I think if someone wants to use PHP and MySQL:
- Think about learning PDO
- Think about mysqli
- Use native PHP functions like strip_tags and mysql_real_escape_string, or, if the variable is numeric, just (int) $Foo
NOTE: This answer was originally posted at StackOverflow.com by RadikCH
- Linda answered 12 years ago
You've got two options: escaping the special characters in your unsafe_variable, or using a parameterized query. Both would protect you from SQL injection. The parameterized query is considered the better practice, but escaping characters in your variable will require fewer changes.
We’ll do the simpler string escaping one first.
// Connect (connection code omitted in the original)
$unsafe_variable = $_POST["user-input"];
// Escape quote characters so the value cannot break out of the string literal below
$safe_variable = mysql_real_escape_string($unsafe_variable);
mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
// Disconnect
See also the details of the mysql_real_escape_string function.
To use the parameterized query, you need to use MySQLi rather than the MySQL functions. To rewrite your example, we would need something like the following.
<?php
$mysqli = new mysqli("server", "username", "password", "database_name");
// TODO - Check that connection was successful.
$unsafe_variable = $_POST["user-input"];
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
// TODO check that $stmt creation succeeded
// "s" means the database expects a string
$stmt->bind_param("s", $unsafe_variable);
$stmt->execute();
$stmt->close();
$mysqli->close();
?>
The key function you'll want to read up on there would be mysqli::prepare.
Also, as others have suggested, you may find it useful/easier to step up a layer of abstraction with something like PDO.
Please note that the case you asked about is a fairly simple one, and that more complex cases may require more complex approaches. In particular:
- If you want to alter the structure of the SQL based on user input, parameterised queries are not going to help, and the escaping required is not covered by mysql_real_escape_string. In this kind of case you would be better off passing the user's input through a whitelist to ensure only 'safe' values are allowed through.
- If you use integers from user input in a condition and take the mysql_real_escape_string approach, you will suffer from the problem described by Polynomial in the comments below. This case is trickier because integers would not be surrounded by quotes, so you could deal with it by validating that the user input contains only digits.
- There are likely other cases I'm not aware of. You might find http://webappsec.org/projects/articles/091007.txt a useful resource on some of the more subtle problems you can encounter.
NOTE: This answer was originally posted at StackOverflow.com by Matt Sheppard
- Anthony answered 16 years ago
- last active 12 years ago
You could do something basic like this:
$safe_variable = mysql_real_escape_string($_POST["user-input"]);
mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence and format (numbers, letters, etc.).
NOTE: This answer was originally posted at StackOverflow.com by Tanerax
- Laurie answered 16 years ago
- last active 12 years ago
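As an added example, not part of any of the answers above, here are the three approaches the SQL injection answers discuss side by side: escaping, a parameterised query, and digit-only validation. It runs in Python against an in-memory SQLite database so it works offline; escape() is a simplified stand-in for mysql_real_escape_string (it only doubles single quotes, which is the SQL-standard escape SQLite understands), and the users table and the inputs are constructed for the example. It also covers the unquoted-integer case that Matt Sheppard's answer flags, where escaping cannot help because there is no quote to escape.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def escape(value):
    """Simplified stand-in for mysql_real_escape_string: neutralises quote
    characters inside a quoted string literal, and nothing else."""
    return value.replace("'", "''")


def names_by_id_escaped(conn, user_input):
    """Integer compared without quotes: escaping changes nothing, so
    '1 OR 1=1' is spliced straight into the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = " + escape(user_input) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_by_name_unescaped(conn, user_input):
    """String compared in quotes without escaping: the classic injection."""
    sql = "SELECT name FROM users WHERE name = '" + user_input + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_by_name_escaped(conn, user_input):
    """Same query with the value escaped: the quote can no longer break out."""
    sql = "SELECT name FROM users WHERE name = '" + escape(user_input) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_by_id_param(conn, user_input):
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def names_by_id_validated(conn, user_input):
    """Whitelist validation for the integer case: anything that is not a run of
    digits is rejected before it reaches the database (returns None)."""
    if not re.fullmatch(r"[0-9]+", user_input):
        return None
    return names_by_id_param(conn, int(user_input))


if __name__ == "__main__":
    conn = make_db()
    print(names_by_id_escaped(conn, "1 OR 1=1"))         # ['alice', 'bob', 'carol']
    print(names_by_name_unescaped(conn, "' OR '1'='1"))  # ['alice', 'bob', 'carol']
    print(names_by_name_escaped(conn, "' OR '1'='1"))    # []
    print(names_by_id_param(conn, "1 OR 1=1"))           # []
    print(names_by_id_validated(conn, "1 OR 1=1"))       # None
```

The bound parameter in names_by_id_param never becomes part of the SQL text, so "1 OR 1=1" is compared as a string against the integer column and matches nothing; the validated version rejects it before any query is built, which is the digits-only check the answer recommends.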
mysql> show variables like '%time_zone%';
+------------------+---------------------+
| Variable_name | Value |
+------------------+---------------------+
| system_time_zone | India Standard Time |
| time_zone | Asia/Calcutta |
+------------------+---------------------+
2 rows in set (0.00 sec)
mysql> create table datedemo(
-> mydatetime datetime,
-> mytimestamp timestamp
-> );
Query OK, 0 rows affected (0.05 sec)
mysql> insert into datedemo values ((now()),(now()));
Query OK, 1 row affected (0.02 sec)
mysql> select * from datedemo;
+---------------------+---------------------+
| mydatetime | mytimestamp |
+---------------------+---------------------+
| 2011-08-21 14:11:09 | 2011-08-21 14:11:09 |
+---------------------+---------------------+
1 row in set (0.00 sec)
mysql> set time_zone="america/new_york";
Query OK, 0 rows affected (0.00 sec)
mysql> select * from datedemo;
+---------------------+---------------------+
| mydatetime | mytimestamp |
+---------------------+---------------------+
| 2011-08-21 14:11:09 | 2011-08-21 04:41:09 |
+---------------------+---------------------+
1 row in set (0.00 sec)
The above example shows how the TIMESTAMP data type changed the values after changing the time zone to 'america/new_york', whereas DATETIME is unchanged.
I've converted my answer into an article so more people can find this useful:
http://www.tech-recipes.com/rx/22599/mysql-datetime-vs-timestamp-data-type/
NOTE: This answer was originally posted at StackOverflow.com by Viswanathan Iyer
- Beverly answered 13 years ago
- last active 13 years ago
I'm not sure if it's already been answered, but I found unsurpassed usefulness in TIMESTAMP's ability to auto-update itself based on the current time without the use of unnecessary triggers. That's just me though. Although TIMESTAMP is UTC, as was said, it can keep track across different time zones, so if you need to display a relative time, for instance, UTC time is what you would want.
NOTE: This answer was originally posted at StackOverflow.com by Marc DiMillo
- Kimberly answered 13 years ago
Timestamps in MySQL are generally used to track changes to records, and are updated every time the record is changed. If you want to store a specific value you should use a datetime field.
If you meant that you want to decide between using a UNIX timestamp or a native MySQL datetime field, go with the native format. You can do calculations within MySQL that way ("SELECT DATE_ADD(my_datetime, INTERVAL 1 DAY)"), and it is simple to change the format of the value to a UNIX timestamp ("SELECT UNIX_TIMESTAMP(my_datetime)") when you query the record if you want to operate on it with PHP.
NOTE: This answer was originally posted at StackOverflow.com by blivet
- Pamela answered 16 years ago
- last active 13 years ago
QueryPath is good, but be careful of "tracking state", because if you don't realise what it means, it can mean you waste a lot of debugging time trying to find out what happened and why the code doesn't work.
What it means is that each call on the result set modifies the result set in the object; it's not chainable like in jQuery, where each link is a new set. You have a single set, which is the results from your query, and each function call modifies that single set.
In order to get jQuery-like behaviour, you need to branch before you do a filter/modify-like operation; that means it'll mirror what happens in jQuery much more closely.
$results = qp("div p");
$forename = $results->find("input[name='forename']");
"$results" now contains the result set for "input[name='forename']", NOT the original query "div p". This tripped me up a lot. What I found was that QueryPath tracks the filters and finds and everything which modifies your results and stores them in the object. You need to do this instead:
$forename = $results->branch()->find("input[name='forename']");
Then $results won't be modified and you can reuse the result set again and again. Perhaps somebody with much more knowledge can clear this up a bit, but it's basically like this from what I've found.
NOTE: This answer was originally posted at StackOverflow.com by Christopher Thomas
- Martin answered 13 years ago
Though the question has been answered, I just want to reiterate that salts used for hashing should be random and not something like an email address, as suggested in the first answer.
More explanation is available at http://www.pivotalsecurity.com/blog/password-hashing-salt-should-it-be-random/
Recently I had a discussion about whether password hashes salted with random bits are more secure than ones salted with guessable or known salts. Let's see: if the system storing the password is compromised as well as the system which stores the random salt, the attacker will have access to the hash as well as the salt, so whether the salt is random or not doesn't matter. The attacker can then generate pre-computed rainbow tables to crack the hash. Here comes the interesting part: it is not so trivial to generate pre-computed tables. Let us take the example of the WPA security model. Your WPA password is actually never sent to the wireless access point. Instead, it is hashed with your SSID (the network name, like Linksys, Dlink etc.). A very good explanation of how this works is here. In order to retrieve the password from the hash, you will need to know the password as well as the salt (network name). Church of Wifi has already pre-computed hash tables which cover the top 1000 SSIDs and about 1 million passwords. The size of all the tables is about 40 GB. As you can read on their site, someone used 15 FPGA arrays for 3 days to generate these tables. Assuming the victim is using the SSID "a387csf3" and the password "123456", will it be cracked by those tables? No! It cannot. Even if the password is weak, the tables don't have hashes for SSID a387csf3. This is the beauty of having a random salt. It will deter crackers who thrive upon pre-computed tables. Can it stop a determined hacker? Probably not. But using random salts does provide an additional layer of defense.
While we are on this topic, let us discuss an additional advantage of storing random salts on a separate system.
Scenario #1: Password hashes are stored on system X and the salt values used for hashing are stored on system Y. These salt values are guessable or known (e.g. username).
Scenario #2: Password hashes are stored on system X and the salt values used for hashing are stored on system Y. These salt values are random.
In case system X has been compromised, as you can guess, there is a huge advantage to using random salts on a separate system (Scenario #2). The attacker will need to guess additional values to be able to crack the hashes. If a 32-bit salt is used, 2^32 = 4,294,967,296 (about 4.2 billion) iterations can be required for each password guessed.
NOTE: This answer was originally posted at StackOverflow.com by Gaurav Kumar
- Todd answered 15 years ago
- last active 12 years ago
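An added example, not from the answer above or the article it quotes, of the precomputed-table argument in Python: a table only helps an attacker when the salt is one the table was built for. It uses the WPA/WPA2-Personal derivation the answer describes, PBKDF2-HMAC-SHA1 with the passphrase as key and the SSID as salt, 4096 rounds, 32 bytes of output, which is how the WPA PSK is actually derived; the SSID list and wordlist are tiny constructed stand-ins for the top-1000 SSIDs and one-million-password tables mentioned.

```python
import hashlib
import os

# Constructed stand-ins for the "top SSIDs" and the password wordlist in the post.
COMMON_SSIDS = ["linksys", "dlink", "NETGEAR", "default"]
WORDLIST = ["password", "123456", "letmein", "qwerty", "iloveyou"]


def wpa_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The network name is the salt, so the same passphrase gives a different key per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssids, passwords):
    """Precompute PSK -> (ssid, passphrase) for every combination: built once,
    reused against many captured handshakes."""
    return {wpa_psk(pw, ssid): (ssid, pw) for ssid in ssids for pw in passwords}


def lookup(table, psk):
    """Instant 'crack' if the (salt, password) pair was tabulated, else None."""
    return table.get(psk)


def random_ssid(nbytes=4):
    """A random salt: 8 hex characters no attacker could have tabulated in advance."""
    return os.urandom(nbytes).hex()


if __name__ == "__main__":
    table = build_table(COMMON_SSIDS, WORDLIST)
    # Weak password on a common SSID: found immediately.
    print(lookup(table, wpa_psk("123456", "linksys")))      # ('linksys', '123456')
    # Same weak password, the post's SSID "a387csf3": not in the table.
    print(lookup(table, wpa_psk("123456", "a387csf3")))     # None
    # Same again with a freshly random salt.
    print(lookup(table, wpa_psk("123456", random_ssid())))  # None
```

The table costs len(ssids) * len(passwords) derivations up front and then answers in one dictionary lookup; a salt outside the precomputed set forces the attacker back to computing every candidate for that one salt, which is the extra work the answer is describing.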
PHP has the ability to loop over letters, and it can go beyond single characters; the rest will be done this way: aa, ab, ac... zz, and so on.
Try this:
<?php
for ($i = 'a'; $i !== 'aa'; $i++)
echo "$i\n";
?>
NOTE: This answer was originally posted at StackOverflow.com by James Dantes
- Tom answered 12 years ago
- last active 12 years ago
<?php
$i = 'a';
do {
echo ($j=$i++),"\r\n";
} while (ord($j) < ord($i));
?>
NOTE: This answer was originally posted at StackOverflow.com by Matt H.
- Rose answered 13 years ago
Others already said why PHP doesn't show what you expect; here's how you get the result you might want:
<?php
for ($i = ord('a'); $i <= ord('z'); $i++)
echo chr($i);
?>
NOTE: This answer was originally posted at StackOverflow.com by Filip Ekberg
- Tim answered 14 years ago
WordPress will only prompt you for your FTP connection information while trying to install plugins or a WordPress update if it cannot write to /wp-content directly. Otherwise, if your web server has write access to the necessary files, it will take care of the updates and installation automatically. This method does not require you to have FTP/SFTP or SSH access, but it does require you to have specific file permissions set up on your web server.
It will try various methods in order, and fall back on FTP if the Direct and SSH methods are unavailable.
http://core.trac.wordpress.org/browser/tags/3.1/wp-admin/includes/file.php#L866
WordPress will try to write a temporary file to your /wp-content directory. If this succeeds, it compares the ownership of the file with its own uid, and if there is a match it will allow you to use the 'direct' method of installing plugins, themes, or updates.
Now, if for some reason you do not want to rely on the automatic check for which filesystem method to use, you can define a constant, 'FS_METHOD', in your wp-config.php file that is either 'direct', 'ssh', 'ftpext' or 'ftpsockets', and it will use that method. Keep in mind that if you set this to 'direct' but your web user (the username under which your web server runs) does not have proper write permissions, you will receive an error.
In summary, if you do not want to (or you cannot) change permissions on wp-content so your web server has write permissions, then add this to your wp-config.php file:
define('FS_METHOD', 'direct');
NOTE: This answer was originally posted at StackOverflow.com by stereoscott
- George answered 14 years ago
- last active 12 years ago
If you're on Ubuntu, a quick solution that worked for me is giving ownership to the Apache user (www-data by default), like so:
cd your_wordpress_directory
sudo chown -R www-data wp-content
sudo chmod -R 755 wp-content
NOTE: This answer was originally posted at StackOverflow.com by mikermcneil
- Tracy answered 13 years ago
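An added example, not WordPress's own code (that is at the file.php link in stereoscott's answer), that mimics in Python the 'direct' test the two answers above describe: write a temporary file into wp-content, keep 'direct' only if the write succeeds and the new file's owner matches, otherwise fall back. stereoscott's answer says WordPress compares against its own uid; to stay self-contained this example instead compares against the owner of the wp-content directory, which is an assumption, and it is exactly the condition that the chown to www-data in mikermcneil's answer makes true. The configured argument stands in for FS_METHOD from wp-config.php, and "remote" stands in for the SSH/FTP fallbacks.

```python
import os
import tempfile

FS_METHODS = ("direct", "ssh", "ftpext", "ftpsockets")


def detect_fs_method(content_dir):
    """Mimic the WordPress 'direct' test: create a temp file in content_dir and
    check who owns it. Returns 'direct' on success, otherwise 'remote'
    (standing in for the SSH/FTP fallbacks)."""
    if not os.path.isdir(content_dir):
        return "remote"
    try:
        fd, path = tempfile.mkstemp(prefix="temp-write-test-", dir=content_dir)
    except OSError:
        return "remote"  # cannot write into wp-content at all: direct is out
    try:
        os.close(fd)
        # Assumption for this example: compare the new file's owner with the
        # owner of wp-content (the answer says WordPress compares with its own uid).
        owner_matches = os.stat(path).st_uid == os.stat(content_dir).st_uid
    finally:
        os.unlink(path)  # never leave the probe file behind
    return "direct" if owner_matches else "remote"


def choose_fs_method(content_dir, configured=None):
    """configured plays the role of FS_METHOD in wp-config.php: an explicit,
    valid value wins; anything else falls back to the automatic check."""
    if configured in FS_METHODS:
        return configured
    return detect_fs_method(content_dir)


def self_check():
    """Run the detection against a fresh temp dir (writable and owned by this
    process) and against a path that does not exist; return both results."""
    with tempfile.TemporaryDirectory() as d:
        writable = detect_fs_method(d)
        missing = detect_fs_method(os.path.join(d, "no-such-dir"))
    return writable, missing


if __name__ == "__main__":
    print(self_check())                                      # ('direct', 'remote')
    print(choose_fs_method("/var/www/wp-content", "ftpext"))  # 'ftpext'
```

Setting configured to 'direct' skips the probe entirely, which is why stereoscott's answer warns that a forced 'direct' on a directory the web user cannot write to produces an error rather than a fallback.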
It is possible to use SFTP or SSH to auto-update plugins in WordPress, but you need to have the ssh2 PECL extension. You can find out how to do it using the following tutorial
NOTE: This answer was originally posted at StackOverflow.com by Sudar
- Allen answered 15 years ago
We use SFTP with SSH (on both our dev and live servers) and have tried (not too hard though) to use the WP upload feature. I agree with Toby: upload your plugin(s) to the wp-content/plugins directory and then activate them from there.
NOTE: This answer was originally posted at StackOverflow.com by Schoffelman
- Joyce answered 16 years ago
Given that the question is tagged ASP.NET, I’d recommend looking at N2. It’s an open source CMS, and you have complete control over the HTML output. It runs on .NET 3.5, and can be used with MVC too.
NOTE: This answer was originally posted at StackOverflow.com by harriyott
- Arthur answered 16 years ago
Yes, obviously it's a CMS, among other popular web content management systems like Drupal and Joomla.
It is designed to simplify the publication of web content to web sites and mobile devices, in particular allowing content creators to create, submit and manage content without requiring technical knowledge of any web programming languages or markup languages such as HTML, or the uploading of files.
Kudos to Matt Mullenweg's WordPress; a majority of people across the globe have been given rich means to develop their small-scale sites with ease. And that's the point of a CMS.
NOTE: This answer was originally posted at StackOverflow.com by Kunal Vyas
- Craig answered 14 years ago
I would say WordPress was originally built as a blogging platform, but the underlying architecture made it possible for people to use it as a CMS. Initially, when we started, we only used WordPress as a blog, but now we are using it as the following:
- Blog
- Real Estate Site
- Magazine Layout
- Ecommerce Store
- Coupon Site
And lots of other different needs. WordPress XML-RPC made it easier for us to push data back and forth while creating any PHP application. All the other Mambo Jambos are too complex and only serve as a CMS, whereas in WordPress you can do a lot.
NOTE: This answer was originally posted at StackOverflow.com by Katie
- Chris answered 14 years ago
Sure, WordPress is a CMS by definition; since the last release it has:
- A very flexible system for taxonomies
- A feature for creating new types of post
- A wide community of developers, and plugins that extend its base functionality
But I think that its use should be as a publishing system / editorial system: first, because its plugin system based on filter/action hooks is great for little changes but very tedious for developing large components; then, for example, it does not support a linear template system for the backend; also, managing forms and data input in the page should be revisited.
This is only my opinion.
NOTE: This answer was originally posted at StackOverflow.com by Emiliano M.
- Rick answered 14 years ago
"This took me very little time. Most of the work was in converting ASP forms into PHP and tweaking a theme to fit their design."
That is: your expertise (distinct from the capabilities of a system).
"create/manage pages/posts."
That is: an expression of the extent of your client's use of the system.
I don't use WordPress, but from Google I see that it describes itself as a "Blog Tool and Publishing Platform", and that does seem to fit your client's requirements.
My own choice of CMS (Plone) was informed by the 'roundness' of the software and community, and the degree to which the system truly manages a broad and extensible range of content, without dragging me into system management issues.
Personally, I would not describe WordPress as a CMS. But that’s not a criticism 🙂
NOTE: This answer was originally posted at StackOverflow.com by Graham Perrin
- Anthony answered 16 years ago