Everything posted by maxxd

  1. Yes, every field has to have a name attribute for PHP to recognize it. So, yeah - it's a good point, depending on how your pages are set up you'll probably want a hidden field to pass the product ID. My point was mostly don't pass the price for the product and assume that it hasn't been modified by the user. Which leads us to the next question: Sure - put this on your local dev environment:

     <?php
     // Print whatever value the browser sent for the hidden field (escaped for HTML output),
     // or 'not set' on the first (GET) load of the page.
     if(isset($_POST['hidden_field'])){
         print("<p>".htmlspecialchars($_POST['hidden_field'])."</p>");
     }else{
         print("<p>not set</p>");
     }
     ?>
     <!DOCTYPE html>
     <html lang="en">
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1.0">
         <title>Document</title>
     </head>
     <body>
         <form method="post">
             <input type="hidden" name="hidden_field" value="originally set!" />
             <input type="submit" />
         </form>
     </body>
     </html>

     Load the script into your browser and click the submit button; see where 'not set' changes to 'originally set!'? Groovy - now, open your developer tools from the browser and select the field with the 'hidden_field' name attribute and change the value attribute on that field to 'hacked, yo!'. Now click the submit button again. Without any sort of validation or server-side checking, the form happily passes 'hacked, yo!' to the processing script, and if that script processed a product price the user could easily change it to 0.00 or less. *edit* If they mess with the product ID.... well, honestly who cares? They'll just end up paying the correct price and getting a different product. It doesn't really help them out at all.
  2. Pass a product ID and quantity to the order form, then get the product price from the database and calculate the total price at that point. These fields should both be visible to the user. You can use a hidden honeypot or nonce field if you really want to, but if you're charging money I'm not sure many bots would actually pay for something at random (though I could be wrong so don't quote me on that). The only time you should deal with the price on the server-side (other than for output purposes) is when the order is being completed - you need to make sure the user doesn't use the developer tools to change the price during the sale, but once the sale is made you need to track how much the product cost at the time of the purchase in case the price changes in the future (which it will).
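The server-side order handling described in the two posts above (the client sends only product ID and quantity, the price is looked up by prepared query, the total is computed on the server, and the unit price is recorded with the sale), as an added PHP example that is not from the thread. The SQLite schema, table names and sample rows are constructed for this example.

```php
<?php
// Added example (not from the original thread): the order handler maxxd describes.
// The client sends only product_id and quantity; the price is looked up server-side
// with a prepared statement and the unit price is copied into the order row so the
// sale keeps its price even if the product price changes later. The schema, table
// names and sample rows are constructed for this example.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, product_id INTEGER, quantity INTEGER,
               unit_price_cents INTEGER, total_cents INTEGER)');
    $db->exec("INSERT INTO products VALUES (1, 'Widget', 1999), (2, 'Gadget', 4950)");
    return $db;
}

// Returns the stored order summary, or throws on bad input. Anything else the client
// sent (a tampered 'price' field, for instance) is simply never read.
function placeOrder(PDO $db, array $post): array {
    $productId = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $quantity  = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($productId === false || $quantity === false) {
        throw new InvalidArgumentException('product_id and quantity must be positive integers');
    }
    $stmt = $db->prepare('SELECT price_cents FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        throw new RuntimeException('unknown product');
    }
    $unit  = (int) $price;
    $total = $unit * $quantity;   // integer cents: no float rounding surprises
    $ins = $db->prepare('INSERT INTO orders (product_id, quantity, unit_price_cents, total_cents) VALUES (?, ?, ?, ?)');
    $ins->execute([$productId, $quantity, $unit, $total]);
    return ['order_id' => (int) $db->lastInsertId(), 'unit_price_cents' => $unit, 'total_cents' => $total];
}

$db = setupDb();
// Constructed request: the client also sends price=0.00, which is ignored entirely.
$order = placeOrder($db, ['product_id' => '2', 'quantity' => '3', 'price' => '0.00']);
printf("order %d: 3 x %d cents = %d cents\n", $order['order_id'], $order['unit_price_cents'], $order['total_cents']);
// Raising the product price later does not change the recorded sale.
$db->exec('UPDATE products SET price_cents = 6000 WHERE id = 2');
$row = $db->query('SELECT unit_price_cents FROM orders WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
printf("recorded unit price is still %d cents\n", $row['unit_price_cents']);
```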
  3. Part of the reason jQuery became what it is is because of cross-browser compliance. You didn't have to do the `if(ie), else(everyone_else)` jig. However, as requinix pointed out, these days an AJAX call is pretty much an AJAX call regardless what browser you're using, assuming it's not an obsolete browser. Shoot, even fetch() is supported by everything except ie11, and I'm pretty sure there's a polyfill for that.
  4. I remember we had issues with the Mojave > Catalina upgrade on our iMacs at my last job.
  5. I've seen some articles where they pass `idekey` and `remote_host` via the arguments parameter, but that doesn't seem to make a difference here. I also tried passing the path to the specific script that I'm trying to test - again, AFAIR that didn't make a difference. `cwd` is actually set in my launch file, and again I don't recall `externalConsole` having any effect. The others I didn't know about - thanks for the pointers, I'll do some digging. The thing I find most annoying is that every tutorial or set up or walk-through I find seems to use a different subset of the launch settings - the only consistent one I've found is `remote_connect_back` should be set to 0 or it won't work. Admittedly, it's probably a setting somewhere else in the system; I'm afraid I may just have to nuke it from space and start over.
  6. It's a macbook pro - I do try to keep up to date with OSx, though honestly I have no idea what animal, mountain, or lake they're on right now...
  7. Hi y'all. I've been scrubbing Google for this and from everything I'm reading and seeing, this should be working - problem is it's not... Here's the deal. I've got a docker image spun up with my development environment and all that's fine. I've updated the php.ini on the image with the following:

     [xdebug]
     xdebug.remote_autostart=1
     xdebug.remote_enable=1
     xdebug.remote_log="/var/log/xdebug.log"
     xdebug.remote_host=host.docker.internal
     xdebug.remote_handler=dbgp
     xdebug.remote_port=9000
     xdebug.remote_connect_back=0
     xdebug.collect_vars=1
     xdebug.collect_returns=1
     xdebug.collect_assignments=1
     xdebug.profiler_enable=1
     xdebug.idekey=VSCODE

     I created a new config in launch.json as so:

     {
         "name": "Remote XDebug",
         "type": "php",
         "request": "launch",
         "port": 9900,
         "pathMappings": {
             "/var/www/html" : "${workspaceRoot}/myDir"
         },
         "cwd": "${workspaceRoot}/myDir"
     }

     I set a few breakpoints in VSCode in my file on the host system, start the debugger, and docker-compose run into the image, where I `php test.php` and expect to be brought into the debug session as I would on the host system (that part works). However, it doesn't happen - I never get into the debug session on the host system. My xdebug.log does, however, look like everything should be working:

     [11] Log opened at 2020-05-04 20:37:03
     [11] I: Connecting to configured address/port: host.docker.internal:9000.
     [11] I: Connected to client. :-)
     [11] -> <init xmlns="urn:debugger_protocol_v1" xmlns:xdebug="https://xdebug.org/dbgp/xdebug" fileuri="file:///var/www/html/testing/test.php" language="PHP" xdebug:language_version="7.1.33" protocol_version="1.0" appid="11" idekey="VSCODE"><engine version="2.9.1"><![CDATA[Xdebug]]></engine><author><![CDATA[Derick Rethans]]></author><url><![CDATA[https://xdebug.org]]></url><copyright><![CDATA[Copyright (c) 2002-2020 by Derick Rethans]]></copyright></init>
     [11] -> <response xmlns="urn:debugger_protocol_v1" xmlns:xdebug="https://xdebug.org/dbgp/xdebug" status="stopping" reason="ok"></response>
     [11] Log closed at 2020-05-04 20:37:03

     Oh, and my docker-compose file maps port 9900 on the host to 9000 on the image.

     service:
       build:
         context: '.'
       volumes:
         - ../myDir/:/var/www/html/
         - ../logs/:/var/log/
       ports:
         - 80:80
         - 443:443
         - 9900:9000
       networks:
         - test
       environment:
         - ENVIRONMENT=development
       depends_on:
         - database

     Anybody have any ideas? I'm just burning time on this now, but I'd very much like to be able to debug in the docker container because I'm currently working with a couple different companies that use wildly different php/server setups and I don't want to have to try and keep that straight or have to continually nuke my machine. Thanks in advance!
  8. Code, perhaps?
  9. Either change the AJAX method or the PHP method. They have to match.
  10. You're checking $_GET, but using POST in your ajax call.
  11. Caveat to keep in mind, though - any time/date data you've inserted into a database is now technically incorrect as it was inserted using the server's timezone. If you have any queries that pull data by date/time, that may become a factor - daylight savings and whatnot can sometimes cause returns to be a full day off, depending on how the query is built and how the data was stored. Of course, that could just be the lingering PTSD from the several months long timezone-based project I just finished at work...
  12. What's the fault code and string it should output on failure? The docs state that SoapClient::__construct() will throw a SoapFault exception if the WSDL URI can't be loaded - it doesn't look like your endpoint is WSDL.
  13. That is the format for CSS. Cut everything between '<style>' and '</style>' out of the current file and paste it into the other file.
  14. The GitHub repo is marked unmaintained and the PEAR page shows the last release was in 2017, so I think it's probably not a safe bet. However, you could try it and see if anything errors out...
  15. It might help to post those errors here.
  16. Count the number of equals signs on that line. Remember 1 is for assignment, 2 is for comparison.
  17. If you're trying to comment on an existing comment, you need a parent_id column in your table. The id of the initial comment would then go into that column. For a more robust and future-proof solution, you'd create a separate table to track the parent/child relationships between comments, but the idea is the same.
  18. You should be getting at least a notification as the 'status' array in the response doesn't have a 'tickets' index. Check your data nodes before attempting to output anything, and make the code more explicit in what it's trying to do:

     $return = json_decode($response, true);
     // Only walk the tickets when the call succeeded and actually returned some.
     if($return['status'] == 'success' && !empty($return['data']['tickets'])){
         foreach($return['data']['tickets'] as $ticket){
             // Escape the API values before echoing them into the page.
             echo htmlspecialchars($ticket['ticketNumber']).' - ';
             echo htmlspecialchars($ticket['title']).' - ';
             echo htmlspecialchars($ticket['content']).'<br />';
         }
     }

     If the call fails, I assume 'status' will not be 'success' and 'tickets' will be empty - the above will stop your program from crashing at that point.
  19. The error means you're not passing any variables to the function. Once you add $fn and $ln to the function definition you need to actually pass the first name and last name when you call that function.
  20. You need to use JavaScript to change page contents without refreshing or redirecting the page. Basically, you'll attach a click handler to your button that reads the contents of your input field, uses AJAX to communicate with a PHP script on the server - it's this script that will figure out what image to serve up - and then replaces the image with the information sent back from the PHP script.
  21. Where is ClockingInDate coming from? You mention a timestamp and a timestamp from db - what is where, and what data does everything contain?
  22. You've gotten some things confused, I think. Take a step back and think about what you're trying to do, what you're doing currently, and what needs to be done to do what you actually want to do. For instance, you know you're going to update lyrics, right? Does the name of the column containing lyrics change? I'm going to bet not, so why then not just use the column name directly - there's no need for a variable. Also, you set $id to whatever the value of $_SESSION['id'] is, assign $_POST['lyricsId'] to a variable before you check whether or not it exists, and then completely ignore $lyricsId in favor of $id (which I think is probably not the same thing) to let the database know which record to update. And while you're at it, get into the habit of using prepared queries. Right now your query is wide open to SQL injection attacks - learning to avoid this from the outset is a lot easier than trying to relearn how to do things later on. Just ask Little Bobby Tables's school administrators...
  23. In addition, leave the `action` attribute off your opening form tag. By not supplying an action the form will submit to its own address, and I believe that $_SERVER['PHP_SELF'] can be altered or spoofed. In a similar vein, instead of checking $_SERVER['REQUEST_METHOD'], you could always check the actual variable you're about to use - that way you'll know that what you want to print actually exists.

     if(!empty($_POST['Name'])){
         echo htmlspecialchars($_POST['Name']);
     }
  24. Yes. Just remember that there are a lot of tutorials still on the web that were written in a simpler time, so if it doesn't mention having to authenticate the request it's very likely rather old and probably won't work. I can't guarantee that's the case, of course, but given the privacy concerns (or lack thereof) that have come to light recently it probably is.
  25. Look up Jen Simmons and Rachel Andrew about grid - they're amazing with it (among other things they're both awesome at). Rachel Andrew has this repo that's also pretty fantastic.