mac_gyver

Staff Alumni
  • Content Count

    4,326
  • Joined

  • Days Won

    114

mac_gyver last won the day on July 21

mac_gyver had the most liked content!

Community Reputation

454 Excellent

1 Follower

About mac_gyver

  • Rank
    Staff Alumni

Profile Information

  • Gender
    Not Telling

Recent Profile Visitors

146,963 profile views
  1. i reviewed one of your earlier threads and it was using an array to hold errors. what happened, why did you take a step backwards?

     your existing validation logic for a 'required' field is not doing what you think, so, when you copied it for a non-required field, it has no chance of working. for a required field, if the input is empty, that's an error and there's no point in running any additional validation on that input as they will fail too. only if the input is not empty, run additional validation on that input. the logic to do this would look like -

     if(some required field == '') // note the comparison is with an empty string. php's empty() treats a zero as empty, so if zero is a valid value, you don't want to use empty() to test it.
     {
         // the field is an empty string
         $errors['some field name'] = "This field is required.";
     }
     else
     {
         // the field is not empty, perform additional validation step(s)
         if(!some other validation test) // note the ! (not) in the conditional statement
         {
             // the field did not pass this validation test
             $errors['some field name'] = "This field does not meet the requirements of this validation test.";
         }
     }

     for a non-required field, you don't care if the field is empty, but if it is not empty, you perform the additional validation (this is basically the else logic from above) -

     if(some field != '')
     {
         // the field is not empty, perform additional validation step(s)
         if(!some other validation test) // note the ! (not) in the conditional statement
         {
             // the field did not pass this validation test
             $errors['some field name'] = "This field does not meet the requirements of this validation test.";
         }
     }

     if all you are doing with preg_match is finding if a value matches the pattern, there's no need for the matches parameter. just directly test the result of the preg_match statement. your original validation logic for the account field contained mis-typed variables and incorrect preg_match parameters.

     do you have php's error_reporting set to E_ALL and display_errors set to ON so that php would help you by reporting and displaying all the errors it detects? lastly, when you have more than about 2-3 form fields, you should dynamically process the form data, by defining an array that holds a definition of the fields and what validation tests to perform on each field. this is a level to work toward in your coding, so that you don't find yourself writing out bespoke logic for each form field for each different form.
  2. this code is repetitive and has a number of logical mistakes. there are two different current 'owner' (uploaded) user ids, in $user->id and in $pt->user->id. the code querying for the video transaction data is getting data for all dates, but the code querying for the ad transactions is getting data for just a range of dates, so the sum of the amounts from those two things is meaningless. the code getting the $user_data, which, based on the usage, is the purchaser, is using the transaction id, not the user_id. the code is already looping over the video transactions for the current logged in user. the query and loop you just added is looping over the video transactions again, but is using some pieces of data from the outer loop, in $tr, which is why the amount and date are not changing. get rid of the query and loop you just added and use the data you already have (after you fix it so that it gets the $user_data based on the user_id and not the transaction id.) what order do you want the data to be in? the video transaction query is currently ordering the video transaction data by the user_id, which makes no sense, but the currently displayed id values are the video ids. this code/these queries are doing what they were written to do, mistakes and all. it's up to the programmer writing the code/queries to define what he/she wants, before writing anything, then design, write, test, and debug the code/queries to make sure they are doing what was defined.
  3. how about the letter-case and any white-space between the value in the php code/error message and the actual path and filename? any chance the php version was changed recently? if you change the statement from require_once to require, does it work?
  4. form processing code should -

     detect that a post method form was submitted.

     trim all input data (this can be done with one statement), so that you can detect if all white-space characters were entered. this is the only 'modification' of the form data that should be done.

     if there can be more than one form, you need some control logic (switch/case statement is one way) to detect a unique value (hidden field) to control which form processing code gets executed.

     the validation logic needs to store the validation errors in an array, with the array's main index being the field name (this index is used for 'dependent' validation steps to let you test if there is or is not already an error for a field and if you are outputting the error near the form field it applies to.) this array is also an error flag. if the array is empty, there are no errors, if the array is not empty, there are errors.

     if there are more than about 2-3 form fields, you should dynamically validate and process the form data, by defining a data structure (array or database table) that contains elements for each field that control what general purpose code does, such as defining 'required' fields, what type of validation rules to apply, and which type of processing code the field is used in.

     after the validation logic, if there are no errors, use the submitted data for whatever purpose it is intended for.

     after the data has been used, if there are no errors, perform a redirect to the exact same URL of the form processing code to cause a get request for the page.

     if there are errors, the code continues and re-displays the form, with any error messages (either all at once or with each one near the field it applies to), and repopulates the (appropriate) fields with the previously submitted data values (applying htmlentities() to help prevent cross site scripting), so that the user doesn't need to keep reentering the same data.
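The required / non-required validation from post 1 and the data-driven form processing outlined in post 4, worked through as an added example (not the poster's code); the field names, the $form_fields rules and the $sample_post data are constructed for the demo:

```php
<?php
// Added example, not the poster's code: the required / non-required rules
// above, driven by a field-definition array. Field names, the $form_fields
// rules and $sample_post are constructed for this demo.
declare(strict_types=1);

// one entry per field: a 'required' flag, a PCRE pattern, and the message
$form_fields = [
    'account' => ['required' => true,  'pattern' => '/^[A-Za-z0-9_]{3,20}$/',
                  'message'  => 'Account must be 3-20 letters, digits or underscores.'],
    'email'   => ['required' => true,  'pattern' => '/^[^@\s]+@[^@\s]+\.[^@\s]+$/',
                  'message'  => 'Enter a valid email address.'],
    'website' => ['required' => false, 'pattern' => '~^https?://\S+$~i',
                  'message'  => 'Website must start with http:// or https://.'],
];

function validate_form(array $fields, array $post): array
{
    // trim all values in one statement so all-whitespace input reads as empty;
    // this is the only modification made to the submitted data
    $post = array_map('trim', $post);
    $errors = [];   // indexed by field name; empty array means no errors
    foreach ($fields as $name => $rule) {
        $value = $post[$name] ?? '';
        // compare with an empty string, not empty(), so that "0" counts as a value
        if ($value === '') {
            if ($rule['required']) {
                $errors[$name] = 'This field is required.';
            }
            continue;   // nothing more to test on an empty field
        }
        // not empty: test the preg_match() result directly, no $matches needed
        if (!preg_match($rule['pattern'], $value)) {
            $errors[$name] = $rule['message'];
        }
    }
    return $errors;
}

// constructed POST: account is only whitespace, the optional website is empty
$sample_post = ['account' => '   ', 'email' => 'user@example.com', 'website' => ''];
$errors = validate_form($form_fields, $sample_post);

if ($errors === []) {
    // use the data here, then redirect to this same URL to end the POST
    header('Location: ' . $_SERVER['REQUEST_URI']);
    exit;
}
// errors: re-display the form, each message near its field, values repopulated
foreach ($form_fields as $name => $rule) {
    $value = htmlentities(trim($sample_post[$name] ?? ''), ENT_QUOTES, 'UTF-8');
    $msg   = $errors[$name] ?? '';
    echo "<label>$name <input name=\"$name\" value=\"$value\"></label> $msg\n";
}
```

With the constructed input only the account field produces an error; the email passes its pattern and the empty optional website is skipped.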
  5. the path being used in the opendir() statement either has a hard-coded '/home/sites/' in it or is using a variable that has that incorrect value in it. based on the path where the code is actually at, that part of the path should be - /home/customer/www/
  6. please post your final code. a lot of beginners end up with 'working' code, that isn't actually secure or contains a lot of unnecessary statements, variables, and php/sql syntax.
  7. yes, but that's the message you or someone else is unconditionally echoing inside the form processing code. it means that the form processing code executed. echo "Check Required Fields";
  8. it would be helpful if you posted exactly what output you get in this case. next, there are two immediate problems in the posted code - 1) if (isset($_POST)) { --- post is always set, so, all the form processing code runs every time it gets requested. if that code gets requested without any post data, it will list all the 'required' form fields as being missing. that line of code should be using if (!empty($_POST)) { 2) mysql_escape_string($_POST['AboutSelf']), mysql_escape_string($_POST['WhyJoined']) --- since the mysql_ extension has been removed from php, either you will be getting a fatal runtime error and execution will halt, or you are still running this on a php5 version and when it gets used under php7 it will produce a fatal runtime error and halt execution. so, two problems, the mysql_escape_string() calls must be removed, and the code must do something for all the external/unknown data to protect against sql injection. lastly, there are several implementation problems in the code, resulting in a large amount of unnecessary variables and logic, and without knowing what the database layer is doing, it is likely open to sql injection. just getting this code to 'function' may leave you with a site that will end up getting taken over and used for phishing sites, sending spam, ... code/queries must be secured against sql injection, email header injection, and cross site scripting.
  9. from one of your previous threads on this forum - if (IS_LOGGED == false) { header("Location: " . PT_Link('login')); exit(); } or more simply - if (!IS_LOGGED) { header("Location: " . PT_Link('login')); exit(); } this of course assumes that the code producing the IS_LOGGED defined constant is consistently being used and exists before the code you have posted. a feature like controlling who can view a certain page, like the profiles, should be part of the user permission system. does this code have a general purpose user permission system in it?
  10. here's another problem with the posted code. the $username value is being used in both an sql and an html/url context. the way to provide protection in each of those contexts is different, so the function could just 'look' like it works for expected values, but could be ineffective with the unexpected kind of values hackers would use.
  11. define: ordinary motor? the motor and power supply voltage must be within the 5 to 35 Volt range, with a MAXIMUM motor current of 2Amps. the limiting factor is the power dissipation of the controller, which i think i saw is 25Watts, but for which the heat-sink being used probably isn't big enough to dissipate, but there is over temperature protection built in. of note too, if the supply voltage is greater than 16V, you must separately supply 5V to the controller.
  12. these un-commented, out of context, snippets of code, are almost useless to us. we don't know how they fit into the grand scheme of what the application is doing. if the author of the code, who does have knowledge of and access to the whole script, cannot solve this, what makes you think we can based on seeing a small part of the script? is this a free script that is available for download on the web? if someone can download this to examine or test changes on, you will get quicker and more accurate solutions to your threads.

      i did get a couple of LOLs out of the above code. it has hard-coded logic testing permitted page values, that would have to be found and edited, probably in several locations, anytime a new choice is added and even though the application is using pretty urls, it is building one with a ?page=... parameter in it. the way to build urls is to produce an associative array, usually starting with a copy of the existing $_GET array, adding, removing, or modifying elements in the array, and then call a user written function that knows the rules on how to produce the actual url from the entries in this array. dynamic values being put into the url must be urlencoded so as to not accidentally break the url.

      either on this forum or elsewhere, i helped you a number of times with the previous phpmotion script you were trying to use. it was written and organized very badly, making each change difficult and repetitive. while it looks like this current script is using some better implementation practices, it still appears to be just a brute-force built, hard-coded, un-commented, massive wall of code, that is difficult to make changes to. i hope you didn't spend any money on this.

      edit: and here is a problem with storing the username in a session variable to indicate who is logged in. it makes it harder to allow usernames to be edited by the user and impossible if a username needs to be edited by a moderator/administrator. only the user's id (auto-increment integer primary index) should be stored in a session variable to identify who a user is. any other user information should be retrieved on each page request.
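The context problem from post 10 (one $username used in sql and html/url contexts) and the array-based url building from post 12, as an added example that is not the poster's code; the username value, the users table and build_url() are constructed for the demo:

```php
<?php
// Added example, not the poster's code: the same $username handled in the
// SQL, URL and HTML contexts mentioned above, each with its own protection.
// The username value, the users table and build_url() are constructed.
declare(strict_types=1);

// a value carrying characters that matter in each of the three contexts
$username = "o'neil <b>&co</b> ?x=1";

// 1) SQL context: no concatenation; the value goes through a placeholder.
//    an in-memory sqlite database keeps the demo self-contained.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL UNIQUE)');
$stmt = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
$stmt->execute([$username]);
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);   // quote and tags are stored and read back intact

// 2) URL context: build from an associative array, starting with a copy of
//    $_GET; http_build_query() urlencodes every value for us.
function build_url(string $path, array $params): string
{
    return $path . ($params !== [] ? '?' . http_build_query($params) : '');
}
$params = $_GET;                     // copy of the current query string
$params['user'] = $row['username'];  // add the element this link needs
unset($params['page']);              // drop an element that must not carry over
$href = build_url('/profile', $params);

// 3) HTML context: escape at the point of output, the URL included, because
//    & and quotes mean something else again to the HTML parser.
printf('<a href="%s">%s</a>%s',
    htmlspecialchars($href, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'),
    PHP_EOL);
```

Run from the command line $_GET is empty, so the link carries only the user parameter; the same three steps apply unchanged under a web server.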
  13. the php error you got is a result of the nonworking error handling, but is being caused by the error-prone concatenation used to build the sql query statement. you are missing needed white-space between the 0 and the following ORDER BY... term, that quoting the number satisfied.
  14. some implementation points for the code -

      you have semicolons ; on the end of your while(...) {; lines, so if your loops are not doing what you expect, this is the reason.

      'require' isn't a function, so the () around the filename are not needed and are just cluttering up your code.

      you have inconsistent, nonworking, and nonexistent error handling for the database statements. you should also not unconditionally output database errors onto a live site (and you shouldn't spend your time editing code when moving it between development and a live site), as this will just give hackers useful information about your connection username and server path when they intentionally trigger errors. instead, use exceptions to handle database statement errors and in most cases let php catch and handle the exceptions, where it will use its error related settings (error_reporting, display_errors, and log_errors) to control what happens with the actual error information (database errors will get displayed or logged the same as php errors.) this will let you remove all the error handling logic you have now, simplifying the code. to use exceptions for errors for the mysqli extension, add the following line of code before the point where you make the connection -

      mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

      you have unused variables and unused columns being SELECTed in the queries. you should only write code/query syntax that gets used. this is more important if someone other than you is expected to read and figure out what the code/queries are doing, such as forum members where you are asking for help.

      you have another race/timing problem in the code. by using the highest unixtime from the invoice table to detect new closed bids, you can miss bids if this code runs right before a new close time and takes longer than a second to run. the new unixtime that gets inserted into the invoice table can be greater than a close time that was never processed. (i know of some forum software (VB) that has/had a similar problem where remembering the last visited time and querying for records greater than that time misses information that does exist but wasn't processed.) the correct way of handling this is to use the id of the highest bid that was processed. you would then query for bid ids that are greater than the highest bid id that was processed.

      you can put white-space (space, tab, new-lines) in an sql query statement to format it, so all the error-prone concatenation is not needed and is just more clutter in your code. copying variables to other variables is just more error-prone typing and clutter. just use the original variables. don't put quotes around values that are numbers.

      for what you are doing, inserting invoice record(s) and corresponding item record(s), you should just SELECT the item and bid information (the first JOIN query in your code), fetch the data from that query into an array of sub-arrays of rows, indexed by a composite buyer/seller value for the main array index, and an array of rows for each buyer/seller, then loop over this array of data in the rest of the code. for the rest of the code, all you will need is two nested foreach(){} loops. the first loop would get the composite buyer/seller value and the sub-array of corresponding rows. you would execute the insert query for the invoice table as part of this loop and get the last insert id from this query. the second loop would loop over the sub-array of rows and execute the insert query for the invoice_items table.

      speaking of looping and executing queries. you should use prepared queries, with place-holders for each value, then supply the values when the query gets executed. this will provide a performance gain (about 5% for INSERT queries) and will also prevent sql injection (any bid or item information that came from an external source could contain sql special characters that will break the sql query syntax, which is how sql injection is accomplished.) you would prepare each query once, before the start of any looping, then just supply the data values when you execute the query inside of the loops. unfortunately, the mysqli extension is overly complicated and inconsistent when dealing with prepared queries, and you should switch to the much simpler and more consistent PDO extension.
  15. the above won't work correctly if there are concurrent instances of your script running, unless you lock the table for the duration of this part of the process, which is undesirable. each occurrence of your script will get the same starting value, attempt to modify and use it, resulting in duplicate values, which should produce query errors, if your table is defined correctly with that column being a unique index, or will mess up your stored data if not. what you should do is have the invoice number column be an auto-increment integer primary key. you would just insert a new row of data, then get the last insert id from that query to use when inserting the item data in the next table.
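The invoice processing structure from posts 14 and 15 (exceptions for database errors, progress tracked by bid id instead of time, queries prepared once, two nested foreach loops, auto-increment invoice ids with last insert id), worked through in PDO as an added example that is not the poster's code; the table layouts, column names and bid rows are constructed for the demo:

```php
<?php
// Added example, not the poster's code: the SELECT-then-nested-loops invoice
// structure described above with PDO, exceptions for database errors, both
// inserts prepared once, auto-increment invoice ids, and progress tracked by
// bid id rather than time. Table layouts and the bid rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no hand-written error checks
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$pdo->exec('CREATE TABLE bids (id INTEGER PRIMARY KEY AUTOINCREMENT, item_id INTEGER,
    buyer_id INTEGER, seller_id INTEGER, amount REAL, close_time INTEGER)');
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY AUTOINCREMENT,
    buyer_id INTEGER, seller_id INTEGER, last_bid_id INTEGER)');
$pdo->exec('CREATE TABLE invoice_items (id INTEGER PRIMARY KEY AUTOINCREMENT,
    invoice_id INTEGER, item_id INTEGER, amount REAL)');
// constructed closed bids: buyer 1 won two items from seller 7, buyer 2 won one
$pdo->exec('INSERT INTO bids (item_id, buyer_id, seller_id, amount, close_time) VALUES
    (10, 1, 7, 12.50, 1000), (11, 1, 7, 3.00, 1001), (12, 2, 7, 8.25, 1001)');

// resume from the highest bid id already invoiced, not the highest time, so a
// bid closing while this runs cannot be skipped
$last_done = (int) $pdo->query('SELECT COALESCE(MAX(last_bid_id), 0) FROM invoices')->fetchColumn();

// white-space formats the query; no concatenation, values go in as parameters
$select = $pdo->prepare('SELECT id, item_id, buyer_id, seller_id, amount FROM bids
                        WHERE id > ? AND close_time <= ? ORDER BY buyer_id, seller_id, id');
$select->execute([$last_done, time()]);

// array of rows per composite buyer/seller key
$groups = [];
foreach ($select as $row) {
    $groups[$row['buyer_id'] . '-' . $row['seller_id']][] = $row;
}

// prepare each insert once, before any looping
$ins_invoice = $pdo->prepare('INSERT INTO invoices (buyer_id, seller_id, last_bid_id) VALUES (?, ?, ?)');
$ins_item    = $pdo->prepare('INSERT INTO invoice_items (invoice_id, item_id, amount) VALUES (?, ?, ?)');

$pdo->beginTransaction();   // the invoice and its items are written together or not at all
foreach ($groups as $rows) {
    $ins_invoice->execute([$rows[0]['buyer_id'], $rows[0]['seller_id'], max(array_column($rows, 'id'))]);
    $invoice_id = (int) $pdo->lastInsertId();   // auto-increment id; nothing to compute by hand
    foreach ($rows as $row) {
        $ins_item->execute([$invoice_id, $row['item_id'], $row['amount']]);
    }
}
$pdo->commit();
printf("%d invoice(s), %d item(s)\n",
    $pdo->query('SELECT COUNT(*) FROM invoices')->fetchColumn(),
    $pdo->query('SELECT COUNT(*) FROM invoice_items')->fetchColumn());
```

With the three constructed bids this produces two invoices (one per buyer/seller pair) and three invoice items; a second run starts from last_bid_id 3 and inserts nothing.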