chrisrulez001
Members · Posts: 38 · Days Won: 1
Everything posted by chrisrulez001

  1. Hi, I'm reading from a MySQL database and then looping through the results with PHP. I'm having an issue using a progress bar within the loop: it's showing the progress bar, but it isn't reading the value of the hidden field. The value of the progress bar should be 200 (the value in the hidden field), but it's just not showing. I've uploaded an image of what's happened. Is there something obvious that I'm not seeing?

     PHP:

         <?php
         $List = $this->conn->query("SELECT users.username as Username, challenge.item as Item, SUM(challenge.cost) as Cost FROM users LEFT JOIN challenge ON users.ID = challenge.user_id GROUP BY users.username");
         $List->execute();
         $row = $List->fetchAll(PDO::FETCH_ASSOC);
         echo "<div id=\"Challenge\">";
         foreach($row as $user) {
             echo "<div class=\"ChallengeHeader\">";
             echo $user['Username'];
             echo "<span id=\"ChallengeAction\"><input data-index=\"".$user['Username']."\" type=\"submit\" class=\"ChallengeExpand\" id=\"Expand\" value=\"Expand\" /></span>";
             echo "</div>";
             echo "<div id=\"".$user['Username']."\">";
             echo "<div class=\"ProgressBar\"></div>";
             echo "<input class=\"Value\" type=\"hidden\" value=\"".$user['Cost']."\">";
             echo "</div>";
         }
         echo "</div>";
         ?>

     jQuery:

         $(document).ready(function(){
             $("#Challenge").each(function(){
                 var $div = $(this);
                 var val = $div.find(".Value").val();
                 $div.find(".ProgressBar").progressbar({ max: 600, value : val });
                 if($div.find(".ProgressBar").progressbar("value") <= 500) {
                     $div.find(".ProgressBar").css({ 'background': 'White' });
                     $div.find(".ProgressBar > div").css({ 'background': 'LightGreen' });
                 } else {
                     $div.find(".ProgressBar").css({ 'background': 'White' });
                     $div.find(".ProgressBar > div").css({ 'background': 'Red' });
                 }
             });
         })
  2. Ok, thank you for your informative post Jacques1. I'll have a look at Twig and implementing a Content Security Policy. With regards to htmlspecialchars(), I see from your other post that you use ENT_QUOTES | ENT_SUBSTITUTE; are these the best flags to use?
  3. Hi there, It's been a few months since I've touched PHP. I've read that you only use htmlspecialchars() when outputting data (for example from a database). Is that the correct way of doing it? But to prevent XSS from getting into the database from the form, could you not use preg_match() to whitelist what you can actually enter into the field? Thanks
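Added example (editor's code, not from chrisrulez001's posts 2 and 3 above): output-time escaping with ENT_QUOTES | ENT_SUBSTITUTE beside an input-side preg_match() whitelist, showing why the two do different jobs. The e() and isValidUsername() helpers and the sample strings are constructed for the demonstration.

```php
<?php
// Added example, not from the forum posts: escape at output, whitelist at input.

// Escape a value for an HTML element body or attribute.
// ENT_QUOTES also converts ' (needed for single-quoted attributes);
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input-side whitelist for a field whose format is known (here a username).
// It limits what gets stored but cannot replace escaping: other fields
// (free text, email) have no such pattern, and stored data may come from
// somewhere other than this form.
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1;
}

// Constructed inputs: one with quotes and angle brackets, one that is valid,
// one with a truncated multi-byte UTF-8 sequence.
$samples = ["O'Brien \"Bob\" <admin>", "bob_42", "caf\xC3"];

foreach ($samples as $s) {
    // ENT_COMPAT (the default before PHP 8.1) leaves ' untouched and returns
    // an empty string for invalid UTF-8, so the value silently disappears.
    $compat = htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
    printf("ENT_COMPAT: %s\n", var_export($compat, true));
    printf("escaped:    <input value='%s'>\n", e($s));
    printf("whitelist:  %s\n\n", isValidUsername($s) ? 'accepted' : 'rejected');
}
```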
  4. Thank you very much for helping me out with this. I'll probably use the ->query() method to run this query. EDIT: As I need to pass values to the query, I would probably be best off setting PDO prepared queries to emulated, as suggested. EDIT 2: Just tried this with what was suggested above and it works. Thanks again
  5. Thanks for your reply. I'm connecting to the database at the moment through the root account, although that probably explains why it isn't creating events. The PDO connection is set to throw any exceptions, but I'm not catching any exceptions for this query through a try/catch; I'll try that. PHP's error reporting is set to E_ALL. Edit: I tried creating a new user with global privileges and re-ran the query; unfortunately this hasn't worked. I also tried a try/catch on the query: no exceptions are thrown, and PHP doesn't report any errors either.
  6. Hi there, I'm trying to create a MySQL event using the built-in MySQL event scheduler, so that in an hour the user's account can be automatically unlocked. The following is the query I'm trying to run:

         CREATE EVENT update_locked
         ON SCHEDULE AT CURRENT_TIMESTAMP + INTERVAL 1 HOUR
         DO UPDATE `check_locked` SET `is_locked` = :locked WHERE `check_locked`.`username` = :username;

     Now if I take out the :username and replace it with a valid user from the database, for example 'admin', and also replace the :locked with 0, the query runs fine from phpMyAdmin and the event is created. But when I run the query from PHP I get no errors and the query supposedly runs, but when I check the events table in the MySQL database. Here is the code I'm trying to run in a function:

         protected function Lock_Account($username) {
             //Reset the login attempts to 0
             $this->Reset_Login_Attempts($username);
             //Lock the users account
             //Use prepared query
             $Lock = $this->db->prepare("UPDATE check_locked SET is_locked=:locked WHERE username=:username");
             //Bind values to prepared query
             //Execute the lock user prepared query
             $Lock->execute(array(":locked" => 1, ":username" => $username));
             //Create event to unlock the users account after an hour
             //Use prepared query
             $Lock_Event = $this->db->prepare("CREATE EVENT update_locked ON SCHEDULE AT CURRENT_TIMESTAMP + INTERVAL 1 HOUR DO UPDATE `check_locked` SET `is_locked` = :locked WHERE `check_locked`.`username` = :username;");
             //Bind values to prepared query and execute the set the lock event prepared query
             $Lock_Event->execute(array(":locked" => 0, ":username" => $username));
         }

     I've tried just running the query from PHP with the :locked replaced with 0 and :username replaced with 'admin'; that didn't create the event. Thanks in advance.
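Added example (editor's code, not chrisrulez001's Lock_Account()): the lock-and-schedule-unlock step from posts 4 to 6, with PDO switched to emulated prepares only for the CREATE EVENT statement, which is what the thread found works. The per-user event name derived from a hash, and the $pdo connection with ERRMODE_EXCEPTION and native prepares, are assumptions; the check_locked(username, is_locked) table is the post's.

```php
<?php
// Added example, not from the forum posts: lock an account now and let a
// MySQL event unlock it an hour later.

function lockAccountForAnHour(PDO $pdo, string $username): void
{
    // Ordinary data statements keep native (server-side) prepares.
    $lock = $pdo->prepare('UPDATE check_locked SET is_locked = 1 WHERE username = :username');
    $lock->execute([':username' => $username]);

    // Event names are identifiers, not data, so they cannot be bound. Derive
    // one from a hash of the username: hex characters only, fixed length, and
    // one event per user, so locking a second account within the same hour
    // does not collide with an event that still exists. (Assumed naming.)
    $eventName = 'unlock_' . substr(hash('sha256', $username), 0, 32);

    // Emulated prepares make PDO quote :username client side and send a plain
    // CREATE EVENT, which the server accepts; restore native prepares after.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
    try {
        $pdo->exec("DROP EVENT IF EXISTS `$eventName`");
        $create = $pdo->prepare(
            "CREATE EVENT `$eventName`
             ON SCHEDULE AT CURRENT_TIMESTAMP + INTERVAL 1 HOUR
             DO UPDATE check_locked SET is_locked = 0 WHERE username = :username"
        );
        $create->execute([':username' => $username]);
    } finally {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
}

// Usage; DSN and credentials are constructed placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'app_user', 'placeholder-secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
lockAccountForAnHour($pdo, 'admin');
```

The MySQL account needs the EVENT privilege on the schema and the server's event_scheduler must be ON, otherwise the event is created but never fires.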
  9. You usually start the connection in connect.php and then include it on the pages that you are connecting to the database. From line 2 to line 12 would be classed as the database connection. However the connection process is different if you are using mysqli. Did you manage to connect to phpMyAdmin from the members area using the username and password you added to the code? Edit: Sorry hadn't noticed you'd managed to fix the problem
  10. Can you login to phpMyAdmin using the same username and password? If you can login, then I think maybe you need to double check the hostname.
  11. I'm not familiar with 000webhost, but I think they use phpMyAdmin to manage the databases? When you log in to phpMyAdmin you use a specific username and password; you need to put the username in the username variable and the password in the password variable. mysqli is actual PHP code that is used to connect to the database (which, for example, phpMyAdmin manages). Take a look at this tutorial: http://codular.com/php-mysqli Edit: Take a look at this in 000webhost's FAQ: http://www.000webhost.com/faq.php?ID=25
  12. You're welcome. The error message is saying that you are trying to log in to your MySQL server without a password and is giving you an access denied message. I see at the top of the code are these variables: $username="root"; //mysql username default is root. $password=""; //blank if no password is set for mysql. Is root the username and is the password blank for logging into your MySQL server? Also, what are you using for a MySQL server? I should also point out that the mysql_* functions are now deprecated; you should be using mysqli or PDO.
  13. Hi there, After testing this code, and also taking into account what sKunKbad has said, I think I might have found your problems. You have capital letters that should probably be lower-case on a few lines, and you are missing the semicolon at the end of line 15:
      • Line 15 should probably be include, not Include.
      • Line 15 is missing ; at the end of the line.
      • Lines 17, 19 and 27: If should probably be if.
      • Lines 21, 29 and 33 should probably be echo, not Echo.
      • Lines 23 and 31 should probably be else, not Else.
      These changes should be made in conjunction with the suggestion that sKunKbad has made. Hope this helps.
  14. Thanks very much for your help. Everything you suggested is in place and fixed.
  15. Thank you very much for all the excellent information. I'll get straight onto fixing the issues in the code. Just one quick question: how do you check that it takes one second to complete the hash? I had a look at the link you sent about bcrypt and it doesn't mention checking how long it takes.
  16. Thanks to you both for your replies. In response to your question, I was just wondering if this was a secure way of doing things. But it probably will be after I implement the suggestions made by Jacques. But thanks for your suggestion about running it every so often. Would 10 minutes be a reasonable time? I will certainly implement all that everyone has said. The purpose of the logged_in_users table is basically a log of which users are logged on. The purpose of the unique key is to check that it is the user using that session id; I read what you said in the other thread about session hijacking and thought it might add another layer of security. Thanks for the suggestion about the global $db. I don't know what I was thinking when I added the "cannot connect to the db" error. The password hash is running through hash_hmac and is sha512, and the salt is a random string about 50 characters in length. But I will look into crypt definitely. It does make life easier. Just a quick question about bcrypt: it mentions cost, does this mean how long it takes to generate a hash? Thanks again to you both and hope this helps elaborate on a few items.
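Added example (editor's code, not from chrisrulez001's posts 15 and 16): measuring how long a bcrypt hash takes at a given cost, and picking the highest cost that stays within a one-second budget. The probe password and the findBcryptCost() search bounds are constructed.

```php
<?php
// Added example, not from the forum posts: choosing a bcrypt cost by timing.
// The cost is the base-2 log of bcrypt's key-setup iterations, so raising it
// by one doubles the time a hash takes; the answer to "does it take a second?"
// is to measure it on the machine that will run the logins.

// Time one hash at the given cost. The password is a constructed constant;
// bcrypt's running time does not depend on the password's value.
function timeHash(int $cost): float
{
    $start = microtime(true);
    password_hash('timing-probe-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Highest cost (within the bounds) whose single hash still completes
// within $targetSeconds.
function findBcryptCost(float $targetSeconds, int $minCost = 10, int $maxCost = 16): int
{
    $cost = $minCost;
    while ($cost < $maxCost && timeHash($cost + 1) < $targetSeconds) {
        $cost++;
    }
    return $cost;
}

$cost = findBcryptCost(1.0);
printf("cost %d: one hash takes %.3f s here\n", $cost, timeHash($cost));

// The cost is stored inside the hash string ($2y$<cost>$...), so verification
// needs no setting, and hashes made with an older, lower cost can be found
// with password_needs_rehash() and upgraded at the user's next login.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => $cost]);
var_dump(password_verify('correct horse battery staple', $hash));
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost + 1]));
```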
  17. Update to code (fixed some bugs). Reason for edit: I retested the code and found some bugs; I was unable to edit the first post, so I've replied in a second post with the updated code.

         function Login($username, $password) {
             try {
                 $db = new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME.";charset=utf8", DB_USERNAME, DB_PASSWORD);
                 $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                 $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
             } catch(PDOException $ex) {
                 echo "Unable to connect to DB";
                 error_log($ex->getMessage());
             }
             try {
                 $User_Info = $db->prepare("SELECT * FROM users WHERE username=:username");
                 $User_Info->bindValue(":username", $username, PDO::PARAM_STR);
                 $User_Info->execute();
                 $Info = $User_Info->fetch();
                 $salt = $Info['salt'];
                 $password = $salt . $password;
                 $password = $this->CreateHash($password);
                 $unique_key = $this->GenerateRandom();
                 $unique_key = $this->CreateHash($unique_key);
                 $Check_User = $db->prepare("SELECT * FROM users WHERE username=:username AND password=:password");
                 $Check_User->bindValue(":username", $username, PDO::PARAM_STR);
                 $Check_User->bindValue(":password", $password, PDO::PARAM_STR);
                 $Check_User->execute();
                 if($Check_User->rowCount() > 0) {
                     while($row = $Check_User->fetch()) {
                         session_start();
                         $_SESSION = array();
                         session_regenerate_id(true);
                         $_SESSION['username'] = $row['username'];
                         $session_id = session_id();
                         $_SESSION['unique_key'] = $unique_key;
                         $user_id = $row['id'];
                         $_SESSION['user_id'] = $user_id;
                         $Check_Logged_In = $db->prepare("DELETE FROM logged_in_users WHERE user_id=:user_id");
                         $Check_Logged_In->bindValue(":user_id", $user_id, PDO::PARAM_STR);
                         $Check_Logged_In->execute();
                         $has_changed = $Check_Logged_In->rowCount();
                         $Logged_In = $db->prepare("INSERT INTO logged_in_users (id, user_id, session_id, unique_key) VALUES (NULL, :user_id, :session_id, :unique_key)");
                         $Logged_In->bindValue(":user_id", $user_id, PDO::PARAM_STR);
                         $Logged_In->bindValue(":session_id", $session_id, PDO::PARAM_STR);
                         $Logged_In->bindValue(":unique_key", $unique_key, PDO::PARAM_STR);
                         $Logged_In->execute();
                         $affected_rows = $Logged_In->rowCount();
                         if($affected_rows > 0) {
                             return true;
                         }
                         return false;
                     }
                 }
                 return false;
             } catch(PDOException $ex) {
                 echo "Unable to complete query";
                 error_log($ex->getMessage());
             }
         }

  18. Hi there, I've been searching the internet for the best way to check if the user has been logged in. Some code has security breaches, so I'm not sure where to start. Here's what I've come up with: the user logs in and is checked as to whether he/she is a valid user; if not, return false, and if true, carry on and create the session. I read the post that Jacques1 made about session feedback and implemented what he said. After that the session variables are assigned, and then the user id, session_id and a unique identifier to check against on each page load are inserted into a database, and then the user is logged in. Here's my code (please note this is in a class and only shows the login function):

         function Login($username, $password) {
             try {
                 $db = new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME.";charset=utf8", DB_USERNAME, DB_PASSWORD);
                 $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                 $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
             } catch(PDOException $ex) {
                 echo "Unable to connect to DB";
                 error_log($ex->getMessage());
             }
             try {
                 $User_Info = $db->prepare("SELECT * FROM users WHERE username=:username");
                 $User_Info->bindValue(":username", $username, PDO::PARAM_STR);
                 $User_Info->execute();
                 $Info = $User_Info->fetchAll(PDO::FETCH_ASSOC);
                 $salt = $Info['salt'];
                 $password = $salt . $password;
                 $password = $this->CreateHash($password);
                 $unique_key = $this->GenerateRandom();
                 $unique_key = $this->CreateHash($unique_key);
                 $Check_User = $db->prepare("SELECT * FROM users WHERE username=:username AND password=:password");
                 $Check_User->bindValue(":username", $username, PDO::PARAM_STR);
                 $Check_User->bindValue(":password", $password, PDO::PARAM_STR);
                 $Check_User->execute();
                 if($Check_User->rowCount() > 0) {
                     while($row = $Check_User->fetchAll(PDO::FETCH_ASSOC)) {
                         session_destroy();
                         session_start();
                         $_SESSION = array();
                         session_regenerate_id(true);
                         $_SESSION['username'] = $row['username'];
                         $session_id = session_id();
                         $user_id = $row['id'];
                         $Check_Logged_In = $db->prepare("DELETE FROM logged_in_users WHERE user_id=:userid");
                         $Check_Logged_In->bindValue(":user_id", $user_id, PDO::PARAM_STR);
                         $Check_Logged_In->execute();
                         $has_changed = $Check_Logged_In->rowCount();
                         if($has_changed > 0) {
                             $Logged_In = $db->prepare("INSERT INTO logged_in_users (id, user_id, session_id, unique_key) VALUES (NULL, :user_id, :session_id, :unique_key)");
                             $Logged_In->bindValue(":user_id", $user_id, PDO::PARAM_STR);
                             $Logged_In->bindValue(":session_id", $session_id, PDO::PARAM_STR);
                             $Logged_In->bindValue(":unique_key", $unique_key, PDO::PARAM_STR);
                             $Logged_In->execute();
                             $affected_rows = $Logged_In->rowCount();
                             if($affected_rows > 0) {
                                 return true;
                             }
                         }
                         return false;
                     }
                 }
                 return false;
             } catch(PDOException $ex) {
                 echo "Unable to complete query";
                 error_log($ex->getMessage());
             }
         }

      Thanks
  19. You could move the variable declaration after the first include. That way only b.php can access the variable.
  20. Ok, thank you for your time. I've had a look at bitwise and I can't seem to get my head around it, so I'm possibly going to create a permissions table and keep it at that. Thanks for your help, and thank you to the other people who have participated.
  21. Is there a security risk with doing it the way I have been? I suppose if the table was injected you could see all the permissions, but with doing it the way you're saying, by referencing the ID of the permission in the users table rather than the actual permission. So would this be a better solution?
      Permission table: permissionID, permissionName
      User table: username, password, permissions (random key), rest of columns...
      Information table: ID (random key for the specific user, which matches the random key in the user table), permission_list (store the list of permissions here in bitwise)
      Then possibly do a foreach to grab the permission and whether the permission has been granted?
  22. For example, these privileges: "create_user, edit_user, delete_user". When they are needed, they are exploded, and then, say, if the user tries to create a user, it's checked against the exploded string.
  23. Ok, thank you for your time to post the suggestion. I have been working on an idea. I have a list of privileges stored in the code, and I have a table where all the users' information is, and then a privileges column; the privileges that the user can exercise are grouped together in that column and are loaded when the user is logged in.
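Added example (editor's code, not from chrisrulez001's posts 20 to 23): the three privileges from post 22 as bit flags stored in a single integer, with grant, revoke and check operations, beside a converter from the post's comma-separated string format. The constant names and the sample user row are constructed.

```php
<?php
// Added example, not from the forum posts: privileges as bit flags.

// Each privilege owns one bit: 1, 2, 4, ... so any combination is one integer.
const PERM_CREATE_USER = 1 << 0;
const PERM_EDIT_USER   = 1 << 1;
const PERM_DELETE_USER = 1 << 2;

const PERM_NAMES = [
    'create_user' => PERM_CREATE_USER,
    'edit_user'   => PERM_EDIT_USER,
    'delete_user' => PERM_DELETE_USER,
];

// True only when every bit of $required is set in $mask.
function hasPermission(int $mask, int $required): bool
{
    return ($mask & $required) === $required;
}

function grant(int $mask, int $perm): int  { return $mask | $perm; }
function revoke(int $mask, int $perm): int { return $mask & ~$perm; }

// Convert the post's "create_user, edit_user" column format to a mask.
// Unknown names map to 0, so a typo in the column cannot grant anything.
function maskFromList(string $list): int
{
    $mask = 0;
    foreach (array_map('trim', explode(',', $list)) as $name) {
        $mask |= PERM_NAMES[$name] ?? 0;
    }
    return $mask;
}

// Back to names, for display or for writing the string column.
function listFromMask(int $mask): array
{
    return array_keys(array_filter(PERM_NAMES, fn($bit) => hasPermission($mask, $bit)));
}

// Constructed user row in the post's string format.
$mask = maskFromList('create_user, edit_user');
var_dump(hasPermission($mask, PERM_EDIT_USER));
var_dump(hasPermission($mask, PERM_DELETE_USER));
$mask = grant($mask, PERM_DELETE_USER);
$mask = revoke($mask, PERM_CREATE_USER);
print_r(listFromMask($mask));
```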
  24. Hi there, On the login form I have changed the type of the password input box from text to password; this hides the password when the user types it.

      Login Form:

          <form class="form-signin" role="form" id="form1" method="post" action="log.php">
              <h2 class="form-signin-heading text-center bluetxt">Sign In</h2>
              <input type="text" id="email1" class="form-control" name="email1" placeholder="Email address" autofocus <?php if(isset($_COOKIE['username'])) { echo " value=\"".$_COOKIE['username']."\""; } ?> /><br />
              <input type="password" id="pwd1" class="form-control" name="pwd1" placeholder="Password" value=""/><br/>
              <label class="checkbox">
                  <input type="checkbox" value="remember" name="remember" <?php if(isset($_COOKIE['remember'])) { if($_COOKIE['remember'] == "remember") { echo " checked=\"checked\""; } } ?>> Remember me
              </label>
              <input type="submit" value="Login" onclick="ValidationLog()" style="color:#FFF;" class="btn btn-lg btn-primary btn-block"/>
          </form>

      PHP Code:

          <?php
          $mail = $_POST['email1'];
          $pwd = $_POST['pwd1'];
          $remember = $_POST['remember'];
          $con = mysql_connect("localhost","root","");
          if(!$con) {
              die('Could not connect:'.mysql_error());
          }
          mysql_select_db("biz",$con);
          if((($mail)&&($pwd))=="") {
              header( 'Location: index.php' );
          } else {
              $result = mysql_query("SELECT mail,pw FROM reg WHERE mail = '$mail' AND pw = '$pwd'");
              $num_rows = mysql_num_rows($result);
              mysql_close($con);
              if($num_rows == 0) {
              } else {
                  header( 'Location: user/' );
                  if($remember == "remember") {
                      setcookie("remember", $remember, time()+3600);
                      setcookie("username", $mail, time()+3600);
                  }
              }
          }
          ?>

      I know you asked for the login form to remember the password for 1 hour; this is not really recommended if the user uses a shared computer, as anyone with physical access to the computer can access the user's account. Also, in the PHP code you might want to hash or salt the user's password to protect it in the database. This link might help on password hashing: http://php.net/manual/en/faq.passwords.php You might want to add some SQL injection prevention (maybe use mysql_real_escape_string()). This link might help on SQL injection: http://php.net/manual/en/security.database.sql-injection.php Hope this helps.
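Added example (editor's code, not chrisrulez001's): a version of the login above that serves both the Login() function in posts 17 and 18 and the mysql_* login in post 24, using a prepared statement, password_verify() and session_regenerate_id(). The reg(mail, pw) table holding password_hash() values and the already-opened $pdo (ERRMODE_EXCEPTION) are assumptions; the field names and redirects are the post's.

```php
<?php
// Added example, not from the forum posts: the post's login with a prepared
// statement, password_verify() and a regenerated session id.
// Assumes reg(mail, pw) with pw = password_hash() output, and a $pdo opened
// elsewhere with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.

function login(PDO $pdo, string $mail, string $password): bool
{
    // The address is sent as a bound parameter, separate from the SQL text,
    // so no input can change the query the way the interpolated string could.
    $stmt = $pdo->prepare('SELECT pw FROM reg WHERE mail = :mail');
    $stmt->execute([':mail' => $mail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown address: still run one verify against a constructed hash so the
    // response time does not reveal which addresses are registered.
    $hash = $row ? $row['pw'] : password_hash('constructed-dummy-password', PASSWORD_BCRYPT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }

    // Fresh session id once authenticated, as the thread's Login() also does.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION = ['mail' => $mail, 'logged_in_at' => time()];
    return true;
}

// Request handling, keeping the post's field names and redirects.
$mail = $_POST['email1'] ?? '';
$pwd  = $_POST['pwd1'] ?? '';
if ($mail === '' || $pwd === '') {
    header('Location: index.php');
    exit;
}
if (login($pdo, $mail, $pwd)) {
    // "Remember me" keeps only the address, never the password. The cookie is
    // HttpOnly and Secure (so it is only sent over HTTPS).
    if (($_POST['remember'] ?? '') === 'remember') {
        setcookie('username', $mail, time() + 3600, '/', '', true, true);
    }
    header('Location: user/');
    exit;
}
header('Location: index.php');
exit;
```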