Posts posted by davidannis

  1.  

    I'm not sure what davidannis means by using data like the e-mail address as a “salt”. That's not a salt, and I don't see the point of this.

    My reasoning is as follows: If you just hash passwords, a user who uses a password like "password" is vulnerable to anyone who has run a dictionary through the salting algorithm and gets a copy of the hashed passwords.

    Concatenating a fixed salt (e.g. "X2wq9K") to all passwords before hashing means two users both with the password "password" will get the same hashed value as each other, and a hacker trying to run the dictionary through the hashing algorithm would need to also add the hash. If the hash is compromised, running the dictionary plus the hash will be enough to compromise both accounts.

    So, we want to concatenate each password with a unique salt before we hash it. One way is to create a different random salt for each record (e.g. "X2wq9K" for the first password, "adjkhf88383!" for the second, etc.). An attacker who gets the file with all the salts and a file with all the passwords would then need to run the dictionary plus each salt (and since there is one per user, each user) through the hashing algorithm, which is very resource intensive. However, if instead of running a concatenated value of $random_salt.$password through the hash I run $email.$password.$user_id through the hash, an attacker needs to run the dictionary once per user and I get the same benefit as I would with a random salt, without having to create a random salt for each record and without storing the salt in the db (making guessing which field or fields make up the salt more difficult for an attacker). Because the hashed value of a concatenated password and email is essentially as random as the hashed value of a password plus a random salt, we lose nothing. There is, however, the additional overhead of needing to require a password, to check it, and to rehash if the fields used to hash are changed.
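    The four schemes compared in the post, as an added example (not code from the post or its author). It uses PBKDF2-HMAC-SHA256 in place of a bare hash, feeds the e-mail and user id in as the PBKDF2 salt rather than concatenating them into the password, and the sample users, the dictionary and the iteration count are constructed for the demo. It shows the two properties the post argues about: identical passwords collide under no salt or a fixed salt but not under a random or a derived salt, a dictionary attack costs len(dictionary) against fixed-salt hashes but len(dictionary) * users against per-user salts, and a derived salt stops verifying as soon as the e-mail changes, which is the rehash overhead the post mentions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 20_000        # PBKDF2 work factor, kept low so the demo runs quickly
FIXED_SALT = b"X2wq9K"     # the post's example of a single site-wide salt


def _pbkdf2(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hash_unsalted(password: str) -> bytes:
    """No salt: equal passwords produce equal hashes."""
    return _pbkdf2(b"", password)


def hash_fixed_salt(password: str) -> bytes:
    """One site-wide salt: equal passwords still produce equal hashes."""
    return _pbkdf2(FIXED_SALT, password)


def hash_random_salt(password: str, salt: Optional[bytes] = None):
    """Per-record random salt; the salt has to be stored next to the hash."""
    if salt is None:
        salt = os.urandom(16)
    return salt, _pbkdf2(salt, password)


def hash_derived_salt(email: str, user_id: int, password: str) -> bytes:
    """The post's alternative: a salt built from fields already in the record
    (e-mail and user id), so there is no separate salt column to store."""
    return _pbkdf2(f"{email}|{user_id}".encode(), password)


def verify(stored: bytes, candidate: bytes) -> bool:
    return hmac.compare_digest(stored, candidate)


def crack_fixed_salt(stored, dictionary):
    """Dictionary attack on fixed-salt hashes: hash each word once, then look up
    every stored hash in the table. Work is len(dictionary), however many users."""
    table = {hash_fixed_salt(word): word for word in dictionary}
    found = {h: table[h] for h in stored if h in table}
    return found, len(table)


def crack_derived_salt(records, dictionary):
    """Same attack on per-user salts. records are (email, user_id, hash); the whole
    dictionary has to be re-hashed for each user, so work is
    len(dictionary) * len(records)."""
    found, work = {}, 0
    for email, user_id, stored in records:
        for word in dictionary:
            work += 1
            if verify(stored, hash_derived_salt(email, user_id, word)):
                found[stored] = word
    return found, work


def demo():
    """Constructed sample users: Alice and Bob both chose the password 'password'."""
    alice = ("alice@example.com", 1, "password")
    bob = ("bob@example.com", 2, "password")
    moved = ("alice@new.example", 1, "password")   # Alice after changing her e-mail
    return {
        "unsalted_collides": hash_unsalted(alice[2]) == hash_unsalted(bob[2]),
        "fixed_collides": hash_fixed_salt(alice[2]) == hash_fixed_salt(bob[2]),
        "random_differs": hash_random_salt(alice[2])[1] != hash_random_salt(bob[2])[1],
        "derived_differs": hash_derived_salt(*alice) != hash_derived_salt(*bob),
        # the overhead the post mentions: once the e-mail changes, the old hash no longer verifies
        "derived_needs_rehash": not verify(hash_derived_salt(*alice), hash_derived_salt(*moved)),
    }


if __name__ == "__main__":
    print(demo())
```

    The random-salt variant stores the salt beside the hash and never needs a rehash; the derived variant saves the column at the price of rehashing on every e-mail change, which is the trade the post describes.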

  2. Your process looks good to me. I do something similar with a few minor differences. I like to use another existing field that does not get passed back to the user for the salt (the user's full name, id number, e-mail, etc.) because then I don't need to store a separate salt for the reset. I also store an expiration date with the reset record and delete it after it has expired.
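    A reset-token store that follows the process described in this post, as an added example (not the poster's code). It hashes the token together with a field that already exists on the user record (the e-mail) instead of storing a separate salt, stores an expiry with the reset record, purges expired records, and makes each token single use. The in-memory dictionaries, the one-hour lifetime and the injectable clock are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumed lifetime; the post only says an expiration date is stored


class ResetStore:
    """In-memory stand-in for a reset table: user_id -> (token_hash, expires_at)."""

    def __init__(self, users, now=time.time):
        self.users = users      # user_id -> e-mail, the existing field used as the salt
        self.resets = {}
        self.now = now          # injectable clock so expiry can be tested

    def _digest(self, user_id, token):
        # The token is combined with a field already on the user record (the e-mail)
        # rather than with a separately stored random salt, as the post describes.
        email = self.users[user_id]
        return hashlib.sha256(f"{email}:{token}".encode()).hexdigest()

    def issue(self, user_id):
        """Create a reset record and return the token to send to the user;
        only its hash and the expiry time are kept server-side."""
        token = secrets.token_urlsafe(32)
        self.resets[user_id] = (self._digest(user_id, token), self.now() + TOKEN_TTL_SECONDS)
        return token

    def purge_expired(self):
        """Delete reset records whose expiry has passed."""
        now = self.now()
        for uid in [u for u, (_, exp) in self.resets.items() if exp <= now]:
            del self.resets[uid]

    def redeem(self, user_id, token):
        """True only for a live, unexpired token that matches; the record is then deleted."""
        self.purge_expired()
        rec = self.resets.get(user_id)
        if rec is None:
            return False
        digest, _ = rec
        if not hmac.compare_digest(digest, self._digest(user_id, token)):
            return False
        del self.resets[user_id]   # single use
        return True
```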

  3. I think I have it now. For anyone who may want to see my script looks like this:

    function addRow(tableID) {
      var table = document.getElementById(tableID);

      if (!table) return;

      // insertRow() with no index appends the new row to the table's last tBody
      var row = table.insertRow();
      var cell = row.insertCell();
      cell.innerHTML = '<input type="hidden" name="category_code[]" value="'+tableID+'"><input type="text" name="description[]" size="60">' ;
      var cell2 = row.insertCell(1);
      cell2.innerHTML = '<input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" >' ;

      // Add the new row to the tBody (required for IE)
      var tBody = table.tBodies[0];
      tBody.insertBefore(row, tBody.lastChild);
    }
    
  4. I think I have identified the problems:

      // Now get the inputs and modify their names 
      var inputs = newRow.getElementsByTagName('input');
    
      for (var i=0, iLen=inputs.length; i<iLen; i++) {
        // Update inputs[i]
      }
    

    do nothing and ought to go. Also, trying to use a string where an object is required.

    TypeError: Argument 1 of Node.insertBefore is not an object.
    tBody.insertBefore(newRow, tBody.lastChild);
    

    Now just need to figure out how to create a tr object in js

  5. Those examples were very helpful in understanding, but since the input fields are in a table I need to insert not just the fields but a whole row and getting the row outside of the cell that the add a row button was in was proving challenging, so I decided to try a different tactic. I now have something that comes very close to working. The table looks like this:

    <table id="INCO"><thead><tr><th>Income</th></tr></thead><tbody>
    <tr><td><input type="hidden" name="category_code[]" value="INCO"><input type="text" name="description[]" value="Sales" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="INCO"><input type="text" name="description[]" value="Interest Income" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="INCO"><input type="text" name="description[]" value="" size="60"></td>
            <td><input type="text"  name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    </tbody></table>
    <a href="#" onClick="addRow('INCO');">Add another line</a><br>
    <table id="EXPE"><thead><tr><th>Expense</th></tr></thead><tbody>
    <tr><td><input type="hidden" name="category_code[]" value="EXPE"><input type="text" name="description[]" value="Operating Expenses (excluding Depreciation and Amortization)" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="EXPE"><input type="text" name="description[]" value="Interest expense" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="EXPE"><input type="text" name="description[]" value="" size="60"></td>
            <td><input type="text"  name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    </tbody></table>
    <a href="#" onClick="addRow('EXPE');">Add another line</a><br>
    <table id="CAPX"><thead><tr><th>Capital Expenditures</th></tr></thead><tbody>
    <tr><td><input type="hidden" name="category_code[]" value="CAPX"><input type="text" name="description[]" value="Capital Expenditure" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="CAPX"><input type="text" name="description[]" value="" size="60"></td>
            <td><input type="text"  name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    </tbody></table>
    <a href="#" onClick="addRow('CAPX');">Add another line</a><br>
    <table id="WORK"><thead><tr><th>Working Capital Changes</th></tr></thead><tbody>
    <tr><td><input type="hidden" name="category_code[]" value="WORK"><input type="text" name="description[]" value="Increase (decrease) in working capital" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="WORK"><input type="text" name="description[]" value="" size="60"></td>
            <td><input type="text"  name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    </tbody></table>
    

    and the js looks like this

    function addRow(tableID) {
      var table = document.getElementById(tableID);
    
      if (!table) return;
    
       var newRow = table.rows[1].cloneNode(true);
    
      // Now get the inputs and modify their names 
      var inputs = newRow.getElementsByTagName('input');
    
      for (var i=0, iLen=inputs.length; i<iLen; i++) {
        // Update inputs[i]
      }
    
      // Add the new row to the tBody (required for IE)
      var tBody = table.tBodies[0];
      tBody.insertBefore(newRow, tBody.lastChild);
    }  
    

    the problem is that the cloned row contains the value in the description field, so I tried to replace the line that assigns the cloned row to newRow with:

      var newRow = '<tr><td><input type="hidden" name="category_code[]" value="'+tableID+'"><input type="text" name="description[]" value="Sales" size="60"></td><td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>';
    

    but when I do that the script appears to do nothing when I click add a row.

  6. I have a website with a variable number of inputs in various categories. I want to allow the user to add rows to the table with the input lines in every category.  The table looks like this:

    <tr><th>Working Capital Changes</th></tr><tr><td><input type="hidden" name="category_code[]" value="WORK"><input type="text" name="description[]" value="Increase (decrease) in working capital" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="WORK"><input type="text" name="description[]" value="" size="60"></td>
            <td><input type="text"  name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><th>Depreciation and Amortization</th></tr><tr><td><input type="hidden" name="category_code[]" value="DEPR"><input type="text" name="description[]" value="Depreciation and Amortization (for taxes)" size="60"></td>
            <td><input type="text"  name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    <tr><td><input type="hidden" name="category_code[]" value="DEPR"><input type="text" name="description[]" value="" size="60"></td><td><input type="text"  name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
    

    I tried adding the following near the top of the page:

        <script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
        <script type="text/javascript">
        var count = 0;
        $(function(){
            alert ('wow');
            $('tr#add_field').click(function(){
                alert ('whee');
                count += 1;
                $('#container').append('<table><tr><td><input id="field_' + count + '" type="hidden" name="category_code[]" value="DEPR"><input type="text" name="description[]" value="" size="60"></td><td><input type="text"  name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr></table>' );
            });
        });
        </script>
    

    I get the wow alert on page load and whee when I click the link:

    <tr id="add_field"><th><a href="#">Click to add another line</a></th></tr>
    

    that I added to the bottom of the table before the </table> but I do not get an additional line

     

    I have tried moving the add_field line outside of the table and changing the <tr></tr> to a <p></p> but that does not help. 

  7. I have tried to delete from multiple tables using a variety of queries and I'm getting closer.

    DELETE projection, projection_detail FROM projection INNER JOIN projection_detail 
    ON projection.projection_id=projection_detail.projection_id WHERE company_valuation_id='1' and year='1'
    

    almost works. However, unless my testing is wrong, it leaves rows in the projection table that have no detail in the projection detail table.

  8. I have two tables, one (projection) with a description of each item in a projected financial statement and the second (projection_detail) with detail for each row. The detail file can have 1 (annual), 4 (quarterly), or 12 (monthly) rows for each row in the projection file. Table structures are projection:

    +----------------------+-----------------------+------+-----+---------+----------------+
    | Field                | Type                  | Null | Key | Default | Extra          |
    +----------------------+-----------------------+------+-----+---------+----------------+
    | projection_id        | int(10) unsigned      | NO   | PRI | NULL    | auto_increment |
    | company_valuation_id | mediumint(8) unsigned | NO   | MUL | NULL    |                |
    | year                 | smallint(5) unsigned  | NO   |     | NULL    |                |
    | category_code        | char(4)               | NO   |     | NULL    |                |
    | description          | varchar(60)           | NO   |     | NULL    |                |
    | amount               | decimal(12,2)         | NO   |     | NULL    |                |
    +----------------------+-----------------------+------+-----+---------+----------------+
    
    

    and projection_detail

    mysql> describe projection_detail;
    +---------------+----------------------+------+-----+---------+-------+
    | Field         | Type                 | Null | Key | Default | Extra |
    +---------------+----------------------+------+-----+---------+-------+
    | projection_id | int(10) unsigned     | NO   | PRI | NULL    |       |
    | period        | smallint(5) unsigned | NO   | PRI | NULL    |       |
    | amount        | decimal(12,2)        | NO   |     | NULL    |       |
    +---------------+----------------------+------+-----+---------+-------+
    

    I can select all the data for a year using something like this:

    SELECT *
    FROM projection
    JOIN projection_detail ON projection.projection_id = projection_detail.projection_id
    WHERE company_valuation_id = '1'
    AND year = '1'
    

    but I want to DELETE those rows from both tables and this gives me an error.

    DELETE FROM projection JOIN projection_detail ON projection.projection_id=projection_detail.projection_id WHERE company_valuation_id='75' and year='1' 
    
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'JOIN projection_detail ON projection.projection_id=projection_detail.projection_' at line 1
    

    How do I delete a year's data from both tables without having to loop in php?

     

    Thanks,

    David

     

    Edit: The amount column in projection is left over from when all projections were annual and will be deleted.

    I'm open to other suggestions on a better way to structure the tables.
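    A working version of the year delete across both tables, as an added example (not the poster's code or query). SQLite stands in for MySQL, so the MySQL multi-table DELETE syntax is not used; the schema is adapted from the DESCRIBE output above with one deliberate change, ON DELETE CASCADE on the detail table, and the sample rows are constructed. The reason the INNER JOIN form leaves header rows behind is that an inner join only matches parents that have at least one detail row, so a projection line with no detail never qualifies; the fix is to drive the delete from the parent's own columns and let the cascade (or a second statement in the same transaction) remove the children. Values go in as query parameters rather than being quoted into the SQL string.

```python
import sqlite3

# Schema adapted from the post's DESCRIBE output; SQLite stands in for MySQL.
SCHEMA = """
CREATE TABLE projection (
    projection_id        INTEGER PRIMARY KEY,
    company_valuation_id INTEGER NOT NULL,
    year                 INTEGER NOT NULL,
    category_code        CHAR(4) NOT NULL,
    description          VARCHAR(60) NOT NULL
);
CREATE TABLE projection_detail (
    projection_id INTEGER NOT NULL REFERENCES projection(projection_id) ON DELETE CASCADE,
    period        INTEGER NOT NULL,
    amount        DECIMAL(12,2) NOT NULL,
    PRIMARY KEY (projection_id, period)
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # SQLite ignores REFERENCES without this
    db.executescript(SCHEMA)
    return db


def seed(db):
    """Constructed sample data. Valuation 1, year 1 has an annual line (1 detail
    row), a quarterly line (4 rows) and a header line with no detail rows at all;
    that last one is exactly what an INNER JOIN delete can never reach."""
    db.executemany("INSERT INTO projection VALUES (?,?,?,?,?)", [
        (1, 1, 1, "INCO", "Sales"),
        (2, 1, 1, "EXPE", "Interest expense"),
        (3, 1, 1, "CAPX", "Capital Expenditure"),   # no detail rows
        (4, 1, 2, "INCO", "Sales"),                  # other year, must survive
        (5, 2, 1, "INCO", "Sales"),                  # other valuation, must survive
    ])
    db.executemany("INSERT INTO projection_detail VALUES (?,?,?)",
                   [(1, 1, 1000.00)] + [(2, p, 25.00) for p in (1, 2, 3, 4)]
                   + [(4, 1, 1200.00), (5, 1, 5.00)])
    db.commit()


def parents_without_detail(db):
    """Projection rows that have no detail rows (the ones a join-based delete misses)."""
    return [r[0] for r in db.execute(
        "SELECT p.projection_id FROM projection p LEFT JOIN projection_detail d "
        "ON d.projection_id = p.projection_id WHERE d.projection_id IS NULL ORDER BY 1")]


def delete_year(db, valuation_id, year):
    """Drive the delete from the parent's own columns; the cascade removes the
    detail rows. Returns the number of projection rows deleted."""
    with db:   # one transaction: commit on success, roll back on error
        cur = db.execute(
            "DELETE FROM projection WHERE company_valuation_id = ? AND year = ?",
            (valuation_id, year))
    return cur.rowcount


def delete_year_two_statements(db, valuation_id, year):
    """Same result without relying on a cascade: children first (by subquery),
    then parents, inside a single transaction so a failure leaves nothing half-done."""
    with db:
        db.execute(
            "DELETE FROM projection_detail WHERE projection_id IN "
            "(SELECT projection_id FROM projection WHERE company_valuation_id = ? AND year = ?)",
            (valuation_id, year))
        cur = db.execute(
            "DELETE FROM projection WHERE company_valuation_id = ? AND year = ?",
            (valuation_id, year))
    return cur.rowcount


def remaining_ids(db):
    """(projection ids left, distinct projection ids still referenced by detail rows)."""
    parents = [r[0] for r in db.execute("SELECT projection_id FROM projection ORDER BY 1")]
    children = [r[0] for r in db.execute(
        "SELECT DISTINCT projection_id FROM projection_detail ORDER BY 1")]
    return parents, children
```

    With a real foreign key in MySQL (InnoDB) the same ON DELETE CASCADE works, and the single parent-side DELETE is all the application has to issue; the two-statement form is the fallback where the schema has no foreign key.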

  9. I like to mock up pages in a word processor, describe what they'll do, lay out the database in phpMyAdmin or even excel, then start coding. I look for things I am already doing that can be done better with automation. So far I have done business valuations (which I do for work), Japanese learning (for fun), and SEO tracking (for both). I also volunteer to code for non-profits which brings interesting projects.

     

    I'm not great, but I code well enough to get things done. The ability to get things written is a better starting goal IMHO.

  10.  

    Then I write the escape code ( I think it is only necessary in the input, not the radiobutton).

    NO, you need it for the radiobutton name too or I can create a form like this:

    <form action="http://yourserver/yourscript" method="POST">
    <input type="text" name="yourRadioButtonName" value="my malicious code">
    <input type="submit">
    </form> 
    

    or I can just write a script to submit directly to your script. Either way, you leave me a huge security hole.
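    Server-side handling that takes the point above seriously, as an added example (not the poster's code). Because the client can submit any value for any field, hidden inputs, radio buttons and select lists included, every field is checked against what the server expects rather than merely escaped. The form fields are the ones from the financial projection form posted earlier on this page (category_code[], description[], amount[1][]), the allowed category list and the 60-character limit come from that page's HTML and schema, and the dict passed in stands in for PHP's $_POST.

```python
from decimal import Decimal, InvalidOperation

# Category codes the page's own tables use; anything else arriving in the hidden
# category_code[] field was put there by the client, not by the form.
ALLOWED_CATEGORIES = {"INCO", "EXPE", "CAPX", "WORK", "DEPR"}
MAX_DESCRIPTION = 60              # the varchar(60) column from the post's schema
AMOUNT_LIMIT = Decimal("1e10")    # decimal(12,2) holds at most 10 integer digits


class FormError(ValueError):
    """Raised for any field the server cannot account for; the caller answers 400."""


def parse_amount(raw):
    """The client-side formatNumber2Comma() may have inserted commas, or may never
    have run at all (a hand-built form has no onblur), so re-parse on the server."""
    cleaned = raw.strip().replace(",", "")
    if cleaned == "":
        return Decimal("0.00")
    try:
        value = Decimal(cleaned)
    except InvalidOperation:
        raise FormError("amount is not a number: %r" % raw)
    if not value.is_finite() or abs(value) >= AMOUNT_LIMIT:
        raise FormError("amount out of range: %r" % raw)
    return value.quantize(Decimal("0.01"))


def parse_projection_form(post):
    """`post` mirrors PHP's $_POST for the page's form: parallel lists under
    'category_code' and 'description', and post['amount'][period] for the amounts
    (only period 1 is handled here). Returns validated (code, description, amount) rows."""
    codes = post.get("category_code", [])
    descs = post.get("description", [])
    amounts = post.get("amount", {}).get(1, [])
    if not (len(codes) == len(descs) == len(amounts)):
        raise FormError("parallel field arrays differ in length")
    rows = []
    for code, desc, amount in zip(codes, descs, amounts):
        if code not in ALLOWED_CATEGORIES:          # allow-list check, not escaping
            raise FormError("unknown category_code: %r" % code)
        desc = desc.strip()
        if len(desc) > MAX_DESCRIPTION:
            raise FormError("description longer than %d characters" % MAX_DESCRIPTION)
        if desc == "":
            continue                                # the blank trailing line each table ships with
        rows.append((code, desc, parse_amount(amount)))
    return rows
```

    Escaping protects the SQL statement; it does not stop a forged category code or a non-numeric amount from being stored, which is why the allow-list and the numeric parse come first and the database write (with parameters, not string building) comes after.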

  11. From looking at the script it looks like the form is very long so I think the OP wants the user to be able to suspend in the middle and come back to complete the form. Is that right?

  12. Here's what I'd do on question 2:

    You need a select with an "Other" or not in list value. In this example I have one for corporate structure:

    <p>Corporate Structure:<SELECT NAME="corp_struc_code"  id="corpstructure"   onclick='corpstructurejs()' >
    <OPTION VALUE="OTH"> Other </OPTION><OPTION  SELECTED  VALUE="CCORP"> C Corporation </OPTION>
    <OPTION  VALUE="LLP"> Limited Liability Partnership </OPTION><OPTION  VALUE="PARTNE"> Partnership </OPTION>
    <OPTION  VALUE="SCORP"> S Corporation </OPTION><OPTION  VALUE="PROPRI"> Sole Proprietorship </OPTION>
    <OPTION  VALUE="LLC"> The company is organized as an LLC </OPTION></select></p>
    <div id="corpstructurejsOTH" style="display: none;"><textarea name="corporate_structure" cols="70" rows="4" >YOU NEED TO ECHO THE OTHER VALUE HERE IF IT ALREADY EXISTS</textarea></div>
    

    When you click on the SELECT LIST it executes the corpstructurejs()

    In it you need a function to show a text input if the value is not in the list:

    <script type="text/javascript">
    function corpstructurejs() {
        if (document.getElementById('corpstructure').value == 'OTH') {
            document.getElementById('corpstructurejsOTH').style.display = 'block';
        } else {
            document.getElementById('corpstructurejsOTH').style.display = 'none';
        }
    }
    </script>

    Then on SUBMIT, you need to record the answer. In this case, I store the other value in a different table, so I've quickly edited a bit of code to do what you want, but it is untested.

        $rfs = mysqli_real_escape_string($link, $_POST['reason_for_selling_code']);
        if ($rfs != 'OTH') {
            $query = "SELECT * from select_reason_for_selling where code='" . $rfs . "'";
            $result = mysqli_query($link, $query);
            $reason = mysqli_fetch_assoc($result);
        } else {
            $select = "INSERT INTO mytablename VALUES ('$my_escapedvalue1','$my_escaped_value_2')";
            // Do the rest of the insert into your table here
        }
    //do something with their choice here. 
    
  13. I think you should just submit and use php header() to redirect. Using Ajax is great to save time and bandwidth so the entire page need not be retransmitted from the server but there is no advantage to using it to redirect since after the redirect the server will transmit the entire page anyway. Even if you can get it to work it does not save you time or bandwidth.

  14. Hi davidannis,

     

    Thanks for your great reply and for your help. Only I want it a little bit different, I think. It's not that there is a right or wrong answer to the questions. I want to work with points. So if a user chooses answer A, for example, I want to add 2 points to all products; if they choose B, I want to add 3 points to all products, etc. The points are different with each question. In the end, the product with the most points is number 1!

     

    Please tell me how I can make this? I'm willing to learn and try things out, but I need to know how to start. I hope you can help me!

     

    Thanks!!! Really appreciate it!

    What I did will add one point to each product for every answer that the user picks which agrees with the value for that product in the database. Adding 2 points to all products (I assume just those products that agree with the user's preference) for one question and 3 points to all products that agree with another question requires an additional field in the database that tells how many points a question is worth.

  15. Not really enough detail in the question to give a great answer but either submit the form and serve a new page which is easy but takes more computing resources or use Ajax (which is difficult but fast). Post what you have tried for a more specific answer.

  16. No. Keeping scripts and static files on separate domains is a wise decision, because there's absolutely no reason to have the client send their entire set of PHP-related cookies to every single CSS file, image or whatever.

    Depends on the situation. I can picture a header that needs only a few files and a client who would break the page on site1 by changing the name or location of a css file without thinking through the consequences. Besides, I wonder if the OP is dealing with a client or just trying to replicate the look and feel of another of his own sites.
