benanamen

Posts posted by benanamen

  1. On 10/23/2019 at 10:14 AM, Barand said:

    I see no problem with this (eg if date comes from a date picker)

    What guarantee do you have that it was actually submitted by the user's form and the user's date picker? There are several ways to make a POST request without using the user's form. Bottom line, it is user supplied data and you well understand to NEVER trust user supplied data.

    The one case where you can safely get away with a variable in the query is if the date (or whatever) comes directly from the code, but then that isn't user supplied data, is it? But why do it? Consistency is always a good thing.


    Quote

    I changed the code so that it is using prepared statements

    No you didn't. Read the manual and see what you did wrong.

  2. BEWARE

    This user @haymanpl will threaten you with physical violence if he doesn't like your post. The exact response on the cross post that prompted this user was "Didnt you like the help you were getting on the other forum" (This one).


    Quote

    Dickhead Kevin. Stop behaving like another useless troll from the most hated country on the planet. No wonder America has 450 mass shootings every year and the highest incarceration rate in the world. Within the next 5 - 7 years your country will have over 1000 mass shootings. It’s because of weak cowards like you there’s so much hatred in your shitty little country which fuels the mass murder of hundreds of thousands of Mexicans your country uses to supply drugs to Americans. 20% of your entire country is on drugs. You would never behave like that to me face to face because I would bash your brains in. Something, you can avoid for the time being while you will need to hide for the rest of your life. I won’t forget you Kevin!


  3. It doesn't make sense to override a method with the same exact method.

    How about telling us what the real problem is you are trying to solve instead of asking about your attempted solution to it.


    Quote

    the additional code is not printing.

    How do you expect it to print anything when there is no code to output anything? No echo, no return, no nothing.

  4. 45 minutes ago, Barand said:

    Agreed, you should let the user keep trying to register until eventually, in desperation, they try a different user name. At that point, when it works, they realize that the problem was a duplicate username. But at least, you didn't tell them.


    Assuming Sarcasm....

    So are you saying you are OK with explicitly verifying 50% of a valid system login to an attacker? So instead of just saying "Username Invalid" you want to say "Congratulations, that exact username is in the database. Now you just need to guess the password that goes with it"?

  5. Just how many different errors do you expect? The registration (insert query) is either successful (true) or it fails (false).

    duplicate error = false
    other error = false
    no error = true

    You do not want to output system error messages to the user. In the case of a duplicate username, you do not want to specify that the username is already used. That would open you up to a User Enumeration Attack.

  6. In addition to what @Barand said, your Method should return a Boolean. You have hard coded a redirect and have done nothing in case of failure which could be something other than a duplicate user.

    As is, if you want to redirect somewhere other than what you hard coded you have to edit the Class. Classes should be closed for modification. That is known as the "Open-closed Principle" and is the "O" in the SOLID principles of Object-Oriented Programming.

    Do the redirect outside the class in the program flow.

    PSEUDO Code

    if ( $var->regUser($x,$y,$z) )
    {
    // Success
    }

    OR

    $status = $var->regUser($x,$y,$z) ? 'Success' : 'Failed';

    I would not put the password hashing in the method or class. Hashing a password is not really related to doing a DB insert query which when you get down to it, is really what you are doing. It would also mean you have to duplicate the hashing code such as the case of a password change. Pass the hashed password to the Class.
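    Added example (not benanamen's code, nor the original poster's) pulling together posts 1, 5 and 6 above: a registration method that uses a prepared statement, returns a plain boolean, takes an already hashed password, and leaves hashing and the redirect to the program flow outside the class. The class name, table and column names and connection credentials are assumptions; PHP 8 is assumed for constructor property promotion.

```php
<?php
// Added example (not benanamen's code): regUser() uses a prepared statement,
// returns only true/false, and never reveals a duplicate username to the caller.
// Class/table/column names and the connection details are assumptions.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

final class UserRepository
{
    public function __construct(private mysqli $con) {}

    // Takes the ALREADY hashed password: hashing is the caller's job, so the
    // same code serves registration and a later password change.
    public function regUser(string $username, string $email, string $hash): bool
    {
        try {
            $stmt = $this->con->prepare(
                'INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)'
            );
            $stmt->bind_param('sss', $username, $email, $hash);
            $stmt->execute();
            return true;                       // no error = true
        } catch (mysqli_sql_exception $e) {
            // errno 1062 is a duplicate key, anything else is some other failure.
            // Log the detail server-side; the caller only ever sees false, so the
            // UI cannot tell "username taken" apart from any other error
            // (no user enumeration through the registration form).
            error_log(sprintf('regUser failed (errno %d): %s', $e->getCode(), $e->getMessage()));
            return false;                      // duplicate error = false, other error = false
        }
    }
}

// Program flow lives outside the class: hash here, redirect here.
$con  = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
$repo = new UserRepository($con);
$hash = password_hash($_POST['password'] ?? '', PASSWORD_DEFAULT);

if ($repo->regUser($_POST['username'] ?? '', $_POST['email'] ?? '', $hash)) {
    header('Location: /welcome.php');   // redirect chosen by the caller, not the class
    exit;
}
echo 'Registration failed.';            // one generic message for every failure
```

    Because the method returns a boolean, the same class can be reused with a different redirect or a different status message without editing the class.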

  7. 1 hour ago, SaranacLake said:

    If you were me would you stick with using MySQL for my business or switch to MariaDB?

    It just doesn't matter. MariaDB is a drop-in replacement for MySQL. If you really want to head down this path you might as well throw in the "What about Percona?" which is another drop-in replacement fork of MySQL.

  8. I ran the code and it works. The only problem is you need to change the error variable like so: echo mysqli_error($con);

    Add this to the top of your page: mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    If you're still having problems it is likely with the path to $con. You need to check that ABSPATH ."resources/ points to where con.php is.
