Upload Size & MySQL Select - fread()

daredevil14

Hello, this is my first post on this forum... i am currently facing 2 problems with php...

*My first question : i created an upload script on localhost and on the webserver file manager, the problem is that the max size of uploading is 1 MB only... i can't upload bigger sizes than that, i think that this is due to the php configurations , well i found the php.ini and fortunatelly found its setting and altered it to 2 MB but still doesn't upload more than 1 MB... any idea on how to increase the size limit of uploading ?

*My second question : this is about the output formatting of MySQL "SELECT" and the fread() of the filesystem... i insert a well organized paragraph ( a poem for example ) in a <textarea> input form... but when i select and output it to the browser... either the MySQL select or the filesystem fread()... i'll get an unformatted paragraph without the & the tags... usually in ASP & VBscript... i use the vbCrLf function to obligate the above HTML tags to be embedded and retrieved correctly as they were inserted... i searched the string functions reference but no results... any idea on how that can be done in PHP ? ( both cases : The Filesystem & MySQL Select )

Regards

laserlight

well i found the php.ini and fortunatelly found its setting and altered it to 2 MB but still doesn't upload more than 1 MB... any idea on how to increase the size limit of uploading ?

What exactly did you change? Did you remember to save and restart the web server?

but when i select and output it to the browser... either the MySQL select or the filesystem fread()... i'll get an unformatted paragraph without the & the tags

You're looking to use [man]nl2br/man. Of course, you have to be careful about malicious script injection as well and use something like [man]htmlspecialchars/man or [man]htmlentities/man before using nl2br().

daredevil14

I read about SQL Injections... and that they can perfomed with many SQL statements such as : select, update, where, order by...

in general... if i want to protect my db and my site from these injections, what are the general methods to be used ?

what about the eregi(), eregi_replace()... functions ?
what about the htmlspecialchars(), htmlentities()... functions ?
what about that thing which is called : PHP Filtering ?

any help would be appreciated 🙂

laserlight

if i want to protect my db and my site from these injections, what are the general methods to be used ?

There are no "general methods", though generally you would use the appropriate escaping mechanism for your database vendor's brand of SQL, or your database API.

For example, if you use the PDO extension or the MySQLi extension, you would use prepared statements. This would automatically result in the bound variables being escaped.

If you use other extensions and the incoming variable is expected to be an integer, you would cast it to an int.

If you use the MySQL extension, you would use [man]mysql_real_escape_string/man. With the PostgreSQL extension, it would be [man]pg_escape_string/man. The SQLite extension has [man]sqlite_escape_string/man. More generally, you would double single quotes to escape them.

So yes, it depends on what you are using. I suggest just using PDO.

daredevil14

Well i am using MySQL, and yes I always double single quotes....
but using mysql_real_escape_string() is not working with me, see my other topic :

SQL Injection...