Jump to content


Staff Alumni
  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by mac_gyver

  1. it sounds like you are manually creating new code each year/season with hard-coded values in it. your time would be better spent making one instance of the code dynamically produce/operate on whatever is different each year, so that you only have to find and fix whatever is causing the current error once.
  2. mac_gyver

    Site Won't Submit Multiple Variables

    you need to start by specifically defining what you are trying to accomplish, including what the scope and limitations are. then write and test just the code needed to accomplish the stated goal (you currently have a bunch of code and queries written out for each combination of search fields - this is not how to do this, you would dynamically build a query with just the parts it needs.) you have shown one example of a composite value, the 1;3 for Chesapeake or Virginia Beach. is this the only multiple location or are you planning on producing all possible combinations once you get this working for the one example OR do you actually just want to allow any of the listed cities to be picked? if your assignment is just to allow multiple cities to be picked, you have been given the answer on at least one of the forums, add the multiple attribute to the <select tag and make the select name attribute an array. this will let you select one or more cities from the listed cities. note: you should be dynamically producing the select option choices from the available cities, the form and the form processing code should be on the same page, and you should make the form 'sticky' by selecting any option choice(s) that have already been selected and submitted. next, for the form processing code, start small. get this city id code to work first, then add other search fields. your form processing code should detect and validate any inputs before using them, as already stated - dynamically build the query, fetch the data from the query into a php array variable, then just test and loop over this variable to produce the output. since you are doing pagination, you need two queries, the first one gets a count of the matching rows, the second one gets the logical page of data. the table, join, and where clauses in both these queries must be the same and should just be built once, then re-used in both queries.
  3. mac_gyver

    Arrays: concatenation operator .= vs =

    since the $array[] syntax always appends a new element to the array, it won't contain anything to concatenate to, so, the use of the . has no meaning and is probably producing a php undefined error. what sort of error, symptom, or problem are you having that causes you to ask this?
  4. mac_gyver

    MySQL pulling results twice

    just use the LEFT JOIN query, with corrected join condition and where clause. if you fetch all the data from the query into a php array variable and use var_dump(), you will be able to see what result the LEFT JOIN produces when there are and are not corresponding row(s) in the D table.
  5. mac_gyver

    bots and forms

    your html is either broken (no closing > for that input) or you have multiple fields with the same name. it would take having the actual html of your form page to help. you might also be setting $_POST['email'] to a value somewhere in your php code. if you use var_dump($_POST) to see what value it contains, you can back-track to find where the value is coming from.
  6. mac_gyver

    MySQL pulling results twice

    the reason you are getting the wrong result is because you are only joining on the menu_item_id for the table D LEFT JOIN condition, but both the menu_id and the menu_item_id are what associates a menu/item with its' quantity in the D table (you probably have the same menu_item_id in more than one menu.) you should also be using a.menu_id in the WHERE clause in both queries. you should actually have an auto-increment id column in the B table. this will define a menu/item id. you would use this id in the D table. this will also simplify the form fields since there's only one id involved with each quantity. next, you don't need two sets of code/queries. the LEFT JOIN with the D table will give the quantity if there is one, or a null (which php will treat as a zero) if there isn't a row for an item.
  7. mac_gyver

    php help

    the users table should only hold unique/one-time user information - first name, last name. this would produce a user_id (auto-increment integer column.) you would store any repetitive user information, such as the weight/date data in a second table, related back to the user through the user_id value. once you have properly stored the data, you can write sql queries to get any user(s) information for any date or date range.
  8. check your DNS records at tools.dnsstuff.com start with the DNSreport tool.
  9. mac_gyver

    proper PRG form handling

    the Redirect part of PRG is to the exact same URL that the post method form submitted to. if after successfully processing the post method form data, you are redirecting to a different URL, that's not what the PRG pattern is.
  10. mac_gyver

    Update script to PHP7.2

    didn't state that. it is possible to convert old code to use a new database extension and to manually modify any sql query that has data being directly put into it to be a prepared query (the query function needs to accept a second optional array of input data and either just execute the query if there is no input data or prepare and execute the query if there is.) this is simpler if the code is using a database abstraction layer, which the code has (some user written functions), but isn't consistently using everywhere, so, it would first require that all database interactions be rewritten to use the existing functions.
  11. mac_gyver

    Update script to PHP7.2

    the php mysql_ extension has been removed from php. however, if the script is old enough to still be using the mysql_ extension, it is probably using other removed features (the error you got is just the first of many.) it would require reviewing the entire script and rewriting everything that's been removed and to also add security for database queries (php's attempt at protecting against sql special characters in external data from breaking sql queries was also removed.)
  12. mac_gyver

    Best way to secure inputs

    htmlentities/htmlspecialchars are output functions. they are used when you output dynamic values in a html context (web page, email.) they are not used when data is received by a script.
  13. mac_gyver

    help with a registration form

    by lumping this logic into one statement, you will never know which condition is failing, which would help pin down where the problem is. also, the 1st and 3rd conditions mean the same thing - the username was found. your program logic should be - 1) execute the SELECT query to find the row matching the username. if you use exceptions to handle errors, as was stated in a reply above, you won't have to add conditional logic at each statement that can fail. your main code will only need to deal with error free execution since program flow will automatically transfer to the exception handler if there is an error. 2) fetch and test if the username was or was not found - you can do this with one statement. also, the negative condition (not found) is often shorter code, so by inverting the logic test and dealing with the negative/not condition first, you get its' code out of the way. 3) if the username was found, verify the password. If the password verifies, save the user's id in a session variable to identify who the logged in user is. while you should setup and output the same 'invalid username/password' message if the username didn't match or the password didn't verify, by testing these conditions separately, you have specific points in your logic where you can output or log debugging information that would tell you which condition is failing. the following logic is all you need - // execute the SELECT query here... if(!$row = mysqli_fetch_assoc($res)) { // username not found $errors['login'] = "Invalid Username/Password."; } else { // username found, verify password hash if(!password_verify($password,$row['password'])) { // password doesn't match $errors['login'] = "Invalid Username/Password."; } else { // password matches $_SESSION['user_id'] = $row['id']; } }
  14. mac_gyver

    help with a registration form

    see the following example showing the items listed above - <?php session_start(); // detect if the current visitor is already logged in/registered if(isset($_SESSION['user_id'])) { header('location:index.php'); // go somewhere else die; } require 'pdo_connection.php'; // put database connection code in an external .php file and require it when needed // note: the connection code should - set the error mode to exceptions, set emulated prepared queries to false, and set the default fetch mode to assoc $errors = []; // an array to hold errors $post = []; // an array to hold a trimmed working copy of the form data // post method form processing if($_SERVER['REQUEST_METHOD'] == 'POST') { // trim the submitted data $post = array_map('trim',$_POST); // if any of the form fields are arrays, use a recursive trim call-back function here instead of php's trim function // validate the submitted data if($post['username'] == '') { $errors['username'] = "Username is empty."; } if($post['password'] == '') { $errors['password'] = "Password is empty."; } if($post['password2'] == '') { $errors['password2'] = "Confirm password is empty."; } // if no password errors, compare password/confirm password if(empty($errors['password']) && empty($errors['password2']) && $post['password'] != $post['password2']) { $errors['confirm'] = "Password and the confirm password don't match"; } // if no errors, use the submitted data if(empty($errors)) { $sql = "INSERT INTO register (username, password) VALUES (?, ?)"; $stmt = $pdo->prepare($sql); try { // a 'local' try/catch to handle a specific error type $stmt->execute([ $post['username'], password_hash($post['password'], PASSWORD_DEFAULT) ]); } catch (PDOException $e) { if($e->errorInfo[1] == 1062) // duplicate key error number { $errors['username'] = "Username is already in use."; } else { throw $e; // re-throw the pdoexception if not handled by this logic } } } // if no errors, success if(empty($errors)) { header('Location: registered.php'); // if it works relocated person to registered.html die; } } // at the point of (re)displaying the form, use the data in $errors to display any error messages and in $post to repopulate the form fields (you may not desire to populate password fields) // any 'dynamic' values should have htmlentities() applied when they are being output on a web page to help prevent cross site scripting ?> output a complete and valid html document starting here... <?php // display any errors if(!empty($errors)) { echo implode('<br>',$errors); } // output the form ?> <form method='post'> Username: <input type='text' name='username' value='<?php echo htmlentities($post['username'] ?? '',ENT_QUOTES); ?>'><br> Password: <input type='text' name='password' value='<?php echo htmlentities($post['password'] ?? '',ENT_QUOTES); ?>'><br> Confirm password: <input type='text' name='password2' value='<?php echo htmlentities($post['password2'] ?? '',ENT_QUOTES); ?>'><br> <input type='submit'> </form>
  15. mac_gyver

    help with a registration form

    there a bit more than a missing i. all the php database statements must be from the same extension. you have mix of mysqli and mysql statements. also, the SELECT query syntax is incorrect, there's no $username variable at the point where you are using it, and you would need to have single-quotes around the $username variable since it is string data. here's a list of things your form processing code should do - 1) detect that the current user isn't logged in (there's no point in allowing registration if the current user is already registered and logged in.) 2) detect that a post method form was submitted (this will prevent form processing code from running until the form has been submitted.) your form processing code and the form should be on the same page as this results in the least amount of code and the best User eXperience (UX.) 3) trim the submitted form data so that you can detect if all white-space characters were entered (this can done with a single line of code using array_map().) 4) validate all the inputs before using them, storing validation errors in an array. this array is also an error flag. if the array is empty, there are no errors. to display the errors at the appropriate point in the html documented when you re-display the form, access elements in this array. 5) if there are no validation errors, simply run the INSERT query and detect if there was a duplicate key error (requires that the username column be defined as a unique index.) 6. use a prepared query, as already mentioned, when supplying external/unknown data to the sql query statement. this will actually simply the sql query syntax since the php variable(s), single-quotes around them, and any concatenation dots or {} (which you are not using) are all removed and replace with a simple ? place-holder for each value. 7. use exceptions to handle all the database statement errors and in most cases let php catch and handle any error, where it will use its' error_reporting, display_errors, and log_errors settings to control what happens with the actual error information. you would then remove any error handling logic you have now, simplifying the code. the exception to this is when detecting the insertion/update of duplicate data (and other data value errors) - see item #5 in this list. lastly, the php mysqli extension is overly complicated and inconsistent, especially when dealing with prepared queries. if you are just starting out, learn the php PDO extension instead. an addition benefit of learning the PDO extension is that the same php statements can be used with about a dozen different database types (the actual sql query syntax may be different), so you won't have to keep learning a different set of php statements should you ever need to use a different type of database.
  16. mac_gyver

    php to mysql, INSERT problem

    there's no guessing in programming. it is an exact science. you must know what the input parameters are, what the statement does, and what value is returned. mysqli_connect is NOT used to execute a query.
  17. mac_gyver

    php to mysql, INSERT problem

    the error is in the mysqli_connect statement call, not the posted code.
  18. mac_gyver


    you would have to post that version of the code if you want help with it. here are some points about the code that will simplify it and keep you from having to keep changing the error handling - 1) UPDATE queries do not return result sets. the ->store_result(), ->fetch(), and ->close() statements after each update query are unnecessary. 2) if you use exceptions for errors and let php catch and handle the exception, it will use its' error_reporting, display_errors, and log_errors settings to control what happens with the actual error information. you would then remove all the error handling logic in your code. to enable exceptions for errors for the mysqli extension, add the following line of code before the point where you make the database connection - mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); 3) the petid should be unique and there isn't any apparent $userid variable in the function. the queries should only need the petid value. any user to pet ownership should have been determined in the php code prior to calling the function. 4) the level is derived from the experience and should just be calculated when needed and not stored. this will eliminate 2/3's of the code. 5) the php PDO extension is simpler and more consistent than the mysqli extension. if you can, switch to use PDO. lastly, you should not just update a value in a row for doing this, since there is no audit trail. you will never know if a logic mistake, double form submission, or nefarious use has caused the value to be incorrectly altered. you should INSERT a new row in the table for each transaction that affects the value, along with all the who, what, when, where, and why information about each transaction. then, to get the current value, you would just SUM() the amounts in the query, GROUPed BY the petid.
  19. mac_gyver


    the function code does not have access to the connection (the error message should state more, but php has been making less than desirable changes to error messages lately.) you also likely don't have php's error_reporting set to E_ALL, as there should be a second error about $mysqli not being defined. if the connection is being made in addon.inc.php, it won't exist if addon.ini.php has been previously included. your main code should make the database connection, then pass it into any function that needs it as a call-time parameter. you would then remove any attempt at creating a connection inside the functions. that's because, as has been stated in each reply in this thread, the problem is with the $mysqli variable, it's what is not an object.
  20. mac_gyver


    you have a variable scope or naming problem or a connection problem. the entire error message, which you didn't post enough of, states if the bad value is a null or a boolean. it would take having all the code needed to reproduce the problem, less the database connection credentials, in order to help you.
  21. the 'echo'ed sql query statement has some single quotes around the 2nd occurrence of the time column. this 1st showed up in the OPs post. edit: which Barand just posted too without any notification from the form software about a new post in the thread.
  22. mac_gyver

    Invalid Request to service file falls through

    the above logic is a problem unto itself. password_verify() returns a boolean true/false value. the above logic will change operation depending on what $dbPassword starts with. remove the !=$dbPassword from that line.
  23. mac_gyver

    Invalid Request to service file falls through

    for the example you posted, they are not empty values. they consist of two double-quotes each. empty values would be - username=&password=. of concern would be why your ->authenticate() method call is returning a true value for a username equal to a string consisting of "" and a password equal to a string consisting of "" also, your use and test of $_GET['secureSubmit'] will be true as long as there's any non-empty/non-zero value in the url. the =true in the url is a string consisting of the letters - t,r,u, and e. only secureSubmit=&... and secureSubmit=0&... would fail the logic test.
  24. mac_gyver

    Is 'password_hash' broken?

    password_hash() is used when the hash of a password is saved, i.e. during registration/password changes, and the hash it produces for a given input is different each time since a random salt is generated and used each time it is called. password_verify() is used to test if a submitted password corresponds to a saved hash.

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.