Re: Alphabetical pagination (RESOLVED)

On Thu, Jul 16, 2009 at 12:01 PM, Miller, Terion <tmiller@xxxxxxxxxxxxxxxxxxxx> wrote:

>
> One question I still have... I had help with this script, of course, and I'm
> confused by the %s: what does it do?
>
> On 7/16/09 9:53 AM, "Martin Scotta" <martinscotta@xxxxxxxxx> wrote:
>
>
> On Thu, Jul 16, 2009 at 11:01 AM, Andrew Ballard <aballard@xxxxxxxxx>
> wrote:
> On Thu, Jul 16, 2009 at 9:33 AM, Miller,
> Terion<tmiller@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Here is what finally worked:
> >
> >     <?php
> >     // letter to page on; defaults to "A" when none is given
> >     $letter = isset($_GET['letter']) ? $_GET['letter'] : "A";
> >
> >     //alphabetical pagination links
> >     echo '<div align="center"><b>';
> >     foreach(range('A','Z') as $c){
> >         // current letter is shown as plain text, the others as links
> >         ($letter == $c)
> >             ? printf('%s&nbsp;',$c)
> >             : printf('<a href="?letter=%s">%s</a>&nbsp;',$c,$c);
> >     }
> >     echo "</b></div><p>";
> >
> >     //Show all restaurants that start with $letter
> >     $sql = "SELECT * FROM restaurants WHERE name LIKE '{$letter}%'";
> >     $result = mysql_query($sql) or die(mysql_error());
> >     while($row = mysql_fetch_assoc($result)){
> >         // one block per row: name, address, violations count
> >         printf('<div align="left" width="100"><b>%s</b><br>%s<br>%s<br></div><hr color=#000 width=200>',
> >                $row['name'],$row['address'],$row['cviolations']);
> >     }
> >     ?>
> > Thanks again everyone!!
>
> Terion,
>
> I hope that isn't your final answer. This has SQL injection written
> all over it since you are neither validating that $letter is actually
> a letter, nor are you escaping it before passing it off to MySQL.
>
> <?php
> $letter = isset($_GET['letter']) ? $_GET['letter'] : 'A';
>
>
> if (!preg_match('/^[A-Z]$/i', $letter)) {
>    $letter = 'A';
>    /*
>       Rather than setting $letter to 'A' and continuing,
>       you could generate an error if you end up in here
>       so you can let the user know that what they passed
>       was invalid.
>    */
>
> }
>
>
> //....
> ?>
>
> In this case, it should be safe to use $letter directly in the query
> without passing it through mysql_real_escape_string() since it should
> only contain a single harmless alphanumeric letter, but it wouldn't
> hurt (and may still be a good idea) to go ahead and escape the value
> in the query anyway just in case something in your code changes later
> that might cause some cruft to slip in.
>
> Andrew
>
> My point of view:
>
> # i'll use constants for these values
> assert( ord('A') == 0x41 );
> assert( ord('Z') == 0x5A );
>
> # 1. get the ascii code of the 1st character, or of 'A' (0x41) if none was given
> $code = ord( array_key_exists('letter', $_GET)
>     ? strtoupper( substr($_GET['letter'], 0, 1) )
>     : 'A' );
>
> # 2. different solutions (pick one; each turns $code back into a letter)
> # 2.a check if it is in range using <= and the constants (faster)
> $letter = chr( 0x41 <= $code && $code <= 0x5A ? $code : 0x41 );
>
> # 2.b clamp it into range with min/max and the constants (faster)
> $letter = chr( min( max(0x41, $code), 0x5A ) );
>
> I'd use the 2.b but this has different behaviour when $letter > Z (should
> this ever happen?)
> On the other hand I think it is the faster one.
>
>
>
printf has its own mini-syntax.
This was implemented in C.
PHP's printf syntax is very similar, but with some cool add-ons.

http://php.net/printf

The detailed description of the format is here: http://php.net/sprintf

-- 
Martin Scotta
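Below is an added example, not code from anyone in this thread: Terion's pagination page rewritten with Andrew's whitelist check and the letter bound as a query parameter instead of interpolated into the SQL string. It assumes a PDO connection (the mysql_* functions used above were removed in PHP 7) to the same `restaurants` table with columns `name`, `address` and `cviolations`; host, database and credentials are placeholders.

```php
<?php
// Added example. Assumes a PDO handle to a database holding the thread's
// restaurants(name, address, cviolations) table; connection values are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// 1. Whitelist the input (Andrew's check): exactly one ASCII letter, upper-cased
//    so that ?letter=a and ?letter=A select the same page.
function pageLetter(array $get): string
{
    $letter = isset($get['letter']) ? $get['letter'] : 'A';
    return (is_string($letter) && preg_match('/^[A-Z]$/', $letter))
        ? $letter
        : (is_string($letter) && preg_match('/^[a-z]$/', $letter) ? strtoupper($letter) : 'A');
}
$letter = pageLetter($_GET);

// Alphabetical pagination links. Each %s in the format string is replaced, in
// order, by the following printf arguments ($c, then $c again).
echo '<div align="center"><b>';
foreach (range('A', 'Z') as $c) {
    ($letter == $c)
        ? printf('%s&nbsp;', $c)
        : printf('<a href="?letter=%s">%s</a>&nbsp;', $c, $c);
}
echo "</b></div><p>";

// 2. Never build the SQL from the value. Bind the LIKE pattern as a parameter:
//    the driver sends it separately from the statement text, so even if the
//    whitelist above were dropped later the value could not change the query.
$stmt = $pdo->prepare(
    'SELECT name, address, cviolations FROM restaurants WHERE name LIKE :pattern'
);
$stmt->execute([':pattern' => $letter . '%']);

// 3. Escape database values on output; the thread's printf wrote them raw.
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    printf('<div align="left"><b>%s</b><br>%s<br>%s<br></div><hr>',
        htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $row['address'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $row['cviolations'], ENT_QUOTES, 'UTF-8'));
}
```

With the whitelist in place the bound pattern is always `<letter>%`; the parameter binding is the second, independent layer Andrew describes, so a later edit that loosens the check cannot turn the value into SQL.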
