There's also this : http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
-
Holy crap, dude O_o I'm going to have to take my time and really comb through that. And yeah, I finally caught that error with the password_hash() thing XD Edit : Your PHP is a pleasure to read, actually. Very interesting approach. I dig it. I was also going to save the CSS and JS for the end but thank you for taking the time to draft something up.
-
Are you sure your PHP matches your command-line SQL? Also, I recommend using PHP's PDO instead of the mysql stuff.
-
Hey all, I'm writing a small user registration page in MySQL and, of course, PHP. I'm wondering if someone would like to take a look and tell me if there's something obvious I'm missing or something I just did completely wrong. Here are the pages :

register.html

<!DOCTYPE html>
<html>
<head>
<title>ditacms User Registration</title>
</head>
<body>
<p>Complete the registration form below</p>
<form method="post" action="register.php" id="registration_form">
<label>Username : </label>
<input type="text" name="username" />
<br/>
<label>Email : </label>
<input type="text" name="email" value="" />
<br/>
<label>Password : </label>
<input type="text" name="password" value="" />
<br/>
<label>Re-Type Password : </label>
<input type="text" name="confirm_password" value="" />
<br/>
</form>
<button type="submit" form="registration_form">Register</button>
</body>
</html>

register.php

<!DOCTYPE html>
<html>
<head>
<title>Registration Processing</title>
</head>
<body>
<?php
define( "EOL", "<br />\n" );

// data source name
define( "DSN", "mysql:host=localhost;dbname=ditacms;charset=utf8" );
define( "USER", "account_creator" );
define( "PASSWORD", "UrsaOwnsRoshan" );

function db_connect() {
    try {
        $db = new PDO( DSN, USER, PASSWORD );
    } catch( PDOException $ex ) {
        // echo $ex->getMessage();
        // echo $ex->getTraceAsString();
        echo "Attempt to connect to database failed!" . EOL;
        exit();
    }
    return $db;
}

function verify_post_register_params() {
    $username         = $_POST[ "username" ];
    $email            = $_POST[ "email" ];
    $password         = $_POST[ "password" ];
    $confirm_password = $_POST[ "confirm_password" ];

    // if the user left any field blank...
    if ( empty( $username ) || empty( $email ) || empty( $password ) || empty( $confirm_password ) ) {
        echo "Empty field found in form submission!" . EOL;
        echo "Please complete the form." . EOL;
        return false;
    }

    // if the passwords do not exactly match...
    if ( strcmp( $password, $confirm_password ) !== 0 ) {
        echo "Password mismatch!";
        return false;
    }

    $username = filter_var( $username, FILTER_SANITIZE_STRING );
    $email    = filter_var( $email, FILTER_SANITIZE_EMAIL );
    $password = filter_var( $password, FILTER_SANITIZE_STRING );

    if ( $username === false || $email === false || $password === false ) {
        echo "Sanitization failed! Potential attack!!!" . EOL;
        return false;
    }

    if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
        echo "Invalid email address!" . EOL;
        return false;
    }

    $register = array(
        "username" => $username,
        "email"    => $email,
        "password" => $password
    );
    return $register;
}

function user_exists( $db, $username ) {
    $query = $db->prepare( "SELECT username FROM `ditacms`.`members` WHERE username = :username" );
    $query->bindValue( ":username", $username, PDO::PARAM_STR );
    $query->execute();
    $rows = $query->fetchAll( PDO::FETCH_ASSOC );

    // if the rows returned are empty, the user
    // does NOT exist so return false
    if ( empty( $rows ) === true ) {
        return false;
    }
    // if the rows returned are NOT empty, the
    // user DOES exist so return true
    else {
        echo "A user with that username already exists!" . EOL;
        return true;
    }
}

function create_new_user( $db, $username, $email, $password ) {
    echo "Creating new user..." . EOL;
    $insert = $db->prepare( "INSERT INTO `ditacms`.`members` (username, email, password) VALUES(:username, :email, :password)" );

    // hash the submitted password (the original post hashed the
    // still-undefined $hash variable here instead of $password)
    $hash = password_hash( $password, PASSWORD_DEFAULT );

    $insert->bindValue( ":username", $username, PDO::PARAM_STR );
    $insert->bindValue( ":email", $email, PDO::PARAM_STR );
    $insert->bindValue( ":password", $hash, PDO::PARAM_STR );

    if ( $insert->execute() === false ) {
        echo "Insertion failure..." . EOL;
        return false;
    } else {
        echo "Successfully registered new account!" . EOL;
        return true;
    }
}

/*
 * main() loop
 */
echo "<p>Processing user registration request...</p>";

$register = verify_post_register_params();
if ( $register === false ) {
    echo "Bad POST parameters. Exiting script..." . EOL;
} else {
    $db = db_connect();
    // if the user does NOT exist, create one
    if ( user_exists( $db, $register[ "username" ] ) === false ) {
        create_new_user( $db, $register[ "username" ], $register[ "email" ], $register[ "password" ] );
    }
}
?>
<a href="/ditacms.com/register.html">Return to registration page</a>
<br />
<a href="/ditacms.com/">Return to homepage</a>
</body>
</html>
-
I've been doing a lot more research since making this topic and I gotta say, it's scary what people can do O_o I've heard even the MIME type stuff can be faked. I've seen some tips that a good handle on the permission system is a good idea. For example, removing the executable permission. This is for a Linux server, btw. I've also heard that it's best to move uploaded files to something not in the web root and that you should also store the files with a randomly generated name and use a database to map the random name to the "real" name and this way, I can create another script that'll serve the files how I specify. Is there any merit to this?
-
Hey everyone, I'm trying to create a way for users to upload files to the server but I'm kind of a web development noob so I was wondering, does anyone know how to make sure users don't just destroy everything? I've figured I can check the upload extension and use a whitelist to ensure proper extensions (so no PHP file or binary uploads). But aside from basic stuff like checking the file size and extension, what else should I be wary of?
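The measures discussed across the two upload posts above (extension whitelist, server-side content sniffing since the browser's MIME type can be faked, random filename outside the web root, database mapping to the real name, no execute bit, and a separate serving script) put together as an added example; this is not MutantJohn's code, and the upload directory, the `uploads` table and the PDO handle are assumptions:

```php
<?php
// Added example (not MutantJohn's code). Assumptions: a PDO handle $db, a table
// `uploads` (stored_name, original_name, mime) and the directory below, which
// sits outside the web root so nothing in it can be requested directly.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed path, not under the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Extension whitelist paired with the content type each one must sniff as.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

function store_upload(array $file, PDO $db): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                         // not on the whitelist
    }
    // $file['type'] comes from the browser and can say anything; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;                         // extension and content disagree
    }
    // Random server-side name: the user-supplied name never reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                      // owner rw, group r, no execute bit
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name, mime) VALUES (:s, :o, :m)');
    $stmt->execute([':s' => $stored, ':o' => $file['name'], ':m' => $mime]);
    return $stored;
}

// The serving script: resolve the random name through the database, never the URL.
function serve_upload(PDO $db, string $stored): void
{
    if (!preg_match('/^[0-9a-f]{32}\.[a-z0-9]+$/', $stored)) { http_response_code(400); return; }
    $stmt = $db->prepare('SELECT original_name, mime FROM uploads WHERE stored_name = :s');
    $stmt->execute([':s' => $stored]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { http_response_code(404); return; }
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($row['original_name']) . '"');
    readfile(UPLOAD_DIR . '/' . $stored);
}
```

From the form handler this is `store_upload($_FILES['upload'], $db)` for a field named `upload` (assumed), and the download script calls `serve_upload($db, $_GET['f'])` with the random name it handed back.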
-
PHP Newb here. How do I link this text?
MutantJohn replied to jarrodwhitley's topic in PHP Coding Help
Are you not able to just type the anchor tag out manually in your print/echo statements? Like <a href="...
-
scandir() fails for directory names contains spaces (Linux)
MutantJohn replied to MutantJohn's topic in PHP Coding Help
Okay one thing, every time I put "../" anywhere in the URL, the PHP script doesn't seem to get called. For example, if I try /ditacms.com/users/christian/.., the PHP script seems to be ignored and I'm brought back to /ditacms.com/users/christian. Is there a way to prevent that? Because I tried the code you posted and it doesn't seem to be working... It's like the path is resolved by the server before the PHP script is even invoked.
-
scandir() fails for directory names contains spaces (Linux)
MutantJohn replied to MutantJohn's topic in PHP Coding Help
Holy poop, I'm so sorry I didn't see your reply! I'm going to read it very carefully and try to absorb all that info because it looks really legit. Seriously, thank you. I'm such a baby web developer it hurts sometimes.
-
scandir() fails for directory names contains spaces (Linux)
MutantJohn replied to MutantJohn's topic in PHP Coding Help
Ah, yes. I think I just suck at Apache XD Okay, here's the whole shebang : I'm using the basic LAMP stack because I'm stuck in 1974. I have a site in my web server directory. The root folder is ditacms.com. In ditacms.com, I have my-awesome-php-script.php and a .htaccess file that looks like this: DirectoryIndex index.html my-awesome-php-script.php ditacms.com also contains a "users" directory which, guess what, contains a list of user directories and files therein. No other sub-folder of ditacms.com contains an index.html file so instead, the PHP script is called. I'm trying to use this PHP script to generate the index listing. I want one awesome PHP script to handle all the building of the indexes and I only want this file to exist in one place. So I was using REQUEST_URI but it kept giving me this if I were to click a link to the users directory from the home index.html page from the site's root directory : /ditacms.com/users/ (I can't remember if there was a slash at the end or not) PHP kept telling me this directory didn't exist. I think this is because the script is seeing everything from where it's located. So I suck at the rewrite module for Apache so I decided to re-write the URI using PHP and the explode() function. That's why there are 3 items, because it's split twice (the first slash and then second). Using this, I just rewrite the URI to be this instead : ./users This works. And it also works for further nested directories because I've limited the number of explosions. I think this isn't the most elegant but it works.
-
scandir() fails for directory names contains spaces (Linux)
MutantJohn replied to MutantJohn's topic in PHP Coding Help
Oh... Omg. Do I literally fix this with a urldecode() call?
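The REQUEST_URI rewrite and the urldecode() step from this thread, as an added example that is not the thread's own script: the URI is decoded once so names with spaces resolve, then the decoded path is resolved with realpath() and checked to still lie under the users directory, so a "../" or a stray symlink gets a 404 instead of a listing of something else. The URL prefix and the on-disk base directory are assumptions.

```php
<?php
// Added example (not the thread's own script). Assumes the listing script is
// reached for URLs below /ditacms.com/users and that the matching directory on
// disk is ./users next to the script; both are assumptions.
declare(strict_types=1);

function safe_listing_path(string $request_uri, string $url_prefix, string $base_dir): ?string
{
    $path = parse_url($request_uri, PHP_URL_PATH);          // drop any query string
    if (!is_string($path) || strpos($path, $url_prefix) !== 0) {
        return null;                                         // not under the users area
    }
    // Decode once: "%20" becomes the space that made scandir() fail on the raw
    // URI; an encoded ".." becomes a literal one and is handled by the check below.
    $rel  = urldecode(substr($path, strlen($url_prefix)));
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $dir = realpath($base . '/' . $rel);                    // collapses ".", ".." and symlinks
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    // Accept the base itself or a directory strictly inside it; anything else
    // (a "../" that escaped, a symlink pointing elsewhere) is refused outright.
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

function list_directory(string $dir): array
{
    $entries = scandir($dir);
    if ($entries === false) {
        return [];
    }
    return array_values(array_filter($entries, fn ($e) => $e !== '.' && $e !== '..'));
}

// Usage from the index script; every failing branch answers 404 rather than listing the base.
$dir = safe_listing_path($_SERVER['REQUEST_URI'], '/ditacms.com/users', __DIR__ . '/users');
if ($dir === null) {
    http_response_code(404);
    exit;
}
foreach (list_directory($dir) as $entry) {
    echo '<a href="' . rawurlencode($entry) . '/">' . htmlspecialchars($entry) . '</a><br />';
}
```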