
StevenOliver

Members
  • Content Count: 147
  • Joined
  • Last visited
  • Days Won: 4

StevenOliver last won the day on May 5

StevenOliver had the most liked content!

Community Reputation

11 Neutral

About StevenOliver

  • Rank
    Advanced Member


  1. Easy. First, pause your page (make it private) because it is a security risk right now. 1.) Turn on error reporting in both PHP, and mySQL. 2.) Echo your query (echo "$q";) and directly try what's echoed in mySQL. 3.) When you get it working, sanitize, sanitize, and sanitize (at very minimum, do mysqli escape string functions). 4.) You have "if ($_POST["add_record"])", but how do you know if a record was actually inserted? You might want to do a quick mySQLi query to make sure a valid record was inserted. Always assume the worst, e.g. "people are trying to hack your website now," "nothing is getting inserted into mySQL," "my code is not doing what I want it to do," "we will be in lockdown forever LOL," and then you'll be good :-)
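     The four steps above applied to an "add record" handler, as an added example (not code from this thread). It assumes PDO with the SQLite driver is available so it runs offline; with MySQL only the DSN changes, and the constructed $post array stands in for $_POST.

```php
<?php
// Added example, not from the original thread: error reporting turned on,
// input validated, the INSERT parameterized, and the insert actually checked.
// PDO with an in-memory SQLite database (assumed available) stands in for
// MySQL so this runs offline; $post is a constructed stand-in for $_POST.
declare(strict_types=1);

// Step 1: make PHP and the database driver report problems loudly instead of
// silently doing nothing.
error_reporting(E_ALL);
ini_set('display_errors', '1');
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT NOT NULL, qty INTEGER NOT NULL)');

// Constructed form submission, including an apostrophe that would break a
// naively concatenated query.
$post = ['add_record' => '1', 'name' => "O'Brien", 'qty' => '3'];

// Returns the new row id, or null if the input was rejected or nothing was written.
function addRecord(PDO $db, array $post): ?int
{
    // The submit button being set says nothing about the other fields.
    if (!isset($post['add_record'], $post['name'], $post['qty'])) {
        return null;
    }
    $name = trim($post['name']);
    if ($name === '' || strlen($name) > 100 || preg_match('/^\d{1,9}$/', $post['qty']) !== 1) {
        return null;
    }

    // Step 3: parameterize rather than escape. The values travel separately
    // from the SQL text, so step 2 (echoing the query) shows only placeholders
    // and user data can never change the statement's structure.
    $sql = 'INSERT INTO records (name, qty) VALUES (:name, :qty)';
    $stmt = $db->prepare($sql);
    $stmt->execute([':name' => $name, ':qty' => (int) $post['qty']]);

    // Step 4: confirm a row was really written instead of assuming it.
    if ($stmt->rowCount() !== 1) {
        return null;
    }
    return (int) $db->lastInsertId();
}

$id = addRecord($db, $post);
$row = $db->query('SELECT name, qty FROM records WHERE id = ' . (int) $id)->fetch(PDO::FETCH_ASSOC);
echo 'inserted id=', var_export($id, true), ': ', json_encode($row), PHP_EOL;
$bad = ['add_record' => '1', 'name' => 'x', 'qty' => '3; DROP TABLE records'];
echo 'malformed qty rejected: ', var_export(addRecord($db, $bad) === null, true), PHP_EOL;
```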
  2. With PHP security, it's important to really learn what you are doing -- no guesswork! If you google "password_hash" you'll see a lot of explanations and examples. In the "olden days" passwords were encrypted, and stored in a database (which could later be hacked). Many encryption functions can result in strings that can be easily decrypted. In fact, there are a lot of websites that will attempt to decrypt your "super-duper encrypted string" for you, and usually do it in about 5 seconds. Nowadays, password "hashing" is popular. The password_hash function uses a random string each time to generate a "hash," which, when tested against the original password (using "password_verify"), will result in either a 'true' or a 'false.' You've noticed when you use "password_hash" you will get a different result each time. That is because this function uses a random string (in the case of your example, "PASSWORD_BCRYPT"). However, regardless how many password_hash results are generated against a specific password, they will all verify as "true." Nowadays, most websites choose to store actual password hashes in databases, rather than actual passwords. Instead of "PASSWORD_BCRYPT" it is popular to use "PASSWORD_DEFAULT" because as new algorithms are invented with PHP upgrades, "PASSWORD_DEFAULT" supposedly uses the latest and greatest. So, if it were me, even though "PASSWORD_BCRYPT" is considered pretty darn good, I would use "PASSWORD_DEFAULT" instead. Again, "security related PHP issues" is not the place to just throw in any line of code you found off the net as one might do when searching for "cool CSS button effects," etc. At the very minimum, do some googling and understand what you are doing. Google "password_hash" "password_verify" and learn all the caveats.
  3. gizmola, thank you for mentioning that "Can I use" site. That should definitely be useful for me. Another site I use is that one that displays what my website looks like in different browsers. I forgot the name of it, but I like to be cross-platform. Nothing bugs me more than websites that say "You must use xyz to view this site properly."
  4. Thank you all! This will work in Netscape Navigator, right? Javascript sure has come a long way since the 90's.
  5. Requinix, thank you! When you say "inline event handlers," do you mean "onClick" and "onInput?" With my simple script, what are some things that could go wrong?
  6. This is the best I can do. This appears to work whether the visitor hand-types their input, or pastes their input:

     <script>
     var character_count = 5;
     var multiples = 1;
     function show_alert(n) {
       if (n > (character_count * multiples)) {
         alert(" At least 5 more characters were entered. ");
         multiples++;
       }
     }
     </script>
     <textarea onInput="show_alert(this.value.length);"> </textarea>

     Your thoughts please?
  7. Question: How do I get an alert after every input (keypress or paste) of 5 or more characters are pasted into a textarea?

     // This doesn't work:
     function alert_every_five() {
       var incrmt = 5;
       if ( document.getElementById("my_input").value.length > incrmt ) {
         alert("you input another five-or-more characters");
         incrmt += 5;
       }
     }

     Example: Visitor types the words "Good day! How are you today?"
     Desired effect while typing: As soon as visitor types the "d" in "day," the alert should trigger. No more alerts should trigger until each 5 character increment (i.e. as soon as they type the "H" in "How," the "r" in "are" etc. etc.).
     Desired effect while pasting: Alerts should trigger only if "5-or-more" characters are input: If visitor pastes "good day! How are you today?" : just one alert. If visitor pastes "good day" and then "How" and then "are you today?" : alert after "good day" and no more alerts until "are you today" is pasted.
     Thank you!
  8. Requinix, thank you. Here are my thoughts: 1.) Regarding Microsoft, I think the line of code "else { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }" simply helps cover all bases. 2.) Using jquery looks cool and a jquery function only needs a couple lines to type. 3.) However, adding jquery.js turns my 4K page into a 50K, and at least I "see" what's going on when using the XMLHTTP style. 4.) I like "decision making" and I dislike how jquery is a 50k of intimidating code, of which I need only a couple lines of anyway. So, I would choose the XMLHTTP style, and I'm ready to dig through all my code and replace the jquery version with the XMLHTTP version. However, if you said that jquery is a.) safer, or b.) more browser compliant, or c.) traps errors better, or d.) better in some other way, I would change my code back to jquery. So I'm curious which one you'd choose?
  9. Background: I'm comparing 2 styles of Ajax: 1.) "jquery style" 2.) "ActiveXObject Microsoft.XMLHTTP style"
     Question: Is one better (faster, more cross-browser compliant) than the other?
     My experience: Both seem equally fast. The Microsoft style is a bit longer, but I don't have to load jquery.js to my page!
     Code Examples:

     Jquery style on my PHP page:

     function getInfo(ProductNumber) {
       $.ajax({
         url: 'Ajax-PHP-Page.php?ProductNumber=' + ProductNumber,
         success: function(html) {
           document.getElementById("my_div").value = '';
           document.getElementById("my_div").value = html;
         }
       });
     }

     Microsoft style on my PHP page:

     function getInfo(ProductNumber) {
       var xmlhttp;
       if (window.XMLHttpRequest) {
         // code for IE7+, Firefox, Chrome, Opera, Safari
         xmlhttp = new XMLHttpRequest();
       } else {
         // code for IE6, IE5
         xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
       }
       xmlhttp.onreadystatechange = function() {
         if (this.readyState == 4 && this.status == 200) {
           document.getElementById("my_div").value = this.responseText;
         }
       };
       xmlhttp.open("GET", "Ajax-PHP-Page.php?ProductNumber=" + ProductNumber, true);
       xmlhttp.send();
     }

     Thank you!!
  10. No problem. A perfect place to start is by learning a bit more what PHP is about (browse this). Then this should help you with your question: https://www.php.net/manual/en/reserved.variables.post.php
  11. Not to be a debbie downer, but the specific login script you mention uses MD5. If your website's password security is important to you, please read "no one should be using MD5 anymore" at https://en.wikipedia.org/wiki/MD5 (MD5 is broken). From what I understand, php's built in "password_hash" function is much, much better than MD5. If you please read the question and answer about the "password_hash" function here, you might be inclined to go ahead and use mySQL. There are some pre-written login scripts on the net using "password_hash" that even I (a total PHP dumbo) can understand (just google "simple password_hash login scripts"). Just a thought.
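     An added example (not code from the posts above) that demonstrates the points made in posts 2 and 11 with real calls: md5() gives the same digest every time, password_hash() gives a different hash every time yet every one verifies, and password_needs_rehash() with PASSWORD_DEFAULT lets a login handler upgrade old hashes. The sample password and the login() helper are constructed for the demo.

```php
<?php
// Added example, not code from the original posts: behaviour of md5(),
// password_hash(), password_verify() and password_needs_rehash() side by side.
declare(strict_types=1);

// Constructed sample password; in real code it arrives from the login form.
$password = 'correct horse battery staple';

// Same input, same digest every time: a leaked md5 table can be matched
// against precomputed digests of common passwords.
echo 'md5 twice: ', md5($password) === md5($password) ? 'identical' : 'different', PHP_EOL;

// Same input, different hash every time, because each call picks a new random salt.
$hash1 = password_hash($password, PASSWORD_DEFAULT);
$hash2 = password_hash($password, PASSWORD_DEFAULT);
echo 'password_hash twice: ', $hash1 === $hash2 ? 'identical' : 'different', PHP_EOL;

// Both hashes still verify the original password and reject a wrong one.
foreach ([$hash1, $hash2] as $i => $h) {
    printf("hash%d verifies password: %s, wrong password: %s\n", $i + 1,
        var_export(password_verify($password, $h), true),
        var_export(password_verify('wrong password', $h), true));
}

// A login routine: verify first, then upgrade the stored hash if it was made
// with an older algorithm or a weaker cost than PASSWORD_DEFAULT now uses.
// Only the hash is ever stored; the plaintext exists just for this request.
function login(string $storedHash, string $submitted, callable $saveNewHash): bool
{
    if (!password_verify($submitted, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $saveNewHash(password_hash($submitted, PASSWORD_DEFAULT));
    }
    return true;
}

// Simulate a row hashed long ago with bcrypt at the lowest allowed cost.
$legacy = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);
$stored = $legacy;
$ok = login($stored, $password, function (string $new) use (&$stored): void { $stored = $new; });
echo 'login ok: ', var_export($ok, true),
     ', hash upgraded: ', var_export($stored !== $legacy, true),
     ', upgraded hash verifies: ', var_export(password_verify($password, $stored), true), PHP_EOL;
```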
  12. Still terrible code but safer:

     <?php
     $dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
     foreach ($dubious_query_string_values as $var => $val) {
         $val = preg_replace('/[^\d=]/', '', $val);
         $parts = explode('=', $val);
         echo 'SELECT * FROM table WHERE sub="'.$parts[0].'" AND pro = "'.$parts[1].'";';
         echo '<BR>';
     }
     ?>
  13. I agree with the answers given. However, I'm happy to provide a dubious 1990's-style PHP answer to your dubious question 😀

     <?php
     $dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
     foreach ($dubious_query_string_values as $var => $val) {
         $parts = explode('=', $val);
         echo 'SELECT * FROM table WHERE sub="'.substr($parts[0],3).'" AND pro = "'.substr($parts[1],3).'";';
         echo '<BR>';
     }
     ?>

     If your URL looks like this: www.example.com/dubious.html?sub2=pro73&sub2=pro76&sub2=pro79&sub2=pro90&sub2=pro92&sub3=pro73&sub3=pro74&sub3=pro87&sub3=pro90, the above code will give you:

     SELECT * FROM table WHERE sub="2" AND pro = "73";
     SELECT * FROM table WHERE sub="2" AND pro = "76";
     SELECT * FROM table WHERE sub="2" AND pro = "79";
     SELECT * FROM table WHERE sub="2" AND pro = "90";
     SELECT * FROM table WHERE sub="2" AND pro = "92";
     SELECT * FROM table WHERE sub="3" AND pro = "73";
     SELECT * FROM table WHERE sub="3" AND pro = "74";
     SELECT * FROM table WHERE sub="3" AND pro = "87";
     SELECT * FROM table WHERE sub="3" AND pro = "90";

     Again, this is PHP from the 80's before hacking got invented. Please heed gw1500se's and Barand's advice: never ever put raw input into mysql queries, etc.!
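     The same sub/pro query string handled the way posts 12 and 13 say it should be, as an added example (not the thread's code): each pair is validated against a strict pattern instead of being "cleaned", and the lookup is a prepared statement with integer-typed placeholders. It assumes PDO with the SQLite driver so it runs offline in place of MySQL; the products table, its rows and the query string are constructed.

```php
<?php
// Added example, not from the original posts: strict validation of the
// "sub2=pro73&sub3=pro90" query string plus a prepared statement, so nothing
// from the URL is ever pasted into SQL text. PDO with an in-memory SQLite
// database (assumed available) stands in for MySQL; all data is constructed.
declare(strict_types=1);

// Turn "sub2=pro73&sub2=pro76&junk" into [[2, 73], [2, 76]]; any item that
// does not match sub<digits>=pro<digits> exactly is dropped, not repaired.
function parsePairs(string $queryString): array
{
    $pairs = [];
    foreach (explode('&', $queryString) as $item) {
        if (preg_match('/^sub(\d{1,6})=pro(\d{1,6})$/', $item, $m) === 1) {
            $pairs[] = [(int) $m[1], (int) $m[2]];
        }
    }
    return $pairs;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (sub INTEGER, pro INTEGER, label TEXT)');
$seed = $db->prepare('INSERT INTO products VALUES (?, ?, ?)');
foreach ([[2, 73, 'widget'], [2, 76, 'gadget'], [3, 90, 'gizmo']] as $row) {
    $seed->execute($row);
}

// Prepared once, executed once per pair. The placeholders are bound as
// integers, so the SQL the engine sees is identical for every request.
$lookup = $db->prepare('SELECT label FROM products WHERE sub = :sub AND pro = :pro');

// Constructed input: valid pairs, one unmatched pair, and two malformed items
// that parsePairs() silently drops.
$qs = 'sub2=pro73&sub2=pro76&sub2=pro79&sub3=pro90&sub3=pro90 OR 1=1&sub=pro';
foreach (parsePairs($qs) as [$sub, $pro]) {
    $lookup->bindValue(':sub', $sub, PDO::PARAM_INT);
    $lookup->bindValue(':pro', $pro, PDO::PARAM_INT);
    $lookup->execute();
    $label = $lookup->fetchColumn();
    $lookup->closeCursor();
    printf("sub=%d pro=%d -> %s\n", $sub, $pro, $label === false ? '(no match)' : $label);
}
```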
  14. Aside from the "column not found" error, would it be worth trying wrapping the string values in quotes in your SQL query? Or, for example, converting the IP addresses to integers before using comparison operators (using inet-ntop function)?
  15. Kicken, thank you. I added your line of code and removed the "sub(new DateInterval('PT8H'))" portion. It now gives the correct time! 😀

     date_default_timezone_set('America/Los_Angeles');
     $date = new DateTime();
     $currentTime = $date->format('F j, Y \a\t g:ia');
     echo $currentTime;

     I guess that means I never have to monkey with it again, adding and subtracting for daylight time, server location, etc. Thank you again!!