gizmola (Administrators)

Everything posted by gizmola

  1. This is a huge question, but I'll take a quick stab at a few items: If the design of the application is such that the base datatypes of the rdbms are not sufficient to support what you want, then an object database might be the solution for you. The problem is that compared with the FOSS offerings for relational databases or nosql databases, there are very few offerings with any sort of substantial support. The other issue with OODB's is that they are by definition non-standard, although the same could be argued of nosql databases. There is no one-size-fits-all. With that said, you can certainly do wonderful things with PHP+Ajax+CSS+MySQL+HTML5+etc. There's not much advantage to writing your own MVC when so many already exist. Ditto for an ORM if you choose to use one. If you're going to use PHP there are a number of excellent framework choices out there, some that have extensive libraries that can also be of substantial help. I currently recommend Symfony and the Zend Framework, both of which have state-of-the-php-art rewrites this past year. If you don't know php you're going to have a learning curve, but each has a great community and documentation. This is the subject of entire books (for example, search: scalable website architecture, see books like: http://www.amazon.com/Scalable-Internet-Architectures-Theo-Schlossnagle/dp/067232699X). One final and practical suggestion in terms of generating visual aids from your application is to look at http://graphviz.org/
  2. You can use a BETWEEN query based on NOW(). See http://www.gizmola.com/blog/archives/51-Exploring-Mysql-CURDATE-and-NOW.-The-same-but-different..html, where the technique needed to get the past 36 hours is illustrated. Rather than days, use HOURS (-36 HOURS). So it would be between that and NOW().
  3. Did you look in your error log? Your code has several obvious syntax errors. The syntax for accessing arrays is to use [] not (). Also $_POST is the name of the superglobal array... all caps.

$Name = $_POST['Name'];

Also, php supports interpolation when you use double quotes. The values of variables will be inserted into the string, so your code will be a lot easier to read if you utilize it rather than concatenation.

$query = "INSERT INTO users (Name, Age, Sex, Address_1) VALUES ('$Name', '$Age', '$Sex', '$Address_1')";

What database type is the Age column? If it's not a string you would not include the single quotes around it in the values section of the query.
  4. Again -- read the link in my signature named: "My PHP script with MySQL doesn't work?" and implement the recommendations there.
  5. Your code does not check to see if the queries are valid, it simply assumes that they are. Clearly in certain cases the queries are not valid, and you have errors. There is a link in my signature that describes how to approach this properly.
  6. It does work, that is why I provided the jsfiddle. Did you look at it? I started with your code and made adjustments, but the adjustments are important ones. The main thing I omitted was the php string, but that can be re-added without consequence. I added an event listener to the entire form, so that changes in any of the fields start the calculation. You will see that there are issues with the minutes code that produces NAN problems with the minutes values.
  7. Where is the rest of the code? I'm guessing you want to hook onto onkeypress. Here's a jsfiddle with a few adjustments that also illustrates where you have issues with your code. Hopefully it will put you on the right track: http://jsfiddle.net/Bf4S7/15/
  8. cms: Here's an excellent summary of possible solutions: http://www.queness.com/post/212/10-jquery-and-non-jquery-javascript-rich-text-editors
  9. I always advise people to avoid shared hosting. There are plenty of reputable vps vendors like linode that are only marginally more expensive.
  10. Don't use magic_quotes. Addslashes/stripslashes is not character set aware. Thus it can be fooled into allowing sql injections with the insertion of multibyte characters. The only thing you need to keep in mind with mysql_real_escape_string() is that you already need to have instantiated a mysql connection before you call it. This is because it uses the mysql client connection information to intelligently handle the data it receives as input.
  11. That indicates that you are running in fastcgi mode... but you did say it's a shared host so that is what I'd expect. The key information is who is the owner of the files/directories in question? Just to close the loop on your own understanding, make sure you look at the ownership and perms of the files the script is creating.
  12. What I would do is have the javascript clock based on the timestamp of the section row you create in the database, that indicates the user has started the form. Once the clock is running there is no reason to worry about checking it -- it should keep time acceptably. When a question is submitted you simply need to check if the allowed time has expired, and handle that accordingly. Return a result that indicates the time has expired, and close out the section of the test. That same routine should be fired when the javascript clock expires. If someone is sneaky enough to figure out how to modify the runtime value of your original variable, the serverside script will still catch them. That is all you are really concerned about.
  13. Check to see what the value of $character is after you make the api call using var_dump($character);
  14. Yes, for folders where you are not going to write to them, you don't want them to have a 7 permission. You install the scripts and remove the "write" permission, so that they can not be overwritten. This is probably what your shared host meant. You want all your script directories *other than the ones you need to be able to read/write files to* to be 755. That way if you have a rogue script or exploit, it can not go and update your other scripts and css/javascript files with malicious code. The other question you had in regards to "other" permissions is that if you have a path where I give you 7 perms to a particular directory, and from there the script creates a directory, then the owner of that directory is going to be the user that created it. So, if the script creates its own directories, then use those directories to store the image files, and you don't need to give "other" the 7 permission, because it already owns the directory. There has to be, at some point, the full set of RWX perms given to the user that php will be running as --- there is again no way around that fact if your script needs to write files.
  15. You can use javascript to implement an onscreen countdown timer based on the same date/time. To do this with any level of competency, you will need to use ajax, so that you can accept answers immediately without having to do a complete form refresh. I would highly recommend learning how to use jquery, which can facilitate the ajax and provide you functions that can help ensure the clock will work across different browsers and versions. The important thing to keep in mind is that the javascript timer has to be for display purposes only -- you can not depend on it, as it runs in the user's browser. The serverside scripts will need to check to make sure that time has expired every time it is called to accept answer data. This is a non-trivial question, and I can only provide you general answers. You'll have to research the specifics.
  16. You used a prepared statement at the top. This is a good way to prevent sql injections -- use that technique in all your queries. Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string. For XSS, I'd suggest using htmlentities(). That just changes everything that could be html tags that would cause code to be run into harmless html entity codes.
  17.
if ($character = $armory->getCharacter($charname)) {
    // character was found
} else {
    // character was not found... redirect
}
  18. I would personally have a database structure where I had rows that indicated the start time of a section of an exam. You can store the time easily using a datetime or timestamp column. When a section is begun, you set the value of this column in a query to NOW(). When a new answer is submitted, you can utilize date arithmetic to determine if they have passed the allocated amount of time, and decide if the answer should be accepted or not. You can also use session variables and in recent versions of php there is the datetime object that is very useful and has many functions that facilitate an elapsed time calculation.
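Added example (not code from the thread) of the server-side check described in posts 12, 15 and 18: the section start time is written from the server's clock, and every answer submission is tested against it with date arithmetic, so a tampered browser timer changes nothing. It uses PDO with an in-memory SQLite database (assumed available) so it runs offline; the thread's MySQL equivalents, including the INTERVAL form that post 2's "past 36 hours" query needs, are shown in a comment. Table and column names are assumed.

```php
<?php
// Added example: server-side expiry check for an exam section. SQLite via PDO
// stands in for the thread's MySQL; the sections table and its columns
// (started_at, allowed_seconds) are assumed for the example.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sections (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL,
        started_at TEXT NOT NULL,        -- server time, ISO-8601 with offset
        allowed_seconds INTEGER NOT NULL
    )');
    return $db;
}

// Called when the user begins a section: store the server's clock, never a
// value the browser sent. $now is injected so the logic can be exercised
// without waiting in real time.
function startSection(PDO $db, int $userId, int $allowedSeconds, DateTimeImmutable $now): int
{
    $stmt = $db->prepare('INSERT INTO sections (user_id, started_at, allowed_seconds) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $now->format(DATE_ATOM), $allowedSeconds]);
    return (int) $db->lastInsertId();
}

// Called on every answer submission (and when the JS clock says it expired).
// Returns true if the answer may be accepted, false if the section is over
// or does not belong to this user.
function sectionStillOpen(PDO $db, int $sectionId, int $userId, DateTimeImmutable $now): bool
{
    $stmt = $db->prepare('SELECT started_at, allowed_seconds FROM sections WHERE id = ? AND user_id = ?');
    $stmt->execute([$sectionId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $started = new DateTimeImmutable($row['started_at']);
    $elapsed = $now->getTimestamp() - $started->getTimestamp();
    return $elapsed <= (int) $row['allowed_seconds'];
}

// The same checks done inside MySQL (not runnable on SQLite):
//   INSERT INTO sections (user_id, started_at, allowed_seconds) VALUES (?, NOW(), ?)
//   SELECT id FROM sections
//    WHERE id = ? AND user_id = ? AND NOW() <= started_at + INTERVAL allowed_seconds SECOND
// and the INTERVAL form for "rows from the past 36 hours":
//   ... WHERE created_at BETWEEN NOW() - INTERVAL 36 HOUR AND NOW()

$db = openDb();
$t0 = new DateTimeImmutable('2024-01-01T10:00:00+00:00');
$section = startSection($db, 42, 30 * 60, $t0);   // 30-minute section for user 42

var_dump(sectionStillOpen($db, $section, 42, $t0->modify('+29 minutes')));
var_dump(sectionStillOpen($db, $section, 42, $t0->modify('+31 minutes')));
var_dump(sectionStillOpen($db, $section, 7, $t0));   // another user's section id
```

The user id is part of the WHERE clause on purpose: a submission that names somebody else's section id must fail the same way an expired one does.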
  19. Exactly -- there is no purpose to that. You should not use it, as it can be tampered with. Furthermore, based on your reply, there is no purpose to trying to update the information on logout. I would just remove all that code. It has no benefit, and as I said before, people rarely logout -- they just close the browser or go to another tab and forget about your site.
  20. Sure -- this is a minor addition to your login script.

if (mysql_num_rows($getLoginInfoQuery) == 1) {
    session_start(); // NB: Start session BEFORE doing any session stuff!
    // Update the last login time
    $result = mysql_query("UPDATE users SET lastSession = NOW() WHERE userName='$attemptedUsername'");
}

2 quick notes about your code:
-1st, you need to use mysql_real_escape_string() on your input. As it is now, your login code is sql injectable via the username column.
-2nd, on your attempt to update things on disconnect. There is no way you should be using a hidden form variable for that. This is exactly what session variables are for. When the user does a login, you should set a session variable that contains the username. You can then use this on disconnect, or for that matter in any other script. Because session variables exist only on the server, they can be depended on, whereas user input of any form can not. Form data can be easily tampered with, and can not be depended on. If I want to screw with your site, and I figure out what you're doing with hidden fields, I can easily start causing your site to set logouts for arbitrary users. There is no need for that, once you create the session variable. All you need to do to update information on logout is read the user from the session variable.
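Added example, not the thread's code, tying together the injection points raised in posts 3, 10, 16 and 20: the interpolated username query is kept beside a prepared-statement version so the bypass can be seen, the login time is written from the server, the identity goes into the session rather than a hidden field, and anything echoed back is HTML-encoded. It runs offline against an in-memory SQLite database through PDO (assumed available); the thread's MySQL code would use the same prepared-statement API, with NOW() in place of SQLite's datetime('now'). Password hashing with password_hash()/password_verify() is added here; the thread never showed how passwords were stored. $session stands in for $_SESSION so the script runs from the CLI.

```php
<?php
// Added example: injectable login lookup beside its parameterised form.
// SQLite via PDO stands in for the thread's MySQL; table and column names
// other than users/userName are assumed.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        userName TEXT UNIQUE NOT NULL,
        passwordHash TEXT NOT NULL,
        lastLogin TEXT
    )');
    $ins = $db->prepare('INSERT INTO users (userName, passwordHash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: the thread's pattern. The username becomes part of the SQL text,
// so "' OR '1'='1" turns the WHERE clause into one that matches every row.
// mysql_real_escape_string() would need an open connection to neutralise the
// quote, and it is easy to forget on one of many queries.
function findUserUnsafe(PDO $db, string $attemptedUsername): ?array
{
    $sql = "SELECT id, userName, passwordHash FROM users WHERE userName='$attemptedUsername'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the value travels as a bound parameter and is never parsed as SQL.
function findUser(PDO $db, string $attemptedUsername): ?array
{
    $stmt = $db->prepare('SELECT id, userName, passwordHash FROM users WHERE userName = ?');
    $stmt->execute([$attemptedUsername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login: verify the password, record the login time from the server's clock
// (MySQL: SET lastLogin = NOW()) and keep the identity server-side.
function login(PDO $db, string $username, string $password, array &$session): bool
{
    $user = findUser($db, $username);
    if ($user === null || !password_verify($password, $user['passwordHash'])) {
        return false;
    }
    $upd = $db->prepare("UPDATE users SET lastLogin = datetime('now') WHERE id = ?");
    $upd->execute([$user['id']]);
    $session['user_id']  = (int) $user['id'];  // later requests, logout included,
    $session['userName'] = $user['userName'];  // read this, never a hidden form field
    return true;
}

// Output encoding for anything echoed into HTML (the XSS point from post 16).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = openDb();
$payload = "' OR '1'='1";
var_dump(findUserUnsafe($db, $payload) !== null);   // injected clause matches alice
var_dump(findUser($db, $payload) !== null);         // bound value matches no row

$session = [];
var_dump(login($db, 'alice', 'wrong', $session));
var_dump(login($db, 'alice', 'correct horse', $session), $session['userName'] ?? null);
echo h('<script>alert(1)</script>'), "\n";
```

Escaping is a property of a single query string; parameter binding is a property of the API, which is why the thread's advice to use prepared statements everywhere is the one to follow over per-query escaping.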
  21. If this is your own structure, you can define the valid structure for the document, by defining a DTD for it. This is a nice tutorial that takes you through the process: http://www.xmlfiles.com/dtd/dtd_intro.asp You may not want to create your own DTD, but the point is, that if you are writing parsing code, then the documents need to follow a convention, and based on your example, if you wrote something using simplexml for example that parsed those files, you would not be happy if you could not depend on using: $xml->email->to to get access to the to value, were it present.
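Added example, not from the thread, of enforcing the convention the post describes before any code relies on it: the document is validated against a DTD the application owns and only then read through simplexml. The email XML and its DTD are constructed for the example (the root element is email, so the fields are $sx->to and so on). Two caveats a practitioner would want are built in: a document that brings its own DOCTYPE is refused, since DOMDocument::validate() checks whatever DTD the document declares and an attacker would simply supply a permissive one, and the document is loaded with LIBXML_NONET and without LIBXML_NOENT, so external entities are neither fetched nor expanded.

```php
<?php
// Added example: validate an untrusted XML document against our own DTD,
// then extract the fields the rest of the code depends on.
declare(strict_types=1);

// The structure we accept, constructed for this example.
const EMAIL_DTD = <<<'DTD'
<!DOCTYPE email [
  <!ELEMENT email (to, from, subject, body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT subject (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>
DTD;

// Returns the four fields, or null for anything that does not follow the convention.
function parseEmail(string $xml): ?array
{
    libxml_use_internal_errors(true);   // collect parse/validation errors instead of warnings

    // First pass: parse only. LIBXML_NONET blocks network fetches; LIBXML_NOENT
    // is deliberately absent so entity expansion (XXE) cannot happen.
    $raw = new DOMDocument();
    if (!$raw->loadXML($xml, LIBXML_NONET) || $raw->doctype !== null) {
        libxml_clear_errors();
        return null;                     // malformed, or tried to bring its own DTD
    }

    // Second pass: re-serialise the root element under OUR DOCTYPE and validate.
    $dom = new DOMDocument();
    $dom->loadXML(EMAIL_DTD . "\n" . $raw->saveXML($raw->documentElement), LIBXML_NONET);
    if (!$dom->validate()) {
        libxml_clear_errors();
        return null;
    }

    // Now $sx->to etc. are guaranteed present, exactly as the post wants.
    $sx = simplexml_import_dom($dom);
    return [
        'to'      => (string) $sx->to,
        'from'    => (string) $sx->from,
        'subject' => (string) $sx->subject,
        'body'    => (string) $sx->body,
    ];
}

// Constructed inputs: conforming, missing <to>, and one carrying its own DOCTYPE.
$good = '<email><to>a@example.com</to><from>b@example.com</from>'
      . '<subject>hello</subject><body>text</body></email>';
$missingTo = '<email><from>b@example.com</from><subject>hello</subject><body>text</body></email>';
$ownDtd = '<!DOCTYPE email [<!ELEMENT email ANY>]>' . $missingTo;

var_dump(parseEmail($good));
var_dump(parseEmail($missingTo));
var_dump(parseEmail($ownDtd));
```

If the application later moves to XSD, DOMDocument::schemaValidateSource() gives the same "validate against a schema we control" property without the DOCTYPE dance.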
  22. You're wasting your time, people just don't bother to logout from most web applications. If they do logout, you simply need to run in your logout script an UPDATE query that sets your logout_time or whatever you called it to NOW() and mysql will set the logout time. Login is something they *need* to do, assuming authentication is important, so you're better off updating the table to indicate their last login.
  23. This topic often confuses people, although it doesn't need to. Here are the numbers associated with each permission:

Read (R) - 4
Write (W) - 2
Execute (X) - 1

You can see that adding these numbers up in different ways gives you a number of numeric combinations: RWX = 7, RX = 5. There are also 3 groups that permissions pertain to:

User that owns the directory (U)
Group that owns the directory (G)
Everyone else (aka Other) (O)

When you talk about a listing of permissions as a 3 digit number like 777, what you're really talking about is: User/Owner = 7, Group = 7, Others = 7. What often confuses people is that the combinations for directories and files are the same; however, the meaning is entirely different in the context of a directory. Here's a description of what the flags mean for a directory:

Read - List the directory's contents.
Write - Write a file to the directory.
Execute - CD (change directory) into and "enter" the directory.

To DWilliams' point, you can't examine these questions in a vacuum. You need to know:
-Who owns the director(ies) in question. Each directory has an owner/group combination.
-How is apache configured to run php.
He described the typical configuration where php is essentially a part of apache, via mod_php. I do have to point out that most shared hosts use fastcgi so they can control permissions of individual directories securely. With fastcgi php runs as a separate process, where the permissions become those of an individual user/group combination -- usually this is an individual user account set up and configured by the host for each request. In other words, rather than the apache process owning a file, or needing permissions to rwx a directory, it will be whatever the specific user running that request happens to be, and there will be a user for every different site that exists on the shared server. You need to determine your configuration before you look at these questions.

If running as an apache module, then the permissions are relative to the user apache is running as, which could be apache or nobody, or any user the sysadmin desires. Users also have 1 or more groups associated with them. With that said, let's look at 777 vs. 755 for a directory. What is the difference? The only thing different with 755 is that the user/group is missing the WRITE permission. So what that tells you is that the directory in question where you are trying to write the files does not allow the user (probably apache) to be able to write them, because apache is neither the owner of the directory nor a member of the group that owns the directory. When you say that 777 has "security problems" I think you need to question/understand what that means. Probably it does not mean what you think it does. Chances are the reason the script works is that the owner of the directory is some user other than apache, and thus apache falls in the "Other" category. It needs the 7 permission to be able to write a file into it. No other permission will do. There is no getting around having a user that needs to write a file and read it later in this context, that doesn't have a RWX permission. Now for files, that is another story. For a file the Execute permission is exactly what it says it is -- it allows you to "Execute" (run) a program or script. If your script has a hole in it that lets someone write a file into the directory that is meant to be an image, but instead they are able to fill the file with code, and then name the file myimage.php, AND the script allows the file to have the execute permission set, then you have a real problem on your hands. I'm starting to write a chapter of a book here, so I'm going to wrap this up, and state that umask and chmod are two related permission commands/features that should help you complete your understanding of this topic.

Umask is important to understand, because the umask is what affects the permissions a newly created file will have in a directory. Hopefully it is apparent that for a directory that is supposed to contain images, having the directory be 777 may be the only way you can allow apache to write image files into the directory. That doesn't need to be a problem if the permission for the image file is 666. The "Other" permission of 6 will allow php to read/write/delete that image file. What could be a problem is that the file gets the 7 permission! This is not a directory permission problem -- it's a file permission problem, and the permissions on the directory are not going to rectify it. Ensure a umask is in place, or have code that CHMOD's the file to only have RW for apache; that is most likely what you need to ensure. One last concept that sometimes comes into play is the "sticky bit", which is an "advanced linux file permission" which you can google and read up on, although it is probably not an issue you need to be concerned about.
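Added example, not from the thread, of the upload handling that posts 11, 14 and 23 circle around: the script creates its own upload directory (so the PHP user owns it and "other" needs nothing), sets a umask before writing, stores the file under a server-chosen name with the type decided by content rather than by the browser-supplied filename, and chmods it to 0644. The 0644 differs from the post's 0666 on purpose: because the script's own user owns the file, owner rw is enough, and no execute bit can survive. It also includes a small helper that renders the 4/2/1 arithmetic the post lays out. The upload bytes are constructed inline (a 1x1 GIF), paths go under the system temp directory, and a POSIX filesystem plus the fileinfo extension are assumed.

```php
<?php
// Added example: store an uploaded image so the directory stays writable for
// the PHP user while the stored file can never be executed. The upload bytes
// and paths are constructed for the example; a POSIX filesystem is assumed.
declare(strict_types=1);

// Render an octal mode the way `ls -l` does: 0755 -> "rwxr-xr-x".
function modeToString(int $mode): string
{
    $out = '';
    foreach ([6, 3, 0] as $shift) {           // user, group, other
        $bits = ($mode >> $shift) & 7;
        $out .= ($bits & 4) ? 'r' : '-';      // read    = 4
        $out .= ($bits & 2) ? 'w' : '-';      // write   = 2
        $out .= ($bits & 1) ? 'x' : '-';      // execute = 1
    }
    return $out;
}

// Accept only known image types, decided from the bytes, and name the file ourselves.
function storeImage(string $bytes, string $uploadDir): string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected upload of type $mime");
    }

    // umask(022): every file created from here on loses group/other write.
    // The directory is created by this script, so the PHP user owns it and
    // needs rwx (the 7); group and other get rx (the 5s).
    umask(022);
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true)) {
        throw new RuntimeException("cannot create $uploadDir");
    }

    // Never use the client's filename: "myimage.php" must not reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $path = $uploadDir . DIRECTORY_SEPARATOR . $name;
    if (file_put_contents($path, $bytes) === false) {
        throw new RuntimeException("cannot write $path");
    }
    // An image is data: strip any execute bit regardless of umask or filesystem defaults.
    chmod($path, 0644);
    return $path;
}

// 1x1 transparent GIF, constructed for the example.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$dir = sys_get_temp_dir() . '/upload-example-' . getmypid();

$saved = storeImage($gif, $dir);
printf("%s %s\n", modeToString(fileperms($saved) & 0777), $saved);
printf("%s %s\n", modeToString(fileperms($dir) & 0777), $dir);

try {
    storeImage("<?php system(\$_GET['c']); ?>", $dir);   // PHP source is not an image
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

On a shared host running PHP under FastCGI as your own account, this is the whole story; under mod_php the same code runs as the apache user, and the directory it creates is then owned by apache, which is exactly what post 14 recommends over handing "other" a 7.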
  24. You'll have to be more specific -- provide some context, or a description of the problem you are trying to solve, or the code you're working on and how nodes figure into it.