Jacques1
Members
Posts: 4,207
Days Won: 209

Everything posted by Jacques1

  1. *sigh* You've been doing this for 10 years, you've been told several times to look out for SQL injections and use prepared statements. Haven't you learned anything?
  2. Do you see any references to $key or $value in your loop? Me neither. Then how do you expect to get the entries? If you don't remember how loops work, relearn the PHP basics before you start any complex project.
  3. No, no, no, no, no. For the love of god, stop it. I have no idea what you're trying to do there, but this is fucked up even by PHP standards. There's a handful of PHP experts who know when and how to use eval(), but you aren't one of them. Whenever you think eval() is the right solution, you're horribly, horribly mistaken. Strike this function from your memory. For a newbie, it's like playing Russian Roulette with a fully loaded gun. Once again: Tell us what you want to achieve, not how you think it can be achieved.
  4. Guys. The problem was solved last week. You can stop explaining how time works. The OP got it. I know that reading is tough, but when you open a thread, try to at least check the current state. Repeating what everybody else has already said just isn't very helpful.
  5. Checking the string length is the job of strlen(), so forget about that when you write the regex. There are three logical steps here: Write a pattern for an alphanumerical sequence without a dash. That's the prefix. Write a second pattern for an alphanumerical sequence preceded by a dash. Put the two together and repeat the second with the * quantifier. And learn what anchors are. Right now, you're merely doing a substring search.
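Putting the three steps together, as an added example (this is not the poster's code): the pattern below is built from the two sub-patterns the post describes, with the length check done by strlen() and the match anchored to the whole string. The maximum length and the sample inputs are assumptions; the thread does not state them.

```php
<?php
// Added example, not from the original post: anchored pattern for
// "alphanumeric segments separated by single dashes".
declare(strict_types=1);

const MAX_CODE_LENGTH = 32; // assumed limit; the thread does not give one

function is_valid_code(string $input): bool
{
    // length is strlen()'s job, so it stays out of the regex
    if (strlen($input) > MAX_CODE_LENGTH) {
        return false;
    }
    // prefix:   [A-Za-z0-9]+      an alphanumeric run without a dash
    // segment:  -[A-Za-z0-9]+     an alphanumeric run preceded by one dash
    // (?: ... )* repeats the segment zero or more times
    // ^ and $ anchor the match to the whole string; without them this would be a
    // substring search and "bad!abc-def" would be accepted because "abc-def" matches.
    // /D makes $ refuse to match before a trailing newline.
    return preg_match('/^[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$/D', $input) === 1;
}

// constructed sample inputs and the result the pattern should give for each
$samples = [
    'abc'         => true,
    'abc-123-xyz' => true,
    '-abc'        => false, // no prefix before the first dash
    'abc-'        => false, // dangling dash
    'abc--def'    => false, // empty segment between two dashes
    'bad!abc-def' => false, // rejected only because of the anchors
    "abc\n"       => false, // rejected only because of the /D modifier
];

foreach ($samples as $input => $expected) {
    $result = is_valid_code($input);
    printf("%-16s %s\n", json_encode($input), $result === $expected ? 'ok' : 'MISMATCH');
}
```

Run it from the command line; every line should print "ok". Dropping the anchors or the /D modifier turns two of the rejections into acceptances, which is the difference between validation and a substring search.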
  6. Why don't you debug this? If the first path fails, then it's simply the wrong path. This has nothing to do with hard-coded strings. A string is a string. So the obvious solution is to compare the strings and find out where they differ.

     <?php
     var_dump($uploaddir);
     var_dump($image_path);
     // do a hex dump as well
     var_dump(bin2hex($uploaddir));
     var_dump(bin2hex($image_path));
  7. So “apparently it's not opening” means that the die() is triggered, yes? Turn the error reporting all the way up and enable logging. Then add proper error handling for the JSON parsing. If there's something wrong with the file itself, then file_get_contents() will give you an exact error message. If the parsing fails, the JSON extension will tell you. Operations in PHP don't just silently fail.
  8. There's no such feature in MySQL. The DATEDIFF() function gives you calendar days and has nothing to do with time. Use the DateTime class in your application.

     <?php
     // MySQL DATETIME values are zero-padded, so H rather than G
     const MYSQL_DATETIME_FORMAT = 'Y-m-d H:i:s';
     $input = '2017-07-31 19:15:14';
     $now = new DateTime();
     $input_datetime = DateTime::createFromFormat(MYSQL_DATETIME_FORMAT, $input);
     if ($input_datetime === false) {
         // createFromFormat() returns false on malformed input instead of throwing
         throw new InvalidArgumentException('Invalid datetime: ' . $input);
     }
     $diff = $now->diff($input_datetime);
     // %a is the total number of days; %d would only be the days left over after whole months
     echo $diff->format('%a days, %H hours, %I minutes, %S seconds');
  9. What are you talking about? Your idea of a “key” has nothing to do with cryptographic keys, which are purely random byte sequences, and a 128-bit long ciphertext cannot possibly fit into 20 decimal digits. Why would you even do that? You should explain what you want to achieve, not how you think you can achieve it. What is the background of this strange task?
  10. Then you've obviously tested it with full hours. https://3v4l.org/hPa2n Maybe we need a new tutorial: How the clock works.
  11. Creating a script to produce a single URL is nonsense, so that's out of the question. Surely you have an application-wide configuration. If you don't, now is the time to create one. Put the URL into the configuration, then simply reference it whenever you need the URL.

      <a href="<?= html_escape(config_get('foo_url'), 'UTF-8') ?>">text</a>
  12. Dude. Stop – writing – random – PHP – code. Stop it. No code. I don't need your code. I need you to start thinking. You said you understand the idea, but you clearly don't, so let's try that again in plain English: You take one parameter at a time. Not two. Not three. One. One parameter. If the parameter doesn't exist, then you display an error message. If it does exist, you check if it's empty. In case of an empty parameter, you display another error message. That's the procedure for one parameter. Now you have two. A dumb approach would be to randomly try different combinations and hope that one of them is right. You did that, and it failed. The smart approach is to simply do one step after the other: First you validate one parameter, then you validate the next. No combinations. Just a sequence of checks. Do you think you can write pseudo-code (not PHP code) for two checks? Of course this can later be optimized with loops etc., but right now, the goal is to understand the procedure.
  13. CB150Special: You've been told at least three times by different people to escape variables. E – s – c – a – p – e. If you're unable to remember this information, then write it on a post-it note and stick that on your monitor. Making a mistake is fine. If it happens again, well, maybe you aren't the fastest learner. But when you make the exact same mistake over and over and over again without showing any sign of progress, there's something wrong. As to the rest of the code: Don't try to come up with your own fancy structure. Constantly switching between HTML markup and PHP business logic is just bad, and putting individual queries into separate scripts makes even less sense. Use the standard structure described by ginerjm.

      <?php
      // the business logic (queries etc.) goes here
      $name = 'test';
      ?>
      <!-- the HTML markup goes here -->
      <!DOCTYPE html>
      <html>
      <head>
          <title>An HTML standard template</title>
          <meta charset="utf-8">
      </head>
      <body>
          <!-- an escaped(!) PHP variable -->
          <?= html_escape($name, 'UTF-8') ?>
      </body>
      </html>
      <?php
      /**
       * HTML-escapes a string so that it can safely be included in an HTML document
       *
       * @param string $raw_input the string which should be escaped
       * @param string $encoding the character encoding of the target document
       *
       * @return string the encoded string
       */
      function html_escape($raw_input, $encoding)
      {
          return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
      }

      If you want a smarter approach with markup reuse etc., then use a template engine like Twig. This will also help you with the HTML-escaping.
  14. You're still in random-code mode. Forget about the code. Close the editor or IDE. Take a piece of paper and write down the necessary steps for one variable. Just one. Don't write actual code, use informal text or pseudo-code.

      if parameter "from_date" does not exist, then
          display error: "Missing parameter: from_date"
          -- you could also log this, because a missing parameter may indicate a problem with your form
      else if parameter "from_date" has an empty value, then
          display: "Please specify the start date"

      Do you understand those steps?
  15. Forget about tutorials and actually think about the code you're writing. You first check if $required isn't set. How, exactly, can it not be set when you've just set it in line 4? That seems impossible, doesn't it? Then I've told you how empty() is wrong. And what do you have in your code? empty(). Programming isn't about producing random code and then shuffling characters around until it “works”. It's about understanding the problem. So before you write a single line of code, you should have a clear plan of what you want to do. If necessary, write it down, draw a diagram or use pseudo code. Anything that helps you better understand the task. So once again: empty() is bad and doesn't belong in validation code at all. This is not my “opinion”, it's a fact which I've already explained in #12. You need two checks. You first do an isset() check of the input parameter (not some array which you've set yourself). As in

      // if you want to check a URL parameter, then of course you need $_GET instead of $_POST
      if (!isset($_POST['a_parameter'])) {
          // the parameter doesn't exist at all
      }

      Then you check if the value of the parameter is an empty string:

      if ($_POST['a_parameter'] === '') {
          // the parameter has an empty value
      }

      Two checks. First an existence check. Then a check if the value is empty. As long as you're struggling with the basic concepts, forget about loops and fancy validation schemes. Just do the checks one after another.
  16. No, that wouldn't make any sense. What “can't” you do? Show the code and explain the problems.
  17. I've explained the solution at least three times, so, yes, you are a troll. Or too stupid to follow simple instructions.
  18. This is wrong and stupid and will give you invalid documents. Anyway, I get the impression that you're now more interested in trolling than actually solving the problem. Good luck.
  19. Yeah, because this is exactly how you've stored it:

      +------+-------------------------------+----------+---------------+------------------------+
      | Yr   | Achievement                   | SeasonID | CompetitionID | CompetitionName        |
      +------+-------------------------------+----------+---------------+------------------------+
      | 2016 | GO BACK TO SCHOOL Cup Winners |       12 |             8 | GO BACK TO SCHOOL Cup  | <----
      | 2016 | UN Peace Cup Winners          |       12 |             9 | UN Peace Cup           |
      | 2016 | Kyanja U-14 Cup Winners       |       12 |            10 | KYANJA U-14 Cup        |
      | 2016 | NDIV V Winners                |       12 |             7 | Nakawa Fifth division  |
      | 2016 | GO BACK TO SCHOOL Cup Winners |       12 |             8 | GO BACK TO SCHOOL Cup  | <----
      | 2015 | UN Peace Cup Winners          |       13 |             9 | UN Peace Cup           |
      | 2015 | Kyanja U-14 Cup Winners       |       13 |            10 | KYANJA U-14 Cup        |
      | 2015 | NDIV V Winners                |       13 |             7 | Nakawa Fifth division  |
      +------+-------------------------------+----------+---------------+------------------------+

      If that's an error (which it looks like), then you need to repair your data and table definitions to prevent this from happening again.
  20. Before you do anything, you need to actually learn how to use mysqli – or even better: switch to PDO. mysqli isn't the kind of extension which “just works” as long as the code vaguely makes sense. It's a hard-core low-level interface for people who carefully read the manual and spend a lot of time getting every detail right. Let's be honest here: That's not how you operate. If, for some crazy reason, you want to use mysqli nonetheless, then the first thing you need to learn is error handling. You can't just assume that methods never fail. As you just saw, they do. That means you either have to check – every – single – return value. Or you must enable exceptions. If you enable exceptions, do not catch them. I know PHP programmers have the strange urge to wrap everything in try-catch statements and print error messages on the screen. But exceptions should usually be left alone. That crypt() stuff you've copied and pasted from the Internet is also messed up. Again: Read the manual. It explicitly tells you to use the Password Hash API. Like mysqli, crypt() is a low-level interface not intended for the average programmer. And it's even harder to use.
  21. No, this does not change the HTML content. Test it, and you'll see that you end up with <p>This is some new text</p> Why? Because you've created text, not an HTML element node. If you still don't understand the fundamental difference, I'm afraid this project won't be very successful.
  22. Make that

      session_regenerate_id(true);
                            ^^^^

      Otherwise the old session is still intact and will contain everything you've written to it before the ID change. The truth is: Implementing secure sessions is tough, because the PHP session mechanism was clearly never designed for this purpose. The session_start() function is a combination of start/adopt/resume, and you never know what you get:

      a fresh session with a server-generated ID, or
      a fresh session with a user-provided ID that may have been set by an attacker (unless session.use_strict_mode is on), or
      an old session which may contain all kinds of data and also have an ID set by an attacker.

      What I would do is write wrapper functions to clearly distinguish between actually starting a session and resuming an old session. But that's a whole new topic.
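The wrapper functions the post alludes to, as an added example that is not the poster's code: one function that always yields a fresh, server-generated, empty session (for login), and one that only ever resumes a session this application created. The marker key name, the ini settings and the assumption that the site is served over HTTPS are mine; session.use_strict_mode is what stops PHP from adopting an ID the client made up.

```php
<?php
// Added example, not from the original post: explicit start-vs-resume wrappers
// around PHP's session_start(), which by itself is start/adopt/resume in one.
declare(strict_types=1);

// Refuse session IDs the server did not generate. Without this, an attacker who
// can plant a cookie fixes the victim's session ID before the victim logs in.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_secure', '1');   // assumption: the site runs over HTTPS

// marker written only by session_start_fresh(); its absence means "not ours"
const SESSION_MARKER = '__created_at';

/**
 * Starts a brand-new session: new server-generated ID, empty payload.
 * Call this at login, before storing the user's identity.
 */
function session_start_fresh(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Replace whatever ID and data was adopted above. Without the "true" argument
    // the old session stays intact and still holds everything written before.
    session_regenerate_id(true);
    $_SESSION = [SESSION_MARKER => time()];
}

/**
 * Resumes an existing session only. Returns false when the client sent no
 * session cookie, or sent an ID for which no session created by
 * session_start_fresh() exists (strict mode never adopts unknown IDs, so such a
 * request ends up in a fresh, empty session, which is destroyed again here).
 */
function session_resume(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return isset($_SESSION[SESSION_MARKER]);
    }
    if (!isset($_COOKIE[session_name()])) {
        return false;               // no cookie, nothing to resume
    }
    session_start();
    if (!isset($_SESSION[SESSION_MARKER])) {
        session_destroy();          // not a session we created: drop it
        return false;
    }
    return true;
}

// --- usage sketch; assumes a login handler that has already verified the password ---

function login(int $userId): void
{
    session_start_fresh();          // never keep the pre-login session around
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int
{
    if (!session_resume()) {
        return null;
    }
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```

Pages that only read the session call session_resume() and treat false as "anonymous"; only the login code calls session_start_fresh(). That way the three outcomes the post lists collapse into two that the code can tell apart.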
  23. I would start from scratch. Trying to repair the code you currently have will likely take more time than writing a new implementation in modern PHP, and I'm fairly sure you can do better than your predecessor. In a nutshell:

      As gizmola already said, you should use PDO and prepared statements to safely pass values to queries. mysqli is not really recommended, because it's very cumbersome and counter-intuitive.
      Use the Password Hash API instead of MD5. This will apply a specialized hash algorithm (currently bcrypt) which is able to withstand common attacks.
      Make sure to HTML-escape values before you insert them into an HTML context.
      CSRF protection is also important. Store a random token in the session and include that token in every (POST) form as a hidden field. Only accept requests with a valid token.
      Get rid of the custom session handler (yes, it replaces the default handler). Writing a correct implementation is tricky even for experienced programmers, and you don't seem to need it anyway.

      I understand this is a lot to learn, and you may not get it right the first time. But you obviously take the job seriously, and that's the most important part. If you have specific questions, feel free to discuss them here.
  24. As you can clearly see in the session class, this application doesn't use file-based sessions at all. It implements a wonky MySQL session handler, and now something went wrong. What went wrong is impossible to tell from here, because the class does everything to hide this information. But this is by far the smallest problem. The entire code is riddled with security vulnerabilities, defects and plain nonsense. Putting this online is irresponsible and will put your users, your server and everybody within reach at great risk. This is not a joke. Even if you think that the website itself is irrelevant, you will be in trouble as soon as the server gets compromised and spreads malware or attacks websites.
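The points from post #23 wired together in one minimal login page, as an added example that is not the thread's code: PDO with exceptions and prepared statements, password_hash()/password_verify(), HTML-escaping of everything that reaches the markup, and a per-session CSRF token checked on every POST. The users table (id, username, password_hash), the DSN and the credentials are assumptions; in a real application they come from the configuration.

```php
<?php
// Added example, not from the original thread: PDO + Password Hash API +
// HTML escaping + CSRF token in one login form.
declare(strict_types=1);

function html_escape(string $raw_input, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// --- CSRF: one random token per session, sent as a hidden field, checked on POST ---

function csrf_token(): string
{
    if (!isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . html_escape(csrf_token()) . '">';
}

function csrf_check(array $post): bool
{
    // hash_equals() compares in constant time; a plain === leaks timing
    return isset($_SESSION['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// --- database access: exceptions on, real prepares, values never enter the SQL text ---

function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

/** Returns the user id on success, null on unknown user or wrong password. */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // upgrade stored hashes transparently when the default algorithm or cost changes
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// --- request handling (business logic first, markup below) ---

session_start();
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // assumed connection details; take them from the application configuration
    $pdo = connect('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');
    $userId = authenticate($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($userId === null) {
        $error = 'Invalid username or password.';
    } else {
        session_regenerate_id(true);   // new ID and data after privilege change
        $_SESSION['user_id'] = $userId;
    }
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Login</title></head>
<body>
<?php if ($error !== null): ?><p><?= html_escape($error) ?></p><?php endif; ?>
<form method="post" action="">
    <?= csrf_field() ?>
    <label>Username <input name="username"></label>
    <label>Password <input name="password" type="password"></label>
    <button type="submit">Log in</button>
</form>
</body>
</html>
```

The error message is deliberately the same for an unknown user and a wrong password, and the CSRF check runs before anything touches the database, so a forged POST never reaches the query.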
  25. Remember what I said about parsers creating tree structures? You're now dealing with nodes, not text. Google for "php domdocument remove all children". Then create and append the new nodes.