StevenOliver
Members; Posts: 237; Days Won: 6

Everything posted by StevenOliver

  1. Not to be a Debbie Downer, but the specific login script you mention uses MD5. If your website's password security is important to you, please read "no one should be using MD5 anymore" at https://en.wikipedia.org/wiki/MD5 (MD5 is broken). From what I understand, PHP's built-in "password_hash" function is much, much better than MD5. If you read the question and answer about the "password_hash" function here, you might be inclined to go ahead and use MySQL. There are some pre-written login scripts on the net using "password_hash" that even I (a total PHP dumbo) can understand (just google "simple password_hash login scripts"). Just a thought.
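Added example, not code from the post above or from any script it mentions: a login check built on password_hash()/password_verify(), with a migration path for rows that still hold a legacy unsalted MD5 (assumed here to be recognisable as 32 lowercase hex characters). The users table, the two sample accounts and the in-memory SQLite database are constructed in the script so it runs offline; it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Build a throwaway database with one account created via password_hash()
// and one left over from an old MD5-based login script (constructed data).
function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    $ins->execute(['bob', md5('hunter2')]);   // legacy row: unsalted, fast, crackable
    return $pdo;
}

// Store only the salted, deliberately slow hash; the password itself is never written.
function setPassword(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
    $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown user: still pay for one verify so response time does not
        // reveal which usernames exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }

    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy MD5 row: compare in constant time, then upgrade it on the spot.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        setPassword($pdo, $username, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        setPassword($pdo, $username, $password);   // e.g. the default cost was raised
    }
    return true;
}

$pdo = openDemoDb();
var_dump(checkLogin($pdo, 'alice', 'wrong'));
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'bob', 'hunter2'));
// After bob's first successful login his row holds a bcrypt hash, not an MD5.
var_dump(str_starts_with((string) $pdo->query("SELECT password_hash FROM users WHERE username = 'bob'")->fetchColumn(), '$2y$'));
```

The first call fails and the other three succeed; the legacy branch exists only so that existing accounts can be upgraded transparently, and it can be deleted once no 32-hex rows remain.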
  2. Still terrible code but safer:

     <?php
     $dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
     foreach ($dubious_query_string_values as $var => $val) {
         $val   = preg_replace('/[^\d=]/', '', $val);   // keep only digits and '='
         $parts = explode('=', $val);
         echo 'SELECT * FROM table WHERE sub="' . $parts[0] . '" AND pro = "' . $parts[1] . '";';
         echo '<BR>';
     }
     ?>
  3. I agree with the answers given. However, I'm happy to provide a dubious 1990's-style PHP answer to your dubious question 😀

     <?php
     $dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
     foreach ($dubious_query_string_values as $var => $val) {
         $parts = explode('=', $val);
         // substr(..., 3) drops the "sub" / "pro" prefixes and keeps whatever follows them
         echo 'SELECT * FROM table WHERE sub="' . substr($parts[0], 3) . '" AND pro = "' . substr($parts[1], 3) . '";';
         echo '<BR>';
     }
     ?>

     If your URL looks like this:

     www.example.com/dubious.html?sub2=pro73&sub2=pro76&sub2=pro79&sub2=pro90&sub2=pro92&sub3=pro73&sub3=pro74&sub3=pro87&sub3=pro90

     the above code will give you:

     SELECT * FROM table WHERE sub="2" AND pro = "73";
     SELECT * FROM table WHERE sub="2" AND pro = "76";
     SELECT * FROM table WHERE sub="2" AND pro = "79";
     SELECT * FROM table WHERE sub="2" AND pro = "90";
     SELECT * FROM table WHERE sub="2" AND pro = "92";
     SELECT * FROM table WHERE sub="3" AND pro = "73";
     SELECT * FROM table WHERE sub="3" AND pro = "74";
     SELECT * FROM table WHERE sub="3" AND pro = "87";
     SELECT * FROM table WHERE sub="3" AND pro = "90";

     Again, this is PHP from the 80's before hacking got invented. Please heed gw1500se's and Barand's advice: never ever put raw input into MySQL queries, etc.!
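Added example for posts 2 and 3 above, not the poster's code: the same "sub2=pro73&sub3=pro87" query string handled without building SQL out of strings. Repeated keys are split by hand (parse_str() would keep only the last "sub2"), each item must match an exact pattern or is rejected, and the numbers are bound to one prepared statement. The table name, columns and sample rows are assumptions, created in an in-memory SQLite database so the script runs offline.

```php
<?php
declare(strict_types=1);

// Turn "sub2=pro73&sub2=pro76" into [[2, 73], [2, 76]], rejecting anything
// that is not exactly sub<digits>=pro<digits>.
function parseSubProPairs(string $queryString): array
{
    $pairs = [];
    foreach (explode('&', $queryString) as $item) {
        if ($item === '') {
            continue;
        }
        if (preg_match('/^sub(\d{1,6})=pro(\d{1,6})$/', $item, $m) !== 1) {
            throw new InvalidArgumentException('unexpected query item: ' . $item);
        }
        $pairs[] = [(int) $m[1], (int) $m[2]];
    }
    return $pairs;
}

// One prepared statement, executed once per pair with integer-typed parameters.
function lookupRows(PDO $pdo, array $pairs): array
{
    $stmt = $pdo->prepare('SELECT sub, pro, label FROM sample WHERE sub = :sub AND pro = :pro');
    $rows = [];
    foreach ($pairs as [$sub, $pro]) {
        $stmt->bindValue(':sub', $sub, PDO::PARAM_INT);
        $stmt->bindValue(':pro', $pro, PDO::PARAM_INT);
        $stmt->execute();
        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
            $rows[] = $row;
        }
    }
    return $rows;
}

// Constructed sample table (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sample (sub INTEGER, pro INTEGER, label TEXT)');
$ins = $pdo->prepare('INSERT INTO sample VALUES (?, ?, ?)');
foreach ([[2, 73, 'a'], [2, 76, 'b'], [3, 87, 'c'], [9, 99, 'not requested']] as $r) {
    $ins->execute($r);
}

$query = 'sub2=pro73&sub2=pro76&sub3=pro87';   // what $_SERVER['QUERY_STRING'] would hold
print_r(lookupRows($pdo, parseSubProPairs($query)));

// An injection attempt is rejected by the pattern and never reaches the SQL engine.
try {
    parseSubProPairs('sub2=pro73" OR "1"="1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation regex and the bound parameters are independent defences: even if the pattern were loosened later, the values would still travel to the database as data rather than as SQL text.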
  4. Aside from the "column not found" error, would it be worth trying to wrap the string values in quotes in your SQL query? Or, for example, converting the IP addresses to integers before using comparison operators (using the inet_ntop function)?
  5. Kicken, thank you. I added your line of code and removed the "sub(new DateInterval('PT8H'))" portion. It now gives the correct time! 😀

     <?php
     date_default_timezone_set('America/Los_Angeles');
     $date = new DateTime();
     $currentTime = $date->format('F j, Y \a\t g:ia');
     echo $currentTime;

     I guess that means I never have to monkey with it again, adding and subtracting for daylight time, server location, etc. Thank you again!!
  6. Question: For a website on a shared server (regardless of server location), is there such a thing as PHP code that will consistently produce my own time zone's time without having to adjust every few months? Background: No matter how much I "adjust" the code, time zones, etc., things like daylight saving time or server location throw it off by 1, 2, sometimes 3 hours. Example: This is my code:

     <?php
     $date = new DateTime();
     $currentTime = $date->sub(new DateInterval('PT8H'))->format('F j, Y \a\t g:ia');

     The Pacific ("Los Angeles") time right now is 7:58pm, but my code says it's 6:58pm. So now I have to go in and correct the "PT8H" portion. I'm wondering if there is some code I can use whereby I can simply "set it and forget it." Thank you!
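Added example for the two posts above, not from either of them: it shows why a fixed "subtract 8 hours" is wrong for half the year. The same UTC instant is converted with a named zone, and PHP picks the -08:00 (PST) or -07:00 (PDT) offset itself from the timezone database. The two UTC timestamps are constructed; the zone name is the one from the post.

```php
<?php
declare(strict_types=1);

// Convert a UTC timestamp (the form worth storing or logging) into a named
// zone for display. The offset applied depends on the date, not on the server.
function toLocal(string $utcTimestamp, string $zone = 'America/Los_Angeles'): string
{
    $utc = new DateTimeImmutable($utcTimestamp, new DateTimeZone('UTC'));
    return $utc->setTimezone(new DateTimeZone($zone))->format('F j, Y \a\t g:ia (T, P)');
}

echo toLocal('2024-01-15 03:58:00'), PHP_EOL;   // a January instant: standard time
echo toLocal('2024-07-15 03:58:00'), PHP_EOL;   // a July instant: daylight time

// Setting the default zone once makes every later "now" follow the same rules,
// wherever the shared server happens to be located.
date_default_timezone_set('America/Los_Angeles');
echo (new DateTimeImmutable())->format('F j, Y \a\t g:ia T'), PHP_EOL;
```

The two printed lines carry different abbreviations and offsets although the code path is identical; that difference is exactly what the hand-tuned "PT8H" had to be edited for twice a year.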
  7. Both answers make sense. May I ask another question in this same thread (probably not important enough for a new thread)? When I open "Browser Console" in Firefox, it appears my "jquery.js" file loads twice:

     12:47:10.544 GET example.com/ [HTTP/1.0 200 OK 0ms]
     12:47:10.568 GET example.com/jquery-3.3.1.min.js [HTTP/1.0 200 OK 0ms]
     12:47:10.605 GET example.com/jquery-3.3.1.min.js [HTTP/1.0 200 OK 0ms]
     12:47:10.621 GET example.com/favicon.ico [HTTP/1.0 200 OK 0ms]

     It even loads twice when I strip my HTML to the bare minimum:

     <html><head><script src="jquery-3.3.1.min.js"></script></head><body></body></html>

     I've restarted my browser, cleared cache, etc., and it still always shows up twice in the console. Why?
  8. General "best practices" question: If my page already loads jQuery, is it best to use a jQuery function versus using simple plain JavaScript? For example, to change a table row's appearance, this simple JavaScript works:

     function changeQuantity() {
         document.getElementById('id_of_element').style.background = "#FFF";
         document.form1.inputname.value = 1;
     }

     Does it matter? I'll take a guess at the answer... For simple JavaScript, it doesn't matter in the slightest. In fact, it's better to use plain JavaScript because it saves me the days of work reading the internet finding the corresponding jQuery function. But for more complex JavaScript, jQuery is better because there is probably lots of "cross browser support."
  9. Turn error reporting on! Begin your PHP code with:

     ini_set('display_errors', 1);
     ini_set('display_startup_errors', 1);
     error_reporting(E_ALL);

     Catch errors in PDO with 'try' and 'catch' (google this). Example:

     try {
         $db = new PDO(/* blah blah blah: your DSN, user and password */);
         // your stuff goes here
     } catch (Exception $e) {
         echo 'Exception -> ';
         var_dump($e->getMessage());
     }

     I don't know anything about PDF... so I'm not reading your PDF code :-)
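Added example, not the poster's code: the same advice (report everything, catch PDO failures) arranged so that the detail reaches the developer without reaching the visitor. Error display is switched on only in development, PDO is set to throw on every failure so nothing fails silently, and the catch block logs the driver message and returns a generic page. The APP_ENV variable, the in-memory SQLite database and the deliberately missing table are assumptions made so the script runs offline.

```php
<?php
declare(strict_types=1);

error_reporting(E_ALL);
$isDev = (getenv('APP_ENV') ?: 'production') === 'development';   // assumed environment switch
ini_set('display_errors', $isDev ? '1' : '0');   // stack traces and SQL never go to visitors
ini_set('log_errors', '1');                       // but are always kept in the server error log

function connect(): PDO
{
    // ERRMODE_EXCEPTION makes every failed connect/prepare/execute throw, so
    // every database error funnels into the single catch block below.
    return new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function runReport(PDO $db): array
{
    // The table does not exist in the throwaway database, so this throws.
    return $db->query('SELECT id FROM missing_table')->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $rows = runReport(connect());
    echo count($rows), ' rows', PHP_EOL;
} catch (PDOException $e) {
    // Full detail (SQLSTATE, driver message, location) for the log...
    error_log(sprintf('[%s] %s in %s:%d', $e->getCode(), $e->getMessage(), $e->getFile(), $e->getLine()));
    // ...and a message for the browser that reveals neither schema nor credentials.
    http_response_code(500);
    echo $isDev
        ? 'DB error: ' . $e->getMessage()
        : 'Something went wrong. Please try again later.';
    echo PHP_EOL;
}
```

Echoing $e->getMessage() straight to the page, as the quick debugging snippet does, is fine on a developer's machine but on a live site it hands table names, column names and sometimes connection strings to whoever triggered the error.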
 10. You have an extra parenthesis -- there should only be 2 parentheses after deneme.com

     <?php echo hash("sha1", md5(base64_decode("deneme.com")) . "YSXVkxG3-U");

     p.s. both sha1 and md5 are really '90's -- and they're "broken" and collisions can be generated.
 11. Instead of "what's the most secure hash," your real question is "What's the best way to enforce a limit of 'n' customers per credit card." Most of the top people in this forum are geniuses, and you would have gotten (and hopefully will still get) some really good answers! (Even the largest companies want to know the answer to this.) I had some more thoughts on this; here are the 'facts' I came up with:

     1.) You have no control over how many people are in a household using the same credit card (picture a close-knit family of 12).
     2.) Individuals may have several credit cards; (as Requinix said) companies offer virtual credit cards (google "online virtual cards" and you'll see ads for "unlimited card numbers").
     3.) You don't want to make your customers feel like they have to give blood and jump through hoops (you want signup to be easy-peasy).
     4.) You don't know how your business is going to do yet (hopefully it'll do so well you won't care about how many people share, you'll be making so much money!).

     That being said, when someone signs up and pays (a 3rd-party billing company takes care of the logistics for you), you'll have a customer ID number, as well as the customer's email address and phone number. Your website could say "Welcome to our service and we're thrilled you're a customer! For the best service, please provide a phone number we can send a one-time 6-digit security PIN to." Then, when they type that PIN into their browser, they can choose whether to store it as a cookie so they don't have to enter it each time. Voila! Now you can monitor visitors' usage based on IP location, user_agent, phone number, PIN, and their email -- all without having to store (or even know) part or all of their credit card number. Then you can watch that info as your business builds. You may end up not really caring about a little 'sharing' here and there. But if you find one of your customers is up to something suspicious (e.g. simultaneous logins from different IP locations), you can do the "Due to unusual activity, we need to send a new PIN to your phone" thing. Given there are a zillion workarounds to thwart all the above, I think this is as good as you can get. I would definitely have liability insurance that covers data breaches, and I would still definitely have a bonded security company build the up-to-date secure code to encrypt what needs to be encrypted, and hash what needs to be hashed (e.g. passwords only get hashed; they never NEVER should be encrypted and stored). Even if the business doesn't work out, it would still be fun to read and reverse engineer the state-of-the-art encryption code they build for you. And, at the very least, you'll be able to put all your coding skills to work: PHP, databases, mailing PIN codes to phone numbers (making sure the PINs are single use and don't get duplicated), cookies, debugging, layout and design, etc., etc., all the stuff that makes life fun -- especially these days!!!
  12. PHPFreaks DID have a data breach! (https://www.cyberinsurance.com/breaches/phpfreaks/) I had an afterthought.... if I absolutely HAD to store some encrypted customer data, I would lean towards storing their phone number over storing their credit card details. And it would be easy to assign a random "code" via a text message. Nowadays a lot of sites that "want to prove it's really you" will send you a text message with a 6 digit code. You could probably still do a good job at enforcing your 2 people per credit card limit this way (most people have only one or two phone numbers), without having to store (or even see) their card info. Their phone number should still be encrypted properly though, but it looks less catastrophic if phone numbers got revealed rather than credit card numbers :-)
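Added example for posts 11 and 12 above, not code from either post: the "one-time 6-digit PIN sent to a phone" mechanism with the properties the posts ask for (single use, never duplicated, no card data involved). The PIN comes from the CSPRNG, only a hash of it is stored together with an expiry and an attempt counter, verification is constant-time, and the record is deleted on first success so a replay of the same PIN fails. The in-memory table, the 5-minute lifetime and the 5-attempt budget are assumptions; SMS delivery is out of scope and is represented by the plaintext PIN that issuePin() returns to the caller.

```php
<?php
declare(strict_types=1);

const PIN_TTL_SECONDS  = 300;   // assumed lifetime
const PIN_MAX_ATTEMPTS = 5;     // assumed online guessing budget

// Issue a fresh PIN for a customer, replacing any outstanding one.
function issuePin(PDO $db, int $customerId, int $now): string
{
    $pin = sprintf('%06d', random_int(0, 999999));   // CSPRNG; leading zeros kept
    $db->prepare('DELETE FROM otp WHERE customer_id = ?')->execute([$customerId]);
    $db->prepare('INSERT INTO otp (customer_id, pin_hash, expires_at, attempts) VALUES (?, ?, ?, 0)')
       ->execute([$customerId, password_hash($pin, PASSWORD_DEFAULT), $now + PIN_TTL_SECONDS]);
    return $pin;   // hand this to the SMS gateway; the plaintext is never stored
}

// Check a submitted PIN; true at most once per issued PIN.
function verifyPin(PDO $db, int $customerId, string $candidate, int $now): bool
{
    $stmt = $db->prepare('SELECT pin_hash, expires_at, attempts FROM otp WHERE customer_id = ?');
    $stmt->execute([$customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || $now > (int) $row['expires_at'] || (int) $row['attempts'] >= PIN_MAX_ATTEMPTS) {
        return false;   // nothing issued, expired, or guessing budget exhausted
    }
    if (!password_verify($candidate, $row['pin_hash'])) {
        $db->prepare('UPDATE otp SET attempts = attempts + 1 WHERE customer_id = ?')->execute([$customerId]);
        return false;
    }
    // Single use: remove the record so the same PIN cannot be accepted again.
    $db->prepare('DELETE FROM otp WHERE customer_id = ?')->execute([$customerId]);
    return true;
}

// Constructed store (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE otp (customer_id INTEGER PRIMARY KEY, pin_hash TEXT NOT NULL, expires_at INTEGER NOT NULL, attempts INTEGER NOT NULL)');

$t0    = time();
$pin   = issuePin($db, 42, $t0);
$wrong = $pin === '000000' ? '000001' : '000000';   // guaranteed wrong guess
var_dump(verifyPin($db, 42, $wrong, $t0 + 10));    // wrong guess: false, attempts = 1
var_dump(verifyPin($db, 42, $pin, $t0 + 20));      // correct: true, record consumed
var_dump(verifyPin($db, 42, $pin, $t0 + 30));      // replay of the same PIN: false
$pin2 = issuePin($db, 42, $t0);
var_dump(verifyPin($db, 42, $pin2, $t0 + PIN_TTL_SECONDS + 1));   // expired: false
```

Hashing a six-digit value does not make it hard to brute-force offline (there are only a million of them); what protects the PIN is the short lifetime and the attempt counter, which turn an online guess into a one-in-a-million-per-try proposition with only a handful of tries.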
 13. SaranacLake, even though I am probably the worst PHP person on this whole forum, I was fascinated with encryption and hashes, and a few months ago I spent almost a full month studying PHP encryption! I don't need it for my own site, I just studied it for the same reason I read this forum -- it is fascinating! I learned how to do lots and lots of encryption, very secure encryption, but I also learned that with ONE little mistake, one slip of the code, ONE server misconfiguration, and you might open yourself up to some big lawsuit (look at all the big multibazillion dollar companies that have been IN THE NEWS for their stupid data breaches! And they have TEAMS of encryption geniuses working for them, and they STILL couldn't get it right). So, it is a fascinating topic! It's fun to learn! But in my opinion, just my opinion, it would be better to hire a reputable first-rate security company to do the credit card portion of the code you require. Then, if worst came to worst, and for whatever reason you had a data breach, you won't be in the awkward position of having to say, "well, I proudly did all the security coding myself, all the forums said my algorithm was secure..." :-) Again, just my opinion.
 14. gizmola, thank you! I didn't realize I could just type it without the ob_start prefix. I'll try it just like this:

     <?php ob_gzhandler(); // etc. etc.

     But I'll try the IfModule mod_deflate in my .htaccess. The first and second lines of my .htaccess are:

     Options -Indexes
     RewriteEngine On

     Does it matter where the <IfModule mod_deflate goes? I would think it wouldn't matter, but with PHP I'm wrong 99% of the time so that means it does matter :-)
 15. If I were in your shoes, and were going to proceed no matter what, in spite of this thread's recommendations against it, I would DEFINITELY 1.) hire a licensed, bonded and insured security firm to do the "limit 2 people per card" coding you require, and 2.) have a darn good liability insurance policy for yourself that covers data breaches!
 16. It's a loop like this:

     while ($sku = $query->fetch_assoc()) {   // a hundred results
         echo '<textarea name="' . $sku["product_name"] . ' ..... etc.
     }

     And that produces a huge amount of HTML. I meant that if I added an id tag to that, it would almost double the amount of HTML sent to the browser:

     echo '<textarea name="' . $sku["product_name"] . '" id="' . $sku["product_name"] . '" ... etc.
 17. requinix, thank you! In days of searching, I never found the brackets suggestion. Also, I'll give more attention to the correct forum topic (or, at least, I should have put "<?php echo..." on top LOL). Barand, thank you! The HTML is a result of a PHP loop through 100+ MySQL records, and since I already have "<textarea name=sku<?=$number?>...." at least 100+ times, I thought it would "bog down the HTML page size" if I additionally added id="sku<?=$number?>" to all 100+ textareas. (I still think in terms of the 1990's browsers where you had to keep an eye on each extra unnecessary byte...)
 18. Requinix, I applaud your "not knowing what your code is doing is not 'proper'" -- good point, and very witty! I'm going to hit up the manual this afternoon. Gizmola, you said "why not use ob_gzhandler()," but I thought that's what I was doing with the "ob_start("ob_gzhandler");" line of code? I will definitely read up on your suggestion about mod_deflate... Does it make a difference if mod_deflate is done in Apache vs .htaccess?
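Added example for posts 14 and 18 above, not the poster's actual .htaccess: the two existing lines kept as they are, followed by a mod_deflate block. Position inside the file does not matter for this directive; Apache applies output filters when the response is generated, independently of where the rewrite directives sit. Both the MIME type list and the Vary header are assumptions about what this site serves.

```apache
# Existing lines from the post, unchanged.
Options -Indexes
RewriteEngine On

# Added: compress text responses. Wrapped in <IfModule> so the site keeps
# working (uncompressed) on a host where mod_deflate is not loaded.
<IfModule mod_deflate.c>
    # Only text-like types; images, PDFs and archives are already compressed.
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript application/javascript application/json
    # Let shared caches keep compressed and uncompressed copies apart.
    <IfModule mod_headers.c>
        Header append Vary Accept-Encoding
    </IfModule>
</IfModule>
```

The same block works verbatim in the main server configuration or a virtual host, which is the better place when you control the server: .htaccess is re-read on every request and only honoured if AllowOverride includes FileInfo. When both the .htaccess block and ob_start("ob_gzhandler") are active, the PHP layer already emits gzip and mod_deflate passes it through, so pick one. One caveat for either approach: compressing a response that contains a secret (a session token, a CSRF token) alongside text an attacker can choose is the setup for compression side channels such as BREACH, so keep secrets out of compressed HTML bodies or disable compression on those pages.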
 19. This hardcoded "999" works fine:

     function changeAmount(a) {
         document.form1.sku999.value = "44";
     }

     But since the number is a PHP variable, I need this to work. It does not work:

     function changeAmount(a) {
         document.form1.'sku'+a.value = "44";
     }

     In the HTML below, I "hardcoded" the PHP variable to "999" just to try and make the simple JavaScript above work.... but it doesn't.

     <input onClick="changeAmount('999');" type="button">
     <input type="text" name="sku999">

     I've spent days trying to learn JavaScript concatenation, but even this doesn't work:

     function changeAmount(a) {
         var conc = 'sku' + a;
         document.form1.conc.value = "44";
     }

     If you would please let me know what I've done wrong. Thank you.
  20. Same thing when I tried it, too. If you don't like blank lines, you could try var_export($array) instead of print_r($array)
 21. You have 3 pages. What is the exact code on top of each page? If all of your pages have

     $name = $_POST['name'];
     $_SESSION['name'] = $name;

     on top, but you're posting the name only on the first page, then $_POST["name"] will be null on your 3rd page, and thus $_SESSION['name'] will also be null. If you put this line of code on top of your pages, you'll see your errors:

     error_reporting(E_ALL);
     ini_set('display_errors', 1);

     My guess is that on that 3rd page you are having an "undefined index" error because of the above.
 22. Which of these is the "best coding practice" for the proper order of "ob_start," "sessions," and "require"? (My "require" files are usually just MySQL login stuff.)

     a.)
     <?php
     ob_start("ob_gzhandler");
     session_start();
     require("some_required_files");
     echo '<html>'; // etc. etc.

     b.)
     <?php
     session_start();
     ob_start("ob_gzhandler");
     require("some_required_files");
     echo '<html>'; // etc. etc.

     And also, instead of just plain "session_start()", isn't it more proper to ALWAYS use

     if (!isset($_SESSION)) { session_start(); }

     Thank you in advance.
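Added example for posts 21 and 22 above, not the poster's code: a bootstrap that every page would require() first. Output buffering starts before anything can be echoed (cookies and headers must still be sendable), the session cookie flags are set before session_start(), the session is started only if none is active yet (session_status() is the check the "isset($_SESSION)" guard is reaching for), and $_POST is copied into the session only when a form was actually submitted, so pages 2 and 3 stop overwriting the stored name with an undefined value. The HTTPS detection, the "name" field and the optional db_login.php are assumptions; the script also runs from the command line.

```php
<?php
declare(strict_types=1);

ob_start('ob_gzhandler');   // first: nothing may be sent to the client before headers and cookies

if (session_status() === PHP_SESSION_NONE) {
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';   // assumed TLS detection
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $secure,   // cookie only travels over TLS when the site is served over TLS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',     // not attached to cross-site POST requests
    ]);
    session_start();
}

// Page 1 posts the form; later pages only read what page 1 stored.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST' && isset($_POST['name']) && is_string($_POST['name'])) {
    $_SESSION['name'] = trim($_POST['name']);
    session_regenerate_id(true);   // fresh id once the session starts carrying user data
}

// No "undefined index" notice on pages where nothing was posted.
$name = $_SESSION['name'] ?? null;

// Database credentials etc. come after the session is ready (assumed file, loaded if present).
$dbLogin = __DIR__ . '/db_login.php';
if (is_file($dbLogin)) {
    require $dbLogin;
}

echo '<html><body>Hello, ', htmlspecialchars($name ?? 'stranger', ENT_QUOTES, 'UTF-8'), '</body></html>', PHP_EOL;
```

Of the two orders asked about, (a) is the safer habit only because a buffer is already in place if a required file accidentally emits whitespace before session_start(); with a buffer active the order of the two calls otherwise makes no difference.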
 23. The "ORDER BY submit_time DESC LIMIT 1" requires MySQL to do a full pass of the entire table just to get the most recent submit_time. You might try indexing the column(s) you require, and then use "SELECT MAX(submit_time)" and benchmark it to see if it's faster. At the very minimum, a fun experiment.
  24. Oh geeez......... the error was MY goofup! I was running a file_get_contents/file_put_contents script which sanitized/pre-processed the .csv file before running the fgetcsv script, and, let's just say I unwittingly "sanitized" a whole bunch of commas... Recently almost every line of code I type has a typo (too many hours staring at the computer), I think I need a vacation 😀
 25. Sometimes my 3-column .csv file has commas within quotes:

     fruit , cherry , red
     vegetables , "celery, carrots" , green
     flowers , rose , fresh

     When I use this code, I need the data count to stay the same "3" for each row:

     while (($data = fgetcsv($handle, 2000, ',')) !== FALSE) {
         print count($data);   // prints "3" ... then prints "4" .... then prints "3"
     }

     How do I get fgetcsv to see that "celery, carrots" is just one unit of data? Thank you.
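Added example for posts 24 and 25 above, not the poster's code. Post 24 explains that the field count went wrong because the raw file text was "sanitized" before fgetcsv() saw it; this script reproduces that (stripping the quotes from the text turns the one quoted field into two) and shows the order that keeps the structure intact: let fgetcsv() honour the enclosure, then clean each parsed field on its own. The three rows are constructed here without padding around the commas so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample: the same three rows as the post, one with a quoted comma.
const SAMPLE_CSV = "fruit,cherry,red\nvegetables,\"celery, carrots\",green\nflowers,rose,fresh\n";

// Parse CSV text with fgetcsv() via an in-memory stream.
function readRows(string $csv): array
{
    $handle = fopen('php://memory', 'r+');
    fwrite($handle, $csv);
    rewind($handle);
    $rows = [];
    while (($data = fgetcsv($handle, 2000, ',', '"', '\\')) !== false) {
        $rows[] = $data;
    }
    fclose($handle);
    return $rows;
}

// Per-field cleanup applied after parsing: trim, bound the length, and allow
// only letters, digits, spaces and a few punctuation marks (assumed whitelist).
function cleanField(string $field): string
{
    $field = trim($field);
    if (preg_match('/^[\p{L}\p{N} ,.\-]{0,64}$/u', $field) !== 1) {
        throw new UnexpectedValueException('rejected field: ' . $field);
    }
    return $field;
}

// The mistake: editing the raw text first. Removing the quotes makes the
// second row "vegetables,celery, carrots,green", which parses as 4 fields.
$mangled = str_replace('"', '', SAMPLE_CSV);
print_r(array_map('count', readRows($mangled)));

// The right order: parse first, then sanitize each field individually.
$rows = array_map(
    fn(array $row): array => array_map('cleanField', $row),
    readRows(SAMPLE_CSV)
);
print_r(array_map('count', $rows));   // every row keeps its 3 fields
print_r($rows[1]);                     // the quoted field survives as one unit
```

Any whitespace, quote or delimiter rewriting that is needed belongs inside cleanField(), where it operates on a single already-delimited value and cannot change how many values a row has.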