anyway.

By the way, what I'm ashamed of is not having written any of it in subroutines. It's all just inline in front of God and everybody.

Vincent,

Whoa! Dude!

There's like way too many places for SQL injection there. Someone could, seriously, delete your weblog with a single comment. Back it up now.

And then contact me, and I'll help you out or something. My heart just jumped in my throat when I saw exactly how a jerk - which, by the way, there's plenty of Vincent-hating jerks who know SQL and PHP - could erase all your hard work.

- Clinton

I backup now.

Still, dude.

At least use parameterized queries—that sort of stuff is just way too dangerous.

Try something like (I don't know PHP, but this is close enough to perl):

$qtext="insert into reminds (entryid, commentid, ondate, initials, linkto, linktext) values (?, ?, ?, ?, ?, ?)";

if($press=="Submit, Monkey!") {
$result=mysql_query($qtext,$entry, $comment, $ondate, $initials, $linkto, $linktext) or die(mysql_error());

print "

Success! Sweet, sweet success. Click here.

";
mysql_free_result($result);

}

Clinton's teaching me code safeners. I'm psyched.

I think this may precipitate the big redesign I've been plotting.

Also I'm going to edit the post to remove the code, so that's why you can't see it anymore.

Wow, now I'm almost sorry I asked.

Ha! I TOLD YOU SO!

(I tried to enter this in marginalia, but, surprise! That's apparently disabled.)

So Vincent turns out to be too trusting of human nature? Irony!

I'm relatively new to php, but I know a thing or two and would be glad to help, either in terms of pointers ( i came too late to the thread to see the code) or in terms of (benign) testing. Lemme know - I think you have my email. Sounds like Clinton's basically got your back, though.

Wow. The postless post. Read with the snippage, it strongly implies that whenever you do anything, Vincent's code simply goes "snip".

Which would actually be kind of neat.

You have to get your posts snipped early, otherwise you'll have a whole lot of little posts running around.

Yow.  I just had to edit a marginalia post to escape some stuff that was causing the SQL to bomb out—at least apply a regexp to your variables like s/'/'/g, which avoids most of the trivial sql hacking bugs (as well as letting people post things with apostrophes without getting "sql error" on the result side).

That's an unrelated thing. Apostrophes in marginalia worked fine until Textdrive updated their PHP like 10 days ago.

That, this, and plus an idea I have for maybe bettering the social contract around here point to a ground-up redesign. Expect not much activity for a little while.

Textdrive, hey? I just downloaded and installed that on my laptop over the weekend, for fiddling around with. Thinking about the Marginalia gave me some ideas about AJAX-y comment threading that I may want to try out, if I can figure out the hard parts.

Test.

I'm testing like a testy tester.

test 'test' "test"

Okay.

Tentatively, a) everything works again, and b) I'm safe from SQL injection.

I guess this means that the ground-up redesign I've been plotting can wait another week or three.

Which is fine. Like I don't have enough to do already.

REPORT ERRORS! Thanks, everybody!

I don't know if this is an error per se, but my aggregator is reading all apostrophes (') as (').  Of course my aggregator already doesn't properly parse your <(br)/>

s, so it's not a big deal.

Thomas

Oh yes, the aggregators.

They'll have to wait for my attention.

Hang in there.