anyway.



2006-04-21 : The Marginalia Code

In light of, y'know, learning a thing or two, I've edited the meat out of this post. It remains a mere husk of its former self.

Here's what happens when you click "Submit, Monkey!" underneath "This reminds me..."

snip

What happens when you click "Submit, Monkey!" underneath "This makes me go..." is very similar:

snip

So that's two tables in my database: reminds (fed by "This reminds me...") and responds (fed by "This makes me go..."). In both, the "entryid" field holds the id of the main post and the "commentid" field holds the id of the particular comment.

Here's what happens wrt marginalia when the code displays a comment:

  snip

Anybody interested in more?
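Since the post's own code is snipped, here is an added example (mine, not Vincent's weblog code) that shows, in Python with SQLite, the two shapes the comments below argue about: the inline-concatenated INSERT into reminds, which breaks on an ordinary apostrophe and lets a crafted comment run extra SQL, beside the parameterized version of the same insert. The reminds column list follows the one quoted later in the thread; the entries table, the sample values and the in-memory database are constructed here for the demonstration. The unsafe path uses executescript() so that stacked statements actually run; whether a given driver accepts more than one statement per call varies (PHP's old mysql_query() did not), but even a single-statement injection lets an attacker reshape the query.

```python
import sqlite3

# Added example, not the weblog's own code. Table and column names for
# "reminds" follow the thread; the "entries" table, sample values and the
# in-memory SQLite database are constructed here for the demonstration.
SCHEMA = """
CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE reminds (entryid INTEGER, commentid INTEGER, ondate TEXT,
                      initials TEXT, linkto TEXT, linktext TEXT);
"""

# A value a well-meaning reader might type (the "sql error" case) and one a
# jerk might type: it closes the string, ends the INSERT, and adds a DROP.
FRIENDLY = "Clinton's marginalia"
PAYLOAD = "x'); DROP TABLE entries; --"


def fresh_db():
    """Constructed test database: one entry, no marginalia yet."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO entries VALUES (1, 'The Marginalia Code')")
    db.commit()
    return db


def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def insert_remind_unsafe(db, entryid, commentid, ondate, initials, linkto, linktext):
    """The inline-concatenation pattern: form fields are pasted into the SQL.

    executescript() is used so that stacked statements run, emulating a
    driver or setup that accepts more than one statement per call.
    """
    sql = (
        "INSERT INTO reminds (entryid, commentid, ondate, initials, linkto, linktext) "
        "VALUES (%s, %s, '%s', '%s', '%s', '%s')"
        % (entryid, commentid, ondate, initials, linkto, linktext)
    )
    db.executescript(sql)


def insert_remind_safe(db, entryid, commentid, ondate, initials, linkto, linktext):
    """Parameterized insert: the SQL text is fixed; the values travel separately."""
    db.execute(
        "INSERT INTO reminds (entryid, commentid, ondate, initials, linkto, linktext) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (entryid, commentid, ondate, initials, linkto, linktext),
    )
    db.commit()


def try_insert(insert, linktext):
    """Run one insert against a fresh database and report what happened:
    (outcome, whether the entries table survived, stored linktext or None)."""
    db = fresh_db()
    try:
        insert(db, 1, 1, "2006-04-21", "JK", "http://example.invalid/", linktext)
    except sqlite3.OperationalError:
        # This is the "sql error" an apostrophe produces with string building.
        return ("sql error", table_exists(db, "entries"), None)
    row = db.execute("SELECT linktext FROM reminds WHERE commentid = 1").fetchone()
    return ("ok", table_exists(db, "entries"), row[0] if row else None)


if __name__ == "__main__":
    for label, insert in (("unsafe", insert_remind_unsafe), ("safe", insert_remind_safe)):
        for text in (FRIENDLY, PAYLOAD):
            print(label, repr(text), try_insert(insert, text))
```

With the unsafe insert the friendly value fails with a syntax error and the payload drops the entries table while storing only "x"; with the parameterized insert both values are stored exactly as typed and the entries table is untouched. Escaping quotes by hand, as suggested further down the thread, narrows the first problem but the placeholder version is what removes the second.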



1. On 2006-04-21, Vincent said:

By the way, what I'm ashamed of is not having written any of it in subroutines. It's all just inline in front of God and everybody.

 



2. On 2006-04-21, Clinton R. Nixon said:

Vincent,

Whoa! Dude!

There's like way too many places for SQL injection there. Someone could, seriously, delete your weblog with a single comment. Back it up now.

And then contact me, and I'll help you out or something. My heart just jumped in my throat when I saw exactly how a jerk - which, by the way, there's plenty of Vincent-hating jerks who know SQL and PHP - could erase all your hard work.

- Clinton

 

marginalia

This makes...
CRN go "Test"*
BR go "Clinton is like the sherif, man..."*

*click in for more



3. On 2006-04-21, Vincent said:

I backup now.

 



4. On 2006-04-21, Joshua Kronengold said:

Still, dude.

At least use parameterized queries—that sort of stuff is just way too dangerous.

Try something like (I don't know PHP, but this is close enough to perl):

// Parameterized insert: the query text holds only "?" placeholders and the
// values are bound separately, so a value can never change the SQL itself.
$qtext = "insert into reminds (entryid, commentid, ondate, initials, linkto, linktext) values (?, ?, ?, ?, ?, ?)";

if ($press == "Submit, Monkey!") {
    // $db is an open PDO connection (assumed here). mysql_query() itself takes
    // no bind values, so a prepared statement is what makes this work in PHP.
    $stmt = $db->prepare($qtext) or die("prepare failed");
    $stmt->execute(array($entry, $comment, $ondate, $initials, $linkto, $linktext)) or die("insert failed");

    print "

Success! Sweet, sweet success. Click here.

";
}

 



5. On 2006-04-21, Vincent said:

Clinton's teaching me code safeners. I'm psyched.

I think this may precipitate the big redesign I've been plotting.

Also I'm going to edit the post to remove the code, so that's why you can't see it anymore.

 



6. On 2006-04-21, Avram said:

Wow, now I'm almost sorry I asked.

 



7. On 2006-04-21, Vincent said:

Ha! I TOLD YOU SO!

 



8. On 2006-04-21, Sydney Freedberg said:

(I tried to enter this in marginalia, but, surprise! That's apparently disabled.)

So Vincent turns out to be too trusting of human nature? Irony!

 

marginalia

This makes...
VB go "test"
sdm go "marginalia works for me"
SF go "Checking - does it work for me now?"*

*click in for more



9. On 2006-04-22, Dave Y. said:

I'm relatively new to php, but I know a thing or two and would be glad to help, either in terms of pointers (I came too late to the thread to see the code) or in terms of (benign) testing. Lemme know - I think you have my email. Sounds like Clinton's basically got your back, though.

 



10. On 2006-04-22, Mark W said:

Wow. The postless post. Read with the snippage, it strongly implies that whenever you do anything, Vincent's code simply goes "snip".

Which would actually be kind of neat.

 



11. On 2006-04-22, Ben Lehman said:

You have to get your posts snipped early, otherwise you'll have a whole lot of little posts running around.

 



12. On 2006-04-24, Joshua Kronengold said:

Yow. I just had to edit a marginalia post to escape some stuff that was causing the SQL to bomb out—at least apply a regexp to your variables like s/'/'/g, which avoids most of the trivial sql hacking bugs (as well as letting people post things with apostrophes without getting "sql error" on the result side).

 

marginalia

This makes...
mneme go "bah"*
mneme go "or..."*
VB go "done, anyway, I'm pretty sure."*
mneme go "*sigh*"*
mneme go "yup"*
VB go "HTML ESCAPING! DAMMIT!"*
JL go "There's always more..."*
mneme go "no, that's just wrong"*
mneme go "yes..."*
mneme go "preview would be nice"*

*click in for more



13. On 2006-04-24, Vincent said:

That's an unrelated thing. Apostrophes in marginalia worked fine until Textdrive updated their PHP like 10 days ago.

That, this, and an idea I have for maybe bettering the social contract around here point to a ground-up redesign. Expect not much activity for a little while.

 



14. On 2006-04-24, Avram said:

Textdrive, hey? I just downloaded and installed that on my laptop over the weekend, for fiddling around with. Thinking about the Marginalia gave me some ideas about AJAX-y comment threading that I may want to try out, if I can figure out the hard parts.

 

marginalia

This makes...
AG go "Textpattern is what I meant"*

*click in for more



15. On 2006-04-25, Vincent said:

Test.

 



16. On 2006-04-25, Vincent said:

I'm testing like a testy tester.

test 'test' "test"

 

marginalia

This makes...
VB go "I'm still testing..."*

*click in for more



17. On 2006-04-25, Vincent said:

Okay.

Tentatively, a) everything works again, and b) I'm safe from SQL injection.

I guess this means that the ground-up redesign I've been plotting can wait another week or three.

Which is fine. Like I don't have enough to do already.

REPORT ERRORS! Thanks, everybody!

 



18. On 2006-04-25, Thomas Robertson said:

I don't know if this is an error per se, but my aggregator is reading all apostrophes (') as ('). Of course my aggregator already doesn't properly parse your <(br)/>s, so it's not a big deal.

Thomas

 



19. On 2006-04-25, Vincent said:

Oh yes, the aggregators.

They'll have to wait for my attention.

Hang in there.

 


