Everything posted by Drongo_III

  1. Thanks guys. Both of those answers are super helpful! I will give it some thought and figure out which approach suits best.
  2. Hi guys, I'm building a PHP application where users must log in to access a set of private images. The images display as a set of thumbs to the user, which they can click to download the full size image, so I need to read a whole batch of images (500+) from a directory. So I'd like some advice on the best way to: 1) Keep files from being world readable. I know you could probably achieve this using htaccess or storing them outside the document root, but which is best given that I need to read a whole directory with hundreds of images? 2) How to access the images. If it turns out storing the images off the document root is the way to go, what's the most efficient way to read a directory off the doc root and access the individual images (readfile, for instance)? Thanks in advance, Drongo
  3. Hello. This may seem like a silly question, but if you never ask you never know... Let's say I JSON encode a PHP array. When I echo out the encoded JSON string into a JS variable it looks something like this in the resultant markup: var arr = ["cow - Copy (10).jpg","cow - Copy (2).jpg"]; So in this instance the string I've echoed out is equivalent to a JS array and I can use it straight away. My questions: 1) Is it valid to do what I've done above? 2) Since I can use the array right away, is there any need to JSON.parse? 3) When would you use JSON.parse? Thanks, Drongo
  4. SCRATCH THAT! - had a typo... Hi guys, I have another SQL question and I hope someone can help. I'm trying to run a query with two 'IN' statements. The first IN statement is compiled from a sub-query and the second is hard coded (it's from an external list, which is actually much larger than in the example below). I keep getting an SQL error when I run this through phpMyAdmin, but the error isn't giving me much to go on and I'm not even sure if it's valid to run two IN statements in the same query. Any help on how I might achieve the above would be most welcome! Oh, and postNumber is an integer representing posts, but there are some duplicates in the database, hence the DISTINCT query: SELECT * FROM `posts` WHERE `postNumber` IN (SELECT DISTINCT(`postNumber`) FROM `post` WHERE `postYear` >2013) OR `postNumber` IN ('10088','9813','7991') Drongo
  5. I'm still confused. So if I wish to select all records that are like a particular keyword, but in instances where there are multiple records on the same postID only return the highest version number, would I do something like this? SELECT * FROM table t1 WHERE title LIKE '%SOME-TITLE%' AND version = (SELECT MAX(version) FROM table t2 WHERE title LIKE '%SOME-TITLE%'); I don't have the database in front of me at the moment to test it, although I'm not sure I quite understand how to construct the query for what I am trying to achieve.
  6. Hi guys, I have a table which in its shortened form has the following columns: id | postID | title | content | version. The column for postID has a number that can be shared by multiple rows, differentiated by version number. I want to run a query to select all records that are like a given keyword (i.e. %LIKE%), but where results share the same postID I only want to return the highest version number for that record. The difficulty is that some records may have multiple version numbers that match the LIKE statement and some may have only one. So this variance with the LIKE search is causing me some confusion. I've tried this in a few ways using a sub-query, but for the life of me I cannot work out how to do it. Any help would be appreciated, Drongo
  7. Thanks Requqinix - your advice is much appreciated. I will use the OR flag then, to not complicate things. I can't really fix the injection for this XSS attack as it's based on someone appending to a valid URL, so I'm not sure how I'd thwart that. I have another post on here where it's all explained: http://forums.phpfreaks.com/topic/292145-reflected-xss/ I was looking to use the x-content-security-policy header, but I've since read that trying to recognise certain patterns in the URL is also a way to go. How would you recommend getting around an XSS where someone appends something like this to the URL? %22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e?sub=t Sorry btw - don't mean to start covering things from other threads, but as it came up...
  8. Thanks for the reply. So if I did wish to do it all in one line, what is the correct syntax? Also, are you sure that request_uri contains the query string data? It's just that on the Apache website they state for request_uri: The real reason I'm exploring this is a long story, but it has to do with trying to sniff out dodgy URL-encoded data to stop reflected XSS attacks - i.e. through scripts appended to the URL. I've seen fixes for this that all target the query string parameters, but the XSS attack I'm trying to fix doesn't use a query string. So I figured it would be prudent to run a condition on both the query string and the URL. Incidentally this is for a flat PHP website, so there isn't much I can do to protect the URL besides htaccess.
  9. Hi guys, this may be a silly question. Apologies in advance. Let's say I wanted to write a rewrite condition where I need to test both the QUERY_STRING and the REQUEST_URI against the same regex. Is it possible to almost parameterise these in one line? e.g. RewriteCond %{REQUEST_URI, QUERY_STRING} SOME-PATTERN etc. Or would I always have to split these across two lines using the [OR] flag: RewriteCond %{REQUEST_URI} SOME-PATTERN etc. [OR] RewriteCond %{QUERY_STRING} SOME-PATTERN etc. Thanks, Drongo
  10. Hello. It was brought to my attention that my website is susceptible to reflected XSS attacks. I should say that all pages on my site are static PHP. The attack was demonstrated to me by adding the following to the end of a page's URL: %22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e?sub=t For the sake of brevity this adds an image to my page with the onerror event firing the alert. Presumably this can be adapted to incorporate an external script. I've trawled around trying to find a concise checklist of what needs to be done to thwart this type of attack. The only solution I've come upon so far is to use Header set X-Content-Security-Policy "allow 'self'" in the htaccess file and white list all legitimate scripts. My questions: 1) Is using the X-Content-Security-Policy header actually a solid solution for guarding against reflected XSS? 2) What else should be on my checklist of things to do to guard against this specific attack? Any help would be very much appreciated!
  11. I never cease to be impressed by regex and the people who get it. Thank you!
  12. Hi guys, I have a regex conundrum that at first I thought would be very easy but then appears to be quite hard :/ I want to match a string with a regex where the regex can only pass if it contains letters and numbers (nothing else) and it has to contain at least one of each. I've been trying out lookaheads but just can't get it right. Any help is appreciated. Drongo
  13. Hi guys, I have a question about maintaining scope in OOP. I may just be going about it in completely the wrong way, but I'm here to learn. Let's say I have a base class called 'first', set out as per the code below. In the first class there is a method that instantiates another class, called 'second'. This second class extends the first class and I want it to be able to set errors on the first class. The only way I can maintain its scope is to pass $this into the constructor of the second class. My questions are: 1) Is this the right way to maintain scope? 2) Would this be bad practice, and should I explore a different model for setting out these classes? 3) Would it be considered better practice to make $errors a static property? Keen to do things the right way, so any advice is very welcome.

      class first {
          public $errors = array();
          public function __construct(){
              $this->callSecondClass();
              $this->render();
          }
          public function callSecondClass(){
              $t = new second($this);
          }
          public function render(){
              echo "I am rendering errors:";
              print_r($this->errors);
          }
      }
      class second extends first {
          public function __construct($obj){
              $obj->errors[] = 'ERROR FROM SECOND CLASS';
          }
      }
  14. Thanks for the response hopeless. I think maybe I was looking at it incorrectly... So would something like this be correct? /^www.mysite.com[\/]?[a-z\-\_]*(?!php|html|htm)[\?\=\&a-z0-9]*$/ So match the literal URL, an optional forward slash, then match anything that might be a file name (but this is optional), then negative match any of those file extensions, and if they aren't present match something representing a query string (optionally). Does that make sense?
  15. Thanks Kicken that worked perfectly. I need to go away and dissect this now to understand what's going on.
  16. Hi guys, bit stuck on a negative lookahead and not sure that what I want to achieve is possible. Let's say I have a domain: www.mysite.com. I want to have a regex that will match www.mysite.com?q=123&g=34, but I don't want to match any file extensions like .php or .html. So the first part, matching the query string and the literal URL, is fairly straightforward (below), which matches any query string that may be applied: /^www.mysite.com[\/]?[\?\=\&a-z0-9]*$/ But then I want to use a negative lookahead to avoid matching a file extension, e.g. /^www.mysite.com[\/]?[\?\=\&a-z0-9](?!php|html|htm)$/ But this doesn't work - presumably because the negative lookahead is following a character class. So my questions: can you use a negative lookahead in this way? If not, how can I achieve what I'm trying to? Any help appreciated! Drongo
  17. Hi guys, I'm a bit stuck on a query and hoping someone can help. I'm sure this has a really simple solution. Below is a simplified representation of a table and I'm trying to select all of the data, but where there are instances of the same postID I want to only select the row with the highest version number. So for instance in a select all on the table below I would expect to get IDs of 2, 3 and 4.

      id | postID | version
       1 |      2 |       1
       2 |      2 |       2
       3 |      1 |       1
       4 |      3 |       1

      Any help is much appreciated.
  18. Hi guys, thanks for sticking with me whilst I try to grasp what is probably an overwhelmingly simple concept... however... This is what has me confused. Excerpt from the Google page I referenced: So what I don't understand is what's the value that "uniquely identifies a resource..." when you place the following in your htaccess? How does the ETag get its unique identifier? Is it set automatically somehow?

      <Files somefile.css>
          FileETag MTime Size
      </Files>
  19. I would suggest two possibilities: 1) check your include path (get_include_path); 2) could it be that you are returning a relative path?
  20. Thanks jacques. I'm still confused as to how ETags are implemented on a per-resource basis. I realise it can be implemented through htaccess, but how would you define it for a particular resource? Sorry if I am being slow on this, but nothing I read on Google leaves me very enlightened.
  21. Hi guys, I have recently been looking into implementing browser caching after reading this: https://developers.google.com/speed/docs/best-practices/caching There are a few things in that Google article that don't make much sense to me, so I'm hoping someone can clarify. First question: the document says "we recommend that you configure your web server to explicitly set caching headers and apply them to all cacheable static resources". This implies you can set caching headers for just some resources. How would you do this? Let's assume I only wanted to set caching headers for a file styles.css - would I need to output headers within the CSS file and then change the extension to .php? e.g. <link rel="stylesheet" href="styles.php"/> Second question: ETags have me very confused. How would you set ETag headers for specific files, and then generally? And if you set the ETag in the header of the main PHP page, does that mean everything gets cached? Any help someone can provide would be very, very welcome! Drongo
  22. Hello. It sounds like you want to remove an event handler? If so, here are some options: 1) If registering events with jQuery .on(), then you can use jQuery .off() to remove the event temporarily. 2) If you simply wish to stop the event bubbling, then you can use the e.stopPropagation() method, which will stop the bubbling of a child element executing parent element click handlers. Hope that helps - possibly with more clarity I could help more.
  23. The example code below returns the values of the photoFiles array:

      var json = {"status":1,"recId":"PL-17534","collectionDate":"08-04-2014","collectorsName":"asdf","donorsName":"","sciName":"asdf","family":"asdf","comName":"asdf","variety":"","area":"asdf","photoFiles":["1.jpg","internet.jpg"]};
      $.each(json.photoFiles, function(key, val){
          //return '<img src="'+val+'"><br>';
          console.log( '<img src="'+val+'"><br>');
      });

      I'm not sure I fully understand what you are trying to achieve by returning in an anonymous function, but that code works to give you access to each of the values.
  24. A little more research has uncovered the answer. Apparently function declarations are loaded into the execution context before anything else, whereas a function expression is evaluated only when the parser reaches it. Hope that helps anyone else confused by this quandary.
  25. Hi guys, I wonder if someone can explain something that is probably quite basic. When I try to add an event listener and target a normal function this works fine - e.g. window.addEventListener('load', test). However, if I try to target a function that is a property of an object this fails - e.g. window.addEventListener('load', initialiser.init). Further, in this latter case I also get a console log saying it's undefined. The code for this example is below. So my question is: why does it fail onload when I use a function in an object as opposed to a straight function? Presumably it's something to do with the way the document and the code are loaded or initialised, but what is it that makes them behave differently? Thanks, Drongo

      <script>
      //this function call works fine
      //window.addEventListener('load',test);

      //this function call fails and is undefined in console
      window.addEventListener('load',initialiser.init);

      //example object holding a method
      var initialiser = {
          init:function(){
              alert('Init called!');
          }
      };

      //some random function
      function test(){
          alert('test called!');
      }
      </script>
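For post 2 above (keeping the images out of the document root and still serving them through PHP), the following is an added example; it is not code from the thread. It assumes the images live in /var/www/private/images, that the login code sets $_SESSION['user_id'], that the script is saved as image.php, and PHP 7.1 or later; all of those names are placeholders. The part a practitioner cares about is resolveImage(): the file name arrives from the URL, so it is reduced to a basename, checked against a character and extension allow-list, and confirmed with realpath() to still be inside the private directory before readfile() streams it.

```php
<?php
// Added example (not from the forum post): serve private images that live
// outside the document root, after an authentication check.
// Assumptions (all placeholders): images are in /var/www/private/images,
// the login code sets $_SESSION['user_id'], this file is image.php, PHP 7.1+.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/private/images';

// Extensions we are willing to serve, with the MIME type we will send
// (set by us, never derived from anything the client controls).
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Map a client-supplied name to a real file inside IMAGE_DIR, or null.
 * basename() drops any directory part, the character allow-list keeps the
 * name safe to echo in headers and HTML, and realpath() rejects anything
 * (../, symlinks) that resolves outside the private directory.
 */
function resolveImage(string $name): ?string
{
    $name = basename($name);
    if (!preg_match('/^[A-Za-z0-9 ._()-]+$/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** Names of all servable images, for the thumbnail page. */
function listImages(): array
{
    $names = [];
    foreach (new DirectoryIterator(IMAGE_DIR) as $entry) {
        if ($entry->isFile() && resolveImage($entry->getFilename()) !== null) {
            $names[] = $entry->getFilename();
        }
    }
    sort($names);
    return $names;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

if (isset($_GET['file'])) {
    $path = resolveImage((string) $_GET['file']);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED[$ext]);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    if (!empty($_GET['download'])) {          // full-size click: force a download
        header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    }
    readfile($path);   // streams the file; it is not loaded into PHP memory
    exit;
}

// No ?file= given: render the gallery. Thumbs and downloads both come back
// through this script, so every request passes the login check above.
foreach (listImages() as $name) {
    $q = htmlspecialchars(urlencode($name), ENT_QUOTES, 'UTF-8');
    $t = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    echo "<a href=\"image.php?file=$q&amp;download=1\">"
       . "<img src=\"image.php?file=$q\" alt=\"$t\" width=\"120\"></a>\n";
}
```

With the directory outside the document root there is nothing for .htaccess to protect; the web server simply has no URL that maps to those files, and the only route to them is this script, which checks the session first. Hundreds of images are not a problem for readfile(), since each request streams one file and the listing only touches directory entries.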
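For post 3 above (echoing json_encode output into a script block), an added example with constructed file names, not code from the thread. The literal is parsed by the JS engine as an array literal, so JSON.parse is not needed there; JSON.parse is for JSON that arrives as a string at run time (an XMLHttpRequest or fetch response body, localStorage, a data- attribute). What does need attention is that the HTML tokenizer, which knows nothing about JS string syntax, scans the script text before the JS engine sees it, so a file name containing < or > can change the markup. The JSON_HEX_* flags close that gap.

```php
<?php
// Added example (not from the forum post): embedding a PHP array in an
// inline <script> as a JS literal. The file names are constructed sample
// data, including one hostile name to show why the encoding flags matter.
declare(strict_types=1);

/**
 * JSON that is safe to drop straight into a <script> block.
 * JSON_HEX_TAG writes < and > as \u003C and \u003E, so no value can
 * terminate the script element or open a new tag; JSON_HEX_AMP, _APOS
 * and _QUOT do the same for & ' " in case the same string is ever placed
 * inside an HTML attribute (e.g. data-files="..."). The JS engine decodes
 * the \u escapes back to the original characters.
 */
function jsonForScript(array $data): string
{
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

$files = [
    'cow - Copy (10).jpg',
    'cow - Copy (2).jpg',
    '</script><script>alert(1)</script>.jpg',   // hostile, constructed
];

// Default output keeps < and > literally. json_encode does escape "/" as
// "\/", which happens to defuse this particular "</script>", but "<!--"
// and "<script" sequences inside script text are still seen by the HTML
// tokenizer; JSON_HEX_TAG removes the whole class of problem.
echo 'var unsafe = ' . json_encode($files) . ";\n";

// Every < > & ' " is now a \u escape; the resulting literal is still a
// plain JS array, so the page can use arr directly without JSON.parse.
echo 'var arr = ' . jsonForScript($files) . ";\n";
```

The same function is the right one to use when the array goes into an attribute (data-files="<?= htmlspecialchars(jsonForScript($files), ENT_QUOTES, 'UTF-8') ?>"), and in that case the JavaScript side does need JSON.parse, because what it reads from the attribute is a string.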
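For posts 6 and 17 above (highest version per postID, with and without a LIKE filter), an added example that is not from the thread: it seeds an in-memory SQLite database through PDO with the four rows from the post 17 table (titles are constructed so the LIKE variant from post 6 can run) and shows the derived-table join that answers both questions. It assumes the pdo_sqlite extension; the SQL itself runs unchanged on MySQL. The attempt in post 5 compares every row against a single MAX(version) taken over the whole table, which is why it cannot pick a per-postID maximum; the derived table below computes one maximum per postID and the join selects the row that carries it.

```php
<?php
// Added example (not from the forum posts): "highest version per postID",
// run against an in-memory SQLite database seeded with the rows from the
// post 17 table. Titles are constructed so the LIKE variant can be shown.
// Requires the pdo_sqlite extension.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, postID INTEGER, title TEXT, version INTEGER)');

$ins = $db->prepare('INSERT INTO posts (id, postID, title, version) VALUES (?, ?, ?, ?)');
foreach ([
    [1, 2, 'Release notes', 1],
    [2, 2, 'Release notes', 2],
    [3, 1, 'Welcome',       1],
    [4, 3, 'Release plan',  1],
] as $row) {
    $ins->execute($row);
}

/**
 * Latest version of every post (post 17). The derived table m finds the
 * maximum version for each postID; joining back on both columns picks the
 * one row that carries that maximum.
 */
function latestVersions(PDO $db): array
{
    $sql = 'SELECT t.id, t.postID, t.version
            FROM posts t
            JOIN (SELECT postID, MAX(version) AS maxv
                  FROM posts
                  GROUP BY postID) m
              ON m.postID = t.postID AND m.maxv = t.version
            ORDER BY t.id';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Same idea with a keyword filter (post 6). The LIKE goes inside the
 * derived table as well, so "highest version" means highest among the
 * rows that match, which is what the post asks for.
 */
function latestMatching(PDO $db, string $keyword): array
{
    $sql = 'SELECT t.id, t.postID, t.title, t.version
            FROM posts t
            JOIN (SELECT postID, MAX(version) AS maxv
                  FROM posts
                  WHERE title LIKE ?
                  GROUP BY postID) m
              ON m.postID = t.postID AND m.maxv = t.version
            WHERE t.title LIKE ?
            ORDER BY t.id';
    $stmt = $db->prepare($sql);
    // Bind the wildcard-wrapped value; never interpolate it into the SQL.
    $like = '%' . $keyword . '%';
    $stmt->execute([$like, $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(array_column(latestVersions($db), 'id'));
print_r(array_column(latestMatching($db, 'Release'), 'id'));
```

On the post 17 data the first call returns ids 2, 3 and 4, as the post expects; the second returns ids 2 and 4, because id 1 is an older version of the same postID as id 2 and id 3 does not match the keyword. Passing the keyword as a bound parameter also keeps the user's search term out of the SQL text.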
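For posts 7 to 10 above (the reflected XSS triggered by appending to the URL), an added example that is not from the thread. The posts do not show which template line reflects the URL, so the assumption here is the usual one on a static PHP site: $_SERVER['PHP_SELF'] (or REQUEST_URI) echoed into a form action or link. Apache passes extra path segments through to PHP as PATH_INFO, and PHP_SELF includes it, so /contact.php/%22%3E%3Cimg... reaches the template as /contact.php/"><img src=a onerror=alert(1)>6f54e with the quote and tags intact. The fix is output encoding at the point of reflection, not pattern-matching the URL in .htaccess (an encoding variant gets past a blacklist). A Content-Security-Policy header is a useful second layer; note that the standard header is Content-Security-Policy with default-src, and the X-Content-Security-Policy name with its allow directive is the obsolete pre-standard form.

```php
<?php
// Added example (not from the forum posts): the reflection point assumed to
// be behind the attack in post 10, beside its hardened form.
// Assumption: the template echoes $_SERVER['PHP_SELF'] into a form action.
declare(strict_types=1);

// What PHP_SELF contains, URL-decoded, for the URL shown in the post
// (the "?sub=t" part is the query string and is not in PHP_SELF).
$phpSelf = '/contact.php/"><img src=a onerror=alert(1)>6f54e';

// Vulnerable: the value is written into an attribute with no encoding,
// so the attacker's "> ends the attribute and the tag.
function formActionVulnerable(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Encode for the HTML attribute context. ENT_QUOTES covers both quote
// characters; the explicit charset prevents encoding mismatches.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: the same line with encoding applied at the output point.
function formActionHardened(string $phpSelf): string
{
    return '<form action="' . h($phpSelf) . '" method="post">';
}

// Better still for a form that posts back to itself: SCRIPT_NAME carries
// only the script path, never the user-controlled PATH_INFO or query.
function formActionSelf(): string
{
    return '<form action="' . h($_SERVER['SCRIPT_NAME'] ?? '') . '" method="post">';
}

// Defence in depth, sent before any output: a real CSP header. With no
// 'unsafe-inline', an inline onerror= handler is refused by the browser
// even if an encoding is missed somewhere.
function sendCsp(): void
{
    header("Content-Security-Policy: default-src 'self'");
}

echo formActionVulnerable($phpSelf), "\n";
echo formActionHardened($phpSelf), "\n";
```

Checklist for the specific attack in post 10, then: find every echo of PHP_SELF, REQUEST_URI, REQUEST_URI-derived values or query parameters in the templates and wrap each in h() (or switch to SCRIPT_NAME where only the script path is needed); add the Content-Security-Policy header and inventory the site's own inline scripts, which a default-src 'self' policy will also block until they are moved to files; treat the .htaccess regex from post 8 as a noisy extra, not the fix.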
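For posts 12, 14 and 16 above (lookaheads), an added example with constructed test strings, not code from the thread. The patterns in posts 14 and 16 fail for a structural reason: a negative lookahead placed after a quantified class only inspects the position where that class happened to stop, and the class can backtrack to a different stop, so the lookahead never reliably sees the extension (and in post 16 the class cannot consume a dot at all). Putting the lookahead immediately after the host name, where it can scan the whole remainder before anything is consumed, is the usual answer.

```php
<?php
// Added example (not from the forum posts): the two lookahead patterns
// from posts 12 and 16, checked against constructed inputs.
declare(strict_types=1);

/**
 * Post 12: letters and digits only, at least one of each.
 * Each lookahead scans ahead for one required class without consuming
 * anything; the body then restricts the entire string to [a-z0-9].
 */
function isAlnumMixed(string $s): bool
{
    return preg_match('/^(?=.*[a-z])(?=.*[0-9])[a-z0-9]+$/i', $s) === 1;
}

/**
 * Post 16: www.mysite.com with an optional path and query string, but not
 * when the path ends in .php, .html or .htm. The negative lookahead sits
 * right after the host, so it can look across the remaining string instead
 * of just the next few characters.
 */
function isSiteUrlWithoutExtension(string $s): bool
{
    $re = '/^www\.mysite\.com'
        . '(?![^?]*\.(?:php|html?)(?:\?|$))'   // no path ending in .php/.htm/.html
        . '(?:\/[a-z0-9_\-.\/]*)?'              // optional path
        . '(?:\?[a-z0-9=&]*)?$/i';              // optional query string
    return preg_match($re, $s) === 1;
}

$alnumCases = [
    ['abc123', true],
    ['abc',    false],   // no digit
    ['123',    false],   // no letter
    ['ab-12',  false],   // character outside [a-z0-9]
];
foreach ($alnumCases as $case) {
    list($in, $want) = $case;
    printf("%-32s %s\n", $in, isAlnumMixed($in) === $want ? 'ok' : 'MISMATCH');
}

$urlCases = [
    ['www.mysite.com?q=123&g=34',   true],
    ['www.mysite.com/about-us?x=1', true],
    ['www.mysite.com/index.php',    false],
    ['www.mysite.com/page.html?x=1', false],
    ['www.mysite.com/page.htm',     false],
    ['www.mysite.comx',             false],  // host must end cleanly
];
foreach ($urlCases as $case) {
    list($in, $want) = $case;
    printf("%-32s %s\n", $in, isSiteUrlWithoutExtension($in) === $want ? 'ok' : 'MISMATCH');
}
```

The host pattern escapes its dots, which the posted versions did not; an unescaped dot matches any character, so /^www.mysite.com/ also accepts wwwXmysiteYcom.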
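For posts 18, 20 and 21 above (caching headers and ETags for some resources rather than all), an added .htaccess fragment, not from the thread. File names are placeholders, and it assumes mod_headers and mod_expires are enabled and that AllowOverride permits these directives. Headers belong to one response, so a Cache-Control or ETag header sent by the main PHP page says nothing about other resources, and there is no need to rename styles.css to .php. The ETag value is not something you type: Apache computes it from the components named in FileETag (here the file's modification time and size), sends it with the response, and on the next request compares it with the If-None-Match header the browser returns, answering 304 Not Modified when they agree.

```apache
# Added example (not from the forum posts): per-resource cache headers in
# .htaccess. Requires mod_headers and mod_expires; names are placeholders.

# Headers for one specific file only.
<Files "styles.css">
    Header set Cache-Control "public, max-age=604800"
    # ETag built from modification time and size. Leaving INode out matters
    # on more than one server: inode numbers differ per machine, so the same
    # file would get different ETags and never validate.
    FileETag MTime Size
</Files>

# The same policy for every static asset of a type, by MIME type.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg             "access plus 1 month"
    ExpiresByType image/png              "access plus 1 month"
    ExpiresByType text/css               "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
</IfModule>

# Or by file name pattern, for the ETag setting as well.
<FilesMatch "\.(css|js|jpe?g|png|gif)$">
    FileETag MTime Size
</FilesMatch>
```

Everything not covered by these blocks keeps the server defaults, which is exactly the "apply them to some resources" behaviour the Google article describes.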