phppup

Everything posted by phppup

  1. Are inline scripts inherently bad structure? Is the value gained from the meta tag worth the hassle of re-organizing my JavaScripts? Or can I get the same level of security from other approaches? I always thought that HTML was the easiest option of a webpage for a malicious actor to exploit. What makes the HTML meta tag any different?
  2. Stumbled across this tag <meta http-equiv="Content-Security-Policy"> and was interested in learning whether the tag is worthwhile, how effective it is, and how to best test its usefulness. Some reading seemed to indicate that once set, you cannot UNSET or lower restrictiveness, so I was confused as to how to test it appropriately. Any information, worthwhile links or advice pertaining to using this tag in association with pages that would interact with PHP and JavaScript code would be appreciated. Thank you.
  3. @mac_gyver I appreciate the additional insight but I generally like to understand the code that I use. Thus, even if I were "handed" a solution, I wouldn't use it unless I would be comfortable with it. I thought my initial post would kick right in and function as planned, but SURPRISE... LOL Meanwhile, I've modified what I had and will manually cut & paste the result to save some keystrokes (unless I find some quick reference to enlighten me). Ironically, I've probably spent MORE keyboard pounding and time overload TRYING to make this work, than the potential time that the dynamic process would ever save. LOL But I suppose that is what makes this so much fun. Thanks to everyone that offered their advice and insight.
  4. I've taken @mac_gyver's advice and abandoned the effort. [PS: Did I miss a solution?? LOL]
  5. I wanted to take a list of table headings and use the identical titles as variables (to save time ... LOL) Tried this
     ```php
     $list = array('fname', 'lname', 'email');
     foreach($list as $val){
         $new = "$".$val;
         echo $new; //see if this is working visually
         $newArray[] = $new;
     }
     print_r($new); //see if this is working visually
     ```
     And while it LOOKS as if it was accomplished, the values are NOT functioning as variables, BUT rather as values that begin with a dollar sign. How can I create $fname, $lname, $email and make them function as variables without physically repeating the keystroke process?
  6. @Strider64 so how would I adapt this instead of a query to SQL that is trying to determine if a username already exists? I'm trying to research and understand race conditions. I always thought that code just moved in a straight line.
  7. I said
     ```php
     $sql = "SELECT id FROM yourTable";
     ```
     instead of
     ```php
     $sql = "SELECT * FROM yourTable";
     ```
     But I guess what I REALLY should post is
     ```php
     $sql = "SELECT id FROM yourTable WHERE id = $yourValue ";
     ```
     I think it would have been more helpful (especially to the initial poster) if @benanamen would have shown the correction as a way to advance progress to a solution.
  8. I'm with @requinix on this one. Although I don't enjoy PDO and haven't used GET, I would approach this by starting this way
     ```php
     $sql = "SELECT id FROM yourTable";
     if($result = mysqli_query($conn, $sql)){
         if(mysqli_num_rows($result) > 0){
             //do stuff to the record that was found
             //and since an id is unique, it will either exist or not
         } else{
             echo "No record was found.";
         }
     }
     ```
     You can then adapt the code with another condition of it's between 0 and 101. BTW, if you're pulling your current info from an array, remember that the FIRST position is ZERO. This could be the problem also.
  9. NULL, NOT NULL, or none? I've read that if a field is NOT NULL, then a new row cannot start until the field is filled. Does this mean that if several users are completing a two part form which will be inserted and then updated, that users completing the form will be "frozen out" until the lead user completed part 2? What exactly occurs and how is it best approached? If PHP is verifying that a username is unique before allowing submission, is there any advantage to using A UNIQUE field in the SQL table? Is it necessary/advised to put a number quantity for field characters [ie: name varchar(22)] ? Are characters beyond the indicated size simply dropped off? Why not simply set everything to the maximum? What is the default? Is this necessary for an auto-increment field?
  10. header("Cache-Control: no-store"); had no effect
  11. @kicken I suppose in the greater scheme of things it's not THAT important. Perhaps I'll just leave the changes and then someday (when I've forgotten about it) I'll take a look and be surprised to see that the button is blue and the phrasing was updated. LOL
  12. @ginerjm And how is that supposed to help me? How does it even relate to the issue I described??? @kicken It's the right file (edited directly on the server and checked the path several times). Alternately, if it were the incorrect file or path, the other changes that DID show up would not have existed. Is there some way to check or clear the server cache? Or do I need to just wait in hopes that sometime in the future the hosting company flips a switch? Still, seems ODD that some changes are being "accepted". If it were cached, wouldn't everything be cached?
  13. @Steveinid and @mac_gyver Sorry if I missed something. I stand corrected and apologize.
  14. Within my PHP code is a section as follows:
      ```php
      echo '<form action="" method="POST"><button type="submit" name="xyz" value="123"> click to apply </button> </form>';
      ```
      There were some issues with scripting that followed, and I thought I had them figured out. But when I implemented my solutions, the results were inconsistent. I went back to the drawing-board several times until I concluded that the problem wasn't so much with my solution as it was with the server/browser SAVE process. I went to the bottom of my file outside of the ?> tag and typed "TEST in HTML" and it appeared on my webpage. I went to the top inside the <? and added echo "TEST PHP"; and it showed up at the top of my page. But when I CHANGE my button from "click to apply" to "never click this button ever ever ever" the "click to apply" remains constant. The characters I replace are not taking effect. I've cleared browser cache and viewed the saved webpage on THREE different PCs on different networks, yet the OLD version continues to appear. Is it me? The code? Seems VERY odd to me. Solution? PS: just REMOVED the entire form code, but the form did not vanish from my webpage.
  15. This is not a forum where someone is going to write the code for you. I suggest you learn the way I do, and use a search engine to help you visit tutorial websites dedicated to your task. You need to find information about using SELECT statements, so "PHP select statement" would be a good start. Some sites are more beneficial than others, so you may want to visit a few to understand variations and implementation. Most good sites will demonstrate a concept and then allow you to click NEXT to expand on your knowledge. You will likely need information to SELECT, use a WHERE statement, and understand JOIN. Good luck, and come back if you run into issues that require coding refinement. That's where this forum is most helpful.
  16. @kicken I guess that's the road I'll have to take. I was surprised to see that target= [which I suppose is really an HTML structure] was a solution to this problem. (I've never had occasion to use it until now) I had originally attacked this issue from a PHP perspective, but after your info, I tried many variations of _blank to resolve this. Some tests created duplicates of the form page, and others negated the new window and opened the data in a new tab (not what I wanted). I did consider the possibility of adding a count++ so that every new window has a unique name but thought I'd see if there was a more simplified option 'built-in' that I wasn't uncovering online. Thanks for your help and let me know if you have any other valuable ideas.
  17. I want the user to have the potential of clicking the same button a million times and having a million open windows on the screen. As it stands now, the code will TARGET one window and refresh it a million times. Please help me achieve MY goal by reading the previous posts. With all due respect, I don't need to use AJAX or add buttons to close windows.
  18. I have a script that ends with mysqli_close($connection); [which I've been told is a "proper" methodology, although not a requirement] I've now decided to add an option of } else { header("Location: https://example.com"); } If conditions force the code to take this route, is the mysqli_close($connection); ever implemented? Is there a Best Practice for addressing this instance?
  19. I'm getting closer, I suppose. Using @kicken's suggestion is giving me a separate window that processes and displays the desired information. But apparently the target="xyz" forces the xyz-page to refresh with each click to submit. As I mentioned to ginerjm, so I want a new window [that would need to be physically closed by the user] with every individual click event.
  20. @ginerjm Yes, absolutely. For example: a form with a drop-down of employee names that will provide data on a totally separate new window. If data for a second employee was requested, a second new window would open to provide that data. Theoretically, these windows could now be placed side by side for comparison and the main form would still be available and unchanged.
  21. I want to have the results of a SQL query appear in a newly launched browser window. As I am aware that this is a JS function, I have managed to accomplish that portion of the task by having the processing script become the new window.
      ```
      action="processing.php" onclick="windowScript()"

      function windowScript(){
          window.open("processing.php");
      }
      ```
      but at this point, the $_POST data is NOT interacting. I suspected that this is because the PHP processing script is no longer directly receiving the submitted data. What is the best way to proceed?
  22. I would think that if the code was successful on PC then the issue causing the problem is NOT the code. Although altering the code and checking for other errors might help. Have you tested the upload process on mobile with different size images? Perhaps the movie has internal settings to limit duration and size of transfers. Is the mobile giving the same results when used through your service provider as it does if connected to WiFi? (Be sure to clear cache BEFORE testing or you may get unreliable results.)
  23. @requinix I understand what you're saying, but at the same time, isn't allowing every keyboard symbol in an input field also offering a skeleton key to a hacker-wannabe? Yes, I expect a person's name to contain only letters (unless you're Elon Musk's kid). But aren't there certain symbols that effectively take the challenge away from a malicious effort if they are accessible (ie: opening tags for code), especially when that code is headed for a database? Or should my question be: what's the best way to secure a db?
  24. Well, there's that. But also the degree of security to thwart malicious efforts and hacking attempts. Let's say for a comment text area to be stored in a db.
  25. While on the subject of being paranoid, what characters are safe to use [or totally unsafe] for usernames and other text inputs? Is a Reg Ex excluding < > ? adequate? (probably not, but is there a basic template to use all around?)