I am an experienced programmer and electronics designer.
Dealt with many different Intel controller hardware items as well as
CP/M and Windows OS.
Programmed in PLM (Intel's language)for controllers.

But now interested in Pi.
So recommendations for advanced hardware appreciated.
Not just the Pi, but other peripherals and hardware (cases etc).
Will probably build many different kinds of projects.

No baby steps please.
Advanced peripherals and hardware please.

Retirement is fun time ! (Or else !)

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Wed, 9 Sep 2020 12:01:57 -0700, Aioli <Aioli@Aioli.com> declaimed the following:

But now interested in Pi.
So recommendations for advanced hardware appreciated.
Not just the Pi, but other peripherals and hardware (cases etc).
Will probably build many different kinds of projects.

Problem is: any reply to your "advanced hardware" and "peripherals" is dependent upon WHAT you are building.

After all -- for someone wanting to replace a Windows desktop... An R-Pi 4B 8GB, an HDMI monitor, USB keyboard & mouse (I'd recommend saving a
USB port by using something like a Logitech "Unifying" wireless keyboard
and mouse), and a USB(3) disk drive (on which one mounts /home, /tmp, /var
and a swap file -- all the stuff that gets lots of changes that would wear
out a uSD card) qualifies, with some box to put the drive and R-Pi into...

For someone trying to build a programmable Christmas tree lighting set, a couple of long strings of NeoPixel LEDs, a big power supply (the LEDs
want power), almost any R-Pi with WiFi, and a case to hold the R-Pi and
power supply -- and an ability to code a simple web server application for controlling the LED sequencer program. Connect to R-Pi over WiFi to access
LED configuration using a browser in a phone or tablet.

If you are doing projects that require measuring analog data (an oscilloscope perhaps) you will need a dedicated multi-port ADC chip (the
R-Pi does not have on-board ADC -- unlike the Beaglebone Black). You may
also want multi-line PWM chips as the R-Pi is a bit limited in that aspect
too (software PWM is rate limited, and CPU heavy)


--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com http://wlfraed.microdiversity.freeddns.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Wed, 09 Sep 2020 12:01:57 -0700, Aioli wrote:

I am an experienced programmer and electronics designer.
Dealt with many different Intel controller hardware items as well as
CP/M and Windows OS.
Programmed in PLM (Intel's language)for controllers.

But now interested in Pi.
So recommendations for advanced hardware appreciated.
Not just the Pi, but other peripherals and hardware (cases etc). Will probably build many different kinds of projects.

No baby steps please.
Advanced peripherals and hardware please.

Retirement is fun time ! (Or else !)

Perhaps you might consider entering PiWars to give some stimulus for
challenges & then how you achieve them is up to you (over-engineering
seems to be re-regueur )

https://piwars.org/



--
[A computer is] like an Old Testament god, with a lot of rules and no
mercy.
-- Joseph Campbell

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 09/09/2020 20:01, Aioli wrote:

I am an experienced programmer and electronics designer.
Dealt with many different Intel controller hardware items as well as
CP/M and Windows OS.
Programmed in PLM (Intel's language)for controllers.

But now interested in Pi.
So recommendations for advanced hardware appreciated.
Not just the Pi, but other peripherals and hardware (cases etc).
Will probably build many different kinds of projects.

No baby steps please.
Advanced peripherals and hardware please.

Retirement is fun time !   (Or else !)

Well I bought a high quality DAC and built myself a hifi internet radio
that also can play any CD I have ripped to my server.

It's controlled by any web browser.

I have a yen to make a weather station as well, one day.

--
“The ultimate result of shielding men from the effects of folly is to
fill the world with fools.”

Herbert Spencer

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

"The Natural Philosopher" <tnp@invalid.invalid> wrote in message news:rjcjf8$kee$1@dont-email.me...

I have a yen to make a weather station as well, one day.

I have a Davis Vantage Vue weather station (a remote sensor unit which
measures wind speed/direction, rainfall amount/rate, outside temperature and humidity) and communicates these to a base station by radio link
(proprietary, not wifi). The base station has a USB output.

I run Cumulus software (free download) on my Pi to log this data, draw
graphs, record the data and any extremes, and upload to a web site.
Previously I ran Cumulus on my Windows PC, which meant leaving it on 24/7; I also used that PC for recording TV. Moving those functions to a Pi means the
PC can be switched off when I'm not using it.

Some time, I will investigate uploading the data to an SQL database on the server so a PHP program can extract and display graphs of specified
parameters over a specified interval of time.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Dennis Lee Bieber <wlfraed@ix.netcom.com> wrote:

On Wed, 9 Sep 2020 12:01:57 -0700, Aioli <Aioli@Aioli.com> declaimed the following:

But now interested in Pi.
So recommendations for advanced hardware appreciated.
Not just the Pi, but other peripherals and hardware (cases etc).
Will probably build many different kinds of projects.

Problem is: any reply to your "advanced hardware" and "peripherals"

is

dependent upon WHAT you are building.

After all -- for someone wanting to replace a Windows desktop... An R-Pi 4B 8GB, an HDMI monitor, USB keyboard & mouse (I'd recommend saving a USB port by using something like a Logitech "Unifying" wireless keyboard
and mouse), and a USB(3) disk drive (on which one mounts /home, /tmp, /var and a swap file -- all the stuff that gets lots of changes that would wear out a uSD card) qualifies, with some box to put the drive and R-Pi into...

For someone trying to build a programmable Christmas tree lighting

set,

a couple of long strings of NeoPixel LEDs, a big power supply (the LEDs
want power), almost any R-Pi with WiFi, and a case to hold the R-Pi and
power supply -- and an ability to code a simple web server application for controlling the LED sequencer program. Connect to R-Pi over WiFi to access LED configuration using a browser in a phone or tablet.

If you are doing projects that require measuring analog data (an oscilloscope perhaps) you will need a dedicated multi-port ADC chip (the
R-Pi does not have on-board ADC -- unlike the Beaglebone Black). You may
also want multi-line PWM chips as the R-Pi is a bit limited in that aspect too (software PWM is rate limited, and CPU heavy)

... and if you want lots of digital and analogue i/o without adding
too many bits and pieces, get a BeagleBone Black! :-)

(I have several Pis and BBBs, horses for courses)

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 10/09/2020 10:55, NY wrote:

"The Natural Philosopher" <tnp@invalid.invalid> wrote in message news:rjcjf8$kee$1@dont-email.me...

I have a yen to make a weather station as well, one day.

I have a Davis Vantage Vue weather station (a remote sensor unit which measures wind speed/direction, rainfall amount/rate, outside temperature
and humidity) and communicates these to a base station by radio link (proprietary, not wifi). The base station has a USB output.

I've got an Oregon Scientific weather station which can communicate with
an Android app via Bluetooth LE. Someone reverse engineered the
protocol, so I can use a Python program on a Pi to download temperature, humidity and pressure readings. I combine these with readings from
Htu21d and BME280 I2C sensors on other Pi's which are around the house
and shed, and log to an SQLite database.

Some time, I will investigate uploading the data to an SQL database on
the server so a PHP program can extract and display graphs of specified parameters over a specified interval of time.

I've got another Pi running nginx web server with uwsgi, so it can use a
Python program (rather than PHP) to retrieve data from the SQL database
and generate HTML+javascript to plot it using Google charts.

It wasn't too difficult to do, I can't really formally release it as
open source as it uses bits of stuff pulled from various other projects,
but I can give you some pointers if you like.

---druck

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Aioli <Aioli@aioli.com> wrote:

But now interested in Pi.
So recommendations for advanced hardware appreciated.

A nuclear power station?
https://makereal.co.uk/work/edf-energy-sentinel/

Theo

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

"druck" <news@druck.org.uk> wrote in message
news:rjd29r$5pj$1@dont-email.me...

On 10/09/2020 10:55, NY wrote:

"The Natural Philosopher" <tnp@invalid.invalid> wrote in message
news:rjcjf8$kee$1@dont-email.me...

I have a yen to make a weather station as well, one day.

I have a Davis Vantage Vue weather station (a remote sensor unit which
measures wind speed/direction, rainfall amount/rate, outside temperature
and humidity) and communicates these to a base station by radio link
(proprietary, not wifi). The base station has a USB output.

I've got an Oregon Scientific weather station which can communicate with
an Android app via Bluetooth LE. Someone reverse engineered the protocol,
so I can use a Python program on a Pi to download temperature, humidity
and pressure readings. I combine these with readings from Htu21d and
BME280 I2C sensors on other Pi's which are around the house and shed, and
log to an SQLite database.

Some time, I will investigate uploading the data to an SQL database on
the server so a PHP program can extract and display graphs of specified
parameters over a specified interval of time.

I've got another Pi running nginx web server with uwsgi, so it can use a Python program (rather than PHP) to retrieve data from the SQL database
and generate HTML+javascript to plot it using Google charts.

Yes the only bit I haven't cracked is running a process on the Pi that
uploads data to the web server (maybe in daily batches, maybe every 10
minutes when a new entry is added to the local log file on the Pi) so as to
add it to the SQL table. Doing it manually is easy enough from cPanel
accessed by web page (LOAD DATA INFILE from a file on the Pi or Windows
PC) - I've done it for a big database of WWI soldiers' details that my
parents gradually add to as they do research, so I save an Excel spreadsheet
as a CSV file, wipe the SQL table of its existing data, and then upload the whole lot again (including additions and changes). It would be nice to find
a way of automating this, preferably so it only uploaded data that it
doesn't already have.

Extracting the data - selected fields between selected dates - and passing
it to Google Charts is easy enough: I can use a variant of the PHP code that
my parents' website uses to extract data, and I've already worked out a specimen Google Chart, though I wonder where I put that code...

It's so we can see graphs over a longer period of time than the last 48
hours that I've configured into Cumulus.

The hosting is on GoDaddy (which I always want to call Big Daddy!).

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Thu, 10 Sep 2020 10:33:01 +0100, Chris Green <cl@isbd.net> declaimed the following:

... and if you want lots of digital and analogue i/o without adding
too many bits and pieces, get a BeagleBone Black! :-)

(I have several Pis and BBBs, horses for courses)

I think I'm up to 6 R-Pi (one running Pi-Star, the other is my HTTP server -- 2@3B, 2@3B+, 4B 2gb, 4B 4gb), only 2 BBB, an BB AI (not
recommended for experimenting unless one is comfortable with
editing/building device tree files -- the BBB has run-time pin-muxing, not
the BB AI).

But I've also got 6 TIVA-C boards, 4 or 5 Arduino, 2 Metro, some ancient BASIC Stamps, and a few Propeller boards.

If you need lots of hardware timers -- the TIVA TM4C123 must be a winner. Six 64-bit and six 32-bit timers -- and each of those can be split
into two half-width timers. ARM M4F core, 12-bit ADC. No OS overhead <G>

In contrast, the Propeller has 8 simple cores, running in lockstep, and NO INTERRUPTS (the idea was that one would dedicate a core just to polling whatever would create an interrupt).


--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com http://wlfraed.microdiversity.freeddns.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Thu, 10 Sep 2020 17:22:55 +0100, NY wrote:

Yes the only bit I haven't cracked is running a process on the Pi that uploads data to the web server (maybe in daily batches, maybe every 10 minutes when a new entry is added to the local log file on the Pi) so as
to add it to the SQL table.

That sounds like a case for using a cron job. See "man cron" for how to
manage crond, the cron daemon, and "man 5 crontab" for how to write a cron
job script.

crond is a daemon process (i.e. started on boot and waits for stuff to
do) that looks for shell scripts to execute, runs any that it finds, and e-mails results and/or errors to the user who submitted the job.

Cron jobs can be run once every hour, day, week or month by putting a
script in the appropriate directory, e.g scripts in /etc/cron.daily are
run once a day, typically somewhat after midnight. In these cases the
script contains details of which user it should be run under and where to
send any data written to stdout or stderr, with the default being to run
it under root and to send output to root.

Jobs with more complex or frequent run timing requirements are put in /etc/cron.d and contain one or more lines, each defining what to run and
when. Here's one of mine:

=====================================================================
#
# getmail is run every 10 minutes
# ===============================
# Results are sent to root
#
SHELL=/bin/bash
MAILTO=root

1,11,21,31,41,51 0-23 * * * root /usr/local/bin/getmail.cronscript

=====================================================================

This uses /bin/bash to run the /usr/local/bin/getmail.cronscript shell
script under the root user and e-mails any output, which would be error reports, to 'root'. It is run every 10 minutes at 1,11.23.31.41 and 51
minutes after the hour.


--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Thu, 10 Sep 2020 20:38:41 +0100, NY wrote:

Yes I'd already identified that cron would be a good way of triggering
the upload. It's a matter of working out what can be run (via cron) at
the Pi which makes a remote web server add data to an SQL database held
on its server, preferably searching for each row of data that is about
to be added to check that it doesn't already have it - to make the
process resilient to temporary outages which would otherwise cause it to
miss data if there was no catchup mechanism.

What, if any, control will you have over the format of data in the email?

I did something similar recently, and ended up using a web page and a bit
of PHP to capture data from the user, which made parsing the message body trivial. Then I modified my mail system so that all mail sent by the web
page ends up in a dedicated user. Its picked up from that user's mail
queue by an overnight cronjob running a chunk of Java that reads the
messages (using the javax.mail classes) and processes them. This doesn't
use a database, but I know that the JDBC classes work well with
PostgreSQL and, of course, there's also the Derby DBMS which interfaces directly with Java applications because its written in Java.

I'll probably write the query-and-display software first, manually
uploading each month's data into the SQL table, and leave the automatic cron-driven uploading with resilience until later.

If you're unfamiliar with awk, that may be worth a look: its a script
language designed for analysing and extracting information from plain
text.


--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

"Martin Gregorie" <martin@mydomain.invalid> wrote in message news:rjdo75$6sa$1@dont-email.me...

On Thu, 10 Sep 2020 17:22:55 +0100, NY wrote:

Yes the only bit I haven't cracked is running a process on the Pi that
uploads data to the web server (maybe in daily batches, maybe every 10
minutes when a new entry is added to the local log file on the Pi) so as
to add it to the SQL table.

That sounds like a case for using a cron job. See "man cron" for how to manage crond, the cron daemon, and "man 5 crontab" for how to write a cron job script.

crond is a daemon process (i.e. started on boot and waits for stuff to
do) that looks for shell scripts to execute, runs any that it finds, and e-mails results and/or errors to the user who submitted the job.

Cron jobs can be run once every hour, day, week or month by putting a
script in the appropriate directory, e.g scripts in /etc/cron.daily are
run once a day, typically somewhat after midnight. In these cases the
script contains details of which user it should be run under and where to send any data written to stdout or stderr, with the default being to run
it under root and to send output to root.

Yes I'd already identified that cron would be a good way of triggering the upload. It's a matter of working out what can be run (via cron) at the Pi
which makes a remote web server add data to an SQL database held on its
server, preferably searching for each row of data that is about to be added
to check that it doesn't already have it - to make the process resilient to temporary outages which would otherwise cause it to miss data if there was
no catchup mechanism.

It's on the "round tuit" list - a nice little refinement to what I can do locally at present by searching the local CSV files that Cumulus creates.


I'll probably write the query-and-display software first, manually uploading each month's data into the SQL table, and leave the automatic cron-driven uploading with resilience until later.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Thu, 10 Sep 2020 20:38:41 +0100, "NY" <me@privacy.invalid> declaimed the following:

Yes I'd already identified that cron would be a good way of triggering the >upload. It's a matter of working out what can be run (via cron) at the Pi >which makes a remote web server add data to an SQL database held on its >server, preferably searching for each row of data that is about to be added >to check that it doesn't already have it - to make the process resilient to >temporary outages which would otherwise cause it to miss data if there was
no catchup mechanism.

Before worrying about the cron job, you need to determine what capabilities the remote site provides.

If you have direct access to the database server itself (with an account/password for the DBMS and suitable privileges for add/delete/update
of records) then you can run a script issuing SQL DML statements meaning
all the checking for duplicates, et al can be done at your end.

BTW "SQL database" is meaningless. SQL is a Query Language, not a database engine. "SQLite" OTOH is a database engine that uses SQL as the
query language -- but practically any relational model database engine uses
SQL as the query language.

If, OTOH, all you have access to is a web server interface, you will be limited to submitting form data and receiving/parsing returned web pages.



--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com http://wlfraed.microdiversity.freeddns.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 10/09/2020 17:22, NY wrote:

Yes the only bit I haven't cracked is running a process on the Pi that uploads data to the web server (maybe in daily batches, maybe every 10 minutes when a new entry is added to the local log file on the Pi) so as to add it to the SQL table. Doing it manually is easy enough from cPanel accessed by web page (LOAD DATA INFILE from a file on the Pi or Windows
PC)

Ah so the database is on the web server. You will have find out what the database is (e.g. MySql), the IP address, and the username and password
to log on to it. You can then use a suitable Python package such as myslq-connector-python which can use that information to get a cursor on
to the db. Its then a case of issuing sql commands, in the same way as
for a local SQL db.

---druck

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Op 10-9-2020 21:38, NY wrote:

Yes I'd already identified that cron would be a good way of triggering
the upload. It's a matter of working out what can be run (via cron) at
the Pi which makes a remote web server add data to an SQL database held
on its server, preferably searching for each row of data that is about

The normal solution for simple webhosting with no outside facing
database, is: make a PHP script on the web server that receives your
data, maybe via a form upload, maybe directly as a query parameter; that processes the data and connects to the database to save it. AKA build
your own API. Make sure you add some sort of login and/or secret key
and/or checksum. Also make sure that you sanitize your input before
throwing it to the db, even if it is just you!

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 10/09/2020 17:22, NY wrote:

Yes the only bit I haven't cracked is running a process on the Pi that uploads data to the web server (maybe in daily batches, maybe every 10 minutes when a new entry is added to the local log file on the Pi) so as to add it to the SQL table. Doing it manually is easy enough from cPanel accessed by web page (LOAD DATA INFILE from a file on the Pi or Windows
PC) - I've done it for a big database of WWI soldiers' details that my parents gradually add to as they do research, so I save an Excel
spreadsheet
as a CSV file, wipe the SQL table of its existing data, and then upload the whole lot again (including additions and changes). It would be nice to find
a way of automating this, preferably so it only uploaded data that it
doesn't already have.

OK, the easy start way for this kind of thing is to create a script that
runs under cron on the Pi.

That will 'push' the data to the web server.

The web servers side is not too hard - simply create a page that takes
form variables so e.g. you can call it with:

http:weather.mysite.com/upload.php?temp=37.2&pressure=987.9....and so on

To upload simply use curl in the cron script. How you read the data and
get it to curl is your problem!

https://davidwalsh.name/curl-post-file


--
“it should be clear by now to everyone that activist environmentalism
(or environmental activism) is becoming a general ideology about humans,
about their freedom, about the relationship between the individual and
the state, and about the manipulation of people under the guise of a
'noble' idea. It is not an honest pursuit of 'sustainable development,'
a matter of elementary environmental protection, or a search for
rational mechanisms designed to achieve a healthy environment. Yet
things do occur that make you shake your head and remind yourself that
you live neither in Joseph Stalin’s Communist era, nor in the Orwellian utopia of 1984.”

Vaclav Klaus

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 10/09/2020 20:38, NY wrote:

Yes I'd already identified that cron would be a good way of triggering
the upload. It's a matter of working out what can be run (via cron) at
the Pi which makes a remote web server add data to an SQL database held
on its server, preferably searching for each row of data that is about
to be added to check that it doesn't already have it - to make the
process resilient to temporary outages which would otherwise cause it to
miss data if there was no catchup mechanism.

As I said, 'curl' will send data to the server, as long as you can get
data to the command line of curl...

server side PHP to access an SQL database is tedious, not hard.

It's on the "round tuit" list - a nice little refinement to what I can
do locally at present by searching the local CSV files that Cumulus
creates.

I'll probably write the query-and-display software first, manually
uploading each month's data into the SQL table, and leave the automatic cron-driven uploading with resilience until later.

Seriously the cron driven stuff is trivial.

And a PHP script to load the data into a database is also pretty damned trivial.

Takes a lot longer to design a pretty UI with knobs on..


--
You can get much farther with a kind word and a gun than you can with a
kind word alone.

Al Capone

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 10/09/2020 22:36, A. Dumas wrote:

Op 10-9-2020 21:38, NY wrote:

Yes I'd already identified that cron would be a good way of triggering
the upload. It's a matter of working out what can be run (via cron) at
the Pi which makes a remote web server add data to an SQL database
held on its server, preferably searching for each row of data that is
about

The normal solution for simple webhosting with no outside facing
database, is: make a PHP script on the web server that receives your
data, maybe via a form upload, maybe directly as a query parameter; that processes the data and connects to the database to save it. AKA build
your own API. Make sure you add some sort of login and/or secret key
and/or checksum. Also make sure that you sanitize your input before
throwing it to the db, even if it is just you!

Amen to all of that.

Here is the core code for updating a very simple MySql database from a
form variables in php

$fields=array( "pressure","temperature",....);
// this defines all the variables you will send as form variables
$query = "insert into data set";
$flag=0;
foreach($fields as $name) //read variables and add to query
{
if($flag) $query .=',';
if(isset($_GET[$name]))
$query.= sprintf(" %s='%s'",$name,$_POST[$name]);
else
$query.= sprintf(" %s='%s'",$name,"");
$flag++;
}
;
// echo $query;
$link=mysqli_connect("localhost", "myuser","mypass","weather");
if($link)
{
mysqli_query($link, $query);
}
mysqli_close($link);

And as for cron,you need to use:

curl myweather.mydomain.com/upload.php?pressure=1005&temperature=37.5&.....

It really is that simple.
Of course there is no data validation done and not much security
there,but that you can add in later on once it actually works

--
The biggest threat to humanity comes from socialism, which has utterly
diverted our attention away from what really matters to our existential survival, to indulging in navel gazing and faux moral investigations
into what the world ought to be, whilst we fail utterly to deal with
what it actually is.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 10/09/2020 21:27, druck wrote:

On 10/09/2020 17:22, NY wrote:

Yes the only bit I haven't cracked is running a process on the Pi that
uploads data to the web server (maybe in daily batches, maybe every 10
minutes when a new entry is added to the local log file on the Pi) so
as to
add it to the SQL table. Doing it manually is easy enough from cPanel
accessed by web page (LOAD DATA INFILE from a file on the Pi or Windows
PC)

Ah so the database is on the web server. You will have find out what the database is (e.g. MySql), the IP address, and the username and password
to log on to it. You can then use a suitable Python package such as myslq-connector-python which can use that information to get a cursor on
to the db. Its then a case of issuing sql commands, in the same way as
for a local SQL db.

---druck

Unlikely to be allowed to connect to DB directly - have to use a web
interface.

Heck I run my own servers and I NEVER expose the mysql server port to
the internet.

Only absolutely specific web pages that update very specific things in a
very defined and validated way.

SQL programming done on the server by a web script custom written for
the job.



--
"When a true genius appears in the world, you may know him by this sign,
that the dunces are all in confederacy against him."

Jonathan Swift.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

The Natural Philosopher wrote:

   $query = "insert into data set";
    $flag=0;
    foreach($fields as $name) //read variables and add to query
        {
        if($flag) $query .=',';
        if(isset($_GET[$name]))
            $query.= sprintf(" %s='%s'",$name,$_POST[$name]);
        else
            $query.= sprintf(" %s='%s'",$name,"");
        $flag++;
        }

<https://xkcd.com/327>

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 11/09/2020 19:50, Andy Burns wrote:

The Natural Philosopher wrote:

     $query = "insert into data set";
     $flag=0;
     foreach($fields as $name) //read variables and add to query
         {
         if($flag) $query .=',';
         if(isset($_GET[$name]))
             $query.= sprintf(" %s='%s'",$name,$_POST[$name]); >>          else
             $query.= sprintf(" %s='%s'",$name,"");
         $flag++;
         }

<https://xkcd.com/327>

funny, but obviously you don't understand sql as the sample code
specifically cannot do that kind of thing.
That is the reason why the SQL command is not passed.
And it is the reason why all the arguments are 'quoted'.


--
“But what a weak barrier is truth when it stands in the way of an hypothesis!”

Mary Wollstonecraft

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

The Natural Philosopher <tnp@invalid.invalid> wrote:

On 11/09/2020 19:50, Andy Burns wrote:

The Natural Philosopher wrote:

     $query = "insert into data set";
     $flag=0;
     foreach($fields as $name) //read variables and add to query
         {
         if($flag) $query .=',';
         if(isset($_GET[$name]))
             $query.= sprintf(" %s='%s'",$name,$_POST[$name]); >>>          else
             $query.= sprintf(" %s='%s'",$name,"");
         $flag++;
         }

<https://xkcd.com/327>

funny, but obviously you don't understand sql as the sample code
specifically cannot do that kind of thing.
That is the reason why the SQL command is not passed.
And it is the reason why all the arguments are 'quoted'.

You mixed up _GET and _POST, there are no sanity checks and you just dump
it in the sql string. What if _POST[$name] starts with '; ? The key is to
use mysqli_real_escape_string($dblink, $strval) or the equivalent for your
db.

Here are some snippets I wrote back in the day, maybe could use corrections
as well? Idk. And I got out before everything turned into classes. Also
this is so old that the mysql extension still existed (as opposed to
mysqli).

if (get_magic_quotes_gpc()) $postdata = stripslashes($postdata);
if ($notags) $postdata = strip_tags($postdata);
if ($collapsewhitespace) {
$postdata = preg_replace('/^\s+/', '', $postdata); // not sure why I didn't use trim()
$postdata = preg_replace('/\s+$/', '', $postdata);
$postdata = preg_replace('/\s+/', ' ', $postdata);
}
$postdata = mb_substr($postdata, 0, $maxlength); // avoid string or field length overflow
if ($nohtml) $postdata = htmlspecialchars($postdata); // tricky; could lead
to double encoding if not careful

$inidata = @parse_ini_file($inifile, TRUE); // load from outside doc root
$ln = @mysql_connect($inidata[$section]['server'], $inidata[$section]['username'], $inidata[$section]['password']);
$db = @mysql_select_db($inidata[$section]['database'], $ln);
@mysql_query("SET NAMES 'utf8mb4' COLLATE 'utf8mb4_unicode_520_ci'", $ln); unset($inidata);
unset($inifile);

if (isset($_SERVER['HTTP_REFERER'])) {
$refer_prev = $_SERVER['HTTP_REFERER'];
$ref = parse_url($refer_prev);
if (strcmp($ref['host'], $_SERVER['HTTP_HOST']))
$err .= 'Request from different host [' . htmlspecialchars($ref['host'])
. '] not accepted.' . "\n";
}

/**
* Insert or update one row in a database table by ID. If ID is positive it
is the
* unique ID of the row to update. If zero, a new row is inserted. If
negative, a new
* row is inserted using INSERT IGNORE (no error message when insertion
fails due to
* key constraints). Data for the insert or update is expected in an associative array
* of key-value pairs: fieldname and unescaped and unquoted fieldvalue. The function either
* returns success of the update, the ID of the newly inserted row, zero if
no row was
* inserted (INSERT IGNORE failure) or FALSE on error.
* @param string $table tablename
* @param integer $id unique ID of row to update or zero for new insertion
or negative for INSERT IGNORE
* @param array $keyvaldata associative array of key-value data
* @return mixed boolean update success, integer insert ID or zero, boolean false
*/
function db_putrow($table, $id, $keyvaldata, $escape = TRUE, $empty2null = TRUE)
{
//check parameter validity
if ( empty($keyvaldata) || !is_array($keyvaldata) || !count($keyvaldata) )
return FALSE;

//check connection
if ( !$ln = db_connect() ) return FALSE;

//implode key-val array to partial SQL statement, escape and quote values
$assign = array();
foreach ( $keyvaldata as $k => $v )
{
if ( $empty2null && !strlen($v) )
$v = 'NULL';
elseif ( $escape && !is_numeric($v) && strcmp('NULL', $v) && !preg_match('/^[A-Z0-9_]+\(.*\)$/', $v) )
$v = "'" . mysql_real_escape_string($v, $ln) . "'";

$assign[] = '`' . $k . '` = ' . $v;
}

$sql = '`' . DB_TABLEPREFIX . $table . '` SET ' . implode(', ', $assign);

if ( $id > 0 ) //update particular row, return update success
{
$sql = 'UPDATE ' . $sql . ' WHERE `id` = ' . $id . ' LIMIT 1';
if ( mysql_query($sql, $ln) )
{
//return number of affected rows or TRUE for successful query
if ( $n = mysql_affected_rows($ln) )
return $n;
else
return TRUE;
}
else
return FALSE;
}
elseif ( $id == 0 ) //insert new row, return new row ID or FALSE on error
{
$sql = 'INSERT INTO ' . $sql;
return mysql_query($sql, $ln) ? mysql_insert_id($ln) : FALSE;
}
else //insert new row (possible duplicate), return new row ID or zero on
failure or FALSE on error
{
$sql = 'INSERT IGNORE INTO ' . $sql;
return mysql_query($sql, $ln) ? (mysql_affected_rows($ln) ? mysql_insert_id($ln) : 0) : FALSE;
}
}

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 12 Sep 2020 05:03:48 GMT
A. Dumas <alexandre@dumas.fr.invalid> wrote:

The Natural Philosopher <tnp@invalid.invalid> wrote:

On 11/09/2020 19:50, Andy Burns wrote:

The Natural Philosopher wrote:

     $query = "insert into data set";
     $flag=0;
     foreach($fields as $name) //read variables and add to query
         {
         if($flag) $query .=',';
         if(isset($_GET[$name]))
             $query.= sprintf("

%s='%s'",$name,$_POST[$name]);

         else
             $query.= sprintf(" %s='%s'",$name,"");
         $flag++;
         }

<https://xkcd.com/327>

funny, but obviously you don't understand sql as the sample code specifically cannot do that kind of thing.
That is the reason why the SQL command is not passed.
And it is the reason why all the arguments are 'quoted'.

That is insufficient protection.

You mixed up _GET and _POST, there are no sanity checks and you just dump
it in the sql string. What if _POST[$name] starts with '; ?

Precisely.

The key is to
use mysqli_real_escape_string($dblink, $strval) or the equivalent for your db.

Doesn't mysql provide prepared statements with placeholders like
sqlite does ? Those are the safest and easiest way to put user date into
SQL.

--
Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 12-09-2020 09:04, Ahem A Rivet's Shot wrote:

Doesn't mysql provide prepared statements with placeholders like
sqlite does ? Those are the safest and easiest way to put user date into
SQL.

I don't know, maybe now it does. What I posted was my way of doing just
that.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 12/09/2020 08:04, Ahem A Rivet's Shot wrote:

On 12 Sep 2020 05:03:48 GMT
A. Dumas <alexandre@dumas.fr.invalid> wrote:

The Natural Philosopher <tnp@invalid.invalid> wrote:

On 11/09/2020 19:50, Andy Burns wrote:

The Natural Philosopher wrote:

     $query = "insert into data set";
     $flag=0;
     foreach($fields as $name) //read variables and add to query >>>>>          {
         if($flag) $query .=',';
         if(isset($_GET[$name]))
             $query.= sprintf(" %s='%s'",$name,$_POST[$name]);
         else
             $query.= sprintf(" %s='%s'",$name,"");
         $flag++;
         }

<https://xkcd.com/327>

funny, but obviously you don't understand sql as the sample code
specifically cannot do that kind of thing.
That is the reason why the SQL command is not passed.
And it is the reason why all the arguments are 'quoted'.

That is insufficient protection.

You mixed up _GET and _POST, there are no sanity checks and you just dump
it in the sql string. What if _POST[$name] starts with '; ?

I adapted it from a POST script

if _POST[$name] starts with '; you will get an sql error whem sql
encounters set field = '';'

Precisely.

wrong

The key is to
use mysqli_real_escape_string($dblink, $strval) or the equivalent for your >> db.

Doesn't mysql provide prepared statements with placeholders like
sqlite does ? Those are the safest and easiest way to put user date into
SQL.

Of course. I was merely illustrating the principle. using https and curl
with a password means the only person sending is your script anyway.

It is unlikely that the NSA would wish to destroy your climate data,
though for sure the eco warriors would want to make it scarier. But they
are crap at everything including SQL.


--
"Anyone who believes that the laws of physics are mere social
conventions is invited to try transgressing those conventions from the
windows of my apartment. (I live on the twenty-first floor.) "

Alan Sokal

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 12/09/2020 09:34, A. Dumas wrote:

On 12-09-2020 09:04, Ahem A Rivet's Shot wrote:

    Doesn't mysql provide prepared statements with placeholders like
sqlite does ? Those are the safest and easiest way to put user date into
SQL.

I don't know, maybe now it does. What I posted was my way of doing just
that.

There are a dozen ways of protecting against data corruption and malware available to any coder who can code and understands te REAL risk (as
opposed to armchair security experts who think the NSA is going to hack
an amateur weather database ..

--
Those who want slavery should have the grace to name it by its proper
name. They must face the full meaning of that which they are advocating
or condoning; the full, exact, specific meaning of collectivism, of its
logical implications, of the principles upon which it is based, and of
the ultimate consequences to which these principles will lead. They must
face it, then decide whether this is what they want or not.

Ayn Rand.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

The Natural Philosopher wrote:

Andy Burns wrote:

The Natural Philosopher wrote:

     $query = "insert into data set";
     $flag=0;
     foreach($fields as $name) //read variables and add to query
         {
         if($flag) $query .=',';
         if(isset($_GET[$name]))
             $query.= sprintf(" %s='%s'",$name,$_POST[$name]); >>>          else
             $query.= sprintf(" %s='%s'",$name,"");
         $flag++;
         }

<https://xkcd.com/327>

funny, but obviously you don't understand sql

I don't claim to specialize in SQL, but I've done my share, however it's
your bugs being discussed not mine.

as the sample code specifically cannot do that kind of thing.

Can I smuggle a single-quote and a semicolon into the $_POST[] array,
so that you concatenate it onto your query string thinking it's merely a
value? Yes I can.

That is the reason why the SQL command is not passed.
And it is the reason why all the arguments are 'quoted'.

If you think those mitigate SQL injection attacks you are badly
mistaken. Your code could use a fixed query string referencing
@variables which are initialised with the values passed.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

The Natural Philosopher wrote:

armchair security experts who think the NSA is going to hack an amateur weather database

Who needs three letter agencies? There are enough bots out there
throwing attacks at every open port they can find to see what happens...

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sat, 12 Sep 2020 11:45:33 +0100, Andy Burns wrote:

If you think those mitigate SQL injection attacks you are badly
mistaken. Your code could use a fixed query string referencing
@variables which are initialised with the values passed.

Is that the same as a prepared statement, as used by JDBC or (IIRC) ODBC interface modules? Prepared statements are designed specifically to
protect your database against injection attacks

If your DBMS supports database procedures, using them is also a good way
to avoid injection attacks.

For private projects I've pretty much standardised on using PostgreSQL
because its very stable and has excellent self-managing capability,
including the ability to handle database changes associated with new
software versions. I always update tables via JDBC using prepared
statements, but tend to retrieve data via views when using less secure
scripted languages, e.g. Perl.


--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 12/09/2020 11:45, Andy Burns wrote:

The Natural Philosopher wrote:

Andy Burns wrote:

The Natural Philosopher wrote:

     $query = "insert into data set";
     $flag=0;
     foreach($fields as $name) //read variables and add to query
         {
         if($flag) $query .=',';
         if(isset($_GET[$name]))
             $query.= sprintf(" %s='%s'",$name,$_POST[$name]);
         else
             $query.= sprintf(" %s='%s'",$name,"");
         $flag++;
         }

<https://xkcd.com/327>

funny, but obviously you don't understand sql

I don't claim to specialize in SQL, but I've done my share, however it's
your bugs being discussed not mine.

as the sample code specifically cannot do that kind of thing.

Can I smuggle a single-quote and a semicolon into the  $_POST[] array,
so that you concatenate it onto your query string thinking it's merely a value?  Yes I can.

no. Try it

That is the reason why the SQL command is not passed.
And it is the reason why all the arguments are 'quoted'.

If you think those mitigate SQL injection attacks you are badly
mistaken.  Your code could use a fixed query string referencing
@variables which are initialised with the values passed.

It could.


--
"Women actually are capable of being far more than the feminists will
let them."

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 12/09/2020 11:55, Andy Burns wrote:

The Natural Philosopher wrote:

armchair security experts who think the NSA is going to hack an
amateur weather database

Who needs three letter agencies?  There are enough bots out there
throwing attacks at every open port they can find to see what happens...

if they are throwing attacks at https ports the internet would stop working


--
"Women actually are capable of being far more than the feminists will
let them."

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

The Natural Philosopher <tnp@invalid.invalid> writes:

Andy Burns wrote:

Can I smuggle a single-quote and a semicolon into the  $_POST[]
array, so that you concatenate it onto your query string thinking
it's merely a value?  Yes I can.

no. Try it

What do you think will stop it?

As far as I can see you have an absolutely standard SQL injection vulnerability.

--
https://www.greenend.org.uk/rjk/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sat, 12 Sep 2020 08:04:27 +0100, Ahem A Rivet's Shot <steveo@eircom.net> declaimed the following:

Doesn't mysql provide prepared statements with placeholders like
sqlite does ? Those are the safest and easiest way to put user date into
SQL.

It does since sometime in v4, but the API is a terror. One has to populate a structure defining what the fields are (including datatypes,
buffer addresses, lengths for strings), invoke separate prepare and execute calls.

The older API, and many of the adapters for scripting languages, relied upon the client end quoting/escaping parameters and sending the command
entire.


--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com http://wlfraed.microdiversity.freeddns.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Den 2020-09-12 kl. 13:35, skrev Martin Gregorie:

Is that the same as a prepared statement, as used by JDBC or (IIRC) ODBC interface modules? Prepared statements are designed specifically to
protect your database against injection attacks

I don't think so. Prepared statement has been around longer than the
web-form. Prepared statements are used if you don't want the database to
create a new execution path every time you execute a statement where
only the parameters are changed. For at least Oracle, it is a way to
keep the statement in the SGA cache. It is all about performance.
That it is safer for webforms may be good - but not the reason it exists

<https://www.postgresql.org/docs/12/sql-prepare.html>
"PREPARE creates a prepared statement. A prepared statement is a
server-side object that can be used to optimize performance."


When I started coding professionally I learned that PREPARE is the way
to go - no concatenating strings to a statement. This was in 1997.
The code base suggest that Sql.Prepare in our sql module had been around
for many years already then.

If your DBMS supports database procedures, using them is also a good way
to avoid injection attacks.

And then you have a hard time to switch database.
Keep business logic in code and traceability in triggers.
At least I find that to be a sound principle.

--
Björn

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sat, 12 Sep 2020 17:31:37 +0200, Björn Lundin wrote:

Den 2020-09-12 kl. 13:35, skrev Martin Gregorie:

Is that the same as a prepared statement, as used by JDBC or (IIRC)
ODBC interface modules? Prepared statements are designed specifically
to protect your database against injection attacks

I don't think so. Prepared statement has been around longer than the web-form. Prepared statements are used if you don't want the database to create a new execution path every time you execute a statement where
only the parameters are changed. For at least Oracle, it is a way to
keep the statement in the SGA cache. It is all about performance.
That it is safer for webforms may be good - but not the reason it exists

<https://www.postgresql.org/docs/12/sql-prepare.html>
"PREPARE creates a prepared statement. A prepared statement is a
server-side object that can be used to optimize performance."

When I started coding professionally I learned that PREPARE is the way
to go - no concatenating strings to a statement. This was in 1997.
The code base suggest that Sql.Prepare in our sql module had been around
for many years already then.

If your DBMS supports database procedures, using them is also a good
way to avoid injection attacks.

And then you have a hard time to switch database.
Keep business logic in code and traceability in triggers.
At least I find that to be a sound principle.

Agreed: I've never used it with a modern DB - I remember using the DEC equivalent, which I seem the remember as about to only way you could
interface the DEC RDBMS from COBOL on a VAX, on the only VAX-based
project I ever worked on. I may also have used the odd database procedure
with Postgres 9 on the small NCR Unix boxes we used to to host ATM
networks, but don't really remember because I did far more work on the
network side of those (X.25, not TCP/IP!).

But, when all you had was a choice between assembling SQL statements with sprintf() statements or using database procedures then you used the
latter if hackery was a possibility.

IIRC the early ODBC modules didn't support prepared statements, but I
might be wrong about that.


--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sat, 12 Sep 2020 11:35:32 -0000 (UTC)
Martin Gregorie <martin@mydomain.invalid> wrote:

If your DBMS supports database procedures, using them is also a good way
to avoid injection attacks.

Also a good way to ensure vendor lock-in.

--
Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Den 2020-09-12 kl. 19:54, skrev Martin Gregorie:

<lots on VAX/VMS snipped>
Interesting, I did not know the VAX thing.
I'm pretty sure we used RDB on VAX before I was employed,
but I'm not sure if they used prepare or not.


My main reason to reply was just to say that I
think performace was the reasson for prepare -
not to prevent injection.

--
Björn

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Den 2020-09-12 kl. 20:47, skrev Ahem A Rivet's Shot:

On Sat, 12 Sep 2020 11:35:32 -0000 (UTC)
Martin Gregorie <martin@mydomain.invalid> wrote:

If your DBMS supports database procedures, using them is also a good way
to avoid injection attacks.

Also a good way to ensure vendor lock-in.

Unless you write a glue layer (which I always do to encapsulate a 3rd
party component - at least on the server side)

Something like (extremely simplified - it is usually a couple of files
per db, with different scope where you set a bind varible compared to
where you use prepare/execute)

pseudo-language:

void Prepare()
switch (db)
{
postgres : {prepare the postgres way, and save pointers to variables}
oracle : {prepare the oracle way, and save pointers to variables}
whatever : {prepare the whatever way, and save pointers to variables}
}

--
Bj�rn

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Mon, 14 Sep 2020 16:37:06 +0200, Björn Lundin wrote:

Den 2020-09-12 kl. 19:54, skrev Martin Gregorie:

<lots on VAX/VMS snipped>
Interesting, I did not know the VAX thing.
I'm pretty sure we used RDB on VAX before I was employed,
but I'm not sure if they used prepare or not.

RDB - That was the name I was trying to remember!

At the time (late -80s, early 90s) the only interface between DEC COBOL
and RDB was a procedure you wrote, using its own language. It provided COBOL-compatible call interfaces and a way to specify the query to RDB -
using a sort of pseudo-English that EC called Structured Query Language, nothing like the semi-mathematical syntax of SQL as we know it.

The DEC SQL module was then compiled and staticlally linked with the
COBOL program that called it.

In short, if you ever used IDMS, which preceded the first Codd's first
RDBMS implementation you'd not miss the similarities between the way that
IDMS and RDB handled the interface to their respective databases.

In the flavour of IDMS (ICL IDMSX on the 2900) I used, the DB Admin used
an IDMS schema preprocessor to generate a COBOL module from the schema.
This provided the interface between your program and the database server.

When you wrote your COBOL application you specified DB access using a set
of COBOL statements that contained IDMS-specific verbs and that accessed
COBOL variables. A second preprocessor converted these statements into compilable COBOL that called the code generated by the IDMS schema
processor. This was a very nice way to do it from the application
programmers viewpoint since all the code he wrote looked exactly like
normal COBOL, though with a few additional verbs.

My main reason to reply was just to say that I think performace was the reason for prepare - not to prevent injection.

Sounds reasonable, and very useful when it also turned out to be a good
way to nullify SQL injection attacks.


--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sat, 12 Sep 2020 17:54:16 +0000, Martin Gregorie wrote:

IIRC the early ODBC modules didn't support prepared statements, but I
might be wrong about that.

Turns out they still don't, while JDBC modules do.


--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Mon, 14 Sep 2020 16:37:06 +0200
Björn Lundin <b.f.lundin@gmail.com> wrote:

My main reason to reply was just to say that I
think performace was the reasson for prepare -
not to prevent injection.

Indeed that was the original reason, but it does prevent injection
very well indeed.

--
Steve O'Hara-Smith | Directable Mirror Arrays C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Tue, 15 Sep 2020 16:42:43 +0200, Björn Lundin wrote:

Den 2020-09-14 kl. 19:37, skrev Martin Gregorie:

On Sat, 12 Sep 2020 17:54:16 +0000, Martin Gregorie wrote:

IIRC the early ODBC modules didn't support prepared statements, but I
might be wrong about that.

Turns out they still don't, while JDBC modules do.

What? I've used ODBC and Prepare since 2012, which was when I ported our
WCS system to MS sqlserver

Here's an unrelated example of it being used as well

<https://www.easysoft.com/developer/languages/c/examples/

DescribeAndBindColumns.html>

My bad - I believed a Wikipedia article, thinking that it was generally reliable in this type of technical topic. I haven't used ODBC since 2001
(that was on a project using the Red Brick DW). Since then all my database-related stuff has been written in Java.


--
Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Den 2020-09-14 kl. 19:37, skrev Martin Gregorie:

On Sat, 12 Sep 2020 17:54:16 +0000, Martin Gregorie wrote:

IIRC the early ODBC modules didn't support prepared statements, but I
might be wrong about that.

Turns out they still don't, while JDBC modules do.

What? I've used ODBC and Prepare since 2012, which was when I ported our
WCS system to MS sqlserver

Here's an unrelated example of it being used as well

<https://www.easysoft.com/developer/languages/c/examples/DescribeAndBindColumns .html>



--
Björn

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)