paddy_fields

Everything posted by paddy_fields

  1. Hi, I've written the function below to check the permissions of a user based on the table structure of....

         staff
             staff_roles_id (foreign)
         staff_roles
             id
             roleName
         staff_roles_permissions
             staff_roles_id (foreign)
             staff_permissions_id (foreign)
         staff_permissions
             id
             permissionName

         function checkPerm($permission) {
             global $db;
             $user = $_SESSION['userid'];
             // join staff -> role -> role/permission link -> permission, then look for a matching row
             if (!($stmt = $db->prepare("SELECT * FROM staff
                 LEFT JOIN staff_roles ON staff.staff_roles_id = staff_roles.id
                 LEFT JOIN staff_roles_permissions ON staff_roles.id = staff_roles_permissions.staff_roles_id
                 LEFT JOIN staff_permissions ON staff_roles_permissions.staff_permissions_id = staff_permissions.id
                 WHERE staff.id = ? AND staff_permissions.permissionName = ?"))) {
                 echo $db->error;
                 exit;
             }
             $stmt->bind_param('is', $user, $permission);
             if (!$stmt->execute()) {
                 echo $db->error;
                 exit;
             }
             $stmt->store_result();
             $authenticate = $stmt->num_rows;
             $stmt->close();
             return $authenticate;
         }

     So for example if I then had the permission of 'adminAccess', I would use the code below to check access, referring to the 'staff_permissions' table

         if (checkPerm('adminAccess')) {
             echo 'you are authorised';
             exit;
         } else {
             echo 'you are not authorised';
             exit;
         }

     This works, but is this the correct way to be going about access for group based permissions or am I missing a glaring security vulnerability here? If this is suitable then I intend to turn it into a class, and add checkRole() which would just check the user against the 'staff_roles' table. This would then be called by $security->checkRole('example'); $security->checkPermission('example'). Would that be a good idea? Any advice would be great - I'm not great with functions (and just starting to learn classes!) Cheers.
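     The class that post 1 proposes, written out as an added example (not paddy_fields' code). It assumes a mysqli connection and the tables named in the post; each query is prepared once and reused, and any database error is treated as "not authorised" instead of echoing the error and exiting.

```php
<?php
// Added example, not paddy_fields' code: checkPerm() reworked as the class the post proposes.
// Assumes a mysqli connection and the post's tables. Each statement is prepared once and
// reused; any database error means "not authorised" rather than an echo and exit.
class Security {
    private mysqli $db;
    private int $userId;
    private ?mysqli_stmt $permStmt = null;
    private ?mysqli_stmt $roleStmt = null;

    public function __construct(mysqli $db, int $userId) {
        $this->db = $db;
        $this->userId = $userId;   // caller passes $_SESSION['userid']; no global $db needed
    }

    public function checkPermission(string $permission): bool {
        $this->permStmt ??= ($this->db->prepare(
            "SELECT COUNT(*) FROM staff
             JOIN staff_roles ON staff.staff_roles_id = staff_roles.id
             JOIN staff_roles_permissions ON staff_roles.id = staff_roles_permissions.staff_roles_id
             JOIN staff_permissions ON staff_roles_permissions.staff_permissions_id = staff_permissions.id
             WHERE staff.id = ? AND staff_permissions.permissionName = ?") ?: null);
        return $this->hasRow($this->permStmt, $permission);
    }

    public function checkRole(string $role): bool {
        $this->roleStmt ??= ($this->db->prepare(
            "SELECT COUNT(*) FROM staff
             JOIN staff_roles ON staff.staff_roles_id = staff_roles.id
             WHERE staff.id = ? AND staff_roles.roleName = ?") ?: null);
        return $this->hasRow($this->roleStmt, $role);
    }

    // True only when the statement prepared, executed and found at least one row.
    private function hasRow(?mysqli_stmt $stmt, string $name): bool {
        if ($stmt === null) {
            return false;                  // prepare failed: deny by default
        }
        $stmt->bind_param('is', $this->userId, $name);
        if (!$stmt->execute()) {
            return false;                  // execute failed: deny by default
        }
        $stmt->bind_result($count);
        $stmt->fetch();
        $stmt->free_result();              // keep the statement reusable for the next call
        return $count > 0;
    }
}
```

     Usage follows the post's own sketch: $security = new Security($db, $_SESSION['userid']); then $security->checkPermission('adminAccess') or $security->checkRole('example').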
  2. I can't quite grasp what you're asking from your grammar, but you can block bots from your website using .htaccess There is a tutorial here: http://www.thesitewizard.com/apache/block-bots-with-htaccess.shtml
  3. Your syntax is wrong on the if statement, you have an opening bracket before the strpos when it isn't needed;

         $sectionname = 'Belts';
         $productname = 'This is a belt';
         if ($sectionname == 'Belts' && strpos($productname, 'belt') !== false) {
             echo "Section Name: $sectionname, ";
             echo "Product Name: $productname";
         }

     P.S. Wrap your code when you post using the forum posting tools, it's much easier to read.
  4. If you're not using 'check' in the form, then there's no need for the foreach in the PHP as it has no purpose;

         <?php
         if (isset($_POST['submit'])) {
             $to = "admin@designcarlossimao.com";
             $subject = "Novo Site";
             $name_field = $_POST['name'];
             $email_field = $_POST['email'];
             $message = $_POST['message'];
             $option = $_POST['radio'];
             $dropdown = $_POST['drop_down'];
             $body = "From: $name_field\n E-Mail: $email_field\n Option: $option\n Drop-Down: $dropdown\n Message:\n $message\n";
             echo "Data has been submitted to $to!";
             mail($to, $subject, $body);
         } else {
             echo "blarg!";
         }
         ?>
  5. On a side note, you should really look at using PHPMailer for sending emails in PHP. https://github.com/PHPMailer/PHPMailer
  6. Thanks, I've learnt a lot from this! Particularly interesting about the prepared statements only needing to be prepared once, I can go back and edit quite a lot of my code to cater for that. Cheers all round!
  7. Thanks guys, much appreciated. I think I've incorporated all of the comments?

         if ($_FILES['csv']['size'] > 0) {
             //get the csv file
             $file = $_FILES['csv']['tmp_name'];
             $handle = fopen($file, "r");
             //set the row counter
             $csv_row = 0;
             $error_report = array();
             $success = FALSE;
             //prepared statement - prepared once, executed once per row
             $stmt = $db->prepare("INSERT INTO test (firstName,lastName,email) VALUES (?,?,?)");
             $stmt->bind_param('sss', $firstName, $lastName, $email);
             //loop through the csv file and insert into database
             while ($data = fgetcsv($handle)) {
                 //add 1 to the row counter
                 $csv_row++;
                 //assign the variables
                 $firstName = $data[0];
                 $lastName = $data[1];
                 $email = $data[2];
                 //clear errors
                 $errors = '';
                 //validate the inputs - set $errors as TRUE if any fail
                 if (!ctype_alpha($firstName)) {
                     $errors = TRUE;
                 }
                 if (!ctype_alpha($lastName)) {
                     $errors = TRUE;
                 }
                 if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                     $errors = TRUE;
                 }
                 //check whether there were any errors in the validation
                 if (!$errors) {
                     //insert into database
                     $stmt->execute();
                 }
                 //there was an error, store the affected row number in the error array
                 else {
                     $error_report[] = "There was an error on row $csv_row";
                 } //end error check
             } //end single row import
             //close the statement and the file
             $stmt->close();
             fclose($handle);
             if ($csv_row > 0) {
                 $success = TRUE;
             }
         } // end csv import
  8. I've written the script below to import a csv file into the database. I've tried to make this as secure as possible by sanitizing and validating the data, but is there anything else I could do to improve it? I'm happy with the way it works so far. All I can think to add is a MIME check via php but I can't find a way to check whether it's specifically a csv file (other than just checking the extension but that's not secure)

         <?php
         if ($_FILES['csv']['size'] > 0) {
             //get the csv file
             $file = $_FILES['csv']['tmp_name'];
             $handle = fopen($file, "r");
             //set the row counter
             $csv_row = 0;
             //loop through the csv file and insert into database
             while ($data = fgetcsv($handle)) {
                 // start the import
                 if ($data[0]) {
                     //add 1 to the row counter
                     $csv_row++;
                     //clear errors
                     $errors = '';
                     //sanitize the inputs
                     $firstName = addslashes($data[0]);
                     $lastName = addslashes($data[1]);
                     $email = addslashes($data[2]);
                     //validate the inputs - set $errors as 'YES' if any fail
                     if (!ctype_alpha($firstName)) {
                         $errors = 'YES';
                     }
                     if (!ctype_alpha($lastName)) {
                         $errors = 'YES';
                     }
                     if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                         $errors = 'YES';
                     }
                     //check whether there were any errors in the validation
                     if ($errors !== 'YES') {
                         //insert into database
                         $stmt = $db->prepare("INSERT INTO test (firstName,lastName,email) VALUES (?,?,?)");
                         $stmt->bind_param('sss', $firstName, $lastName, $email);
                         $stmt->execute();
                     }
                     //there was an error, store the affected row number in the error array
                     else {
                         $error_report[] = "There was an error on row $csv_row";
                     } //end error check
                 } //end single row import
             }
             fclose($handle);
             if ($csv_row > 0) {
                 $success = 'YES';
             }
         } // end csv import
         ?>
  9. They are logical operators: http://www.php.net//manual/en/language.operators.logical.php && = AND || = OR So I assume that the script isn't working in the way you intend if '&&' is failing. At present your script is only matching either $sectionname or $productname, but not both. Echo what you have in $sectionname and $productname to check
  10. Thank you for the explanation, I'll look into the diff method of patches it seems quite interesting! I think you may be right about what the hosting company was referring to - I'll call them to clarify. Cheers
  11. Just ask them to provide an email address, then automatically generate an email to that address with a unique download link which will only work once (use a token in the URL). Insert the email address into your database, and check whether that email address has been previously used before sending the email. If it has been used already, alert the user.
  12. Just to play devil's advocate here, but if you don't provide feedback to the user if an unregistered email address is entered, then there is the chance they could slightly misspell their own email address and be none the wiser. They will then be waiting indefinitely for their email to arrive (you'd assume they'd try again after a while, but still) I completely understand the privacy issue, but I think the level of importance may be down to what sort of industry the site you're making falls into? I did some random testing on large well-known sites, such as Outlook, and eBay, and they provide feedback when an unregistered email address is entered.
  13. I know this is a very simple and probably stupid question - but what is a patch? I've tried searching online for an explanation but I just find articles on the 'best practice' and it doesn't break it down into what it actually is! I've just been looking into new hosting and they offer a managed service, which includes database patching. Could someone please enlighten me?
  14. Ah, I see. I've majorly overcomplicated things. The reason I was sending the userid is because I needed to find the salt associated with that particular id - as the token in the link needed to be hashed with it, and then compared to the hashed token in the database. Without the salt I see I can just hash the token that is on the link and then compare that directly to the database. Thanks, I'll give it another go. P.S. cheers for the other advice too, I'll incorporate them both
  15. Cool, thank you. I'm glad it's on the right track. I just thought I'd check in case there was a glaring security hole. I'm going to add a timestamp for each record too (which I almost forgot!). Cheers.
  16. Hello I've recently been made aware that I need to hash the token I use when allowing users to reset their password. I have a working solution but I'm hoping someone could let me know if this is an adequate way of doing it;

     1. User enters their email, I check whether they're actually a member and then...
        • create a passcode (1)
        • create a salt (2)
        • hash them together to create a passcode_hash (3)
        • insert the (2) and (3) into the database
        • send an email to the user with a link using (1) and the userid in the address
     2. When the link is followed...
        • $_GET the userid and lookup the salt and passcode_hash for that id
        • hash together the passcode in the URL with the salt, and compare that to passcode_hash
        • if that is successful then allow an update of the password (show the update form)
     3. The password update form is sent along with two hidden fields (the passcode and userid from the URL)
        • On the form processing script I perform the same check as on Step 2 to check the passcode and user id have not been messed with
        • Update the password and delete the passcode

     Hopefully that makes sense... is that correct? Here is my code that compares the passcode with the passcode_hash....

         // get the passcode and email from URL (I will sanitize these)
         $passcode = $_GET['passcode'];
         $member_id = $_GET['uid'];
         // find the salt associated with the userid
         $stmt = $db->prepare("SELECT passcode,salt FROM members_verify WHERE members_id = ?");
         $stmt->bind_param('i', $member_id);
         $stmt->execute();
         $stmt->bind_result($db_passcode, $salt);
         $stmt->fetch();
         $stmt->close();
         // Create salted password
         $passcode_hash = hash('sha512', $passcode . $salt);
         if ($passcode_hash === $db_passcode) {
             $allowUpdate = 'yes';
         }

     Any advice would be great
  17. You have opening PHP tags in there for some reason. Change;

         mail($mailto, $subject, $messageproper, "From: \"$name\" <$email>\nReply-To: \"$name\" <$email>\nX-Mailer: chfeedback.php 2.03");
         header("Location: $thankyouurl");
         exit;

     to something like this;

         $headers = "From: $email" . "\r\n" .
                    "Reply-To: $email" . "\r\n" .
                    'X-Mailer: chfeedback.php 2.03';
         mail($mailto, $subject, $messageproper, $headers);
         header("Location: $thankyouurl");
         exit;
  18. Jacques1, my site with tokens hasn't gone live yet... thankfully... as I completely forgot to hash the token! Lifesaver!
  19. You haven't incorporated either of our comments into your solution. As Jacques says, hashing the username is pointless - you only need to hash the password. As I said previously but in more detail....

     1.a - Add a column in your token table to store a timestamp of when the token was requested
     1.b - At this point a new row will be inserted into the token table, along with the new token, user id, and current timestamp
     1.c - An email will be sent to the user with the token link
     2.a - The link is followed, compare the token to the database and see if they match
     2.b - Find the current date and time
     2.c - Compare this to the timestamp in the row, and if it meets your criteria (i.e. 24 hours) allow them to update the password
  20. Add a column in your token table to store a timestamp of when the token was requested. Then when the token is used just compare the current date and time to that of the timestamp in the token table. You can then use a conditional statement to see if the condition - say less than 24 hours - has been met. Otherwise throw an error
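     The reset flow as it ends up after posts 14, 16, 19 and 20 (hashed token, no salt, request timestamp, 24-hour limit), written out as an added example; this is not paddy_fields' or Jacques1's code. It assumes a mysqli connection and a table members_verify(members_id PRIMARY KEY, token_hash, requested_at DATETIME); those column names are assumptions.

```php
<?php
// Added example, not code from the thread: the reset flow as revised in the discussion.
// Only a hash of the token is stored (no salt: the token itself is random), a request
// timestamp is kept, and the link carries the token alone. Assumes a mysqli connection and
// a table members_verify(members_id PRIMARY KEY, token_hash, requested_at DATETIME) (assumed names).
const TOKEN_TTL_SECONDS = 24 * 60 * 60;   // 24 hours, the criterion mentioned in the thread

// Step 1: create a token for a member; return the raw token for the email link.
function createResetToken(mysqli $db, int $memberId): string {
    $token = bin2hex(random_bytes(32));           // 64 hex characters, unguessable
    $hash  = hash('sha256', $token);              // this is all the database ever sees
    $stmt  = $db->prepare("REPLACE INTO members_verify (members_id, token_hash, requested_at)
                           VALUES (?, ?, NOW())");   // REPLACE drops any older token for this member
    $stmt->bind_param('is', $memberId, $hash);
    $stmt->execute();
    $stmt->close();
    return $token;   // goes into the link, e.g. reset.php?token=... ; no user id in the URL
}

// Step 2: look the token up by its hash and reject it once it is older than the TTL.
// Returns the member id on success, null otherwise (unknown, already used, or expired).
function verifyResetToken(mysqli $db, string $token): ?int {
    $stmt = $db->prepare("SELECT members_id, UNIX_TIMESTAMP(requested_at)
                          FROM members_verify WHERE token_hash = ?");
    $hash = hash('sha256', $token);
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $stmt->bind_result($memberId, $requestedAt);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || time() - $requestedAt > TOKEN_TTL_SECONDS) {
        return null;   // an expired token is treated exactly like an unknown one
    }
    return (int) $memberId;
}

// Step 3: once the new password is saved, delete the row so the link only works once.
function consumeResetToken(mysqli $db, int $memberId): void {
    $stmt = $db->prepare("DELETE FROM members_verify WHERE members_id = ?");
    $stmt->bind_param('i', $memberId);
    $stmt->execute();
    $stmt->close();
}
```

     Call verifyResetToken() both when the link is followed and again when the update form is submitted (the form's hidden field carries only the token), and consumeResetToken() right after the password has been updated.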
  21. I worked it out... I should have added the attribute to the $xmldoc, not $root

         $attr1 = $xmldoc->createAttribute('LOADTYPE');
  22. Hi, I've tried my best to get my head around this but I'm still coming up short. I'm trying to get my script to....

     • find the ADVERT tag (which is already in my XML file)
     • Add a new ROOT tag after ADVERT
     • Add the attribute 'LOADTYPE' to ROOT
     • assign the value 'A' to that attribute

     The logic of what I've written makes sense in my head but I'm getting a fatal error of undefined method DOMElement::createAttribute() I've tried researching this but I keep finding 'simpleXML' references which isn't the method I'm using!

         $xmldoc = new DomDocument('1.0');
         $xmldoc->preserveWhiteSpace = false;
         $xmldoc->formatOutput = true;
         if ($xml = file_get_contents('../xml/totaljobs.xml')) {
             $xmldoc->loadXML($xml, LIBXML_NOBLANKS);
             // find the <ADVERT> tag
             $advert = $xmldoc->getElementsByTagName('ADVERT')->item(0);
             // create the <ROOT> tag
             $root = $xmldoc->createElement('ROOT');
             // add the new <ROOT> tag
             $advert->appendChild($root);
             // add 'LOADTYPE' attribute to <ROOT>
             $attr1 = $root->createAttribute('LOADTYPE');
             // Set the value for the LOADTYPE attribute
             $attr1->value = 'A';
             // Append attribute to <ROOT>
             $root->appendChild($attr1);
             // Save the updated xml
             $xmldoc->save('../xml/totaljobs.xml');
         }

     Is createAttribute() the right way of doing this? I'm completely new at XML so this is quite a learning curve.
  23. Worked it out

         $ch = curl_init();   // $data holds the POST fields built earlier
         curl_setopt($ch, CURLOPT_URL, 'https://www.reed.co.uk/recruiter/HttpManagement.aspx');
         curl_setopt($ch, CURLOPT_POST, 1);
         curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);   // return the response as a string instead of printing it
         $result = curl_exec($ch);
         curl_close($ch);
  24. May be missing something simple here, but I've written a CURL script to post data to Reed.co.uk (job board). Reed returns the text 'SUCCESS JobID=1' which is to show it is working... which is great. Problem is I want to be able to now use that JobID and put the details into my database after the CURL request is sent, but I can't see how I would store the '1' as a variable? Would this even be possible as it is the Reed server just outputting text?
  25. Remove the @ sign before 'mail' and it will hopefully show you a helpful error message as to why it isn't sending. @ ignores errors messages (http://www.php.net/manual/en/language.operators.errorcontrol.php)