
tork

Everything posted by tork

  1. The /private and /data folders are 755. I didn't see any config files in cgi-bin (if that's what you're saying), and in the .config folder there's only a file called .keep which has no data in it (as far as I can tell).
  2. Thanks requinix. Here's a solution .. may help others .. [sc]=shortcut

     This is my directory structure:

         root
           /.config
           /.logs
           /[sc]public_html (points to /web)
           /[sc]my web site name without the .com (points to root)
           /web : /web/my web site folders

     Create private folders like this:

         /private
         /data
         /web (URL access can only read files from this folder on down, so the 2 folders above are private)

     Create include files in /private where they cannot be read by the browser but can include them with:

         require('../private/myIncludeFile.php');

     The data goes in /data which needs world rw access and can be opened like this (example from w3schools):

         <?php
         $myfile = fopen("../data/webdictionary.txt", "r") or die("Unable to open file!");
         echo fread($myfile,filesize("../data/webdictionary.txt"));
         fclose($myfile);
         ?>

     So the calling file within /web calls the include file in /private which reads the text file in /data.

     I tried getting the include file to run directly from the browser (not through the /web calling script) and it could not find the file. Also, I tried getting the text file from the /data text file directly from the browser and it couldn't find the file. This is what I expected to happen because only public files under the /web folder are accessible via a url. This means the folder structure makes the /web folder files safe against users who might try to gain access to /web files using uploads to /data files - hackers aside.
  3. So, should the 'not permitted to write' of 'group' and 'other' of a folder or file prevent anything being written to that folder or file except by the owner/user(7)? Or do I misunderstand?
  4. Ah! I'm too fast with checking once I create the folders. I just checked a new folder 10 minutes ago, and it did not show permissions. Yet now it does; 755. I guess the server's on valerian
  5. Strange. I just checked the properties of the uploads folder that I created 7 hours ago, and it now shows permissions and they are 755, with the user and group having the same id. To see if PHP (being subject to other) could upload the image file, I ran the upload test script again and it succeeded. Should the 'no permission to write' of group and other not prevent anything being written to that folder's files except by the owner/user (being 7)? Or do I misunderstand?
  6. I notice that the uploads directory does not show permissions, whereas all directories that I have created above it do show permissions. Those that were created by the host do not have permissions. Is all this normal?
  7. The permissions are 644. From the image file properties, the user (owner) and group have the same id.
  8. Yes, the default permissions are as you say. Here's my app structure: Scripts in PHP/MySql send text/images/videos/audios to the client and take form input from my users and write the data to DB; I send data back to them in the form of a report; The users may upload text/images/videos/audios if they wish, which I would then put in files with data about the files put into DB; The scripts then send back these files on request by the user. Given that security is important with this app, do I need to change permissions anywhere with this environment?
  9. FYI, the folder that my index.php file defaults to has permissions 775, and the index.php has permissions 644.
  10. Thanks requinix. Yes, it's shared hosting. My app is high security, so I thought I'd need to handle folder and file permissions. So I take it that even though I can change permissions that I shouldn't?
  11. I do not have direct access to the server since I'm a developer using PHP/MySql on a remote shared server that uses Linux/Apache. I have read that it's important for security of my web site to have the permissions on the folders and files set properly. I can change them using my ftp.

      I am the developer. I have a number of testers who run the web app from their browsers (that accesses data files and PHP scripts and reads/writes with a db server). After testing, the app would be available to the general public on their browsers who would have the same access needs as the testers.

      1. In the above context: Does 'read' mean reading the scripts or data files or both? Does 'write' mean taking user input and changing the data file or db content? And what does 'execute' mean regarding scripts and data files if not to 'run' the scripts?

      2. How do I let the server know which users are User/Owner users, which are Group users and which are Other users, in order for the server to apply the appropriate User/Owner, Group and Other permissions when these users call the web pages from their browser? (I understand the 421 read/write/execute *structure* since it's all over the internet through google searches).
  12. I made a silly error! My humble and profuse apologies guys. I was so used to entering the password on the keyboard (hundreds of times .. you know how that works) that I didn't even check the keys on the nexuses: 12 instead of qw .. :|
  13. I’ve got a well proven php-mysqli website that works perfectly on desktops. It requests the email and password on the login page, taking that data and inspecting it before processing further. I’ve designed the presentation using CSS to be responsive and it’s working well, except for .. .. when I used it on my Nexus 4 and 7 the web site appeared. I touched the menu item ‘login’ and I entered both the correct email and password. However, the application bounced back as it should if either the email or password was wrong. So I inserted PHP scripting and confirmed that the site was receiving the correct email but a wrong password. The logic is 100% proven and the data entry correct. Is there something with the google nexus (and smartphones in general) that disallows web site passwords until some parameter is set? I'm hoping a responsive website developer accommodating nexus 4 or 7 can assist here.
  14. I implemented google's reCAPTCHA V2 on http:// on the remote apache shared server and it worked 100%. I then changed the protocol to my shared server SSL using the same PHP script as the non-SSL script. The older version of reCAPTCHA had an SSL 'false' to 'true' SSL parameter, whereas I can't find one for V2.

      I had to use htaccess to redirect the example.com to the shared SSL server https://serverid.net/example/ which works perfectly without reCAPTCHA. I incorporated reCAPTCHA V2 and the error message where the reCAPTCHA image should be shows "ERROR: Invalid domain for site key".

      Here's the htaccess:

          RewriteEngine On
          RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
          RewriteCond %{SERVER_PORT} 80
          RewriteRule ^(.*)$ https://servername.net/example/$1 [R,L]

      And the recaptchalib.php code in case that helps: https://github.com/google/ReCAPTCHA/blob/master/php/recaptchalib.php

      Anyone know how to make this work? (If this is not the right forum for this, please direct me to the appropriate one. Thx)
  15. Solution:

          if (trim($answers [success]) == true)

      should be:

          if (trim($answers ['success']) == true)
  16. I'm implementing google's reCAPTCHA V2. It works almost perfectly except for the following error located in the recaptchalib.php: Notice: Use of undefined constant success - assumed 'success' in (script location) https://github.com/google/ReCAPTCHA/blob/master/php/recaptchalib.php Anyone got an idea how to fix this?
  17. By trial and error I found the answer: It seems that when SSL is used (test 6), setcookie is required as follows:

          setcookie('sessionname', session_id(), time()+whatever, '/', 'theSSLhostaddress', true, true or false);

      Also, the htaccess works in test 6. The non-SSL script (test 1) did not require setcookie! Hope this helps.
  18. Here's the input/output to make this easier to understand ..

      #### Test 1 input/output (HTTP):

          Start .. URL is HTTP
          into test_page_SA.php (output stating the script id)
          Page SA (link)
          Page SB (link)
          28 SA session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank)
          33 not set, so now set SA _session[test1] = test1 (output proving $_session took the value)
          Full name [__________] (input box)

          [Enter the name Jim ..]

          The response is .. URL is HTTP
          into test_page_SB.php
          Page SA
          Page SB
          28 SB session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank)
          32 SB _session[test1] = test1 (proves the session variables are being kept)
          33 SB _session[name] = Jim (proves the form input is being accepted then assigned to a session variable ok)
          Full name [_________]

      #### Test 6 input/output (HTTPS):

          Start .. URL is HTTPS
          into test_page_SA.php
          Page SA
          Page SB
          28 SA session_id() = eeikccp2m9d0uecqa82glvfsa6u0v3lt (output from server; firebug 'cookie' shows nothing)
          33 not set, so now set SA _session[test1] = test1
          Full name {_________}

          [Enter the name Jim ..]

          The response is .. URL is HTTPS
          into test_page_SB.php
          Page SA
          Page SB
          28 SB session_id() = plqm2pnv3eqnl6bign0rr63rhl29n6kb (output from server; firebug 'cookie' shows nothing)
          37 SB _session[test1] not set (The session variables are not being sent from the server)
          Full name {__________}

      (Notice that the session_id is different for each cycle in Test 6!)
  19. I am using the scripts (at the end) on a shared debian server at my web host's remote facility. My purpose is to have a fully SSL site. The web host gave this format of URL for my SSL: https://hostaddress.net/example/ where www.example.com is the domain name.

      Map:

          /web/index.php (script below)
          /web/testbed/htdocs/test_page_SA.php (script below)
          /web/testbed/htdocs/test_page_SB.php (script below)

      The index.php directs to test_page_SA.php successfully in each circumstance that I'll describe, test_page_SA.php directs to test_page_SB.php as written, and test_page_SB.php directs back to test_page_SA.php.

      Before every test I delete the sessions at the server, and also delete the cookies, browsing and download history, and cache on the client (firefox). At each test I try both www.example.com and example.com (both lead to index.php). Whenever $params are set, they are set in index.php, test_page_SA and test_page_SB.

      I've searched far and wide to try to resolve this issue, and now it's forum time.

      Question: How do I get the session data to be saved on the server and the cookie saved on the client, while using $params secure=true and the SSL URL in htaccess?

      I conducted the following tests to try to isolate the issue, but failed to find an answer.

      Test 1 - non-SSL - the base http script that works: htaccess script is blank; http is used; $params secure = false.

      Result: test_page_SA and test_page_SB run successfully, unchanging cookie observed in Firebug (security = blank), at first giving the session id/cookie and the test1 session variable value, then when the input is saved, the output succeeds at giving the session id and both the test1 and name session variable values with both scripts in turn.

      Test 2 - non-SSL: htaccess script is blank; http used; $params secure = true.

      Result: test_page_SA fails to send the input to test_page_SB, cookie observed in Firebug (security = secure) and changes at every save, only the session id/cookie is shown, neither session variables shown. Identical results when input in test_page_SB has data saved.

      Test 3 - non-SSL: htaccess (below) is tried before using the SSL URL to be sure these lines are not an issue; http used; $params secure = true.

          RewriteEngine On
          RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
          RewriteCond %{SERVER_PORT} 80

      Result: Exactly the same output as Test 2.

      Test 4 - non-SSL: htaccess (above); http used; $params secure = false.

      Result: Success as in Test 1.

      Test 5: htaccess (below, as supplied by the web host); https used; $params secure = false.

          RewriteEngine On
          RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
          RewriteCond %{SERVER_PORT} 80
          RewriteRule ^(.*)$ https://hostaddress.net/example/$1 [R,L]

      Result: test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

      Test 6: htaccess (above); https used; $params secure = true. I understand that this parameter should be set to true when using https.

      Result: https://hostaddress.net/example/testbed/htdocs/test_page_SA.php shows as the URL in the address bar, as do the URLs in the two menu items hrefs. When a value is input, https://hostaddress.net/example/testbed/htdocs/test_page_SB.php shows in the address bar. As in Test 5, test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

      #### index.php

          <?php
          session_name('PHPSESSION');
          $lifetime = 7200;
          $path = '/';
          $domain = '.example.com';
          $secure = false;
          $httponly = false;
          session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
          session_start();
          $url = "testbed/htdocs/test_page_SA.php";
          header("Location: $url");
          exit();
          ?>

      #### test_page_SA.php:

          <?php
          session_name('PHPSESSION');
          $lifetime = 7200;
          $path = '/';
          $domain = '.example.com';
          $secure = true;
          $httponly = false;
          session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
          session_start();
          ?>
          <!DOCTYPE html>
          <html lang="en">
          <head>
          <meta charset="utf-8" />
          <?php
          ob_start();
          echo "into test_page_SA.php<br><br>";
          ?>
          </head>
          <body>
          <div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
          <div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
          <?php
          echo "28 SA session_id() = ".session_id()."<br>";
          if(!isset($_SESSION['test1'])) {
              $_SESSION['test1'] = "test1";
              echo "33 not set, so now set SA _session[test1] = ".$_SESSION['test1']."<br>";
          } else {
              echo "37 SA set, so SA _session[test1] = ".$_SESSION['test1']."<br>";
              echo "38 SA _session[name] = ".$_SESSION['name']."<br>";
          }
          if (isset($_POST['submitted_A'])) {
              if(isset($_POST['full_latin_name'])) {
                  $_SESSION['name'] = $_POST['full_latin_name'];
                  echo "46 SA _session[name] = ".$_SESSION['name']."<br>";
                  $url = "test_page_SB.php";
                  ob_end_clean();
                  header("Location: $url");
                  exit();
              }
          }
          ?>
          <form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
          <div>
          <label for="full_latin_name">Full name</label>
          <input type="text" id="full_latin_name" name="full_latin_name" />
          </div>
          <div>
          <input type="submit" id="submit" name="submit" value="Save" />
          <input type="hidden" name="submitted_A" value="TRUE" />
          </div>
          </form>
          </body>
          </html>
          <?php
          ob_end_flush();
          ?>

      #### test_page_SB.php:

          <?php
          session_name('PHPSESSION');
          $lifetime = 7200;
          $path = '/';
          $domain = '.example.com';
          $secure = true;
          $httponly = false;
          session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
          session_start();
          ?>
          <!DOCTYPE html>
          <html lang="en">
          <head>
          <meta charset="utf-8" />
          <?php
          ob_start();
          echo "into test_page_SB.php<br><br>";
          ?>
          </head>
          <body>
          <div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
          <div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
          <?php
          echo "28 SB session_id() = ".session_id()."<br>";
          if(isset($_SESSION['test1'])) {
              echo "32 SB _session[test1] = ".$_SESSION['test1']."<br>";
              echo "33 SB _session[name] = ".$_SESSION['name']."<br>";
          } else {
              echo "37 SB _session[test1] not set<br>";
          }
          if (isset($_POST['submitted_A'])) {
              if(isset($_POST['full_latin_name'])) {
                  $_SESSION['name'] = $_POST['full_latin_name'];
                  echo "45 SB _session[name] = ".$_SESSION['name']."<br>";
                  $url = "test_page_SA.php";
                  ob_end_clean();
                  header("Location: $url");
                  exit();
              }
          }
          ?>
          <form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
          <div>
          <label for="full_latin_name">Full name</label>
          <input type="text" id="full_latin_name" name="full_latin_name" />
          </div>
          <div>
          <input type="submit" id="submit" name="submit" value="Save" />
          <input type="hidden" name="submitted_A" value="TRUE" />
          </div>
          </form>
          </body>
          </html>
          <?php
          ob_end_flush();
          ?>
  20. For those of you who have the same issue, I found it was a class conflict in css.
  21. Oh, I get the same results in browsers IE8, FF 26 and Chrome 32.
  22. This is a general question, thus no script. I'm looking for hints as to what could cause the following: Is there any reason that javascript or jQuery include scripts could prevent radio button values from being sent to the server while all other values from selects and texts are correctly sent? When not using the javascript or jQuery includes the radio values are sent.
  23. Found out what causes this, and you're correct, it is jQuery:

          $(function(){
              /* This is shorthand for $(document).ready(function(){ which ensures all jQuery items are loaded before executing */
          });

      It's not the coding inside it, but just this one statement. Guess I'm off to the javascript forum now
  24. Thanks for your advice, kicken. Point on code wraps taken. I checked web console on firefox and it shows no data sent for radio inputs. Now this gets exhilarating! Whatever is causing this is refusing to accept radio selected data or is deleting radio selected data values before it gallops down to the server. My php code certainly is not involved at the form. And the javascript has nothing to do with these inputs - it's only used for email and pw graphics. Now I'm stumped. Any other ideas or hints? Mmm .. time for a 'candy bar to brain' moment, methinks.
  25. After checking all the posts on this forum, I tried more caffeine but it didn't work. Although this code is within a php script, I believe the issue is an html one (thus this forum), so please ignore the php:

      The form contains text, radio and select inputs. They are able to be input by the user, yet when I test for them being posted once the script is accessed after posting, the text and select values succeed but the radio values are nil.

      Form Code:

          <form method="post" class="" action="script.php">
          <div class="row">
              <label for="pronounce_name_as">How is your name pronounced?</label>
              <label id="label_instrn">Optional: for use with ideographic characters such as used in some Asian cultures</label>
              <input type="text" id="pronounce_name_as" name="pronounce_name_as" value="<?php if (isset($trimmed['pronounce_name_as'])) echo $trimmed['pronounce_name_as']; ?>" />
          </div>
          <div class="row">
              <label id="label_radio">Gender *</label>
              <input id="female" type="radio" name="gender" value='female' /> Female<br />
              <input id="male" type="radio" name="gender" value='male' /> Male<br />
          </div>
          <div class="row">
              <label id="label">Communications</label>
              <label id="label_instrn">Optional: this will help us provide you with appropriate study styles</label>
              <select id="label_select" name="comms" >
                  <option value='not_selected' selected>Select ..</option>
                  <option value='wo_speech'>I am without speech</option>
                  <option value='wo_hearing'>I am without hearing</option>
                  <option value='wo_sight'>I am without sight</option>
                  <option value='None'>None of the above</option>
              </select>
          </div>
          </form>

      Value test code:

          echo "posted pronounce_name_as = ".$_POST['pronounce_name_as']."<br />";
          echo "posted gender = ".$_POST['gender']."<br />";
          echo "posted comms = ".$_POST['comms']."<br />";
          var_dump($_POST['gender']);

      Output:

          posted pronounce_name_as = Jai-ms Smy-ly
          posted gender =
          posted comms = None
          string(0) ""

      Any ideas? Should I return to html bootcamp?
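
The six HTTP/HTTPS session tests in items 17 to 19 can be reproduced with a simplified model of the browser's cookie checks. This is an added example, not code from the posts; it assumes RFC 6265 domain matching and the Secure attribute are the only rules in play, and the `fix` row is a constructed case that uses the SSL host as the cookie Domain.

```javascript
// Added example: a simplified model of two browser cookie rules, applied to
// the six tests described in the thread. Not the poster's code.

// RFC 6265 section 5.1.3 domain-match: the request host must equal the cookie
// Domain or be a subdomain of it. A leading dot on the attribute is ignored.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// What happens to the session cookie between one page and the next.
function cookieOutcome({ scheme, host, cookieDomain, secure }) {
  if (!domainMatches(host, cookieDomain)) {
    return "rejected: Domain does not match the request host";
  }
  if (secure && scheme !== "https") {
    // Older browsers store it but never send it over http; current ones
    // refuse to store it. Either way the next request starts a new session.
    return "not returned: Secure cookie on an http connection";
  }
  return "stored and returned";
}

// Constructed inputs: scheme, host and session_set_cookie_params() values as
// the thread describes them for each test. The redirect in tests 5 and 6
// moves the browser to hostaddress.net before any script runs.
const D = ".example.com";
const THREAD_TESTS = [
  { test: 1, scheme: "http", host: "www.example.com", cookieDomain: D, secure: false },
  { test: 2, scheme: "http", host: "www.example.com", cookieDomain: D, secure: true },
  { test: 3, scheme: "http", host: "example.com", cookieDomain: D, secure: true },
  { test: 4, scheme: "http", host: "example.com", cookieDomain: D, secure: false },
  { test: 5, scheme: "https", host: "hostaddress.net", cookieDomain: D, secure: false },
  { test: 6, scheme: "https", host: "hostaddress.net", cookieDomain: D, secure: true },
  // Hypothetical seventh case: Domain set to the SSL host, Secure on.
  { test: "fix", scheme: "https", host: "hostaddress.net", cookieDomain: "hostaddress.net", secure: true },
];

function runThreadTests() {
  return THREAD_TESTS.map((t) => ({ test: t.test, outcome: cookieOutcome(t) }));
}

for (const r of runThreadTests()) {
  console.log(`test ${r.test}: ${r.outcome}`);
}
```

On the shared SSL host, a cookie with path `/` is also sent to every other site served under hostaddress.net, so scoping the path to `/example/` narrows where the session id travels.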