dbTalk Databases Forums  

code OK for large number of hits?

comp.databases.mysql


#11 Geoff Cox - 05-05-2008, 05:51 AM
Re: code OK for large number of hits?

On Mon, 05 May 2008 10:25:06 +0200, Matthias Watermann <lists (AT) mwat (DOT) de>
wrote:

Quote:
On Mon, 05 May 2008 07:16:35 +0100, Geoff Cox wrote:

[...]
where the user is typing a number into a box

var number_check = number_given;
if ( (number_check > 7) || (number_check < 1) ) {
    alert("The number must be in the range 1 to 7!");
} else if (isNaN(number_check)) {
    alert("Please enter a valid number");
} else {
    sendGroup1Lab1(number_check);
}

You must _never_ rely on client-side validation! As far as the
server-side script is concerned you should at least assume the user
switched JavaScript off (not to mention intended malformed values).

I have changed (***) the php to

$result1 = $_GET['answer1'];
$result2 = $_GET['answer2'];
$result3 = $_GET['answer3'];
$result4 = $_GET['answer4'];

If those values are supposed to be numbers you should at least
ensure that:

$result1 = $_GET['answer1'] * 1;
$result2 = $_GET['answer2'] * 1;
$result3 = $_GET['answer3'] * 1;
$result4 = $_GET['answer4'] * 1;

Quote:
(There's no need for those "$result" variables: Why keep the same value
in memory multiple times?) Do _not_ assume all the expected CGI
arguments are there actually but always check that.
Matthias,

I'm not clear what you mean above re the "no need for those "$result"
variables" - could you please explain?

Cheers

Geoff


Quote:
[...]
$result4 = mysql_real_escape_string($_GET['favorite']); ***

What's "favorite" supposed to be? A string? A number (real or integer)?
How do you validate that?

mysql_query("INSERT INTO mytable (answer1,answer2,answer3,answer4)
VALUES ('$result1','$result2','$result3','$result4')");

The single quotes are needed for string values, while those "$resultX"
variables are integers. Hence you could omit the single quotes.

I see that mysql_real_escape_string can only be used after connecting
to the database?

Yes. However, if you'd validate the user provided values there's not
much need for such a call anyway. And escaping possibly malicious
values might avoid some SQL injection problem but it does _not_ avoid
your tables being filled with useless data.

Is the above safer?

Further improvement could be gained by not using the tables directly
but calling an stored procedure which could implement additional
validation. But that's another topic and probably oversized for
your application.

However, you should switch from HTTP/GET to HTTP/POST. While that's
not a safety net as such at least it makes it a _little_ harder to
fake the CGI arguments.

#12 Rik Wasmus - 05-05-2008, 05:57 AM
Re: code OK for large number of hits?

On Mon, 05 May 2008 12:51:09 +0200, Geoff Cox <gcox (AT) freeuk (DOT) notcom> wrote:
Quote:
If those values are supposed to be numbers you should at least
ensure that:

$result1 = $_GET['answer1'] * 1;
$result2 = $_GET['answer2'] * 1;
$result3 = $_GET['answer3'] * 1;
$result4 = $_GET['answer4'] * 1;


(There's no need for those "$result" variables: Why keep the same value
in memory multiple times?) Do _not_ assume all the expected CGI
arguments are there actually but always check that.

Matthias,

I'm not clear what you mean above re the "no need for those "$result"
variables" - could you please explain?

It's more of a discussion for comp.lang.php.

However, I do NOT agree that those $result variables are unneeded: it's a
Good Practise to leave the GET/POST/COOKIE/ARG superglobals arrays as
read-only. Who knows what other code would do next? And one could want to
log illegal values later on for instance. As soon as one wants to alter
it, use a 'normal' variable. Certainly with the limited GET array, memory
will seldom be the problem.

Nothing to do with MySQL anymore, f'up comp.lang.php
--
Rik Wasmus

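A worked version of the server-side handling discussed in the two posts above (Matthias's validation advice quoted in #11 and Rik's point in #12 about leaving the superglobals untouched). This is an added example, not code from the thread or from either poster. It assumes the form has been switched to POST as Matthias suggests, that answer1..answer3 are the 1-to-7 numbers and answer4 receives 'favorite' as in the INSERT quoted above, that 'favorite' is a short free-text field with the character set shown here, and that the mysqli extension with prepared statements replaces the old mysql_query/mysql_real_escape_string calls; the table name mytable is from the thread, the connection details are placeholders.

```php
<?php
// Added example, not code from the thread. Server-side validation of the quiz
// answers plus a parameterized INSERT. Assumptions: POST instead of GET,
// answer1..answer3 are integers 1..7, answer4 stores 'favorite' (a short
// free-text field), mysqli prepared statements, placeholder credentials.
declare(strict_types=1);

/**
 * Validate one answer: it must be present and an integer in the range 1..7.
 * Returns the integer, or null when the value is missing or malformed.
 * The input array is only read, never modified (Rik's point).
 */
function validate_answer(array $input, string $key): ?int
{
    if (!isset($input[$key])) {          // never assume the argument is there
        return null;
    }
    // An array value (answer1[]=3) or any non-integer string yields false.
    $value = filter_var($input[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 7],
    ]);
    return $value === false ? null : $value;
}

/**
 * Validate the free-text field: present, at most 50 characters, limited to
 * letters, digits, spaces and a few punctuation marks. The allowed set and
 * length are assumptions; the thread never says what "favorite" is.
 */
function validate_favorite(array $input, string $key): ?string
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;
    }
    $value = trim($input[$key]);
    if ($value === '' || strlen($value) > 50
        || !preg_match('/^[A-Za-z0-9 .,\'-]+$/', $value)) {
        return null;
    }
    return $value;
}

/**
 * Validate all fields and insert one row. Returns false (and logs the raw
 * submission) when anything is missing or malformed, so bad data never
 * reaches the table. Bound parameters make manual escaping and the
 * single-quote question moot: the driver sends values separately from SQL.
 */
function store_answers(mysqli $db, array $input): bool
{
    $answers = [];
    foreach (['answer1', 'answer2', 'answer3'] as $key) {
        $answers[$key] = validate_answer($input, $key);
    }
    $favorite = validate_favorite($input, 'favorite');

    if (in_array(null, $answers, true) || $favorite === null) {
        // $input is untouched, so the rejected values can still be logged.
        error_log('rejected submission: ' . json_encode($input));
        return false;
    }

    $stmt = $db->prepare(
        'INSERT INTO mytable (answer1, answer2, answer3, answer4) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iiis', $answers['answer1'], $answers['answer2'],
                      $answers['answer3'], $favorite);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage with constructed input instead of $_POST, so the validators can be
// exercised offline without a database connection.
$sample = ['answer1' => '3', 'answer2' => '7', 'answer3' => '1', 'favorite' => 'blue'];
var_dump(validate_answer($sample, 'answer1'));
var_dump(validate_answer(['answer1' => '9'], 'answer1'));
var_dump(validate_answer([], 'answer1'));
var_dump(validate_favorite(['favorite' => "x'; DROP TABLE mytable; --"], 'favorite'));
// In the real handler (placeholder credentials):
// $db = new mysqli('localhost', 'user', 'password', 'dbname');
// store_answers($db, $_POST);
```

The validators read from the array they are given and never write back into it, which keeps $_POST as an unmodified record of what arrived; the whole-or-nothing check in store_answers is what stops the "tables filled with useless data" problem that escaping alone does not address.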

#13 Matthias Watermann - 05-05-2008, 07:53 AM
Re: code OK for large number of hits?

On Mon, 05 May 2008 11:51:09 +0100, Geoff Cox wrote:

Quote:
[...]
(There's no need for those "$result" variables: Why keep the same value
in memory multiple times?) Do _not_ assume all the expected CGI
arguments are there actually but always check that.

Matthias,

I'm not clear what you mean above re the "no need for those "$result"
variables" - could you please explain?

As I've shown in my validation examples you can "clean" the CGI arguments
directly in the global "$_GET" list. I consider it a waste of memory to
duplicate those values. But that was just a hint. The other points were
more important.


--
Matthias
/"\
\ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
X - AGAINST Microsoft ATTACHMENTS
/ \


#14 Jerry Stuckle - 05-05-2008, 08:59 AM
Re: code OK for large number of hits?

Matthias Watermann wrote:
Quote:
On Mon, 05 May 2008 11:51:09 +0100, Geoff Cox wrote:

[...]
(There's no need for those "$result" variables: Why keep the same value
in memory multiple times?) Do _not_ assume all the expected CGI
arguments are there actually but always check that.
Matthias,

I'm not clear what you mean above re the "no need for those "$result"
variables" - could you please explain?

As I've shown in my validation examples you can "clean" the CGI arguments
directly in the global "$_GET" list. I consider it a waste of memory to
duplicate those values. But that was just a hint. The other points were
more important.


You can. But I agree with Rik. It is better to consider the $_GET and
$_POST values to be read-only.

Which is more important - maintainability and serviceability of the
application, or 50 bytes of memory?

But this is also a PHP question, not a MySQL one.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================



#15 Peter H. Coffin - 05-05-2008, 10:22 AM
Re: code OK for large number of hits?

On Mon, 05 May 2008 10:25:06 +0200, Matthias Watermann wrote:
Quote:
$hits = array();

As a completely juvenile aside, variable names like this make me giggle.

--
3. My noble half-brother whose throne I usurped will be killed, not kept
anonymously imprisoned in a forgotten cell of my dungeon.
--Peter Anspach's list of things to do as an Evil Overlord


#16 Matthias Watermann - 05-05-2008, 10:39 AM
Re: code OK for large number of hits?

On Mon, 05 May 2008 10:22:55 -0500, Peter H. Coffin wrote:

Quote:
[...]
$hits = array();

As a completely juvenile aside, variable names like this make me giggle.

You're welcome! Laughing improves your health, or so I hear :-)

--
Matthias
/"\
\ / ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
X - AGAINST Microsoft ATTACHMENTS
/ \

