ajoo (Members)

Posts: 871
Days won: 1
Everything posted by ajoo

  1. Hi, I am creating charts using phpgraphlib, a very easy-to-use graphing library. Once the graph is created in graph.php it just needs to be called from the HTML as follows:

         <html> <img src="graph.php" /> </html>

     and the graph is plotted. Within graph.php a data array is required which carries the values to be plotted. Now I need to plot about 10 graphs, and in my HTML file I have created a 10-tabbed layout that should each display one of the 10 graphs. In my graph.php I have also created the 10 data arrays from MySQL that I require for the 10 graphs. So almost all the work has been done in graph.php, and all I need to do is to configure the graph and display the 10 graphs like this:

         // configure graph
         $graph->addData($dataArray);
         $graph->setTitle("Sales by Group");
         $graph->setGradient("lime", "green");
         $graph->setBarOutlineColor("black");
         $graph->createGraph();
         ?>

     But then I need the 10 graphs in 10 files like graph1.php, graph2.php and so on, which can be called from their respective tabbed HTML, and I need to pass each of these 10 files their data array calculated in graph.php. If I were to repeat the entire code of graph.php in graph1.php, graph2.php and so on for all 10 files, and each of these files had to calculate its own data and invoke the graph, it would work, but it would be a lot of (10 times the) recalculation of the data arrays. (All data for the 10 graphs can be calculated from the same single query.) I was just wondering if there is some method by which I can somehow achieve this without repeating the same process 10 times. I hope I was able to explain the issue well. Looking for some way out of this. Thanks all.
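One way to serve all ten tabs from a single graph.php, as an added example that is not part of the post above and not code from phpgraphlib: the ten datasets are produced by one grouped query, the requested chart is picked by a `?chart=N` parameter that is validated against a fixed range before it is used anywhere, and the grouped result is cached briefly so the ten <img> requests share one query. The `sales` table and its columns, the read-only `graph_reader` account, the `PHPGraphLib` constructor signature, the `phpgraphlib.php` include path and the use of APCu are assumptions; only the five configuration calls come from the post.

```php
<?php
// graph.php -- added example, not from the original post.
// The HTML tabs reference it as <img src="graph.php?chart=3">.
declare(strict_types=1);

require_once 'phpgraphlib.php';          // assumed include path for the library
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const CHART_COUNT = 10;

// Assumed schema: sales(group_id INT 1..10, month VARCHAR, amount DECIMAL).
// One query yields every dataset; rows are grouped in PHP so nothing is
// recalculated per chart.
function load_all_datasets(mysqli $db): array
{
    $datasets = array_fill(1, CHART_COUNT, []);
    $sql = 'SELECT group_id, month, SUM(amount) AS total
            FROM sales GROUP BY group_id, month ORDER BY group_id, month';
    foreach ($db->query($sql) as $row) {
        $g = (int) $row['group_id'];
        if (isset($datasets[$g])) {
            $datasets[$g][$row['month']] = (float) $row['total'];
        }
    }
    return $datasets;
}

// Cache the grouped result so the ten <img> requests share one query.
// APCu is an assumption; without it every request runs the query itself.
function cached_datasets(mysqli $db, int $ttl = 60): array
{
    if (function_exists('apcu_fetch')) {
        $hit = apcu_fetch('graph_datasets', $ok);
        if ($ok) {
            return $hit;
        }
    }
    $datasets = load_all_datasets($db);
    if (function_exists('apcu_store')) {
        apcu_store('graph_datasets', $datasets, $ttl);
    }
    return $datasets;
}

// Whitelist the chart selector: an integer in 1..CHART_COUNT or nothing.
// The raw $_GET value is never interpolated into SQL, a path or the title.
function chart_index_from_query(array $get): ?int
{
    $n = filter_var($get['chart'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => CHART_COUNT]]);
    return $n === false ? null : $n;
}

$chart = chart_index_from_query($_GET);
if ($chart === null) {
    http_response_code(400);
    exit('unknown chart');
}

// Assumed account: SELECT-only on the allscores database, never root.
$db   = new mysqli('localhost', 'graph_reader', 'reader-password', 'allscores');
$data = cached_datasets($db)[$chart];

$graph = new PHPGraphLib(500, 350);      // assumed constructor: width, height
$graph->addData($data);
$graph->setTitle("Sales by Group $chart");
$graph->setGradient("lime", "green");
$graph->setBarOutlineColor("black");
$graph->createGraph();
```

Each tab's <img src="graph.php?chart=N"> then hits the same file; a request with a missing, non-numeric or out-of-range chart number gets a 400 instead of an empty image or a query built from the parameter.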
  2. Hi Guru Barand, Thanks for the reply. Is there a function to then merge the corresponding values derived from MySQL into this array of all date keys with values 0? Or would I need to use a for loop again and replace each key-value pair from the MySQL result into this all-dates array? Thank you very much.
  3. Hi all! I wish to create a graph from data collected in two columns of a table. The two columns are Date (dd-mm-yyyy) and AvgScore.

         ===========================
         | Date       | AvgScore |
         ===========================
         | 26-02-2015 | 40       |
         | 28-02-2015 | 45       |
         | 01-03-2015 | 45       |
         | 04-03-2015 | 46       |
         | 05-03-2015 | 45       |
         | 06-03-2015 | 47       |
         | 12-03-2015 | 47       |
         | 18-03-2015 | 46       |
         | 26-03-2015 | 45       |
         ===========================

     As can be seen, there are gaps in the dates when the user came in to play. Those dates have to be accounted for. The scores on the dates when the user did not come in to play will be counted as zero. Therefore I need to create an array which will have all dates from 26-02-2015 till 26-03-2015, with AvgScore as '0' (zero) on days when the user did not come to play. Further, the data needs to be presented to the charting API as

         Array("26-02-2015"=>40, "28-02-2015"=>45, "01-03-2015"=>45, ...);

     I would be glad if someone can tell me what would be the simplest and possibly the fastest way to achieve this. Thanks!
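The zero-filling asked about in posts 2 and 3, as an added example that is not from the original posts: one function generates every day of the range as a key with value 0, a second overlays the rows from MySQL by key, so no loop over the gaps is needed. The rows are constructed here from the table in post 3 (deliberately out of order); the `Date`/`AvgScore` keys match that table's column names.

```php
<?php
// Added example, not from the original posts: build a zero-filled
// day-by-day series and overlay the rows that actually exist.
declare(strict_types=1);

// Every calendar day between $from and $to inclusive (dd-mm-yyyy keys)
// mapped to 0. The '!' in the format resets the time part so the period
// steps on whole days.
function zero_filled_days(string $from, string $to): array
{
    $start = DateTimeImmutable::createFromFormat('!d-m-Y', $from);
    $end   = DateTimeImmutable::createFromFormat('!d-m-Y', $to);
    if ($start === false || $end === false || $end < $start) {
        throw new InvalidArgumentException("bad date range $from .. $to");
    }
    $days = [];
    // DatePeriod excludes its end date, so step one day past it.
    $period = new DatePeriod($start, new DateInterval('P1D'), $end->modify('+1 day'));
    foreach ($period as $day) {
        $days[$day->format('d-m-Y')] = 0;
    }
    return $days;
}

// Overlay the database rows. array_replace keeps the key order of the
// zero-filled array (chronological) and overwrites matching dates, so the
// result needs no sorting. array_intersect_key drops any row whose date
// lies outside the requested range instead of appending it at the end.
function fill_missing_dates(array $rows, string $from, string $to): array
{
    $scores = [];
    foreach ($rows as $row) {
        $scores[$row['Date']] = (int) $row['AvgScore'];
    }
    $zeros = zero_filled_days($from, $to);
    return array_replace($zeros, array_intersect_key($scores, $zeros));
}

// Rows as mysqli_result::fetch_all(MYSQLI_ASSOC) would return them
// (constructed from the table in the post, deliberately out of order).
const SAMPLE_ROWS = [
    ['Date' => '28-02-2015', 'AvgScore' => '45'],
    ['Date' => '26-02-2015', 'AvgScore' => '40'],
    ['Date' => '01-03-2015', 'AvgScore' => '45'],
    ['Date' => '26-03-2015', 'AvgScore' => '45'],
];

$series = fill_missing_dates(SAMPLE_ROWS, '26-02-2015', '26-03-2015');
// $series has 29 entries: "26-02-2015" => 40, "27-02-2015" => 0,
// "28-02-2015" => 45, "01-03-2015" => 45, "02-03-2015" => 0, ...
```

The range endpoints are passed explicitly rather than read from the rows, so a user with a single row still gets a full series, and the same function serves any date window the chart page asks for.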
  4. Hi! Thanks for the reply. That pretty much takes care of the issue, except that it allows warnings to go through without being caught by the catch block. For e.g. if there is a mismatch in the number of parameters in the line $stmt->bind_result($db_id,$db_user,$db_pw); a warning is issued about the mismatch by PHP but the execution continues. This I found is solved by using MYSQLI_REPORT_ALL. This of course is just an observation. I am not saying that we should use MYSQLI_REPORT_ALL, because such errors can be found and removed while in the development stage. Further, BOTH ALL & STRICT fail to catch an exception if there is no connection to the server. I included the include_once 'dataconnect.php' within the catch block but it failed to catch the exception. Instead PHP echoed out that there was an undefined $connection variable. How can I have the try block catch this final (I think and hope) error? Thank you so much.
  5. Yes Guru Barand, I agree on that, but otherwise is the code block above good enough to be put in production code as is? I have also seen code such as

         $query = "SELECT Id, User, Pass FROM $table WHERE User = ?";
         if ($stmt = $con->prepare($query)) {
             $stmt->bind_param('s', $user);
             if ($stmt->execute()) {
                 $stmt->bind_result($db_id, $db_user, $db_pw);
                 $stmt->fetch();
             }
         }

     along with a comment that said that since each of the statements could fail, they should all be tested. I think that that is most cumbersome, especially if there were a large number of queries. Hence my confusion. Kindly suggest what's the way to go. Thank you very much for all your replies. Much obliged.
  6. Hi Guru Barand, Yes I have tested out the lines of code as suggested by you, and yes they give out warnings in addition to the default PHP error reporting. The warnings are more precise about the errors. So I guess this is great during testing. However in production all error reporting would have to be turned off. Coming back to the original block of code,

         $query = "SELECT Id, User, Pass FROM $table WHERE User = ?";
         $stmt = $con->prepare($query);
         $stmt->bind_param('s', $user);
         $stmt->execute();
         $stmt->bind_result($db_id, $db_user, $db_pw);
         $stmt->fetch();

     I would like to ask another question, and that is: how fit/good would these lines of code be in production? Is there any improvement that I could make to make this code more robust? Thanks loads
  7. No it's not Guru Barand. In fact after posting the question I am doing the same very thing. Just thought I would get a nod from you and be sure. Thanks. Will revert with the result and any further issues.
  8. Hi Guru Barand and Fastsol, Thanks for the response. I would request you both to please elaborate the explanation of the two different solutions suggested. Guru Barand, would doing what you suggested halt/kill the further execution of the script if

         $query = "SELECT Id, User, Pass FROM $table WHERE User = ?";

     had, say, a syntax error? In case my question is not clear I'll restate it. What I am looking for is a simple way that would test each line in the block of code, in fact such that the next line would execute only if the previous one executed successfully, or else it would quit further processing with an error. Kindly clarify. Grateful for the reply.
  9. Hi all! Here is a small piece of code that I wrote to select from a DB:

         $query = "SELECT Id, User, Pass FROM $table WHERE User = ?";
         $stmt = $con->prepare($query);
         $stmt->bind_param('s', $user);
         $stmt->execute();
         $stmt->bind_result($db_id, $db_user, $db_pw);
         $stmt->fetch();
         ...

     Each of these statements warrants that it be checked for failure and for possible exceptions, since each of these can fail. However such similar blocks of code may be present at 100s of places in a large application, and so checking for failure after each line of code would make it a very lengthy & cumbersome procedure. I was wondering if there is a simpler, elegant way to handle these kinds of failures or exceptions. And that's what I wish to ask. Thanks loads everyone.
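A way to get the "next line runs only if the previous one succeeded" behaviour asked for in posts 4 through 9 without testing every call, as an added example that is not from the original posts: mysqli is switched to exception mode once, the whole block, connection included, sits in one try/catch, the detail goes to the server log and the user sees only a generic message. The `dataconnect.php` include of post 4 is replaced by an explicit connection so that a failed connection is caught as well; the credentials and the `users` table name are assumptions, the column names are those of the post's query.

```php
<?php
// Added example, not from the original posts.
declare(strict_types=1);

// Once, at bootstrap: every server-side mysqli failure (connect, prepare,
// execute, fetch) now throws mysqli_sql_exception instead of returning
// false with a warning, so no per-call checks are needed. In PHP 8.1+ this
// is already the default. A wrong number of variables in bind_param or
// bind_result is a programming error, not a server error; PHP 8 reports it
// as ArgumentCountError, and it belongs in development, not in the catch.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed credentials: a dedicated, least-privilege account for the app.
// With REPORT_STRICT a refused or unreachable server throws here, which is
// the case the include-based connection in post 4 could not catch.
function connect(): mysqli
{
    $db = new mysqli('localhost', 'app_user', 'app-password', 'appdb');
    $db->set_charset('utf8mb4');
    return $db;
}

// The block from post 9. The table name is a literal, never user input,
// because identifiers cannot be bound as parameters.
function fetch_user(mysqli $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT Id, User, Pass FROM users WHERE User = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash);   // Pass assumed to hold a password_hash() value
    $found = $stmt->fetch();                 // true = row, null = no row, false = error (thrown)
    $stmt->close();
    return $found ? ['id' => $id, 'user' => $name, 'pass' => $hash] : null;
}

try {
    $db  = connect();
    $row = fetch_user($db, (string) ($_POST['username'] ?? ''));
    // ... execution reaches this point only if every call above succeeded
} catch (mysqli_sql_exception $e) {
    // Detail goes to the server log; the client sees nothing query-specific,
    // so display_errors can stay off in production without losing diagnostics.
    error_log(sprintf('db failure %d: %s', $e->getCode(), $e->getMessage()));
    http_response_code(500);
    exit('Service temporarily unavailable.');
}
```

One try/catch per request (or per unit of work) replaces the if-ladder of post 5: the hundreds of query blocks stay as short as the one in post 9, and a failure in any of them stops execution at that line.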
  10. Hi requinix, Thanks for the reply. I think I get it, but just to be doubly sure I'd like to ask some more. Do you mean like logging in using phpMyAdmin? Would setting a password in code affect my logging into phpMyAdmin? I don't think so, but please confirm. What if my application is altering or updating the tables based on the user interaction, for e.g. inserting the scores of the user in a database or altering them? Now that would be tantamount to a write operation, and so would I need to allow INSERT and UPDATE privileges to the user? Thanks for the reply, and I look forward to some more clarifications.
  11. Hi all, An article on wikiHow on Secure Login Script, in Part 2, under the heading Configure the MySQL Database, states that we can create privileges for users. It then goes on to create a user with details: USER: "sec_user", Password: "eKcGZr... WU". It then states that "Remember it doesn't need to be a password that you can remember so make it as complicated as possible." The question is regarding this last statement. Why don't we need to remember this password? Also I would like to ask what other security measures we need to take as regards the MySQL database? Also things like settings in the config files etc. Thanks all!
  12. Hi scootstah! Thanks for the reply. Definitely I am removing the sec_session_start() from all my page starts. No, the reason I am asking this is that I want to be as sure as possible on sessions. I am asking this to remove all my doubts about session regenerate id. So thanks again for the reply. PS. I also wish to add, for anyone looking for similar information, that last year I had asked a near similar question on this very forum and Advanced Member Jacques1 had also provided a most complete & comprehensive answer to it. Searching in My Content in my account today I came across it and could really appreciate the answer provided by Jacques1. This would be incomplete without a link to that answer. Please find attached the heading under which I had asked the question and Jacques1 had replied (the answer I marked as the best answer): "secure login, strong(est) session ID's and secure site navigation". Thanks scootstah and Jacques1.
  13. Hi scootstah! Thanks for that reply once again. I have read through all that information. The phpsec article was really nice though not conclusive. But then I guess any solution related to session security cannot be 100% conclusive. Still, thank you. Just one or two points that I would still like to clear. Supposing my script uses session_regenerate_id() at the beginning of each page, then it would leave a trail of PHPSESSIDs in the tmp folder which are not deleted. Now would these pose a security threat
      1. while the user is still browsing the website?
      2. even after the user has logged out?
      3. when the user has not logged out but simply closed the browser?
      How would that threat be posed, or how can these PHPSESSIDs be used to gain unauthorized access? Thanks loads.
  14. Thanks ! That was really clear, concise & informative. Will go through the related articles. Much obliged. Thanks again !
  15. Hi, try this. Caution: I changed the database name and the field username to suit my own testing. It works and gives no errors.

      index100.php

          <?php
          include('login100.php'); // Includes Login Script (which starts the session)
          ?>
          <!DOCTYPE html>
          <html>
          <head>
          <title>Login Form in PHP with Session</title>
          <link href="style100.css" rel="stylesheet" type="text/css">
          </head>
          <body>
          <div id="main">
          <h1>PHP Login Session Example</h1>
          <div id="login">
          <h2>Login Form</h2>
          <form action="" method="post">
          <label>UserName :</label>
          <input id="name" name="username" placeholder="username" type="text">
          <label>Password :</label>
          <input id="password" name="password" placeholder="**********" type="password">
          <input name="submit" type="submit" value=" Login ">
          <span><?php echo htmlspecialchars($error); ?></span>
          </form>
          </div>
          </div>
          </body>
          </html>

      login100.php

          <?php
          session_start(); // Starting Session
          $error = ''; // Variable To Store Error Message
          if (isset($_POST['submit'])) {
              if (empty($_POST['username']) || empty($_POST['password'])) {
                  $error = "Username or Password is invalid";
              } else {
                  // Define $username and $password
                  $username = $_POST['username'];
                  $password = $_POST['password'];
                  // Establishing Connection with Server by passing server_name, user_id and password as parameters
                  $connection = mysqli_connect("localhost", "root", "", "test");
                  // To protect against MySQL injection
                  $username = stripslashes($username);
                  $password = stripslashes($password);
                  $username = mysqli_real_escape_string($connection, $username);
                  $password = mysqli_real_escape_string($connection, $password);
                  // SQL query to fetch information of registered users and find a user match
                  $sql = "SELECT * FROM users WHERE password='$password' AND name='$username'";
                  $result = mysqli_query($connection, $sql);
                  if ($result === false) {
                      echo mysqli_error($connection);
                  }
                  $rows = mysqli_num_rows($result);
                  if ($rows == 1) {
                      $_SESSION['login_user'] = $username; // Initializing Session
                      header("location: secure100.php"); // Redirecting To Other Page
                      exit;
                  } else {
                      $error = "Username or Password is invalid";
                  }
                  mysqli_close($connection); // Closing Connection
              }
          }
          ?>

      secure100.php

          <?php
          session_start();
          echo " Welcome " . htmlspecialchars($_SESSION['login_user']);
          echo " You are logged in.";
          ?>
  16. Hi, thanks for the reply. I would like to ask, in that case, what should I use on the rest of the pages? Would a simple session_start() suffice? How safe would that be for session security? Kindly clear my doubts. Thanks!
  17. Hi all, I have been coding in PHP now for almost a year, but yet I feel like a newbie when it comes to sessions!! That's an honest confession. Like many newcomers I too came across the sec_session_start() which is a common function that is easily found on the net for people looking for a secure login script. Here is the function:

          function sec_session_start() {
              $session_name = 'secure_session_main'; // Set a custom session name
              $secure = false; // Set to true if using https.
              $httponly = true; // This stops javascript being able to access the session id.
              ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
              $cookieParams = session_get_cookie_params(); // Gets current cookies params.
              session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
              session_name($session_name); // Sets the session name to the one set above.
              session_start(); // Start the php session
              session_regenerate_id(TRUE); // regenerate the session, delete the old one.
          }

      I used it in my login page and on the other pages of my application. It seemed to work fine and then it started to create problems. I wrote about it on this forum. Every time I would click on a button or a link on my page, I would get logged out. I discussed that issue on this forum but no solution was found. Then I found that if I removed the (TRUE) from the session_regenerate_id(), things became fine. So I removed the TRUE and proceeded, wanting to come back here at a later time like now. I was actually quite pleased that I had found a solution to my problem. But now, while reading more on session_regenerate_id, I came across a number of articles that said that not using session_regenerate_id with the argument TRUE is not effective in preventing session hijacking, or was it session fixation. The articles, as also some of the answers to the questions in the forums, pointed out that session_regenerate_id should be used only when
      1. logging in,
      2. logging out &
      3. when privileges change.
      However I am using this sec_session_start on each and every page of my application instead of using session_start(), and I want to use this function to use the session_regenerate_id(TRUE) since that, it seems, is more effective against the session attacks. The latest issue that I have encountered is the generation of an error message that says "session_regenerate_id(true) failed". I would like to ask if my using the sec_session_start() on each and every page is incorrect & too frequent a usage of the function. In that case what should I use at the beginning of each of those pages to start a session? I would like to know if there is any flaw in my thought process above? And anything else related that would shed some more light on using the session_regenerate_id(TRUE) in the above function. Basically the right way to initiate a new session securely. PS - my program seems to work correctly otherwise. Even when the error is generated "session_regenerate_id(true) failed", the variables in the application remain intact and save properly. If I remove the (TRUE) all problems seem to cease but then, like I mentioned above, the discussions I have read say that that usage is ineffective against session attacks. Thanks loads.
  18. HI CroNIX, Thanks for the reply. I think I found what the problem is anyways. Thanks !
  19. Hi all! The following code has two similar queries, Query 1 and Query 2. While Query 1 works just fine, Query 2 simply fails persistently. I have not been able to figure out why. I have checked every single variable and field name but found no discrepancy of any sort or any mismatch of spelling with the fields in the database. I would be grateful if anybody can point out what is preventing the second query from returning a valid mysqli object as the first one does. Here is the code for the two.

          <?php
          $db_host = "localhost";
          $db_user = "root";
          $db_pass = "";
          $db_database = "allscores";

          //////////////// CHECKING VARIABLE FIELDS IN AN UPDATE QUERY ////////////////
          //////////////// QUERY 1 ////////////////
          /*
          $db_database = "test";
          $db_table = "users";
          $RecNo = 1;
          $field1 = 'name';
          $field2 = 'password';
          $field3 = 'email';
          $field4 = 'id';
          $val1 = "Ajay";
          $val2 = "howzatt";
          $val3 = "me@mymail.com";
          $con = mysqli_connect($db_host, $db_user, $db_pass, $db_database) or die('Unable to establish a DB connection');
          $query = "UPDATE $db_table SET $field1 = ?, $field2 = ?, $field3 = ? WHERE $field4 = ? ";
          // session terminated by setting the sessionstatus as 1
          $stmt = $con->prepare($query);
          var_dump($stmt);
          $stmt->bind_param('sssi', $val1, $val2, $val3, $RecNo);
          if ($stmt->execute()) {
              $count = $stmt->affected_rows;
              echo $count;
          }
          //////////////// QUERY 1 END ////////////////
          */

          //////////////// QUERY 2 ////////////////
          $con = mysqli_connect($db_host, $db_user, $db_pass, $db_database) or die('Unable to establish a DB connection');
          $table = 'scores';
          $date = date('Y-m-d H:i:s');
          /*
          $prestr = "Mrt_M_";
          $STATUS = $prestr."Status";
          $S_R1 = $prestr."Scr_1";
          $S_R2 = $prestr."Scr_2";
          $PCT = $prestr."PPT";
          $DPM = $prestr."DSP";
          $TIMETAKEN = $prestr."TimeTaken";
          */
          $STATUS = "Mrt_M_Status";
          $S_R1 = "Mrt_M_Scr_1";
          $S_R2 = "Mrt_M_Scr_2";
          $PPT = "Mrt_M_PPT";
          $DSP = "Mrt_M_DSP";
          $TIMETAKEN = "Mrt_M_TimeTaken";
          $TimeOfLogin = $date;
          $no_of_logins = 10;
          $time_of_nLogin = $date;
          $m_scr_row1 = 5;
          $m_scr_row2 = 5;
          $m_ppt = 20;
          $m_dsp = 60;
          $m_time = 120;
          $date = $date;
          $RecNo = 24;
          $query = "UPDATE $table SET TimeOfLogin = ?, no_of_logins = ?, time_of_nLogin = ?, $S_R1 = ?, $S_R2 = ?, $PPT = ?, $DSP = ?, $TIMETAKEN = ?, $STATUS = '1', TimeOfLogout = ?, WHERE RecNo = ?";
          $stmt = $con->prepare($query);
          var_dump($stmt);
          $stmt->bind_param('sisiiddssi', $TimeOfLogin, $no_of_logins, $time_of_nLogin, $m_scr_row1, $m_scr_row2, $m_ppt, $m_dsp, $m_time, $date, $RecNo);
          if ($stmt->execute()) echo " DONE !";
          ?>

      Thanks to all
  20. Ok, I managed to find a solution, with a slight modification. Here it is:

          $btypes = array('issi');
          $bvalues = array($room_no, $bmm, $bnn, $bll);
          $params = array_merge($btypes, $bvalues);
          $refs = array();
          foreach ($params as $key => $value) $refs[$key] = &$params[$key];
          ...
          call_user_func_array(array($stmt, 'bind_param'), $refs);

      There are actually 3 best answers to this: Guru Barand's initially, then Guru Kicken's and finally MacGyver's, which pointed me to call_user_func_array() for dynamically binding the variables. Thanks all!
  21. Hi all, Back again. I now tried as follows:

          $pp = "(ms.level = ? || ms.level = ?)";
          $qq = 'ms.diff <= ?';
          $mm = 'Beginner';
          $nn = 'Intermediate';
          $ll = 7;
          $room_no = 4;
          // $bmm = &$mm;
          // $bnn = &$nn;
          // $bll = &$ll;
          // $broom_no = &$room_no;
          // $bvalues = array($broom_no,$bmm,$bnn,$bll);
          $btypes = "issi";
          $types = &$btypes;
          $bvalues = array($room_no, $mm, $nn, $ll);
          $values = &$values;
          $params = array($types, $values);
          $query = "SELECT md.Member_reg_id, md.fname, md.lname, md.email, md.cell, ms.level, ms.diff, ms.score, r.ID_Status
                    FROM register as r
                    JOIN member_detail as md ON r.ID = md.Member_reg_id
                    JOIN memstatus as ms On r.ID = ms.ID
                    WHERE r.room_no = ? AND r.ID_Status ='A' AND $pp AND $qq
                    ORDER by level, diff, score DESC";
          $stmt = $fcon->prepare($query);
          call_user_func_array(array($stmt, 'bind_param'), $params);

      and this gives me the following warning: I have tried the same with a few changes as well but I am not able to get through this. I have 4 bound parameters in the query and I have passed 4 values through the array so I don't know why I am getting this error. Please can someone show me how to devise the params array correctly or what might be the error here. Thanks all!
  22. Thanks Sir, I have just shifted over to mysqli prepared queries so it will be a while before I make the transition to PDO. I have already converted more than 60% of the code to use mysqli prepared statements. I will however keep that in mind as I have been advised by some other gurus too besides yourself. I will now look up and try out the functions that you have just suggested above. Will revert. Thanks very much!
  23. Hi All, Thanks for all the inputs. I have been trying to use them all to find a fit-all solution. I think, after a few trials, that the solution posted by Guru Kicken would work great if there is a way for the query to extract the values to be bound from an array, i.e. can the bound variables in the statement

          $stmt->bind_param('iss', $room_no, $pp, $ll);

      be somehow replaced by an array of values like this

          $stmt->bind_param('iss', $param[]);

      This was suggested by Guru Kicken. So I request Guru Kicken or anyone to suggest a simple way to "bind whatever is in the params" to the query using an array. However the length of the array would be varying depending upon the conditions involved. That should solve this quite elegantly. Thanks all!
  24. Hi Mac_gyver, Well the values come from two drop-down menus where the user selects these values. The Level dropdown has three values as of now: 1. All, 2. Beginner, 3. Intermediate, and will have one more value, Expert, eventually. Diff is another dropdown and has the values All and the numbers from 1 to 10 (hence 11 values in the dropdown). The user selects these from these menus and the output displays the records accordingly. By default both Level and Diff have a default value of All, i.e. Level = Beginner OR Level = Intermediate and Diff <= 10. I hope this helps. If anyone has a better idea on implementing such queries in a more elegant manner then please share it with me. Thanks loads everyone.
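The dynamic filter discussed in posts 20 through 24, as an added example that is not from the original posts: the Level and Diff selections are checked against a whitelist before any SQL is assembled, the WHERE clause grows only by adding `?` placeholders, and the variable-length value list is bound with argument unpacking (`...$values`, PHP 5.6+), which passes the array elements by reference and replaces the call_user_func_array/reference workaround of post 20. The table and column names are those of the query in post 21; the `$fcon` connection and the dropdown values are the ones described in post 24, and mysqli exception mode plus mysqlnd (for get_result) are assumed.

```php
<?php
// Added example, not from the original posts.
declare(strict_types=1);

// Values the dropdowns may legitimately send. Anything else is rejected
// before it touches the query text.
const LEVELS   = ['Beginner', 'Intermediate', 'Expert'];
const DIFF_MAX = 10;

// Returns [$whereSql, $types, $values] for the dynamic part of the query.
// Only placeholders are appended to the SQL; the selections themselves are
// bound, so the SQL string never contains user input.
function build_filters(string $level, string $diff, int $roomNo): array
{
    $where  = ['r.room_no = ?', "r.ID_Status = 'A'"];
    $types  = 'i';
    $values = [$roomNo];

    if ($level === 'All') {
        $where[] = '(' . implode(' OR ', array_fill(0, count(LEVELS), 'ms.level = ?')) . ')';
        $types  .= str_repeat('s', count(LEVELS));
        $values  = array_merge($values, LEVELS);
    } elseif (in_array($level, LEVELS, true)) {
        $where[]  = 'ms.level = ?';
        $types   .= 's';
        $values[] = $level;
    } else {
        throw new InvalidArgumentException('unknown level');
    }

    $d = $diff === 'All' ? DIFF_MAX : filter_var($diff, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => DIFF_MAX]]);
    if ($d === false) {
        throw new InvalidArgumentException('unknown difficulty');
    }
    $where[]  = 'ms.diff <= ?';
    $types   .= 'i';
    $values[] = $d;

    return [implode(' AND ', $where), $types, $values];
}

function member_rows(mysqli $fcon, string $level, string $diff, int $roomNo): array
{
    [$where, $types, $values] = build_filters($level, $diff, $roomNo);
    $query = "SELECT md.Member_reg_id, md.fname, md.lname, md.email, md.cell,
                     ms.level, ms.diff, ms.score, r.ID_Status
              FROM register AS r
              JOIN member_detail AS md ON r.ID = md.Member_reg_id
              JOIN memstatus AS ms ON r.ID = ms.ID
              WHERE $where
              ORDER BY ms.level, ms.diff, ms.score DESC";
    $stmt = $fcon->prepare($query);
    $stmt->bind_param($types, ...$values);   // unpacking passes the elements by reference
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// e.g. member_rows($fcon, $_POST['level'] ?? 'All', $_POST['diff'] ?? 'All', 4)
// With both defaults this binds 'isssi': room 4, the three level names, and 10.
```

Adding Expert later means adding one string to `LEVELS`; the placeholder count, the type string and the bound values all follow from it, and a tampered form value that is not in the list is refused before `prepare()` is ever called.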