PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
kkonline
Forum Contributor
Posts: 251 Joined: Thu Aug 16, 2007 12:54 am
by kkonline » Sat Aug 18, 2007 12:26 pm
I am using the following code to extract data from the database and convert it to XML format. I am concerned whether there is anything extra I would be required to do before displaying the data. Any security issues with the code? Because to input data into the DB we use SQL/XSS prevention, so is there anything similar or different that must be done to prevent any kind of attack?
Code:
<?php
$hostname_conn = "localhost";
$database_conn = "mysql";
$username_conn = "root";
$password_conn = "";
// persistent connection to the server; the database is selected below
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(), E_USER_ERROR);
?><?php
mysql_select_db($database_conn, $conn);
$query_rsAll = "SELECT * FROM phpnews_news";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());
$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);
header('Content-type: text/xml');
header('Pragma: public');
header('Cache-control: private');
header('Expires: -1');
?><?php echo('<?xml version="1.0" encoding="utf-8"?>'); ?>
<root><?php if ($totalRows_rsAll > 0) { ?>
<?php do { ?>
<row><?php foreach ($row_rsAll as $column => $value) { ?>
 <<?php echo $column; ?>><![CDATA[<?php echo $row_rsAll[$column]; ?>]]></<?php echo $column; ?>>
<?php } ?>
</row><?php } while ($row_rsAll = mysql_fetch_assoc($rsAll)); ?>
<?php } ?>
</root><?php
// column names become element names and values go into CDATA sections, both written as-is
mysql_free_result($rsAll);
?>
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
by superdezign » Sat Aug 18, 2007 12:57 pm
Why do you use a persistent connection? And why do you have so many php tags? It's hard to read, and pretty unnecessary.
kkonline
Forum Contributor
Posts: 251 Joined: Thu Aug 16, 2007 12:54 am
by kkonline » Sat Aug 18, 2007 1:01 pm
superdezign wrote: Why do you use a persistent connection? And why do you have so many php tags? It's hard to read, and pretty unnecessary.
What do you mean by a persistent connection? Please explain.
I guess the php tags are only there to get the data and then show it in XML format. I got this code from a friend.
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
by superdezign » Sat Aug 18, 2007 1:08 pm
kkonline wrote: What do you mean by having a persistent connection please explain??
mysql_pconnect() creates a persistent connection, but you don't need one. You will end up reconnecting on every page request, and disconnecting after page requests are done.
kkonline wrote: I guess the php tags are only to get the data and then show in xml format. I got this code from a friend
It's disorganized and there are way too many. Any place where there is nothing between the closing tag and opening tag, get rid of it.
kkonline
Forum Contributor
Posts: 251 Joined: Thu Aug 16, 2007 12:54 am
by kkonline » Mon Aug 20, 2007 10:11 am
You mean I should use mysql_connect() instead of mysql_pconnect() in the config.php include, which holds the connection settings? The following is the code that I modified; I replaced that redundant code with do...while and foreach, and it works fine.
config.php
Code:
<?php
$hostname_conn = "localhost";
$database_conn = "sql";
$username_conn = "root";
$password_conn = "pass";
$conn = mysql_connect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(), E_USER_ERROR);
// select the database the queries in the including script run against
mysql_select_db($database_conn, $conn) or trigger_error(mysql_error(), E_USER_ERROR);
I have modified the code as below.
Code:
<?php
include 'config.php';
// fetch only the article body column
$query_rsAll = "SELECT `maintext` FROM `phpnews_news`";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());
$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);
header('Content-type: text/xml');
header('Pragma: public');
header('Cache-control: private');
header('Expires: -1');
echo '<?xml version="1.0" encoding="utf-8"?><root>';
if ($totalRows_rsAll > 0) {
    do {
        echo '<row>';
        foreach ($row_rsAll as $column => $value) {
            // HTML-encode the value, then wrap it in a CDATA section
            $row_rsAll[$column] = htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');
            echo "<$column><![CDATA[" . $row_rsAll[$column] . "]]></$column>";
            // note the period . will join strings together.
        }
        echo "</row>";
    } while ($row_rsAll = mysql_fetch_assoc($rsAll));
}
echo '</root>';
mysql_free_result($rsAll);
?>
Now is the code OK?
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
by superdezign » Mon Aug 20, 2007 2:10 pm
I'd use a while instead of a do...while and an if together.
kkonline
Forum Contributor
Posts: 251 Joined: Thu Aug 16, 2007 12:54 am
by kkonline » Tue Aug 21, 2007 1:24 am
I am working with an article manager and don't want & , ; % - ' " to be misprinted; also the data should be free from XSS attacks as much as possible.
I am extracting data from the DB and then converting it into XML.
I use
Code:
$row_rsAll[$column]=htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');
in the XML conversion code. Is that fine, or should I use htmlspecialchars()?
My aim is to secure against XSS and also the XML data when printed (when the article is printed in the browser it should not have &at; " &).
Or should I use the XSS-specific code written at
http://svn.bitflux.ch/repos/public/popo ... linput.php
and apply it to $row_rsAll?
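The question in the first post (is raw CDATA output safe?) and the one just above (htmlentities() or htmlspecialchars() inside the CDATA?) are easiest to answer by feeding the generated document to an XML parser and looking at what comes out. The script below is an added example written for this thread, not code from any of the posts: it builds the same article XML three ways from constructed sample rows and parses each result the way a browser or XML consumer would. The row data, the function names and the element-name pattern are assumptions of the example, not anything the posts contain.

```php
<?php
// Added example for this thread, not code from the original posts.
// Builds the article XML three ways from constructed sample rows and
// parses the result the way a browser or XML consumer would.
declare(strict_types=1);

// Constructed sample data standing in for mysql_fetch_assoc() results.
// Row 2 carries a payload a malicious editor could store in the article
// text: "]]>" closes the CDATA section early, then live markup follows.
function sampleRows(): array
{
    return [
        ['id' => '1', 'maintext' => 'Tom & Jerry <b>bold</b> "quoted"'],
        ['id' => '2', 'maintext' => 'harmless]]><script>alert(1)</script><![CDATA['],
    ];
}

// The thread's approach: value inside <![CDATA[ ... ]]>, optionally after
// htmlentities() as in the modified script.
function buildWithCdata(array $rows, bool $applyHtmlentities = false): string
{
    $xml = '<?xml version="1.0" encoding="utf-8"?><root>';
    foreach ($rows as $row) {
        $xml .= '<row>';
        foreach ($row as $column => $value) {
            if ($applyHtmlentities) {
                $value = htmlentities($value, ENT_NOQUOTES, 'UTF-8');
            }
            $xml .= "<$column><![CDATA[" . $value . "]]></$column>";
        }
        $xml .= '</row>';
    }
    return $xml . '</root>';
}

// Hardened version: XMLWriter escapes text content itself (no CDATA, no
// HTML entities), element names are checked against a conservative pattern
// (an assumed rule: with SELECT * the schema's column names become markup),
// and characters that XML 1.0 forbids in text are dropped before writing.
function buildWithXmlWriter(array $rows): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startDocument('1.0', 'utf-8');
    $w->startElement('root');
    foreach ($rows as $row) {
        $w->startElement('row');
        foreach ($row as $column => $value) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*\z/', (string) $column)) {
                throw new InvalidArgumentException("Unsafe column name: $column");
            }
            $clean = preg_replace(
                '/[^\x09\x0A\x0D\x20-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u',
                '',
                (string) $value
            );
            if ($clean === null) {
                throw new InvalidArgumentException("Value in $column is not valid UTF-8");
            }
            $w->writeElement((string) $column, $clean);
        }
        $w->endElement(); // row
    }
    $w->endElement(); // root
    $w->endDocument();
    return $w->outputMemory();
}

// What a consumer sees: how many <script> elements made it into the tree,
// and the text of each <maintext> after the parser has decoded it.
function inspect(string $xml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NONET);
    $texts = [];
    foreach ($doc->getElementsByTagName('maintext') as $el) {
        $texts[] = $el->textContent;
    }
    return ['scripts' => $doc->getElementsByTagName('script')->length, 'maintext' => $texts];
}

$rows = sampleRows();
print_r(inspect(buildWithCdata($rows)));        // raw CDATA, as in the first post
print_r(inspect(buildWithCdata($rows, true)));  // htmlentities() + CDATA, as in the modified script
print_r(inspect(buildWithXmlWriter($rows)));    // library-escaped text, no CDATA
```

Parsing the raw CDATA output gives one `<script>` element: the stored `]]>` ended the section and the rest of the value was parsed as markup, which is the XML side of the XSS concern (it matters as soon as a browser renders the feed directly or an XSL transform turns it into HTML). Adding htmlentities() as in the modified script removes that element, but only because the `>` in `]]>` happens to become `&gt;`; the price is that every `&` and `<` in the article reaches the consumer as a literal `&amp;` or `&lt;`, which is exactly the misprinting the question wants to avoid, and any non-ASCII character becomes an HTML-named entity such as `&eacute;` that an XML parser does not recognise. The XMLWriter output contains no `<script>` element and its decoded `<maintext>` values equal the stored text. So the answer to "htmlentities or htmlspecialchars" is: neither inside a CDATA section. Let the XML library escape the text, or, if the document is built by hand, escape `&`, `<` and `>` (htmlspecialchars() with ENT_XML1 does this) and write the value as ordinary element text; and since column names from `SELECT *` also end up in the markup, validate them before using them as element names.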
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
by superdezign » Tue Aug 21, 2007 7:06 am
Why do you keep on bringing up XSS? You are dealing with a database.