RedInjection

function generateRandomString($length = 5) { $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; $charactersLength = strlen($characters); $randomString = ''; for ($i = 0; $i < $length; $i++) { $randomString .= $characters[rand(0, $charactersLength - 1)]; } return $randomString; } This is my function - Is this ok?

Also tested this $pageURL = 'http'; if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";} $pageURL .= "://"; if ($_SERVER["SERVER_PORT"] != "80") { $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"]; } else { $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; } $c = $pageURL; print $c; if(!file_exists("404.php")) if($c=="home"){include("header.php");}else{include("kf.seg/intheader.php");} include("kf.pages/$c.php"); include("kf.seg/footer.php"); Create a 404 page or add a rule htaccess to say its missing

Create a .htaccess file RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://yourwebsite.com/$1 [R,L] PHP <?php if(empty($c)){$c="home";} // not sure what this is? if(!file_exists("kf.pages/$c.php")){$c = "404";} if($c=="home"){include("kf.seg/header.php");}else{include("kf.seg/intheader.php");} include("kf.pages/$c.php"); include("kf.seg/footer.php"); ?> Can I check what are you trying to do with $c="home"; ?

$pageURL = 'http'; if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";} $pageURL .= "://"; if ($_SERVER["SERVER_PORT"] != "80") { $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"]; } else { $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; } Can I check why you need to see if HTTPS? Do you use individual pages for encryption or everything? I am just asking because you could be able to remove some of this code as it's unnecessary and add a rule in .htaccess?

Hello all, I have made a script that does what I want but I am asking are there any flaws in my coding that I am missing in terms of security? * When a user registers by default the table sets the column status to pending * The key generated is a random 5 character string with a mixture of Uppercase and Numbers // IF username is missing from URL then redirect if ( empty($_GET['username']) ) { redirect_to("register.php"); } // IF key is missing from URL then redirect if ( empty($_GET['key']) ) { redirect_to("register.php"); } // SQL Query $sql = "SELECT * from users WHERE username = '{$_GET['username']}'"; $result = $mysqli->query($sql); $row = $result->fetch_assoc(); if ( $row['status'] == 'pending' ) { if ( $_GET['key'] == $row['activation'] ) { $sql = "UPDATE users SET status='enabled' WHERE username='{$_GET['username']}' LIMIT 1"; $result = $mysqli->query($sql); $sql = "UPDATE users SET activation='' WHERE username='{$_GET['username']}' LIMIT 1"; $result = $mysqli->query($sql); echo 'Your account is now <font color=green><strong>ACTIVE</strong></font>'; } } if ( $_GET['key'] != $row['activation'] ) { redirect_to("register.php"); } Thanks for your feedback! I hope I done okay as I am learning

Thanks for your quick help!

Hello, print $_GET['id']; If a users goes to page.php?id=X then it will show the value but how do I make it if a user goes page.php that it shows no error as it say's its not defined? Is there a simple way of doing it or do I need to write an IF function that sets id as nothing initially and if it has value then display?

Hello, I have a PHP script that reads information from a table and display the information in file.php?id=X format. I have designed the page so the <title></title> and META description is unique for each X. Do search engines automatically crawl this format I have used or is there something I need to do to make it work? Thanks for your help!

Hello all! I am learning SQL and from what I understand DISTINCT is what I need to hide duplicates? SELECT provider FROM categories ORDER BY provider In my table I have several 'provider' that are duplicates, I don't want to delete them but i just want to hide them, what is the best practice of doing this?

Fixed it be reinstalling PHP, without any modifications my original script post works <?php $sql = "SELECT role FROM users"; $result = $mysqli->query($sql); $row = $result->fetch_assoc(); $checkrole = $row['role']; if (logged_in() == true AND $checkrole == 'admin' ) { ?> <b>I am admin</b> <?php ; } <?php if (logged_in() == true AND $checkrole == 'user' ) { ?> <b>I am user</b> <?php ; } ?>

I am creating a jquery that hides/displays information when a hyperlink is clicked, so I have a while loop to count records but jquery needs me to define a variable for each hyperlink so I am going to increment it. I need to integrate jquery so I need to be able to insert it because of this

Hello all! I am aware of how to use \" when escaping HTML tags but I want to know how people do it with javascript as I have a very complex JS I have wrote which I need to integrate with PHP As an example $(".hide1").hide(); $(".show1").show(); $('.show1').click(function(){$(".hide1").slideToggle();}); I know that ECHO '$(".hide1").hide(); $(".show1").show();'; ECHO '$('.show1').click(function(){$(".hide1").slideToggle();});'; Isn't going to do it, what characters in that above code need to be escaped, is it possible I can convert the $ sign using HTML character codes? $ so it can read it easier and allow me to produce the output I want. Thanks.

Tried to clear my cache but same result I am afraid "SELECT role FROM users WHERE role='admin' mysqli_result Object ( [current_field] => 0 [field_count] => 1 [lengths] => Array ( [0] => 5 ) [num_rows] => 1 [type] => 0 ) SELECT role FROM users WHERE role='user' mysqli_result Object ( [current_field] => 0 [field_count] => 1 [lengths] => Array ( [0] => 4 ) [num_rows] => 1 [type] => 0 ) SELECT role FROM users WHERE role='user' or role='admin' mysqli_result Object ( [current_field] => 0 [field_count] => 1 [lengths] => Array ( [0] => 5 ) [num_rows] => 2 [type] => 0 ) Appreciate your help to all!

Still showing "admin" even for a user logged in

If I run a loop it only prints the word "admin" but there are 2 entrys in the table so it's like its all picking up first row, if i remove the row from table so the user moves up it will then print user?

I changed to this $sql = "SELECT * FROM users where role = 'admin'"; It's still returning admin for when a user is logged in user role

Hello <?php $sql = "SELECT role FROM users"; $result = $mysqli->query($sql); $row = $result->fetch_assoc(); $checkrole = $row['role']; if (logged_in() == true AND $checkrole == 'admin' ) { ?> <b>I am admin</b> <?php ; } <?php if (logged_in() == true AND $checkrole == 'user' ) { ?> <b>I am user</b> <?php ; } ?> My table has 1 admin and 1 user but when I run this script the user is saying admin when it should be saying user? I had this working and now its broke, I dropped my table and recreated but didn't fix it...

I am just learning and this code isn't being published online, Prepared Statements is something I will learn next

Thanks for your suggestion - Interesting I didn't think to try this. if (isset($_POST['resetpassword'])) { if ($mysqli->connect_errno) { echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>"; exit(); } $sql = "SELECT email FROM users WHERE email LIKE '{$_POST['email']}' LIMIT 1"; if ($result = $mysqli->query($sql)) { $user = $result->fetch_array(); } else { echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>"; exit(); } if ($result->num_rows == 1) { echo "<font color=green><p>Password has been sent to <b>{$_POST['email']}</b></p></font>"; } else { echo "<font color=red><p>Email does not exist</p></font>"; } } I rewrote my code and tried using mysqli and I was able to make my code now work! Why would your idea be better than what I have wrote, all it's doing is checking a value? Just trying to understand if theres a security problem or it's just another way of doing it?

Hello all, if (isset($_POST['resetpassword'])) { //$sql = "SELECT email FROM users WHERE email LIKE '{$_POST['email']}' LIMIT 1"; $result = mysql_query("SELECT email FROM users WHERE email LIKE '{$_POST['email']}' LIMIT 1"); // Help needed here echo "Password has been sent to <b>{$_POST['email']}"; } else { echo "mail does not exist; } } I have a form that when submitted I would like to check an email exists and then prints yes or no, I have been trying different methods to try and check how to do this? I am very new to learning and I have tried numerous ways but keep showing as not working... Any help or suggestions would really help me to understand this really simple yet troubling query for me!! Thank you in advance for your help

Okay thanks just wanted to be clear on the function - Yes I am using deprecated tags just for testing and will finalise XHTML when I am happy the functionality works.

Hello all, I currently have a login form that works with username and password in plain text which reads from a table, I have created a register form which succesfully creates a hash using password_verify function but I am having problems what it is for the login form to check the password against the hash and allow the user to continue. $timedate = date("F j, Y, g:i a"); if (isset($_POST['login'])) { $username = $_POST['username']; $password = password_verify($_POST['password'], $hash); if (isset($_POST['remember'])) { session_set_cookie_params('604800'); session_regenerate_id(true); } if ($mysqli->connect_errno) { echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>"; exit(); } $sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1"; $result = $mysqli->query($sql); if ($result->num_rows != 1) { echo "<tr colspan=2><td width=0%></td><td width=100%><strong><font color=red>Invalid Login</strong></font></strong></td></tr>"; } else { $user = $result->fetch_array(); $_SESSION['user_id'] = $user['id']; $_SESSION['username'] = $user['username']; $_SESSION['remember'] = $user['remember']; $sql = "UPDATE users SET lastlogin='" . $timedate . "'WHERE id={$_SESSION['user_id']}"; $result = $mysqli->query($sql); redirect_to("editprofile.php"); I am using PHP 5.5 and from what I understand password_verify is a function and I have noticed on from reading that there is a $hash variable $password = password_verify($_POST['password'], $hash); Is the $hash something I have to declare and read from mytable or is this part of the function within password_verify? Thank you your help in trying to understand this function