doubledee (Members, 1,545 posts)

Posts posted by doubledee

  1. No.

     

    Care to elaborate?

     

    It seems to me that some people have said that the second block of code is more *secure* because it prevents a hacker from injecting a different Form name and routing my website to somewhere it shouldn't go...  (But this note is like 4-6 months old, so my memory is foggy at best?!)

     

     

    Debbie

     

  2. I have a note here in my To-Do List that I am unsure what it means...

     

    If I have a Form that loads back onto itself, I have been using...

     

    <form id="changeEmail" action="" method="post">

     

     

    My note to myself has...

     

    action="<?php echo $_SERVER['SCRIPT_NAME']; ?>"

     

    ...and I am wondering if I'm supposed to replace the former with the latter??  :shrug:

     

    Suggestions?

     

     

    Debbie
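
An added example for the question in the item above (Python, not code from the thread): PHP's $_SERVER['PHP_SELF'] is SCRIPT_NAME with PATH_INFO appended, so anything a visitor tacks onto the URL after the script name ends up in it, while SCRIPT_NAME under the usual Apache/mod_php setup holds only the script path. Either value, like any other request-derived string, has to be HTML-escaped before it goes into an attribute; and in HTML5 an empty action="" submits to the document's own URL, so the original form reflects nothing at all. The environ dict stands in for $_SERVER and the PATH_INFO payload is constructed.

```python
from html import escape


def form_action(environ, source="SCRIPT_NAME", escape_output=True):
    """Path to place in the form's action attribute.

    source="SCRIPT_NAME": the script path only (e.g. /account/change_email.php).
    source="PHP_SELF":    script path plus PATH_INFO, which is what PHP's
                          $_SERVER['PHP_SELF'] holds; the client controls
                          PATH_INFO simply by appending to the URL.
    escape_output=False exists only to show what the unescaped value does.
    """
    path = environ.get("SCRIPT_NAME", "")
    if source == "PHP_SELF":
        path += environ.get("PATH_INFO", "")
    elif source != "SCRIPT_NAME":
        raise ValueError(source)
    return escape(path, quote=True) if escape_output else path


def form_tag(environ, **kwargs):
    """The thread's opening form tag with the action attribute filled in."""
    return '<form id="changeEmail" action="%s" method="post">' % form_action(environ, **kwargs)


def attribute_breakout(tag):
    """True if the action value escaped its quotes.  The tag carries exactly
    three quoted attributes, so a well-formed one contains six quote marks."""
    return tag.count('"') != 6


# Constructed request: the script plus a hostile PATH_INFO that closes the
# attribute and the tag, then opens a new attribute to swallow the rest.
HOSTILE = {
    "SCRIPT_NAME": "/account/change_email.php",
    "PATH_INFO": '/"><script>alert(1)</script><a b="',
}
```

The quote count is a crude check that only works for this one tag; the real fix is the escape call, or not reflecting the path at all.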

     

     

     

  3. doubledee,

     

    I've incorporated some of the security measures you're thinking about in one of my sites in the past, including elements like storing it in a SESSION and comparing it to ensure that it hasn't changed between sessions.  I've learned, however, that this doesn't really provide the level of security you want in a reliable fashion. 

     

    For example, using my example of checking for a changing IP during the same session--it completely destroyed mobile access to the site (which was bad considering it was the trouble ticket system I wrote for my PC repair business and I had difficulties using it in the field with my phone!).  A phone moving from one "cell" to another can get reassigned an IP address in no time flat, so just travelling down the Interstate can cause this check to flag the action and declare a "fail".

     

    Additionally, while I can see your point about ensuring that someone from one IP checking one person's profile a large number of times would be cause for concern, there are a few things to think about here:

    This check won't stop someone from using anonymizer (sp?) services.  One person can look like 20 unlogged people throughout the day because they constantly have a different address.  Additionally, have a chat with your lawyer.  One thing I've learned over time is that when you do something you aren't required to do, when (maybe especially when) the proverbial poop hits the fan, the suing attorneys will not say, "Well, at least you tried."  Instead, they'll say, "You intentionally set up a system so that you could flag occurrences like that man stalking a single profile.  Yet he stalked that profile for three days before he killed my client's daughter and you did nothing about it, although you clearly had the ability to do something."  It sucks, and it's a shame, and I personally think it weakens society, but when you take those extra non-required-by-law steps, it actually puts more of a legal burden on you, not less.

     

    Also, based on the sound of this site, you should keep a sharp eye /ear out for recent developments on the individual state levels about social networking sites (especially dating sites) and state requirements about forcing registered sex offenders to announce themselves within the site and requiring the site owners to do background checks on its members.  Seems to me that if you're designing a site that would cause you pause enough to check if someone is stalking another member's profile, you might be affected by some of these laws that are currently being kicked around committees in different state houses. 

     

    If you want to track IP, go into it knowing that there are very simple ways to defeat it and that any information you glean from it has to be taken with a grain of salt.  It can give you a general idea, but never anything with actionable specific detail. 

     

    All of that to say my $.02 is: No, don't make it fail if you can't get that info.

     

    jcanker,

     

    Some interesting non-PHP comments.

     

    Thanks for your 2-cents!!

     

     

    Debbie
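
jcanker's post above explains why binding a session to one IP address breaks mobile users. The following added example (Python, not code from the thread) shows the softer form of that check: record the address on first use, compare later requests by network rather than by exact address, and log a change instead of failing the request. It also takes the address from REMOTE_ADDR, because X-Forwarded-For is an ordinary header any client can send. The WSGI-style environ dict, the dict session, the trusted_proxies set and the /24 and /64 widths are assumptions of the example, not anything from the post.

```python
import ipaddress
import logging

log = logging.getLogger("session")


def client_ip(environ, trusted_proxies=()):
    """Address to record for a request.

    REMOTE_ADDR is the TCP peer and cannot be chosen by the client.
    X-Forwarded-For is a plain request header, so it is honoured only when
    the peer is a proxy we operate, and then only its last entry, which is
    the one that proxy appended.
    """
    peer = environ["REMOTE_ADDR"]
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if forwarded and peer in trusted_proxies:
        return forwarded.split(",")[-1].strip()
    return peer


def same_network(a, b, v4_prefix=24, v6_prefix=64):
    """True if both addresses fall in the same /24 (IPv4) or /64 (IPv6)."""
    ip_a, ip_b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ip_a.version != ip_b.version:
        return False
    prefix = v4_prefix if ip_a.version == 4 else v6_prefix
    return ip_b in ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)


def check_session(session, environ, trusted_proxies=()):
    """Bind a session to its first address and report later changes.

    Returns "bound" on first use, "ok" when unchanged, "ip-moved" for a new
    address inside the same network and "network-moved" otherwise.  A change
    is logged and the session re-bound; nothing here fails the request,
    because carriers reassign mobile addresses mid-session.  A caller that
    wants more can treat "network-moved" as a reason to ask for the password
    again on sensitive actions, rather than as a reason to drop the session.
    """
    ip = client_ip(environ, trusted_proxies)
    previous = session.get("ip")
    if previous is None:
        session["ip"] = ip
        return "bound"
    if ip == previous:
        return "ok"
    status = "ip-moved" if same_network(previous, ip) else "network-moved"
    log.warning("session %s: %s -> %s (%s)", session.get("id", "?"), previous, ip, status)
    session["ip"] = ip
    return status
```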

     

     

  4. You need to decouple logging an error from displaying an error.  While both fall under the general heading of error handling, they're opposite sides of the process and (as you're now seeing) not necessarily dependent on one another.

     

    You should be able to stick the code that logs the error in a function.  That way, you can log errors without a redirect.  results.php should only serve as an error screen when needed.

     

    I'm sure you are right on all of this, but I'd say this is a Version 3.0 project.  (I'm finishing up v2.0 now)

     

    The risk of me doing something seemingly simple and breaking all of my code would be catastrophic?!

     

     

    Debbie

     

     

  5. To be devil's advocate, why is displaying Anonymous Visitors' IP Addresses a bad idea?

     

     

    Perhaps, but your use case was displaying the last 10 visitors.  With anonymous users there is no real information being provided, as you pointed out.  A fair compromise might be:

     

    4 Anonymous users
    George Washington
    

     

    To do that, I guess I would need two queries, right?

     

    But it sounds like you still don't see any value in displaying how many unique anonymous visitors visited a Member's Profile, huh?

     

     

    Debbie

     

  6. Displaying the IP addresses of visitors is a bad idea.  I personally would remove all Anonymous visitors from that list --- of what value is it?

     

    Just letting you or I get an accurate representation of WHO is visiting our Profiles...

     

    It just seemed like a good idea to me.

     

    Maybe 20 Registered Members visited my Profile.  Okay.  But maybe 200 Non-members are checking me out.  Might be interesting to know...    :shrug:

     

     

    Debbie

     

    Okay, well, your returned $totalVisitors will automatically give you true, assuming that number will never be 0.

     

    Yes, I guess.

     

    But here is the kicker...

     

    (Remember I am a NEWBIE here...)

     

    The way I created my website's error-handling is like this...

     

    		// Check # of Records Returned.
    		if (mysqli_stmt_num_rows($stmt1)==1){
    			// Details Found.
    			// Do something...

    		}else{
    			// Details Not Found.
    			$_SESSION['resultsCode'] = 'DETAILS_NOT_FOUND_2133';

    			// Set Error Source.
    			$_SESSION['errorPage'] = $_SERVER['SCRIPT_NAME'];

    			// Redirect to Display Outcome.
    			header("Location: " . BASE_URL . "/account/results.php");

    			// End script.
    			exit();

    		}

     

    So whenever there is an error, I re-direct to my "results.php" script which logs the error by inserting a record in an Error Table and then I display the Error with possible options to take action like this...

     

    // Details Not Found.
    case 'DETAILS_NOT_FOUND_2133':
    	echo '<h1>Details Not Found</h1>';
    	echo '<p>Your member details could not be displayed due to a System Error.</p>';
    	echo '<p>Please try again. (2133)</p>';
    	echo '<a class="button" href="' . BASE_URL . '/account/my_account.php">Return to My Account</a>';
    	break;
    

     

    I think this system works very well, except for two problems in this case...

     

    1.) My code is not set up to JUST log an error without also displaying an Error-Page

     

    2.) If an insignificant thing like "getVisitorCount()" fails, I do NOT want to redirect to an Error-Page - especially since it was a technical snafu and nothing the User can fix.

     

    I mean I do have a fair amount of Errors that I handle like this...

     

    // Member Not Found.
    case 'EDIT_COMMENT_MEMBER_NOT_FOUND_2310':
    	echo '<h1>System Error</h1>';
    	echo '<p>A Fatal Error has occurred.  Please contact the System Administrator. (2310)</p>';
    	break;
    

     

    ...but that just seems like overkill here?

     

    Maybe that is what I should do?!  :shrug:

     

     

    I do know that I am sure there is a MUCH more sophisticated way of logging errors than what I have, but we all have to start from somewhere, right?!

     

     

    Debbie

     

     

  8. Does your function currently return anything?  I don't see you doing anything with $visitorCount.

     

    Here is my converted Query to Function code...

     

    //****************************************************************************
    function getProfile_TotalVisitors($dbc, $sessMemberID){
    	/**
    	 * Returns Total Unique Visitors to a Member's Profile.
    	 *
    	 * Take logged in Member's ID and determine how many people have visited
    	 * the Member's Profile, including Other Members and Anonymous Visitors.
    	 *
    	 * Written On: 2012-06-27
    	 *
    	 * @param	mysqli		$dbc
    	 * @param	int		$sessMemberID
    	 * @return	string		Formatted count, or '' if the query failed.
    	 */

    	$q1 = "SELECT COUNT(DISTINCT visitor_id) AS total_visitors
    					FROM visitor_log
    					WHERE member_viewed=?";

    	// Prepare statement.
    	$stmt1 = mysqli_prepare($dbc, $q1);

    	// Bind variable to query.
    	mysqli_stmt_bind_param($stmt1, 'i', $sessMemberID);

    	// Execute query.
    	mysqli_stmt_execute($stmt1);

    	// Store results.
    	mysqli_stmt_store_result($stmt1);

    	// Check # of Records Returned.
    	// (An aggregate query always returns exactly one row, so this
    	// branch only fails when the statement itself did not execute.)
    	if (mysqli_stmt_num_rows($stmt1)==1){
    		// Query Succeeded.

    		// Bind result-set to variables.
    		mysqli_stmt_bind_result($stmt1, $totalVisitors);

    		// Fetch record.
    		mysqli_stmt_fetch($stmt1);

    		// Format with thousands separator.  The second argument of
    		// number_format() is the number of decimals, so it must not be ','.
    		$result = number_format($totalVisitors);

    	}else{
    		// Query Failed.
    		$result = '';

    	}

    	mysqli_stmt_close($stmt1);

    	return $result;
    }
    //****************************************************************************

     

     

     

    That said, remember our last conversation about how boolean true can be represented.  Any value that can be represented as a non-zero integer will be true.

     

    Yes, I do recall that.

     

     

    Debbie

     

     

  9. I am using this query to display the "Last 10 Visitors" to a Member's Profile...

     

    $q8 = "SELECT COALESCE(m.username,'Anonymous Visitor') AS username
    		FROM visitor_log AS v
    		LEFT OUTER JOIN member AS m
    		ON m.id = v.visitor_id
    		WHERE v.member_viewed=?
    		ORDER BY v.created_on DESC
    		LIMIT 10";
    

     

     

    The query works just fine except for the fact that if "JoeBlow" or <unknown user> visits my Profile 9 times I get this undesired result-set...

     

    Anonymous
    Anonymous
    Anonymous
    Anonymous
    Anonymous
    Anonymous
    Anonymous
    Anonymous
    Anonymous
    GeorgeWashington

     

     

    Initially, when I saw this issue, I was just going to change things so I got this...

    Anonymous

    GeorgeWashington

     

    But that wouldn't be accurate, since I did have 9 unique Visitors - they just all happen to have the same assigned name which is confusing?!

     

     

    Since I capture everyone's IP Address when they visit a Member's profile, I am thinking it would be more useful to have an output like this for Anonymous Visitors...

     

    Anonymous (75.100.20.1)
    Anonymous (75.100.20.2)
    Anonymous (75.100.20.3)
    Anonymous (75.100.20.4)
    Anonymous (75.100.20.5)
    Anonymous (75.100.20.6)
    Anonymous (75.100.20.7)
    Anonymous (75.100.20.8)
    Anonymous (75.100.20.9)
    GeorgeWashington

     

     

    So, is there some fairly easy way to insert/append the IP Addy to "Anonymous" in my COALESCE statement above??

     

    (I'm not sure if this would be easier to do in PHP or SQL??)

     

    Thanks,

     

     

    Debbie

     

     

  10. True would mean the query (and therefore the function itself) executed correctly and you were able to get the visitor count.  I'm not sure why that would be odd/confusing.  Boolean flags are quite common.

     

    IMO, you should, at the very least, log errors of this nature.

     

    Are you saying the Function would return TRUE + VisitorCount on success?

     

     

    Debbie

     

  11. Why not make the function return true/false, and then redirect to an error screen based on that?

     

    if(!visitorCount()){
        // redirect to error
    }

     

    I don't follow why you would want to return TRUE?

     

    A "visitorCount" of TRUE is meaningless?!  (I can see a "visitorCount" of FALSE, though.)

     

    My bigger question is, "Do I really care or need to handle if my Function and or Query fail??

     

    (I'm not exactly TD AmeriTrade here!!)  *LOL*

     

    The only reason my Function would fail would be a database or server hiccup, and as long as my code handles that "gracefully", I am hoping that is good enough for a value that is mainly "decorative"...

     

    What does everyone else think?!

     

     

    Debbie

     

  12. Below is the standard approach I take to writing my Prepared Statements...

     

    // **********************************
    // Create 'Total Visitors' Dataset.	*
    // **********************************
    $q9 = "SELECT COUNT(DISTINCT visitor_id) AS total_visitors
    		FROM visitor_log
    		WHERE member_viewed=?";

    // Prepare statement.
    $stmt9 = mysqli_prepare($dbc, $q9);

    // Bind variable to query.
    mysqli_stmt_bind_param($stmt9, 'i', $sessMemberID);

    // Execute query.
    mysqli_stmt_execute($stmt9);

    // Store results.
    mysqli_stmt_store_result($stmt9);

    // Check # of Records Returned.
    if (mysqli_stmt_num_rows($stmt9)==1){
    	// Query Succeeded.

    	// Bind result-set to variables.
    	mysqli_stmt_bind_result($stmt9, $visitorCount);

    	// Fetch record (bind_result alone does not populate $visitorCount).
    	mysqli_stmt_fetch($stmt9);

    }else{
    	// Query Failed.
    	// Do Nothing...

    }//End of CREATE TOTAL VISITORS DATASET


     

     

    In the // Check # of Records Returned. section, normally on a SELECT query I would check if (mysqli_stmt_num_rows($stmt9)>0), and if records are returned (THEN) I would assign the results to variables (ELSE) I would re-direct to an Error-Page.

     

    But since my query uses a Function, I'm not sure how to tweak my code?  :shrug:

     

    - Do I just assume that it runs successfully?

     

    - Is the way I modified things okay?  (In this particular case, I don't want to display an error if the query fails, because that would mean my entire "profile.php" page gets re-routed to an error page for something that is really non-fatal).

     

    - I guess on the ELSE, I should probably do $visitorCount=''; or $visitorCount=0;

     

    What do you think?!

     

     

    Debbie

     

     

  13. If you keep saying you like the way mikosiko did it why didn't you do it that way?

     

    Please re-read what has been said (and done) in this thread.

     

    I said I liked this query best and I am using it...

     

    SELECT IF(v.visitor_id=0,'Anonymous',m.username) AS username
      FROM visitor_log AS v
           LEFT JOIN member AS m ON m.id=v.visitor_id
      WHERE v.member_viewed=19;
    

     

     

    Debbie

     

  14. id member_viewed visitor_id

     

    The visitor_id should be 0, not the id.

     

    No, in the Member (lookup) table you would need id=0 so when you have a visitor_id=0 it maps to that Member record.

     

    See?

     

    But like I said, I liked mikosiko's query solution the best.

     

     

    Debbie

     

     

  15. I have a table which keeps track of every visit by other people, like this...

     

     

    visitor_id
    ----------
    1
    1
    1
    2
    3
    2

     

     

    If I just did a COUNT, it would yield 6, but I want to get back that 3 unique people visited Debbie's Profile, if you follow me?!

     

    How do I do that in SQL?

     

    Thanks,

     

     

    Debbie

     

     

  16. MySQL complained when I tried to INSERT a record with an id=0 and instead gave it a "37"

     

    I did an edit and it took the "0" on the second attempt.

     

    It just feels hokey having a record with "0", "Anonymous" and a bunch of NULLs in this pseudo record...

     

    Personally, I like your query idea better...

     

     

    Debbie

     

     

  17. an alternative

    SELECT IF(v.visitor_id=0,'Anonymous',m.username) AS username
      FROM visitor_log AS v
           LEFT JOIN member AS m ON m.id=v.visitor_id
      WHERE v.member_viewed=19;

     

    Why did you switch to a LEFT JOIN??

     

     

    to me your #1 is a more reasonable option in case down the road you want to change the 'Anonymous...' text to something else... that way you will need to make the change in just one place

     

    Because if I did it the first way you showed, then if I changed what "0" represents, I would need to re-run the query for all people for the change to show, right?

     

     

    Debbie

     

  18. I hooked up Google Analytics to my website about a year ago, and have personally NOT been that impressed.  (The Analytics package I pay for from GoDaddy is more informative than Google Analytics, or at least the free one I am using...)

     

    Your host will always have access to more information than Google running its scripts on your pages. They probably use the raw access logs.

     

    I don't have both in front of me, but what I like more about GoDaddy is that it tells me things like...

     

    - Who visited my website

    - Each visitor's IP addy

    - Time on Site

    - Time on each Page

    - Where they came from

    - Keyword Search

     

     

    The main thing I recall about the free Google Analytics I am using is all of this crap about Keyword Ranks and other stuff that makes no sense to me?!

     

    If I used an image of a "Fuzzy Baby Chick" I don't care if the world is searching for "Fuzzy Baby Chicks"?!

     

    I care about people searching for Topics/Content on MY website.

     

    I'm sure this is a much more complex topic than either of us are talking about, but at first impression, I personally think GoDaddy gives me more useful info for about $5/month.

     

     

    Google Analytics is free, unless you want premium features. See

    http://www.google.com/analytics/premium/index.html

     

    I'll check that out after supper!

     

     

    Google Analytics is used by 57% of the 10,000 most popular websites (as ranked by Alexa Internet)

     

    Must be the "premium" one, because the free one is lame...

     

     

    If you're not impressed, by all means, create your own solution. If your host is already logging these details though, I don't see why you need to collect it again in your scripts.

     

    Well, the context of what started this was me wanting to track Who/What/Where for *security* reasons, and not for Marketing reasons.

     

    I figure it can never hurt to capture a person's IP when they register or do other important things like send a PM or Checkout, but that is just me?!

     

     

    Debbie

     

  19. Hmmm... How to explain this?!  :confused:

     

    I am trying to add a feature to my website which displays the "Last 10 Visitors" to a Member's Profile.

     

    I have a "visitor_log" table with these fields and data...

     

    id  member_viewed  visitor_id  ip         hostname   created_on           updated_on
    1   19             0           127.0.0.1  localhost  2012-06-26 17:38:14  NULL
    2   19             20          127.0.0.1  localhost  2012-06-26 17:40:07  NULL
    3   19             21          127.0.0.1  localhost  2012-06-26 17:40:17  NULL
    4   19             25          127.0.0.1  localhost  2012-06-26 17:40:29  NULL
    

     

     

    And here is my query...

    SELECT m.username
    FROM member AS m
    INNER JOIN visitor_log AS v
    ON m.id=v.visitor_id
    WHERE v.member_viewed=19

     

     

    The problem is that there is no record in the Member table for "0" but I want "Anonymous Visitor" to appear in my query result-set so the Member can see any non-Members that visited as well.

     

     

    What is the best way to do that?

     

    1.) I could create a "filler record" in my Member table with an id=0 but that doesn't seem like a good idea?!

     

    2.) I could stick the value in with PHP, but that doesn't seem like a good approach either when I want the label "Anonymous Visitor" to show up in the database result-set!

     

    3.) Maybe there is some way to get my SQL to swap in "Anonymous Visitor" when it sees a "0" ??

     

    4.) I suppose I could also display the Anonymous Visitor's IP Address in lieu of a "Username", so I would be open to that idea too.

     

    Some help is needed on this one!!

     

    Thanks,

     

     

    Debbie

     

     

    All of that information should already be stored in your apache log files.  With the exception of hostname though.

     

    I do agree with xyph though.  Google Analytics is where it's at.  They even have a feature now that will show you a live feed of who is doing what on your website... live!

     

    Is that free?

     

    I hooked up Google Analytics to my website about a year ago, and have personally NOT been that impressed.  (The Analytics package I pay for from GoDaddy is more informative than Google Analytics, or at least the free one I am using...)

     

     

    Debbie

     

     

  21. Sounds like people's comments in the PHP Manual sort of advise against using gethostbyaddr().

     

    I just remembered that one reason I wanted to capture IP and Hostname is for all of the Visitors visiting someone's Profile who do not have accounts on my site or aren't logged in.

     

    It seems important to me to know that someone at 58.44.1.150 is constantly checking out one of my Member's Profile...

     

    (Having the Hostname would just be a bonus.)

     

     

    Debbie
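
The visitor_log queries discussed in items 5, 9, 13, 15, 17, 19 and 21 above, run against SQLite with constructed data as an added example (not code from the thread). Table and column names follow the posts, anonymous visitors are stored with visitor_id 0 as in the thread, and the row data is made up. The hostname column is left out: a reverse lookup returns whatever PTR record the holder of the address chose to publish, so it adds nothing the address itself does not already say.

```python
import sqlite3

# Constructed sample data (RFC 5737 test addresses): member 19's profile was
# viewed once by member 20 and nine times by anonymous visitors from three
# addresses, one of which came back seven times.
MEMBERS = [(19, "Debbie"), (20, "GeorgeWashington")]
VISITS = [(19, 20, "203.0.113.10", "2012-06-26 17:40:07")]
VISITS += [(19, 0, "198.51.100.7", "2012-06-26 18:%02d:00" % m) for m in range(7)]
VISITS += [(19, 0, "198.51.100.8", "2012-06-26 18:07:00"),
           (19, 0, "198.51.100.9", "2012-06-26 18:08:00")]


def build_db():
    """In-memory SQLite copy of the thread's two tables, filled with VISITS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
        CREATE TABLE visitor_log (
            id            INTEGER PRIMARY KEY AUTOINCREMENT,
            member_viewed INTEGER NOT NULL,
            visitor_id    INTEGER NOT NULL,   -- 0 when the viewer is not logged in
            ip            TEXT    NOT NULL,
            created_on    TEXT    NOT NULL);
    """)
    conn.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    conn.executemany("INSERT INTO visitor_log (member_viewed, visitor_id, ip, created_on)"
                     " VALUES (?, ?, ?, ?)", VISITS)
    return conn


def unique_visitors(conn, member_id, anonymous_by_ip=False):
    """Item 15: COUNT(DISTINCT ...) counts visitors, not page loads.

    All anonymous rows share visitor_id 0, so the plain count treats them as
    one visitor.  With anonymous_by_ip each distinct anonymous address counts
    once instead; an approximation, since NAT merges people behind one
    address and anonymizers spread one person over many.  The key expression
    is one of two fixed strings, never request data.
    """
    key = ("CASE WHEN visitor_id = 0 THEN 'ip:' || ip ELSE 'id:' || visitor_id END"
           if anonymous_by_ip else "visitor_id")
    row = conn.execute(f"SELECT COUNT(DISTINCT {key}) FROM visitor_log"
                       " WHERE member_viewed = ?", (member_id,)).fetchone()
    return row[0]


def recent_rows(conn, member_id, limit=10):
    """Items 9 and 19: LEFT JOIN keeps visits with no member row and COALESCE
    labels them.  The address comes back as its own column so each caller
    decides whether to show it; id is the tie-breaker because created_on
    has one-second resolution."""
    return conn.execute("""
        SELECT COALESCE(m.username, 'Anonymous') AS username, v.ip, v.visitor_id
          FROM visitor_log AS v
          LEFT JOIN member AS m ON m.id = v.visitor_id
         WHERE v.member_viewed = ?
         ORDER BY v.created_on DESC, v.id DESC
         LIMIT ?""", (member_id, limit)).fetchall()


def last_visitors(conn, member_id, limit=10, show_ip=False):
    """The 'Last 10 Visitors' list; show_ip appends the address to anonymous
    entries (item 9).  Off by default: it exposes other people's addresses
    to every member who can see the profile."""
    return [f"{name} ({ip})" if show_ip and vid == 0 else name
            for name, ip, vid in recent_rows(conn, member_id, limit)]


def summarize_visitors(conn, member_id, limit=10):
    """Item 5's compromise: one line counting distinct anonymous addresses,
    then the named members in order, instead of nine 'Anonymous' lines."""
    rows = recent_rows(conn, member_id, limit)
    anonymous = {ip for _, ip, vid in rows if vid == 0}
    named = list(dict.fromkeys(name for name, _, vid in rows if vid != 0))
    head = [f"{len(anonymous)} anonymous visitors"] if anonymous else []
    return head + named


def repeat_viewers(conn, member_id, threshold=5):
    """Item 21: anonymous addresses that viewed one profile at least
    `threshold` times, most active first.  A lead to look at, not proof of
    anything, for the NAT and anonymizer reasons above."""
    return conn.execute("""
        SELECT ip, COUNT(*) AS views
          FROM visitor_log
         WHERE member_viewed = ? AND visitor_id = 0
         GROUP BY ip
        HAVING COUNT(*) >= ?
         ORDER BY views DESC, ip""", (member_id, threshold)).fetchall()
```

Differences from MySQL: '||' concatenates in SQLite but is logical OR in MySQL unless PIPES_AS_CONCAT is set, so the anonymous_by_ip key would use CONCAT() there, and the IF() from item 13 is written as COALESCE here, which both databases accept.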

     
