mac_gyver
-
Posts
5,450 -
Joined
-
Days Won
175
Everything posted by mac_gyver
-
if you don't have the programming skills to attempt to modify this script, just find a different script that works using page numbers.
-
the code you found or wherever you learned php is 11 years out of date and won't work on current versions of php. throw that code away and find an up to date source of php information to code from.
-
you could try, as a learning exercise at one point, none of the people reading this knew how to do it either, but they tried and kept trying until they got it to work and learned something along the way. without trying, there's no possibility of learning.
-
the value in that code that is being called a "page" is actually the starting row number, starting at zero. it's the offset value being put into the LIMIT offset, row_count statement. to change the code so that the page number is actually the page number, starting at 1, the first step would be to take the submitted $_GET['page'] value and calculate the starting row offset from it - $offset = ($page - 1) * $per_page; the above value would be used in the LIMIT statement instead of the $page value. you also need to modify the code that produces the pagination links so that it just increments the page number, starting at 1, instead of adding $per_page to it.
-
put the "included" files into a folder that doesn't permit any web access. there's two ways of doing that - 1) put the folder outside, rather than inside, your web root folder or 2) put the folder inside your web root folder and put a .htacess file into the folder that deny's all http requests to the files in that folder. search for "htaccess deny all" to find out how.
-
when you have code that's producing the wrong result (in your case, you expect it to return a true value when the entered password is correct), it's not a matter of getting opinions on what could be causing the problem. it's a matter of actually finding which of the multiple possible problems is causing that wrong result. your first step will be to determine which of the four points in the code that can return a false value is the one that actually is doing it, because that determines where to look to fix the problem.
-
no matter what code you use, you must find out why it isn't working, because the cause of the problem could be somewhere else, such as in the registration code that is producing the values and inserting them into the database table or in the database table definition itself. if all you are doing is copying code and praying it will work (copy-n-pray is not a useful programming pattern), you are not going to get very far very fast.
-
there's 4 different conditions in the login() function that return a false value and since the code isn't reporting in any way why it is failing you need to debug at what point the code is returning the false value to find out why it is failing. the first one is if the prepare fails. that's a fatal application error. during development your code should be screaming at you at that point telling you exactly why it failed. the second one is if the email is not found. that's an application warning and it means that someone tried to log in using an email that doesn't exist. you should be logging everything about that occurrence and during development your code should be screaming at you at that point actively telling you why the function is returning a false value. the third one is if the checkbrute() function doesn't pass. same comment as for the second one. the fourth one is if the passwords don't match. same comment as for the above two cases.
-
are there any php detected warnings or notices?
-
How can I make this MySQL Insert statement secure?
mac_gyver replied to vbmark's topic in Frameworks
the code is building what appears to be a prepared query, with ? placeholders for the values. as long as the table and column names are not coming from unvalidated external data and the ->query() method is actually running a prepared query, it's secure against sql injection. edit: the code should also place the table name within back-ticks if it is trying to be universal code that won't fail with an error for any arbitrary table/column names. -
that means it is returning a false value, not a true value, and it's going to the code in the else part of the statement.
-
how do you know it is always returning a true value? what output, error, url, or other symptom are you getting?
-
how would anyone here know if your code is doing that or if that is even relevant to the problem? you have all the code, you should be able to answer that question yourself. this is your error message. did you read it and try to solve this yourself? you are calling the mysqli_query() function. it expects parameter 1 to be an instance of a mysqli connection. you are supply a null non-existent value. you have either not made a database connection, have closed the database connection, or the program scope where the template code is running at is not the same program scope where the connection exists.
-
your first error is because $db_connex doesn't exist. based on the line numbers, that's probably all your code and you aren't making a database connection at all, let alone a connection in $db_connex. your second error is because of the first error.
-
search results: extract month & year from the date field
mac_gyver replied to bickyz's topic in PHP Coding Help
your thread title is just about the literal answer to your question - http://dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_extract WHERE 201305 = EXTRACT(YEAR_MONTH FROM your_datefield) -
the login() function code needs to return a true value when there is a successful login.
-
in your existing thread for this, PaulRyan pointed out what you need to do to make it work - the query you posted in this thread is just testing where the id is a true value and returning the first row.
-
the null that is returned if the prepare fails is == to false (just tested) and the code goes to login.php?error=1 for that case.
-
your code functioned as expected for me. a mismatch in passwords goes to login.php?error=1 and matching passwords goes to member.php?id= i'm going to guess that when it redirects to login.php?error=1 that either the logic or output on that page makes it look like it logged in correctly or code on that page is redirecting to make it look like it logged in correctly or the absence of exit statements after your header() redirects allows some code to run that makes it look like it logged in correctly. what have you done to debug what your code is actually doing?
-
your code in the login() function probably contains a logical error.
-
the problem could be anywhere in the form or the form processing code. what have you done to find out what is actually happening in your code when you click on each of the buttons? does the browser go to the target page of the buttons or does it stay on the form page? is the right data being submitted to the target page? is the code seeing the right values in the right places and running the logic for those buttons? are the database queries being formed correctly and being run? do the queries produce any errors? you have 100s of lines of code for these three buttons with 1000s of characters in them. a typo or the wrong variable name or a wrong value anywhere in the code could prevent the buttons from working. you need to debug what your code is actually doing to find out where the problem is at in it.
-
the function you are using can be fooled to give you an arbitrary ip address that doesn't have anything to do with where the requests are coming from. the HTTP_ values are just data in the header of the request and can be set to any value in any request. the only "trust worthy" value in that code is the REMOTE_ADDR and you are giving the HTTP_ values priority over the REMOTE_ADDR value. the REMOTE_ADDR value comes from the data packets the web server received and is where the output from the web server will be sent back to. if you have a site that is being abused, you need to record all the information that you can about the user. i would record the REMOTE_ADDR "physical" address and the "apparent" ip address that your function returns. this will give you more information to decide what to do about the abuse. it sounds like you have a registration system, implying you have accounts with usernames. you should be preventing access to your site by disabling the account and preventing future registrations using the email address. if you have a need to ban users, your user system needs to query your user database on each request to check the banned status. your registration system should only activate an account after you send the user an email with an activation link in it.
-
two or three people have already mentioned that
-
what have you tried? there's a point where helping becomes doing and that isn't likely to happen for thousands of lines of code (the device class is just over 1000 lines of code, which could have been about 500 lines if the author had programmed smarter instead of programming harder) in a 3rd party script. you are the only one here who wants this application to have the extra fields added to it. it's up to you to attempt to do the work needed. i will give a hint: the device() class is defined in the assets.inc.php file.
-
Login Function Can't Find DB, but Other Functions Can?
mac_gyver replied to wildbuddha's topic in PHP Coding Help
you have a mysql_query in your code. you are trying to use a mysqli database connection. you should be using a mysqli_query. you are repeating code for your mysqli database connection in each function. that will lead to typo and other errors. you should be creating one database connection per page and passing it into any function or class that needs it.