This is where a lot of people get confused. Integer is an object type, so the parameter x holds a reference to an object, yet the program still prints 0. Why? Java passes everything by value, references included: the method receives a copy of the caller's reference, not the caller's variable. The assignment “x=1” is autoboxed to “x=Integer.valueOf(1)”, which repoints the method's local copy at a different Integer; the caller's variable still refers to the original object. And since Integer is immutable, there is also no method you could call on x that would change the value inside the object the caller sees.
Fortunately this case is rarely the source of errors, since returning values through parameters is considered bad design anyway.
Although the above code is in Java, you will run into the same behavior with immutable types in C#, unless the parameter is declared ref or out.
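The same puzzle, as an added example that is not code from the original post: Python passes object references by value exactly as Java does, so rebinding a parameter is invisible to the caller, while mutating the object the reference points at is not. The list used as a "mutable holder" is my stand-in for a mutable wrapper class.

```python
# Added illustration (not from the original post). Python, like Java, passes
# object references by value: the callee gets a copy of the reference.
from typing import List


def try_to_set_to_one(x: int) -> None:
    # The analogue of the Java method doing "x = 1": this rebinds the
    # callee's local name only. The caller's variable is untouched.
    x = 1


def set_first_to_one(box: List[int]) -> None:
    # Mutating the object that both references point at is different:
    # the caller sees the change, because no rebinding is involved.
    box[0] = 1


def rebinding_is_invisible_to_caller() -> int:
    value = 0                    # int is immutable, like java.lang.Integer
    try_to_set_to_one(value)
    return value                 # still 0, same as the Java program


def mutation_is_visible_to_caller() -> int:
    holder = [0]                 # stand-in for a mutable wrapper object
    set_first_to_one(holder)
    return holder[0]             # now 1


def set_to_one(x: int) -> int:
    # The idiomatic fix: return the new value instead of trying to
    # smuggle it back out through a parameter.
    return 1


if __name__ == "__main__":
    print(rebinding_is_invisible_to_caller())   # 0
    print(mutation_is_visible_to_caller())      # 1
    print(set_to_one(0))                        # 1
```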
Of course the answer is no, otherwise it wouldn't be a very interesting post. Interning is an attempt to save memory: identical constant values are stored once, and every use of that value, wherever it appears in the application, points at that single memory location. But here's an instance where it doesn't quite work.
The String.Empty field just contains the value “” (it is a static readonly field, not a compile-time constant, and that detail is what makes the difference). So logic would say that every value in the following code would point to the exact same location:
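To show the general mechanism behind the puzzle, here is an added example in Python (not the post's own C# code): a string built at runtime is a different object from an equal compile-time constant, reference identity therefore says "not the same", and only explicit interning unifies them. The lesson carries over to .NET and Java: interning is an optimization, so compare string contents with Equals/==, never with reference identity.

```python
# Added illustration (not from the original post): interning in CPython.
import sys


def make_literal() -> str:
    # A compile-time constant. CPython interns identifier-like string
    # constants, so every evaluation of this line yields the same object.
    return "abab"


def make_at_runtime(n: int) -> str:
    # Built at runtime from a non-constant operand: a fresh object on each
    # call, even though its contents equal the literal above.
    return "ab" * n


def is_same_object(a: str, b: str) -> bool:
    # Reference identity, the analogue of Java == on objects or of
    # .NET Object.ReferenceEquals. It says nothing about contents.
    return a is b


def runtime_string_is_distinct_object() -> bool:
    # Equal contents, different objects: an identity check "fails" here.
    return not is_same_object(make_literal(), make_at_runtime(2))


def contents_are_still_equal() -> bool:
    # Value comparison is what code should use, and it is unaffected.
    return make_literal() == make_at_runtime(2)


def interning_unifies_them() -> bool:
    # sys.intern() returns the canonical object for a given content, so
    # two independently built strings collapse onto one object.
    return is_same_object(sys.intern(make_at_runtime(2)),
                          sys.intern(make_at_runtime(2)))


if __name__ == "__main__":
    print(runtime_string_is_distinct_object())  # True
    print(contents_are_still_equal())           # True
    print(interning_unifies_them())             # True
```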
Early on PHP had no good way to escape values for SQL, and until recently didn't support parameterized queries. As a result a lot of documentation shows queries built by string concatenation without addressing injection at all, and many longtime PHP developers are unaware of the improvements made to prevent this type of attack.
PHP 4.3 introduced mysql_real_escape_string, which escapes the characters (quotes, backslash, NUL, newlines and so on) that would otherwise change the meaning of a string literal in your queries. The link contains examples of how to use the function.
PHP 5 includes the MySQLi (MySQL Improved) extension, which provides a richer API for accessing MySQL. The mysqli_stmt_bind_param function lets you use parameterized (prepared) queries. The link to the function provides an example of how to use them.
Parameterized queries are the safer of the two, and not only in theory. mysql_real_escape_string does its job only when two conditions hold: the escaped value ends up inside a quoted string literal, and the function knows the connection's character set (the escaping is charset-aware, which is why the charset must be selected with mysql_set_charset rather than a SET NAMES query). Drop an escaped value into a numeric context, such as WHERE id = $id with no quotes around it, and the attacker needs no quote character at all, so nothing is escaped and the injection goes straight through. A parameterized query removes that dependency: the query text is sent once, the values travel separately and are never parsed as SQL, whatever characters they contain. The code path is longer, but it is the server's, and its correctness does not hinge on a developer remembering the right quoting at every call site. (The mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7; new code should use mysqli or PDO prepared statements.)
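The quoting-context problem, as an added example that is not from the original post. Python's sqlite3 module stands in for PHP and MySQL so the script runs offline; the escaping helper is a hypothetical stand-in that doubles quotes the way SQLite expects (mysql_real_escape_string backslash-escapes instead, but the argument is identical). The sample user table is constructed for the demo.

```python
# Added illustration (not from the original post): why escaping depends on
# where the value lands, and why binding parameters does not.
import sqlite3

# Constructed sample data: (id, name, is_admin)
USERS = [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)]


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (id integer primary key, name text, is_admin integer)"
    )
    conn.executemany("insert into users values (?, ?, ?)", USERS)
    return conn


def escape_for_string_literal(value: str) -> str:
    # Hypothetical escaping function. SQLite escapes a quote inside a
    # literal by doubling it; MySQL's mysql_real_escape_string uses a
    # backslash. Either way it is only correct INSIDE '...'.
    return value.replace("'", "''")


def lookup_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    # Escaping was applied, but the value lands in a numeric context with
    # no quotes around it: the attacker needs no quote character, so there
    # is nothing to escape and the payload becomes part of the query.
    sql = ("select name from users where id = "
           + escape_for_string_literal(user_id) + " order by id")
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    # Same escaping, but inside a quoted literal: this one holds up.
    sql = ("select name from users where name = '"
           + escape_for_string_literal(name) + "' order by id")
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterized: the value is bound as data. No quoting decision is
    # made at the call site, so there is no context to get wrong.
    sql = "select name from users where id = ? order by id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_by_id_escaped(db, "2 or 1=1"))            # every user leaks
    print(lookup_by_name_escaped(db, "bob' or '1'='1"))    # []
    print(lookup_by_id_param(db, "2 or 1=1"))              # []
    print(lookup_by_id_param(db, "2"))                     # ['bob']
```

The first call is the one that matters: the developer "escaped the input", yet `2 or 1=1` returns the whole table because escaping never touches a payload that contains no quote. The bound parameter is compared as a value, so the same payload simply matches nothing, while a legitimate "2" still finds bob.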
Although they are videos, I found it easy to follow by just letting it play in the background while working on something else. Of course there are many times you must switch over to the video to see the code he’s referring to, so it wouldn’t work well on just an MP3 player.
The following snippet will find “dead time” (i.e. instants at which no event is scheduled) in a database. It checks the second before each start and the second after each end, and reports the instant when no event covers it:
-- one second before each start: dead if no event covers that instant
select distinct dateadd(s, -1, t.starttime) as deadtime, 'start' as boundary
from sometable t
where 0 = (select count(*) from sometable u
           where u.starttime < dateadd(s, -1, t.starttime)
             and u.endtime   > dateadd(s, -1, t.starttime))
union all
-- one second after each end: dead if no event covers that instant
select distinct dateadd(s, 1, t.endtime) as deadtime, 'end' as boundary
from sometable t
where 0 = (select count(*) from sometable u
           where u.starttime < dateadd(s, 1, t.endtime)
             and u.endtime   > dateadd(s, 1, t.endtime))
order by deadtime
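The same query run end to end, as an added example that is not part of the original post. Python's sqlite3 module hosts it so it runs offline: dateadd(s, n, ...) becomes datetime(..., 'n seconds'), the dead-time expression is repeated in the correlated subquery instead of referring to the select-list alias (SQL Server does not allow that in WHERE), and the table, events and timestamps are constructed for the demo.

```python
# Added illustration (not from the original post): the dead-time query
# against a constructed schedule, using SQLite as the database.
import sqlite3
from typing import List, Tuple

# Constructed schedule: two back-to-back events, a lunch gap, then two
# overlapping events. ISO text timestamps compare correctly with < and >.
EVENTS = [
    ("2024-01-15 09:00:00", "2024-01-15 10:00:00"),
    ("2024-01-15 10:00:00", "2024-01-15 11:00:00"),
    ("2024-01-15 12:00:00", "2024-01-15 13:00:00"),
    ("2024-01-15 12:30:00", "2024-01-15 13:30:00"),
]

# The T-SQL dead-time query translated to SQLite.
DEAD_TIME_SQL = """
select distinct datetime(t.starttime, '-1 seconds') as deadtime, 'start' as boundary
from events t
where 0 = (select count(*) from events u
           where u.starttime < datetime(t.starttime, '-1 seconds')
             and u.endtime   > datetime(t.starttime, '-1 seconds'))
union all
select distinct datetime(t.endtime, '+1 seconds') as deadtime, 'end' as boundary
from events t
where 0 = (select count(*) from events u
           where u.starttime < datetime(t.endtime, '+1 seconds')
             and u.endtime   > datetime(t.endtime, '+1 seconds'))
order by deadtime
"""


def fresh_schedule() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table events (starttime text, endtime text)")
    conn.executemany("insert into events values (?, ?)", EVENTS)
    return conn


def find_dead_time(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    # Returns (instant, boundary) pairs. Boundaries that are covered by a
    # neighbouring or overlapping event are filtered out by the subquery,
    # so back-to-back and overlapping events produce no false gaps.
    return conn.execute(DEAD_TIME_SQL).fetchall()


if __name__ == "__main__":
    for instant, boundary in find_dead_time(fresh_schedule()):
        print(instant, boundary)
```

Expected rows: 08:59:59 (before the first event), 11:00:01 and 11:59:59 (either side of the lunch gap) and 13:30:01 (after the last event). The 10:00 and 13:00 boundaries do not appear, because the adjacent and overlapping events cover them.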