Leading Edge Scripts » Databases

Preventing SQL Injection

admin — Fri, 21 Nov 2008 16:43:16 +0000

For anyone who needs it, here is a script I wrote to prevent SQL injection. It uses references to the original global arrays to clean them up.

/**
* added the following code to enabled readyness for magic_quotes() being removed
* in PHP6
*
* added by C. Cook 15/8/2008
*/
//Turn off magic quotes the manual way, this also cleans up all our nasty data
$in = array(&$_GET, &$_POST, &$_COOKIE);
while (list($k, $v) = each($in)) {
foreach ($v as $key => $val) {
if (!is_array($val)) {
//now we re-escape our input data
$in[$k][$key] = mysql_real_escape_string(stripslashes($val));
//$in[$k][$key] = stripslashes($val);
continue;
}
$in[] =& $in[$k][$key];
}
}
unset($in);

Database development – Some Rules

admin — Thu, 06 Nov 2008 21:56:59 +0000

If I’d known this stuff when I first started to design databases for web applications, I think it would have helped me a lot, these are not necessarily ‘formal recommendations’ or even what some people might call ‘best practice’, but these rules work for me when I’m designing my web applications. It makes development quicker, because I don’t have to think about the names of my columns and tables when I’m writing code.

So with that in mind, these are my ‘rules’ for database design:

Name everything in lowercase, that means table names, column names, everything!
always use the plural for table names
always use singular for columns names
always name primary key ‘index’ fields ‘id’ this prevents any issues with the name ‘index’
always name your database columns using something that accurately describes the content of the column e.g. email, first_name, last_name, tel

Short and sweet, but these rules stand me in good stead these days.

On a similar topic, and equally useful, use a database administration tool, like MySQLAdministrator since it’s so much faster than installing old faithful PhpMyAdmin. Don’t get me wrong PhpMyAdmin is still great, and I still use it a lot, but when I can get away with it MySQLAdministrator is just so much faster for creating databases tables.

How to backup and email a dump of your Mysql database on Linux

admin — Sat, 01 Nov 2008 17:55:54 +0000

A few weeks back, after working on an old, slow & clunking server that I use to run a billing system, I thought to myself ‘hey you know what, it would be great to be able to email myself backups of my MySQL database. That will stop me worrying about loosing all this data if this server ever dies on me.’

So, as you’ve probably guessed, I figured out how to do it. The answer’s actually very simple, and can easily be run as a cron job to automate the process on a daily basis.

First you need to make your MySQL dump file. (I prefer .sql files as I think it makes things way more transferable)

The command to dump all your data from MySQL is this:

mysqldump –u username –p databasename > mysqldumpfilename.sql

This will output a copy of your entire database to the file called mysqldumpfilename.sql (of course you can call yours whatever you want)

The next step is to get this file emailed to you. Somewhere (I don’t remember where) I found out that you should encode your mail attachments using the uuencode function in Linux.

So to email yourself a copy of your database backup, the command is as follows:

uuencode mysqldumpfilename.sql mysqldumpfilename.sql | mail sylvia@home.com

Now just put the two together and you can email yourself a backup of your mysql database.