LeJack
security issues in the extract ( ) in php coding ?
LeJack replied to hairulakli's topic in PHP Coding Help
So is Captcha. You argue about security and then back down on it when people are looking for IP banning. So you're telling me that if requinix bans both me and you, you're still able to log in to your account with a different IP? You're telling everyone to listen to you when you talk about security, but then you encourage people to look away when it comes to validating and IP banning. It's the same exact thing. Don't even lie about it, because you are BSing it to make yourself look smarter, which in fact makes you look like a choking fool. If you preach about security so much, then preach about protecting user inputs instead of turning your head the other way when it comes to security. I used to look up to you, but you have been such a failure for the past few years. I've seen how you talk with people, and that is exactly why people think you're an a-hole. You're too damn lazy to ban IPs, so you blatantly put the burden on your users to use Captchas? Oh my god. You preach so much about security, yet you say NO, don't use it because "it's only secure if Jacques1 gives it to you". I'm done here. I'm tired of seeing your two-faced personality showing up and making yourself look like a fool when other people want to use security. Good luck destroying this community as you did with devshed. Wait. The last time you were on devshed, people left. Now since you came on here, people came back to devshed and now people are leaving this forum. -
security issues in the extract ( ) in php coding ?
LeJack replied to hairulakli's topic in PHP Coding Help
Check if the form was submitted, if not then do nothing. If the form is submitted, validate to see if each field was inputted. If any field is empty, print or echo out an error or warning. If every field was inputted and it is what you are expecting, then echo out what the user has typed in. -
security issues in the extract ( ) in php coding ?
LeJack replied to hairulakli's topic in PHP Coding Help
No, that is the worst way to take values from a form. You are forgetting a ton of things that make your code safer. You're basically just looking for the best possible way without doing a lot of stuff. What if someone left a field empty and submitted everything else? $_POST will most likely return true since the method is "post". If someone submits the form, that will still return true. This is why you should validate user inputs. -
Updating and inserting do the same jobs. Insert inserts into the database if it doesn't exist, update updates the data if it exists. So when you update the data, it will replace anything you specify in the "update" string. That being said, you are replacing every field in that string, meaning it will update with an empty field if it does not get inputted correctly. Try this for size.

configuration.php

```php
<?php
define("HOST", "");
define("USERNAME", "");
define("PASSWORD", "");
define("DATABASE", "");

// All of the fields are validated and this is a great thing
$db = new mysqli(HOST, USERNAME, PASSWORD, DATABASE);
if($db->connect_error) {
    // Do not display the actual error. Also, it is best to disable error logging onto your screen.
    // Best suggestion is to enable error logging to a file so that you can view it from a safer source.
    // Only use this as a debug on a local machine:
    // die('Connect Error: ' . $db->connect_error);
    die('Database connection failed');
}

// Check the two URL parameters. The form posts to testimonials?p=edit&id=...;
// a plain visit (no "p") just shows the form, so only validate when "p" is present.
if(isset($_GET['p'])) {
    if($_GET['p'] != "edit") {
        die('A parameter is missing!'); // Display an error
    } elseif(!isset($_GET['id']) || !ctype_digit($_GET['id'])) {
        die('A parameter is missing!'); // The id must be a whole number
    }
}
```

select_from_testimonials.php

```php
<?php
// Always check that the id is in the URL, or someone can abuse the fact that you are selecting from an invalid row
if(isset($_GET['id'])) {
    $get_testimonial = (int) $_GET['id']; // Get the id from the URL, as an integer
    $query = $db->prepare("SELECT testimonialID, name, stars, testimonial, location FROM testimonials WHERE testimonialID = ?");
    $query->bind_param("i", $get_testimonial); // Bind the placeholder to avoid SQL injection
    $query->execute(); // Execute the prepared statement
    $query->store_result();
    if($query->num_rows) {
        $query->bind_result($testimonialID, $name, $stars, $testimonial, $location); // Bind all the results from the query
        // The id is unique, so a single fetch fills the variables used by the form
        $query->fetch();
        $new_testimonialID = $testimonialID;
        $new_name = $name;
        $new_stars = $stars;
        $new_testimonial = $testimonial;
        $new_location = $location;
    } else {
        // No such data with the $_GET parameter defined
    }
    $query->close();
}
```

testimonials_submit.php

```php
<?php
if($_SERVER['REQUEST_METHOD'] == "POST") {
    // Check to see if the URL has the $_GET parameter "p"
    if(isset($_GET['p'])) {
        if($_GET['p'] == "edit") {
            // Read each field, treating a missing or whitespace-only field as empty
            $name = isset($_POST['name']) ? trim($_POST['name']) : "";
            $stars = isset($_POST['stars']) ? trim($_POST['stars']) : "";
            $testimonial = isset($_POST['testimonial']) ? trim($_POST['testimonial']) : "";
            $location = isset($_POST['location']) ? trim($_POST['location']) : "";

            // Validate these fields so that you don't update empty fields
            if($name == "") {
                echo "Please type something in for the name"; // The name field is empty
            } elseif($stars == "" || !ctype_digit($stars)) {
                echo "Please select the appropriate stars"; // The stars field is empty or not a number
            } elseif($testimonial == "") {
                echo "Please type something into the testimonial field"; // The testimonial field is empty
            } elseif($location == "") {
                echo "Please select a location"; // The location field is empty
            } else {
                // Check to see if the ID is passed into the URL
                if(isset($_GET['id'])) {
                    $testimonialID = (int) $_GET['id']; // Get the id from the URL
                    $stars = (int) $stars;
                    // Use prepare instead of the deprecated mysql_* functions, which are the worst thing to use
                    $stmt = $db->prepare("UPDATE testimonials SET name = ?, stars = ?, testimonial = ?, location = ? WHERE testimonialID = ?");
                    // Bind these placeholders to separate the data from the SQL. Best way to avoid SQL injection
                    $stmt->bind_param("sissi", $name, $stars, $testimonial, $location, $testimonialID);
                    $stmt->execute(); // Execute the query
                    $stmt->close();
                    // echo '<a href="./">Back Home</a> | <a href="./testimonials">Testimonials</a><br><br>';
                    // echo 'Yay, Successful. PS: There is no error handling so this really just means you submitted it.';
                    // We don't need the above if we are redirecting the user.
                    // Redirect back to this record so the refreshed data is shown. Use a fixed URL rather than
                    // $_SERVER['HTTP_REFERER'], which the client controls and may leave empty.
                    header("Location: testimonials?p=edit&id=" . $testimonialID);
                    exit;
                } else {
                    echo "Please do not modify the URL, it must include the ID as well";
                }
            }
        } else {
            echo "Get parameter is defined, but it is not 'edit'";
        }
    }
}
```

testimonials.php

```php
<?php
require('configuration.php'); // Requires this for your database connection
require('select_from_testimonials.php'); // Requires this to display the records
require('testimonials_submit.php'); // Requires this for the form to be submitted

// Escape every value before it goes into the HTML, so stored data cannot inject markup or script
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}
?>
<a href="./">Back Home</a> | <a href="./testimonials">Testimonials</a><br><br>
<form action="testimonials?p=edit&amp;id=<?php if(isset($new_testimonialID)) { echo h($new_testimonialID); } ?>" method="POST">
Name:<br><input type="text" name="name" value="<?php if(isset($new_name)) { echo h($new_name); } ?>"/><br><br>
Stars:<br><input type="text" name="stars" value="<?php if(isset($new_stars)) { echo h($new_stars); } ?>"/><br><br>
Testimonial:<br><textarea name="testimonial"><?php if(isset($new_testimonial)) { echo h($new_testimonial); } ?></textarea><br><br>
Location:<br><input type="text" name="location" value="<?php if(isset($new_location)) { echo h($new_location); } ?>"/>
<input type="submit" name="submit" value="submit" />
</form>
```

Your original code seems to be very broken, and if you continue to use it, you won't get anywhere. You have:
A. No way for the server to tell if the form was submitted (you do, but this is an odd approach).
B. No way of user validation. Not everyone on the internet is nice, and not everyone cares if your website is broken or not.
C. (You are) using the deprecated mysql_* functions from the 1990's. Update the code because this is 2014, going on 2015. Most web hosts are now updating their PHP features and mysql_* will most likely be removed, causing your code to throw "function ____ deprecated".
D. (You are) stuffing the actual variables inside the query string. This is not the safest approach. As I said in the code, when you prepare, you avoid SQL injection because SQL injection comes from misinterpreted code. If someone does 1=1' or 'xx' for your code, they will most likely select every single row that exists in your table.
E. (You are) using the asterisk (*) in the query string, which is unsafe. Only select what you want or need. Do NOT use (*) because if you only wanted to display about 4 columns, when you get attacked, the attacker will be getting 20 rows instead of 4.
Please take my advice as a learning precaution. If you continue to use the above listed on a live server, don't come to me or anyone here and say that you got hacked or attacked.
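As an added example (not code from LeJack's post or the thread), here is the same whitelist-the-fields, reject-blank-input, then update-through-a-prepared-statement flow, run against an in-memory SQLite table via PDO so it needs no MySQL server. It assumes PHP 7+ with the pdo_sqlite extension; the table layout, sample rows and submissions are constructed.

```php
<?php
// Added example, not from the post: whitelist the expected fields instead of extract($_POST),
// reject blank input, then update through a prepared statement. Assumes PHP 7+ with pdo_sqlite.
function validate_testimonial(array $input): array
{
    $fields = ['name', 'stars', 'testimonial', 'location']; // explicit whitelist of form fields
    $clean = [];
    $errors = [];
    foreach ($fields as $f) {
        // A missing key and a whitespace-only value both count as empty
        $value = isset($input[$f]) ? trim((string) $input[$f]) : '';
        if ($value === '') {
            $errors[] = "Field '$f' is required";
        }
        $clean[$f] = $value;
    }
    if ($clean['stars'] !== '' && (!ctype_digit($clean['stars']) || (int) $clean['stars'] < 1 || (int) $clean['stars'] > 5)) {
        $errors[] = "Field 'stars' must be a whole number from 1 to 5";
    }
    return ['errors' => $errors, 'clean' => $clean];
}
function update_testimonial(PDO $db, int $id, array $clean): int
{
    // Placeholders keep the data out of the SQL text, so quotes inside a value stay literal
    $stmt = $db->prepare('UPDATE testimonials SET name = :name, stars = :stars, '
        . 'testimonial = :testimonial, location = :location WHERE testimonialID = :id');
    $stmt->execute($clean + ['id' => $id]);
    return $stmt->rowCount();
}
// Constructed in-memory table with the columns used in the post
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE testimonials (testimonialID INTEGER PRIMARY KEY, name TEXT, stars INTEGER, testimonial TEXT, location TEXT)');
$db->exec("INSERT INTO testimonials VALUES (1, 'Alice', 5, 'Great', 'Oslo'), (2, 'Bob', 4, 'Good', 'Lima')");
// Constructed submissions: a blank name, then a name containing SQL-looking text
$submissions = [
    ['name' => '   ', 'stars' => '5', 'testimonial' => 'x', 'location' => 'y'],
    ['name' => "O'Brien' OR '1'='1", 'stars' => '3', 'testimonial' => 'Fine', 'location' => 'Cork'],
];
foreach ($submissions as $submission) {
    $result = validate_testimonial($submission);
    if ($result['errors']) {
        echo 'Rejected: ' . implode('; ', $result['errors']) . "\n";
        continue;
    }
    echo 'Updated ' . update_testimonial($db, 1, $result['clean']) . " row(s)\n"; // only row 1 changes
}
echo $db->query('SELECT name FROM testimonials WHERE testimonialID = 1')->fetchColumn() . "\n"; // stored literally
```

The first submission is rejected for the blank name; the second updates exactly one row and the quote-laden name is stored as a literal string, while Bob's row is untouched.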
-
Why are you checking if $_POST exists? What is $_POST? If you don't have $_POST defined, but you're checking to see if $_POST exists, it won't submit your form. I suggest using $_SERVER['REQUEST_METHOD']. This will allow the form to be submitted, but you must define the method with $_SERVER['REQUEST_METHOD']. Also, how are you going to validate that each field is appropriately submitted? Let's say you accidentally pressed the "submit" button. Everything in your top code will be submitted with a blank entry, causing your current data to be blank as well. This will be havoc trying to see what the original data for that row was. I would also suggest validating if each field was correctly inputted. If it returns an empty field, print or echo out an error or warning so that the user or person who is using this will check their submission again. You can test it out yourself. Erase all data from the "name" field and submit it. I guarantee you'll have a record of ____ (underscore meaning blank - name), (whatever was inputted for stars), (whatever was inputted for testimonials), and (whatever was inputted in location).
-
The reason why you are seeing the home page of localhost is because you're using "/" which represents the base folder or URL. If you have this file saved in a sub folder and you're trying to do something like localhost/website, you need to add the website name after the / because HTTP will assume that you are looking for the main page of the URL which is localhost. Again, this is not a PHP problem. This is an HTML problem.
-
There's also stuff like the Ant Video Downloader. You just install it onto your Firefox or whatever Ant is compatible with and it auto-detects anything that is either video or music. Then you can download that particular thing. If you're trying to protect your videos, then you're going to be searching for a long time. Nothing on the internet is safe. People think someone can simply use JavaScript to disable right click and disable viewing sources; it's super easy to view sources.
Firefox: Tools > Web Developer > Page Source or CTRL+U
Internet Explorer: F12
Chrome: (The 3 horizontal lines on the top right corner) > More Tools > View Source or CTRL+U
If you don't want people downloading photos from your website and you don't make a download button for people to use, well, all they need to do is right click on the picture, then Save As. Or even better, if you disable right clicking, all they really need to do is, on whatever browser they're on, go to Page Info and it automatically shows all of the images and whatnot used for that certain page. In Firefox, it shows what they are used for, whether it be a background image or a background video. So what I'm trying to say is, nothing on the internet is safe from downloading, unless you put the file outside of your website where it's not accessible or if you chmod it.
-
Was going to tell you that the logs folder and www folder are two different folders so you might want to chmod 77 www and not the logs folder, but I saw that you have chmod 777 www already so I scratched off what I was going to say.
-
Scratch it.
-
Doesn't look like you have a REQUEST_METHOD set, are you getting any errors?
-
Like Notion said. I think this would also help you out.

```php
<?php
$myname = "Noxin";
echo "<p>This is PHP</p>";
echo "<p>My name is $myname</p>";
echo "<p>My name in another notation is still " . $myname . "</p>";
?>
```

If you're not the type to echo out everything, then I guess you can do a whole line just like Notion mentioned. Always end your echoes with a semicolon or you'll always receive an error.
-
Well, you could, but I'm not sure how to configure Apache to point to a different destination cuz I have mine installed on Windows so I basically installed mine in my C drive. I believe it's possible to install your workspace on other places, but you'll have to configure it in the apache2.conf file. Not sure if that helps.
-
It shouldn't be any different because it's running the same Apache configuration. All I can think of right now is the .conf file is missing some key configurations, but I could be wrong. I remember I just had to update my Ubuntu and it worked. I'm not really sure what's going on with LandSlyde's localhost.