JenniferLawrence

Well, the first mistake I look for in people's code is if they use isset($_POST['']); to check for form submission. I don't get why people think this is actually secure. If you don't actually have that specific HTML element in your code base, your "isset($_POST['']);" will fail despite how secure your actual code base is. If someone is smart enough, they can actually test to see how horribly put together your code is by just entering random junk data using your website. It's kind of like a beta tester for games, they test to see what works and what doesn't, what breaks and what doesn't. If you don't have volunteer debuggers or have any knowledge in the PHP programming, it is recommended that you should search what is the best practice before actually copy&paste codes off the internet and seenig if they work or not. I know that I may sound pretty rude, but I see this stuff so much times, I feel like all these new PHP users aren't actually looking at the codes they copy&paste. The second thing I see a lot in people's PHP codes is stripping or escaping the user's password. I can't........ I just can't....... If you modify someone's password, you limit the possiblity of how secure it actually is. If I came across a website that didn't let me choose special characters as my passwords, I would probably delete my account on there and write a review on how bad their code base is. Let's say your user inputs Php/freak+sistheb,est!@#$^*~(~`\ Your whole "escape_string($_POST['password'])" fails entirly. It will turn a secure as booty password such as the above to something like this. Phpfreaksisthebest How secure is this? If you haven't heard of the rainbow table, you should really look into it. It will make you want to change your way of importing and exporting data. You should also look into brute force. Save upi some time on how secure someone's password really is. Someone once said to me. And I wonder why SQL Injections exists.

Thanks for all your help. It worked. Part of it wasn't actually the downloading and storing I guess. I just looked at the source code where the zip files were being stored and I guess I had the headers do something like. header('Content-disposition: attachment; filename=' . dirname(__DIR__) . '/random_zip_file.zip'); header('Content-type: application/zip'); Which was wrong because the first header is not needed. I got it to work now. Thanks for you help.

Same thing is happening. sys_get_temp_dir() doesn't like Windows temp folder because I guess it's write protected so I changed the folder it's pointing to a writeable folder and same thing happens. The file is corrupted and can't be opened. The problem isn't really storing the file. It's more of getting the file with its original tribute. May I see screenshots or video clips of this working example? I don't know why it isn't working for me. Again, the folder storing isn't the problem, it's getting the file and keeping the original tribute on it. If I was to compare this example and they example reguinix had made (my modification version of hers), they do practically the same exact thing except yours uses cURL and hers just uses the copy command. The files are corrupted for both methods. If it doesn't work at all, I might have to just forget about this topic and do the actual download/ upload .zip file thing.

I'm using xampp. It's enabled automatically. The problem I'm running into isn't whether things are enabled or not. When my script copies over files. The file gets copied, however only parts of it are copied and therefore the file won't open. Same thing with images. Since it isn't properly downloaded, the file is corrupted. I see bits of filesize being added and taken from the file, but not the actual filesize of the orginal file. I'm starting to think this is impossible so I'm probably going to just make a download link so that the clients can download it and upload them to their server. I think this is the best possible way because this auto download/ extract seems to not be working at all.

Sorry, my mistake. I forgot to add the zip file for the temp variable in this comment. I already had it in my code, but it still doesn't work. I tried it with an image and the image seems to have file sizes, but the image as well can't be opened or displayed. Umm, that's what we are doing here already. If you didn't read Ch0cu3r and requinix's response. They said the same thing. No need to repeat what is already said. She is already helping me achieve that. I have also Google searched how to download zip files to remote servers and extract them. They all give them same exact answer. None of them seems to be working. They achieve the same results, but all of them can't download the right bytes in order for the zip file to not be corrupted nor unable to be opened.

Ok so I got the copying the zip file to a local server with the right name all set up. The problem now is that it has 0 bytes in it. I know it has something to do with the header content-type and what not. Here's my code. $remote_file_location = 'http://docs.google.com/random_zip_file.zip'; $temp = '/root_of_the_directory/extracted_files/'; if(copy($remote_file_location, $temp)) { // extract $temp print($temp); die(); } else { print('error'); die(); } It seems that if I took away the error checking for the file size, I get the temp file. If I add in the file size checking, I get an error. What seems to be the problem?

Tried that. Filesize always ends up being 0 and coping to local temp folder doesn't work. Would just copying the file to a folder within the local server work? And then just extract the zip file from the local folder. EDIT: Nvm, seems like we were on the same page, just that I thought of it differently. Seems to work now. Probably going to extract all of the content first before I delete the zip folder.

The weird part is that it actually works for only zip folders within the server. If it is located on a different server, it won't open. I've tried this many times on my localhost and it seems to work. I'm looking to store zip folders in which I can use my code to download and extract without actually downloading the zip folder to my actual computer and re-uploading the zip folder and extracting it to the appropriate folder. This makes it take too much time and it is a hassel for some of my users. I would like to make it kind of like SMF where you can extract the zip folder straight from their website and extract it to your themes folder making it easier for users to use.

What I did was check to see if the installation folder existed first. If it did, it would proceed to the installation process. If the database configuration does not exist in the configuration file, I would redirect the client back to the installation folder. If they happen to remove the installation folder, it would tell them that they are missing the installation folder and that the configuration database does not exist.

Is it possible to get a .zip file without downloading it to a computer and just extract the file into a remote server? So something like this http://docs.google.com/random_zip_file.zip --------------> Extract using PHP | | V http://domain.com/extracted_files/ If I do something like this <?php $extract = new ZipArchive(); if($extract->open('/root_of_the_directory/directory_where_the_zip_file_exists/') === TRUE) { $extract->extractTo('/root_of_the_directory/extracted_files/'); if($extract->close() === TRUE) { print('Extraction was a success!'); } else { print('Something went wrong with extracting the file.'); } } else { print('Could not find the .zip file'); } It works, but then if I do something like this. <?php $extract = new ZipArchive(); if($extract->open('http://docs.google.com/random_zip_file.zip') === TRUE) { $extract->extractTo('/root_of_the_directory/extracted_files/'); if($extract->close() === TRUE) { print('Extraction was a success!'); } else { print('Something went wrong with extracting the file.'); } } else { print('Could not find the .zip file'); } It doesn't work because I was thinking that $extract->open only works for files on the same server. If it's on a different server, I would need to use file_get_contents. However, with file_get_contents along with $extract->open like so. <?php $extract = new ZipArchive(); $get_file = file_get_contents('http://docs.google.com/random_zip_file.zip'); if($extract->open($get_file) === TRUE) { $extract->extractTo('/root_of_the_directory/extracted_files/'); if($extract->close() === TRUE) { print('Extraction was a success!'); } else { print('Something went wrong with extracting the file.'); } } else { print('Could not find the .zip file'); } I get this error. Warning: ZipArchive::open(): Empty string as source in /root_of_the_directory/extract.php on line 102 What is the best approach to extract files to a remote server without actually downloading the .zip file to a desktop?

Yes, there are many solutions. However, that wasn't what I was actually looking for. To go in depths, I have a presenter that controls all requests and sends it to the core file. With that in mind, since the controller can be requested through this method as well, it is a problem since if it is an actual directory, it will add an extra trailing slash to it making it tell the user that the request is an actual folder. That was the problem because all requests should not make it so obvious for the user. Therefore, I searched and searched and finally found the solution. It was the removal of trailing slash for directory redirection.

Hello, how would I hide a specific directory and make it not accessable? I'm pretty sure it's not possible, but it doesn't hurt asking. So I have a controller that I don't want to be shown however, the controller is in a sub-directory that I want to hide. At the moment I'm using Options -Indexes Which only works if I don't want indexing where people can see what folders I have in that sub-folder. That's not what I want. So let's say the controller is put into the URL like so http://domain.com/this_is_my_controller Since this_is_my_controller is the sub-folder that the controller is in, I don't want it to do something like this. http://domain.com/this_is_my_controller/ It just tells the other person that the controller is within a folder which is bad. How would I be able to ignore the trailing forward slash and just make them think that the controller is an actual file itself and not a sub-folder? The reason why I'm doing this is because all the other controllers are in that sub-folder. It's important for me to separate controller files from random files. This keeps everything tidey if I have all controllers in its own sub-folder. EDIT: Never mind. I seem to have found the solution.

If you aren't using a 3rd party software and you are making your own. I'd suggest doing what mac_gyver said. Use PHP's default password_hash. All you do is something like $password = password_hash($_POST['password'], PASSWORD_BYCRIPT, 10); It's that simple. If you want to compare if the 2 passwords match or not, just use password_verify in an if statement. You will have to grab the password from the database of the current requested account, compare it to the $_POST['password'], throw a couple of custom errors at the user if the account doesn't exist or if the password was not correct and that's it. If you are running PHP 5.5 +, you can use this feature by just typing it in. If you have PHP 5.4 below, you can use ircmaxell's workaround for password_hash. If you want to use ircmaxell's workaround, you'll have to include the file before you are doing the hash because you will be thrown fatal errors if you don't do so. With PHP, if you want to call something, you have to have it before your call. Otherwise, you will be thrown fatal errors. https://github.com/ircmaxell/password_compat

First rookie mistake I always see beginners do.... if(isset($_POST['submit'])) Are you finding these codes online? If you are, the tutorial or page you found it on is probably written from the late 90's - early 2000's. It is time to update. Plus, isset($_POST['submit']) is a hack which will never work ever. Let's say you have someone who randomly typed up their paper and have every requirement correctly put in, but instead. They hit the "ENTER" key on a <input type="text" name="" value=""> element? What then? The so called "hack" version of checking to see if the submit button has been hit is now broken and the user will be thrown an error simply because the "submit" button has not been hit. Everything they typed up is now lost and their entire 30 page essay has been lost. They have everything correct however, no button was hit. What then? It's best to use $_SERVER['REQUEST_METHOD'] because it is fool proof and is the actual proper way of checking to see if a form was submitted.

It is best to show us the code. I'm speculating that you are still pulling data from a database. Otherwise, where is the data being pulled from? A text file? An array of lists in your code? There has to be at least some sort of data type for you to pull from.

The mysql_connection() is bugging me. Are you mix matching the old deprecated mysql_* functions with PDO or is mysql_connection() going to be PDO's correct database connection?

Typically, this happens in a database call if you don't code it right. Let's say I have the following code WRONG SAMPLE CODE: <?php $id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT, FILTER_FLAG_STRIP_HIGH); $db = new mysqli('localhost', 'root', 'root', 'root'); $mysqli = $db->prepare("SELECT name FROM test_table WHERE id = ?"); $mysqli->bind_param("i", $id); $mysqli->execute(); $mysqli->bind_result($name); while($mysqli->fetch()) { print_r($name); } ?> It actually will throw you that error because your code looks through your database with the information you are giving it via $_POST, $_GET, .etc. However, since the data it is looking for does not really truly exist in the database, there is no error handling for it so it will just continuously look for the data over and over and therefore the script will actually not stop. That is why you are getting the exhaust error. You have to put your code inside an if statement to make sure that it truly does have that data in your database. Here is the right code. RIGHT SAMPLE CODE: <?php $id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT, FILTER_FLAG_STRIP_HIGH); $db = new mysqli('localhost', 'root', 'root', 'root'); $mysqli = $db->prepare("SELECT name FROM test_table WHERE id = ?"); $mysqli->bind_param("i", $id); $mysqli->execute(); $mysqli->store_result(); if($mysqli->num_rows) { $mysqli->bind_result($name); while($mysqli->fetch()) { print_r($name); } } else { print("Requested data does not exist."); } ?>

Actually, it is possible. I solved my problem by appending the target="_parent" to the links inside the iframe. I controll both iframe and index.php so what about saftey reasons again?

Hi, so I have an iframe that has links in it. I want the links to target the appropriate page and when the page is done executing, instead of redirecting inside the iframe and having the page in the iframe change, I want the parent page to refresh. index.php <---------------------------- page is done executing, redirect the actual page. Not the iframe | | v | iframe -----> links inside the iframes are clicked ---> actions with the links are done This is how I want it to perform. Can this be done?

Makes sense. Thanks for the help though. Much appreciated.

Thanks a lot. That actually solved my problem with 1 single line. Thanks for the help. I think I'll stick to CroNix's answer for now. Although yours works as well. EDIT: If it saves me time, I'll most likely use some else's approach since my approach isn't correct.

Hi. I have a problem with basic syntax. I'm trying to fetch all rows with the column name "user_id" from the table "posts_determine". From there, I select the column name "post_counts". "post_counts" is going to be a numeric string so I want to convert the array of rows into strings. Then add them all up to get a total count. That is what I hope to achieve, but I can't seem to do it. Basically, I'm trying to figure out the total of posts someone makes per account. $user_id = filter_var($_SESSION['user_id'], FILTER_SANITIZE_NUMBER_INT, FILTER_FLAG_STRIP_HIGH); $prepare = $db->prepare("SELECT post_counts FROM posts_determine WHERE user_id = ?"); $prepare->bind_param("i", $user_id); $prepare->execute(); $prepare->store_result(); if($prepare->num_rows) { $prepare->bind_result($post_counts); while($prepare->fetch()) { $total = $post_counts+$post_counts; print($total); } } However, since I am adding post_counts to itself, it won't work because it is doubling instead of just adding up the total. That's where I am a bit confused about. If I append [] to $post_counts, it becomes an array and there for I cannot add a regular string to an array of strings. However, if I have an array of strings, I can append a number to it and the number will be added to the numeric string. This however has flaws. Since I cannot predict how much a person posts, I cannot append just a random number to the array. Such as $posts_counts[29]. It's string because that is the only way I could convert an array to a regular string and then add it up. Need some guidance as to what I'm supposed to be doing.

Thanks, but I think I solved this with the approach I was looking for. Had to delete the ;charset=utf8 part and then I had to add this line below it. $db->setAttribute(PDO::MYSQL_ATTR_INIT_COMMAND, "SET NAMES utf8");

Hello, I want to be able to insert foreign characters into my database. However, my problem is that it is inserting the characters as question marks instead. I am using PDO as my API library. Let's say I want to insert a Japanese character like so ハッカー I get the following ???? I know it has something to do with setting the character set using UTF-8, however, I've tried that with the following codes below and nothing has changed. Here is my Database connection. $user = 'root'; $pass = 'root'; $options = array(PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ, PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING); $db = new PDO('mysql:host=localhost;dbname=test;charset=utf8', $user, $pass, $options); Here is my datbase insert. $message = filter_var($_POST['message'], FILTER_SANITIZE_STRING); $prepare = $db->prepare("INSERT INTO post (message) VALUES (:message);"); $parameters = array(':message' => $message); $prepare->execute($parameters);