Everything posted by StevenOliver

  1. Google is my friend: https://stackoverflow.com/questions/6080022/php-self-and-xss I read about that last night, very interesting. I also read this article. Whenever I see two or more ways to do something, I'll google search using "vs" as a search term. For example I'll type into google: mysqli_stmt_init vs ...and then I get to read articles where people argue about which way is best. Another thing I do (for fun) is speedtest my whole PHP page ($startime at beginning of page, $endtime at bottom of page), and figure out where the slow points are. I remember spending a whole week getting my page load time from 885ms down to 665ms. That was exciting. And, yes, from this you can infer that I don't do real PHP work, I just like learning and messing with PHP. Regarding mySQLi, Barand is the forum expert here.... (his code is a work of art; he writes code that even the PHP inventors haven't invented yet), and he uses PDO. I'd like to learn PDO. PDO does seem to benchmark a tad bit slower, but it looks way cooler! One of these days....
  2. @2020, my long lost twin 😀 It sounds like you're just like me, but quite a bit more advanced than what I know. I learned PHP code back in the late 90's... right after I learned how to fix people's broken Sony Walkmans. I'm still good at both: 90's PHP code, and fixing broken walkmans :-) Debugging code is the fun part. Just make sure you have ALL error reporting turned on, both PHP and mySQL, then start at the top few lines and comment everything out below and keep echoing stuff. When you uncomment the next block of code and you get errors, or a blank page, then that's where your first error is. This is a no-no, by the way: <?php echo $_SERVER['PHP_SELF']; ?> (injection issues) And for your require('conn.php'), at least keep your conn.php up one level above public_html, like this: require("../conn.php"); And for housekeeping's sake, I wouldn't have my form named the same as my button (both named "submit_link"). What the heck is mysqli_stmt_init.... I gotta look that one up. I'll learn something new today.
  3. I'm still waiting for my google links 😀 I'm trying to figure out what the % means in %{HTTP_HOST} and trying to figure out when to use the != 80 vs !https there are a thousand ways to do things, one is always better than the other. Trust me, there are NO tutorials on how to do htaccess regex. The "documentation" might give a cursory example, and so basically it takes me about a full 8 hour day to learn each symbol. And, things like "redirectpermanent" is written sometimes, and "redirect permanent" is written sometimes. And sometimes it will go like redirect "/" "www.blah.com" and sometimes there will be no quotes... and they both work. That's not fair. Shouldn't have more than one way to do things. There should be a big tutorial, all on one page, with all that stuff on it. And, just because one knows a little regex, that doesn't mean you can suddenly write your own rewrite rules, because there are secrets..... big secrets... I'm getting too old to keep being a "copy-and-paster" where someone's one-page blog with ads all over the page for their stupid out-of-date GitHub page LOL. I need to learn and KNOW this stuff for myself :-)
  4. Oh, I learned something again. I used to do it this way: <?php require("../my_secret_file.php"); ?> (The ../ part tells PHP to go up to the directory just above the viewable public_html directory). But I like Barand's answer: by defining these hidden directories in your php.ini file, it's a bit more secure. Again, if some idiot switches off PHP at your Shared Hosting provider, everyone will be able to see the require("../my_secret_file.php") in plain text. Of course, they still won't see what's in the secret file, but they will know where it's at :-) You know those interviews they do on TV where the interviewee does not want to be seen.... so they have all the lights out. It's totally dark, and his voice is disguised. During the interview, someone accidentally comes in the room and switches on the light hahahaha. THAT can happen with PHP. And, of course, stuff like that happens while you are on a vacation, or in the middle of the night. So when you log into your site, all of a sudden you see your PHP code everywhere. Or.... worse, you go to your "www.my_supposedly_secure_page.com" and it DOWNLOADS to your desktop as a downloaded file.......THAT'S always fun. 😀
  5. I've rephrased my original post. "Any suggestions for a good tutorial where I can learn how to the symbols needed to write my own mod_rewrite (and mod_alias) code?"
  6. The documentation for mod_alias and mod_rewrite does not explain %, ^, etc., and it is impossible to google certain symbols, hence my question if anyone knew of a good tutorial.
  7. After years of fighting with my server's time zone (shared hosting), I now have these lines of code on my PHP date page (thanks to Barand): date_default_timezone_set('America/Los_Angeles'); $date = new DateTime(); After you implement the suggestions posted above, these two lines of code on your PHP page(s) will save you the aggravation of wondering why your PHP / mySQL seems to always be off by an hour or two :-)
  8. @2020, Error: process stops, and tells you what you did wrong. Warning: process continues, and tells you what's wrong. Exception: if error occurs, the code executes what you have in place (called an "exception handler") should such an exception occur. In development (as opposed to "live for public viewing"), I have: 1.) On top of all my PHP pages: error_reporting(E_ALL); ini_set('display_errors', 1); 2.) In the non-public file above the public_html directory mysqli_report(MYSQLI_REPORT_ALL|MYSQLI_REPORT_STRICT); $db = mysqli_connect("localhost" , "username" , "pass" , "database"); (Never ever ever have your mysql credentials in your public www directory.... the day will come when PHP for whatever reason decides to stop working and everybody will get to see your credentials) I didn't even notice mac_gyver did not capitalize his sentences, I'm here for info, not to be grammar police 😀 But from what I understand mac_gyver is saying (I'm the worst PHP person on this entire forum) is: 1.) turn all the errors on during testing, but MAKE SURE all error reporting is turned off when your site is live for the public. 2.) You can create exception handlers in your php/mysql code so you can debug specific parts of your code, if you want. Otherwise, Barand's #4 suggestion, combined with PHP error reporting on top of all your PHP pages should be sufficient (in most cases) to display most if not all the errors in your code.
  9. Any suggestions for a good tutorial where I can learn how to write my own mod_rewrite (and mod_alias) code? For example, here is a simple RewriteRule: RewriteRule ^/?(.*) https://www.example.com%1/$1 I would like to change it to a corresponding "Redirect" directive, but obviously, the next line doesn't work (although it looks like it should) Redirectmatch ^/?(.*) https://www.example.com%1/$1 I'd like to learn what I'm doing, rather than being a "copy-and-paster" all my life 😀
  10. Just found out to qualify for HSTS ("preload eligibility"), you are not allowed to have only one redirect from http://example.com to https://www.example.com. For this, you are required to have 2 redirects: 1.) From http://example.com ---> https://example.com and then 2.) from https://example.com ---> https://www.example.com If I read correctly, something about www.example.com and example.com are actually different sites, and that leaving the "www" off helps keep their preload list smaller for browsers. Whatever. Three days work down the tube.
  11. Eh... forget it. Back to the drawing board. More than one redirect! Although using redirect inside of virtualhost files is what the rulebook says, the rulebook ALSO says "If, for whatever reason, you still want to use mod_rewrite..." Well, yes, my "whatever reason" is I only want ONE redirect no matter what the visitor types in. So I'm going to use mod_rewrite. And I'll still be following the rules! 😀
  12. Edit: previous post missing closing "</if>" Should say: <VirtualHost *:443> <If "req('Host') != 'www.example.com'"> RedirectMatch 301 /?$ https://www.example.com/ </If> ... my best post, and I screwed it up 😱
  13. For my desired https://www.example.com result, this seems to work perfectly: I located my VirtualHost 80 and 443 files and added these lines: <VirtualHost *:80> RedirectMatch 301 /?$ https://www.example.com/ <VirtualHost *:443> <If "req('Host') != 'www.example.com'"> RedirectMatch 301 /?$ https://www.example.com/ The result? Maximum of only ONE redirect! ( I checked all these permutations on the online bulk redirect checker ) http://example.com http://example.com/file.php http://example.com/directory http://www.example.com http://www.example.com/file.php http://www.example.com/directory https://example.com https://example.com/file.php https://example.com/directory https://www.example.com https://www.example.com/file.php https://www.example.com/directory example.com example.com/file.php example.com/directory www.example.com www.example.com/file.php www.example.com/directory Thank you 😀
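The hop counts checked in this post, and the two-step order that post 10 says HSTS preload eligibility requires, can be audited mechanically. This is an added example, not code from the thread: the redirect tables are constructed stand-ins for what a redirect checker would report, and `follow`, `audit` and `audit_all` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed redirect tables (start URL -> Location header), not captured from a real server.
SINGLE_HOP = {
    "http://example.com/": "https://www.example.com/",
    "http://www.example.com/": "https://www.example.com/",
    "https://example.com/": "https://www.example.com/",
}
TWO_STEP = {
    "http://example.com/": "https://example.com/",
    "http://www.example.com/": "https://www.example.com/",
    "https://example.com/": "https://www.example.com/",
}

def follow(start, table, max_hops=10):
    """Return the full chain [start, hop1, ..., final]; raise on loops."""
    chain = [start]
    while chain[-1] in table:
        nxt = table[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            raise ValueError(f"redirect loop or chain too long: {chain + [nxt]}")
        chain.append(nxt)
    return chain

def audit(chain, canonical="https://www.example.com/"):
    """Report hop count, final-URL match, and the same-host HTTPS-first rule."""
    first = urlsplit(chain[0])
    https_first = True  # only plain-http starting points are subject to the rule
    if first.scheme == "http":
        if len(chain) < 2:
            https_first = False  # http URL served without any redirect
        else:
            # The first hop must upgrade to HTTPS on the SAME host.
            hop = urlsplit(chain[1])
            https_first = hop.scheme == "https" and hop.hostname == first.hostname
    return {
        "hops": len(chain) - 1,
        "lands_on_canonical": chain[-1] == canonical,
        "https_first_same_host": https_first,
    }

def audit_all(table):
    """Audit every starting URL in a redirect table."""
    return {start: audit(follow(start, table)) for start in table}

if __name__ == "__main__":
    for name, table in (("single-hop", SINGLE_HOP), ("two-step", TWO_STEP)):
        for start, result in audit_all(table).items():
            print(name, start, result)
```

To audit a live site, replace the constructed tables with the start URL and Location pairs recorded by a redirect checker.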
  14. Kicken, hi! I wish you would have posted that an hour ago 😀 I just found it a moment ago, tried it, and that simple one-liner worked! However.... being the OCD person I am, I made my big list of 20 "bad" urls (I want the end result to only be "https://www.example.com") and typed in (example.com, www.example.com, https://example.com, www.example.com/directory, etc., etc.) into the online bulk redirect checker, and even though they ALL redirected correctly to https://www.example.com, about a third of them had 3 redirects, about a third had 2 redirects, and a third had one redirect. There is an awesome page here that shows the code where no matter what, there is ONLY ONE redirect! Not 2 redirects, not 3 redirects, but just ONE redirect! (Very thrilling!). Unfortunately, that page used the RewriteCond/RewriteRule format. Now I have to figure out how to make the simple one-liner "redirect" format mentioned in the Apache Manual correspond with the RewriteCond/RewriteRule format... I'll probably have to learn some code. Do you think that will be easy?
  15. OMG... this is going to be a month-long project. I'm just now reading in the section "When NOT to use mod_rewrite," and it says for simple http to https redirects (and I assume also for the non-www to www redirects too), it says: I understand the instructions to mean that if I do not have access to the "main server configuration file," then RewriteRules belong in the .htaccess file. However, I do have access to the main server configuration file. Now that I've been told what NOT to do, I'm back to figuring out what I should do.... "What would Requinix do... hmmmm"
  16. But you also said to put it in the <VirtualHost *:443> block, but that made you nervous. And, if you're nervous, then I'm nervous, we don't want that. I'm still reading the Apache manual. I'll get this figured out.
  17. I'm nervous too, we both need a drink. So I just now RTFM, and it says that RewriteRules "...may be used in per-server context (httpd.conf)," or in a "per-virtualhost context (<VirtualHost> blocks)" amongst other things. However, I read somewhere that to keep things tidy, one must never directly edit the default httpd.conf file. Therefore, I think I was right to start with: create my own "my_rewrite_rules.conf" file, put it in "/conf-available" and then run the command "a2enmod my_rewrite_rules.conf" And Voila! All done, everybody happy. Okay, now please tell me what's wrong about what I wrote 😀
  18. Because I'm only hosting my own domain, I chose not to create a separate site configuration. I looked for my <VirtualHost> files, and they are located here: I only have 2 VirtualHost files that were automatically installed when I installed Ubuntu: 1.) inside of /sites-available/default.conf there is <VirtualHost *:80> 2.) Inside of /sites-available/default-le-ssl.conf there is a <VirtualHost *:443> (Certbot installed this conf file). My RewriteRule directive looks like this: <Directory /var/www/html/> RewriteEngine on RewriteCond blah blah blah RewriteRule ^(.+)$ https://www.example.com/$1/ [R=301,L] </Directory> So I am going to take another guess: I will place that RewriteRule block inside of the <VirtualHost *:443> created by Certbot. What do you think?
  19. Okay.... I'll make a guess..... NO. Conf-available is the wrong place to put my rewriterules conf file. The directives in that conf-available (and conf-enabled) are weird higher-level goofy looking one-liner crap files like servername.conf "servername localhost" and a charset file, and a security file I dare not touch. However, the "sites-available" has files that look like they would make good friends for my custom RewriteRules.conf file. There's a default conf file, a default ssl file, and a conf file placed by Certbot in that directory. So, my guess is it would be "best practices" to place my rewriterules.conf file into sites-available What do you think? Thank you.
  20. Best practices question: Which is correct? Placing custom Apache directives in "apache2/sites-available" or, placing them in "apache2/conf-available" ?? Specifically, I have a set of custom RewriteRules that seem to work no matter where I place them. In fact, even directly editing my Apache default.conf works, too, but I heard custom stuff should always go in a separate file. : ALL THESE WAYS SEEM TO WORK : What is the "best practices" answer? Thank you!!
  21. Do you want your colors grouped like this page here? I think the "foreach" loop you proposed would certainly loop through all the colors, but how are you going to group the colors, e.g. greens, blues, etc.?
  22. Nevermind, I figured it out. (And it only took me 40 minutes to figure it out, not 100 hours). I had a secondary firewall running which I had forgotten about. 😀
  23. Okay, I just now changed the default SSH port in sshd_config on both my identically configured Ubuntu 20.04 servers. ssh -p 1234 user@example.com works perfect on Server #1. Server #2 won't allow me to connect (ssh times out). why why why WHY! On one hand, this is fun -- it gives me something to work on for the next 100 hours... On the other hand, it's frustrating, I have other fun things I want to do (like monkey with installing an email server and avoid getting blacklisted). Both servers have firewall (UFW) disabled while I'm trying to figure out why one server works and the other doesn't....
  24. Ya, I did :-) I am loving Ubuntu, on my first-ever VPS. Even though I don't know what I'm doing, having total administrative control on a VPS is fun! However, being able to view server access logs is scary! I didn't realize that every single minute (especially at night) there are dozens of probes and attempted logins happening all the time.... is this normal?
  25. ahhhhh, if only........ 😀