explanation please

  • Michael G

    explanation please

    The following is from
    http://php.mirrors.ilisys.com.au/man...-injection.php .

    Would someone explain the following lines, in particular I don't understand
    '$paramArr[\'$1\']' nor do I understand how the syntax {1} works or how it
    is related to arrays?

    Thanks, mIke.

    <some code snipped>
    ....
    return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
    }

    $sqlQuery = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2}
    LIMIT {3}';
    $stm = mysql_query(prepareSQL($sqlQuery, array('username', 24.3, 20)));
    ?>



    ----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
    http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
    ----= East and West-Coast Server Farms - Total Privacy via Encryption =----
  • muldoonaz

    #2
    Re: explanation please

    Michael G wrote:
    > The following is from
    > http://php.mirrors.ilisys.com.au/man...-injection.php .
    >
    > Would someone explain the following lines, in particular I don't understand
    > '$paramArr[\'$1\']' nor do I understand how the syntax {1} works or how it
    > is related to arrays?
    >
    > Thanks, mIke.
    >
    > <some code snipped>
    > ...
    > return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
    > }
    >
    > $sqlQuery = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2}
    > LIMIT {3}';
    > $stm = mysql_query(prepareSQL($sqlQuery, array('username', 24.3, 20)));
    > ?>

    Look at the snippet of code and you'll find your answer. The $paramArr
    variable is passed with the calling of the function.

    You'd type the following into your script: prepareSQL("something",
    "here"); and "here" would become $paramArr.

    -- code --

    <?php
    function prepareSQL($queryString, $paramArr) {
        foreach (array_keys($paramArr) as $paramName) {
            // Integers and other numerics are cast, so they cannot carry quotes or SQL text.
            if (is_int($paramArr[$paramName])) {
                $paramArr[$paramName] = (int)$paramArr[$paramName];
            }
            elseif (is_numeric($paramArr[$paramName])) {
                $paramArr[$paramName] = (float)$paramArr[$paramName];
            }
            // Everything else is escaped for MySQL and wrapped in single quotes.
            elseif (($paramArr[$paramName] != 'NULL') and
                    ($paramArr[$paramName] != 'NOT NULL')) {
                $paramArr[$paramName] =
                    mysql_real_escape_string(stripslashes($paramArr[$paramName]));
                $paramArr[$paramName] = '\''.$paramArr[$paramName].'\'';
            }
        }

        // The 'e' modifier evaluates the replacement as PHP code: $1 becomes the text
        // captured inside the braces, and $paramArr[$1] is looked up by that key.
        return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
    }


    • ZeldorBlat

      #3
      Re: explanation please

      Ahh, *those* curly brackets are a little different. prepareSQL() is
      not a built in PHP function, so I can't say for sure what it does.

      Based on your example, I would guess that it does something like
      substitute the values passed as the second parameter (the array) into
      the string passed as the first parameter ($sqlQuery) where the
      parameters in the original string are refered to by {i} where i is
      their index in the array.

      I'd also venture a guess that your "return preg_replace... " code comes
      from prepareSQL(). Without seeing the rest of the function, it looks
      like that call preg_replace() is what does the actual replacement of
      the variables.

      So, in short, those {1}, {2}, etc. are *not* the same as the curly
      braces described at http://www.php.net/strings


      • muldoonaz

        #4
        Re: explanation please

        ZeldorBlat wrote:
        > Ahh, *those* curly brackets are a little different. prepareSQL() is
        > not a built in PHP function, so I can't say for sure what it does.
        >
        > Based on your example, I would guess that it does something like
        > substitute the values passed as the second parameter (the array) into
        > the string passed as the first parameter ($sqlQuery) where the
        > parameters in the original string are refered to by {i} where i is
        > their index in the array.
        >
        > I'd also venture a guess that your "return preg_replace... " code comes
        > from prepareSQL(). Without seeing the rest of the function, it looks
        > like that call preg_replace() is what does the actual replacement of
        > the variables.
        >
        > So, in short, those {1}, {2}, etc. are *not* the same as the curly
        > braces described at http://www.php.net/strings
        >

        I don't know the answer to your question, but here's the function he was
        speaking about:

        <?php
        function prepareSQL($queryString, $paramArr) {
            foreach (array_keys($paramArr) as $paramName) {
                // Integers and other numerics are cast, so they cannot carry quotes or SQL text.
                if (is_int($paramArr[$paramName])) {
                    $paramArr[$paramName] = (int)$paramArr[$paramName];
                }
                elseif (is_numeric($paramArr[$paramName])) {
                    $paramArr[$paramName] = (float)$paramArr[$paramName];
                }
                // Everything else is escaped for MySQL and wrapped in single quotes.
                elseif (($paramArr[$paramName] != 'NULL') and
                        ($paramArr[$paramName] != 'NOT NULL')) {
                    $paramArr[$paramName] =
                        mysql_real_escape_string(stripslashes($paramArr[$paramName]));
                    $paramArr[$paramName] = '\''.$paramArr[$paramName].'\'';
                }
            }

            // The 'e' modifier evaluates the replacement as PHP code: $1 becomes the text
            // captured inside the braces, and $paramArr[$1] is looked up by that key.
            return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
        }


        • muldoonaz

          #5
          Re: explanation please

          ZeldorBlat wrote:
          > Ahh, *those* curly brackets are a little different. prepareSQL() is
          > not a built in PHP function, so I can't say for sure what it does.
          >
          > Based on your example, I would guess that it does something like
          > substitute the values passed as the second parameter (the array) into
          > the string passed as the first parameter ($sqlQuery) where the
          > parameters in the original string are refered to by {i} where i is
          > their index in the array.
          >
          > I'd also venture a guess that your "return preg_replace... " code comes
          > from prepareSQL(). Without seeing the rest of the function, it looks
          > like that call preg_replace() is what does the actual replacement of
          > the variables.
          >
          > So, in short, those {1}, {2}, etc. are *not* the same as the curly
          > braces described at http://www.php.net/strings
          >

          Here's the function (taken off the website he quoted):

          <?php
          function prepareSQL($queryString, $paramArr) {
              foreach (array_keys($paramArr) as $paramName) {
                  // Integers and other numerics are cast, so they cannot carry quotes or SQL text.
                  if (is_int($paramArr[$paramName])) {
                      $paramArr[$paramName] = (int)$paramArr[$paramName];
                  }
                  elseif (is_numeric($paramArr[$paramName])) {
                      $paramArr[$paramName] = (float)$paramArr[$paramName];
                  }
                  // Everything else is escaped for MySQL and wrapped in single quotes.
                  elseif (($paramArr[$paramName] != 'NULL') and
                          ($paramArr[$paramName] != 'NOT NULL')) {
                      $paramArr[$paramName] =
                          mysql_real_escape_string(stripslashes($paramArr[$paramName]));
                      $paramArr[$paramName] = '\''.$paramArr[$paramName].'\'';
                  }
              }

              // The 'e' modifier evaluates the replacement as PHP code: $1 becomes the text
              // captured inside the braces, and $paramArr[$1] is looked up by that key.
              return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
          }


          • Michael G

            #6
            Re: explanation please


            "muldoonaz" <donot@spam.me.com> wrote in message
            news:Q0JTe.296169$WN5.93062@fe02.news.easynews.com...
            > Michael G wrote:
            >> The following is from
            >> http://php.mirrors.ilisys.com.au/man...-injection.php .
            >>
            >> Would someone explain the following lines, in particular I don't
            >> understand
            >> '$paramArr[\'$1\']' nor do I understand how the syntax {1} works or how
            >> it is related to arrays?
            >>
            >> Thanks, mIke.
            >>
            >> <some code snipped>
            >> ...
            >> return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']',
            >> $queryString);
            >> }
            >>
            >> $sqlQuery = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2}
            >> LIMIT {3}';
            >> $stm = mysql_query(prepareSQL($sqlQuery, array('username', 24.3, 20)));
            >> ?>
            >
            > Look at the snippet of code and you'll find your answer. The $paramArr
            > variable is passed with the calling of the function.
            >
            > You'd type the following into your script: prepareSQL("something",
            > "here"); and "here" would become $paramArr.
            >

            Yeah, I understand that. In the OP, $paramArr is an array. I also now
            understand that the author of this function uses regular expressions to do
            the replacement.

            > return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
            > }
            >

            But I still fail to understand how 'paramArr[\'$1\']' is mapped using $1 as
            an index. I've tried printing paramArr['$1'] to see if I might gain some
            understanding but to no avail.

            Mike




            • Michael G

              #7
              Re: explanation please


              "Michael G" <mike-g@montana.com> wrote in message
              news:1126133711_18365@spool6-east.superfeed.net...
              >
              > "muldoonaz" <donot@spam.me.com> wrote in message
              > news:Q0JTe.296169$WN5.93062@fe02.news.easynews.com...
              >> Michael G wrote:
              >>> The following is from
              >>> http://php.mirrors.ilisys.com.au/man...-injection.php .
              >>>
              >>> Would someone explain the following lines, in particular I don't
              >> return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']',
              >> $queryString);
              >> }
              >>
              >
              > But I still fail to understand how 'paramArr[\'$1\']' is mapped using $1
              > as an index. I've tried printing paramArr['$1'] to see if I might gain
              > some understanding but to no avail.
              >

              ok. I have an explanation, thanks to a Perl book I have. Anyway, the $1 is
              called a backreference. Backreferences contain the value that is matched by
              each atom of the regular expression. In this case there is only one atom -
              (.*?), hence only one backreference. So each time there is a match the value
              contained in the curly braces would be copied into the backreference. So
              $paramArr['$1'] after the first match would give $paramArr['0'] as per the
              regex. Not real sure about what the modifiers 'ei' mean at the end of the
              pattern.

              Mike





              • Justin Koivisto

                #8
                Re: explanation please

                Michael G wrote:
                > "Michael G" <mike-g@montana.com> wrote in message
                > news:1126133711_18365@spool6-east.superfeed.net...
                >
                >> "muldoonaz" <donot@spam.me.com> wrote in message
                >> news:Q0JTe.296169$WN5.93062@fe02.news.easynews.com...
                >>
                >>> Michael G wrote:
                >>>
                >>>> The following is from
                >>>> http://php.mirrors.ilisys.com.au/man...-injection.php .
                >>>>
                >>>> Would someone explain the following lines, in particular I don't
                >>> return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']',
                >>> $queryString);
                >>> }
                >>>
                >>
                >> But I still fail to understand how 'paramArr[\'$1\']' is mapped using $1
                >> as an index. I've tried printing paramArr['$1'] to see if I might gain
                >> some understanding but to no avail.
                >>
                >
                >
                > ok. I have an explanation, thanks to a Perl book I have. Anyway, the $1 is
                > called a backreference. Backreferences contain the value that is matched by
                > each atom of the regular expression. In this case there is only one atom -
                > (.*?), hence only one backreference. So each time there is a match the value
                > contained in the curly braces would be copied into the backreference. So
                > $paramArr['$1'] after the first match would give $paramArr['0'] as per the
                > regex. Not real sure about what the modifiers 'ei' mean at the end of the
                > pattern.

                IIRC, the 'e' modifier is for expand or evaluate, and I know that the
                'i' modifier is case-insensitive matching.

                --
                Justin Koivisto, ZCE - justin@koivi.com
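An added example, not code from this thread or from the PHP manual page Mike quotes, pulling together what posts #3, #7 and #8 work out: the same {n} substitution written with preg_replace_callback(), where the callback's $m[1] holds exactly the text the $1 backreference carried, and no 'e' modifier is needed because nothing is evaluated as PHP code (the 'i' modifier was a no-op anyway, since the pattern contains no letters). The names prepareSQL, quoteParams, $escape and the sample values are this example's own; addslashes() stands in for mysqli_real_escape_string() so it runs without a database connection. It also makes visible the index mismatch Mike brushes against in #7: the manual's array('username', 24.3, 20) is 0-indexed while the placeholders start at {1}, so {3} has no key to map to, which the original turned into an empty string via an undefined-index notice; here it is reported instead.

```php
<?php
declare(strict_types=1);

// Example code, not the manual's prepareSQL(): the same placeholder scheme
// re-done with preg_replace_callback(), which is what replaced the /e modifier
// (deprecated in PHP 5.5, removed in PHP 7.0).

/**
 * Cast or quote each parameter the way the manual's function does.
 * $escape is an assumed callable standing in for mysqli_real_escape_string()
 * so the example runs without a live connection.
 */
function quoteParams(array $paramArr, callable $escape): array
{
    foreach ($paramArr as $paramName => $value) {
        if (is_int($value)) {
            $paramArr[$paramName] = (int)$value;
        } elseif (is_numeric($value)) {
            $paramArr[$paramName] = (float)$value;
        } elseif ($value !== 'NULL' && $value !== 'NOT NULL') {
            // Strings are escaped and wrapped in single quotes.
            $paramArr[$paramName] = "'" . $escape((string)$value) . "'";
        }
    }
    return $paramArr;
}

function prepareSQL(string $queryString, array $paramArr, callable $escape): string
{
    $params = quoteParams($paramArr, $escape);

    // Same pattern as the thread's, minus the modifiers: 'e' is gone because the
    // callback does the work, and 'i' never mattered (the pattern has no letters).
    return preg_replace_callback(
        '/\{(.*?)\}/',
        function (array $m) use ($params): string {
            // $m[0] is the whole match, e.g. "{1}"; $m[1] is what (.*?) captured,
            // e.g. "1". $m[1] is the value the $1 backreference held under /e.
            if (!array_key_exists($m[1], $params)) {
                // The original produced an empty string here (undefined index); that
                // is what happens to {3} against the 0-indexed array('username', 24.3, 20).
                throw new InvalidArgumentException("no parameter for placeholder {$m[0]}");
            }
            return (string)$params[$m[1]];
        },
        $queryString
    );
}

$query = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2} LIMIT {3}';

// Constructed sample values with keys 1..3 so they line up with the placeholders.
$params = [1 => "O'Brien", 2 => 24.3, 3 => 20];
echo prepareSQL($query, $params, 'addslashes'), PHP_EOL;

// With the manual's 0-indexed array, {1} picks up 24.3, {2} picks up 20 and
// {3} has nothing to map to.
try {
    prepareSQL($query, ['username', 24.3, 20], 'addslashes');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// What a practitioner reaches for instead of rewriting the query text at all:
// a driver-side prepared statement keeps the SQL and the values apart, so no
// escaping or placeholder substitution happens in PHP. Needs a live $pdo
// connection, so it is left as a comment here.
// $stmt = $pdo->prepare('SELECT col1, col2 FROM tab1 WHERE col1 = ? AND col3 = ? LIMIT ?');
// $stmt->bindValue(1, "O'Brien", PDO::PARAM_STR);
// $stmt->bindValue(2, 24.3);
// $stmt->bindValue(3, 20, PDO::PARAM_INT);   // LIMIT must be bound as an integer
// $stmt->execute();
```

The callback form is worth preferring even where /e still works: under /e the replacement string is compiled and run as PHP, so a capture that contains a quote or other PHP syntax influences code, not just data; with a callback the captured text is only ever used as an array key, and an unknown key is a detectable error rather than a silent empty substitution.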
