redbullmarky

Staff Alumni
Posts: 2,863
Last visited: Never

Everything posted by redbullmarky

  1. with all due respect lad, if you'da taken off your site when i first suggested, rather than questioning why, then maybe i wouldn't now be staring at the PROPER meaning of 'secrete' ;D your clients' sites should not be public until money has exchanged hands and the site is ready. if you're gonna keep it on a public server, at least lock it down with a password or two.... still...hopefully you still have the power. take it down.
  2. [quote author=thorpe link=topic=117906.msg481441#msg481441 date=1165624238] That laste person had a point though. There is no [i]e[/i] on the end of secret. [/quote] unless you WANT porn ads ;)
  3. right - i just added a comment in your feedback box. you can see what it does. if i had the patience, i could do a lot more - yet javascript is my weak point. so what happens when someone comes along with a bit of experience? look up strip_tags (for getting rid of HTML inserts, etc) and htmlspecialchars for turning potentially unwanted input into safe-for-display output.
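An added example (not code from the original post) of the two functions named above, applied to a feedback box: strip_tags() on the way in where no markup is wanted at all, and htmlspecialchars() on the way out so that whatever was stored is shown as text rather than interpreted by the browser. The comment strings are constructed for the demonstration; the helper names are my own.

```php
<?php
// Added example: encode user-supplied feedback on output with htmlspecialchars(),
// and optionally strip markup on input with strip_tags(). Sample inputs below
// are constructed; function names are assumptions, not part of the original post.
declare(strict_types=1);

// Input filter for fields where no markup is wanted at all.
function clean_comment_input(string $raw): string
{
    return trim(strip_tags($raw));
}

// Output encoder for an HTML text node or attribute value.
// ENT_QUOTES also escapes single quotes (attribute context);
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the result into ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one stored feedback entry as a safe HTML fragment.
// The raw value stays in the database; encoding happens only at display time.
function render_comment(string $author, string $body): string
{
    return '<div class="comment"><b>' . h($author) . '</b><p>'
        . nl2br(h($body)) . '</p></div>';
}

// Constructed sample input of the kind a feedback box receives.
$author = "<script>alert('x')</script>Mark";
$body   = "Nice site!\n<img src=x onerror=alert(1)> \"quotes\" & <b>bold</b>";

// Encoded on output: every tag and quote arrives at the browser as literal text.
echo render_comment($author, $body), PHP_EOL;

// Alternative for plain-text-only fields: tags removed on input, still encoded on output.
echo render_comment(clean_comment_input($author), clean_comment_input($body)), PHP_EOL;
```

strip_tags() on its own is not a display-safety measure (it leaves quotes, ampersands and attribute fragments alone), which is why the example still passes its result through h() before printing.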
  4. ok, leave the site up then and let them slowly take your entire career to pieces. alternatively - do as i say. then - pop a setup of LAMP on your local computer, and work on it locally. when you know its all cool, upload it.
  5. no worries. what many coders that use template engines need to kinda realise is that, unless your coder is a donkey, typing <?=$header ?> really isnt too much harder than typing {header}. as that article explains, and as i've come to realise through my own toying around, PHP is a perfectly good templating engine itself. obviously beware of sites that have the short tags (like <? and <?=) turned off, but it seems to be on by default these days and signs suggest that even PHP6 will continue to support the short tags/alternative syntax (like foreach/endforeach, if/elseif/endif, etc) good luck.
  6. [quote author=businessman332211 link=topic=117906.msg481430#msg481430 date=1165623220] Ok what do you suggest. [/quote] [quote author=redbullmarky] erm - shut the site down before they REALLY go to town? [/quote] although i do feel that if the person who's doing it is a viewer of this forum, then the responses you're giving are kinda fueling the fire a little bit....
  7. erm - shut the site down before they REALLY go to town? mysql_(real_)escape_string will help, but it always pays to be paranoid about user input. i had a problem the other day where i was using an old script that dealt with addslashes on user input automatically - only when i ran that through mysql_(real_)escape_string too (without realising that my code was doubling up like this), the results were pretty unpredictable. you really need to take a closer look at what sort of thing you want to accept. as you've already realised - not checking user input causes a LOT more problems than just some muppet displaying 'hello you got pwnd' on your homepage or posting adverts to stiffy-pills. with the code you posted at the start, it could be easily adapted to take out some important stuff, especially considering the amount of code you've posted on here that could give paths, etc, away.
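An added example (not from the original post) of the doubling-up problem described above: an addslashes() pass left over from an old script, followed by the driver's own quoting, corrupts what gets stored. The fix is to escape exactly once, here by handing the raw value to a prepared statement. It assumes the pdo_sqlite extension is available; the in-memory SQLite database stands in for MySQL (SQLite only doubles single quotes, so the damage shows up as stray backslashes, but the mechanism is the same).

```php
<?php
// Added example: double escaping versus a bound parameter.
// Assumes pdo_sqlite; the table and input value are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed user input containing every character an escaping pass touches.
$input = "it's \"quoted\" and has a \\ backslash";

// The broken pattern: a legacy addslashes() pass on all input, then a second
// escaping pass (the driver's quoting) while building the SQL string by hand.
function store_double_escaped(PDO $db, string $raw): string
{
    $once  = addslashes($raw);      // legacy "magic quotes"-style pass
    $twice = $db->quote($once);     // second pass, driver quoting
    $db->exec("INSERT INTO feedback (body) VALUES ($twice)");
    return (string) $db->query('SELECT body FROM feedback ORDER BY id DESC LIMIT 1')->fetchColumn();
}

// The correct pattern: the raw value goes to the driver once, as a bound parameter.
function store_with_placeholder(PDO $db, string $raw): string
{
    $stmt = $db->prepare('INSERT INTO feedback (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (string) $db->query('SELECT body FROM feedback ORDER BY id DESC LIMIT 1')->fetchColumn();
}

$doubled = store_double_escaped($db, $input);
$bound   = store_with_placeholder($db, $input);

printf("input   : %s\n", $input);
printf("doubled : %s  (round-trips: %s)\n", $doubled, var_export($doubled === $input, true));
printf("bound   : %s  (round-trips: %s)\n", $bound, var_export($bound === $input, true));
```

The "unpredictable results" the post mentions are exactly the stored-but-mangled value from store_double_escaped(): the data is not lost, but what comes back out of the table is no longer what the user typed, and a later display or comparison built on it will misbehave.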
  8. very true. in my experience, there isn't a 100% reliable way (so far) to make sure every last thing is covered as far as uploads go, but a mixture of everything doesn't hurt. 1, check the extension of the file. also check the 'mime' type: $_FILES['myfile']['type']. 2, keep uploads OUTSIDE of the web root. this way, they can't be accessed directly - so if it IS a script, then it can't be accessed. 3, as AndyB said - getimagesize works a treat. BM - don't take this the wrong way or anything, but I need to point something out to you, before you call in the Army, Navy and SAS to bomb this dude's house: what he did was technically illegal, but IMO the fact that he wiped out just your index file - count yourself lucky. now means you're looking at ways to lock your scripts down - meaning that in the future, when you get to grips with entire databases of customer details or paid-for downloads/subscriptions, you're not gonna get stung. or at least you'll be more conscious. if this guy never hacked your site, you'd still be coding sites with more security holes than a tramp's socks. just a thought....
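An added example (not code from the original post, nor from any poster here) that puts the three checks above into one upload handler: extension whitelist, MIME type, and getimagesize(), with the file stored outside the web root under a server-chosen name and served back through a script. It goes a step beyond the post in one respect: the MIME type is sniffed from the file's content with finfo rather than read from $_FILES[...]['type'], which the client supplies. Assumptions: PHP 7 or later with the fileinfo extension, and an UPLOAD_DIR path that the web server can write to but does not serve.

```php
<?php
// Added example: hardened image upload handler.
// Assumptions: fileinfo extension loaded; UPLOAD_DIR is writable and outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;

// Extension => MIME type we expect to find in the file's own bytes.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Validate one $_FILES entry. Returns [storedName, null] on success or [null, reason].
// The original filename is never used on disk; a random name is chosen instead.
function accept_image_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [null, 'upload failed with error code ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE)];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [null, 'not an uploaded file'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [null, 'file too large'];
    }

    // 1. Extension check on the client-supplied name: cheap, but the weakest signal.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [null, "extension '$ext' not allowed"];
    }

    // 1b. MIME type sniffed from content; $file['type'] comes from the client and is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return [null, "content type $mime does not match extension"];
    }

    // 3. getimagesize() must parse it as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        return [null, 'not a valid image'];
    }

    // 2. Store outside the web root under a random name we control, no execute bit.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [null, 'could not store file'];
    }
    chmod($dest, 0640);
    return [$stored, null];
}

// Serve an accepted image back through a script, so the directory is never reachable directly.
// $name should come from your own database record, not verbatim from the URL.
function send_image(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpe?g|png|gif)$/', $name) || !is_file(UPLOAD_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile(UPLOAD_DIR . '/' . $name);
}

// Typical use from the form handler (field name "imgfile" as in the other posts on this page).
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['imgfile'])) {
    [$stored, $err] = accept_image_upload($_FILES['imgfile']);
    echo $err === null ? "stored as $stored" : "rejected: $err";
}
```

Point 2 of the post is what makes the other checks survivable: if a file that fools all three checks still lands in a directory the web server never executes or serves directly, it can only ever be read back as bytes by send_image().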
  9. the regular armoury of PHP's search+replace functions will do the trick. in terms of templating, [url=http://www.php.net/preg_replace]preg_replace[/url] will do nicely, but be prepared to enter the murky world of regular expressions :) however - there's plenty of info in the 'Regex board' here: http://www.phpfreaks.com/forums/index.php/board,43.0.html if it's just templating to the point where you want to separate your main code from your views, then it may be worth taking a read through (my favourite!!!!) this: http://www.massassi.com/php/articles/template_engines/ Hope that helps Mark
  10. looks ideal Daniel - only wont install on FF2. I'll grab an older copy of FF and test it though, if it does what it says on the tin. Cheers
  11. Jocka, the rest of the code I sent you strips the header off the doc file before the stripping of stuff even begins. in the loadFile method, you'll notice this:
[code]
<?php
function loadFile($filename = '', $header_len = 2560)
{
    // ... check stuff
    $this->header = fread($fo, $header_len);
    // ...read rest of file
}
?>
[/code]
which whips off the first 2560 bytes from the DOC - so it's actually this bit that gets to the start of the 'real' content. i came up with this figure after testing out several doc files from Word 97/Office XP, etc. then comes the StripSpecial method that cleans things up. part of the StripSpecial method was gotten from Bartek's post in the PHP manual [url=http://uk2.php.net/htmlentities]here[/url], to which I added bits to clean things up even further.
  12. ted, DEMANDING help in such a fashion will get you absolutely nowhere. the people on this site donate their time for free. In addition, most of the help you've currently been after shows ABSOLUTELY NO SIGN that you've tried to help yourself - but rather you EXPECT others to write the scripts for you. I for one would rather help someone with a little more patience. You may want to read the [url=http://www.phpfreaks.com/forums/index.php/topic,6264.0.html]forum posting guidelines[/url], as you're on a one-man mission to break most of the rules and etiquette. [move]the manual is your friend, go and read it[/move]
  13. ahh lovely. does the trick, at least for now. if anyone knows of a plugin though that does the same, that'd be grand. if there isn't one, then will someone please write one. the world needs it ;) safari's good enough for me as i use it a fair bit. i've been trying to tweak sites so that they don't look rubbish on big screens, using % widths, only things often seem to get pulled apart a lot more, especially after putting it together on a 1024x768 screen. cheers Mark
  14. yeah thats what made me have doubts but i've done a bit of checking around. it seems though (unless i'm being stoooopid and not reading things properly) that the second param of md5 is only available in PHP5, not 4 (which most of the php world are still on)
  15. please note too that the code i showed is not a one off. i dont have a single header redirect that doesnt have an exit following it, and the only reason i ever use ob_start is for collecting a layout/part of a layout in a variable for use while templating. glad it worked.
  16. c'mon lad - do yourself a favour. read back over the replies. look at whats what and what goes where. you could do a lot worse than try getting your head around what you've already written and trying to understand it first, before moving on. which begs the question - i mentioned NOT just copying and pasting it and just assuming it'll work, but instead doing what you need to do, getting to grips with it and understanding it, yet only a few mins later.... i posted that as i was in a good mood. now do yourself a favour and have a think about the new problem yourself, try it out, and post back if you have any specific problems. getting your code totally written/modified for you for free is pretty rare. good luck
  17. yup. 1) open up the 'Manage Sites' for the site you're dealing with. 2) make sure you're looking at it in 'Advanced' mode (recommended anyway - not that hard once you're used to it) 3) Under 'Remote Info', check the box that says 'Automatically Upload files to server on save' bingo hope that helps Mark
  18. the IP address is generally the way that springs to mind. other than that, setting up something in the initial instance in the way of a cookie (a random generated hash that gets stored both in the DB and on their comp). sure, its not perfect, but otherwise there arent too many surefire ways to make sure that someone is on the same machine. if its a private system and not so much a website, then the $_COOKIE method is good. provide the user with a link to set up the cookie in the first instance, and voila.
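An added example (not from the original post) of the cookie approach described above: a randomly generated token is handed to the browser once, and only a hash of it is kept server-side, so a copied database table cannot be turned back into valid cookies. The $store array is a stand-in for the DB table; replace it with an INSERT/SELECT in real use. It assumes PHP 7.3 or later (random_bytes() and the options-array form of setcookie()).

```php
<?php
// Added example: bind a browser to a user with a random token stored hashed.
// $store stands in for a database table; names and TTL are assumptions.
declare(strict_types=1);

const COOKIE_NAME = 'machine_token';
const TOKEN_TTL   = 60 * 60 * 24 * 30;   // 30 days

/** In-memory stand-in for the DB: sha256(token) => ['user_id' => int, 'expires' => int] */
$store = [];

// Issue a fresh token for this browser. The raw token goes only to the client;
// the server keeps a hash, so a leaked table cannot be replayed as cookies.
function issue_machine_token(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + TOKEN_TTL,
    ];
    // HttpOnly keeps it away from page scripts; Secure keeps it off plain HTTP.
    setcookie(COOKIE_NAME, $token, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    return $token;
}

// Check a presented token; returns the user id it was bound to, or null.
function verify_machine_token(array $store, ?string $token): ?int
{
    // Reject anything that is not the exact shape we issued before touching the store.
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key]) || $store[$key]['expires'] < time()) {
        return null;
    }
    return $store[$key]['user_id'];
}

// Revoke on logout or when the machine should no longer be trusted.
function revoke_machine_token(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);
}

// Walk-through with constructed values instead of a live request.
$token = issue_machine_token($store, 42);
var_dump(verify_machine_token($store, $token));                       // bound user
var_dump(verify_machine_token($store, 'not-a-real-token'));           // rejected
revoke_machine_token($store, $token);
var_dump(verify_machine_token($store, $token));                       // rejected after revoke
var_dump(verify_machine_token($store, $_COOKIE[COOKIE_NAME] ?? null)); // what a real request would check
```

As the post says, this is not proof of the same physical machine (a cookie can be copied), only proof that the browser holds a secret that was issued once; the hashing and the expiry limit what a leak of either side is worth.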
  19. i don't normally do this, but:
[code]
<html>
<head>
<title>web.blazonry : PHP : Upload and Resize an Image</title>
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $imgfile = $_FILES['imgfile'];
    /* SUBMITTED INFORMATION - use what you need
     * temporary filename (pointer): $imgfile['tmp_name']
     * original filename           : $imgfile['name']
     * size of uploaded file       : $imgfile['size']
     * mime-type of uploaded file  : $imgfile['type']
     */

    /*== upload directory where the file will be stored
         relative to where script is run ==*/
    $uploaddir = ".";

    /*== get file extension (fn at bottom of script) ==*/
    /*== checks to see if image file, if not do not allow upload ==*/
    $pext = getFileExtension($imgfile['name']);
    $pext = strtolower($pext);
    if (($pext != "jpg" && $pext != "jpeg" && $pext != "bmp" && $pext != "png"))
    {
        print "<h1>ERROR</h1>Image Extension Unknown.<br>";
        print "<p>Please upload only a JPEG image with the extension .jpg or .jpeg ONLY<br><br>";
        print "The file you uploaded had the following extension: " . htmlspecialchars($pext) . "</p>\n";
        /*== delete uploaded file ==*/
        unlink($imgfile['tmp_name']);
        exit();
    }

    //-- RE-SIZING UPLOADED IMAGE
    /*== only resize if the image is larger than 250 x 200 ==*/
    $imgsize = GetImageSize($imgfile['tmp_name']);   // 'tmp_name' - there is no 'tmp_file' key in $_FILES
    /*== check size  0=width, 1=height ==*/
    if (($imgsize[0] > 250) || ($imgsize[1] > 200))
    {
        /*== temp image file -- use "tempnam()" to generate the temp
             file name. This is done so if multiple people access the
             script at once they won't ruin each other's temp file ==*/
        $tmpimg = tempnam("/tmp", "MKUP");
        /*== RESIZE PROCESS
             1. decompress jpeg image to pnm file (a raw image type)
             2. scale pnm image
             3. compress pnm file to jpeg image
        ==*/
        /*== Step 1: djpeg decompresses jpeg to pnm ==*/
        system("djpeg {$imgfile['tmp_name']} >$tmpimg");
        /*== Steps 2&3: scale image using pnmscale and then
             pipe into cjpeg to output jpeg file ==*/
        /* write back over the uploaded temp file - $imgfile itself is an array, not a path */
        system("pnmscale -xy 250 200 $tmpimg | cjpeg -smoo 10 -qual 50 >{$imgfile['tmp_name']}");
        /*== remove temp image ==*/
        unlink($tmpimg);   // $tmpimg is a plain path string from tempnam(), not a $_FILES array
    }

    /*== setup final file location and name ==*/
    /*== change spaces to underscores in filename  ==*/
    /* basename() drops any directory part the browser may have sent in the name */
    $final_filename = str_replace(" ", "_", basename($imgfile['name']));
    $newfile = $uploaddir . "/$final_filename";

    /*== do extra security check to prevent malicious abuse==*/
    if (is_uploaded_file($imgfile['tmp_name']))
    {
        /*== move file to proper directory ==*/
        if (!move_uploaded_file($imgfile['tmp_name'],"$newfile"))
        {
            /*== if an error occurs the file could not
                 be written, read or possibly does not exist ==*/
            print "Error Uploading File.";
            exit();
        }
    }

    /*== delete the temporary uploaded file (move_uploaded_file already removes it on success) ==*/
    if (file_exists($imgfile['tmp_name'])) {
        unlink($imgfile['tmp_name']);
    }

    print("<img src=\"" . htmlspecialchars($final_filename) . "\">");
    /*== DO WHATEVER ELSE YOU WANT
         SUCH AS INSERT DATA INTO A DATABASE  ==*/
}
?>
</head>
<body bgcolor="#FFFFFF">
    <h2>Upload and Resize an Image</h2>
    <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="MAX_FILE_SIZE" value="50000">
    <p>Upload Image: <input type="file" name="imgfile"><br>
    <font size="1">Click browse to upload a local file</font><br>
    <br>
    <input type="submit" value="Upload Image">
    </form>
</body>
</html>
<?php
    /*== FUNCTIONS ==*/
    function getFileExtension($str) {
        $i = strrpos($str,".");
        if (!$i) { return ""; }
        $l = strlen($str) - $i;
        $ext = substr($str,$i+1,$l);
        return $ext;
    }
?>
[/code]
there are a few things i don't understand in there, so haven't fixed/changed it, but that should set you on your way. PLEASE PLEASE PLEASE don't just copy the code and hope it'll work. look at the changes i made, try and suss out why i made them and what's going on, and see how you go. Cheers Mark
  20. no. the code i posted was to give you an example - ie, to use $imgfile['name'], not $imgfile_name. the general idea of the code would work, but a few mistakes like that will stop it in its tracks. either way, the fact you posted my example code (the 'echo's) and looking at the output shows that the file is being uploaded correctly. one change for example:
[code]
<?php
    $pext = getFileExtension($imgfile['name']);
?>
[/code]
you need to make those changes throughout the code in the relevant places. substitute your references to imgfile (imgfile_name, etc) with the ones i gave in my example and you should be a little closer to getting it working. cheers Mark
  21. post your updated code. throw it between some [ code ] and < ?php tags to make it clearer for us to read.
  22. then in the case of an error, providing your code terminates and never reaches the line:
[code]
      header("location: redirect"); // example, I redirect here
[/code]
you shouldn't have too many problems. as per my previous post, you need:
[code]
<?php
      header("location: redirect"); // example, I redirect here
      exit;
?>
[/code]
  23. in this case, you want $_FILES['imgfile'], not $_POST['imgfile']. you use post to get regular input fields, and $_FILES for files. a couple of other things.
[code]
<?php
$imgfile = $_FILES['imgfile'];
echo $imgfile['name'];     // original filename - NOT $imgfile_name as you have it
echo $imgfile['tmp_name']; // the actual filepath/name of the uploaded file on the server
echo $imgfile['type'];     // the MIME type. always good to use this instead of/as well as the file extension
echo $imgfile['error'];    // any error messages. 0 = successful upload.
?>
[/code]
[b]edit:[/b] also, it's generally better to use [url=http://www.php.net/move_uploaded_file]move_uploaded_file[/url] instead of copy in this case. [b]edit2[/b]: also:
[code]
<?php
if (($pext != "jpg" or "jpeg" or "bmp" or "png"))
?>
[/code]
should be
[code]
<?php
if (($pext != "jpg" && $pext != "jpeg" && $pext != "bmp" && $pext != "png"))
?>
[/code]
take those points into account in your code, and you should get it fixed.
  24. you need to set up an auto-incrementing primary (unique) key for the users table. taith, just out of interest, why is this faster:
[quote author=taith link=topic=117461.msg479204#msg479204 date=1165343751]
just as a subnote... this is about 2-3x faster Edited:
[code]
$password = bin2hex(md5($_POST['password']));
[/code]
[/quote]
than the previously suggested $password = md5($_POST['password']) ?
  25. if you want terrible messy code, then sure - put some display work, put some logic, put some more display work, a bit more logic, followed by a mix of everything else. without even seeing your code, i'm guessing it's gonna be quite unmaintainable. one thing i learned is whilst total separation (MVC type thing) is not totally necessary, keeping some form of neat structure to your code goes a long way. even if i'm not using a template of some form, and not using the MVC pattern, i'll always still make a point of doing ALL my logic first, and only then will i display the page. try it, and see the difference yourself. instead of displaying the validation errors where you have them, store them in a var/array UNTIL it gets to outputting your template/HTML stuff, and THEN display the errors.
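An added example (not code from the original post) of the structure described above: validation runs first and collects its errors in an array, and only afterwards is any HTML produced. The view is plain PHP used as its own template engine, as other posts on this page recommend, captured into a string with ob_start() so the page can decide when to send it. The form fields and the request data are constructed for the demonstration. One caveat on the short tags discussed elsewhere on the page: `<?=` has been available regardless of the short_open_tag setting since PHP 5.4, so it is safe to rely on here.

```php
<?php
// Added example: logic first, display last. Field names and sample data are constructed.
declare(strict_types=1);

// HTML encoder used by the view for every dynamic value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ---- logic: validate the request and return what the view needs, nothing printed ----
function validate_signup(array $post): array
{
    $errors = [];
    $name   = trim((string) ($post['name'] ?? ''));
    $email  = trim((string) ($post['email'] ?? ''));

    if ($name === '' || strlen($name) > 50) {
        $errors[] = 'Name must be between 1 and 50 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return ['errors' => $errors, 'values' => ['name' => $name, 'email' => $email]];
}

// ---- display: the only place HTML is emitted, rendered into a string ----
function render_form(array $errors, array $values): string
{
    ob_start();
    ?>
<form method="post" action="">
<?php if ($errors): ?>
  <ul class="errors">
<?php foreach ($errors as $e): ?>
    <li><?= h($e) ?></li>
<?php endforeach; ?>
  </ul>
<?php endif; ?>
  <p>Name: <input name="name" value="<?= h($values['name']) ?>"></p>
  <p>Email: <input name="email" value="<?= h($values['email']) ?>"></p>
  <input type="submit" value="Sign up">
</form>
<?php
    return (string) ob_get_clean();
}

// Constructed request data standing in for $_POST: an empty name and a hostile email value.
$post = ['name' => '', 'email' => 'not-an-email" onfocus="alert(1)'];

$result = validate_signup($post);
// All logic is finished and nothing has been sent yet, so a redirect or a
// different status code could still be chosen here. Now, and only now, display.
echo render_form($result['errors'], $result['values']);
```

Keeping the errors in an array until the view runs is what makes the "logic first" rule practical: the view sees one list and prints it in one place, and the values are re-filled into the form encoded, so the hostile email value above ends up as inert text inside the attribute.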