$_pdo = new Data('mysql:host='.$db_host.';dbname='.$db_name.';port='.$db_port, $db_user, $db_pass, array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES '.$charset));
Variables come from form.
User can make a sql injection if I don't strip this variables?
Connect credentials should not come from user under any circumstances.
You have to store them in your server in some config file. And then use with connect string.
Please note that charset should be set in DSN, not options.
include 'settings.php';
$dsn = "mysql:host=$db_host;dbname=$db_name;port=$db_port;charset=$charset";
$pdo = new Data($dsn, $db_user, $db_pass);
If you are accepting input from a form to create the connection I would probably use some sanitization functions to clean it up before using it. If this is being stored in a text file or a database it would be a good idea to sanitize before it is saved as well before it is used.
http://php.net/manual/en/function.filter-var.php
$db_host = filter_var($db_host,FILTER_SANITIZE_FULL_SPECIAL_CHARS);
Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding
quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like
htmlspecialchars(), this filter is aware of the default_charset and if
a sequence of bytes is detected that makes up an invalid character in
the current character set then the entire string is rejected resulting
in a 0-length string.
http://www.php.net/manual/en/filter.filters.sanitize.php
Related
If my PDO connection is as below:
$sphinx = new PDO('mysql:dbname=db;host=127.0.0.1;port=9306;charset=utf8', 'user', 'pass');
$sphinx->exec('SET CHARACTER SET utf8');
$sphinx->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
$sphinx->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
And my query is:
$array = $sphinx->prepare("select * from `indexname` where MATCH #(title,body) hello world");
What is the correct way to enable SPH_MATCH_EXTENDED?
If I add:
require ("sphinxapi.php");
$sphinx = new SphinxClient();
$sphinx->SetMatchMode(SPH_MATCH_EXTENDED);
$sphinx->SetArrayResult(true);
Under the PDO connection, is this the correct way to enable stp_match_extended for PDO?
What is the correct way to enable SPH_MATCH_EXTENDED?
SphinxQL uses Extended Match Mode by default.
Don't need to do anything to use it.
You can change to use a different match mode if really want, but its NOT recommended. Internally Sphinx only (now!) implements Extended match mode, the others are all emulated.
I'm creating an in-house application and have always hardcoded the database connection string. However, this time I want to do something different and give the users the ability to enter the information from the application.
I figured out that I can store the variables in the Application Settings and call them from code, but I can't figure out how to call them within the connection string.
Here's the code:
Dim dbConn As New MySqlConnection
dbConn.ConnectionString = "Server=172.43.96.271;Port=3306;Uid=someone;
Password=theirpassword;Database=thedb"
Hope I explained myself well?
You can simply concatenate the string together, or better yet, use the String.Format method:
dbConn.ConnectionString = String.Format("Server={0};Port={1};Uid={2};Password={3};Database={4}", My.Settings.Server, My.Settings.Port, My.Settings.Uid, My.Settings.Database)
If you were using MS SQL, I'd recommend using the SqlConnectionStringBuilder class to do it, but since you're using MySql, it doesn't really apply. You may be able to use it anyway, though.
You would have to use User Settings for this.
And, if you want the users to input the separate parts of the connection string (Server, Post, Username, Password and DB), you would have to create a settings entry for each of those, and then construct the connection string from those values.
Here's a good article for this: User Settings Applied
I have about 85 SSIS packages that are using the same connection manager.
I understand that each package has its own connection manager.
I am trying to decide what would be the best configurations approach to simply set the connectionstring of the connection manager based on the server the packages are residing on.
I have visited all kinds of suggestions online, but cannot find anywhere the practice where I can simply copy the configuration from one package to the rest of the packages.
There are obviously many approaches such as XML file, SQL Server, Environment Variable, etc.
All the articles out there are pointing to use an Indirect method by using XML or SQL approach. Why would using an environment variable for just holding a connection string is such a bad approach?
Any suggestions are highly appreciated.
Thanks!
Why would using an environment variable for just holding a connection string is such a bad approach?
I find the environment variable or registry key configuration approach to be severely limited by the fact that it can only configure one item at a time. For a connection string, you'd need to define an environment variable for each catalog on a given server. Maybe it's only 2 or 3 and that's manageable. We had a good 30+ per database instance and we had multi-instanced machines so you can see how quickly this problem explodes into a maintenance nightmare. Contrast that with a table or xml based approach which can hold multiple configuration items for a given configuration key.
...best configurations approach to simply set the connectionstring of the connection manager based on the server the packages are residing on.
If you go this route, I'd propose creating a variable, ConnectionString and using it to configure the property. It's an extra step but again I find it's easier to debug a complex expression on a variable versus a complex expression on a property. With a variable, you can always pop a breakpoint on the package and look at the locals window to see the current value.
After creating a variable named ConnectionString, I right click on it, select Properties and set EvaluateAsExpression equal to True and the Expression property to something like "Data Source="+ #[System::MachineName] +"\\DEV2012;Initial Catalog=FOO;Provider=SQLNCLI11.1;Integrated Security=SSPI;"
When that is evaluated, it'd fill in the current machine's name (DEVSQLA) and I'd have a valid OLE DB connection string that connects to a named instance DEV2012.
Data Source=DEVSQLA\DEV2012;Initial Catalog=FOO;Provider=SQLNCLI11.1;Integrated Security=SSPI;
If you have more complex configuration needs than just the one variable, then I could see you using this to configure a connection manager to a sql table that holds the full repository of all the configuration keys and values.
...cannot find anywhere the practice where I can simply copy the configuration from one package to the rest of the packages
I'd go about modifying all 80something packages through a programmatic route. We received a passel of packages from a third party and they had not followed our procedures for configuration and logging. The code wasn't terribly hard and if you describe exactly the types of changes you'd make to solve your need, I'd be happy to toss some code onto this answer. It could be as simple as the following. After calling the function, it will modify a package by adding a sql server configuration on the SSISDB ole connection manager to a table called dbo.sysdtsconfig for a filter named Default.2008.Sales.
string currentPackage = #"C:\Src\Package1.dtsx"
public static void CleanUpPackages(string currentPackage)
{
p = new Package();
p.app.LoadPackage(currentPackage, null);
Configuration c = null;
// Apply configuration Default.2008.Sales
// ConfigurationString => "SSISDB";"[dbo].[sysdtsconfig]";"Default.2008.Sales"
// Name => MyConfiguration
c = p.Configurations.Add();
c.Name = "SalesConfiguration";
c.ConfigurationType = DTSConfigurationType.SqlServer;
c.ConfigurationString = #"""SSISDB"";""[dbo].[sysdtsconfig]"";""Default.2008.Sales""";
app.SaveToXml(sourcePackage, p, null);
}
Adding a variable in to the packages would not take much more code. Inside the cleanup proc, add code like this to add a new variable into your package that has an expression like the above.
string variableName = string.Empty;
bool readOnly = false;
string nameSpace = "User";
string variableValue = string.Empty;
string literalExpression = string.Empty;
variableName = "ConnectionString";
literalExpression = #"""Data Source=""+ #[System::MachineName] +""\\DEV2012;Initial Catalog=FOO;Provider=SQLNCLI11.1;Integrated Security=SSPI;""";
p.Variables.Add(variableName, readOnly, nameSpace, variableValue);
p.Variables[variableName].EvaluateAsExpression = true;
p.Variables[variableName].Expression = literalExpression;
Let me know if I missed anything or you'd like clarification on any points.
ORM settings in Coldfusion application.cfc run before anything else runs (onapplicationstart, etc). So how do you set a dynamic datasource (code before the ORM init) in application.cfc? we can set it after and it re-points the ORM to a dynamic datasource, but that requires that the hardcoded datasource must be valid as well. This is tenuous at best.
Here is an example:
<cfscript>
this.name = "someapp_#hash(cgi.http_host)#";
this.ormenabled = "true";
this.ormsettings = { cfclocation = "config/definitions", eventhandling = "true",datasource="STATICDATASOURCE" };
</cfscript>
If it's not specified in application.cfc scope then you get errors like "ORM is not configured for the current application."
We need to be able to get the datasource from a text file on the server.
this.datasource="YourDatasourceName";
Well, if you wanted to store a file, for this example we'll call it "datasource.xml" consisting of:
<dataSourceName>Name goes here</dataSourceName>
You can read it in with:
dataFile = fileRead("pathToFile/datasource.xml");
data = xmlParse(dataFile);
dataSourceName = data.dataSourceName.xmlText;
this.datasource=dataSourceName;
ORM datasource just uses the default datasource if not defined.
Having said that, if you want to add / remove datasource dynamically, see Administrator API at: http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WSc3ff6d0ea77859461172e0811cbf364104-7fcf.html (available since CF8)
I'm not sure if you can re-set the this.ormsettings.datasource to something else at runtime (i.e. onApplicationStart()? or onServerStart()?), but many of the settings can be set again. You may want to try it out.
I'm using an application called Logi info. it requires a connection string to my oracle database. the connection works fine but in order to configure the connection to recive ref cursors from the database, I apparently need to add PLSQLRSet=1 to the end of the string. when I do that I recieve an error "invalid connection string"
Here is my connection string without plsqlrset=1
Data Source=SID; User Id=username; Password=password;
My concern is that PLSQLRSet=1 might be .NET paramater only. Can anyone shed some light on the issue.
Thanks
It appears that the PLSQLRset option is a feature of the OraOLEDB provider (per http://download.oracle.com/docs/cd/B10501_01/win.920/a95498/using.htm).
Therefore I would guess that you have to add Provider=OraOLEDB.Oracle to the connect string -- as shown in the screenshot on the page you linked to -- in order to use this option.