
My site is rather extensive, and I just recently made the switch to PHP5 (call me a late bloomer).

All of my MySQL query's before were built as such:

"SELECT * FROM tablename WHERE field1 = 'value' && field2 = 'value2'";

This made it very easy, simple and friendly.

I am now trying to make the switch to mysqli for obvious security reasons, and I am having a hard time figuring out how to implement the same SELECT * FROM queries when the bind_param requires specific arguments.

Is this statement a thing of the past?

If it is, how do I handle a query with tons of columns involved? Do I really need to type them all out every time?

 Answers

3
"SELECT * FROM tablename WHERE field1 = 'value' && field2 = 'value2'";

becomes

"SELECT * FROM tablename WHERE field1 = ? && field2 = ?";

which is passed to the $mysqli::prepare:

$stmt = $mysqli->prepare(
  "SELECT * FROM tablename WHERE field1 = ? && field2 = ?");
$stmt->bind_param( "ss", $value, $value2); 
// "ss" is a format string, each "s" means string
$stmt->execute();

$stmt->bind_result($col1, $col2);
// one variable per column the SELECT returns, in column order
// then fetch and close the statement

OP comments:

So if I have 5 parameters, I could potentially have "sssis" or something (depending on the types of inputs?)

Right, one type specifier per ? parameter in the prepared statement, all of them positional (first specifier applies to first ? which is replaced by first actual parameter (which is the second parameter to bind_param)).

mysqli will take care of escaping and quoting (I think).

Wednesday, November 30, 2022
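The answer above binds each column with bind_result, which is exactly what the question wants to avoid for a wide SELECT *. As an added example (not code from the answer or the question), here is the same query run through a prepared statement with the type string built from the PHP values and every column fetched by name via get_result(), so no column list is needed. The host, credentials, database and the table `tablename` with `field1`/`field2` are placeholders; it assumes PHP 5.6 or later (argument unpacking) and the mysqlnd driver (required by get_result()).

```php
<?php
// Added example, not from the original post. Assumes a reachable MySQL server and a
// table `tablename` with columns `field1` and `field2`; all names below are placeholders.
declare(strict_types=1);

// Throw on SQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$mysqli->set_charset('utf8mb4'); // the charset the server and the bound values agree on

/**
 * Build the bind_param type string from the PHP values:
 * int -> "i", float -> "d", anything else -> "s".
 */
function typeString(array $params): string
{
    $types = '';
    foreach ($params as $p) {
        $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
    }
    return $types;
}

/**
 * Prepare, bind, execute and return all rows as associative arrays.
 * Only values are bound; table and column names must never come from user input,
 * because "?" cannot stand in for an identifier.
 */
function selectAll(mysqli $db, string $sql, array $params): array
{
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        // One type letter per "?", positional; the spread passes one argument per placeholder.
        $stmt->bind_param(typeString($params), ...$params);
    }
    $stmt->execute();
    $result = $stmt->get_result();            // mysqlnd only
    $rows   = $result->fetch_all(MYSQLI_ASSOC); // every column, keyed by name
    $stmt->close();
    return $rows;
}

// Constructed attacker-style input: it travels as data, never as SQL text, so it is inert.
$value  = "x' OR '1'='1";
$value2 = 'value2';

$rows = selectAll(
    $mysqli,
    'SELECT * FROM tablename WHERE field1 = ? AND field2 = ?',
    [$value, $value2]
);

if ($rows !== []) {
    echo implode("\t", array_keys($rows[0])), "\n"; // the column names, without listing them
}
printf("%d row(s)\n", count($rows));
```

If get_result() is unavailable (no mysqlnd), the fallback is $stmt->result_metadata() to read the column names and a call_user_func_array on bind_result with one reference per column; the prepared statement and the bound values are unchanged either way.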
2

Inno Setup does not have any built-in mechanism to access or modify the user environment from an installer running with elevated/Administrator privileges.

All the attempts to achieve this rely on tricks like:

  • runasoriginaluser flag or ExecAsOriginalUser function. Some examples:

    Modifying or accessing registry of logged in user:
    Inno Setup Creating registry key for logged in user (not admin user) or
    How to read registry HKCU for logged In user from Inno Setup installer running as administrator

    Accessing AppData folder of logged in user:
    Inno Setup always installs into admin's AppData directory or
    Inno Setup Using {localappdata} for logged in user or
    Inno Setup - puts user files in admin documents.

  • or using {user*} constants.

Though these are not reliable, at least for these reasons:

  • When the current user does not have Administrator privileges, (s)he needs to enter Administrator credentials on installer UAC prompt. That switches the installer to a different user. So {user*} constants will not refer to the user that initiated the installation.

  • When the user explicitly runs the installer with elevated privileges, e.g. by right-clicking the installer and selecting "Run as administrator" or running it from another elevated application (file manager), the "original user" for runasoriginaluser flag or ExecAsOriginalUser function will already be elevated.

  • In corporate environments, applications are installed by Administrator, who is not the user that will be using the application.


The only correct generic solution to this problem is to defer the setup of the user environment to the actual user session.

The easiest is to have the application itself do the setup on its first run.

The installer can only deploy shared files that the application can use for the setup.

If you cannot modify the application for whatever reason, you would have to iterate all accounts and modify them:

  • for files: Inno Setup Create individual shortcuts on all desktops of all users
  • for registry: Uninstall auto-run registry entries for all users

If you need to make sure the settings get distributed to accounts that get created only after installation, see How to install files for each user, including future new users, in Inno Setup?


If you are happy with the fact that the application will be set up for the logged-in user only, use PrivilegesRequired=lowest:

[Setup]
PrivilegesRequired=lowest

Then the {user*} constants will correctly refer to the current user's folder.

If you still need Administrator privileges for some sub-task of the installation, you can request privilege elevation for the sub-task only:

  • Inno Setup - Register components as an administrator
  • Inno Setup - Access unprivileged account folders from installer that requires privileges

If you want to prevent the user from breaking this by explicitly running the installer with Administrator privileges, see

  • Can't get Inno Setup postinstall Run item to runasoriginaluser or
  • my answer to How to write to the user's My Documents directory with installer when the user used 'Run As Administrator'.

Or you can programmatically find out what the account of the current Windows logon session is:

  • Determine if Administrator account that runs elevated Inno Setup installer is the same as the account of the current Windows logon session.
Wednesday, August 10, 2022
 
1

You need to create the user "pma" in MySQL or change these lines (user and password for MySQL):

/* User for advanced features */
$cfg['Servers'][$i]['controluser'] = 'pma'; 
$cfg['Servers'][$i]['controlpass'] = '';

Linux: /etc/phpmyadmin/config.inc.php

Sunday, August 14, 2022
3

This is how your code should look (with added SQL Injection protection):

<?php
include "dbinfo.php"; //contains mysqli_connect information (the $mysqli variable)
//inputs: mysqli_real_escape_string() needs the connection as its first argument,
//otherwise the call fails and nothing gets escaped
$name = mysqli_real_escape_string($mysqli, $_GET['name']);
$text = mysqli_real_escape_string($mysqli, $_GET['text']);

//the escaped values are only safe because they sit inside single quotes in the SQL
$sqlqr = "INSERT INTO `ncool`.`coolbits_table` (`name`, `text`, `date`) VALUES ('" . $name . "', '" . $text . "', CURRENT_TIMESTAMP);";

mysqli_query($mysqli,$sqlqr); //function where the magic happens.
?>

Take a look at what I've done. Firstly I've escaped the user input you're retrieving into the $name and $text variables (this is pretty much a must for security reasons) and as others have suggested you should preferably be using prepared statements.

The problem is that you weren't surrounding string values with single quotes ('), which is a requirement of the SQL syntax.

I hope this helps to answer your question.

Monday, September 12, 2022
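The answer above escapes the two inputs and concatenates them, and points to prepared statements as the preferable route. As an added example (not the answer's code), here is that INSERT done both ways: the escape-and-concatenate form, which is only safe while the value sits inside quotes, next to the bound-parameter form, where the quoting question does not arise. The connection details are placeholders; the database `ncool` and the table `coolbits_table` with columns `name`, `text`, `date` follow the answer, and the sample inputs are constructed. It assumes PHP 7 or later.

```php
<?php
// Added example, not from the original answer. Assumes database `ncool` with a table
// `coolbits_table` (name, text, date) as in the answer; credentials are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of silent false
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'ncool');
$mysqli->set_charset('utf8mb4'); // both escaping and binding rely on the connection charset

/**
 * The answer's approach, with the two things it depends on made explicit:
 * the connection must be passed to the escape function, and the escaped value
 * must be wrapped in single quotes in the SQL text. Escaping protects nothing in an
 * unquoted position (WHERE id = $id with $id = "1 OR 1=1" stays injectable).
 */
function escapedInsertSql(mysqli $db, string $name, string $text): string
{
    return "INSERT INTO `coolbits_table` (`name`, `text`, `date`) VALUES ('"
        . $db->real_escape_string($name) . "', '"
        . $db->real_escape_string($text) . "', CURRENT_TIMESTAMP)";
}

/**
 * The prepared-statement form: the SQL text is fixed, the values travel separately,
 * so quotes, backslashes and comment sequences in $name or $text are inert.
 * Returns the auto-increment id of the new row.
 */
function insertCoolbit(mysqli $db, string $name, string $text): int
{
    // Binding stops injection; it does not validate. Length and emptiness are still ours.
    if ($name === '' || mb_strlen($name) > 64 || mb_strlen($text) > 4000) {
        throw new InvalidArgumentException('name or text out of range');
    }
    $stmt = $db->prepare(
        'INSERT INTO `coolbits_table` (`name`, `text`, `date`) VALUES (?, ?, CURRENT_TIMESTAMP)'
    );
    $stmt->bind_param('ss', $name, $text); // one "s" per "?", both strings
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input, attacker-style; real requests would use $_GET['name'] / $_GET['text'].
$name = (string) ($_GET['name'] ?? "O'Brien");
$text = (string) ($_GET['text'] ?? "'); DROP TABLE coolbits_table; -- ");

echo escapedInsertSql($mysqli, $name, $text), "\n"; // shows the escaped text, not executed here

$id = insertCoolbit($mysqli, $name, $text);
printf("inserted row %d\n", $id);
```

Running it stores the two strings literally, including the quote and the comment marker in $text, because they were never part of the SQL statement the server parsed.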
 
2

You cannot search for nulls in InfluxDB <0.9. You will not be able to insert nulls in Influx >=0.9

Sunday, October 23, 2022
 