anyway.
A Penny for Your Thoughts



2006-04-21 : The Marginalia Code
In light of, y'know, learning a thing or two, I've edited the meat out of this post. It remains a mere husk of its former self.

Here's what happens when you click "Submit, Monkey!" underneath "This reminds me..."

snip
What happens when you click "Submit, Monkey!" underneath "This makes me go..." is very similar:
snip
So that's two tables in my database, reminds and responds. The "entryid" field contains the id of the main post; the "commentid" field contains the id of the particular comment.

Here's what happens wrt marginalia when the code displays a comment:
snip
Anybody interested in more?

1. On 2006-04-21, Vincent wrote:


By the way, what I'm ashamed of is not having written any of it in subroutines. It's all just inline in front of God and everybody.



2. On 2006-04-21, Clinton R. Nixon wrote:


Vincent,

Whoa! Dude!

There's like way too many places for SQL injection there. Someone could, seriously, delete your weblog with a single comment. Back it up now.

And then contact me, and I'll help you out or something. My heart just jumped in my throat when I saw exactly how a jerk - which, by the way, there's plenty of Vincent-hating jerks who know SQL and PHP - could erase all your hard work.

- Clinton

This makes...
CRN go "Test"
BR go "Clinton is like the sheriff, man..."


3. On 2006-04-21, Vincent wrote:


I backup now.



4. On 2006-04-21, Joshua Kronengold wrote:


Still, dude.

At least use parameterized queries -- that sort of stuff is just way too dangerous.

Try something like (I don't know PHP, but this is close enough to perl):

$qtext = "insert into reminds (entryid, commentid, ondate, initials, linkto, linktext) values (?, ?, ?, ?, ?, ?)";

if ($press == "Submit, Monkey!") {
    // $db is assumed to be an already-open mysqli connection. The six values are
    // bound separately from the query text, so nothing typed into a comment can
    // change what SQL gets run.
    $stmt = $db->prepare($qtext) or die($db->error);
    $stmt->bind_param("iissss", $entry, $comment, $ondate, $initials, $linkto, $linktext);
    $stmt->execute() or die($stmt->error);

    print "Success! Sweet, sweet success. Click here.";

    $stmt->close();
}



5. On 2006-04-21, Vincent wrote:


Clinton's teaching me code safeners. I'm psyched.

I think this may precipitate the big redesign I've been plotting.

Also I'm going to edit the post to remove the code, so that's why you can't see it anymore.



6. On 2006-04-21, Avram wrote:


Wow, now I'm almost sorry I asked.



7. On 2006-04-21, Vincent wrote:


Ha! I TOLD YOU SO!



8. On 2006-04-21, Sydney Freedberg wrote:


(I tried to enter this in marginalia, but, surprise! That's apparently disabled.)

So Vincent turns out to be too trusting of human nature? Irony!

This makes...
VB go "test"
sdm go "marginalia works for me"
SF go "Checking - does it work for me now?"


9. On 2006-04-22, Dave Y. wrote:


I'm relatively new to PHP, but I know a thing or two and would be glad to help, either in terms of pointers (I came too late to the thread to see the code) or in terms of (benign) testing. Lemme know - I think you have my email. Sounds like Clinton's basically got your back, though.



10. On 2006-04-22, Mark W wrote:


Wow. The postless post. Read with the snippage, it strongly implies that whenever you do anything, Vincent's code simply goes "snip".

Which would actually be kind of neat.



11. On 2006-04-22, Ben Lehman wrote:


You have to get your posts snipped early, otherwise you'll have a whole lot of little posts running around.



12. On 2006-04-24, Joshua Kronengold wrote:


Yow. I just had to edit a marginalia post to escape some stuff that was causing the SQL to bomb out -- at least apply a regexp to your variables like s/'/'/g, which avoids most of the trivial sql hacking bugs (as well as letting people post things with apostrophes without getting "sql error" on the result side).

This makes...
mneme go "bah"
mneme go "or..."
VB go "done, anyway, I'm pretty sure."
mneme go "*sigh*"
mneme go "yup"
VB go "HTML ESCAPING! DAMMIT!"
JL go "There's always more..."
mneme go "no, that's just wrong"
mneme go "yes..."
mneme go "preview would be nice"
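The two suggestions in this thread (Joshua's parameterized query in comment 4 and the apostrophe problem in comment 12) come down to one mechanism, so here is a single added example that is not code from the thread or from lumpley.com: it builds the thread's `reminds` table (column names taken from the query above) in an in-memory sqlite3 database, which stands in for the PHP/MySQL setup the site actually ran, and inserts the same constructed comment text two ways. With string concatenation, one apostrophe in the text ends the SQL string literal early and the statement fails, which is exactly the "sql error" symptom described, and the same mechanism is what lets crafted text run as SQL; with placeholders and bound values, the driver keeps the text out of the query, so it is stored intact with no escaping regexp needed. The sample values (entry 199, the date, the initials, the link) are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the thread's "reminds" table (the site used PHP/MySQL;
# sqlite3 is used here so the example runs anywhere).
SCHEMA = """
CREATE TABLE reminds (
    entryid   INTEGER NOT NULL,
    commentid INTEGER NOT NULL,
    ondate    TEXT    NOT NULL,
    initials  TEXT    NOT NULL,
    linkto    TEXT    NOT NULL,
    linktext  TEXT    NOT NULL
)
"""

COLUMNS = "(entryid, commentid, ondate, initials, linkto, linktext)"


def fresh_db():
    """Open an empty in-memory database with the reminds table created."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def insert_by_concatenation(db, entry, comment, ondate, initials, linkto, linktext):
    """The pattern the thread warns about: user text spliced into the SQL itself.
    An apostrophe in any value terminates the string literal early, so the
    statement either fails or, in a database that allows it, runs whatever
    follows the apostrophe as SQL."""
    sql = (f"INSERT INTO reminds {COLUMNS} VALUES "
           f"({entry}, {comment}, '{ondate}', '{initials}', '{linkto}', '{linktext}')")
    db.execute(sql)
    db.commit()


def insert_by_parameters(db, entry, comment, ondate, initials, linkto, linktext):
    """Joshua's suggestion: placeholders in the query, values passed separately.
    The driver never splices the values into the query text, so quotes,
    semicolons and comment markers in the input are just characters."""
    sql = f"INSERT INTO reminds {COLUMNS} VALUES (?, ?, ?, ?, ?, ?)"
    db.execute(sql, (entry, comment, ondate, initials, linkto, linktext))
    db.commit()


def stored_linktexts(db):
    """Return every linktext in insertion order, to show what actually got saved."""
    return [row[0] for row in db.execute("SELECT linktext FROM reminds ORDER BY rowid")]


def demo(linktext):
    """Insert the same linktext with each method on a fresh table.
    Returns a pair (concatenation outcome, parameterised outcome), each either
    ("stored", [saved values]) or ("error", exception class name)."""
    outcomes = []
    for insert in (insert_by_concatenation, insert_by_parameters):
        db = fresh_db()
        try:
            # Constructed sample row: entry 199 (the post number in the RSS link), comment 12.
            insert(db, 199, 12, "2006-04-24", "JK", "http://example.invalid/", linktext)
            outcomes.append(("stored", stored_linktexts(db)))
        except sqlite3.Error as exc:
            outcomes.append(("error", type(exc).__name__))
        finally:
            db.close()
    return tuple(outcomes)


if __name__ == "__main__":
    # Constructed input with the kind of apostrophe that made the marginalia "bomb out".
    print(demo("Clinton's advice"))
```

Running it shows the concatenated insert failing with an OperationalError while the parameterised insert stores "Clinton's advice" verbatim. Binding beats the `s/'/.../g` regexp idea because it needs no list of dangerous characters to keep up to date, and it also keeps database escaping separate from the HTML escaping needed when the text is displayed, which the marginalia here flag as a second, different problem.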


13. On 2006-04-24, Vincent wrote:


That's an unrelated thing. Apostrophes in marginalia worked fine until Textdrive updated their PHP like 10 days ago.

That, this, plus an idea I have for maybe bettering the social contract around here point to a ground-up redesign. Expect not much activity for a little while.




14. On 2006-04-24, Avram wrote:


Textdrive, hey? I just downloaded and installed that on my laptop over the weekend, for fiddling around with. Thinking about the Marginalia gave me some ideas about AJAX-y comment threading that I may want to try out, if I can figure out the hard parts.

This makes...
AG go "Textpattern is what I meant"


15. On 2006-04-25, Vincent wrote:


Test.



16. On 2006-04-25, Vincent wrote:


I'm testing like a testy tester.

test 'test' "test"

This makes...
VB go "I'm still testing..."


17. On 2006-04-25, Vincent wrote:


Okay.

Tentatively, a) everything works again, and b) I'm safe from SQL injection.

I guess this means that the ground-up redesign I've been plotting can wait another week or three.

Which is fine. Like I don't have enough to do already.

REPORT ERRORS! Thanks, everybody!



18. On 2006-04-25, Thomas Robertson wrote:


I don't know if this is an error per se, but my aggregator is reading all apostrophes (') as ('). Of course my aggregator already doesn't properly parse your <(br)/>s, so it's not a big deal.

Thomas



19. On 2006-04-25, Vincent wrote:


Oh yes, the aggregators.

They'll have to wait for my attention.

Hang in there.




This comment thread has an RSS feed:
link http://www.lumpley.com/anyway_comments_rss.php?entry=199