JonnoTheDev

Staff Alumni
Everything posted by JonnoTheDev

  1. Sephirangel is correct. I think you may need to do a little reading on sessions. If a session is set after a user logs in successfully and the value of the session variable contains their user ID that comes from a users database table, so:

     // login successful
     $_SESSION['user'] = $userId;

     the session will remain active until it is destroyed by using unset($_SESSION) - this may be in a logout script, or the closing of the web browser, or a period of inactivity by the user. So when your database queries insert the records into various tables you can add a userId field to those tables and in your queries:

     // part of mysql query
     INSERT INTO tableName SET userId='".$_SESSION['user']."', field1=''
  2. This must have something to do with the number of iterations in your loops containing the SQL. I would get it to print text to the screen within the loops rather than perform the SQL query for a test. If the sentences print out more than expected then you know the loops are incorrect.
  3. This is a common question and is usually caused by the page either being loaded twice or a user hitting forward, back, refresh in their browser. This is easily solved by redirecting the user back to the page after the insert query has run successfully:

     // database query
     mysql_query("INSERT INTO blah,blah,blah");
     // redirect user and stop the script so nothing after the header runs
     header("Location: mypage.php");
     exit;
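The redirect-after-insert pattern above, written out as an added example (not code from the original post) with PDO prepared statements and a one-time form token stored in the session, so that a refresh, back or forward can never re-run the INSERT. Table `comments`, its columns, the page name mypage.php and the database credentials are assumptions.

```php
<?php
// Added example: post/redirect/get plus a single-use form token.
// Assumed: table `comments` (user_id, body), page mypage.php, placeholder DSN/credentials.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepares
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The token the form carried must match the one in the session, and it is
    // consumed before anything else happens, so the same POST cannot be replayed.
    $expected = $_SESSION['form_token'] ?? '';
    $given    = (string)($_POST['form_token'] ?? '');
    unset($_SESSION['form_token']);

    if ($expected !== '' && hash_equals($expected, $given)) {
        $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
        $stmt->execute([
            ':uid'  => (int)($_SESSION['user'] ?? 0),     // user id set at login
            ':body' => (string)($_POST['body'] ?? ''),
        ]);
    }
    // 303 makes the browser fetch the page again with GET, so a later refresh
    // repeats the GET, not the POST. exit stops the rest of the script running.
    header('Location: mypage.php', true, 303);
    exit;
}

// GET request: issue a fresh token and render the form.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
?>
<form method="post" action="mypage.php">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="body"></textarea>
  <button type="submit">Save</button>
</form>
```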
  4. If this was my application then the closing of auctions would definitely be an event trigger. This could be a function in a common include file throughout the site that is run every time a page request is made. This would, as others have said, check a date time field in a database and set a flag value to indicate the auction is over. If you used a cron job (scheduled task) for this then auctions may not close at the correct time. Let's say you had a cron running every 5 minutes, then an auction due to close in 1 minute may remain open for another 4. The idea of using the same method to transfer monies in my opinion is not good at all. So I click on index.php and it triggers a cash transfer between you and the user - wooo bad! What if I close my browser as the script is running? This should definitely be a script run via a scheduled cron in a secure area of your webserver. Not in the web root for sure! If your programmer is any good then he should set up the program to report on any errors that may occur with transactions so you can take action. Hope this helps.
  5. First you need to find a whois service that isn't going to ban you making all these requests. Here is an example of a whois lookup: http://whois.domaintools.com/mydomain.com Do not use this service in your script as they will certainly ban you! mydomain.com can be any domain name. The bottom of the page contains the WHOIS data. You need to write the script so it can extract this data from the page. Use PHP's cURL to make the request. If there is WHOIS info then you know the domain is registered. If not you may see something like NO MATCH FOR domainname.com which indicates it is expired or unregistered. If this is the case get the script to notify you by email. Set the script off on a cron to run every x mins/hours, etc. (you will need to ask your hosting provider if you can do this in your plesk control panel)
  6. What I am trying to say is that if there is any damage an automated script could do by logging into your website then use a captcha. If not then don't bother. Never look at what other websites do as you can never compare your applications to the likes of facebook, myspace, ebay, etc. These are major enterprise sites and more than likely have security measures in various formats, hardware, etc. that can detect these things quickly.
  7. Bots are really off topic from this post but yes there are other ways of deterring them with what are called bot traps. Looking for things like user agents, request times in your web logs, etc. But remember people who make these are clever and will always get around traps one way or the other. Not sure why you would want to login to paypal with a bot unless you wanted your accounting to be done automatically. Ebay allows bots and there are certainly websites that can set ebay bots running for you to get the items you want. Some websites actually encourage bots to post data as they may provide good content to, let's say, an article directory or a blog rather than just spam links.
  8. That's a fair opinion. Just make sure that you use them on any form that can send out emails on submission such as a contact form. If you don't then it won't be long before you run into trouble! It's naive to think that any website form is safe in this day and age of spammers, hackers, etc.
  9. There is a very good reason for it on a login form! CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart and that is exactly what it is doing. I have webbots that can login and post details into websites and captcha makes this extremely difficult (if it is a good captcha). Imagine if your website was an auction site for example. I could easily have a robot do the logging in and bidding for me making it very difficult for human users to purchase the items they want to as a robot knows exactly when to login and get the item at the last seconds.
  10. You require a more complex regex specifying word boundaries. The best tool I have found as regex can be complex is regex buddy. Check it out: http://www.regexbuddy.com/ This tool you will use more than once for sure and is definitely worth getting even if the regex for your query is posted by another user.
  11. If there should be only 1 record in the database for the value you are adding into the query then use this code:

      $result = $db->query("SELECT group_id FROM group_members WHERE user_id = ".$config['last_reg_user_id']." LIMIT 1");
      $row = $db->fetch_assoc($result);
      if(is_numeric($row['group_id'])) {
          print "found group id: ".$row['group_id'];
      } else {
          print "no record found";
      }
  12. OK so your query is indeed returning values. When you are returning the query data in the form of $row through a loop you are adding to the $newest_user_group array: $newest_user_group[] = $row; To see what the array contains use after the loop: print_r($newest_user_group); This will be the field values in the database records that you returned with your query.
  13. Does this array value contain any data: $config['last_reg_user_id']? If not it will return no results. Your query is certainly grammatically correct. Try printing the $sql variable to the screen first to check.
  14. My code snippets are not complete and won't work. They are just examples to get you on the right track. If you have a duplicate key then get rid of the bad value and make sure that you definitely have an auto incremental field for your primary key and no other unique indexes on fields that may produce the error. If there are values in your variables (I assume that you have tested this) then this code will work (I have assumed the names of your database fields so make sure that you change them in the following SQL):

      $sql = "INSERT INTO clients SET client_id='".$client_id."',
              client_fname='".$client_fname."',
              client_lname='".$client_lname."',
              client_address='".$client_address."',
              client_city='".$client_city."',
              client_state='".$client_state."',
              client_zipcode='".$client_zipcode."',
              client_phone='".$client_phone."',
              client_cphone='".$client_cphone."',
              client_email='".$client_email."',
              client_website='".$client_website."',
              client_notes='".$client_notes."'";
  15. Look at the php eval() function http://uk2.php.net/manual/en/function.eval.php
  16. zero is a MySQL stop word meaning it will not be included in any search. See http://dev.mysql.com/doc/refman/5.0/en/fulltext-stopwords.html However, stop words can be modified in your MySQL config.
  17. Just a style preference I have: values ('".$client_id."', '".$client_fname."' I hate this sort of query using the "VALUES" syntax, especially if you modify the structure of your table and forget about queries written like this. SET is much more efficient as the order of fields makes no difference.
  18. Also, are you supplying the correct number of fields for values? You said you had an auto incremental key so there should be: values ('', '".$field1."' It is much better writing: SET name='".$name."', address='".$address."' etc.
  19. Remove the single quotes around your php variables! values ($client_id, $client_fname or values ('".$client_id."', '".$client_fname."'
  20. That is confusing! But it seems to me that all that is required is a simple SELECT query: SELECT fieldRequired1, fieldRequired2 FROM tableName WHERE fieldYouHaveValueOf='X'
  21. I would then put the initial login form behind an .htpasswd (if Linux).
  22. This depends on the type of certificate. Obviously the most expensive offer the highest protection and are probably way beyond your needs. Go to godaddy.com or someone similar. UK price is about £40 for a cert and we use it to protect payment details, etc. on websites without any issue.
  23. If it is the case that this is for website authentication and you are not confident that the above would help then purchase and install an SSL certificate. Users' passwords can still go through your function and marry up to database stored versions.
  24. If a user has JavaScript turned off then the value will not be encrypted and then never match up to any encrypted stored password anyway, so they would never be able to authenticate. You can also detect this behaviour in your application anyway using <noscript> tags.
  25. I'm guessing that you are checking if a record exists in the database with a certain value and if not then update it. Some similar code but it may not fit entirely:

      if(isset($_POST['go'])) {
          // escape server vars for database query
          $_POST['id'] = mysql_escape_string($_POST['id']);
          $_SESSION['login'] = mysql_escape_string($_SESSION['login']);
          $result = mysql_query("SELECT * FROM challengeid WHERE challengeid = '".$_POST['id']."' AND username != '".$_SESSION['login']."' LIMIT 1");
          // record already exists
          if(mysql_num_rows($result)) {
              print "Record already exists";
          } else {
              $_POST['result'] = mysql_escape_string($_POST['result']);
              mysql_query("UPDATE challengeid SET userresult = '".$_POST['result']."' WHERE challengeid = '".$_POST['id']."' AND username = '".$_SESSION['login']."'");
              print "Record Updated";
          }
      }

      Your first step in debugging is to check that your POST values are actually created from your form. You should always test/escape your post values before placing in any database query otherwise you are wide open to attack and could end up with unexpected results. Has there been a value entered for $_POST['result'] and $_POST['id']? Is there a value set for $_POST['go']? I assume this is a hidden form field. Rather than running the initial query, change your code to print it to the screen and then test with mysql. Is the query correct with the correct values? The first query that you have written is running through a loop indicating that there may be more than 1 record in the challengeid table with a challengeid of x and a username of X, is this the case? If not, using a loop is incorrect; check for a single record as in my example.
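The same check-then-update, as an added example (not code from the original post), written with PDO prepared statements so that the POST and session values are sent as bound parameters and never become part of the SQL text. The table and column names (challengeid, username, userresult) follow the thread; the function name and the connection details are assumptions.

```php
<?php
// Added example: check-then-update with bound parameters instead of escaping.
// Assumed: table challengeid(challengeid, username, userresult); placeholder DSN/credentials.
function updateChallengeResult(PDO $pdo, string $challengeId, string $login, string $result): string
{
    // Is this challenge already claimed by a user other than the current one?
    $check = $pdo->prepare(
        'SELECT 1 FROM challengeid WHERE challengeid = :id AND username <> :user LIMIT 1'
    );
    $check->execute([':id' => $challengeId, ':user' => $login]);
    if ($check->fetchColumn() !== false) {
        return 'Record already exists';
    }

    // Only the current user's own row can be touched by this statement.
    $update = $pdo->prepare(
        'UPDATE challengeid SET userresult = :result WHERE challengeid = :id AND username = :user'
    );
    $update->execute([':result' => $result, ':id' => $challengeId, ':user' => $login]);

    // rowCount() tells "updated" apart from "no matching row for this user".
    return $update->rowCount() > 0 ? 'Record Updated' : 'No record found for this user';
}

session_start();
// Check every input exists before touching the database; no value is trusted as SQL.
if (isset($_POST['go'], $_POST['id'], $_POST['result'], $_SESSION['login'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    echo htmlspecialchars(
        updateChallengeResult($pdo, (string)$_POST['id'], (string)$_SESSION['login'], (string)$_POST['result']),
        ENT_QUOTES,
        'UTF-8'
    );
}
```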