Posts posted by HDFilmMaker2112

  1. That's unfortunately returning the same thing:

     

    TEstABcDE12345678910

    TEstABcDE12345678910TeshgaGDasf#1345

     

    <?php
    error_reporting(E_ALL);
    $words = array('TEstABcDE12345678910', 'TeshgaGDasf#1345');

    $ascii = '';   // created once, before the loop, so it is never reset between words
    foreach ($words as $word) {
        $index = 0;
        while ($index < strlen($word)) {
            $ascii .= "&#" . ord($word[$index]) . ";";
            $index++;
        }

        echo $ascii . '<br />';   // each echo therefore includes every earlier word as well
    }
    ?>
    

     

     

     

    As far as using htmlentities; I still plan to. This is just to go a step further and remove words that could be used in an attack.

  2. I'm looking for a way to convert a string into ASCII number codes. I have the list of conversion words in an array; the problem lies in that each iteration through the array is starting from the beginning of the array and appending the next element in the array onto the end.

     

    i.e., the below is producing this:

    TEstABcDE12345678910

    TEstABcDE12345678910TeshgaGDasf#1345

     

    $string = array("TEstABcDE12345678910", "TeshgaGDasf#1345");
    $asciiString = "";   // declared outside the foreach, so it keeps growing across words
    foreach ($string as $string2) {

        for ($i = 0; $i != strlen($string2); $i++) {
            $asciiString .= "&#" . ord($string2[$i]) . ";";
        }

        $asciiCode = str_replace("&", "&", $asciiString);   // as shown here, replaces "&" with itself

        echo $asciiString . "<br />";

    }

     

    How would I make it so that it only converts each array element individually? I also need to somehow add a preg_match to this as well.

     

    The idea would be to have the array contain a list of "forbidden words" (javascript, alert, style, among others), and then to convert those forbidden words into their ASCII code equivalents.

     

    This is an attempt to go above and beyond htmlentities for XSS prevention.
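
Posts 1 and 2 above describe the same defect: the accumulator is created once, before the foreach, so every echo carries the previous words along. The following is an added example, not code from the poster or from anyone else in the thread; the function names and the sample payload are constructed for it, and it needs PHP 7.4+ with ext/mbstring. It encodes each word on its own, does the forbidden-word replacement with preg_replace (the preg step post 2 asks about), and then shows why a word list encoded this way does not stop XSS: the HTML parser decodes character references inside an attribute value before the URL is interpreted, so an href of `&#106;avascript:` is still a `javascript:` URL. Encoding for the output context with htmlspecialchars() is the defence that holds.

```php
<?php
declare(strict_types=1);

// Encode one word as HTML decimal character references, e.g. "ab" => "&#97;&#98;".
// The accumulator lives inside the function, so each word starts from an empty
// string instead of being appended to the previous word's output.
// mb_str_split()/mb_ord() keep multi-byte UTF-8 characters as single code points;
// a byte-wise ord() loop would split them into invalid references.
function wordToCharRefs(string $word): string
{
    $out = '';
    foreach (mb_str_split($word, 1, 'UTF-8') as $char) {
        $out .= '&#' . mb_ord($char, 'UTF-8') . ';';
    }
    return $out;
}

// Encode every word in the list on its own; keys are the original words.
function encodeWordList(array $words): array
{
    $encoded = [];
    foreach ($words as $word) {
        $encoded[$word] = wordToCharRefs($word);
    }
    return $encoded;
}

// Replace each forbidden word, case-insensitively, with its character references.
// preg_quote() escapes regex metacharacters such as '#' that appear in the word.
function neutraliseForbiddenWords(string $input, array $forbidden): string
{
    foreach ($forbidden as $word) {
        $pattern = '/' . preg_quote($word, '/') . '/i';
        $input = preg_replace($pattern, wordToCharRefs($word), $input);
    }
    return $input;
}

// Output encoding for HTML body text and for quoted attribute values.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample payload; it is not taken from the original thread.
$payload = '<a href="javascript:alert(1)">click</a>';

print_r(encodeWordList(['javascript', 'alert', 'style']));

// The word list rewrites "javascript" and "alert" but leaves the <a> element in
// place. The browser decodes the references while parsing the attribute, so the
// href is a javascript: URL again by the time it is clicked.
echo neutraliseForbiddenWords($payload, ['javascript', 'alert']), "\n";

// Encoding for the output context turns the markup itself into text. No word
// list is involved, so there is no spelling or encoding variant left to bypass it.
echo escapeHtml($payload), "\n";
```

Running this prints the per-word references, then the "neutralised" anchor tag, then the fully escaped text; paste the second line into an HTML file to see that the link still fires while the third renders as inert text.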

  3. Silkfire...you have no idea how happy you've made me! I just did a "WooHoo" out loud in my office :)

     

    Unfortunately for me I always decide to learn by trial and error, so I chalk this up to a very good lesson learned!!

     

    I do have a follow up question as well as a request if you don't mind.

     

    My request is, can you walk me through the "list" section of that code? I understand everything else, and that part sort of makes sense, but I want to make sure I "get it".

     

    My follow up question is, as you can probably tell this is for some of the company aircraft, of which we have 21 machines. How would I go about producing this same result for each aircraft in the database? If I were to guess at it I would probably say that I would have to name each query result variable a different name and then repeat it for each aircraft. The reason I doubt that is the best way is...well...because I can imagine how much code would be involved for this little project, never mind one that is much bigger.

     

    You kick ass, thank you so much for helping me out, I'm grinning ear to ear right now!

     

    ~FOX~

     

    Look into the while loop.

    http://us2.php.net/manual/en/control-structures.while.php

     

     

    You can look at the examples on this page to see it used with a DB query.

    http://us2.php.net/manual/en/function.mysql-fetch-assoc.php

  4. I set it like this:

     

    session_name('s');
    session_set_cookie_params(2*7*24*60*60);
    
    session_start();
    

     

    So how would I destroy that?

     

    Or is there any easy way to destroy ALL cookies and sessions for a domain (e.g., ".mydomain.com" - that's how I am setting them all)?

     

    Did you call session_start(); before session_unset and session_destroy? If not, it doesn't know what the values are that it should be unsetting and destroying.

     

    session_start should essentially be read as, check to see if there's already a session started, if so continue it; if not, start a new one.
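
Post 4 asks how to destroy a session opened with session_name('s') and a two-week cookie lifetime, and whether every cookie for a domain can be removed at once. The following is an added example, not the poster's code or the reply's; the function names are mine, and it assumes PHP 7.3+ for the setcookie() options array and for the samesite entry returned by session_get_cookie_params(). It follows the order the reply gives: start (resume) the session first, then clear and destroy it, and it also expires the session cookie in the browser, which session_destroy() on its own does not do.

```php
<?php
declare(strict_types=1);

/**
 * Fully end a session: in-memory data, the server-side record, and the cookie
 * in the browser. session_destroy() alone leaves the cookie in place.
 */
function destroySession(string $sessionName = 's'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Unsetting and destroying need a started session, and the name has to
        // match the one the session was created under; otherwise session_start()
        // opens a fresh, empty session and that is what gets destroyed.
        session_name($sessionName);
        session_start();
    }

    // Drop the data held for this request.
    $_SESSION = [];

    // Expire the session cookie with the same attributes it was set with; the
    // browser only treats it as the same cookie if name, path and domain match.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // Remove the server-side session record.
    session_destroy();
}

/**
 * Expire every cookie the browser sent with this request for one domain and
 * path. A cookie that was set with a different path or domain attribute is a
 * different cookie to the browser and has to be expired with those same values.
 */
function expireAllCookies(string $domain, string $path = '/'): int
{
    $expired = 0;
    foreach (array_keys($_COOKIE) as $name) {
        setcookie($name, '', ['expires' => time() - 42000, 'path' => $path, 'domain' => $domain]);
        unset($_COOKIE[$name]);
        $expired++;
    }
    return $expired;
}

destroySession('s');                                   // the session name used in the post
echo expireAllCookies('.mydomain.com'), " cookies expired\n";
```

Call this before any output is sent, since both session_start() and setcookie() need to add headers; the cookie parameters it reads back are the ones configured for the current request, so the same session_set_cookie_params() call used at login must apply here too.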

  5. This is the first I've tried using cookies for a website. The below isn't setting a cookie.

     

    I have my log-in form on the home page. Which submits to this script "login.php", if the credentials match the database, then it redirects to index.php?home. On ?home I'm trying to echo out the cookies and they're coming up blank. I also checked the cookies set in my browser, and the only one set for this domain name is the PHPSESSID.

     

     

    The $login_stay_logged_in variable is set and it does = yes.

    if ($login_stay_logged_in == "yes") {
        $hashed_value    = kam3(md5(generatepassword()));
        $hashed_username = md5s($rows["email_address"]);
        $time = time();
        // 180-day cookies on path "/" for the beta host; no HttpOnly or Secure flag is set
        setcookie("emtco_hash", $hashed_value, time() + (86400 * 180), "/", "beta.area51entertainment.com");
        setcookie("emtco_username", $hashed_username, time() + (86400 * 180), "/", "beta.area51entertainment.com");
        setcookie("emtco_visited", $time, time() + (86400 * 180), "/", "beta.area51entertainment.com");
    }
    

     

     

    if(isset($_GET['home'])){
    $content.='
    <div class="left"></div>
    <div class="center">'.$_SESSION['username'].'<br /> '.$_SESSION['password'].'<br /> '.$_SESSION['login_stay_logged_in'].'
    <br />'.$_COOKIE["emtco_hash"].'
    <br />'.$_COOKIE["emtco_username"].'
    <br />'.$_COOKIE["emtco_visited"].'</div>
    <div class="right"></div>
    ';
    }
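
The cookies in post 5 carry an md5 of the e-mail address and a hash of a freshly generated value, live for 180 days, and are set without the HttpOnly or Secure flags, so they are readable by any script running on the page and are sent over plain HTTP. The following is an added example of a "stay logged in" cookie the server can actually verify; it is not code from the thread, the table and function names are mine, and it uses an in-memory SQLite database through PDO (PHP 7.3+ for the setcookie() options array) in place of the MySQL server so that it runs stand-alone. The cookie holds a random selector and validator; only a SHA-256 of the validator is stored, so a copied table does not yield working cookies, and the comparison uses hash_equals().

```php
<?php
declare(strict_types=1);

const REMEMBER_COOKIE = 'emtco_remember';   // assumed cookie name
const REMEMBER_DAYS   = 180;

/**
 * Issue a "stay logged in" cookie and record it server-side.
 *
 * The browser receives a random selector:validator pair; the table keeps the
 * selector and only a SHA-256 of the validator. Nothing derived from the user
 * name or password goes into the cookie. Secure and HttpOnly keep it off plain
 * HTTP and out of reach of script on the page.
 */
function issueRememberToken(PDO $db, int $userId, string $cookieDomain): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (:selector, :hash, :user_id, :expires)'
    );
    $stmt->execute([
        ':selector' => $selector,
        ':hash'     => hash('sha256', $validator),
        ':user_id'  => $userId,
        ':expires'  => $expires,
    ]);

    $cookie = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $cookie, [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => $cookieDomain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $cookie;
}

/**
 * Resolve a cookie value to a user id, or null when it is malformed, unknown,
 * expired, or carries the wrong validator.
 */
function userFromRememberCookie(PDO $db, ?string $cookieValue): ?int
{
    if ($cookieValue === null || substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash, expires_at FROM remember_tokens WHERE selector = :selector'
    );
    $stmt->execute([':selector' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison; a plain == would leak timing about the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed in-memory store standing in for the site's MySQL database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
    user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

$cookie = issueRememberToken($db, 42, 'beta.area51entertainment.com');
var_dump(userFromRememberCookie($db, $cookie));   // the cookie just issued
// Same selector, wrong validator: the lookup succeeds but hash_equals() fails.
var_dump(userFromRememberCookie($db, explode(':', $cookie)[0] . ':' . str_repeat('0', 64)));
```

On a login page the value returned by issueRememberToken() is what lands in $_COOKIE[REMEMBER_COOKIE] on the next request, and userFromRememberCookie() is what the home page calls instead of echoing the cookie contents; delete the row when the user logs out so the cookie cannot be replayed.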
    

  6. This:

     

    <a href="Size_Menu.html">Click here to choose</a> </td>
    

     

    Should be this:

     

    <a href=\"Size_Menu.html\">Click here to choose</a> </td>
    

     

     

    Or use single quotes around everything:

     

    $display_block .= '
        <tr>
        <td width="1%" valign="top">' . $Verse_id . '<br/></td>
        <td width="55%" valign="top">' . $Verse_text . '<br/></td>
        <td width="35%" valign="top">' . $Mood_info . '<br/></td>
        <td width="9%" valign="top"><a href="Size_Menu.html">Click here to choose</a></td>
        </tr>';
    

  7. Persistent database connections only work when php is running as a server module, not when php is running as a cgi application. Are you sure trying to use a persistent connection would have any effect on your server?

     

    MySQLi Persistent connections weren't included in PHP until 5.3. My web server is currently running 5.2... That's the current problem.

  8. I'm trying to connect to MySQLi via a persistent connection and I'm getting an error stating:

     

    Warning: mysqli::mysqli() [mysqli.mysqli]: (HY000/2005): Unknown MySQL server host 'p:localhost' (1)

     

    function MysqliPersist($dbname){
    $DBconnect = new mysqli_errordisplay('p:localhost', "user", "pass", $dbname);
    return $DBconnect;
    }
    

     

    In the manual it says to prepend a "p:" to the host name for a persistent connection.

  9. If you want to test if an email address is in the database, remove the count function.

     

    Also why does fetch_assoc return a number? Surely that should return a parsed row?

     

    I'm not looking to return an email address. I'm looking to return the number of rows that have that email address in them, to see if it's equal to 0 or to 1 or more. I've always counted the number of rows to check for a value.

     

    Okay, if I don't count; what do I compare the result to?

     

    Basically I need to check if the user entered email address is in the database, if not continue with registration; if it is, prevent registration, and send them back to the form with a error message.

  10. It's because you're using a COUNT function. You will always get a result set, because if no rows are found matching your query, it will return a count of 0. This will in turn cause num_rows to return 1.

     

    I also noted you have a >= 0 in your if statement. So you want it to error if there are no rows as well as if there are rows? That doesn't really make sense.

     

    I thought it would literally return a number either 0 or the number of rows that has that email address. Guess I thought wrong. So what should I be doing here? Maybe I'm after $number_rows[0]? To get the first value entry in the array?

  11. The below code is always placing a value of "1" into the $error array. I echoed out the $sanitized_email variable and it displays the inputted email address fine.

     

    I checked the database via PHPMyAdmin and the email address is not in the DB.

     

    $check_email_DB = mysqliCOE('db_name');
    $sanitized_email=mysqli_sanitize($check_email_DB, $register_email);
    $result = $check_email_DB->query("SELECT COUNT(email_address) FROM user WHERE email_address='$sanitized_email'");
    $number_rows = $result->fetch_assoc();
    if($number_rows>=0){
    $error[18]=1;
    }
    else{
    $error[18]=0;
    }
    $check_email_DB->close();
    

     

    I even ran the query manually in PHPMyAdmin and it returned zero results.

  12. The following code is giving an error:

     

    $check_email_DB = mysqliCOE('zyquo_emotico');
    $sanitized_email=mysqli_sanitize($check_email_DB, $register_email);
    $result = $check_email_DB->query("SELECT COUNT(email) FROM user WHERE email='$sanitized_email'");
    $number_rows = $result->fetch_assoc();
    if($number_rows!=1){
    $error[18]=1;
    }
    else{
    $error[18]=0;
    }
    

     

    This is producing a non-object error:

    Fatal error: Call to a member function fetch_assoc() on a non-object.

     

    What's wrong with the above? I pretty much copied it right off the manual on php.net.

     

    Is there a better way to get the results from a COUNT query in MySQLi?
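
Posts 9 through 12 circle one point: COUNT() always returns exactly one row, so num_rows is 1 whether or not the address exists, and fetch_assoc() hands back an array, which compares >= 0 as true. The following is an added example, not code from the thread; it uses PDO with an in-memory SQLite table (column named email_address as in post 11) so that it runs without a MySQL server, and the function names are mine. It reads the count itself with fetchColumn(), binds the address as a parameter instead of escaping it into the SQL string (which also removes the need for the mysqli_sanitize() helper of posts 13 to 16), and turns a failed query into an exception rather than the false return value behind the "fetch_assoc() on a non-object" fatal error in post 12.

```php
<?php
declare(strict_types=1);

/**
 * Is this e-mail address already registered?
 *
 * COUNT(*) always yields exactly one row, so num_rows / fetch_assoc() cannot be
 * the test; fetchColumn() returns the count itself. The address is bound as a
 * parameter, so it never becomes part of the SQL text and needs no escaping.
 */
function emailExists(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE email_address = :email');
    $stmt->execute([':email' => $email]);
    return (int) $stmt->fetchColumn() > 0;
}

/**
 * Registration gate. Returns the messages the form should show; an empty
 * array means registration may continue.
 */
function validateRegistrationEmail(PDO $db, string $email): array
{
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    } elseif (emailExists($db, $email)) {
        $errors[] = 'An account with that e-mail address already exists.';
    }
    return $errors;
}

// Constructed in-memory table in place of the MySQL server. ERRMODE_EXCEPTION
// makes a failed query throw instead of returning false, the value that
// produced "Call to a member function fetch_assoc() on a non-object".
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email_address TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO user (email_address) VALUES ('taken@example.com')");

print_r(validateRegistrationEmail($db, 'taken@example.com'));           // registered above
print_r(validateRegistrationEmail($db, "x@example.com' OR '1'='1"));    // rejected by filter_var(), never reaches SQL
print_r(validateRegistrationEmail($db, 'new@example.com'));             // not in the table
```

With mysqli the same shape is prepare() with a ? placeholder, bind_param('s', $email), execute(), then bind_result($count) and fetch(); what matters in both APIs is that the address travels as a bound value and that the code reads the single count column rather than counting result rows.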

  13. Sorry, missed that altogether. Remove the quotes from around the $connection variable. It's not a string.

     

    $sanitized_email=mysqli_sanitize($connection, "T'es'ts3e");
    

     

    Perfect. Thanks. Thought I had to pass it as a string and somehow generate a new variable to be used on the real_escape_string function; much simpler than I thought.

    // mysqli subclass that stops with a message when the connection fails
    class mysqli_errordisplay extends mysqli {
        public function __construct($host, $user, $pass, $db) {
            parent::__construct($host, $user, $pass, $db);

            if (mysqli_connect_error()) {
                die('Connect Error (' . mysqli_connect_errno() . ') '
                    . mysqli_connect_error());
            }
        }
    }

    // returns a connected mysqli_errordisplay object for the given database
    function MysqliCOE($dbname) {
        $DBconnect = new mysqli_errordisplay('localhost', "user", "pass", $dbname);
        return $DBconnect;
    }
    

  15. If I try passing the connection variable as $connection in the function I get this:

     

    Catchable fatal error: Object of class mysqli_errordisplay could not be converted to string in /home/zyquo/public_html/beta/test.php on line 5

     

     

    function mysqli_sanitize($conn, $formValue) {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $formValue = stripslashes($formValue);
        }
        $formValue = $conn->real_escape_string($formValue);
        return $formValue;
    }
    $connection = mysqliCOE('db_name');
    $sanitized_email = mysqli_sanitize("$connection", "T'es'ts3e");   // the quotes cast the object to a string
    echo $sanitized_email;
    

     

    Line 5 is this: $sanitized_email=mysqli_sanitize("$connection", "T'es'ts3e");

  16. I have the following function, that I'm using to quote/escape on user submitted data I'm running a MySQLi query on:

     

    function mysqli_sanitize($conn, $formValue) {
        $conn = '$' . $conn;   // builds the string "$connection", not the connection object
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $formValue = stripslashes($formValue);
        }
        $formValue = $conn->real_escape_string($formValue);
        return $formValue;
    }
    

     

    Now in order to use MySQLi_real_escape_string I have to provide the connection variable, or I get a non-object error. How would I pass the connection variable name into the function? I tried the following, but I'm getting the non-object error.

     

    $connection = mysqliCOE('db_name');
    $sanitized_email=mysqli_sanitize("connection", "T'es'ts3e");
    echo $sanitized_email;
    

  17. Query Error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '10:22:47)' at line 2

     

     

    Looks like it's the join_date time. It's wrapped in parentheses, and I'm not quoting that. So that could be the entire issue.

     

    EDIT: That would indeed have been it. Now working. Thanks for the help.

  18. Where do you ever define $DB?

     

    And SafePDOCOE(db_name);

     

    Shouldn't that be written as $DB = SafePDOCOE(db_name);, I mean it returns something, right?

     

    100% right. Literally just caught that 5 seconds before you posted.

     

     

    Now it did submit some of the data to the database, but it only did so with the second query. It didn't insert the birthday, and also missed the user_id (but that's of course because the first query wasn't run). Shouldn't the rollback control have fired, seeing as how nothing was submitted to the first query?

     

    
    $register_name ="$register_fname $register_lname";
    $register_birthday ="$register_year - $register_month - $register_day";
    $register_date=date('Y-m-d H:i:s');
    
    $DB = SafePDOCOE('zyquo_emotico');
    
    		$quoted_account_type = $DB->quote($register_account_type);
    		$quoted_email = $DB->quote($register_email);
    		$quoted_fname = $DB->quote($register_fname);
    		$quoted_lname = $DB->quote($register_lname);
    		$quoted_name = $DB->quote($register_name);
    		$encoded_password = kam3($register_password);
    		$quoted_gender = $DB->quote($register_gender);
    		$quoted_birthday = $DB->quote($register_birthday);
    		$quoted_membership_type = $DB->quote($register_membership_type);
    
    	try{
    			$DB->beginTransaction();
    			$DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)
    			VALUES ($quoted_email, $encoded_password, '1', $quoted_name, $quoted_membership_type, $register_date)");
    			$userid = $DB->lastInsertId();
    			$DB->query("INSERT INTO user_profile (user_id, birthday, gender, first_name, last_name) 
    			VALUES ($userid, $quoted_birthday, $quoted_gender, $quoted_fname, $quoted_lname)");
    			$DB->commit();
    	echo "Data Entered.";
    	}
    	catch(PDOException $e){
    	$DB->rollBack();
    	echo "Query Error: ". $e->getMessage();
    	}
    

  19. MySQLi supports transactions as well.

    I know, but it actually requires dealing directly with MySQL to control the transactions (as far as I know); PDO has them on the PHP side of things. Easier to use in my opinion. I know there are commit and rollback controls, but how do you start a transaction? Is it simply just running the first query?

     

    However, the error you are getting implies that $DB is not a PDO object.

     

    Alright; well here's the class/functions I'm using.

     

    class SafePDO extends PDO {

        public static function exception_handler($exception) {
            // Output the exception details
            die('Uncaught exception: ' . $exception->getMessage());
        }

        public function __construct($dsn, $username = '', $password = '', $driver_options = array()) {

            // Temporarily change the PHP exception handler while we . . .
            set_exception_handler(array(__CLASS__, 'exception_handler'));

            // . . . create a PDO object
            parent::__construct($dsn, $username, $password, $driver_options);

            // Change the exception handler back to whatever it was before
            restore_exception_handler();
        }

    }

    class SafePDO_errordisplay extends SafePDO {

        // note: this method is never called by the functions below; the parent
        // constructor does the connecting
        public function connect_db($dsn, $username = '', $password = '', $driver_options = array()) {

            parent::__construct($dsn, $username, $password, $driver_options);
            try {
                $DB = new SafePDO($dsn, $username, $password, $driver_options);
            }
            catch (PDOException $e) {
                echo 'Connection failed: ' . $e->getMessage();
            }
        }
    }

    // Connect to the database
    function SafePDOPersist($dbname) {
        $DB = new SafePDO_errordisplay("mysql:host=localhost;dbname=$dbname", "user", "pass", array(PDO::ATTR_PERSISTENT => true));
        return $DB;
    }

    function SafePDOCOE($dbname) {
        $DB = new SafePDO_errordisplay("mysql:host=localhost;dbname=$dbname", "user", "pass");
        return $DB;
    }

     

    Then on my page, it's called simply as:

     

    SafePDOCOE(db_name);
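
Posts 17 to 19 cover the transaction code: the first INSERT failed on the unquoted join_date, yet the second INSERT was committed on its own and the catch block never ran. PDO only throws PDOException when the connection has PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION; in the default silent mode query() returns false and execution simply continues past it, and the SafePDO classes in post 19 do not set that attribute. The following is an added example, not code from the thread; it uses prepared statements with bound parameters (so nothing needs quote()), password_hash() in place of the kam3() helper the thread does not show, and an in-memory SQLite schema standing in for the MySQL tables so that it runs stand-alone. The second registration attempt is constructed to fail on the profile INSERT and shows the user row from the first statement being rolled back with it.

```php
<?php
declare(strict_types=1);

/**
 * Create a user and its profile row atomically and return the new user id.
 *
 * Values are bound as parameters, so join_date and the password hash need no
 * manual quoting. The connection must use PDO::ERRMODE_EXCEPTION: in the
 * default silent mode a failed statement only returns false, the catch block
 * is never entered and the transaction is never rolled back.
 */
function registerUser(PDO $db, array $reg): int
{
    $db->beginTransaction();
    try {
        $user = $db->prepare(
            'INSERT INTO user (email_address, password, user_level, name, membership_type, join_date)
             VALUES (:email, :password, 1, :name, :membership, :join_date)'
        );
        $user->execute([
            ':email'      => $reg['email'],
            ':password'   => password_hash($reg['password'], PASSWORD_DEFAULT),
            ':name'       => $reg['fname'] . ' ' . $reg['lname'],
            ':membership' => $reg['membership_type'],
            ':join_date'  => date('Y-m-d H:i:s'),
        ]);
        $userId = (int) $db->lastInsertId();

        $profile = $db->prepare(
            'INSERT INTO user_profile (user_id, birthday, gender, first_name, last_name)
             VALUES (:user_id, :birthday, :gender, :fname, :lname)'
        );
        $profile->execute([
            ':user_id'  => $userId,
            ':birthday' => sprintf('%04d-%02d-%02d', $reg['year'], $reg['month'], $reg['day']),
            ':gender'   => $reg['gender'],
            ':fname'    => $reg['fname'],
            ':lname'    => $reg['lname'],
        ]);

        $db->commit();
        return $userId;
    } catch (PDOException $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        // Re-throw so the caller decides what to display; raw driver messages
        // belong in a log, not on the registration page.
        throw $e;
    }
}

/** Row count of the user table, used below to make the rollback visible. */
function countUsers(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM user')->fetchColumn();
}

// Constructed in-memory schema standing in for the MySQL tables in the thread.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email_address TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL, user_level INTEGER NOT NULL, name TEXT, membership_type TEXT, join_date TEXT)');
$db->exec('CREATE TABLE user_profile (user_id INTEGER PRIMARY KEY, birthday TEXT NOT NULL,
    gender TEXT NOT NULL, first_name TEXT, last_name TEXT)');

$reg = ['email' => 'fox@example.com', 'password' => 'correct horse battery', 'fname' => 'Fox',
        'lname' => 'Example', 'membership_type' => 'basic', 'gender' => 'm',
        'year' => 1990, 'month' => 7, 'day' => 4];
echo 'created user id ', registerUser($db, $reg), "\n";
echo 'users in table: ', countUsers($db), "\n";

// Second attempt: the profile INSERT violates NOT NULL on gender after the user
// INSERT has already succeeded, so the whole transaction has to be rolled back.
$bad = $reg;
$bad['email']  = 'other@example.com';
$bad['gender'] = null;
try {
    registerUser($db, $bad);
} catch (PDOException $e) {
    echo 'registration rolled back: ', $e->getMessage(), "\n";
}
echo 'users in table: ', countUsers($db), "\n";
```

The two "users in table" lines print the same number, which is the whole point of the transaction; with the connection left in silent mode the second would be one higher and the half-registered account would have to be cleaned up by hand.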
    

     
