-
Posts
1,698 -
Joined
-
Last visited
-
Days Won
53
Everything posted by maxxd
-
Well, glad to know it at least doesn't disseminate questionable or outdated information and techniques. Shame there's no real content to the course, though. Good to know all the way around. He's not written any code - done some HTML and LESS, but that's it - and seems to enjoy when he's got a concrete footing to begin with, so the intro may be a good spot to start. I'll point him towards the PDO tutorial, and I'm ordering the security book for myself! Thanks much!
-
Hey y'all. I've got a friend that wants to learn PHP and I plan to help him out on it. Unfortunately, I don't have much free time right now and he wants to get started before I've got the chance to sit down with him. Most of the bound books that I have are utterly out-of-date by now, and the more recent are e-books, so I can't loan them out. Has anyone used codecademy before - is it at least decent? It looks like the topics are good, but again I don't really have enough time to audit the classes. I'm pretty much just wanting to make sure that it's not going to start him off down the wrong road; mostly that it's using up-to-date PHP functions and native PHP objects where applicable. Even though he's not planning on doing OO-style PHP from the outset, I think it'd be a boon to learn to use (for instance) the DateTime objects instead of taking the time to learn date(), then to have to relearn everything in DateTime(). Well, that and I do OOP, so I figure it may be a bit easier to use some of my code as examples if he's used to seeing code written in that style. I've run a couple searches through this board and not yet found any concrete opinions (a couple "it's well regarded", or "I hear it's good", but no-one as far as I've found has actually used the site), so if I've missed anything please feel free to point me toward the thread and I can read from there. I very much welcome and thank you for any opinions or thoughts on starting points!
-
Barand is right - use your prepared statement correctly. Right now you're wide open to SQL injection attacks and your single quotes are irregular and incorrect in several spots. A prepared statement will take care of those issues for you. Also, I'd recommend against using $_REQUEST. You should know where your data is coming from, and look only there for it - $_GET, $_POST, or $_SESSION. $_REQUEST is a catchall superglobal and can open you up to more security issues.
-
Use a ternary operator: $ass = empty($htmlVideoDetails->subtitile1) ? null : JURI::base()."components/com_contushdvideoshare/{$htmlVideoDetails->subtitle1}"; Of course Joomla's not based on an alien programming language, but it is - for lack of a better term - a dialect of PHP. Every framework has a different way of doing things. For instance, if the call to $htmlVideoDetails->subtitle1 hits the database or moves a SQL resource pointer forward in the result set, you'll not want to do it this way because you'll move past your intended data by doing the empty() check and return the second record, which may very well be null or empty. This is why it would be helpful to let people know what framework you're using; a 'bug' like this one isn't technically a bug, it's a logic flaw. Anyone who responds with the code above may lead you down a rabbit hole of hours or even days trying to figure out why the code "doesn't work", when it is, in fact, working perfectly. It's just that it's not returning what you expect it to return, and therefor looks like a bug. Hope that makes sense.
-
Help with my first super simple "Hello World" Wordpress plugin
maxxd replied to Cp1's topic in Applications
The code looks like it should work, but your hook choices are a bit off. I know you're just playing around and trying to learn, but the wp_print_scripts hook has been replaced with wp_enqueue_scripts, and the get_footer and get_header hooks aren't mean to be used for output as any output will happen before the markup. While testing, you may be better off using the the_content hook to prepend or append any output to the WP post content. That way you can see it right there in the middle of the page. -
Jacques1 - thanks much for the info, links, and advice!
-
Excellent information - thank you!
-
Thanks for the input! Really, I was looking to (ab)use htmlspecialchars() - in this case - as a last-gasp attempt to at least scramble any tag-based XSS attacks that got through. I figured that <script>bad stuff</script> would better than an unexpected <script>bad stuff</script> regardless where it landed. It's probably naive, admittedly - I'm not a security expert by any means. I do what I can to make what I code as safe as possible and try to keep up with the latest information; hence the question. My concern is this - I gather that $_SERVER['PHP_SELF'] can be spoofed pretty easily and shouldn't be used; is there the same level of concern with $_SERVER['REQUEST_URI']? For instance, if a (clearly really, really bored) hacker decides my little site is worth the effort, he or she can fake a post request to my endpoint. Assuming somehow that he or she can fake or grab a correct nonce and set of database-verified session credentials, would $_POST['REQUEST_URI'] then show my form address or his or her fake request address? And would it matter that much either way? Really, what it comes down to is that I've never had an interest in malicious hacking so I'm not even really sure how one would go about doing some of this stuff, which makes it difficult to test for in a safe development environment. I've read books and articles on the topic and have some basic manual testing methods that I use, but I want to be better at it...
-
Hey y'all. I'm a bit brain-fried and afraid I'm overlooking or forgetting something simple on this, and wanted some opinions/experiences. I'm working on a home-spun CMS using a router and mod_rewrite. Now, the back-end is clearly going to have forms that allow the manipulation of the data on the site, and I want to use the PRG pattern to avoid possible duplicate requests. However, we all know that PHP_SELF isn't safe, not to mention it returns index.php every time due to the router/rewrite combo. $_SERVER['REQUEST_URI'] returns the path I need to refresh properly, but I just want to make sure that using it in a 303 redirect header is fairly safe. I'm planning on using htmlspecialchars() and checking the returned value for quotes and/or semicolons, but honestly I've got enough other things to do to not want to waste my time writing that if it's innately an unsafe or bad solution. Any opinions, ideas, thoughts, or rants?
-
I'm in the same boat as Muddy_Funster - my job is currently got me very, very busy. I'll be more than happy to help out when I can with advice and code snippets, but can't commit to a full commission. If you want to keep working at it, post your updates and work here. If that's not a possibility, best bet is to follow Muddy_Funster's advice and post to the job board.
-
$user_login is apparently a global returned by the WordPress function get_currentuserinfo() (see here). You'll need to call the function and declare the variables global in order to use it. However, there are issues beyond that in what you've got. First off, Muddy_Funster is more than likely correct in that you don't want the greater-than comparator in your query. $user_login will return the current user name, but trying to get anything greater than or equal to that value is probably going to give you some odd results. I say 'more than likely' and 'pobably' because I don't have a full understanding of the business logic, so I could be wrong there. Secondly, you're moving the internal pointer past the first returned row of the result set before you start to loop through the results by using mysql_fetch_assoc() to try retrieving the 'total' value, which is a value you don't even select in your query. Which means it's not going to be there. Third, when you do attempt to loop through what should now be an empty record set (see the first part of the previous comment), you attempt to get the value using $yourfield, which isn't set anywhere. You know the column you're attempting to retrieve (money), because that's the only column you've selected - use that index ($row['money']). Finally, the mysql* functions have been removed from PHP. As soon as your hosting provider updates, everything you're writing will break. It's best to use PDO or MySQLi, unless the 'moneysql' table is in WordPress database. In which case, it may be easier to simply use the WordPress WP_Query object. At least that will handle some of the low-level stuff behind the scenes. For instance, WP finally updated the core code to stop using plain mysql_* functions, so you don't have to worry about that. Admittedly, they only did that a little less than two years ago as far as I can tell, but hey, it's done.
-
That's what I get for posting early in the morning. Good point.
-
$paid = ''; if($paid == 0) { header("Location: employer-profile.php"); } $paid will never equal 0 if you just set it to an empty string the line above the if() statement...
-
You don't need a header to stay on the same page. Check if $paid == 0; if it does, redirect the user. If not, just continue the script execution on that page.
-
Your code made me nostalgic for all things '90s, and I didn't feel like cleaning the house yet, so I knocked up a slightly more modern version. It's completely untested so don't expect to copy and paste it, but hopefully it'll put you on the right track. Also, don't quote me on the JavaScript validation - the concept is valid, but the syntax might be a bit wonky. <!html> <head> <link rel="stylesheet" href="//code.jquery.com/ui/1.11.4/themes/smoothness/jquery-ui.css"> <script src="//code.jquery.com/jquery-1.10.2.js"></script> <script src="//code.jquery.com/ui/1.11.4/jquery-ui.js"></script> </head> <body> <?php $message = ''; $addresses = array( 'hr' => 'hr@youremail', 'gr' => 'gr@youremail', 'spa' => 'spa@youremail.com', 'mkt' => 'marketing@youremail.com', 'acct' => 'accounts@youremail.com', 'reso' => 'reservations@youremail.com', 'event' => 'events@youremail.com', ); if($_SERVER['REQUEST_METHOD'] == 'POST'){ $message = mailIt($addresses, $_POST['regarding'], $_POST ); } /** * See https://github.com/PHPMailer/PHPMailer for documentation. * Remember you'll need to validate and sanitize all the user-submitted data. * I didn't do that in this example... * * @param array $addys Array of possible email addresses * @param string $reg The user-selected email address to send to * @param array $fields User-submitted form field values * @return string */ function mailIt(array $addys, $reg='hr', array $fields){ $mail = new PHPMailer(); //set up your configuration according to the PHPMailer documentation here $mail->setAddress($addys[$reg]); $mail->setFrom('contact@youremail.com'); $mail->Subject = 'Contact form filled out'; $mail->Body = '';// Build the body of the email from the $fields array if($mail->send()){ return "Your mail has been sent. Thank you!"; }else{ return "Sorry! There was an error. Please try again"; } } ?> <form name='contact' method='post' id='contact' class='form contact'> <div class='response'><?= $message; ?></div> <fieldset> <label for='firstName'>First Name*</label> <input type='text' name='firstName' id='firstName' data-req='required' /> </fieldset> <fieldset> <label for='lastName'>Last Name*</label> <input type='text' name='lastName' id='lastName' data-req='required' /> </fieldset> <fieldset> <label for='eAddy'>Email Address*</label> <input type='text' name='eAddy' id='eAddy' data-req='required' /> </fieldset> <fieldset> <label for='phone'>Phone*</label> <input type='text' name='phone' id='phone' data-req='required' /> </fieldset> <fieldset> <label for='regarding'>Regarding</label> <select name='regarding' id='regarding'> <option value='reso'>Reservations</option> <option value='gr'>Guest Relations</option> <option value='spa'>Spa</option> <option value='mkt'>Marketing</option> <option value='hr'>Human Resources</option> <option value='acct'>Accounts</option> <option value='event'>Groups/Weddings</option> </select> </fieldset> <fieldset> <label for='checkInDate'>Check In Date</label> <input type='text' id='checkInDate' class='datePicker' name='checkInDate' /> </fieldset> <fieldset> <label for='checkOutDate'>Check Out Date</label> <input type='text' id='checkOutDate' class='datePicker' name='checkOutDate' /> </fieldset> <fieldset> <label for='comments'>Comments</label> <textarea id='comments' name='comments'></textarea> </fieldset> <input type='submit' value='SUBMIT' name='submit' class='submit' /> </form> </body> <script language="javascript" type="text/javascript"> $('.datePicker').datepicker('option','format','d MM, yy'); $('#submit').click(function(){ $('#contact input').each(function(){ if($(this).attr('data-req').val() == 'required'){ if($(this).val() === ''){ alert('Please fill out all required fields'); return false; } } return true; }); }); </script> </html>
-
Error? Can someone help on my file upload to database connection.....
maxxd replied to charliehoward's topic in Applications
Clearly it's going to be difficult for anyone to help when you've not posted any code. Just make sure you remove your database credentials before posting here. While I'm here, though; I don't know if it's semantics or your actual plan, but you don't want to store the actual images in a database. Use PHP to upload the image to a directory on the server, and store the file path in the database. -
Completely missed that - thank you!
-
Does Twig automatically escape output now? I know you can set a template to auto-escape blocks of output, but you have to specifically set it to do so. Otherwise you escape on the value, such as <div>{{ some_value|e }}</div> <div>{{ some_value|escape('html') }}</div> unless that changed... Either way, Twig is fantastic and very much recommended.
-
The query will return the job costs figures grouped by month, as you need. Add an ORDER BY clause using YEAR(exrdate) AND MONTH(exrdate), then figure out how to calculate the profit margins, and print the data using a loop.
-
In addition, you switch from HTML to php in your form without opening or closing php tags. Without knowing what "it's just not working" specifically means, it's hard to tell if that's a by-product of cutting and pasting bits of code or if it's an actual error.
-
Admittedly, it's late so I may be overlooking something, but your connection string looks like it should work assuming the username, password, database name, and host are correct. The only thing I see that looks a little off is the space between the host and dbname assignment. The dsn strings that I've seen and used in the past don't have a space there. So perhaps changing $db_connection = new PDO("mysql:host=$host; dbname=$db_name", $db_user, $password); to $db_connection = new PDO("mysql:host=$host;dbname=$db_name", $db_user, $password); might help? To make sure the constants.php file is being included, just add a die('Hi there! This is constants.php'); at the top of the script an see if it prints out or not. Might be a path issue, although if you have error reporting turned on that should tell you the file isn't found. That having been said, the entire logic behind the class you've designed makes no sense. You're assigning the DB connection to a method-scope variable, then calling a static object method to attempt to return the variable you just assigned to the method-scope variable (and which the static object method knows nothing about) to another method-scope variable?
-
For comparisons like this, I recommend using DateTime() objects. Everything suggested so far will obviously work, but I personally find them easier to deal with and more extensible as the comparison criteria inevitably grow and get more complicated.
-
What should be a simple issue is making me nuts... Help please.
maxxd replied to Johninbc's topic in PHP Coding Help
You're missing a quote in front of the first parameter's value. Change "...VALUES ($company','$first',..." to "...VALUES ('$company','$first',..." Are those values integers or strings? If integers, you don't need the quotes anyway. In addition, $writedata is a string in the context you posted, and doesn't actually run the mysqli_query() function - you're missing a comma between your parameters and would have received an error if it'd actually run. Furthermore, you're using Mysqli - which is good - but you're still wide open to SQL injection. Use a prepared statement for the insert. -
Update field but do nothing when field value equals
maxxd replied to cobusbo's topic in PHP Coding Help
Or set the value to null for those that are permanent. Then you can simply add a not null check to your query WHERE string. -
Also sounds like the op parameter is the operation, so instead of using '+','=','/' and '*' as your cases in your calculate() method, you'd use 'm' for multiplication, 'd' for division, 'a' for addition, and 's' for subtraction. Honestly, what I'd do in that situation is pass both numbers as parameters to the class constructor, then use the operations parameter as a method call. If the operation parameter maps to a method that doesn't exist in the object, throw an error. Otherwise, return the modified value. That being said, what you have will work just fine, so that's just a personal preference.
- 4 replies
-
- query string
- http_build_query
-
(and 1 more)
Tagged with: