Travis1128

Members
  • Posts

    20
  • Joined

  • Last visited

    Never

Profile Information

  • Gender
    Not Telling

  1. Hello. I have a few questions about the hashing methods available. I have read plenty of articles on the net about how MD5 and SHA0/SHA1 are not ideal methods to hash your data. PHP.net has recommended crypt() or hash(), but I am curious if salting even protects your users' passwords? I know salting protects against rainbow tables ... but is there no way to defend against brute force or dictionary attacks? Anyway, what do you guys recommend I use just to make sure my users' passwords are not ... compromised? I guess the first layer of defense would be to make sure your database passwords are secure and under a DMZ. But solutions like that, including IDS / firewall, range between $2500-$5000 a month. Any help would be greatly appreciated. Thank you.
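As an added example (not code from Travis or anyone in the thread), this shows how the question above is answered in current PHP: password_hash() salts for you, and the bcrypt cost factor is the part that slows down brute-force and dictionary guessing. The demo data is constructed; no database is involved.

```php
<?php
// Added example, not from the original thread: storing and checking
// passwords with password_hash()/password_verify() (PHP >= 5.5, ?string
// return type needs 7.1). bcrypt generates a random per-user salt itself,
// which defeats rainbow tables; the cost factor makes every guess cost
// the attacker the same 2^cost work, which is the real brake on
// brute-force and dictionary attacks against a leaked table.

// Tune so one hash takes roughly 50-100 ms on your own server and raise
// it as hardware gets faster. PHP's default bcrypt cost is 10.
const BCRYPT_COST = 12;

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns the hash to keep in the database (possibly upgraded to the
// current cost) when the login is valid, or null when the password is wrong.
function checkLogin(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // Hashes made with a lower cost are upgraded on a successful login;
    // the caller persists the returned value back to the user's row.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return $storedHash;
}

// Demo with constructed values.
$stored = hashPassword('correct horse battery staple');
assert(checkLogin('correct horse battery staple', $stored) !== null);
assert(checkLogin('Password1', $stored) === null);

// The stored string embeds algorithm, cost and salt ("$2y$12$..."), so two
// users with the same password still end up with different hashes.
assert(hashPassword('same') !== hashPassword('same'));
echo "ok\n";
```

Hashing only protects the table after it leaks; online guessing against the login form is limited separately, by rate limiting or lockout, not by the hash.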
  2. Thanks for your reply. Your script worked; however, this is how I am trying to implement it.

     private function displayOptions($atID){
         $this->mysqlConnect();
         $sql = "SELECT * FROM pcs_attribute pa, pcs_attribute_option pao WHERE pao.attribute_id = '$atID' AND pa.attribute_id = '$atID'";
         $query = $this->mysqlQuery($sql);
         print('<div class="attribute_items">');
         while($fetch = $this->mysqlFetch($query)){
             // This is where the attribute options are retrieved and displayed
         }
         print('</div>');
     }

     private function displayAttributes($setID){
         $this->mysqlConnect();
         $sql = "SELECT * FROM pcs_attribute WHERE attribute_set_id = '$setID' OR attribute_is_global = '1' ORDER BY attribute_set_id ASC";
         $query = $this->mysqlQuery($sql);
         print('<div class="filter_by">Filter By</div>');
         while($fetch = $this->mysqlFetch($query)){
             // This is where the attributes display
             // These are the options
             $this->displayOptions($fetch['attribute_id']);
         }
     }

     So displayAttributes() is the function that displays the attributes within the database, for example:
     - Processor Type
     - Memory Size
     - Color

     And displayOptions() is the function that displays the attributes within the attribute_options database. Example:
     - AMD
     - Intel
     - 3GB
     - 4GB
     - 5GB
     - Red
     - Blue

     Each table is also assigned to the attribute above ("processor_type", "memory_size", "color") through the attribute_id. This is a numerical entity (i.e. 1, 2, 3) and really has no relation, but I felt I should mention it. There is a final function called displayFilters():

     public function displayFilters(){
         // Construct HTML
         $this->buildHtml();
         // Connect to MySQL
         $this->mysqlConnect();
         // Check the category to verify it is correct.
         if($this->checkCategory($this->mysqlEscape($_GET['catID']))){
             // The result is returned true.
             // Now let's begin to filter and find products within the attributes database.
             if($this->checkCategorySet($this->mysqlEscape($_GET['catID']))){
                 // The result is returned true.
                 $this->displayAttributes($this->getCategoryInfo($this->mysqlEscape($_GET['catID']), 'attribute_set_id'));
             } else {
                 // The result is returned false.
                 // This means there is no set assigned to this category
                 print($this->message('1011'));
             }
         } else {
             // The result is returned false.
             print($this->message('1010'));
         }
     }

     This is where it displays the final build of everything. If you have any questions please ask. I am working hard on this as well and I appreciate your help.
  3. Thank you for your code. I am having a bit of an issue with another piece of code in relation to this.

     private function displayOptions($atID){
         $this->mysqlConnect();
         $sql = "SELECT * FROM pcs_attribute pa, pcs_attribute_option pao WHERE pao.attribute_id = '$atID' AND pa.attribute_id = '$atID'";
         $query = $this->mysqlQuery($sql);
         print('<div class="attribute_items">');
         while($fetch = $this->mysqlFetch($query)){
             // Code Input
         }
         print('</div>');
     }

     Basically I am trying to get this script to post a link containing the data of the example below.

     www.domain.com/category.php?catID=1 - This is the default

     But when the user clicks on "Processor Type -> AMD" I want it to take them to

     www.domain.com/category.php?catID=1&processor_type=amd

     Sounds simple, right? This is where it gets tricky for me. I am also trying to create a no-duplication protection for it, which I am having the most trouble with. So in the example below you won't get this,

     www.domain.com/category.php?catID=1&processor_type=amd&processor_type=amd

     if the user can still click on "processor type". I am also trying to make the "filters" stackable when clicked. Example,

     www.domain.com/category.php?catID=1&processor_type=amd

     then the user clicks a link and it changes to

     www.domain.com/category.php?catID=1&processor_type=amd&memory_size=3gb

     If you or anyone else could help, that would be great. If you have any more questions please do not hesitate to ask. I will continue to work on it and experiment, and post back if I do find the solution. Thank you.
  4. Thank you for your reply. My setup for this example looks like this,

     <?php
     error_reporting(0);
     // Filter Arrays
     $filter = array("demo", "demo2", "demo3");

     As you can see, I am attempting to find out if the filter values in the array above are being used. Example,

     www.Domain.com/search/productsearch.php?catId=112&demo=test

     The customer then selects another filter and the URL looks like this now,

     www.Domain.com/search/productsearch.php?catId=1123&demo=test&demo2=test

     I could not really get your method to apply to my script, and I was curious if you knew anything about how to implement it. Basically I am attempting this:

     Filtered Search
     - Filter the products by filtering attributes.
     - Allow the customer to remove/add filters based on their needs.

     I was thinking as well, perhaps cookies or sessions would work with filtering data? I am not sure.

     - Travis
  5. Hello guys, it's me again. I have not posted a question in a while, so I am glad to be on PHPFreaks again. Anyway, here is my question. I have a simple "Filter By" or "Refine By" script I am developing. Its foundation is primarily a database (MySQL) and it does not use XML or other table files. This script simply adds filtered array ("objects") to the URL as the customer filters his/her search. An example,

     $attributeCodes = array("processor_type", "color", "memory");
     // These arrays are defined and built from the database at the time of the request, so they are automatically updated.

     The above array is used in an if/and/or statement to look for these attribute codes. If it finds one and it has a value, it then refines the MySQL query to look for products with the said attribute code. Now that we have the basics out there of how it works, I am at the part where it confuses me. I give the user the ability to filter his/her search; however, I want the user to be able to remove these filters separately if wanted. So for example the customer filters,

     Domain.com/search/productsearch.php?catId=112&processor_type=AMD&memory=2gb

     The customer does not need the memory filter and wishes to remove that specific item, or vice versa, he/she does not want to search by processor_type. How is it that I can remove specifically one attribute and its value from the URL? So the URL will then look like,

     Domain.com/search/productsearch.php?catID=112&processor_type=AMD
     or
     Domain.com/search/productsearch.php?catID=112&memory=2gb

     Any help would be great. Or if you have any suggestions on a different method to filter products by attributes, suggestions and criticism are welcome. Please do not be shy or modest when it comes to giving me advice, as I am trying to learn efficiently.

     - Travis
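As an added example (not code from Travis or any replier), this covers both the stackable, duplicate-free links asked for in post 3 and the remove-one-filter question in post 5. The attribute codes are taken from the post; the /category.php path, the catID value and the extra "evil" parameter are constructed for the demo.

```php
<?php
// Added example, not from the original thread: filter links for a category
// page built from a whitelist of attribute codes (assumed to come from the
// database as the post describes).
$attributeCodes = array('processor_type', 'color', 'memory');

// Keep only catID plus whitelisted attribute codes from the current query
// string; any other key a visitor appends to the URL is dropped, so the
// later SQL only ever sees attribute names that exist.
function currentFilters(array $get, array $attributeCodes)
{
    $filters = array();
    if (isset($get['catID']) && ctype_digit((string) $get['catID'])) {
        $filters['catID'] = (int) $get['catID'];
    }
    foreach ($attributeCodes as $code) {
        if (isset($get[$code]) && is_string($get[$code]) && $get[$code] !== '') {
            $filters[$code] = $get[$code];
        }
    }
    return $filters;
}

// Adding a filter that is already present overwrites it, so
// ?processor_type=amd&processor_type=amd can never be produced.
function addFilterUrl(array $filters, $code, $value, $path = '/category.php')
{
    $filters[$code] = $value;
    return $path . '?' . http_build_query($filters);   // values are URL-encoded here
}

// Removing one attribute leaves catID and the other filters untouched.
function removeFilterUrl(array $filters, $code, $path = '/category.php')
{
    unset($filters[$code]);
    return $path . '?' . http_build_query($filters);
}

// Constructed request: ?catID=112&processor_type=AMD&memory=2gb&evil=x
$get = array('catID' => '112', 'processor_type' => 'AMD', 'memory' => '2gb', 'evil' => 'x');
$filters = currentFilters($get, $attributeCodes);   // "evil" is dropped

assert(removeFilterUrl($filters, 'memory') === '/category.php?catID=112&processor_type=AMD');
assert(addFilterUrl($filters, 'processor_type', 'AMD') === '/category.php?catID=112&processor_type=AMD&memory=2gb');
assert(addFilterUrl($filters, 'color', 'red') === '/category.php?catID=112&processor_type=AMD&memory=2gb&color=red');

// When the link is echoed into HTML, escape it so '&' becomes '&amp;'.
echo '<a href="' . htmlspecialchars(addFilterUrl($filters, 'color', 'red'), ENT_QUOTES, 'UTF-8') . '">Red</a>';
```

The filter values themselves still go into the MySQL query as data, so they are bound as parameters (or at least escaped) there; the whitelist only guarantees the column names.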
  6. Thank you for your swift reply. I believe I prefer the defined version, as it gets to the point and is easier to output, etc. Now I want to use $_SERVER["DOCUMENT_ROOT"], but I have been hearing mixed thoughts about it possibly being a security hole in your script. How? I am not completely sure, but I have been reading and some people have said it poses a threat. What is your opinion on it?
  7. I am in a bit of a debate on which structure I should use and want your guys' opinion.

     #######################
     # Configuration Array #
     #######################
     $config = array(
         "mysql" => array(
             "db1" => array(
                 "name"     => "example",
                 "username" => "exampleUser",
                 "password" => "passw0rd",
                 "host"     => "localhost",
             ),
         ),
         "base_info" => array(
             "baseURL" => "http://example.com",
         ),
         "paths" => array(
             "resources" => "/resources/",
             "template"  => "/resources/template/",
             "library"   => "/resources/library/",
             "images"    => "/images/",
             "css"       => "/css/",
             "js"        => "/js/",
         ),
     );

     #####################
     # Defined Variables #
     #####################
     # MySQL
     define('DBHOST', 'localhost');
     define('DBNAME', 'example');
     define('DBUSER', 'exampleUser');
     define('DBPASS', 'passw0rd');
     # Base Information
     define('BASEURL', 'http://example.com');
     # Paths
     define('RESOURCE_PATH', '/resources/');
     define('TEMPLATE_PATH', RESOURCE_PATH . 'template/');
     define('LIBRARY_PATH', RESOURCE_PATH . 'library/');
     define('IMAGES_PATH', '/images/');
     define('CSS_PATH', '/css/');
     define('JS_PATH', '/js/');

     Which one would you choose? Or would you do it a different way?
  8. I mean a simple validation attempt like,

     if(!$_SESSION['user_logged']){
         // Return an error
     } else {
         // Do something
     }

     That would stop someone from just making up their own <form> and having it hosted on their site, correct? You could just have that placed in auth.php and include auth.php on pages where you need to authenticate a user's session in order to submit data.
  9. Alright. Thank you for your quick replies. So for simple validation you could easily just validate that the input data is an integer or a string of a certain length, etc.; if it exceeds the normal "input" for the specific function, you simply return an error based on the data input. By the way, could you give an example in your own way of how such spoofs would be done and how to counteract them? Just curious, as I could use all the help I can get.
  10. Just a quick question, if anyone could answer. On http://www.phpsec.org/projects/guide/2.html it talks about Spoofed Form Submissions and Spoofed HTTP Requests. Is defending against spoofed form submissions the same deal of filtering the input, just as we discussed before? I.e., if it's MySQL related use mysql_real_escape_string(), or if it's HTML output use htmlspecialchars(), etc. What about spoofed HTTP requests, is that something to be concerned about?

      - Travis
  11. "This. Every piece of input data that comes from an outer source (web page, users or whatever outer src, including all $_GET and $_POST etc.) needs to be validated before using it in your scripts. Never trust that data blindly."

      Yep. I understand that portion. However, what phpSensei pointed out is that each validation should not be as elaborate as the functions I displayed above. Any MySQL input data ($_POST, $_GET) should be validated with mysql_real_escape_string(); however, if the specific code requires higher security, do more to protect yourself. Any HTML/BBCode etc. input data ($_POST) should be validated with htmlspecialchars() when output.

      Validation methods to use:
      - mysql_real_escape_string()
      - htmlspecialchars()
      - filter_input(): in some cases when a higher security level than the above requires it.
  12. Thank you phpSensei. So what I have gotten from your reply is:
      1. Do not directly clean/filter a variable.
      2. Only escape or filter a string from an outside source when it is necessary to do so.
      3. MySQL insertion of any "string" or data should use mysql_real_escape_string().
      4. For outputting HTML strings (comments, user text, profile text, etc.) use htmlspecialchars() for filtering the output.
      5. Only use the above if the security calls for it for that specific output/input of data.

      If I am wrong please correct me. I try to learn new things and then the right way to do them.

      - Travis
  13. Hello. I have below two validation functions that validate the input from $_POST and $_GET. I was curious if you think it's reasonably effective for protection from XSS and SQL injection based attacks. I know this is not the only layer I should have, but this is the middleman defense I have planned to put in place. Please let me know what you think.

      validatePost Function

      function validatePost($input, $level, $mysql){
          // Output variable
          $output = '';
          // Determine the validation level
          if($level == 0){
              // No validation process for filter_input()
              $invp = htmlspecialchars($_POST[$input]);
          } else if($level == 1){
              // Standard removal of HTML special characters.
              $invp = filter_input(INPUT_POST, $input, FILTER_SANITIZE_SPECIAL_CHARS);
          } else if($level == 2){
              // Advanced removal of HTML special characters.
              $invp = filter_input(INPUT_POST, $input, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
          }
          // Determine if MySQL validation is required
          if($mysql != null){
              $invp = mysql_real_escape_string($invp);
          }
          // Validate the end output
          $output = htmlentities($invp);
          return $output;
      }

      validateGet Function

      function validateGet($input, $level, $mysql){
          // Output variable
          $output = '';
          // Determine the validation level
          if($level == 0){
              // No validation process for filter_input()
              // (reads $_GET; the original read $_POST here by copy-paste mistake)
              $invp = htmlspecialchars($_GET[$input]);
          } else if($level == 1){
              // Standard removal of HTML special characters.
              $invp = filter_input(INPUT_GET, $input, FILTER_SANITIZE_SPECIAL_CHARS);
          } else if($level == 2){
              // Advanced removal of HTML special characters.
              $invp = filter_input(INPUT_GET, $input, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
          }
          // Determine if MySQL validation is required
          if($mysql != null){
              $invp = mysql_real_escape_string($invp);
          }
          // Validate the end output
          $output = htmlentities($invp);
          return $output;
      }

      Example of validateGet Use

      $id = validateGet("id", 1, null);
      switch($id){
          default:
              echo $id;
              break;
      }

      The script above, designed to print the output of ?id ($id), prints all output when validated; however, it removes all HTML/script elements. Please let me know what you think.

      - Travis
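As an added example (not code from Travis or anyone in the thread), here is how the three concerns mixed together in the validate functions above are kept apart: type validation on input, bound parameters for the SQL, and HTML escaping once, at output time. The table, rows and requests are constructed, using an in-memory SQLite database so the script runs stand-alone.

```php
<?php
// Added example, not from the original thread. The products table and the
// requests below are constructed; SQLite stands in for MySQL so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO products VALUES (1, 'Tower <PC> & \"Monitor\"')");

// 1. Input: validate type and range. An id is a positive integer or the
//    request is rejected outright; nothing is "cleaned" or escaped.
function requireIntParam(array $source, $name)
{
    $value = isset($source[$name]) ? $source[$name] : null;
    $id = filter_var($value, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        http_response_code(400);      // PHP >= 5.4
        exit('Bad request');
    }
    return $id;
}

// 2. SQL context: bind the value; it never becomes part of the query text,
//    so no mysql_real_escape_string() step is needed.
function findProduct(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 3. HTML context: escape exactly once, when echoing, with quotes and
//    charset specified. Data in the database stays unescaped.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed request ?id=1' OR '1'='1 : fails validation before any query runs.
assert(filter_var("1' OR '1'='1", FILTER_VALIDATE_INT) === false);

// Constructed request ?id=1 : bound lookup, then escaped on output.
$_GET = array('id' => '1');
$product = findProduct($pdo, requireIntParam($_GET, 'id'));
echo '<h1>' . h($product['name']) . '</h1>';
// Output: <h1>Tower &lt;PC&gt; &amp; &quot;Monitor&quot;</h1>
```

Applying htmlspecialchars(), mysql_real_escape_string() and htmlentities() in sequence, as the validate functions do, stores double-encoded text and still leaves a query built by string concatenation; one check per context is both simpler and stronger.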
  14. You're a beast. Thank you for your help, mjdamato. This code you provided works perfectly and is what I need. So far it is doing exactly what I want it to, and that is selecting and highlighting the associated categories. Code used (provided by mjdamato):

      $p_id = (int) $_GET['p_id']; // cast to integer so the id cannot carry anything but a number into the query
      $query = "SELECT C.ID, C.Name, IF(C.ID = PC.Cat_ID, 1, 0) AS selected
                FROM Categories AS C
                LEFT JOIN Product_Categories AS PC ON C.ID = PC.Cat_ID AND PC.Product_ID = $p_id
                ORDER BY C.Name";
      $result = mysql_query($query) or die(mysql_error());
      //Create options list
      $catOptions = '';
      while($option = mysql_fetch_assoc($result))
      {
          $selected = ($option['selected']==1) ? ' selected="selected"' : '';
          $catOptions .= "<option value=\"{$option['ID']}\" $selected>{$option['Name']}</option>\n";
      }
      ?>
      <select name="p_categories" multiple='multiple'>
      <?php echo $catOptions; ?>
      </select>
  15. I have been messing with your code, but in my experimentation I have not found a way to make it work the way I want. ?p_id is the $_GET['p_id']; i.e., Http://www.YourDomain.com/products.php?p_id=10

      Here is the code I have been messing around with. It is yours; however, I am trying to get it to display the information I need correctly.

      $query = "SELECT C.ID, C.Name, IF(C.ID = PC.Cat_ID,1, 0) AS selected
                FROM Categories AS C
                LEFT JOIN Product_Categories AS PC ON C.ID = '". $_GET['p_id'] ."'
                ORDER BY C.Name";
      $result = mysql_query($query);
      //Create options list
      $catOptions = '';
      while($option = mysql_fetch_assoc($result))
      {
          $selected = ($option['selected']==1) ? ' selected="selected"' : '';
          #$catOptions .= "<option value=\"{$option['ID']}\">{$option['Name']}</option>\n";
          #$catOptions .= "<option value='". $option['ID'] ."'>". $option['Name'] ."</option>";
          $catOptions .= "<option>". $option['selected'] ."</option>";
      }
      ?>
      <select name="p_categories" multiple='multiple'>
      <?php echo $catOptions; ?>
      </select>

      It should get the ?p_id, find the product in product_categories, every row. List which row it's in; it does not matter how many times. Then you gather the category table rows and display them. The rows in which the product is listed from product_categories will be selected or highlighted in the select box. I am sorry if I am causing an inconvenience, and I want you to know that I have been experimenting all night with the code.

      - Travis