moose-en-a-gant

Everything posted by moose-en-a-gant

  1. Alright. Well thank you very much for your help. And the further explanation.
  2. Yeah I'm aware that I have some uhh... what's the word... lingering? code like the repco which is one of my first website projects that someone outlined for me the basics of a php form submit page on coding forums
  3. Haha the title

     So I created a simple username database comparison to see if a username is already registered, this works in one website but not in the one I'm working on now. They have different databases and the logins work, I have inserted data into the second website which I'm having problems with. So this is website one which works. I am told not to do multiple logins, yes I agree, however when I tried to only do one at the moment it does not work, not sure why.

     ```php
     $servername = " ";
     $username = " ";
     $password = " ";
     $dbname = " ";
     $link = new mysqli($servername, $username, $password, $dbname);

     if ($_SERVER['REQUEST_METHOD'] == 'POST') {
         $errors = array();

         // The connection is passed in: a function cannot see the outer $link,
         // which is why a second connection was being opened inside it.
         function test(mysqli $link) {
             $test = test_input($_POST['userrname']); // test_input() is defined earlier in the file
             $stmt = $link->prepare('SELECT DISTINCT username FROM User WHERE username=?');
             if ($stmt === false) {
                 die('prepare failed: ' . $link->error); // the MySQL error is shown instead of a blank page
             }
             $stmt->bind_param('s', $test);
             $found = null;
             if ($stmt->execute()) {
                 // This variable ($username_from_db) will hold the result from the database.
                 $stmt->bind_result($username_from_db);
                 if ($stmt->fetch()) {
                     $found = $username_from_db;
                 }
             }
             $stmt->close(); // release the result so the connection can run the INSERT later
             return $found;
         }

         $value = test($link);
         if (empty($_POST['userrname'])) {
             $errors['username'] = "A username is required";
         } else if (!empty($value)) {
             $errors['username'] = "Username already exists";
         } else {
             $userrname = test_input($_POST['userrname']);
         }
         // ... insert statement farther down, not shown
     }
     ```

     Here is the second website

     ```php
     $servername = " ";
     $username = " ";
     $password = " ";
     $dbname = " ";
     $link2 = new mysqli($servername, $username, $password, $dbname);

     if ($_SERVER['REQUEST_METHOD'] == 'POST') {
         $errors = array();

         function test(mysqli $link) {
             $test = test_input($_POST['userrname']);
             $stmt = $link->prepare('SELECT DISTINCT username FROM Users WHERE username=?');
             if ($stmt === false) {
                 die('prepare failed: ' . $link->error); // unknown table/column etc. is printed instead of a blank page
             }
             $stmt->bind_param('s', $test);
             $found = null;
             if ($stmt->execute()) {
                 // This variable ($username_from_db) will hold the result from the database.
                 $stmt->bind_result($username_from_db);
                 if ($stmt->fetch()) {
                     $found = $username_from_db;
                 }
             }
             $stmt->close(); // was placed after "return" before, so it never ran
             return $found;
         }

         $value = test($link2);
         if (empty($_POST['userrname'])) {
             $errors['userrname'] = "A username is required" . '<br>';
             $errors['userrname-n'] = "*";
         } else if (!empty($value)) {
             $errors['userrname'] = "Username already exists" . '<br>';
             $errors['userrname-n'] = "*";
         } else {
             $userrname = test_input($_POST['userrname']);
         }
         // ... insert statement farther down, not shown
     }
     ```

     Just to clarify the problem, on website two when I first visit it, the page loads, if I don't fill in anything and press submit, the page is blank, no database inserts, I look around and the problem is the $stmt->execute, when I remove this, the page redirects, data is inserted however fields being blank of course in the database. There is an insert statement farther down not shown here which utilizes the server login information above post.

     So I'm not sure what is going on, I do a variable dump on $stmt->execute() (not the whole thing just $stmt) and the array output says object, but that's pretty much it, nothing really useful (to me anyway). So I'm curious why the blank page. I realize too the logic of the code, if there are no entries, and no username to check, is an "empty value recorded" which even with that "mystery" <- dumb, it still works because the first website uses this and it works. I even add an else statement that sets $test as null which I read is equivalent to empty, but the whole page stops at $stmt->execute, so why is that? I imagine it has to do with the server connection not working, if I remove $stmt->execute, the entire page does its thing, partially complete data is inserted. So what do you guys think is the problem?
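The same username-availability check written the way the replies in the thread ask for, as an added example (not the poster's code): one mysqli connection shared by the whole request, mysqli errors turned into exceptions so a failing prepare() or execute() produces a readable message instead of a blank page, and the statement's result buffered and closed so the connection is free for the INSERT that follows. The table and column names (User, username) are taken from the post; the credentials, the db() helper and the username rule are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+, a User table with a
// username column (from the post) and placeholder credentials.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw mysqli_sql_exception on any failure

/** One connection per request, reused by every query; never open a second one per function. */
function db(): mysqli {
    static $link = null;
    if ($link === null) {
        $link = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // placeholders
        $link->set_charset('utf8mb4');
    }
    return $link;
}

/** True if a row with exactly this username exists. */
function username_exists(mysqli $link, string $username): bool {
    $stmt = $link->prepare('SELECT 1 FROM User WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();        // buffer the rows so the connection is not left "busy"
    $exists = $stmt->num_rows > 0;
    $stmt->close();               // always close, whether or not a row was found
    return $exists;
}

/** Validation for the registration form; returns an errors array keyed by field (empty = OK). */
function validate_registration(array $post, mysqli $link): array {
    $errors = [];
    $username = trim($post['userrname'] ?? ''); // field name as used in the post
    if ($username === '') {
        $errors['username'] = 'A username is required';
    } elseif (!preg_match('/^[A-Za-z0-9_]{3,30}$/', $username)) { // assumed username rule
        $errors['username'] = 'Use 3-30 letters, digits or underscores';
    } elseif (username_exists($link, $username)) {
        $errors['username'] = 'Username already exists';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $errors = validate_registration($_POST, db());
    } catch (mysqli_sql_exception $e) {
        error_log('registration query failed: ' . $e->getMessage()); // full detail stays in the server log
        $errors = ['general' => 'Temporary problem, please try again']; // generic message for the browser
    }
    // the INSERT further down runs only when $errors is empty, on the same db() connection
}
```

With MYSQLI_REPORT_STRICT a wrong table name, a bad column or a lost connection surfaces as an exception with the server's message in the log, which is the information the var_dump of $stmt could not give.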
  4. I'd like to implement that from here on out. Just as a refresher, to do that what would I do? Query the database for the information, pass it through the escape function and then output that? Is that enough or ? XSS is a real acronym? cross-site scripting, hmm nice
  5. I haven't worked with sockets yet, it is next on my list as in later today or tomorrow. I don't know much, I've just read about sockets on wikipedia, socket io Anyway, my current application or intention of sockets is live messaging, eg. refresh upon post, no polling, no refresh required. I have no idea how to implement this, C is the language I found on wikipedia. If anyone has a bit of information to tell me I'd appreciate it. Like how to implement it with the apache server, end points, initializing, unique id's etc...
  6. I don't get this Can you state a circumstance that would require this? I think I have one in mind from another thread of mine, or post somewhere, displaying photos only showing photos from server even if bad code got through
  7. HA! I dun see what you dun did dar <- WHY? Thanks for your humor and response. I know what you're saying, appositives? Something about English.
  8. I've heard this a lot. (Then why haven't you listened?) because I don't know... it's my Go To place to learn I guess. The test_input was primarily for "injection" which I realize parameter binding, but I thought it was a standard to "modify" input for potential harmful code I will be looking into the "...allow(filtered)HTML..." in the future Thanks for your responses and your time
  9. I'm working on a dating website for tablets, pretty simple stuff, mostly the purpose on my end aside from hoping to make money from traffic / photos is learning about sockets, dragging and in this case automatic payment system. The ideal plan is that a person is limited to their verification photo and a free photo file upload (fake women haha), and then for just a meager price of $0.20 each, an extra photo slot. Ideally they are not limited to how many photos they can post hence I created a table of just photos with a username, then incrementing number of photos. Anyway, the plan is (despite how absurd it might seem), the person buys a photo slot, which they can freely modify, it's just a photo slot, for $0.20 and this is done through paypal and their credit card information is "stored" (yeah sketchy) for future purchase convenience. I'm just looking for some input about this, you don't have to write the code, I haven't gotten to this part yet but if anyone has experience with automatic payment system and php/sql database cause-and-effect sort of automation... If this thread is deleted I'll understand. I did say absurd like "Who is going to buy a photo slot?" but it's not about that, the site isn't about "how many photos" you have or "profiles" really it's a lazy dating site, just skip, skip, skip, ooohhh, message, sort of thing and additionally if a person is so inclined, sees that there are more photos of this person... I think it's a pretty good idea having a mandatory selfie that people have to take to prove they are not a bot. This is also useful for people to "verify" this person, so they see the mandatory photo selfie then compare it to the uploaded photos which may have obviously been altered. Yeah it doesn't sound like a sound "business plan" like who wants to "be themselves" but as I said, it is primarily a learning experience on my part. And an excuse to use my tablet that I recently purchased.
  10. I did an array cost test on my old server and this was the result, I upped cores and ram so maybe I have a higher cost, will need to do the test again. This is the script, I picked it up from somewhere, this also says 9 for my current server which has 4 cores, 8 GB of RAM, it's a VPS

      ```php
      <?php
      /**
       * This code will benchmark your server to determine how high of a cost you can
       * afford. You want to set the highest cost that you can without slowing down
       * you server too much. 8-10 is a good baseline, and more is good if your servers
       * are fast enough. The code below aims for ≤ 50 milliseconds stretching time,
       * which is a good baseline for systems handling interactive logins.
       */
      require_once('password_compat-master/lib/password.php');

      $timeTarget = 0.05; // 50 milliseconds
      $cost = 8;
      do {
          $cost++;
          $start = microtime(true);
          password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
          $end = microtime(true);
      } while (($end - $start) < $timeTarget);

      echo "Appropriate Cost Found: " . $cost . "\n";
      ?>
      ```

      I didn't intend to modify their password, it was a mistake I carried over, something I overlooked as I just assumed <- first mistake, that every input should be passed through the function test_input which is something I picked up from W3Schools. Quick talked to me about this, too about the test_input function. Thanks for your response and your time. I added the require_once because password_hash seems to have been deprecated last time I worked with it and again I carried this over once I got it to work.
  11. I wonder if that explains why my hashed values are so short... well I didn't modify those but... hmm I don't get it here's an example password reset code I generated using these lines of code

      ```php
      $reset = rand().rand().rand(5, 15);
      $prc = password_hash($reset, PASSWORD_BCRYPT, array("cost"=>9));
      ```

      which generates something like this

      ```
      $2y$09$D.47EPRqwcUEgKJnAWkl6.o76kDqdFtotog649T6II3I73MDVRUQy
      ```

      even a password isn't that long is that normal? or is it the array("cost"=>9)) ? Man thank you, haha jesus what a major save you have just given me wow "Do you understand the gravity of your situation?" says John Goodman
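The two posts above (the cost benchmark and the "why is the hash so short" question) are covered by this added example, which is not code from the thread: it splits a bcrypt string from password_hash() into its fields to show where the fixed 60-character length comes from, replaces the rand()-based reset code with a CSPRNG one, and shows how a stored hash is upgraded at login once the benchmark recommends a higher cost. The User.hash column name follows the thread; the target cost of 10 and the sample password are assumptions. It needs PHP 7.1 or later for the nullable return type and random_bytes().

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 7.1.

/** Split a "$2y$NN$..." bcrypt string into its fields; returns null if it is not bcrypt. */
function bcrypt_parts(string $hash): ?array {
    if (!preg_match('#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        return null;
    }
    return [
        'algo'   => $m[1],
        'cost'   => (int) $m[2],   // 2^cost rounds; "09" is the array("cost"=>9) from the post
        'salt'   => $m[3],         // 22 chars (128 bits) chosen by password_hash() each time
        'digest' => $m[4],         // 31 chars: the bcrypt output itself
        'length' => strlen($hash), // 7 + 22 + 31 = 60 for every password, short or long
    ];
}

/** Reset code that cannot be predicted: rand() is not a CSPRNG, random_bytes() is. */
function new_reset_code(): string {
    return bin2hex(random_bytes(16)); // 32 hex characters, 128 bits of entropy
}

/**
 * Login check that keeps hashes current: verify, then re-hash if the stored hash
 * uses a lower cost than the benchmark now recommends. Returns ['ok' => bool, 'new_hash' => ?string];
 * when new_hash is set, write it back to User.hash for that user.
 */
function check_login(string $password, string $stored_hash, int $target_cost): array {
    if (!password_verify($password, $stored_hash)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $new_hash = null;
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => $target_cost])) {
        $new_hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $target_cost]);
    }
    return ['ok' => true, 'new_hash' => $new_hash];
}

// Demonstration with a constructed password and the cost 9 used in the thread.
$stored = password_hash('correct horse battery staple!', PASSWORD_BCRYPT, ['cost' => 9]);
print_r(bcrypt_parts($stored));
print_r(check_login('correct horse battery staple!', $stored, 10)); // verified, plus a cost-10 replacement
print_r(check_login('wrong password', $stored, 10));                // rejected, nothing to store
echo new_reset_code(), "\n";
```

The 60-character output is the same whether the input is a 6-character reset code or a 50-character passphrase, so the length of the stored value says nothing about the password; the cost field is what changes when the benchmark from the previous post returns a higher number.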
  12. Man that was huge, thanks for that whew... haha (dumb look) hahahaha Jesus, this could have perpetuated through all of my future websites, thank you very much.
  13. > Here's a huge question. Why are you modifying a user's password? You should NEVER ever modify a user's input password. What if they use special characters to make their password stronger? You're making a secure future like bcrypt less secure by not allowing users to use special characters.

      Where do you see that? The test_input function? I see your point, but I have used a password... ahhh so when I use one with an exclamation point, it doesn't store the exclamation point and removes it... duly noted so don't check the password part at all then? Just take it as is? What about a username or anything else in general should I still apply stuff like strtolower and the rest of the test_input function :

      ```php
      $data = trim($data);
      $data = stripslashes($data);
      $data = htmlspecialchars($data);
      ```
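What "take it as is" looks like in practice, as an added example that is not code from the thread: the password is hashed exactly as typed, other fields go into the database through bound parameters without stripslashes() or htmlspecialchars() (stripslashes only ever made sense with magic_quotes, which PHP 5.4 removed), and escaping happens once, at output time, which is also the answer to the earlier question about displaying data from the database. The User table follows the thread; the bio column, the h() helper and the eight-character minimum are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and a User(username, hash, bio) table,
// of which only User and hash come from the thread.

/** Escape text for an HTML body or attribute. This is the only place escaping happens. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Why running a password through test_input() breaks logins: the hash is made from the
 * escaped string, so verifying the password the user actually types fails whenever it
 * contains one of & < > " '.
 */
function mangling_breaks_login(string $typed): bool {
    $mangled_hash = password_hash(htmlspecialchars($typed), PASSWORD_BCRYPT, ['cost' => 9]);
    return password_verify($typed, $mangled_hash);
}

/** Registration: validate, hash the password as typed, store raw text with a prepared statement. */
function register(mysqli $link, string $username, string $password, string $bio): void {
    $username = trim($username);                      // trimming a username is fine; escaping it is not
    if (strlen($password) < 8) {                      // assumed minimum; no other changes to the password
        throw new InvalidArgumentException('password too short');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 9]);
    $stmt = $link->prepare('INSERT INTO User (username, hash, bio) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $hash, $bio); // bound parameters handle quotes; no stripslashes needed
    $stmt->execute();
    $stmt->close();
}

/** Rendering: the raw bio is escaped here, so any markup a user typed is shown as text. */
function render_profile(array $row): string {
    return '<h2>' . h($row['username']) . '</h2>'
         . '<p class="bio">' . nl2br(h($row['bio'])) . '</p>';
}

// Demonstration with constructed data; register() needs a real $link and is not called here.
var_dump(mangling_breaks_login('P@ss"word&co'));
echo render_profile([
    'username' => 'alice',
    'bio'      => "I <3 PHP & \"quotes\"\n<script>alert(1)</script>",
]), "\n";
```

The split is: validate on input (length, allowed characters for a username), parameterise on the way into the database, escape on the way into HTML. strtolower() on a username is a product decision rather than a security one and is harmless either way; on a password it is the same mistake as htmlspecialchars().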
  14. Yet another can of worms has been opened haha. Great suggestion / advice, I'll need to look into this.
  15. It would be cool if when you hover over someone's thread a brief popup window appears showing a snippet of what is inside so a person can easily decide whether or not to click on a thread, I realize that could lower the potential "clicks" which in turn would lower the potential revenue from ads but...
  16. I'm talking like /uploads at the main folder where index.php or index.html goes These photos theoretically are meant to be publicly viewed anyway so what is bad about that? Let's say profile pictures. I mean couldn't anyone scrape facebook and "steal" profile pictures? I don't know why but I'm just wondering.
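The concern with /uploads next to index.php is not that the photos are visible, it is that anything that lands in the web root is served by the web server directly, with whatever name and type the uploader chose. The added example below (not code from the thread) keeps uploaded photos outside the document root under a server-chosen name and hands them out through a script with a fixed content type, so a file that is not really an image cannot execute or be served as HTML. UPLOAD_DIR, the size limit and the form field name "photo" are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and a directory outside the web root.

const UPLOAD_DIR = '/var/www/private_uploads'; // placeholder; must not be under the document root
const MAX_BYTES  = 5 * 1024 * 1024;            // assumed limit

/** Validate and store one upload; returns the server-side file name to record with the owner's username. */
function store_photo(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The type is decided from the bytes, never from the client's file name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ['image/jpeg' => 'jpg', 'image/png' => 'png'][$mime] ?? null;
    if ($ext === null || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a JPEG or PNG image');
    }
    // Random name: nothing user-controlled ends up in the path, and stored files cannot be guessed.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not move upload');
    }
    return $name;
}

/** serve.php?f=<name>: stream a stored photo with a content type we decide. */
function serve_photo(string $name): void {
    // Only names we generated are accepted, so "../" and friends never reach the filesystem.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png)$/', $name, $m)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ($m[1] === 'png' ? 'image/png' : 'image/jpeg'));
    header('X-Content-Type-Options: nosniff');   // browsers must not second-guess the type
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (isset($_GET['f'])) {
    serve_photo($_GET['f']);
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    echo 'stored as ', store_photo($_FILES['photo']);
}
```

Profile pictures can still be public: the <img> tag simply points at serve.php?f=... instead of /uploads/.... If the files do have to stay under the web root, the same two properties (no script execution in that directory, content type chosen by the server) have to come from the web server configuration instead.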
  17. I don't know what this means : $link->error Is that literal, like type that in or var_dump($stmt); or what? By "doesn't work" I mean it does not connect to the database so the query fails, hence I open a new one and then it works, the query is fine and updates the hash by the password reset code
  18. Quick helped me with the file upload, using the "browse file" eg. input type="file" method, what I'm looking for is the webcam access which I got to work with a Windows 8.1 Tablet I'll have to look into this more, god things all over the place
  19. Yeah I have to learn more about ajax / jquery, I only briefly read about 3 - 5 pages on w3schools Thanks for your guys' responses
  20. If I only use one, it doesn't work, the $stmt2 is false I'm not saying this is correct, I'm using it because it works. This is not one of my "top projects" and I realize that great things are built from the basic building blocks so... if the building blocks are shit then the bigger project is shit. The answer to your question, I am not doing it the best way, I did that because it worked. Quick helped me with setting up dbcon.php which has the server name, username, etc... and that worked but I think I only used it once...
  21. Well the problem is the link I know repetition is bad, I am not happy being half ass, this works though but I don't intend to keep this habit of half ass, I guess it's one of those things that follows you from when you're younger... don't have to try hard, put in less effort, then things start to get more challenging, more important, and you still half ass... god how many drone platforms have I destroyed because of my half ass soldering, or finding random points on the circuit board to attach an antenna to only to laugh at my own stupidity as the aircraft loses control and crashes... a simple $20.00 fix becomes $500.00 anyway this is the code as is, just the top php it is a mess

      ```php
      <?php
      session_start();
      mysqli_report(MYSQLI_REPORT_OFF);
      error_reporting(-1);
      ini_set('display_errors', TRUE);
      require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'password_compat-master/lib/password.php');

      function test_input($data) {
          $data = trim($data);
          $data = stripslashes($data);
          $data = htmlspecialchars($data);
          return $data;
      }

      $servername = " ";
      $username = " ";
      $password = " ";
      $dbname = " ";
      $link = new mysqli($servername, $username, $password, $dbname);

      if ($_SERVER['REQUEST_METHOD'] == 'POST') {
          $errors = array();
          if (empty($_POST['resetcode'])) {
              $errors['resetcode'] = "error";
          } else {
              $resetcode = test_input($_POST['resetcode']);
          }
          if (empty($_POST['newpassword'])) {
              $errors['newpassword'] = "error";
          } else {
              $newpassword = $_POST['newpassword']; // hash the password as typed; test_input() would alter it
          }
          if (empty($errors)) {
              $hash = password_hash($newpassword, PASSWORD_BCRYPT, array("cost" => 9));
              $stmt = $link->prepare('SELECT username FROM User WHERE prc=?');
              $stmt->bind_param('s', $resetcode);
              if ($stmt->execute()) {
                  $stmt->bind_result($username_from_db);
                  if ($stmt->fetch()) {
                      $_SESSION['user'] = $username_from_db;
                      // Close the SELECT first: while its result is still pending the same
                      // connection cannot prepare another statement, which is what made
                      // $stmt2 come back false when a single $link was used.
                      $stmt->close();
                      $stmt2 = $link->prepare('UPDATE User SET hash=? WHERE prc=?');
                      $stmt2->bind_param('ss', $hash, $resetcode);
                      if ($stmt2->execute()) {
                          $stmt2->close();
                          $link->close(); // close before exit; code after exit never runs
                          $host = $_SERVER['HTTP_HOST'];
                          $uri = $_SERVER['REQUEST_URI']; // the path/file?query string of the page
                          header("Location: http://parsemebro.com/userpanel.php");
                          exit;
                      }
                  }
              }
          }
      }
      ?>
      ```
  22. Yeah I deleted that one, I made two different versions the lazy one and the correct one eg. using the prc <- password reset code that I randomly generated and stored per user which I email to them upon the account creation. My friend asked me if he could reset his password, obviously a feature I intended to implement but have not gotten to. So, not doing the email version anymore, do something like reset my password, they enter their user name and prc code, if this matches any rows in the database, ask them for new password.
  23. Thanks, the random indenting is because I have been using random editors, Kate, Bluefish, Cpanel... so yeah... sort of a "fix, look, works?, no, fix, look, works? ..." thing I did do a var_dump in the past and it did return false. I'm going to look at this more. Thanks for your help and the great advice.
  24. Oh man this is still not working... I'll have to work on this, I'm like retardedly side tracked... working on so many things. This seems really simple I don't know what I'm overlooking besides not actually "learning" anything, it's a good thing I'm going to build the rapid website prototyper that has all of these things pre-written hehe, once I figure it out haha.

      ```php
      if (empty($errors)) {
          $userrname = test_input($_POST['userrname']);
          $email = test_input($_POST['email']);
          $newpassword = $_POST['newpassword']; // hash the password exactly as typed
          $hash = password_hash($newpassword, PASSWORD_BCRYPT, array("cost" => 9));
          $stmt = $link->prepare("SELECT username,hash FROM User WHERE username=? AND email=?");
          $stmt->bind_param("ss", $userrname, $email);
          if ($stmt->execute()) {
              $stmt->bind_result($username_from_db, $hash_from_db);
              $matched = $stmt->fetch();
              $stmt->close(); // free the SELECT before running anything else on $link
              if ($matched) {
                  $_SESSION['user'] = $username_from_db;
                  // Prepared UPDATE instead of interpolating $hash and $email into the SQL string
                  $stmt2 = $link->prepare("UPDATE User SET hash=? WHERE email=? AND username=?");
                  $stmt2->bind_param("sss", $hash, $email, $username_from_db);
                  if ($stmt2->execute()) {
                      $_SESSION['status_message'] = "Password has been reset";
                  }
                  $stmt2->close();
                  $link->close(); // close before exit; code after exit never runs
                  $host = $_SERVER['HTTP_HOST'];
                  $uri = $_SERVER['REQUEST_URI']; // the path/file?query string of the page
                  header("Location: http://www.parsemebro.com/userpanel.php");
                  exit;
              } else {
                  echo "no good"; // once output is sent, a header("Location: ...") can no longer redirect
              }
          }
      }
      ```

      This current setup, the hash update is bypassed, redirected to userpanel
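The reset flow from posts 21 and 24 done on a single connection, as an added example that is not code from the thread: the reset code is generated with a CSPRNG, only its hash is stored (with an expiry), each statement is closed before the next one is prepared on the same $link, the code is compared in constant time, and the new password is hashed as typed. The User table, the hash column and the field names resetcode/newpassword come from the posts; the prc_hash and prc_expires columns, the one-hour lifetime and the credentials are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and a User table with columns
// username, hash (from the thread) plus prc_hash VARCHAR(64) and prc_expires INT (assumed).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
const RESET_TTL   = 3600; // assumed: a reset code is valid for one hour
const BCRYPT_COST = 9;    // the cost the thread settled on

/** Step 1: create a reset code, store only its hash, return the plaintext to give to the user. */
function issue_reset_code(mysqli $link, string $username): string {
    $code      = bin2hex(random_bytes(16));  // 128 bits from a CSPRNG, unlike rand()
    $code_hash = hash('sha256', $code);      // a leaked table does not leak usable codes
    $expires   = time() + RESET_TTL;
    $stmt = $link->prepare('UPDATE User SET prc_hash = ?, prc_expires = ? WHERE username = ?');
    $stmt->bind_param('sis', $code_hash, $expires, $username);
    $stmt->execute();
    $stmt->close();
    return $code;
}

/** Step 2: check username + code, set the new password, invalidate the code. True on success. */
function reset_password(mysqli $link, string $username, string $code, string $new_password): bool {
    if (strlen($new_password) < 8) {         // assumed minimum; the password is otherwise untouched
        return false;
    }
    $stmt = $link->prepare('SELECT prc_hash, prc_expires FROM User WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored_hash, $expires);
    $row_found = $stmt->fetch();
    $stmt->close();                          // required before the next prepare() on this $link

    $valid = $row_found
        && $stored_hash !== null
        && $expires > time()
        && hash_equals($stored_hash, hash('sha256', $code)); // constant-time comparison
    if (!$valid) {
        return false;
    }

    $new_hash = password_hash($new_password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $link->prepare('UPDATE User SET hash = ?, prc_hash = NULL, prc_expires = NULL WHERE username = ?');
    $stmt->bind_param('ss', $new_hash, $username);
    $stmt->execute();
    $ok = $stmt->affected_rows === 1;        // the code is single-use: it is cleared in the same UPDATE
    $stmt->close();
    return $ok;
}

// Request handling; field names follow the posts, credentials are placeholders.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $link = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
    $done = reset_password(
        $link,
        trim($_POST['username'] ?? ''),
        trim($_POST['resetcode'] ?? ''),
        $_POST['newpassword'] ?? ''
    );
    $link->close();
    if ($done) {
        session_start();
        $_SESSION['status_message'] = 'Password has been reset';
        header('Location: /userpanel.php');
        exit;
    }
    // One message whether the username, the code or the expiry failed, so the form
    // does not reveal which usernames exist.
    $error = 'Invalid username or reset code';
}
```

The ordering inside reset_password() is the fix for the "$stmt2 is false" symptom: with mysqli, a prepared SELECT whose rows have not all been fetched (or buffered with store_result()) keeps the connection busy, and the next prepare() on that connection fails until the first statement is closed.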
  25. Hey maxxd, Thank you for that thorough explanation. I don't really know how to express my gratitude or sincere appreciation but most if not all of my code has pieces of everyone's contribution. So whatever I amount to with the code I "write", it would be all thanks to your guys' help, so thanks.