that running .exe files, even in \cgi-bin\ is a problem with most hosting services.
Any info would be much appreciated.
John Tate
Leave a comment: