[H-GEN] PHP & MYSQL On Linux

David Duffy david at audiovisualdevices.com.au
Mon Jul 28 18:16:37 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Josh Goes wrote:

> In your PHP scripts:
> 
> <?php
> // change the values to suit your server setup.
> // note: if you are having issues with using 'localhost' then try using
> // another IP that your server box has (e.g. a LAN one).
> mysql_connect("dbserverip", "dbusername", "dbpassword");
> mysql_select_db("dbname");
> 
> $sql = "SELECT * FROM table";
> $result = mysql_query($sql);
> 
> while ($ar = mysql_fetch_array($result)) {
>     echo $ar["columnname"];   // don't forget column names are case sensitive
> }
> 
> 
> // use $HTTP_GET_VARS and/or $HTTP_POST_VARS in PHP to be able to bring user
> // input into the SQL statement.
> 
> mysql_close();
> ?>
> 
> 
> In your shell, you can create a MySQL database by:
> 
> # mysqladmin create dbname
> 
> Then you can get into your new database by:
> 
> # mysql dbname
> 
> Inside there you can run SQL statements and queries etc. www.mysql.com for
> data types and functions etc.
> 
> Before I wrap this up, if you do allow data that a user can tamper with into
> your SQL statements then you had better check it; otherwise you are putting
> yourself in a big security hole. Here's an example:
> 
> $SQL = "UPDATE Users SET Password = '" . $HTTP_POST_VARS["password"] . "' WHERE Username = '" . $HTTP_POST_VARS["username"] . "'";
> 
> Someone can easily make their $HTTP_POST_VARS equal this: "' OR Username
> like '%"
> This would cause your SQL statement to behave like this:
> UPDATE Users SET Password = 'valuefrompostvars' WHERE Username = '' OR Username like '%'
> And that will change the 'password' column in every record in the table
> 'Users'.
> 
> Just be aware of that because I have fallen victim to it!
> 
> Hope this helps and makes sense.
> Josh.

I've used SQL before (in Delphi) so this sounds familiar.
Is it possible to make the tables read-only for apache
but full access for admin purposes? (updating, etc)
I think I need to buy a "PHP For Dummies" to get me kick-
started on that side. Maybe a MySQL book too. I do like
the thought of being able to add/delete products on the
web site without having to manually edit pages. Updating
pricing would be much easier too via the database method.
Editing html docs every time something changes is quickly
losing its appeal! :-) I'm wanting to ramp the web site up
in the coming months to cover a lot more product so that
we can make the most of people shopping online.
David...

> ----- Original Message -----
> From: David Duffy <david at audiovisualdevices.com.au>
> To: Humbug <general at lists.humbug.org.au>
> Sent: Monday, July 28, 2003 10:30 PM
> Subject: [H-GEN] PHP & MYSQL On Linux
> 
>>I've managed to install MySQL and PHP on my RH 7.3 box
>>(whoo hoo) and want to start building a new web site.
>>Can someone with experience with this sort of thing tell
>>me if it's easy enough to store product details (photo,
>>price, text) in a MySQL database on the Linux server and
>>have Apache & PHP serve it up as web pages based on what
>>categories the surfer clicks on? I realise that it's a
>>bit OT here but need a nudge in the right direction. :-)


-- 
___________________________________________
David Duffy        Audio Visual Devices P/L
U8, 9-11 Trade St, Cleveland 4163 Australia
Ph: +61 7 38210362   Fax: +61 7 38210281
New Web: www.audiovisualdevices.com.au
___________________________________________


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
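The injection Josh describes, shown with the concatenated statement beside a parameterised one, and a read-only account of the kind David asks about, as an added example that is not from the list post or from either poster. It assumes a later PHP with the mysqli extension (the mysql_* functions of the quoted post have no prepared statements), the Users table from Josh's message, and placeholder host, account and database names.

```php
<?php
// Added example. Assumes the mysqli extension, a Users(Username, Password)
// table as in the quoted post, and placeholder connection details.

// 1. The construction from the post: user input spliced into the SQL text.
function build_unsafe_update(string $password, string $username): string {
    return "UPDATE Users SET Password = '" . $password
         . "' WHERE Username = '" . $username . "'";
}

// The crafted username from the post. The leading quote closes the literal,
// so the rest becomes SQL and the WHERE clause matches every row.
$crafted = "' OR Username like '%";
echo "Concatenated SQL: ", build_unsafe_update("newpass", $crafted), "\n";

// 2. Hardened form: a prepared statement sends the SQL text and the values
// to the server separately, so a quote inside $username is only ever data.
function change_password(mysqli $db, string $username, string $newPassword): int {
    $stmt = $db->prepare("UPDATE Users SET Password = ? WHERE Username = ?");
    $hash = password_hash($newPassword, PASSWORD_DEFAULT); // store a hash, not the password
    $stmt->bind_param("ss", $hash, $username);
    $stmt->execute();
    // 1 when the username exists, 0 when it does not; never "every row".
    return $stmt->affected_rows;
}

// 3. Least privilege for David's question. A browse-only catalogue page can
// connect with an account that may only SELECT (constructed MySQL, run as admin):
//   CREATE USER 'www'@'localhost' IDENTIFIED BY '<placeholder>';
//   GRANT SELECT ON dbname.* TO 'www'@'localhost';
// while the admin tooling connects with a separate account holding INSERT,
// UPDATE and DELETE. The page below needs UPDATE, so it uses the admin-side
// credentials; an injection through a SELECT-only account cannot modify rows.
$db = new mysqli("dbserverip", "dbusername", "dbpassword", "dbname");
$db->set_charset("utf8mb4"); // client and server must agree on the encoding
$rows = change_password($db, $crafted, "newpass");
echo "Rows updated via prepared statement: ", $rows, "\n";
$db->close();
```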