
PHPEnthusiast

Members
  • Posts: 10

PHPEnthusiast's Achievements

Newbie (1/5)

Reputation: 0

  1. o.o That doesn't make any sense whatsoever, because now you're going against your own words. The words you typed up yourself. Straight from your post. Run these lines and tell me what you get, or better yet, I'll save you the time (being lazy) and show you the results. The difference between running code that has no classes and objects vs. running code with classes and objects.

     Without class, with PDO:

         var_dump(new PDO('mysql:host=localhost;dbname=sample', 'root', 'root'));

     The line above outputs

         object(PDO)#1 (0) { }

     which is still calling the database.

     With class:

         class Connection {
             private function connections() {
                 var_dump(new PDO('mysql:host=localhost;dbname=test', 'root', 'root'));
             }
         }

     The line above outputs nothing.

     With MySQLi, without class:

         var_dump(new mysqli('localhost', 'root', 'root', 'sample'));

     The line above outputs

         object(mysqli)#1 (19) {
           ["affected_rows"]=> int(0)
           ["client_info"]=> string(75) "mysqlnd _._.__ - ________ - $Id: b0b3b15c693b7f6aeb3aa66b646fee339f175e39 $"
           ["client_version"]=> int(50010)
           ["connect_errno"]=> int(0)
           ["connect_error"]=> NULL
           ["errno"]=> int(0)
           ["error"]=> string(0) ""
           ["error_list"]=> array(0) { }
           ["field_count"]=> int(0)
           ["host_info"]=> string(20) "localhost via TCP/IP"
           ["info"]=> NULL
           ["insert_id"]=> int(0)
           ["server_info"]=> string(6) "_._.__"
           ["server_version"]=> int(_____)
           ["stat"]=> string(135) "Uptime: 22139 Threads: 1 Questions: 1596 Slow queries: 0 Opens: 173 Flush tables: 1 Open tables: 0 Queries per second avg: 0.072"
           ["sqlstate"]=> string(5) "00000"
           ["protocol_version"]=> int(10)
           ["thread_id"]=> int(936)
           ["warning_count"]=> int(0)
         }

     With classes:

         class Connection {
             private function connections() {
                 var_dump(new mysqli('localhost', 'root', 'root', 'sample'));
             }
         }

     The line above outputs nothing.

     This means that the database connection will never be called if the class hasn't been called yet. Putting your code outside of the root folder puts more effort on you.

     The reason I said you are going against yourself is that PHP in general has classes, objects, and methods built in, so I'm not sure why you are putting your code outside of the root folder just to protect it from direct access. Also, what I meant by lazy is that the stuff you should be using, you don't, but the stuff it wasn't meant for, you're putting more effort into. Sorry to anyone reading this; I went off-topic there. Back on topic, I'm still looking for answers as to whether I should be using htmlspecialchars or filter_input.
  2. Great reply. Aren't all of your replies just criticizing everyone's ideas? It doesn't help anyone if all you have are negative responses. Off-topic: Also, your reply for the singleton topic is a bad example of a programmer. Your idea is putting the database connection, such as $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); into a file and then including it throughout the whole website. This is a lazy idea for programmers. If someone were to access your database connection file, it would still be executed, because the line $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); runs a true statement if the connection does not fail. This means people can access your database if they really knew how to, because the command lines are still executing. Since others are smart and they want singletons, classes, and methods, they avoid this mess and their database connections are only called when their singletons, classes, and methods are called. The only way to execute a class is to call it in your code. If someone were to access your file directly, the classes will not be called.
  3. When sanitizing user inputs, if I'm already using htmlspecialchars around user inputs, do I still need to use the filter_input functions, or do I need to stop using htmlspecialchars and start using filter_input? While I was looking through the PHP manual for filter_input, it basically has htmlspecialchars and more, but do I really need all of that? I'm just escaping what the user has put in for any type of user-based input like $_GET and $_POST. Mostly looking to escape any bad characters that the user has put in when they're really not supposed to be there. For $_GET, I'm using filter_var($var, FILTER_SANITIZE_URL); So if the user types something like <script>alert("XSS")</script> into the input field, it would just be output like this: <script>alert("XSS")</script>
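An added example, not code from the thread, showing why the two functions answer different questions: htmlspecialchars() escapes for an HTML output context, while FILTER_SANITIZE_URL only strips characters that cannot appear in a URL and leaves the script tag from the post intact. The sample input and the escape_html/sanitize_url helper names are constructed for this illustration.

```php
<?php
// Added example, not code from the thread: escaping user input for an HTML
// context with htmlspecialchars() versus passing it through
// FILTER_SANITIZE_URL. The sample input below is constructed.

// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES converts both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning an empty string.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Sanitise a value for a URL context: FILTER_SANITIZE_URL only strips
// characters that are not legal in a URL at all (spaces, control bytes).
function sanitize_url(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_URL);
}

$input = '<script>alert("XSS")</script>';   // constructed sample input

// '<', '>', '/', '(', ')' and '"' are all legal URL characters, so the
// filter hands the string back unchanged; it was never meant to stop markup.
echo sanitize_url($input), PHP_EOL;

// htmlspecialchars() rewrites the angle brackets and quotes as entities,
// so a browser renders the text instead of executing a script.
echo escape_html($input), PHP_EOL;

// Reading request data with filter_input() validates the *input*; it does
// not remove the need to escape at the point of *output*. Keep both:
// validate what comes in, escape for the context it goes out to.
$name = filter_input(INPUT_GET, 'name') ?? '';
echo '<p>Hello, ', escape_html($name), '</p>', PHP_EOL;
```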
  4. Because using singletons and classes is like an MVC pattern. Coding it without an MVC pattern makes it hard to manage in the long run when you want to change something. Yes, you may think including just a file with database connections is uber easy because you don't have to do a lot of things. That's just being a lazy programmer. Also, singletons do the same thing, but it's safer because it doesn't execute the script without calling the class first. If you just include a database in a file, it's still being executed on the server side, but you don't see anything being done on the client side. This means it's going to waste resources, because it's still using them up but just sitting there and being closed at the end of the PHP tag.
  5. Thanks for letting me know. I guess I can't rely too much on it then.
  6. Try ob_start(); and ob_flush(); It should be able to solve your problem. Just place ob_start at the very top after your <?php and ob_flush at the very end of your document.
  7. Thank you for enlightening me. However, is it possible to reject Curl from accessing or does it act like a regular user?
  8. Hello! So I have a new random question to ask. I have a script that relies on jQuery requests. I've read on a lot of websites that relying on jQuery requests isn't a good thing because they can be spoofed; however, while I was testing it on my localhost using cURL, it just showed me the default login page and that's it. So the logic behind my "Only jQuery requests can read these files" is that I'm trying to prevent people from seeing the contents directly. I know that .htaccess can do this already, but I'm trying to prevent someone from accessing the actual file directly in case someone is snooping around for file names. This is so they can't execute any PHP code. It also will trick them into thinking that the page they're on does not exist. Here is my code for jquery_test.php:

         // Check to see if the request was made via jQuery or not
         if (filter_input(INPUT_SERVER, 'HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest') {
             // Request is from jQuery or Ajax. Put the actual code in here.
         } else {
             // Request was made directly to the file. Don't put any executable code in here.
             // If the user is not logged in, throw them the default login page; this can also
             // be made an error 404 page with a login form to trick the user.
             // If they are logged in, throw them an error 404 page.
         }

     Here is my cURL code. It's supposed to be simple.

         $ch = curl_init("http://localhost/jquery_test.php");
         $fp = fopen("curl_export.txt", "w");
         curl_setopt($ch, CURLOPT_FILE, $fp);
         curl_setopt($ch, CURLOPT_HEADER, 0);
         curl_exec($ch);
         curl_close($ch);
         fclose($fp);

     Here is what it exported.

         <html>
         <head>
         <title>Login</title>
         </head>
         <body>
         <h1>Login Page</h1>
         <p>Hello, please login to view this page.</p>
         <form action="action/login" method="POST">
         <input type="text" name="username">
         <input type="password" name="password">
         <input type="submit" name="submit">
         </form>
         </body>
         </html>

     Now, how are people spoofing jQuery requests when I tried to spoof my own and it just shows up the login page?

     This is exactly what my code was supposed to do. Check to see if the request is made via jQuery or direct. If the request was made via jQuery, load the code and execute it to select appropriate tables. If the request was made via direct access, check to see if the user is logged in first. If the user is not logged in, throw them a login page. If the user is logged in, throw them a 404 page.
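An added example, not the poster's code, of the same endpoint restructured so that the authenticated session, not the X-Requested-With header, decides who gets data. session_start(), a user_id session key, and the two static HTML files are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread: jquery_test.php with authentication as
// the access control. Session layout and the HTML files are assumed.

session_start();

// X-Requested-With is an ordinary request header. jQuery adds it to its
// XMLHttpRequest calls, but any HTTP client can send or omit it, so it only
// hints at how a browser probably called us. It proves nothing about who is
// calling and must never gate data access on its own.
// $_SERVER is read directly: filter_input(INPUT_SERVER, ...) is not reliably
// populated under some SAPIs (FastCGI setups are the known case).
function is_ajax_request(array $server): bool
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strcasecmp($server['HTTP_X_REQUESTED_WITH'], 'XMLHttpRequest') === 0;
}

// The real control: is there an authenticated session? (assumed layout)
function is_logged_in(array $session): bool
{
    return !empty($session['user_id']);
}

if (!is_logged_in($_SESSION)) {
    // Same answer for direct and AJAX callers: no session, no data.
    http_response_code(401);
    header('Content-Type: text/html; charset=UTF-8');
    readfile(__DIR__ . '/login_form.html');   // assumed static login form
    exit;
}

if (!is_ajax_request($_SERVER)) {
    // A logged-in user opening the endpoint in a browser tab gets the 404
    // page the original design wanted. This is cosmetic, not a security check.
    http_response_code(404);
    readfile(__DIR__ . '/404.html');           // assumed static page
    exit;
}

// Authenticated AJAX request: return data scoped to the session user, never
// to an identifier supplied by the client in the query string or body.
header('Content-Type: application/json; charset=UTF-8');
echo json_encode(['user_id' => (int) $_SESSION['user_id'], 'ok' => true]);
```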
  9. But wouldn't it just be easier to store specific tables in a specific database? There are actually more things to this than just logs. The log's ID gets grabbed from the first database, which is the main database. Then the log summary gets grabbed from the second database, in which it is stored by the user's ID. Is that still a waste? I keep thinking that if I actually stop doing all this and store everything in 1 database, it will get filled up and it would be hard to manage. Basically, everyone's log would be in 1 table, and trying to find if user ID (13) has an existing log in a huge table would take longer than expected, while if it's stored in a separate database with the table name "13_logs", it would be easier to find and manage, because if the log is empty, the icon would be greyed out. If it has entries, the icon would be blue.
  10. Is it ok to create separate tables for user stuff? For example, I am using the user's ID to create their own unique table so that they can use it instead of having them all in 1 table. So instead of having a table like

          CREATE TABLE IF NOT EXISTS `user_logs` (
            `id` int(11) NOT NULL AUTO_INCREMENT,
            `user_id` int(11) NOT NULL,
            PRIMARY KEY (`id`)
          ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

      I have something like

          CREATE TABLE IF NOT EXISTS `1_logs` (
            `id` int(11) NOT NULL AUTO_INCREMENT,
            `textfield` longtext NOT NULL,
            PRIMARY KEY (`id`)
          ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

          CREATE TABLE IF NOT EXISTS `2_logs` (
            `id` int(11) NOT NULL AUTO_INCREMENT,
            `textfield` longtext NOT NULL,
            PRIMARY KEY (`id`)
          ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

          CREATE TABLE IF NOT EXISTS `3_logs` (
            `id` int(11) NOT NULL AUTO_INCREMENT,
            `textfield` longtext NOT NULL,
            PRIMARY KEY (`id`)
          ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

      so that each user can track their own logs. Is that an ok thing, or is that going to waste a lot of resources and be redundant?
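An added example, not from the thread, of the single-table alternative the question above compares against: one user_logs table with a user_id column and an index on it, queried through bound parameters. The DSN, credentials and the sample row are placeholders constructed for the illustration.

```php
<?php
// Added example, not from the thread: one shared table with a user_id column
// instead of a table per user. DSN, credentials and sample data are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=sample;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// One table for everyone. The (user_id, id) index turns "all logs for user 13"
// into an index range scan, so the total table size hardly matters.
$ddl = <<<'SQL'
CREATE TABLE IF NOT EXISTS user_logs (
    id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
    user_id   INT UNSIGNED NOT NULL,
    textfield LONGTEXT NOT NULL,
    PRIMARY KEY (id),
    KEY idx_user (user_id, id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
SQL;
$pdo->exec($ddl);

function add_log(PDO $pdo, int $userId, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO user_logs (user_id, textfield) VALUES (?, ?)');
    $stmt->execute([$userId, $text]);
    return (int) $pdo->lastInsertId();
}

// Answers the "grey or blue icon" question without reading any rows.
function user_has_logs(PDO $pdo, int $userId): bool
{
    $stmt = $pdo->prepare('SELECT EXISTS(SELECT 1 FROM user_logs WHERE user_id = ?)');
    $stmt->execute([$userId]);
    return (bool) $stmt->fetchColumn();
}

// user_id is a bound value. A table name such as "13_logs" can never be bound
// (identifiers are not parameters), so per-user tables force the query text
// to be assembled by string interpolation, which is what prepared statements
// exist to avoid.
function fetch_logs(PDO $pdo, int $userId): array
{
    $stmt = $pdo->prepare('SELECT id, textfield FROM user_logs WHERE user_id = ? ORDER BY id');
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

add_log($pdo, 13, 'first entry');   // constructed sample row
var_dump(user_has_logs($pdo, 13), fetch_logs($pdo, 13));
```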