Friday, January 19, 2007

C++: LibXML in Borland C++ Builder 5

The key to this solution is using a command-line utility that comes with BCB5 called implib.exe which creates a borland-type .lib file from a win32 .dll

Goal:
Get a simple C++ libxml code example to work (from http://xmlsoft.org/examples/index.html)

What to do:
Okay the first thing you need to do is download win32 libxml from http://www.zlatkovic.com/libxml.en.html

but it has certain dependencies so you will want to fetch the binaries:
* libxml2, the XML parser and processor.
* libxslt, the XSL and EXSL Transformations processor.
* xmlsec, the XMLSec and XMLDSig processor.
* xsldbg, the XSL Transformations debugger.
* openssl, the general crypto toolkit.
* iconv, the character encoding toolkit.
* zlib, the compression toolkit.

Then you three types of files in each project, .dll .lib and .h. The problem with these .lib files is that these .lib files are compiled for Microsoft Visual Studio. But in borland the way to create lib files is using implib.exe included in all distributions of borland c++ builder. I run

implib.exe -a zlib.lib zlib.dll

to create a zlib.lib for borland. Then I do the same thing for the other dlls.

Then add the .lib into the borland project and then source code examples will work.

Hooray for implib!

source(s)
http://www.gantless.com/borland.html (implib)
http://www.zlatkovic.com/libxml.en.html (libxml)
http://xmlsoft.org/examples/index.html (libxml examples)

Thursday, January 04, 2007

PHP: SQL Injection Best Practice in MySQL

It is important to avoid SQL injection when working with mysql, and so it is common to use a function like mysql_real_escape_string() in PHP.

At php.net, they suggest using sprintf and a function called quote_smart as described on their mysql_real_escape_string documentation page as a "best practice" method.

php.net [good]:
$query = sprintf(
"SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));


php.net [better]:
$query = sprintf(
"SELECT * FROM users WHERE user=%s AND password=%s",
quote_smart($user),
quote_smart($password));


qsprintf [best]:
$query = qsprintf(
"SELECT * FROM users WHERE user=%s AND password=%s",
$user,
$password);

correction: Of the 3 examples above, the 2 previous used to have single quotes around %s, but this is incorrect as quote_smart or myquote will add single quotes.

note: using sprintf either qsprintf functions will get screwed up when you have a " like 's%' " statement in sql or similar 'like' statements using % (the percentage character).

<?php
function myquote($value)
{
if (get_magic_quotes_gpc())
$value = stripslashes($value);
if (is_numeric($value))
return "'$value'";
return "'".mysql_real_escape_string($value)."'";
}

function qsprintf()
{
$numargs = func_num_args();
$arg_list = func_get_args();
$format = $arg_list[0];
$next_arg_list = array();
for ($i = 1; $i < $numargs; $i++)
$next_arg_list[] = myquote($arg_list[$i]);
return vsprintf($format, $next_arg_list);
}
?>


notes: I modified their quote_smart function and renamed it to myquote in my code sample below because mysql doesn't care if you try to insert '123' into a numeric field (including single quotes) and that way I wouldn't lose leading zeros when inserting something like '01234' into a character field.