Everything posted by paddy_fields
-
AJAX request, to change two divs content
paddy_fields replied to paddy_fields's topic in Javascript Help
Gristoi, thank you for your reply. Before I got round to seeing your response I got this working with the method below. I realise you've said to avoid this method, but are there any major downsides? This is the only javascript I'm using on the page so would this method be faster for page execution than including the whole jquery library?

    /* AJAX code inserting a shortlist entry */
    //Browser Support Code
    function ajaxShortlist(doSave, jobid, candidateid) {
        var ajaxRequest; // The variable that makes Ajax possible!
        try {
            // Opera 8.0+, Firefox, Safari
            ajaxRequest = new XMLHttpRequest();
        } catch (e) {
            // Internet Explorer Browsers
            try {
                ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (e) {
                try {
                    ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
                } catch (e) {
                    // Something went wrong
                    alert("Your browser broke!");
                    return false;
                }
            }
        }
        // Create a function that will receive data sent from the server
        ajaxRequest.onreadystatechange = function () {
            var div = document.getElementById("shortlist" + jobid);
            if (ajaxRequest.readyState == 4) {
                div.innerHTML = ajaxRequest.responseText;
            } else {
                div.innerHTML = "<p>loading...</p>";
            }
        };
        var queryString = "?jobid=" + jobid + "&candidateid=" + candidateid;
        var url = "includes/shortlist.php";
        ajaxRequest.open("GET", url + queryString, true);
        ajaxRequest.send(null);

        //
        var ajaxRequest2; // The variable that makes Ajax possible!
        try {
            // Opera 8.0+, Firefox, Safari
            ajaxRequest2 = new XMLHttpRequest();
        } catch (e) {
            // Internet Explorer Browsers
            try {
                ajaxRequest2 = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (e) {
                try {
                    ajaxRequest2 = new ActiveXObject("Microsoft.XMLHTTP");
                } catch (e) {
                    // Something went wrong
                    alert("Your browser broke!");
                    return false;
                }
            }
        }
        // Create a function that will receive data sent from the server
        ajaxRequest2.onreadystatechange = function () {
            var div2 = document.getElementById("shortlist-list");
            if (ajaxRequest2.readyState == 4) {
                div2.innerHTML = ajaxRequest2.responseText;
            } else {
                div2.innerHTML = "<p>loading...</p>";
            }
        };
        var url2 = "includes/shortlist2.php";
        ajaxRequest2.open("GET", url2, true);
        ajaxRequest2.send(null);
    }
-
AJAX request, to change two divs content
paddy_fields replied to paddy_fields's topic in Javascript Help
From staring at the code I'm guessing that I could repeat the process, with ajaxRequest2 = new XMLHttpRequest(); after the code first ajaxRequest (but still inside the main function), so they will execute one after the other. I'll test this and report back! -
Hello

I have a 'save job' button next to my list of results, which a user can click to add to their 'shortlist'. The AJAX I have written for this works fine... when the button is clicked it magically turns into a 'added!' message and inserts the data into the database.

I want to expand on this to have a separate div on the right hand side that lists all the user's shortlist entries. So when the 'save job' button is clicked, I want the AJAX request to also refresh the list on the right with the next entry.

    /* AJAX code inserting a shortlist entry */
    function ajaxShortlist(doSave, jobid, candidateid) {
        var ajaxRequest;
        try {
            // Opera 8.0+, Firefox, Safari
            ajaxRequest = new XMLHttpRequest();
        } catch (e) {
            // Internet Explorer Browsers
            try {
                ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (e) {
                try {
                    ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
                } catch (e) {
                    // Something went wrong
                    alert("Your browser broke!");
                    return false;
                }
            }
        }
        ajaxRequest.onreadystatechange = function () {
            var div = document.getElementById("shortlist" + jobid);
            if (ajaxRequest.readyState == 4) {
                div.innerHTML = ajaxRequest.responseText;
            } else {
                div.innerHTML = "<p>loading...</p>";
            }
        };
        var queryString = "?jobid=" + jobid + "&candidateid=" + candidateid;
        var url = "includes/shortlist.php";
        ajaxRequest.open("GET", url + queryString, true);
        ajaxRequest.send(null);
    }

How do I go about writing this into my script? Do I simply need to repeat the var queryString part and make another ajaxRequest.send, or does this require an entire new AJAX script? I'm a novice at javaScript... it took me a very long time to get the above working! Any pointers/explanations would be great

Cheers
-
You need to close the <a> tag as well. The content between the tags is what will be displayed as the text on the link. <a href="the_address.php">the link text</a> EDIT: sorry, scrap that, I just saw it's on the next line
-
Thanks for all the advice guys - much appreciated. I will look into VPS, and check out Linode and ICDsoft
-
Oh and I will need to be able to host PHP/MySQL
-
Hello

I'm launching my own web design company and need some advice on a suitable hosting provider. I will be hosting my clients' sites myself. Is there a major downside of using a site like 'GoDaddy' to host the sites? I have looked into dedicated managed servers on RackSpace but they charge around £600 per month... and this is too high for me at the moment as I'm just starting out. Is a dedicated server the way to go? I'm looking to have 1-2 new sites hosted every month, so it will start small, and then hopefully greatly expand in capacity needs - if that needs to be considered when choosing the right hosting option? Any advice would be invaluable
-
if one insert query fails, 'undo' the previous
paddy_fields replied to paddy_fields's topic in PHP Coding Help
Thanks, it all works as expected once I introduce the errors. -
if one insert query fails, 'undo' the previous
paddy_fields replied to paddy_fields's topic in PHP Coding Help
I've tried to implement the ROLLBACK and COMMIT as suggested... and it appears to work. Well, it still creates both entries into each table and throws no errors at least. Is there a way I can test the rollback?

    $db->autocommit(FALSE);

    /* insert into members table */
    if ($stmt = $db->prepare("INSERT INTO members (email, password, salt) VALUES (?, ?, ?)")) {
        $stmt->bind_param('sss', $email, $password, $random_salt);
        if (!$stmt->execute()) {
            header('Location: ../error.php?err=Member was not inserted');
            exit();
        }
        $member_id = $db->insert_id;
        $stmt->close();

        /* insert into candidatePool table */
        $stmt = $db->prepare("INSERT INTO candidatePool (firstName,lastName,email,telephone,registered,members_id) VALUES (?,?,?,?,?,?)");
        $stmt->bind_param('sssssi', $firstName, $lastName, $email, $telephone, $registered, $member_id);
        if (!$stmt->execute()) {
            $db->rollback();
            header('Location: ../error.php?err=Candidate was not inserted');
            exit();
        }
        $candidate_id = $db->insert_id;
        $stmt->close();

        $db->commit();
        $db->autocommit(TRUE);
    }
-
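One way to test the rollback asked about in the post above, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database and a cut-down, constructed version of the two tables so it runs without a MySQL server; mysqli offers the equivalent begin_transaction(), commit() and rollback().

```php
<?php
// Added example: constructed schema and data, not the poster's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('PRAGMA foreign_keys = ON');
$db->exec('CREATE TABLE members (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL, salt TEXT NOT NULL)');
$db->exec('CREATE TABLE candidatePool (
    id INTEGER PRIMARY KEY, firstName TEXT NOT NULL, email TEXT NOT NULL,
    members_id INTEGER NOT NULL REFERENCES members(id))');

/**
 * Insert a member and the matching candidatePool row as one unit.
 * Returns the new member id, or null if anything failed and was rolled back.
 */
function registerCandidate(PDO $db, string $email, string $hash, string $salt, ?string $firstName): ?int
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('INSERT INTO members (email, password, salt) VALUES (?, ?, ?)');
        $stmt->execute([$email, $hash, $salt]);
        $memberId = (int) $db->lastInsertId();

        $stmt = $db->prepare('INSERT INTO candidatePool (firstName, email, members_id) VALUES (?, ?, ?)');
        $stmt->execute([$firstName, $email, $memberId]);

        $db->commit();
        return $memberId;
    } catch (PDOException $e) {
        $db->rollBack();              // discards the members insert as well
        error_log($e->getMessage());  // keep database details out of the redirect URL
        return null;
    }
}

function memberCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM members')->fetchColumn();
}

// Normal case: both inserts succeed and are committed together.
var_dump(registerCandidate($db, 'a@example.test', 'hash', 'salt', 'Ann'));
// Forced failure: a NULL firstName violates NOT NULL on the second insert,
// so the members row written just before it must not survive.
var_dump(registerCandidate($db, 'b@example.test', 'hash', 'salt', null));
var_dump(memberCount($db));
```

Comparing the member count before and after the forced failure shows whether the first insert was really undone.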
if one insert query fails, 'undo' the previous
paddy_fields replied to paddy_fields's topic in PHP Coding Help
Great, thank you. I shall give it a go this evening and undoubtedly come back to you with more questions -
I realise 'undo' is the wrong term for this and I'm pretty sure it can't be done... but it's worth asking

When inserting a new user their details are put in different tables, a 'members' table with their login, a 'candidatePool' with other info, and a 'cvPool' with the location of their cv. (a candidate doesn't need to be a member to be in the candidatePool, and one user can have many cv's so it can't all be in the same table)

When I insert the user into the member table I take the insert_id() and use that for the foreign key data for the next insert. The problem I'm thinking is, what if the first query executes but the second fails? I would want the first query to then effectively delete what it's just inserted. Is the solution to put a delete query in the 'failed query' part of the second, which will then delete the row from members according to the insert_id(), if that makes sense?

    /* insert into members table */
    if ($stmt = $db->prepare("INSERT INTO members (email, password, salt) VALUES (?, ?, ?)")) {
        $stmt->bind_param('sss', $email, $password, $random_salt);
        if (!$stmt->execute()) {
            header('Location: ../error.php?err=Member was not inserted');
            exit();
        }
        $member_id = $db->insert_id;
        $stmt->close();

        /* insert into candidatePool table */
        $stmt = $db->prepare("INSERT INTO candidatePool (firstName,lastName,email,telephone,registered,members_id) VALUES (?,?,?,?,?,?)");
        $stmt->bind_param('sssssi', $firstName, $lastName, $email, $telephone, $registered, $member_id);
        if (!$stmt->execute()) {
            //SHOULD I PUT A DELETE QUERY HERE, TO DELETE THE RECORD I'VE JUST INSERTED INTO MEMBERS??
            header('Location: ../error.php?err=Candidate was not inserted');
            exit();
        }
        $candidate_id = $db->insert_id;
        $stmt->close();
    }
-
$sql = "UPDATE bloging SET title=".$nTitle.", tekst=".$nText." WHERE title=".$oldTitle;
-
You could just put your code for page2 at the top of page3, and make the form send to page3 originally. In answer to your question, if page2 just contains PHP code and doesn't print anything to the page, put this at the bottom of page2... header('location:page3.php'); That will then redirect the user to page3.php once the page2 code has been parsed.
-
I'm not really getting your problem here, if you know the title of the required file, then just enter it into the $filename string

    $filename = "cells_20140106_165532.csv";
    $file_contents = file_get_contents($filename);
    $importcsvsql = "";

But I'm guessing that I'm not understanding the point you're trying to get across
-
Unless you have a filename that matches the exact date and time that you are requesting the file, then you won't find a matching file within your directory Calling date('Ymd_hmi') will always produce the current time and date in the format yyyymmdd-hhmmss
-
Ah, I see. I've just altered ON DELETE CASCADE ON UPDATE CASCADE on both of the related tables and it works like a charm. Thank you
-
Hi, I'm trying to implement foreign key constraints but have hit a learning curve! When a job is deleted from jobBoard I would like any associated rows in jobViews to also be deleted. At present when I run a delete query on a row in jobBoard (that has associated records in the other table) it fails and shows the error below;

    Cannot delete or update a parent row: a foreign key constraint fails (`recruitsmart`.`jobviews`, CONSTRAINT `fk_jobViews_jobBoard1` FOREIGN KEY (`jobBoard_id`) REFERENCES `jobBoard` (`id`) ON DELETE NO ACTION ON UPDATE NO ACTION)

In my head this should be the reasoning... the relationship should be one to many, jobBoard to jobViews. ie one job can have many views. the relationship should be un-identifying as a job view cannot exist without a job. This is what I've based my relationship on but evidently it's wrong! I've attached the ERD if anyone could point me in the right direction? Also my syntax is below for the jobViews table;

    CREATE TABLE `jobViews` (
      `viewDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
      `jobBoard_id` int(11) unsigned NOT NULL,
      KEY `fk_jobViews_jobBoard1_idx` (`jobBoard_id`),
      CONSTRAINT `fk_jobViews_jobBoard1` FOREIGN KEY (`jobBoard_id`) REFERENCES `jobBoard` (`id`) ON DELETE NO ACTION ON UPDATE NO ACTION
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-
I suppose I could modify the htaccess file?
-
Thanks davadannis, I like the idea of timing out the IP address whitelist... that's going on the list. And I agree regarding password length, the application still needs to be easily accessible by a user who isn't trying to simply hack the site! sKunKbad, how would I block someone at server level? Do you mean I should log their IP address and then not even allow them to access the login form at all? ie- redirect to a 'go_away_you_bugger.php' if they try to access login.php?
-
... then you should probably put it back in the oven?
-
I second that interest... a tutorial section would be a nice addition to the forum.
-
Thank you.
-
I've implemented a login script, and now want to pull all of the rows of data related to the user to display on the page once they have logged in successfully. This is the function that logs the user in...

    function login($email, $password, $db) {
        // Using prepared statements means that SQL injection is not possible.
        if ($stmt = $db->prepare("SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1")) {
            $stmt->bind_param('s', $email); // Bind "$email" to parameter.
            $stmt->execute(); // Execute the prepared query.
            $stmt->store_result();
            // get variables from result.
            $stmt->bind_result($user_id, $username, $db_password, $salt);
            $stmt->fetch();
            // hash the password with the unique salt.
            $password = hash('sha512', $password . $salt);
            if ($stmt->num_rows == 1) {
                // If the user exists we check if the account is locked
                // from too many login attempts
                if (checkbrute($user_id, $db) == true) {
                    // Account is locked
                    // Send an email to user saying their account is locked
                    return false;
                } else {
                    // Check if the password in the database matches
                    // the password the user submitted.
                    if ($db_password == $password) {
                        // Password is correct!
                        // Get the user-agent string of the user.
                        $user_browser = $_SERVER['HTTP_USER_AGENT'];
                        // XSS protection as we might print this value
                        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                        $_SESSION['user_id'] = $user_id;
                        // XSS protection as we might print this value
                        $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
                        $_SESSION['username'] = $username;
                        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                        // Login successful.
                        return true;
                    } else {
                        // Password is not correct
                        // We record this attempt in the database
                        $now = time();
                        if (!$db->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')")) {
                            header("Location: ../error.php?err=Database error: login_attempts");
                            exit();
                        }
                        return false;
                    }
                }
            } else {
                // No user exists.
                return false;
            }
        } else {
            // Could not create a prepared statement
            header("Location: ../error.php?err=Database error: cannot prepare statement");
            exit();
        }
    }

I can see two options here, either...

1. change the script above to store each item from the row as its own session, ie - '$db->prepare("SELECT id, username, password, salt.. // and every other row I want to display from the table...// ") , then bind each to a variable, and assign each to their own session variable. With the view to then echo each when needed, such as $_SESSION['address'];

2. after the user is logged in, run a query on the desired page such as "SELECT * FROM myTable WHERE username = $_SESSION['username']" and manage the data that way.

Could someone give me some advice as to the more effective/secure method?
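A sketch of option 2 from the post above, as an added example that is not part of the original post: the page query is a prepared statement keyed on the numeric id that login() stored in the session, and values are escaped when printed. The `addresses` table, its rows and the function names are constructed for illustration, and PDO with in-memory SQLite is assumed so the script runs without a MySQL server.

```php
<?php
// Added example: constructed table and rows, not the poster's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE addresses (
    id INTEGER PRIMARY KEY, members_id INTEGER NOT NULL, address TEXT NOT NULL)');
$db->exec("INSERT INTO addresses (members_id, address) VALUES
    (1, '1 High Street'), (1, '<b>Flat 2</b>, Mill Lane'), (2, '9 Other Road')");

/** Return only the rows owned by the logged-in member. */
function rowsForMember(PDO $db, array $session): array
{
    // The id comes from the server-side session set at login, never from the
    // request, so one member cannot ask for another member's rows.
    if (!isset($session['user_id']) || !ctype_digit((string) $session['user_id'])) {
        return [];
    }
    // Bound parameter instead of interpolating a session value into the SQL.
    $stmt = $db->prepare('SELECT address FROM addresses WHERE members_id = ?');
    $stmt->execute([(int) $session['user_id']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Escape at output time, whatever was stored in the table. */
function renderList(array $rows): string
{
    $items = array_map(
        fn(string $row): string => '<li>' . htmlspecialchars($row, ENT_QUOTES, 'UTF-8') . '</li>',
        $rows
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

$session = ['user_id' => '1'];  // stands in for $_SESSION after login()
echo renderList(rowsForMember($db, $session)), PHP_EOL;
echo renderList(rowsForMember($db, [])), PHP_EOL;  // no session: nothing is returned
```

Querying per page keeps the session limited to an identifier, so changes to the member's data show up on the next request instead of waiting for a fresh login.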
-
Nice idea! I'm not sure if I could warrant that 'per login' but for the initial login for each user that would be a very nice method - especially on a new browser or possibly from a new IP address? Would it be feasible to have a whitelist of IP addresses, or is that still quite simple for a hacker to get around?
-
Thank you both. Dowlat - I appreciate the detailed run through it's very helpful. I was referring more to the technical strength of the code in question but I will make sure to implement expiring passwords as you say. I probably wouldn't have thought to do that if you hadn't have pointed it out. As my clients data is sensitive I need to do all I can to make it as secure as possible. I'll start with this method in the tutorial to begin with, and then add additional security measures afterwards such as expiring passwords and strict rules on password suitability.