MutantJohn

Everything posted by MutantJohn

  1. That's amazing advice O_o Thank you for taking the time to write all of that. That's... really, really awesome! Thank you!
  2. Yeah, it's great to see some code that I can use as a reference. I'm digging some of the approaches and it's changing how I'm coding up my application. I know it's silly to design a login system when there's more sophisticated tools out there but this is a really good learning experience for me.
  3. There's also this : http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
  4. Huh, okay. Cool. This is some really helpful stuff! Also, I'm loving all the HTML5 features you included! This website is going to look so modern now! I can't thank you guys enough!
  5. One thing I really like is how you condensed it all down to just one page. One question though, why are you filtering out the underscores from the username? Is it for security reasons or aesthetic?
  6. Holy crap, dude O_o I'm going to have to take my time and really comb through that. And yeah, I finally caught that error with the password_hash() thing XD Edit : Your PHP is a pleasure to read, actually. Very interesting approach. I dig it. I was also going to save the CSS and JS for the end but thank you for taking the time to draft something up.
  7. Are you sure your PHP matches your command-line SQL? Also, I recommend using PHP's PDO instead of the mysql stuff.
  8. Hey all, I'm writing a small user registration page in MySQL and, of course, PHP. I'm wondering if someone would like to take a look and tell me if there's something obvious I'm missing or something I just did completely wrong. Here are the pages :

     register.html

     <!DOCTYPE html>
     <html>
     <head>
       <title>ditacms User Registration</title>
     </head>
     <body>
       <p>Complete the registration form below</p>
       <form method="post" action="register.php" id="registration_form">
         <label>Username : </label>
         <input type="text" name="username" />
         <br/>
         <label>Email : </label>
         <input type="text" name="email" value="" />
         <br/>
         <label>Password : </label>
         <!-- password fields use type="password" so the browser masks what is typed -->
         <input type="password" name="password" value="" />
         <br/>
         <label>Re-Type Password : </label>
         <input type="password" name="confirm_password" value="" />
         <br/>
       </form>
       <button type="submit" form="registration_form">Register</button>
     </body>
     </html>

     register.php

     <!DOCTYPE html>
     <html>
     <head>
       <title>Registration Processing</title>
     </head>
     <body>
     <?php
     define( "EOL", "<br />\n" );

     // data source name
     define( "DSN", "mysql:host=localhost;dbname=ditacms;charset=utf8" );
     define( "USER", "account_creator" );
     define( "PASSWORD", "UrsaOwnsRoshan" );

     function db_connect() {
         try {
             $db = new PDO( DSN, USER, PASSWORD );
         } catch( PDOException $ex ) {
             // echo $ex->getMessage();
             // echo $ex->getTraceAsString();
             echo "Attempt to connect to database failed!" . EOL;
             exit();
         }
         return $db;
     }

     function verify_post_register_params() {
         // default to "" so a missing field is treated the same as a blank one
         $username = $_POST[ "username" ] ?? "";
         $email = $_POST[ "email" ] ?? "";
         $password = $_POST[ "password" ] ?? "";
         $confirm_password = $_POST[ "confirm_password" ] ?? "";

         // if the user left any field blank...
         if ( empty( $username ) || empty( $email ) || empty( $password ) || empty( $confirm_password ) ) {
             echo "Empty field found in form submission!" . EOL;
             echo "Please complete the form." . EOL;
             return false;
         }

         // if the passwords do not exactly match...
         if ( strcmp( $password, $confirm_password ) !== 0 ) {
             echo "Password mismatch!";
             return false;
         }

         $username = filter_var( $username, FILTER_SANITIZE_STRING );
         $email = filter_var( $email, FILTER_SANITIZE_EMAIL );
         // the password is hashed exactly as typed: running it through a sanitizer
         // would change what password_verify() has to match at login time
         if ( $username === false || $email === false ) {
             echo "Sanitization failed! Potential attack!!!" . EOL;
             return false;
         }

         if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
             echo "Invalid email address!" . EOL;
             return false;
         }

         $register = array(
             "username" => $username,
             "email" => $email,
             "password" => $password
         );
         return $register;
     }

     function user_exists( $db, $username ) {
         $query = $db->prepare( "SELECT username FROM `ditacms`.`members` WHERE username = :username" );
         $query->bindValue( ":username", $username, PDO::PARAM_STR );
         $query->execute();
         $rows = $query->fetchAll( PDO::FETCH_ASSOC );

         // if the rows returned are empty, the user
         // does NOT exist so return false
         if ( empty( $rows ) === true ) {
             return false;
         }
         // if the rows returned are NOT empty, the
         // user DOES exist so return true
         else {
             echo "A user with that username already exists!" . EOL;
             return true;
         }
     }

     function create_new_user( $db, $username, $email, $password ) {
         echo "Creating new user..." . EOL;
         $insert = $db->prepare( "INSERT INTO `ditacms`.`members` (username, email, password) VALUES(:username, :email, :password)" );
         // hash the submitted password (the original hashed the still-unset $hash variable)
         $hash = password_hash( $password, PASSWORD_DEFAULT );
         $insert->bindValue( ":username", $username, PDO::PARAM_STR );
         $insert->bindValue( ":email", $email, PDO::PARAM_STR );
         $insert->bindValue( ":password", $hash, PDO::PARAM_STR );
         if ( $insert->execute() === false ) {
             echo "Insertion failure..." . EOL;
             return false;
         } else {
             echo "Successfully registered new account!" . EOL;
             return true;
         }
     }

     /*
      * main() loop
      */
     echo "<p>Processing user registration request...</p>";
     $register = verify_post_register_params();
     if ( $register === false ) {
         echo "Bad POST parameters. Exiting script..." . EOL;
     } else {
         $db = db_connect();
         // if the user does NOT exist, create one
         if ( user_exists( $db, $register[ "username" ] ) === false ) {
             create_new_user( $db, $register[ "username" ], $register[ "email" ], $register[ "password" ] );
         }
     }
     ?>
     <a href="/ditacms.com/register.html">Return to registration page</a>
     <br />
     <a href="/ditacms.com/">Return to homepage</a>
     </body>
     </html>
  9. I've been doing a lot more research since making this topic and I gotta say, it's scary what people can do O_o I've heard even the MIME type stuff can be faked. I've seen some tips that a good handle on the permission system is a good idea. For example, removing the executable permission. This is for a Linux server, btw. I've also heard that it's best to move uploaded files to something not in the web root and that you should also store the files with a randomly generated name and use a database to map the random name to the "real" name and this way, I can create another script that'll serve the files how I specify. Is there any merit to this?
  10. Hey everyone, I'm trying to create a way for users to upload files to the server but I'm kind of a web development noob so I was wondering, does anyone know how to make sure users don't just destroy everything? I've figured I can check the upload extension and use a whitelist to ensure proper extensions (so no PHP file or binary uploads). But aside from basic stuff like checking the file size and extension, what else should I be wary of?
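An added example (mine, not the poster's or the forum's code) of the handling posts 9 and 10 describe: an extension whitelist cross-checked against the type sniffed from the bytes, storage outside the web root under a random name with the execute bit off, a database mapping, and a script that serves by id. Assumed: UPLOAD_DIR, the whitelist, and an uploads table with id, stored_name, original_name and mime columns.

```php
<?php
// Constructed example, not the poster's code. UPLOAD_DIR, MAX_BYTES, the
// whitelist and the "uploads" table are assumptions for illustration.
const UPLOAD_DIR = '/var/uploads';   // assumed to be outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;
const ALLOWED    = [ 'pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg' ];
// $file is one entry of $_FILES; returns the new row id, or null if rejected
function store_upload( array $file, PDO $db ) {
    // PHP already flags oversize or partial uploads in 'error'; check it first
    if ( ( $file[ 'error' ] ?? UPLOAD_ERR_NO_FILE ) !== UPLOAD_ERR_OK || $file[ 'size' ] > MAX_BYTES ) {
        return null;
    }
    // the extension comes from the client-supplied name, so it is only a first filter...
    $ext = strtolower( pathinfo( $file[ 'name' ], PATHINFO_EXTENSION ) );
    if ( !isset( ALLOWED[ $ext ] ) ) {
        return null;
    }
    // ...the type sniffed from the bytes on disk must agree with it
    $mime = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $file[ 'tmp_name' ] );
    if ( $mime !== ALLOWED[ $ext ] ) {
        return null;
    }
    // random, extension-free name outside the web root: nothing for the server to execute
    $stored = bin2hex( random_bytes( 16 ) );
    $dest   = UPLOAD_DIR . '/' . $stored;
    if ( !move_uploaded_file( $file[ 'tmp_name' ], $dest ) ) {
        return null;
    }
    chmod( $dest, 0640 );   // readable by owner and group, never executable
    // keep the random name -> real name mapping in the database
    $stmt = $db->prepare( 'INSERT INTO uploads (stored_name, original_name, mime) VALUES (?, ?, ?)' );
    $stmt->execute( [ $stored, basename( $file[ 'name' ] ), $mime ] );
    return (int) $db->lastInsertId();
}
// serving script: looks the id up and streams the bytes, so the on-disk path never appears in a URL
function serve_upload( $id, PDO $db ) {
    $stmt = $db->prepare( 'SELECT stored_name, original_name, mime FROM uploads WHERE id = ?' );
    $stmt->execute( [ (int) $id ] );
    $row = $stmt->fetch( PDO::FETCH_ASSOC );
    if ( $row === false ) {
        return false;
    }
    header( 'Content-Type: ' . $row[ 'mime' ] );
    header( 'X-Content-Type-Options: nosniff' );
    // sent as an attachment so the browser downloads it instead of rendering it on the site's origin;
    // rawurlencode() keeps a hostile original name from carrying header or quote characters
    header( "Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode( $row[ 'original_name' ] ) );
    readfile( UPLOAD_DIR . '/' . $row[ 'stored_name' ] );
    return true;
}
```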
  11. Are you not able to just type the anchor tag out manually in your print/echo statements? Like <a href="...
  12. Okay one thing, every time I put "../" anywhere in the URL, the PHP script doesn't seem to get called. For example, if I try /ditacms.com/users/christian/.., the PHP script seems to be ignored and I'm brought back to /ditacms.com/users/christian. Is there a way to prevent that? Because I tried the code you posted and it doesn't seem to be working... It's like the path is resolved by the server before the PHP script is even invoked.
  13. Holy poop, I'm so sorry I didn't see your reply! I'm going to read it very carefully and try to absorb all that info because it looks really legit. Seriously, thank you. I'm such a baby web developer it hurts sometimes.
  14. Ah, yes. I think I just suck at Apache XD Okay, here's the whole shebang : I'm using the basic LAMP stack because I'm stuck in 1974. I have a site in my web server directory. The root folder is ditacms.com. In ditacms.com, I have my-awesome-php-script.php and a .htaccess file that looks like this: DirectoryIndex index.html my-awesome-php-script.php ditacms.com also contains a "users" directory which, guess what, contains a list of user directories and files therein. No other sub-folder of ditacms.com contains an index.html file so instead, the PHP script is called. I'm trying to use this PHP script to generate the index listing. I want one awesome PHP script to handle all the building of the indexes and I only want this file to exist in one place. So I was using REQUEST_URI but it kept giving me this if I were to click a link to the users directory from the home index.html page from the site's root directory : /ditacms.com/users/ (I can't remember if there was a slash at the end or not) PHP kept telling me this directory didn't exist. I think this is because the script is seeing everything from where it's located. So I suck at the rewrite module for Apache so I decided to re-write the URI using PHP and the explode() function. That's why there's 3 items, because it's split twice (the first slash and then second). Using this, I just rewrite the URI to be this instead : ./users This works. And it also works for further nested directories because I've limited the number of explosions. I think this isn't the most elegant but it works.
  15. Oh... Omg. Do I literally fix this with a urldecode() call?
  16. Hey guys, I'm having some trouble creating a small file explorer. I'm designing a site and so far, everything was working very well. But if directory names contain spaces, scandir() fails every time. Here's my current PHP code :

      <html>
      <head>
      <style>
      /* TODO : Add awesome styling here */
      </style>
      </head>
      <body>
      <?php
      $uri = $_SERVER[ "REQUEST_URI" ];

      // Begin sanitation of the URI because I suck at Apache's
      // rewrite module. I guess this is more server agnostic, in
      // that sense
      $num_items = 3;
      $split_uri = explode( "/", $uri, $num_items );
      $uri = "./" . $split_uri[ $num_items - 1 ];
      // var_dump( $uri );

      // now, loop through directory and build table contents...
      $files = scandir( $uri );
      if ( $files === false ) {
          echo "Requested URI could not be converted into a valid directory name" . PHP_EOL;
          return;
      }

      // Use DOMDocument because I think it's cleaner, more modular and overall
      // more maintainable than just raw echo calls
      $dom = new DOMDocument();
      $table = $dom->createElement( "table" );
      $tbody = $dom->createElement( "tbody" );
      foreach ( $files as $file ) {
          if ( $file == "." || $file == ".." ) {
              continue;
          }
          $row = $dom->createElement( "tr" );
          $cols = array(
              "name" => $dom->createElement( "td" ),
              "size" => $dom->createElement( "td" )
          );
          if ( is_dir( $uri . $file ) === true ) {
              $a = $dom->createElement( "a", $file );
              $a->setAttribute( "href", $file );
              $cols[ "name" ]->appendChild( $a );
          } else {
              $cols[ "name" ]->nodeValue = $file;
              $filesize = filesize( $uri . $file );
              if ( $filesize !== false ) {
                  $cols[ "size" ]->nodeValue = $filesize . " bytes";
              } else {
                  echo "An error occurred while trying to read filesize" . PHP_EOL;
              }
          }
          foreach ( $cols as $col ) {
              $row->appendChild( $col );
          }
          $tbody->appendChild( $row );
      }
      $table->appendChild( $tbody );
      $dom->appendChild( $table );
      $dom->formatOutput = true;
      echo $dom->saveHTML();
      ?>
      </body>
      </html>

      Basically, I'm using a .htaccess file in the site's root directory to handle all directory requests made by users exploring their files. So that may be why the design is "weird".
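An added example, not the poster's code, for the spaces problem in post 16 and the "../" question in post 12: the request path is decoded before use and the result must resolve inside the site root before scandir() is called. Using __DIR__ as the site root, and the "/ditacms.com/..." prefix split, are assumptions taken from the posts.

```php
<?php
// Constructed example, not the poster's code: maps REQUEST_URI to a directory with
// the same explode() split as above, but decodes %20 first and rejects any result
// that resolves outside the site root. $site_root is an assumption.
function resolve_listing_dir( $request_uri, $site_root ) {
    $base = realpath( $site_root );
    if ( $base === false ) {
        return null;
    }
    // drop any ?query, then decode %20 and friends: this is the urldecode() step
    $path = rawurldecode( (string) parse_url( $request_uri, PHP_URL_PATH ) );
    // same split as the original: "/ditacms.com/users/my dir" -> "users/my dir"
    $parts = explode( "/", $path, 3 );
    $rel   = isset( $parts[ 2 ] ) ? $parts[ 2 ] : "";
    // realpath() collapses "." and ".." (including a %2e%2e the server never
    // normalised) and follows symlinks, so the prefix check below is meaningful
    $dir = realpath( $base . DIRECTORY_SEPARATOR . $rel );
    if ( $dir === false || !is_dir( $dir ) ) {
        return null;
    }
    if ( $dir !== $base && strpos( $dir, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;   // escaped the root via ../ or a symlink
    }
    return $dir;
}

// usage: the listing script lives in the site root, so __DIR__ is the base
$dir = resolve_listing_dir( $_SERVER[ "REQUEST_URI" ], __DIR__ );
if ( $dir === null ) {
    http_response_code( 404 );
    exit( "Requested URI could not be converted into a valid directory name" );
}
foreach ( scandir( $dir ) as $file ) {
    if ( $file === "." || $file === ".." ) {
        continue;
    }
    $full = $dir . DIRECTORY_SEPARATOR . $file;   // always join with a separator
    // escape on output so a file called "a<b&c" cannot inject markup into the page
    echo htmlspecialchars( $file, ENT_QUOTES ), "\t",
         is_dir( $full ) ? "dir" : filesize( $full ) . " bytes", "\n";
}
```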
  17. Not gonna lie, I normally only really post on the C programming board but, man, you guys are awesome! I'm really digging the quality of these forums. Thanks, everyone! I'm probably going to be posting a bit more in the future.
  18. Hmm.. Fair enough. I guess it would be kind of easier to just write out the HTML lol XD So, is there ever a good usage for the DOM stuff? Eh, I guess it'd be good to use if I'm attempting to traverse the DOM or an XML doc.
  19. Interesting... Is using DOM frowned upon by the PHP community? I'm honestly asking as I'm kind of PHP noob. Or is it just not what I actually need in this case (i.e. I'm not fully utilizing the potential of the DOM object)?
  20. Interesting... I'm reading up on glob() now and it seems like scandir() might be more appropriate. Hold on, I'm going to go back to this and see if I can't come up with some illustrative code!
  21. I figured DOM was the most "proper" way of building HTML. It seems very similar in syntax to JavaScript and things like jsoup. And AJAX is more conditional. My fear is that a user will select a directory with an amazingly complex structure underneath. Imagine something in the tens of GB worth of files and directories. I'm scared that if I use PHP to recreate the entire structure and convert it to HTML, the process will be slow. So I figured AJAX would be an awesome way of allowing a user to navigate this huge file structure while being performant, i.e. the server only generates the structure HTML upon user request. This way I could avoid the potentially huge costs of generating the entire file structure HTML. I like your idea about the anchor tags though.
  22. Hey everyone, So, I'm trying to use PHP to create a file explorer. The gist is, given a target home directory for a user, I want to generate a list of the contents. I want directories to be "click-able" in the sense that if you click on a directory entry, it'll expand/collapse its contents. It should look like this :

      - file0
      - file1
      - file2
      - dir0 (clickable)
        - subfile0
        - subfile1
        - subfile2

      My idea to do this was to use an unordered list with checkboxes for each directory entry. I would then use JS to add event listeners to each checkbox which makes a XMLHttpRequest to an appropriate PHP file which then echoes back the appropriate HTML and the JS then receives that info and appends it to the page. This way, the user can explore their entire filesystem and the server doesn't kill itself trying to recursively search the entire directory (imagine if a user had like 50,000 files or something) to generate the list. Actually, is PHP fast enough that I don't even have to worry about this? By this I mean, building the entire file list first, formatting it as HTML and then echo'ing it back? If it is, awesome! If not, I'm curious why my input tags keep lacking text content! Here's the code :

      <!DOCTYPE html>
      <html>
      <body>
      <?php
      // grab the user's home directory
      $home = "dita-ot/dita-ot-2.1.0/samples/";

      // loop contents and write to page
      if ( is_dir( $home ) ) {
          if ( $dh = opendir( $home ) ) {
              $dom = new DOMDocument( "1.0" );
              $form = $dom->createElement( "form" );
              $ul = $dom->createElement( "ul" );
              /* http://php.net/manual/en/function.readdir.php */
              /* This is the correct way to loop over the directory. */
              while ( false !== ( $entry = readdir( $dh ) ) ) {
                  if ( $entry == "." || $entry == ".." ) continue;
                  $li = $dom->createElement( "li" );
                  if ( is_dir( $home . $entry ) ) {
                      $input = $dom->createElement( "input", $entry );
                      $input_type = $dom->createAttribute( "type" );
                      $input_type->value = "checkbox";
                      $input->appendChild( $input_type );
                      // this is where the problem is
                      // why is there no inner text content?
                      $li->appendChild( $input );
                  } else {
                      $li->nodeValue = $entry;
                  }
                  $ul->appendChild( $li );
              }
              $form->appendChild( $ul );
              $dom->appendChild( $form );
              echo $dom->saveHTML();
              closedir( $dh );
          }
      }
      ?>
      </body>
      </html>
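An added example, not the poster's code, for the empty checkbox in post 22: <input> is a void element, so DOMDocument drops whatever text is passed to createElement( "input", ... ); the entry name goes in a text node inside a <label> beside the checkbox, and createTextNode() (unlike the second argument of createElement(), which PHP does not escape) keeps names containing & or < from turning into markup. The $home path is the one from the post.

```php
<?php
// Constructed example, not the poster's code. Builds the same <form><ul> listing,
// but with a <label> wrapping each checkbox and a text node for the visible name.
function build_listing( $home ) {
    $dom  = new DOMDocument( "1.0" );
    $form = $dom->createElement( "form" );
    $ul   = $dom->createElement( "ul" );
    foreach ( scandir( $home ) as $entry ) {
        if ( $entry === "." || $entry === ".." ) {
            continue;
        }
        $li = $dom->createElement( "li" );
        if ( is_dir( $home . $entry ) ) {
            $label = $dom->createElement( "label" );
            $input = $dom->createElement( "input" );       // void element: no children
            $input->setAttribute( "type", "checkbox" );
            $input->setAttribute( "name", "dir[]" );
            $input->setAttribute( "value", $entry );       // attribute values are escaped on output
            $label->appendChild( $input );
            $label->appendChild( $dom->createTextNode( $entry ) );   // the visible, escaped text
            $li->appendChild( $label );
        } else {
            $li->appendChild( $dom->createTextNode( $entry ) );
        }
        $ul->appendChild( $li );
    }
    $form->appendChild( $ul );
    $dom->appendChild( $form );
    $dom->formatOutput = true;
    return $dom->saveHTML();
}

// usage with the directory from the post
echo build_listing( "dita-ot/dita-ot-2.1.0/samples/" );
```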
  23. Holy poop! It actually works! This is amazing!!! Thank you so much, you guys!
  24. Heck if I know. That's kind of how the link I followed did it. In the sample code posted at http://blog.markturansky.com/archives/205 the author used $this->curl_post_async("http://127.0.0.1/sq/scratch/longone", $params); so I assumed I was supposed to use something similar. I get that the first part is my localhost IP and then I assume sq and scratch were directories and then longone matched the function declared in the class.
  25. This is my directory info :

      $ ls -l
      total 16
      -rw-rw-rw- 1 www-data www-data  2429 Jan 23 15:33 async.php
      -rw-r--r-- 1 www-data www-data     0 Jan 23 14:49 data.txt
      -rw-r--r-- 1 www-data www-data 11510 Jan 23 14:04 index.html

      This is all done on the localhost, btw, which for me on Ubuntu is /var/www/html