R_P


Posts posted by R_P

  1. Hey everyone, for some of you freelancers (especially in the Atlanta area) who are looking for something more permanent: our company Encompass Digital Media (formerly Crawford Communications) has just posted an opening for a full time PHP/web development position to maintain/improve/redevelop current systems and lead the effort developing new ones.

     

    A WAMP-stack background is preferred, but not necessary as long as you know the Apache, MySQL, PHP parts (some jQuery thrown in would be nice too). And unlike most other positions we aren't beholden to a specific framework or CMS (Zend/Cake/Joomla, etc.). It's great experience to have but we're just looking for a good breadth of knowledge and solid coding practices in general.

     

    The position is in-house and the company is in Atlanta. I'm not sure if the company is hiring outside of country/state, but any such questions can be directed to company HR: hrdept@encompass-m.com

     

    Check out the full description and apply online here:

    https://home.eease.adp.com/recruit2/?id=533119&t=1

     

    Cheers and good luck!

  2. Krystof,

     

    This is a MySQL error, not a PHP error. That probably means the code is correct and the query is wrong. My best guess would be to change the lines:

     

    $query .= "WHERE id=" . $news_id ." ";

    $query .= "LIMIT 1";

     

    to:

     

    $query .= "WHERE id='".$news_id ."' ";

    $query .= "LIMIT 1;";

  3. Hey guys,

     

    It's been a while, I know. Used to love coming here to answer people's questions, but work and school have been keeping me too busy to do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL injection attacks, looking at the functions I use to control it:

     

    private $chars = array(
        ";" => "{00sc}", "'" => "{01sq}",
        "!" => "{02ex}", "$" => "{03dl}",
        "%" => "{04pr}", "<" => "{05ls}",
        ">" => "{06gt}", "=" => "{07eq}",
        "&" => "{08an}", "#" => "{09pd}",
        "," => "{10cm}", "/" => "{11fs}",
        "*" => "{12as}", "\\"=> "{13bs}"
    );

    // Not shown in the original post; extract() reads it, so it is assumed
    // here as an empty map so the code runs as written.
    private $depc = array();

    /*
    * Func: inject($str) - aptly named
    * Desc: We'll be the only people doing SQL injection here
    */
    function inject($str) {
        return str_replace(array_keys($this->chars),
            array_values($this->chars), $str);
    }

    /*
    * Func: extract($str)
    * Desc: Opposite of inject
    */
    function extract($str) {
        $str = str_replace(array_values($this->depc),
            array_keys($this->depc), $str);

        return str_replace(array_values($this->chars),
            array_keys($this->chars), $str);
    }

    /*
    * Func: query($query_data)
    * Desc: Make a query on the database (SELECT)
    * Note: If a log directory is defined, we will track queries
    */
    function query($qdata) {
        $result = mysql_query($qdata) or die("<br>Query: " . $qdata . " <br><br>Issue: " . mysql_error());

        // set the condition for the switch statement (first word of the query)
        $c = substr($qdata, 0, strpos($qdata, ' '));

        if($c == "DELETE" || $c == "INSERT" || $c == "UPDATE") {
            if(is_dir($this->cfg['logdir']))
                $this->logLine($qdata, $this->cfg['qlog']);
            return true;
        }
        if(mysql_num_rows($result) == 0)
            return false;

        $array_result = array();   // initialise so the [] append below never hits an undefined variable
        while($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
            $array_result[] = $this->extract($line);
        }
        return $array_result;
    }

    /*
    * Func: iquery($array,$table)
    * Desc: Insert data into the db(using just $_POST)
    */
    function iquery($arr, $table) {
        if(!$dataArr = $this->againstTable($arr, $table))
            return false;
        $n = 1;
        $insertNames = '';    // initialise before the .= concatenations below
        $insertValues = '';
        // Loop to create SQL query
        foreach($dataArr as $key => $value) {
            $insertNames .= (sizeof($dataArr) == $n) ? $key : $key . ",";
            $insertValues .= (sizeof($dataArr) == $n) ? "'" . $value . "'" : "'" . $value . "',";
            $n++;
        }
        $this->query("INSERT INTO " . $table . " (" . $insertNames . ") VALUES (" . $insertValues . ");");
    }
    
    

     

    Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.

     

    Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
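    The following is an added example and is not code from this post or from the author's framework. It shows the alternative that answers both the unquoted "WHERE id=" . $news_id line from the earlier reply and the question above: with PDO bound parameters the SQL text never contains user data, so no character has to be rewritten on the way into the database and restored on the way out, and the protection does not depend on every code path remembering to call inject(). It assumes PHP 7.1 or newer with the pdo_sqlite extension; the table, function names and sample rows are constructed here so it runs offline.

```php
<?php
// Added example, not code from the forum post: the same INSERT / SELECT-by-id
// work done with PDO bound parameters instead of a character-substitution table.
// Assumes PHP 7.1+ with the pdo_sqlite extension; the table and sample rows
// are constructed here so the script runs offline.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Every value travels as a bound parameter: the SQL text never contains user
// data, so nothing is rewritten on the way in or restored on the way out.
function insertNews(PDO $db, string $title, string $body): int {
    $stmt = $db->prepare('INSERT INTO news (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Select by id. The id is validated as an integer and bound as one, which
// covers the unquoted "WHERE id=" . $news_id case without any string quoting.
function findNews(PDO $db, $newsId): ?array {
    if (filter_var($newsId, FILTER_VALIDATE_INT) === false) {
        return null;   // not a plain integer: never reaches the database
    }
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', (int) $newsId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input containing most of the characters the post's
// $chars table rewrites (quote, semicolon, percent, dollar, ampersand, slash, asterisk).
$db = openDb();
$title = "O'Brien's 50% sale; ends 5/1 <today>";
$body  = 'Price: $5 & up, * while supplies last *';
$id = insertNews($db, $title, $body);

$row = findNews($db, $id);
echo ($row !== null && $row['title'] === $title && $row['body'] === $body)
    ? "round trip intact: stored and read back byte-for-byte\n"
    : "round trip changed the data\n";

// A non-integer id is refused before any SQL is built.
echo findNews($db, 'abc') === null ? "non-integer id rejected\n" : "unexpected\n";
```

    Two things this shows that the substitution table does not: the stored text is the real text (another client, a report, or a plain mysql shell reading the table sees O'Brien, not {01sq}), and the integer id path is safe without quoting because the value is typed at the bind, not pasted into the query string.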

  4. Alright. I think I figured it out. The purpose of this is to change the look of the page with the click of a button by changing the path/address of all the images simultaneously. I figured it out though (luckily all my background images were in divs):

     

    var allDivs = document.getElementsByTagName("div");

    for(var j=0; j<allDivs.length; j++){
        if(allDivs[j].style.backgroundImage!="")
            allDivs[j].style.backgroundImage =
                allDivs[j].style.backgroundImage.replace(/path#/,"graphx/images/");
    }

     

    In the future, "graphx/images/" will be a variable, pointing to the folders with similar named (but different) images. Thanks for the ping backs.

  5. Thanks Aaron.

     

    Unfortunately, that is still the one-by-one method I am trying to avoid. I'm looking for something like this:

     

    for(var i=0; i < document.images.length; i++) {
        document.images[i].src="something new";
    }

     

    Unfortunately, that only works with img tags within the document. I'm looking for a similar way to wash over all the background images at once - including those specified in external css files - and avoid using document.all...

  6. Hey fellow freeks,

     

    I just wanted to let you know that my company - Crawford Communications - is looking for multiple PHP developers for multiple projects in part time and full time positions in Atlanta, GA. Unfortunately, they're in-house only. I'm a developer myself and the pay and benefits are pretty good. I'm attaching the descriptions below; you can reach me via gtalk: ryanrodd@gmail.com or AIM: roddzillaGT or email me at rrodd@crawford.com.

     

     

    Duties:

    Development, testing and debugging of web applications using PHP and SQL databases, with front ends written in (X)HTML, CSS and JavaScript.

    Design and create dynamic, web based user interfaces using remote requests (AJAX, JSON)

    Implement and improve workflows for digital assets in a web based content management system.

    Create technical and support documents related to the use of the web content management system.

    Meet project and deliverable deadlines efficiently and satisfy other client requests.

     

    Qualifications:

    Minimum working experience of involvement in at least (2) projects/websites coded in PHP/MySQL.

    Experience coding in a MS/Windows environment and some exposure to web servers (Apache,IIS,FreeBSD).

    Working experience with raster/vector based image editing software (GIMP,Photoshop,Illustrator).

    Good understanding of web design standards and good web coding practices.

    Willingness to expand knowledge and skill set and seek turnkey solutions using novel web technologies.

    Additional Preferences:

    Holds (or in pursuit of) degree in CS or Computational Media field, or equivalent work experience.

    Understanding of principles related of software project management, iterative development, and XP.

    Familiarity with web multimedia including popular image, video and audio formats and media metadata standards (ID3,IPTC,XMP).

    Experience integrating 3rd party solutions with Apache and PHP (ffmpeg, Sox, imagemagick, vlc, etc)

    Experience using remote requests in dynamic web pages and other frameworks (ie JSON, AJAX, jQuery, Flash/Flex).

     

    Look forward to hearing from ya.

     

  7. Fellow Gurus,

     

    I am looking for a way to change the paths of background images using Javascript. I am aware of document.images as a data structure to access images, but does there exist the equivalent for background images? These do not seem to be included in said data structure. If not, does anyone have some good code to change the paths of background images after rendering without doing them one-by-one?

     

    Ryan

  8. Well, I've always considered OOP an additional layer of abstraction using code structure. It offers little/no functionality to the code or page itself, just structure and clarification, modularity and inheritance. It favors large projects where reused code will save a lot of space/coding time. This is important because during actual runtime object oriented PHP code takes longer to execute than flat scripted code which does the same thing.

     

    The argument between OO and procedural is one of those never ending battles between warring CS factions and code developers. The only advice I could give is just never make objects for the sake of making objects.

  9. Thanks steal for the diagnostic. Turning off indexes in apache and removing full path disclosure in php.ini should remedy just about the whole list. As for the chat, in a more evolved version there will be strict checks on i/o.

     

    What I'm worried about right now is that the base functionality works. I'm in the midst of streamlining data throughput so that client-server pings are literally bits. Core functionality is what I'm worried about. So come in and stay a bit. Let me know the response/lagging times. Works best if there's more than a person in the room. Unfortunately users are sparse.

     

  10. You should NEVER force a user to do anything like this - it shouldn't be automated even in an intranet environment.

     

    OK, make it easier by using the javascript but don't do anything that takes control away from the user. One nice touch may be to save the receipt as a pdf and allow them to save it then print - or just print immediately.

     

    While I completely agree with the sentiment, when working in a big-company environment you might not have the choice. If Mr. Big Executive wants his employees to be printing a page when they come to it, then Mr. programmer makes the site print the page. There still could be options/control of the function within the page/applet. Trust me, I've had my share of (and battles against) those kinds of requests too. Although, I'd probably take this one just for the challenge. ;)

  11. Once you send a header specifying an image MIME type to the browser, the only thing that the browser can display is an image! I'm surprised you weren't getting all sorts of errors by doing that. One thing you can consider is creating a separate php file which returns only images and using it as the source in an HTML image tag like so:

     

    <img src="img.php?index=5" alt="">

     

    I generally don't store images in my db tables (although it's perfectly acceptable) but using the example above should allow you to do so.

     

    Good luck.

  12. Using Javascript to open the print dialog for a page is about as far as you can go with JS or any client side program. One possibility might be to create a java applet and implement the PrintObject class which would have the capability of automating a print job. It would still require the user to choose to trust the java applet.

     

    If you're familiar with Java, here is a great code reference:

    http://www.javacommerce.com/displaypage.jsp?name=printcode.sql&id=18252

  13. I actually use a database table and tag route (kind of like IRC flags). Basically, before/as each page is called, it looks up the auth tag for that page name in the db table. If that auth tag exists in the users session auth string, then show the page.

     

    Some pseudo code:

    $result = mysql_query("SELECT auth FROM pages WHERE name='" . mysql_real_escape_string($pageURL) . "'");
    $dbresult = mysql_fetch_assoc($result);   // mysql_query returns a result resource, not a row
    if($dbresult && strstr($_SESSION['auth'], $dbresult['auth'])) {
        include($page);
    }
    

     

    This way, I can assign each user a different set of privileges and page access combos. A default user gets a basic predefined set. I could post my actual code, but it's more convoluted and contains a lot of contingency handling not discussed.
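    The following is an added example and is not the poster's actual code. It carries the same page-tag idea through with a prepared statement for the lookup, an unknown page denied by default, and the session's tags held as a set so the required tag has to match exactly. It assumes PHP 7.1 or newer with the pdo_sqlite extension; the pages table, the session auth string and the function names are constructed here so it runs offline.

```php
<?php
// Added example, not the forum poster's code: per-page authorization tags
// looked up with a bound parameter and matched exactly against the session.
// Assumes PHP 7.1+ with pdo_sqlite; the pages table, the session string and
// the page names below are constructed so the script runs offline.

function openAuthDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (name TEXT PRIMARY KEY, auth TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO pages (name, auth) VALUES (?, ?)');
    foreach ([['index.php', 'user'], ['admin.php', 'admin'], ['reports.php', 'superadmin']] as $p) {
        $stmt->execute($p);   // constructed page -> required tag rows
    }
    return $db;
}

// The session carries a comma-separated "flag" string as in the post; turn it
// into a set (tag => index) so membership is an exact lookup, not a substring search.
function tagsFromSession(string $authString): array {
    return array_flip(array_filter(array_map('trim', explode(',', $authString))));
}

// Look up the tag the page requires with a bound parameter. A page that is
// not registered yields no row and is denied; a registered page is shown only
// when its tag is present, exactly, in the session's set.
function canViewPage(PDO $db, string $pageName, array $sessionTags): bool {
    $stmt = $db->prepare('SELECT auth FROM pages WHERE name = :name');
    $stmt->execute([':name' => $pageName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // deny by default: page not in the table
    }
    return isset($sessionTags[$row['auth']]);
}

$db = openAuthDb();
$tags = tagsFromSession('user,superadmin');   // constructed session value
foreach (['index.php', 'admin.php', 'reports.php', 'missing.php'] as $page) {
    printf("%-12s %s\n", $page, canViewPage($db, $page, $tags) ? 'allow' : 'deny');
}
```

    With the constructed session above, admin.php is denied: the session holds superadmin, not admin. A strstr() over the raw session string would find "admin" inside "superadmin" and grant it, which is the reason the tags are compared as whole set members here.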

  14. Hey guys,

     

    So I often find myself sticking images in a web folder and then having the apache (or IIS) indexes turned on so that my friends can browse through the file names. Not the most effective image gallery, I know. Instead of going through the thousands of open source galleries out there, I decided to create my own; here's what is different about it:

     

    It consists of one file (the index file).

    It does not rely on either flat file or SQL databases.

    Creates thumbnails upon first install and whenever you add new images.

    Thumbnails generator includes real-time progress bar - useful when you have a lot of images.

    *Essentially the image gallery for really lazy (or busy  ;) ) developers

     

    Here's the file:

    http://ryan.crawford.com/gallery.zip

     

    Here's a demo:

    http://ryan.crawford.com/yjfc/flyin07/?v=g

     

    There are a few known bugs and issues. No documentation yet. Feel free to poke around with it and post if you have any questions. Also make sure to tell me your server configuration and the browser(s) you used to test it with.

     

    Thanks!

    Ryan

     

    PS - And keep in mind this is an EARLY RELEASE. It doesn't have near the functionality that I'm planning for it.

  15. Did you let PHP configure your apache file? Sounds like you might be missing the AddType entry for php. That line looks like this:

     

    AddType application/x-httpd-php .php

     

    Usually this tells the server (in addition to the module and PHPIniDir and other configs) to use PHP to execute a .php file. You will have to explain the "not opening regular HTML pages." Is there an error associated with accessing them?

     

  16. Hi there. Assuming you are using virtualhosts to manage multiple domains, specifying an alias will work across all of them. In fact, I am not sure how to limit aliasing to just a single virtualhost. Because you would be aliasing a directory, within your original documentroot, there is no need to specify and configure another directory entry like the example alias does (for icons). Just simply add:

     

    Alias /mail "absolute/path/to/your/directory"

     

    Hope this helps!

     

  17. This is more of a networking issue than Apache. You are getting your router screen because your router is set up to accept port 80 traffic by default (basically it is running a mini webserver too). This means that traffic isn't even getting to your apache server.

     

    See if you have any configuration sections such as "port forwarding" or "port redirecting." My hunch is that you will need to assign your webserver a static (192.168.x.x) IP address (rather than acquisition through DHCP) and then have your router forward port 80 traffic to your server. Unfortunately, with the wide variety of routers and configs out there, this is a tough one to troubleshoot and I'm certainly no networking expert. Make sure you've gone through all the documentation that came with the router to ensure that it's even possible.

     

    Good Luck

  18. The key search words (if I understand the question correctly) relate to hot-linking and bandwidth theft - basically keeping users from directly accessing files from a web folder. It can also act to secure those files (for the most part). From apache.blog-city.com:

     

    You can create or edit your .htaccess file and add:

     

    RewriteEngine On

    RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]

    RewriteCond %{HTTP_REFERER} !^$

    RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

     

    The first line signals Apache to turn on the Rewrite engine. Line two matches any requests from your own mysite.com url. The [NC] code means "No Case", meaning match the url regardless of being in upper or lower case letters. The third line means allow empty referrals. The last line matches any files ending with the extension jpeg, jpg, gif, bmp, or png (you can replace these with your own file types). This will return a 403 Forbidden error.

     

    The premise is that any user who accesses those files must be referred by your website (.php page) or it will deny access to the files. Hope this helps.

     

    Good Luck,

    Ryan

  19. Do you have any network monitoring software that could be monitoring or throttling bandwidth? I.e. Windows Firewall settings, etc? I would suspect that there is another process chained to that port parsing activity. That's my hunch since I have apache 2 running on Windows 2k and Windows 2k3 servers without a problem. Another place you will want to post this question if you haven't already is at apachelounge.com (exclusively for windows-apache users).

     

    Good Luck

  20. What you've typed seems to be a correct configuration. A way you could troubleshoot this is by turning on indexes for that directory and deleting the index file. Apache will then default to showing you a list of files in that directory.

     

    If test.php is listed, you will be able to click on it and view. Any errors then given would be an apache security mis-config. If test.php is not listed then it is a documentroot problem. Even if you do not have PHP and Apache appropriately configured to parse the PHP, you should still see the files.

     

    Good Luck.
