
Richard_Grant

Members
Posts: 71
Everything posted by Richard_Grant

  1. Would you scold me for using mysqli_real_escape_string? (If it would even let me use my PDO connection as the connection variable.)
  2. You always have the best answers.
  3. Okay, I have a function:

     function p_d_o($options, $func){
         // $options is a multidimensional array ... parse $options to strings.
         // $cols_, $cond_, $vars and $con are built from $options earlier (elided in the post).
         // When echoed, $query looks like this:
         //   $vars = array(":val_0" => "14084"); // this is the only value retrieved from $_POST or $_GET,
         //                                       // all other values come from PHP function calls
         //   SELECT RAND_CODE,USERNAME FROM table WHERE RAND_CODE LIKE :val_0 LIMIT 5
         $query = $cols_ . ' FROM ' . $options["table"] . ' ' . $options["conditional"] . ' '
                . (($options["limitted"]) ? $cond_ . ' LIMIT ' . $options["limitted"] : "");
         $secure_mysqli = $con->prepare($query);
         $secure_mysqli->execute($vars); // $vars contains :val_0
         while ($item = $secure_mysqli->fetch(PDO::FETCH_ASSOC)) {
             $func($item); // hand each fetched row to the callback (the post passed $query here)
         }
     }

     My question is: should I be worried about the other parts of the query string that are not being bound? I was having issues binding the table name and columns.
  4. From my experience you can only bind a variable on the right side of a value. You cannot bind table names or column names; correct me if I am wrong, though, because I was having issues trying to bind the table name and columns.
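Posts 3 and 4 above hit the real limitation of prepared statements: placeholders stand in for values only, never for identifiers. The following is an added example, not the poster's code, showing the usual answer: bound parameters for every user-controlled value (including LIMIT, bound as an integer), and a whitelist for the table and column names before they are spliced into the SQL string. The `users` table, its columns and the rows are constructed for the example, and an in-memory SQLite database is used so it runs offline; the same code applies to MySQL, which also accepts backtick-quoted identifiers.

```php
<?php
// Added example (not from the original post): values are bound, identifiers are
// whitelisted. Assumes a hypothetical schema of one table, "users".

// Whitelist of table => allowed columns. Anything not listed never reaches the SQL string.
const ALLOWED = [
    'users' => ['id', 'username', 'rand_code'],
];

function quoteIdent(string $name): string {
    // The whitelist has already vouched for $name; quoting only guards against reserved words.
    return '`' . str_replace('`', '``', $name) . '`';
}

function buildSelect(string $table, array $cols, string $whereCol, string $value, ?int $limit = null): array {
    if (!isset(ALLOWED[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    foreach (array_merge($cols, [$whereCol]) as $c) {
        if (!in_array($c, ALLOWED[$table], true)) {
            throw new InvalidArgumentException("column not allowed: $c");
        }
    }
    $sql = 'SELECT ' . implode(', ', array_map('quoteIdent', $cols))
         . ' FROM ' . quoteIdent($table)
         . ' WHERE ' . quoteIdent($whereCol) . ' LIKE :val_0';
    $params = [':val_0' => $value];        // the user-controlled value, always bound
    if ($limit !== null) {
        $sql .= ' LIMIT :lim';
        $params[':lim'] = $limit;          // bound too, so no integer ever lands in the string
    }
    return [$sql, $params];
}

function runSelect(PDO $con, string $table, array $cols, string $whereCol, string $value, ?int $limit = null): array {
    [$sql, $params] = buildSelect($table, $cols, $whereCol, $value, $limit);
    $stmt = $con->prepare($sql);
    foreach ($params as $k => $v) {
        // LIMIT must be bound as PARAM_INT: with emulated prepares a string would be quoted and rejected.
        $stmt->bindValue($k, $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data for the example.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, rand_code TEXT)');
$ins = $con->prepare('INSERT INTO users (username, rand_code) VALUES (?, ?)');
foreach ([['alice', '14084'], ['bob', '14085'], ['mallory', "' OR 1=1 --"]] as $row) {
    $ins->execute($row);
}

// The LIKE pattern is only ever a bound value, so quotes inside it are data, not SQL.
print_r(runSelect($con, 'users', ['rand_code', 'username'], 'rand_code', '1408%', 5));

// An attacker-supplied table or column name is rejected before any SQL is built.
try {
    runSelect($con, 'users; DROP TABLE users', ['username'], 'rand_code', '%');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The point of the whitelist is that the identifier the user supplies is never used directly; it is only compared against names the application already knows, so a request for a table or column outside that list fails closed instead of being interpolated.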
  5. What is the error saying? You're missing the "session/DBConnection.php" resource. You're missing the "location:memberlist.php" resource. You're missing the "location:home.php" resource. I cannot debug this. $type is not set:
     LINE 80: if ($type=="Admin"){
     Try to echo the $type variable, and you should be doing this instead:
     LINE 80: if (strtolower($type)=="admin"){
     Mysql is deprecated and is being taken out in the next version of PHP; use Mysqli / PDO.
  6. There is a library known as GeoIP. The library is extremely advanced, and I wouldn't even know where to start without it. I am 100% against using libraries, but GeoIP is recommended by me: http://php.net/manual/en/book.geoip.php Install guide: http://php.net/manual/en/geoip.setup.php
  7. I write in an object-oriented programming style in all languages where possible. Languages I am experienced with: PHP4/PHP5, Mysql/Mysqli/PDO, CSS/CSS3, HTML/HTML5, Javascript (I prefer not to use libraries, but I can use jQuery just fine), C++ Console, C# Silverlight, C# Windows Phone 8.1. Graphic design: Photoshop CS6, Fireworks CS6 (I prefer not to use Fireworks, though). Familiar operating systems: Linux, Windows. Extra info: I work with Apache and have experience maintaining the server. I like to work over SSH (secure shell). I program in Notepad or the command prompt only! I do not use frameworks or special software! Again, I am looking for IMMEDIATE work. Thanks. Sometimes I overthink things and need to be told EXACTLY what it is you want, VERY SLOWLY.
  8. Apache https setup! Okay, so I made my own SSL certificate for my localhost using these commands (OpenSSL: CMD > c:\xampp\apache\bin\openssl):

     req -config c:\xampp\php\extras\ssl\openssl.cnf -new -out jobnow.csr -keyout jobnow.pem
     rsa -in jobnow.pem -out c:\jobnow.key
     x509 -in jobnow.csr -out jobnow.crt -req -signkey c:\jobnow.key -days 369

     When asked for the common name, type your IP address. Then I import the certificate into certmgr.msc and restart Apache.
     https://192.168.0.14 - doesn't work
     192.168.0.14 - works fine

     Apache error log:
     [Wed Sep 10 12:05:41.299000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:41.301000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:41.301000 2014] [ssl:warn] [pid 7840:tid 260] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
     [Wed Sep 10 12:05:41.373000 2014] [core:warn] [pid 7840:tid 260] AH00098: pid file C:/xampp/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
     [Wed Sep 10 12:05:41.616000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:41.617000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:41.617000 2014] [ssl:warn] [pid 7840:tid 260] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
     [Wed Sep 10 12:05:41.659000 2014] [mpm_winnt:notice] [pid 7840:tid 260] AH00455: Apache/2.4.7 (Win32) OpenSSL/1.0.1e PHP/5.5.9 configured -- resuming normal operations
     [Wed Sep 10 12:05:41.659000 2014] [mpm_winnt:notice] [pid 7840:tid 260] AH00456: Apache Lounge VC11 Server built: Nov 21 2013 20:13:01
     [Wed Sep 10 12:05:41.659000 2014] [core:notice] [pid 7840:tid 260] AH00094: Command line: 'c:\\xampp\\apache\\bin\\httpd.exe -d C:/xampp/apache'
     [Wed Sep 10 12:05:41.661000 2014] [mpm_winnt:notice] [pid 7840:tid 260] AH00418: Parent: Created child process 7032
     [Wed Sep 10 12:05:42.319000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:42.321000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:42.321000 2014] [ssl:warn] [pid 7032:tid 272] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
     [Wed Sep 10 12:05:42.645000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:42.646000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
     [Wed Sep 10 12:05:42.646000 2014] [ssl:warn] [pid 7032:tid 272] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
     [Wed Sep 10 12:05:42.688000 2014] [mpm_winnt:notice] [pid 7032:tid 272] AH00354: Child: Starting 150 worker threads.
     [Wed Sep 10 12:05:54.589000 2014] [authz_core:error] [pid 7032:tid 1652] [client 192.168.0.14:3112] AH01630: client denied by server configuration: C:/xampp/htdocs/
     [Wed Sep 10 12:05:54.682000 2014] [authz_core:error] [pid 7032:tid 1652] [client 192.168.0.14:3112] AH01630: client denied by server configuration: C:/xampp/htdocs/favicon.ico

     It says my server name does not match, so I changed the server name in httpd-ssl.conf (around line 80) to:
     ServerName 192.168.0.14:443
     and set DocumentRoot to my httpd.conf document root. My .key is in apache/conf/ssl.key, my .crt is in apache/conf/ssl.crt. I hope this helps someone else! I had to post this after how much trouble it was causing me!
  9. You wrote really neat, unnecessary code only to find out it defeats its purpose; yet you defend your code till your last breath with a shred of hope that one day it will become worth something. That is love.

  10. No matter what you do, you cannot protect ANY content that is brought to the browser. Once it reaches the browser, consider it up for grabs. The best way to protect the URL location would be to store the files as a BLOB in your database, but even then the user can download the blob that you sent them. If it were me, I would write 2 applications, one in Silverlight and the other in Flash (use Silverlight as the fallback for Flash; there are some issues with Mac users). You could also get the sound waves from the file and play it back with HTML5.
  11. Needs a new design if you want to compete with the big dogs. Everything worked fine for me on the latest version of Chrome. Check your PM.
  12. I think this page needs a new design; you lost my interest as soon as I viewed it. http://www.aptugo.com/features I feel you need a video of some sort on the home page. I really didn't want to read anything that was there.
  13. Yeah, I agree. W3schools is only good as a reference for HTML or CSS.
  14. I'm not trying to enhance the security at ALL. A salt does NOT have to be a 128-bit purely random string. It is recommended that a salt is AT LEAST 80 bits, and anything less is considered obsolete (the 22-digit string I assigned by a randomizer definitely needs to be longer, I agree). I thank you for pointing out the BASE_64 issue. So now I will take off the appended string and generate an entirely random salt (and there is no point in me using a randomly generated string). So I am left with:

     protected function create_hash($string){
         $hash = password_hash(strrev($string), PASSWORD_BCRYPT, array(
             'cost' => rand(14, 18) // changed cost range to 14 - 18
         ));
         return strrev($hash);
     }

     public function verifyhash($string, $hash_string){ // verifies that the hash matches the password
         return (password_verify(strrev($string), strrev($hash_string)) ? true : false);
     }

     And I am no longer considering encrypting the beginning of the hash. I definitely agree I am overthinking a lot of things; that's why I made a post. Even though your post was brutal, THANK YOU, keep it coming. I should have thought harder about what you meant exactly.
  15. There will always be the risk of BRUTE forcing with any type of security. The point would be to hide the CRUCIAL information needed for brute forcing. The brute forcer would need the $2y$14$ to brute force the hash. The point here is to make it harder for them.
  16. I am using it exactly how it was intended. http://php.net/manual/en/function.password-hash.php My password hashing works exactly the same way as intended, only I wrote the random string generator myself (for a reason). I chose to randomize the cost so that every user has a different cost, to make it harder for someone to brute force my database (the cost can be found out by password_get_info). Reversing the string and appending special characters does NOT change the hashing functionality. I was considering removing the information part of the hash altogether and ENCRYPTING it with a key, then storing it in the DB separately. Example: $2y$14$N1VbITdfWi9XfFdvcmRUbuAPbjVD3bQzrsObeoajoNHd2Hq5we7xm The first part gives information about the hash: $2y says its method is BCRYPT, while $14$ says its cost. So if someone wanted to BRUTE my hash they would have the information they would need. So symmetrically encrypting this part of the hash is reasonable. Symmetrically encrypting the hash information then turns the entire hash into an asymmetric encryption, because now there are 2 keys to check if the password is correct: the blue and orange parts of the hash are 2 separate keys. Once the 2 keys are joined it is now a hash, and the password can be compared to the hash, but the password can never be retrieved from the hash. Hash - one way. Encryption - fancy way of hiding information you want to be able to read.
  17. Not sure what you're talking about, but PHP does have access modifiers:

     class phpfreak {
         protected $age;
         protected $height;

         protected function getage() {
             return $this->age;
         }

         protected function getheight() {
             return $this->height;
         }
     }

     class create_freak extends phpfreak {
         public function __construct($age, $height) {
             $this->age = $age;       // protected
             $this->height = $height; // protected
         }

         public function get() {
             return array(parent::getage(), parent::getheight());
         }
     }

     $create_a_freak = new create_freak(20, 100); // calls the constructor
     print_r($create_a_freak->get());              // gets the values
  18. My website needs to collect credit card information WITHOUT a 3rd party! I asked GoDaddy what it is I need for that, and they told me that if I get a merchant account with my bank and call them to tell them what I want to do, they will send me a script and I use that script on my site. Does anyone have experience with this? My server is PCI compliant.
  19. Part of my class, using PHP5 (http://php.net/manual/en/function.password-hash.php). If you know of anything new in PHP5 related to this, please do share.

     protected function create_hash($string){
         $grs = $this->grs("|WordToTheWise", rand(22, 50));
         $hash = password_hash("_" . strrev($string), PASSWORD_BCRYPT, array(
             'cost' => rand(4, 14),
             'salt' => $grs // the salt option was deprecated in PHP 7.0; password_hash() generates its own salt
         ));
         return strrev($hash);
     }

     public function verifyhash($string, $hash_string){ // verifies that the hash matches the password
         return (password_verify("_" . strrev($string), strrev($hash_string)) ? true : false);
     }

     private function grs($string_append = "", $length = 22) {
         $length = $length - strlen($string_append);
         $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()_*,./;[]|';
         $randomString = '';
         for ($i = 0; $i < $length; $i++) {
             $randomString .= $characters[rand(0, strlen($characters) - 1)];
         }
         return $randomString . $string_append;
     }

     Okay, so I use strrev on my string and hash just to make everything a bit more CONFUSING, and I append the string with a "]" just to make the password harder to brute. The strrev and appended string are not meant to make the hash any more secure. I store the reversed hash in my DB as a varchar. The point of the reversed hash is only to make the hash a little more unrecognizable to the human eye. The cost is randomly chosen 4 - 14, and the salt is randomly generated with a special string appended. How would you improve the hashing?
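Posts 14, 15, 16 and 19 above are all about how to call password_hash(). The following is an added example, not the poster's class, showing the plain usage a reviewer would compare it against: the cost is a fixed deployment setting picked once by timing on the target host rather than drawn from rand() per user, no salt option is passed (password_hash() takes its salt from a CSPRNG itself, and the option was deprecated in PHP 7.0), the hash is stored exactly as returned, and password_needs_rehash() upgrades old hashes when the cost policy is raised. The 250 ms target, the cost values and the sample passwords are assumptions for the example.

```php
<?php
// Added example (not from the original posts): bcrypt via password_hash() with a
// benchmarked, fixed cost and transparent rehashing on login.

// Hypothetical target of about 250 ms per hash; run once on the production host
// and put the result in configuration.
function chooseBcryptCost(float $targetSeconds = 0.25, int $min = 10, int $max = 31): int {
    for ($cost = $min; $cost < $max; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $max;
}

function createHash(string $password, int $cost): string {
    // password_hash() generates its own 22-character salt from a CSPRNG and
    // encodes algorithm, cost and salt into the returned string.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Returns whether the password matched and, if the stored hash is below the
// current cost policy, a replacement hash the caller should store.
function verifyAndMaybeRehash(string $password, string $storedHash, int $currentCost): array {
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])
        ? createHash($password, $currentCost)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

$cost = 12; // assumed deployment setting; chooseBcryptCost() is how to pick it
$stored = createHash('correct horse battery staple', $cost);

// The "$2y$12$" prefix is the algorithm's public parameters; bcrypt is designed
// so that knowing them does not reduce the work per guess.
print_r(password_get_info($stored));

// Login flow: verify, then upgrade the stored hash because the policy moved to cost 13.
$result = verifyAndMaybeRehash('correct horse battery staple', $stored, 13);
var_dump($result['ok']);
var_dump($result['newHash'] !== null);

// A wrong password fails verification and triggers no rehash.
var_dump(verifyAndMaybeRehash('wrong password', $stored, 13)['ok']);
```

Storing the hash as returned is what makes password_needs_rehash() and password_get_info() work later; any transformation applied before storage has to be undone on every verify and gains nothing against an attacker who can read the column, since the transformation lives in the same code base.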
  20. Not necessarily. I wouldn't say 'A VARIABLE'; I would say a $_POST or $_GET. You can put in any other variable that the user has no influence on without creating a security risk.
  21. Yeah, but a Thank You is better than a Like. You can be thankful and not like something.
  22. I would like to personally welcome you to the forum! phpFREAKS is a great place to look to learn PHP! Here are some helpful links: https://www.youtube.com/user/phpacademy http://www.w3schools.com/php/ https://php.net/manual/en/index.php Usually when you are learning PHP you are using MySQL; here are some mysqli links: http://www.w3schools.com/php/php_ref_mysqli.asp http://php.net/manual/en/book.mysqli.php Quick facts: When dealing with sensitive information such as passwords, hash it. http://php.net/manual/en/function.md5.php (don't use md5 professionally, only use it for practice; there are better ways to hash). Hashing and encryption are entirely different. Hashing is one way (never retrievable), and encryption has a key to unlock the secret. PHP is best with an OOP (object-oriented programming) style. http://code.tutsplus.com/tutorials/object-oriented-php-for-beginners--net-12762 Don't include database information in your PHP files; write that data as an environment variable in .htaccess. Hope that helped.
  23. I didn't thoroughly read his post; I just got the gist and posted some options that are relevant. If you're using a $_POST and you know the type should be an int, perhaps the first thing you should do is make sure it's an INT before continuing, and then convert the type to an INT.
  24. Set the configuration details in a .htaccess as an environment variable. I made the text really big because that's what you should be doing, ALWAYS, with sensitive information.
  25. Psycho, what's your opinion on storing a hashed password as binary in a MySQL database?