Posts posted by Chips

  1. I'd personally put it before you do anything else with the data. No point doing any processing if the email exists!
    [code]
    // Run the lookup first; if a row comes back, stop before doing any other work
    $query="select * from users where id=$id";
    $result=mysql_query($query);
    if(mysql_num_rows($result) > 0){

    echo "Sorry email taken please use another one cheers!
    <a href='what_ever_you_called_this_page.php'>Please Try Again</a>"; exit;

    } else {
    //insert statements etc
    }[/code]

    I'm not the best coder in the world by a long shot, so this should be subject to change upon other recommendations.
  2. [quote author=Daniel0 link=topic=99846.msg394012#msg394012 date=1152458022]
    You could also use [url=http://php.net/mysql_real_escape_string]mysql_real_escape_string[/url].
    [/quote]
    But how do you actually "strip" (or essentially reverse) what this function does, or does the replacement of the extra characters only occur in mysql, and when the value stored in the database is returned, these are returned as normal - allowing you to just use stripslashes?

    Furthermore I note some saying check whether your gpc_quotes or whatever is on (the thing that automatically addslashes to your POST/GET/COOKIES) before running an addslashes - to ensure you don't escape things twice - but when you run stripslashes it appears to remove ALL "\" characters, and not just doubled up ones. Presents a problem of also how to preserve a "\" character in the event that it is supposed to be in there too!

    Any help with my understanding here would be greatly appreciated, as I am suddenly having to swap a DB from mssql to mysql, and am trying to ensure that I won't stuff it up too badly :P in MSSQL you just did a str_replace("'", "''", $var) - and when it was returned, well - it automatically "lost" the extra ' that was inserted, meaning no formatting required :P
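
Added example, not part of the post above: escaping (or parameter binding) only protects the SQL text on its way to the parser, so the value stored and later returned is the original string and needs no stripslashes. The sketch uses PDO with an in-memory SQLite database so it runs offline (assumes the pdo_sqlite extension); the table and function names are hypothetical.

```php
<?php
// Store a value through a bound parameter and read it straight back.
function round_trip(PDO $db, string $value): string
{
    // The driver keeps data and SQL text apart, so no manual escaping is needed.
    $ins = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $ins->execute([':body' => $value]);

    $sel = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $sel->execute([':id' => $db->lastInsertId()]);
    return $sel->fetchColumn();
}

// The magic_quotes_gpc case: undo the automatic slashes once, on input,
// and never on values read back from the database.
function undo_magic_quotes(string $input, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($input) : $input;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample values: a quote, a legitimate backslash path,
// and a string shaped like an injection attempt.
$samples = ["O'Reilly", 'C:\\temp\\new', "x'); DROP TABLE notes; --"];

foreach ($samples as $original) {
    $stored = round_trip($db, $original);
    // What comes back is byte-for-byte what went in.
    assert($stored === $original);
    // Running stripslashes() on it anyway eats the real backslashes.
    printf("in=%s | out=%s | after stripslashes=%s\n",
        $original, $stored, stripslashes($stored));
}

// Simulate what magic quotes would hand the script for the input C:\temp
$fromRequest = addslashes('C:\\temp');
assert(undo_magic_quotes($fromRequest, true) === 'C:\\temp');
assert(undo_magic_quotes('C:\\temp', false) === 'C:\\temp');
```
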
  3. [quote author=play_ link=topic=100027.msg394304#msg394304 date=1152524672]
    Well, you could assign a variable something and check it on validation.php.

    so on register.php, you could do something like
    $a = "this var must be set";

    then on validation.php, you could check if $a exists, and if it does, does it hold the string "this var must be set".

    and you could also do sessions.

    or, do all 3 for maximum security.
    [/quote]

    Hehe, thanks - I did consider sessions, but I have another thing that checks the URL entered whenever a page is loaded for things like SELECT ' UNION LIKE etc... all of which don't exist in my site, so would indicate a possible/potential attack. Was hoping there may be some generic solution I could similarly apply to every page with just a lil bit of coding in the index.php (as everything "goes through" that anyway) that would do similar.

    Robots right though, HTTP_REFERER isn't reliable enough to be used, at which point I was kind of floundering :P I'll go with the sessions idea unless anyone else can chip in - so many thanks in advance.
  4. Trying to stop someone making their own page submit to my server's page - ie if I have a validation.php, and I have a login.php or register.php that processes the form to validation.php (or maybe if it processes it to itself) - I wish to prevent someone from running a script that processes [i]their[/i] form on [i]their[/i] server from submitting to [i]my[/i] validation.php page.

    Essentially I have some select fields with values, obviously the input is only of what I devise, so I never did any error checking upon it at this time. Now, obviously, I should - but I also wish to check where the data is coming from, to prevent others from trying to submit to my page.

    Does this make any sense?
    I noted HTTP_REFERER from http://uk.php.net/reserved.variables BUT it does mention that this shouldn't be trusted explicitly. Anyone have any suggestions?
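
Added example, not part of the posts above: the session approach mentioned in this thread, written as a per-form token that validation.php checks, together with the server-side check on the select value that the post says is still missing. The function names, the `country` field and its option values are hypothetical; in a real page `$_SESSION` (after `session_start()`) and `$_POST` are passed in place of the constructed arrays.

```php
<?php
const ALLOWED_COUNTRIES = ['uk', 'fr', 'de'];   // assumed <option> values of the form

// register.php side: create a token, keep it in the session and
// print it into the form as a hidden field named form_token.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// validation.php side: accept the POST only if it carries the token issued
// to this visitor's session and the select value is one that was offered.
function check_submission(array &$session, array $post): array
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    unset($session['form_token']);              // each token is good for one submit

    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return [false, 'bad or missing form token'];
    }
    $country = $post['country'] ?? null;
    if (!is_string($country) || !in_array($country, ALLOWED_COUNTRIES, true)) {
        return [false, 'country is not one of the offered options'];
    }
    return [true, $country];
}

// Constructed demo data standing in for $_SESSION and $_POST.
$session = [];
$token = issue_form_token($session);
[$ok, $info] = check_submission($session, ['form_token' => $token, 'country' => 'uk']);
printf("own form:       %s (%s)\n", $ok ? 'accepted' : 'rejected', $info);

$session = [];
issue_form_token($session);
[$ok, $info] = check_submission($session, ['country' => 'uk']);   // form hosted elsewhere, no token
printf("foreign form:   %s (%s)\n", $ok ? 'accepted' : 'rejected', $info);

$session = [];
$token = issue_form_token($session);
[$ok, $info] = check_submission($session, ['form_token' => $token, 'country' => 'zz']);
printf("edited select:  %s (%s)\n", $ok ? 'accepted' : 'rejected', $info);
```

The token ties a submission to a form this site served to that session; it does not replace the value check, because anything a browser can send a script can send as well.
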
  5. [quote author=craygo link=topic=99533.msg392567#msg392567 date=1152199413]
    When running IIS you have to give the web account access to the folder you wish to write to. By default the web account is IUSR_[i]computername[/i]. You need to give this account modify access to the folder. When giving access you should also click advance and make sure you click the option to make it recursive.
    [/quote]
    Thanks, I have tried this - but it still fails to make any changes/difference at the moment. I've pretty much granted (as it's a local server, not available to the internet) everything access to everything in order to try and get it to work - all security settings on folders have been set to allow for modify (and the others that go with it), and still no joy.

    Has reached the point that we are about to install linux on a partition instead - as to be honest, working with windows has been non stop headaches from day one...

    Many thanks for putting things forward though, sadly it's impossible to see whether I actually did things right or not, but I think I did :)
  6. I was confused tbh, I now get at what you mean - I misunderstood what you were after. Sounds more like the implementation of abstract methods or interfaces, and it's the implementing class that requires to define the method body.

    Fraid my limited brain power and knowledge just can't help, sorry. Probs been more of a diversion in my posts than helpful :(
  7. Posting your code would be most beneficial to be honest, use the code tags (surrounded by square brackets, so {code} your code here {/code} but with square brackets).
  8. It appears that you can do it:
    [code]
    <?php
    class Foo {
      public static function aStaticMethod() {
          // ...
      }
    }

    Foo::aStaticMethod();
    ?>
    [/code]

    So just adding the static keyword to your function declaration should sort your problem out. I say should, but bear in mind I come here to ask for help - so I am not the best person to be handing it out to be honest :P ;)
  9. Create an object, then call its functions/methods. You still need the include statement.

    [code]
    $example = new classname();
    $example->functioncall();
    [/code]

    This will call the function "functioncall()" from the object created for example.

    If you mean something more like this (described as it is for java) where you can have a class with a [i]static[/i] method, which can then be called without constructing an object of that class by the follows...

    classname.staticmethodsignature();
    Otherwise you have to create an object to call the methods. Not sure if php can do this, haven't looked - but it would be an idea to lookup static + php in google and see if you can find anything about it. Would still require an include I'd imagine, just like the "import" in java ;)
  10. With mysql you can use the insert_id function, which can be found here - in the mysql documentation on php.net.

    http://uk.php.net/manual/en/function.mysql-insert-id.php

    If you have any trouble with it working, then I am sure others will be able to help - just beware that it will return the [i]last insert id[/i], so if you are running two inserts (info into two tables) it will return the id for the second table, NOT the first.
  11. The problem is this:

    I am trying to use php for ftp uploads. I can connect and log into the server. Once logged in, I can return  the list of files in the directory, I can delete files, I can create a directory and I can delete said directory - all without any trouble or issues at all.
    What I am failing to do is to upload or download files via the ftp connection using ftp_put, ftp_get methods.
    Here is the code I am trying to use - it's taken from php.net's example under ftp_put. The filename is coming from an <input type="file"> as given under http uploads, in the $_FILES['userfile']['name'].

    [code]
    <?php
    $file = $_FILES['userfile']['name'];
    $endfile = 'file.txt';
    $ftp_server = 'servername';
    $ftp_user_name = 'username';
    $ftp_user_pass = 'password';
    $conn_id = ftp_connect($ftp_server) or die("Couldn't connect to server");
    $ftp_login = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass) or die("Cannot login to the ftp server");
    if($ftp_login){
      echo "logged in!<br />";
      if(ftp_put($conn_id, $endfile, $file, FTP_ASCII)) {
      echo "file upload successful";
      } else {
      echo "file not uploaded";
      }
    }
    ftp_close($conn_id); 
    ?>
    [/code]

    I have changed the FTP_ASCII to binary instead, and still no joy. The file I am trying to upload is a txt file, called mike.txt for now, although I have also renamed it to match the "endfile" name specified. I am running on a windows webserver, with iis 6 and mssql as my database (although that obviously has no bearing on this issue :D). As I say, I can do other functions, just not upload/download files.

    Thanks for anyone taking the time to read/think/suggest/point anything that they can think of to me, and help is much appreciated. Any further info needed will be posted on request ;)
  12. Another problem:

    I can connect to my server via ftp, indeed - I can not only login with ftp, but create a new folder as well - so it is working in [i]that[/i] respect, I can delete files, delete folders too... But I cannot download or upload files via ftp.

    [code]
    <?php
    $ftp_server = 'servername';
    $ftp_user_name = 'username';
    $ftp_user_pass = 'password';
    $conn_id = ftp_connect($ftp_server) or die("Couldn't connect to server");
    $ftp_login = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass) or die("Cannot login to the ftp server");
    if($ftp_login){
      echo "logged in!<br />";
      ftp_mkdir($conn_id, "testdir");
    } else {
      echo "not logged in<br />";
    }
    ftp_close($conn_id); 
    ?>
    [/code]
    Now it prints out the logged in!, and also creates the testdir - so it does log in without issue.

    However, remove that part and insert the more required function: Upload a file. This is related to my earlier http upload issue, which worked on apache but not windows (and couldn't get it working either  ???). Swapped to ftp thinking it would be simple to use that instead, but when trying - it doesn't work.
    [code]
    $file = $_FILES['userfile']['name']; // comes from a form that submits to this file, the filename is correct and working just fine
    $endfile = 'file.txt';

    if(ftp_put($conn_id, $endfile, $file, FTP_ASCII)) {
    echo "file upload successful";
    } else {
    echo "file not uploaded";
    }
    ftp_close($conn_id); 
    ?>
    [/code]

    Now it always says "file not uploaded". I've tried binary transfer, tried changing filenames, paths, etc. The file is selected via input type="file" and this is the method as per my previous post that successfully uploaded via http transfer to my apache server. Therefore I know that the file to upload [i]is[/i] selected correctly, obviously it's the actual upload that isn't working and I cannot find any php.ini settings that are relevant to it. The filesize is small, under 2kb - so it doesn't exceed any settings in php.ini for max filesize.

    Does anyone have any bright ideas, clues, experiences etc with this sort of thing? Running a local windows server IIS 6, and like I said - I can make folders (suggest any other functions if you wish).
    Oh yes, I can log into the local server with ipswitch ftp program, and copy/upload/download files all day - so the userlogin etc is perfectly fine, and the permissions must be fine too...
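
Added example, not part of the two posts above: in a `$_FILES` entry, `name` is the filename as it was on the visitor's machine, while `tmp_name` is the path of the uploaded copy on the web server, and the local-file argument of `ftp_put` has to be a path that exists on the web server. The helper names are hypothetical, and the demo entry is constructed, so the `is_uploaded_file` check is switched off for it.

```php
<?php
// Turn one $_FILES entry into [local path on the web server, safe remote name].
function ftp_source_from_upload(array $entry, bool $requireHttpUpload = true): array
{
    $error = $entry['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with error code $error");
    }
    $local = $entry['tmp_name'];
    // Only accept a file PHP itself received over HTTP POST.
    if ($requireHttpUpload && !is_uploaded_file($local)) {
        throw new RuntimeException('tmp_name is not a PHP upload');
    }
    if (!is_readable($local)) {
        throw new RuntimeException('uploaded copy is not readable');
    }
    // The client picks "name": drop any path and keep a conservative character set.
    $base   = basename(str_replace('\\', '/', (string) $entry['name']));
    $remote = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    if ($remote === '' || $remote[0] === '.') {
        throw new RuntimeException('unusable file name');
    }
    return [$local, $remote];
}

// Push the uploaded copy over an already logged-in FTP connection.
function send_upload($conn, array $entry): bool
{
    [$local, $remote] = ftp_source_from_upload($entry);
    return ftp_put($conn, $remote, $local, FTP_BINARY);
}

// Constructed entry shaped like $_FILES['userfile'].
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "hello\n");
$entry = ['name' => 'C:\\docs\\mike.txt', 'tmp_name' => $tmp,
          'error' => UPLOAD_ERR_OK, 'size' => 6];

[$local, $remote] = ftp_source_from_upload($entry, false);
printf("local source: %s\nremote name:  %s\n", $local, $remote);
assert($local === $tmp && $remote === 'mike.txt');
unlink($tmp);
```
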
  13. The code is near identical to that of php.net's example... and it WORKS under linux/apache servers. However, I am trying to get the darned thing working upon WINDOWS IIS instead, which is giving problems. So it works on one platform, but not on another. Essentially the question is, does anyone know why? Sessions can be written to the local temp folder of the windows server, so I would have assumed that it's okay to upload files to that location as well (only admins can upload files, and at this moment - security isn't an issue, tis a local server for local people... no strangers on here!).

    [code]
    <table width="100%" class="padded">
          <tr height="140">
            <td align="center">
              <form enctype="multipart/form-data" action="uploader.php" method="POST">
              <input type="hidden" name="MAX_FILE_SIZE" value="11111111" />
              <table border="0" cellpadding="0" cellspacing="0">
                <tr>
                  <td>
                    Choose a file to upload:
                  </td>
                  <td rowspan="2">
                  <input name="userfile" type="file" />
                  </td>
                </tr>
                <tr>
                  <td><span class="small">(max filesize is 1111111)</span>
                  </td>
                </tr>
                <tr>
                    <td colspan="2" align="center">
                        <input type="submit" value="submit" name="submit"/>
                    </td>
                </tr>
              </table>
              </form>
            </td>
          </tr>
        </table>

    [/code]


    Uploader.php
    [code]
    <?php
    // Where the file is going to be placed
    $target_path = '';

    /* Add the original filename to our target path. 
    Result is "uploads/filename.extension" */
    $target_path = $target_path . basename($_FILES['userfile']['name']);
    echo $target_path;
    if(move_uploaded_file($_FILES['userfile']['tmp_name'], $target_path)) {
        echo "The file ".  basename( $_FILES['userfile']['name']).
        " has been uploaded";
    } else{
        echo $_FILES['userfile']['error'] ." - error uploading the file, please try again!";
        print_r($_FILES);
    }
    ?>[/code]

    Any input or suggestions would be much appreciated.
  14. Is this because you aren't doing anything with returned data?
    [code]
    <html>
    <head>
    <title>Drop Down Results</title>
    </head>
    <body>
    search me via search box
    <form  method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
    <SELECT NAME="name">
    <?php
    $db=mysql_connect("dbhost","dbname","dbpass");
    mysql_select_db("dbname", $db);
    $query="select * from dbtable";

    $result=mysql_query($query);

    while($record=mysql_fetch_assoc($result)){
    echo"<OPTION VALUE='".$record["category"]."'>".$record["category"]."</OPTION>";
    }

    ?>
    </select>
    <input type="submit" value="submit">
    </form>
    </body>
    </html>
    [/code]
    This is all fine, the submit submits back to this same page. But you haven't set it up to actually do anything when submitted...

    First thing I'd do is put that into a function (note that it jumps out of php into html at start of function, and back into php at end).


    [code]
    function displayDropDown() {
    ?>
    search me via search box
    <form  method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
    <SELECT NAME="name">
    <?php
    $db=mysql_connect("dbhost","dbname","dbpass");
    mysql_select_db("dbname", $db);
    $query="select * from dbtable";

    $result=mysql_query($query);

    while($record=mysql_fetch_assoc($result)){
    echo"<OPTION VALUE='".$record["category"]."'>".$record["category"]."</OPTION>";
    }

    ?>
    </select>
    <input type="submit" value="submit">
    </form>
    <?php
    }
    [/code]

    The next thing I'd do is add a check to your page when it first loads:
    [code]
    <?php
    if(isset($_POST['name'])){
    //do all your database query to return the results
    } else {
    displayDropDown();
    }
    ?>
    [/code]

    So if you haven't had a submit (you could do if($_POST['submit']) instead of if(isset($_POST['name'])) ) it will just display your drop down list.

    If it [i]has[/i] been selected, you can [i]still[/i] display your drop down list, but also then display the table of your results... 

    [code]
    if(isset($_POST['name'])){
    $db=mysql_connect("dbhost","dbname","dbpass");
    mysql_select_db("dbname", $db);
    // escape the submitted value before it goes into the query string
    $name = mysql_real_escape_string($_POST['name'], $db);
    $result=mysql_query("select * from dbtable where category='$name';");

    displayDropDown();
    ?>
    <table width="100%">
    <tr>
    <th>Date</th>
    <th>Time</th>
    <th>Employee</th>
    <th>Category</th>
    </tr>
    <?php
    while($row=mysql_fetch_assoc($result)){?>
    <tr>
    <td><?php echo $row['date']; ?></td>
    <td><?php echo $row['time']; ?></td>
    <td><?php echo $row['employee']; ?></td>
    <td><?php echo $row['category']; ?></td>
    </tr>
    <?php
    }
    ?>
    </table><?php
    } else {
    displayDropDown();
    }
    ?>
    [/code]

    Now this should display the drop down. If you select an option, click submit - it should reload the page (submits to itself) and this time, it should present the drop down at the top, with underneath it a table. The table should consist of all the results (if any) that are pulled from the database.
    If you then select another category in the drop down list and hit submit, it should do it again - but with the next category that matches.

    Hope that this helps...
  15. [quote author=All4172 link=topic=99489.msg391793#msg391793 date=1152086415]
    I'm attempting to search MYSQL and if the field keyword has a term that matches the user's keyword, it will display a message saying SORRY KEYWORD ALREADY EXISTS.  So far I'm having no luck.  Here's what I have so far but doesn't work:

    [code]
    $keyword = $_REQUEST['keyword'];
    $result = mysql_query("SELECT * FROM joa
    WHERE keyword LIKE '%$keyword%''");

    if (isset($result)){
    echo "Keyword exists";}
    else {
    echo "Keyword doesn't exist";}

    [/code]

    Any advice would be appreciated :)
    [/quote]
    Could try (until someone who's better comes along) this:
    [code]
    if (mysql_num_rows($result) > 0) {
    echo "Keyword exists";
    } else {
    echo "Keyword doesn't exist";
    }
    [/code]
    and see if that works instead...
  16. I had an index.php file, which also includes a header, if logged in (user is logged in that is) then the main page is divided into two, with the menu displayed to the left for the users links, like account etc - which is just an include 'logged.php'; and content.php included for the rest of the page.
    Footer included beneath them.

    content.php has a switch statement - kind of like:
    [code]
    switch($_REQUEST['option']){
    case 'news':
    include 'news.php';
    break;
    case 'login':
    include 'login.php';
    break;
    case 'downloads':
    include 'downloads.php';
    break;
    default:
    include 'main.php';
    break;
    }
    [/code]
    Well, to be strictly honest, it's actually functions not includes, and each function performs a series of actions - including just outputting html code, or including other files etc. There are error checks on whether it's a string etc being passed, and also an overall error check on index.php which gets the url, explodes it around the ? and checks for things like SELECT, UNION, JOIN, ", ', ;, etc.

    Each "page" that gets included can check for other things, such as $_GET['id'] for the news - as in the news id if they select a news item to view in full.

    Since it all goes through the index.php (as everything is included through it), all my links are index.php?option=xxxx&id=xxxx

    So for your case it would be index.php?option=login
    The login.php can have a form on it, or do error checking on processed things (ie you can submit back to index.php?option=login, and check to see whether your post variables are set with the correct values etc, and then login - otherwise display a form). Keeps the index.php small and neat, and everything else is fairly "independent" of the page - so changing login methods requires just swapping a file about, and not surfing through TONS of index.php code!
  17. Are you utilising a windows server with IIS as your web server?
    I had issues on a setup with this, and in the end I found another mail class function:
    http://phpmailer.sourceforge.net/

    That's the solution I used, and now it's all working great. When I used an apache webserver, I managed to use the mail function without trouble, most likely smtp difficulties on the windows server, but the admin said the smtp was set up correctly. Took the best part of a day to sort, and if you are still having trouble - I'd suggest trying that phpmailer.