schwim

Everything posted by schwim

  1. It would be a good time to talk about what writing a PHP script consists mostly of, especially when new to it. Writing the code is actually the smallest portion of it all. You should be spending the majority of your time trying to break it and trying to exploit it. By breaking, as an example, you would try to input unexpected values in your form, leaving things empty, skipping processes, etc. You need to write code that recovers from things like this, not just for the user's experience but for your protection. Exploitation is what's being discussed here. Header injections, SQL exploits, things like that can often be protected against just by using good code, good classes (like PHPMailer, as an example, for mail capabilities) and utilizing built-in features like var sanitation through PHP. It's cool if you don't understand what all this means yet, but instead of writing an email form that can be exploited, you should be focusing on learning. Everyone being hammered by spam through your exploitable email form would thank you for it.
  2. Since it was Personal Home Page and I'm still no good at it.
  3.

```php
<td>
  <img src="<?php echo htmlspecialchars($item["image"]); ?>" style="text-align:left; font-size:12px; font-family:TimeBurner;" class="cart-item-image" />
  <?php echo htmlspecialchars($item["name"]); // escape anything that came from the database or a user before echoing it into HTML ?>
</td>
```

@benanamen is absolutely correct that your styles don't belong inline, but I often do testing inline before moving it to my CSS file. If you're trying to add the style to your image, that's how you'd do it.
  4. I would say for your needs, Wordpress would be most suitable. Joomla seems more suited toward forum community and massive cataloging type sites. Wordpress, on the other hand, excels at serving informational pages out of the box. Of course, you can add extensions that provide forums, galleries, etc., etc., but it was born as a weblog software, so it's right up your alley. Another benefit of Wordpress is that there are literally thousands of themes for you to peruse and choose as a jumping off point for your project.
  5. The site is a bit disingenuous. It's sort of like Linux flavors; yes, there are thousands to choose from, but most are abandonware, poorly coded and full of security holes and bugs. If you're into tinkering, that site would be a good starting point, but if you actually want a CMS you can use out of the box, I'd stick with one of the well known offerings.
  6. You would just retrieve role from the users table. If the role is user, forward to one page and if the role is admin, forward them to another. Additionally, you would need a role check on each page to ensure that the logged in user didn't manually visit a protected page.
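The role check the post describes, as an added example that is not schwim's code: a guard called at the top of every protected page, so a logged-in user who types the address of an admin page by hand is refused rather than served. It assumes the login step copied the user's id and role from the users table into $_SESSION; the file and page names are hypothetical.

```php
<?php
// Added example (not schwim's code): a per-page role guard. Assumes the login
// step stored the user's id and role from the users table in $_SESSION.
declare(strict_types=1);

/**
 * Stop the request unless the session holds one of the allowed roles.
 * Call this before any output on every protected page, so a user who visits
 * /admin.php directly is redirected or refused instead of seeing the page.
 */
function require_role(array $allowed, string $login_url = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Not logged in at all: send to the login form.
    if (empty($_SESSION['user_id']) || empty($_SESSION['role'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    // Logged in but with the wrong role: refuse rather than silently render.
    if (!in_array($_SESSION['role'], $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/**
 * After a successful login, pick the landing page from the role read out of the
 * users table. Any role other than admin goes to the ordinary user page.
 */
function landing_page_for(string $role): string
{
    return $role === 'admin' ? '/admin/index.php' : '/user/index.php';
}

// Usage at the top of admin/index.php (auth.php is a hypothetical file holding the functions above):
//   require_once __DIR__ . '/../auth.php';
//   require_role(['admin']);
```

The redirect after login is only a convenience; the require_role() call on each page is what actually enforces the separation.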
  7. Thank you very much for that. As a layman, I would have had no idea the scope of working with session storage and its pitfalls.
  8. The general rule is that you can never trust client input, so if you're thinking along that line of thinking and with your needs, it's going to be susceptible to exploitation attempts no matter what you do. They're either able to spoof session data, they can modify the form input carried over from a previous page, or they simply find a way to move back a page when you didn't want them to. Since nothing was mentioned regarding why you wouldn't use SESSION in this case other than because PHP says so, I would still consider that a viable option for this example. I've used it for well over a decade and have never run into an issue that kept me from using it successfully in cases such as these. I would sanitize the input, store it and use it on the next page load, regardless of whether that page load is on the same page or a different one. It would require less coding and, barring input from the others that are much more savvy than I at coding, I can't see a shortcoming to it.
  9. Hi there Hansen, Your question, while simple, comes down pretty much exclusively to how you like to learn something. My preference of digging in and learning a little bit at a time during a trial by fire via picking a small project or a tutorial found on the web and supplementing it by asking questions on a forum such as this may seem like folly to someone else that feels you need to read some books and take some courses. Looking at your site's code, it looks like you're just running a Wordpress site, so most of what you're looking at would be done in the web panel and, when modifying its PHP elements, would take a bit more circuitous route. Instead of modifying the PHP, there are some additional things to take into account being in the WP walled garden, so learning how WP works and what it expects in code modules would be another thing to learn about. For your case in particular, I'd find out how your forms are being built, whether it's a Wordpress addon or something homegrown. Once you know that, you'll have a better idea of how to get started in modifying it.
  10. If you want a more persistent login than solely relying on PHP sessions, save a random token to the db and store it in a cookie. If the user shows up in a different PHP session, check the token against the latest active stored in the db. If they differ, scrap all logins for that user and point them towards the login.
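The token scheme the post outlines, as an added example that is not schwim's code: a random token goes into a cookie, only its hash is stored in the database, and a cookie that does not match the stored value revokes the stored token and sends the visitor back to the login page. It assumes a PDO connection $db and a column users.remember_hash; both are hypothetical.

```php
<?php
// Added example (not schwim's code): persistent login via a random token in a cookie,
// checked against the users table. Assumes a PDO connection $db and a hypothetical
// column users.remember_hash holding the SHA-256 of the most recently issued token.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';

/** Issue a fresh token: store only its hash server-side, send the raw token in the cookie. */
function issue_remember_token(PDO $db, int $user_id): void
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG, never from rand()/uniqid()
    $hash  = hash('sha256', $token);         // a leaked table row cannot be replayed as a cookie

    $stmt = $db->prepare('UPDATE users SET remember_hash = ? WHERE id = ?');
    $stmt->execute([$hash, $user_id]);

    // The cookie carries the user id as a selector so a stale token can be revoked for that user.
    setcookie(REMEMBER_COOKIE, $user_id . ':' . $token, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,                  // only over HTTPS
        'httponly' => true,                  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/**
 * For a request that arrives without a live PHP session. Returns the user id when the
 * cookie matches the latest stored token; otherwise clears the stored token (so every
 * copy of the cookie dies) and returns null, and the caller redirects to the login page.
 */
function user_from_remember_cookie(PDO $db): ?int
{
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                          // absent or malformed: treat as not logged in
    }
    [, $id, $token] = $m;
    $id = (int) $id;

    $stmt = $db->prepare('SELECT remember_hash FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();

    if (is_string($stored) && hash_equals($stored, hash('sha256', $token))) {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        session_regenerate_id(true);          // new session id before trusting the visitor
        $_SESSION['user_id'] = $id;
        return $id;
    }

    // Mismatch or no stored token: scrap the persistent login for this user entirely.
    $db->prepare('UPDATE users SET remember_hash = NULL WHERE id = ?')->execute([$id]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
    return null;
}
```

Comparing hashes with hash_equals() rather than == keeps the check constant-time, and regenerating the session id on every promotion from cookie to session prevents a fixated session id from surviving the login.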
  11. You didn't provide the form so there's no way to see what's being sent, but you can do some print statements to see if that file is getting the data it expects:

```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
session_start();
require_once '../ayar/baglan.php';

$sonuc = false; // defined even when the form was not submitted, so the check below never reads an undefined variable

if (isset($_POST['ekle'])) {
    print('POST data received');
    $baslik = $_POST['baslik'];
    $icerik = $_POST['icerikici'];
    $yazar  = $_POST['yazar'];
    $ekle   = "insert into icerik (baslik,icerik,yazar) values ('$baslik','$icerik','$yazar')";
    $sonuc  = mysqli_query($veri, $ekle);
}

if ($sonuc) {
    header("location:yonetim.php");
} else {
    print('SQL not executed: ' . mysqli_error($veri));
}
?>
```
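The same insert written so that the posted text can never become part of the SQL, as an added example that is neither schwim's nor the asker's code. The debugging version above builds the statement by string interpolation, so a value containing a quote changes the query itself. This version binds the three values with a prepared statement, validates the required fields, and logs failures instead of printing them to the browser. It assumes ../ayar/baglan.php still defines the mysqli connection $veri as in the post.

```php
<?php
// Added example (not schwim's or the asker's code): the insert from the post with the
// values bound through a prepared statement. Assumes ../ayar/baglan.php defines $veri.
declare(strict_types=1);
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // failures throw instead of returning false

session_start();
require_once '../ayar/baglan.php';

/** Insert one row. The values are bound as parameters, never interpolated into the SQL text. */
function icerik_ekle(mysqli $veri, string $baslik, string $icerik, string $yazar): bool
{
    $stmt = $veri->prepare('INSERT INTO icerik (baslik, icerik, yazar) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $baslik, $icerik, $yazar);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['ekle'])) {
    // Missing fields become empty strings here; empty required fields are rejected, not inserted.
    $baslik = trim((string) ($_POST['baslik'] ?? ''));
    $icerik = trim((string) ($_POST['icerikici'] ?? ''));
    $yazar  = trim((string) ($_POST['yazar'] ?? ''));
    if ($baslik === '' || $icerik === '') {
        http_response_code(400);
        exit('Title and content are required.');
    }

    try {
        icerik_ekle($veri, $baslik, $icerik, $yazar);
    } catch (mysqli_sql_exception $e) {
        error_log('icerik insert failed: ' . $e->getMessage());  // details go to the log, not the visitor
        http_response_code(500);
        exit('Could not save.');
    }

    header('Location: yonetim.php');
    exit;   // nothing may be printed before the redirect, or the header is never sent
}
```

Note that the debugging print() in the original runs before header(), which is itself enough to stop the redirect from working once the query succeeds; the hardened version prints nothing before redirecting.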
  12. This is interesting. What's the downside to utilizing SESSION to store data that isn't used elsewhere? Is it slower, prone to failure? I ask because I've used it in the past this way and have never run into a shortcoming that I had noticed. I hope this isn't seen as a derailment to the topic at hand, it's intended to remain relevant to the OP's post.
  13. If you're using relative paths in engine.php and calling that file directly, moving it to a subdir will break the includes. In your example, if engine.php needed functions.php, in root it would look like include('./includes/functions.php'); the single dot meaning start in the current directory whereas, if it were in /process, it would look like include('../includes/functions.php'); the two dots meaning move up to the parent directory. Share your directory structures and include code for more relevant suggestions.
  14. In my mind, if I weren't worried about exploiting SESSION vars(and in your usage, I wouldn't personally), I'd use SESSION as it would require less overhead and would result in less code. If you were looking to save for later use(like user leaving and returning later), then I'd look at using the db to store the values.
  15. Depending on the complexity of the script in question, it may simply be a case of renaming some of the functions to the mysql version. https://dzone.com/articles/convert-mysql-to-mysqli
  16. I've found a bit more out about my problem. If the Primary cat is the category matched, it shows regardless of whether it's marked as read. If, however, it's a secondary category that the match was made on, it disappears properly when it's viewed.

```php
$q_urls = "
    SELECT * FROM shortenified_urls
    WHERE EXISTS (
        SELECT * FROM shortenified_urls
        WHERE shortenified_urls.primary_cat = $vu_cat_view
          AND shortenified_urls.date_added > $vu_mark_as_read -- This part is persisting in spite of read status
           OR EXISTS (
               SELECT link_id FROM linkcats
               WHERE link_id = shortenified_urls.id
                 AND cat_id = $vu_cat_view -- This part is honoring whether it's been read or not.
           )
    )
    AND NOT EXISTS (
        SELECT lid FROM linkviews
        WHERE lid = shortenified_urls.id
          AND uid = $viewing_user_id
    )
    AND shortenified_urls.is_social = '1'
    AND shortenified_urls.active = '1'
    ORDER BY date_added DESC";
```

I would love some insight on what I'm doing wrong, but am plugging away.
  17. Well, my thought of bracketing the first two didn't quite work out as I expected:

```php
$q_urls = "
    SELECT * FROM shortenified_urls
    WHERE EXISTS (
        SELECT * FROM shortenified_urls
        WHERE shortenified_urls.primary_cat = $vu_cat_view
          AND shortenified_urls.date_added > $vu_mark_as_read
           OR EXISTS (
               SELECT link_id FROM linkcats
               WHERE link_id = shortenified_urls.id
                 AND cat_id = $vu_cat_view
           )
    )
    AND NOT EXISTS (
        SELECT lid FROM linkviews
        WHERE lid = shortenified_urls.id
          AND uid = $viewing_user_id
    )
    AND shortenified_urls.is_social = '1'
    AND shortenified_urls.active = '1'
    ORDER BY date_added DESC";
```

That seems to give me unread, but in any category. Kind of the opposite of my first attempt.
  18. Hi there everyone! I've got a problem combining two queries. The situation is this. I've got a list of links and I want to allow the user to get a result list of all, only unread, all in a particular category and then only unread in a particular category.

My query for all:

```php
/* No filtering and no unread */
$q_urls = "SELECT * FROM shortenified_urls
           WHERE is_social = '1' AND active = '1'
           ORDER BY date_added DESC";
```

My query for in a particular category:

```php
/* All links in a particular category */
$q_urls = "
    SELECT * FROM shortenified_urls
    WHERE shortenified_urls.primary_cat = $vu_cat_view
       OR EXISTS (
           SELECT link_id FROM linkcats
           WHERE link_id = shortenified_urls.id
             AND cat_id = $vu_cat_view
       )
      AND shortenified_urls.is_social = '1'
      AND shortenified_urls.active = '1'
    ORDER BY date_added DESC";
```

My query for Unread in all cats:

```php
/* Unread only for all categories */
$q_urls = "SELECT * FROM shortenified_urls
           WHERE shortenified_urls.date_added > $vu_mark_as_read
             AND NOT EXISTS (
                 SELECT lid FROM linkviews
                 WHERE lid = shortenified_urls.id
                   AND uid = $viewing_user_id
             )
             AND shortenified_urls.is_social = '1'
             AND shortenified_urls.active = '1'
           ORDER BY date_added DESC";
```

These seem to be working well. It's the next one that isn't working for me. I tried to combine the "All in a particular category" and "Unread in all categories" using the two above as starting points. The result, however, seems to be that I'm getting all in a particular category. It seems to be ignoring the unread status.

```php
/* Unread links in a particular category */
$q_urls = "
    SELECT * FROM shortenified_urls
    WHERE shortenified_urls.primary_cat = $vu_cat_view
      AND shortenified_urls.date_added > $vu_mark_as_read
       OR EXISTS (
           SELECT link_id FROM linkcats
           WHERE link_id = shortenified_urls.id
             AND cat_id = $vu_cat_view
       )
      AND NOT EXISTS (
           SELECT lid FROM linkviews
           WHERE lid = shortenified_urls.id
             AND uid = $viewing_user_id
       )
      AND shortenified_urls.is_social = '1'
      AND shortenified_urls.active = '1'
    ORDER BY date_added DESC";
```

I'm not smart enough to know why it's not working, but it seems to me like I need to somehow bracket the first two parts containing the category retrieval to make this work right. The only problem is I don't know how to do that. Any help on how to get this to work would be greatly appreciated!
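The bracketing the posts in this thread (items 16, 17 and 18) are looking for, as an added example that is not schwim's code. SQL binds AND more tightly than OR, so the combined query reads as (primary_cat match AND newer than mark-as-read) OR (linkcats match AND not viewed AND social AND active), which is exactly the split behaviour item 16 observed; the "all in a particular category" query has the same ungrouped OR, so its is_social and active filters apply only to the linkcats branch. The fix is to parenthesise the two category tests together. The version below also binds the four values through a prepared statement instead of interpolating $vu_cat_view and friends into the string. It assumes the tables from the thread, a mysqli connection $db, that date_added and $vu_mark_as_read are integer timestamps (they are compared unquoted in the post), and that mysqlnd is available for get_result().

```php
<?php
// Added example (not schwim's code): "unread links in one category" with the OR branch
// grouped and the values bound. Assumes the thread's tables (shortenified_urls, linkcats,
// linkviews), a mysqli connection $db, integer timestamps in date_added, and mysqlnd.
declare(strict_types=1);

/**
 * SQL evaluates AND before OR, so
 *     a AND b OR c AND d
 * means (a AND b) OR (c AND d). The category test has to be grouped explicitly:
 *     (a OR c) AND b AND d
 */
function unread_links_in_category(mysqli $db, int $cat_id, int $viewer_id, int $mark_as_read): array
{
    $sql = "SELECT u.*
              FROM shortenified_urls AS u
             WHERE (u.primary_cat = ?
                    OR EXISTS (SELECT 1 FROM linkcats AS c
                                WHERE c.link_id = u.id AND c.cat_id = ?))
               AND u.date_added > ?
               AND NOT EXISTS (SELECT 1 FROM linkviews AS v
                                WHERE v.lid = u.id AND v.uid = ?)
               AND u.is_social = '1'
               AND u.active = '1'
          ORDER BY u.date_added DESC";

    $stmt = $db->prepare($sql);
    // The category id is bound twice because it appears twice in the grouped test.
    $stmt->bind_param('iiii', $cat_id, $cat_id, $mark_as_read, $viewer_id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (values assumed to come from the session and a validated request parameter):
//   $links = unread_links_in_category($db, (int) $vu_cat_view, (int) $viewing_user_id, (int) $vu_mark_as_read);
```

The same parentheses, (u.primary_cat = ? OR EXISTS (...)) AND ..., fix the "all in a particular category" query once the unread conditions are dropped, so both queries can share the grouped category test.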
  19. Hi there everyone! I'm trying my best to Google my way through this issue, but have run into an issue I can't out-Google. I'm trying to write a script that is receiving an email, breaking it apart into its various components and then storing into a database. I would like to store: from name, from email, to name, to email, subject, headers, body. Here's what I've cobbled together from various tutorials and demos:

```php
<?php
$fd = fopen("php://stdin", "r");
$email_content = "";
while (!feof($fd)) {
    $email_content .= fread($fd, 1024);
}
fclose($fd);

// Split the raw message into lines; the MTA may deliver CRLF or bare LF line endings.
$lines = preg_split("/\r\n|\n|\r/", $email_content);

// Turn "Name <addr>" or a bare "addr" into [name, address].
function split_address($value) {
    $value = trim($value);
    if (preg_match('/^(.*?)\s*<([^<>]+)>$/', $value, $m)) {
        return [trim($m[1], " \t\""), trim($m[2])];
    }
    return ['', trim($value, '<> ')];
}

// Initialise everything so nothing below reads an undefined variable.
$from = ""; $fromname = ""; $fromemail = "";
$to = "";   $toname = "";   $toemail = "";
$subject = ""; $headers = ""; $message = "";
$is_header = true;

// Loop through each line; everything up to the first blank line is the header block.
for ($i = 0; $i < count($lines); $i++) {
    if ($is_header) {
        if (trim($lines[$i]) == "") {
            // Empty line: the header section has ended, the rest is the body.
            $is_header = false;
            continue;
        }
        $headers .= $lines[$i] . "\n";

        // Only the top-level header lines are inspected, so a "From:" quoted inside a
        // forwarded body cannot overwrite the real sender.
        if (preg_match("/^To: (.*)/i", $lines[$i], $matches)) {
            $to = $matches[1];
            list($toname, $toemail) = split_address($to);
        }
        if (preg_match("/^Subject: (.*)/i", $lines[$i], $matches)) {
            $subject = $matches[1];
        }
        if (preg_match("/^From: (.*)/i", $lines[$i], $matches)) {
            $from = $matches[1];
            list($fromname, $fromemail) = split_address($from);
        }
    } else {
        // Content/main message body.
        $message .= $lines[$i] . "\n";
    }
}
// Not handled here: folded (continuation) header lines and MIME multipart bodies.
```

My issues are many. I've got from and to names that don't reflect the true data, the from address will be the original sender and not the most recent sender if it's forwarded, and finally, the body is showing up empty. Clearly, I'm not handling this properly. With all the trouble-ticket-like systems out there, there has to be a fairly bulletproof method of handling this, doesn't there? I'm thinking I've gone about this totally the wrong way. Any help would be greatly appreciated!
  20. Wehheell, thanks for everything guys! It may take me some time to try all of these suggestions, but I promise I will get back to you with a full report of how each of these worked.  It's the least I can do for all the time you've put into it. Again, thanks so much.  I'm humbled at the level of enthusiasm. thanks, json
  21. Hi there guys! I'm having a problem on one of my community sites: my referrers are being spammed. It was easy to block initially, because keywords were in the URLs that would never be found in a legitimate keyword for my site, and I could safely block them. Now the spammers are using ambiguous URLs in hopes of a click to sell their wares, no longer relying on keywords in the URL:

Old referrer: http:// www . buyillegalviagra . com
New referrer: http:// www . mormonsarecool . com/#

The majority of the spam referrers have "/#" appended to them, so I thought I'd simply add a rule blocking that, but I'm having a problem doing that. Here's my current method of blocking via htaccess:

```apache
SetEnvIfNoCase Referer "^/\#" BadReferrer
order deny,allow
deny from env=BadReferrer
deny from 80.227.0.153
deny from 69.16.200.85
<Files 403.shtml>
order deny,allow
allow from all
</Files>
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
```

but it's not working. I created a page linking to my site on another domain, and accessed it with a pound sign at the end of the URL, and when linking, it doesn't get blocked. How do I get my current rule to block any referrers ending with "/#"? I'm very appreciative of any help you might be able to provide. thanks, json
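The referrer test done in PHP so it can be exercised against sample values, as an added example that is not schwim's code. Two things explain why the rule above never fires. First, "^/\#" anchors at the start of the header value, and every real Referer value starts with "http", so the pattern has to anchor at the end instead ("/#$"). Second, browsers strip the fragment before sending Referer (RFC 7231, section 5.5.2), so following a link that ends in "#" never produces "/#" in the header; such values only come from clients that write the header themselves, which is why a browser test cannot trigger the rule and why "/#" is a usable spam marker. The host names and the blocked-host list are constructed for the example.

```php
<?php
// Added example (not schwim's code): the "/#" referrer test as a PHP function, with
// constructed sample values. The Referer header is client-supplied text: it is a hint
// for filtering noise, never a basis for trusting a request.
declare(strict_types=1);

/**
 * True when the referrer should be rejected. The pattern anchors at the END of the value
 * ("/#$"); the htaccess rule in the post used "^/\#", which anchors at the start, where
 * every real referrer begins with "http". Browsers never send a fragment in Referer, so a
 * value ending in "/#" was set by hand by whatever client made the request.
 */
function is_bad_referrer(string $referer, array $blocked_hosts = []): bool
{
    if ($referer === '') {
        return false;                            // direct visits carry no Referer at all
    }
    if (preg_match('~/#$~', $referer) === 1) {
        return true;
    }
    $host = strtolower((string) parse_url($referer, PHP_URL_HOST));
    return $host !== '' && in_array($host, $blocked_hosts, true);
}

// Constructed sample values (not real referrers from the post):
$samples = [
    'http://www.example.org/#'              => true,   // the "/#" marker at the end
    'http://www.example.org/page.html'      => false,  // ordinary link
    'http://www.example.net/#/not-the-end'  => false,  // "/#" only counts at the end
    'http://spam.example/anything'          => false === false, // blocked by host list below
    ''                                      => false,  // no header at all
];
foreach ($samples as $ref => $expected) {
    assert(is_bad_referrer($ref, ['spam.example']) === $expected);
}

// Gate-keeping a request: refuse matches, and log them so the host list can be reviewed.
if (is_bad_referrer($_SERVER['HTTP_REFERER'] ?? '', ['spam.example'])) {
    error_log('blocked referrer: ' . ($_SERVER['HTTP_REFERER'] ?? ''));
    http_response_code(403);
    exit;
}
```

Because the header is attacker-controlled, the corresponding htaccess rule is SetEnvIfNoCase Referer "/#$" BadReferrer, and it can only be tested with a client that sets the header explicitly (for example a hand-written request), not by clicking a link.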
  22. Hi thorpe and thanks very much for the reply. I think I understand what you are saying, but this won't work for my needs. I am writing the script to be an automated testimonial block that people can install on their sites, and their needs will all differ.  Some may be integrating it into a home-brew site, some phpBB, etc. Is there no way to integrate an out of the box script install into an existing site?  I would be quite surprised to find that was the case. Thanks very much for your time, json
  23. Hi there, Are you sending any POST data along with the script when the next page loads?  I got this same error when I was trying to use a user authorization script, and the explanation I found was that once headers are sent and page data starts to get passed, you can't go back and add any more header information. One of the solutions I found was ob_start and ob_end_flush, but I have yet to make this work successfully. thanks, json
  24. Hi there guys, I originally asked this on another forum, but I've either worn out my welcome, or I've stumped them all. I created a script that uses a mysql connection, and it's intended to be inserted as a block in other scripts. I'm attempting to insert it into a forum system, but it's breaking the mysql connection of the forum script when I try to use it. The db connection is made in a config file, and it's called by the block script.

forum db is roughing_forum
my script is roughing_automonial
db client is the same for both

The connection string for my script (config.php):

```php
$autoconn = mysql_connect("$dhost","$dusername","$dpwd") or die ("Unable to connect to database.");
$dbi = mysql_select_db($dbname,$autoconn) or die("Unable to make master connection to database from the config file!" . mysql_error());
```

When I insert the script into the forum via include, I get an error that shows me that the forum is now trying to use my script's db for data:

```text
Fatal error: Database error: 1146: Table 'roughing_automonial.v_pm' doesn't exist - File: /home/roughing/public_html/templates/1/header.html(54) : eval()'d code on line 26 in /home/roughing/public_html/classes/database/mysql.inc.php on line 291
```

So I added the following to the very last line of my block script:

```php
mysql_close($autoconn);
```

With this setup, the error I receive makes it look like my script has now shut down all mysql connections:

```text
Fatal error: Database error: : - File: /home/roughing/public_html/templates/1/header.html(54) : eval()'d code on line 26 in /home/roughing/public_html/classes/database/mysql.inc.php on line 291
```

I don't know what else to do. I tried

```php
$autoconn = null;
```

but that put me back to the first error. Any help in solving this would be greatly appreciated. thanks, json
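What the two errors in the post show, and the fix, as an added example that is not schwim's code. In the old mysql extension, mysql_connect() called with the same host, user and password returns the link that is already open unless its fourth argument (new_link) is true; so the block's mysql_select_db() switched the forum's own link over to roughing_automonial (first error), and mysql_close() then closed the link the forum was using (second error). The modern form of the fix is to give the block a connection object of its own, ideally under its own MySQL user that can only read the block's tables. Host, user and credentials below are placeholders.

```php
<?php
// Added example (not schwim's code). Legacy cause: mysql_connect() with identical
// host/user/password re-used the forum's link unless new_link=true was passed, so
// mysql_select_db() and mysql_close() in the block acted on the forum's connection.
// Modern fix: a separate mysqli object for the block, selected on its own database.
// Host, user, password and database names here are placeholders.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Open a connection that belongs to the block alone; the host application never sees it. */
function block_connection(string $host, string $user, string $password, string $dbname): mysqli
{
    $conn = new mysqli($host, $user, $password, $dbname);   // a distinct object, not a shared link
    $conn->set_charset('utf8mb4');
    return $conn;
}

/** Which database a connection currently points at, to confirm the two stay separate. */
function current_database(mysqli $conn): string
{
    $row = $conn->query('SELECT DATABASE()')->fetch_row();
    return (string) $row[0];
}

// Usage inside the block (hypothetical, least-privilege credentials):
//   $autoconn = block_connection('localhost', 'automonial_ro', 'secret', 'roughing_automonial');
//   // ... the block's queries run on $autoconn; the forum's connection is untouched ...
//   $autoconn->close();   // closes only this object
```

Using a dedicated MySQL user for the block also limits what a bug in the block can reach: it cannot read or alter the forum's tables even when both databases live on the same server.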
  25. Hi AndyB, I tried it both with reg_globals on & off locally through .htaccess, and verifying with phpinfo. I compared the two php.ini files (working and non-working environment), and didn't see much between the two that should cause the problem.

Working environment phpinfo: http://www.schwim.net/info.php
Non-working environment: http://www.roughingthesuspect.com/hold/info.php

You can see on the second machine, reg_globals is on locally. Looking at that, do you see anything that should cause a problem? Thanks very much for taking the time to help. thanks, json