NotionCommotion
Members
Posts: 2,446
Days Won: 10
Everything posted by NotionCommotion
-
Please keep replies on topic. I am aware of the XY debate and sure Barand is as well, but would appreciate if you please assume I really want only Y.
-
Thanks Psycho. Per the documentation, using them might not be secure. Probably okay for my needs, but worth considering. More so, from a UX perspective, I wonder if doing so will bring more difficulty to the user. I see that Microsoft uses something like MWX42-DF8S1-4FR8G-FSDF3-FDSD1 as the software key. It appears that confusing letters have been removed, and by using the full range of letters, it is slightly shorter. If used, just store them as CHAR(36) with the hyphens?
-
I have database records owned and maintained by different individuals. I wish to allow one user the ability to synchronize to another user's data. I don't wish to make the PK public, and thus am asking how to best come up with a second "public" identifier.
-
Help sanitizing this script against mysql injection
NotionCommotion replied to ababba2's topic in PHP Coding Help
You should be fine. After looking at your original script, I see you have is_numeric($_POST['id']) in your IF statement, so technically you might not have needed to escape it. That being said, you are almost always better off doing so just so you don't change the code and forget. I still think PDO is an easier to maintain solution as well.
-
Help sanitizing this script against mysql injection
NotionCommotion replied to ababba2's topic in PHP Coding Help
Your danger is:
WHERE `id` = " . $_POST['id'] . "
Your best bet is using PDO's prepared statements. If not, use something like http://php.net/manual/en/mysqli.real-escape-string.php.
-
I would like to add a second unique identifier for each record in a database table which is independent of the table's PK and offers the following:
1. Very difficult to guess.
2. Almost zero possibilities of duplicates.
3. Appears similar to other unique identifiers (such as software keys, etc) seen by typical users.
4. As easy as possible for someone to give the identifier to another person.
My objectives 1 and 2 appear to be met by using something like 54b7ac997faf29b772827ff10f6128eb generated by bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)). Agree, or something different?
Objectives 3 and 4 still need some work. I would like to shorten it by using the full alphabet and zero to 9. Should I limit alphabet characters to uppercase only? Which characters should be excluded? 0 (zero) and O (letter o) seem confusing. Should they both be excluded? 1 (one) and l (letter L) seem confusing, but maybe only if I don't limit to uppercase only. Are U and V a problem? Any other characters?
How should I implement this? I am thinking of something like the following using https://github.com/ademarre/binary-to-text-php. Agree, or something different? Should I use base 5, or something different?
$encoder = new Base2n(5, '23456789ABCDEFGHJKMNPQRSTUVWXYZ');
$raw_token = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
$activation_code = $encoder->encode($raw_token);
What should be stored in the database? The encoded or pre-encoded version? Seems to me the encoded version should, as it will make future queries easier, but would like other opinions. If I store the encoded version, what will be the maximum size of the string?
How should it be formatted? For instance, maybe each 4 characters separated by a hyphen?
Are there other important factors which I did not address above?
Thank you
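An added example (my code, not the poster's or the Base2n library's) that implements the idea in this post end to end: random bytes from the CSPRNG, a 5-bit-per-symbol encoding over an alphabet without 0/O and 1/I, hyphen grouping, and normalisation of whatever a user types back in. It assumes PHP 7+, where random_bytes() replaces mcrypt_create_iv() (the mcrypt extension was removed in PHP 7.2). Note that 5 bits per symbol needs exactly 32 symbols and the alphabet quoted in the post has 31, so uppercase L is kept here; it is only confusable with 1 when lowercase letters are allowed, and this alphabet is uppercase-only.

```php
<?php
// Added example, not the poster's code. Generates a second "public" identifier
// from CSPRNG bytes and encodes it into a 32-symbol alphabet that omits the
// confusable 0/O and 1/I. Assumes PHP 7+ (random_bytes() stands in for the
// post's mcrypt_create_iv(); mcrypt was removed in PHP 7.2).
declare(strict_types=1);

// 32 symbols = 2^5, so every symbol carries exactly 5 bits. The post's list has
// 31 symbols; uppercase L is kept because it is only confusable with 1 when
// lowercase letters are allowed, and this alphabet is uppercase-only.
const PUBLIC_ID_ALPHABET = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';

// Bit-slice raw bytes into 5-bit symbols (a base32 variant with a custom alphabet).
function encodeSymbols(string $bytes): string
{
    $out = '';
    $buffer = 0;   // bits accumulated but not yet emitted
    $bits = 0;     // how many bits $buffer currently holds
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $buffer = ($buffer << 8) | ord($bytes[$i]);
        $bits += 8;
        while ($bits >= 5) {
            $bits -= 5;
            $out .= PUBLIC_ID_ALPHABET[($buffer >> $bits) & 0x1F];
        }
        $buffer &= (1 << $bits) - 1;  // discard emitted bits so the integer never overflows
    }
    if ($bits > 0) {                  // pad the last partial symbol with zero bits
        $out .= PUBLIC_ID_ALPHABET[($buffer << (5 - $bits)) & 0x1F];
    }
    return $out;
}

// Inverse of encodeSymbols(); the trailing padding bits are dropped.
// Any character outside the alphabet (including 0, 1, I, O) is rejected.
function decodeSymbols(string $symbols): string
{
    $out = '';
    $buffer = 0;
    $bits = 0;
    for ($i = 0, $n = strlen($symbols); $i < $n; $i++) {
        $value = strpos(PUBLIC_ID_ALPHABET, $symbols[$i]);
        if ($value === false) {
            throw new InvalidArgumentException("Symbol '{$symbols[$i]}' is not in the alphabet");
        }
        $buffer = ($buffer << 5) | $value;
        $bits += 5;
        if ($bits >= 8) {
            $bits -= 8;
            $out .= chr(($buffer >> $bits) & 0xFF);
            $buffer &= (1 << $bits) - 1;
        }
    }
    return $out;
}

// Insert a hyphen after every $group symbols for readability (XXXX-XXXX-...).
function formatPublicId(string $symbols, int $group = 4): string
{
    return implode('-', str_split($symbols, $group));
}

// Undo user-side damage before a lookup: lowercase typing, pasted hyphens, spaces.
function normalizePublicId(string $input): string
{
    return preg_replace('/[^A-Z0-9]/', '', strtoupper($input));
}

// Length of the hyphenated form for a given number of random bytes
// (what the storage column has to hold).
function publicIdLength(int $bytes, int $group = 4): int
{
    $symbols = intdiv($bytes * 8 + 4, 5);            // ceil(bits / 5)
    return $symbols + intdiv($symbols - 1, $group);  // one hyphen per full group boundary
}

function generatePublicId(int $bytes = 16): string
{
    return formatPublicId(encodeSymbols(random_bytes($bytes)));
}

// Constructed usage: 16 bytes -> 26 symbols -> 32 characters with hyphens,
// and a round trip through the normaliser from lowercase user input.
$raw = random_bytes(16);
$id  = formatPublicId(encodeSymbols($raw));
printf("%s (%d chars, expected %d)\n", $id, strlen($id), publicIdLength(16));
$roundTrip = decodeSymbols(normalizePublicId(strtolower($id))) === $raw;
echo 'lowercase input round-trips: ', var_export($roundTrip, true), "\n";
```

On the storage question in the post: the length of the encoded form is fixed for a given byte count, so the normalised symbol string (26 characters for 16 bytes, 32 with hyphens) fits a CHAR column, and a UNIQUE index on that column is what actually guarantees objective 2; the 128 bits of randomness make a collision vanishingly unlikely, the index makes it impossible.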
-
I ended up going with the following for a while:
From Email: myaccount@mydomain.tld
From Name: theirname <theiremail@theirdomain.tld>
Users were confused as it appears it was sent by or would be returned to both addresses, as typical email clients will show both emails in list view (both are shown in detail view, but I think people have been accustomed to not noticing). I've since gone to:
From Email: myaccount@mydomain.tld
From Name: theirname
While maybe not perfect, I think it is the best compromise to meet user expectations and pass through email servers.
-
Character issues when using DOMDocument
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
Solved by using
$message = mb_convert_encoding($message, 'HTML-ENTITIES', 'UTF-8');
Note that
$message= str_replace(' ', ' ', $message);
is also no longer needed.
-
Character issues when using DOMDocument
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
Any reason this shows zero views? Any help would be appreciated. Thank you
-
Script struggles with more than 25 letters or multiple spaces
NotionCommotion replied to Boxerman's topic in PHP Coding Help
Which of the three methods are you having problems with?
-
??? SELECT Name, Town, Category FROM customer1 WHERE Name = "Bob" AND Town="San Francisco";
-
Starting with some user provided HTML, I wish to purify it as best as I reasonably can, then use DOMDocument() to replace some tags, and finally email it. To do so, I created the following script:

<?php
//The following message is generated when the user cuts-and-pastes something from an outlook email into a TinyMCE editor.
$message = <<<EOT
<div>Start</div>
<div> </div>
<div>foo bar</div>
<div> </div>
<p> </p>
<p>bla bla bla: “something in quotes” bla bla bla</p>
<div>End</div>
EOT;
echo("Raw message: $message\n\n");
//$message= str_replace(' ', ' ', $message); //Hack to prevent line spaces <p> </p> to be converted to <p> </p> and then to <p> </p>
require('../../../application/classes_3rd/htmlpurifier/library/HTMLPurifier.auto.php');
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$message=$purifier->purify($message);
echo("Purified message: $message\n\n");
//While not shown, I use DOMDocument to replace some tags.
$doc = new DOMDocument();
$doc->loadHTML($message);
$body = $doc->getElementsByTagName('body')->item(0);
$message=$doc->saveHTML($body);
echo("Modified message: $message\n\n");
//email the message (not shown)

The output is as follows. Notice the  and â symbols. When emailed, they cause even more havoc.

Raw message: <div>Start</div> <div> </div> <div>foo bar</div> <div> </div> <p> </p> <p>bla bla bla: “something in quotes” bla bla bla</p> <div>End</div>

Purified message: <div>Start</div> <div> </div> <div>foo bar</div> <div> </div> <p> </p> <p>bla bla bla: “something in quotes” bla bla bla</p> <div>End</div>

Modified message: <body> <div>Start</div> <div> </div> <div>foo bar</div> <div> </div> <p> </p> <p>bla bla bla: âsomething in quotesâ bla bla bla</p> <div>End</div> </body>

I could make some progress by un-commenting line 15 and replacing with a blank space, and now get the following output which doesn't have the  symbols but still has the and â symbols. What is the best way to deal with this?
Thanks

Raw message: <div>Start</div> <div> </div> <div>foo bar</div> <div> </div> <p> </p> <p>bla bla bla: “something in quotes” bla bla bla</p> <div>End</div>

Purified message: <div>Start</div> <div> </div> <div>foo bar</div> <div> </div> <p> </p> <p>bla bla bla: “something in quotes” bla bla bla</p> <div>End</div>

Modified message: <body> <div>Start</div> <div> </div> <div>foo bar</div> <div> </div> <p> </p> <p>bla bla bla: âsomething in quotesâ bla bla bla</p> <div>End</div> </body>
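An added example (my code, not the poster's) for the encoding problem in this thread. DOMDocument::loadHTML() assumes ISO-8859-1 unless the markup declares its charset, which is how the UTF-8 bytes of the curly quotes come back as "â" sequences. Declaring the encoding to libxml before the fragment avoids the problem without turning every non-ASCII character into an entity, and without mb_convert_encoding(..., 'HTML-ENTITIES'), which PHP 8.2 deprecates. It assumes PHP 7+ and that HTMLPurifier has already run on the input, as in the post; the div-to-p rewrite stands in for the unshown tag replacement and the sample message is constructed.

```php
<?php
// Added example, not the poster's code. DOMDocument::loadHTML() assumes
// ISO-8859-1 unless the markup declares its charset; telling libxml the
// encoding up front keeps UTF-8 text intact through parse and serialise.
// HTMLPurifier is assumed to have run before this step, as in the post.
declare(strict_types=1);

// Parse a UTF-8 fragment. The XML prologue sets the document encoding; it is
// never emitted because only the <body> children are serialised afterwards.
function loadUtf8Html(string $fragment): DOMDocument
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    libxml_use_internal_errors(true);             // unknown tags produce warnings, not failures
    $doc->loadHTML('<?xml encoding="UTF-8"?>' . $fragment);
    libxml_clear_errors();
    return $doc;
}

// Stand-in for the tag rewriting the post leaves out: every <div> becomes <p>.
// A constructed transformation, only to show a DOM edit surviving the round trip.
function divsToParagraphs(DOMDocument $doc): void
{
    // Snapshot first: the live NodeList shrinks while nodes are replaced.
    $divs = iterator_to_array($doc->getElementsByTagName('div'));
    foreach ($divs as $div) {
        $p = $doc->createElement('p');
        while ($div->firstChild !== null) {
            $p->appendChild($div->firstChild);    // move children, keeping their text nodes
        }
        $div->parentNode->replaceChild($p, $div);
    }
}

// Purified fragment in, rewritten UTF-8 body fragment out (no <body> wrapper).
function rewriteMessage(string $purified): string
{
    $doc = loadUtf8Html($purified);
    divsToParagraphs($doc);
    $body = $doc->getElementsByTagName('body')->item(0);
    $html = '';
    foreach ($body->childNodes as $child) {
        $html .= $doc->saveHTML($child);
    }
    return $html;
}

// True when the curly quotes survived as U+201C / U+201D, whether written as
// characters or as entities; mojibake such as "â€œ" does not pass.
function keepsCurlyQuotes(string $html): bool
{
    $decoded = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strpos($decoded, "\u{201C}") !== false && strpos($decoded, "\u{201D}") !== false;
}

// Constructed sample resembling the pasted Outlook content in the post.
$message = "<div>Start</div>\n<div>&nbsp;</div>\n"
         . "<p>bla bla bla: \u{201C}something in quotes\u{201D} bla bla bla</p>\n<div>End</div>";
$out = rewriteMessage($message);
echo $out, "\n";
echo 'curly quotes intact: ', var_export(keepsCurlyQuotes($out), true), "\n";
```

Whatever the DOM step produces, the outgoing mail still has to declare the charset of its HTML part (PHPMailer's CharSet property is where that lives), otherwise the receiving client makes the same ISO-8859-1 guess that libxml did here.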
-
Once you echo anything, you cannot set any headers or sessions. Do all your work first, and then display content. Even a simple empty space is too much. PS. You are not escaping your SQL. Recommend using prepared statements all the time until you know when you can do differently.
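An added example (my code, not from either thread) serving both the "Help sanitizing this script" replies and the prepared-statement advice in this post. It places the concatenated WHERE clause those replies warn about next to a parameterised PDO lookup, on a constructed in-memory SQLite table so it runs without a MySQL server (it assumes PHP 7+ with the pdo_sqlite extension; the table, rows and inputs are all constructed).

```php
<?php
// Added example, not from the threads. The concatenated query the replies
// warn about, beside a validated and parameterised PDO lookup, on a
// constructed in-memory SQLite table (needs pdo_sqlite).
declare(strict_types=1);

function buildSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO items (id, name) VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma')");
    return $pdo;
}

// The pattern from the original post: request data pasted straight into SQL.
// Anything that is not a plain integer changes the query itself.
function lookupUnsafe(PDO $pdo, string $postedId): array
{
    $sql = "SELECT id, name FROM items WHERE id = " . $postedId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the type first, then bind the value as a
// parameter so it can never be read as SQL. is_numeric() would also accept
// forms such as "1e3" or " 2", so FILTER_VALIDATE_INT is the stricter check.
function lookupSafe(PDO $pdo, string $postedId): ?array
{
    $id = filter_var($postedId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                               // reject here: log it, answer 400, etc.
    }
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo      = buildSampleDb();
$normal   = '2';
$tampered = '2 OR 1=1';   // constructed input: a tautology appended to a valid id

printf("unsafe, normal input:   %d row(s)\n", count(lookupUnsafe($pdo, $normal)));
printf("unsafe, tampered input: %d row(s)\n", count(lookupUnsafe($pdo, $tampered)));
printf("safe, normal input:     %s\n", json_encode(lookupSafe($pdo, $normal)));
printf("safe, tampered input:   %s\n", json_encode(lookupSafe($pdo, $tampered)));
```

With the tampered input the concatenated query returns the whole table, because the appended condition became part of the statement; the parameterised version never reaches the database with that input at all, and even if the validation were dropped, a bound parameter is sent as a value, not as SQL text.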
-
Hi, I have a layout with a sidebar and image background. Please see https://output.jsbin.com/gujonedije. If the amount of content in #custom-content exceeds a given amount, I either need a scrollbar or need the total height of the page to increase. As seen, I have added a scrollbar, but it looks a little odd as it is centered in the page. Given the sidebar, is it possible to put it on the far right of the page? Or can I modify the script to allow the total height of the page to increase? Not sure how to do this given the full page image background. Thanks

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Testing template</title>
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/3.0.3/normalize.css">
<link rel="stylesheet" type="text/css" href="main.css">
</head>
<body class="metal">
<div id="header"> </div>
<div id="middle">
<div id="sidebar"><p>My Sidebar</p></div>
<div id="content">
<ul id="mainMenu"></ul>
<div id="wrapper">
<div style="height:400px;">Stuff goes here. Keep height fixed.</div>
<div id="custom-content">
<p>Page should adapt to this content.</p>
<p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p><p>bla</p>
</div>
</div>
</div>
</div>
<div id="footer">
<div class="footer-block">
<div class="footer-bottom">
<ul id="subMenu" class="submenu"></ul>
</div>
</div>
</div>
</body>
</html>

#custom-content{height:400px;overflow-y:auto;}
body { font-family:Arial, Helvetica, sans-serif; background-color: #CECECE }
.right{float:right;}
.left{float:left;}
.clear { clear:both; }
#header { height:60px; background:url(http://i.imgur.com/sihSa9h.png) repeat-x #e2e2e2; }
#middle { /* DONE LATER: background-image: url("../images/background3.jpg "); */ background-repeat: no-repeat; background-size: cover; background-position: center; height:900px; min-width: 1015px;/*960px(content)+50px(sidebar) plus a little extra for good measures */ }
#sidebar { /*background-color: #FFFFFF; opacity: 0.30;*/ background: rgba(255, 255, 255, .3); filter: alpha(opacity=30); /*ie8*/ border-right: 4px solid #f15a29; height:100%; width:50px; float:left; }
#sidebar p { -webkit-transform: rotate(-90deg); -moz-transform: rotate(-90deg); -o-transform: rotate(-90deg); -ms-transform: rotate(-90deg); transform: rotate(-90deg); position: relative; top: 50%; font-size:30px; white-space: nowrap; }
#content {margin:0 auto; width: 960px;padding-top:45px;overflow-x:auto;height:100%}
#wrapper{padding-top:20px;}
#footer { height:60px; background:url(http://i.imgur.com/juPqbXY.png) repeat-x #e2e2e2; }
#footer .footer-block { width:960px; margin:0 auto; }
#footer .footer-bottom { clear:both; margin-top:3px; }
body.metal #middle { background-image:url(http://i.imgur.com/UlDBmPh.jpg); }
#middle div { color:#FFF; }
-
For the record, ginerjm, I don't want to allow people to send out fake emails and generate spam. While I had been setting the SetFrom address as the user's email, I stated in my response to gizmola that I no longer think it is a good idea. It has nothing to do with ethics, as I feel in an ideal world it is more appropriate to display the identifying email of the individual who authored and sent the communication, and only to do with how to feasibly deliver well intended emails. I agree, requinix, there are many legitimate use cases. To see how Evite does it, I just signed up. They use the recipient’s name and reply email, but an Evite from email. I think this is what I will do. My problem with the SPF/DKIM option is it would be too much work for some small individual in a big organization to get IT to make the changes (or am I missing something?). Thanks gizmola. Bigcorporation.com is only a possible recipient. The headers I showed you came from my site, and went to my gmail account. I think I am benefiting from mywebhosting.com’s whitelisting, and while I am not sending out spam, I should not take it for granted. Agree an email from my site as the FROM email, the user’s name, and the user’s email as reply only makes sense?
-
Hi gizmola, Thank you for your comprehensive response. I learned a new word today: “nefarious”. Well used. I have had almost 100% delivery success when using both gmail smtp servers as well as my hosting company's smtp servers. The one issue I have witnessed is when sending an email where the FROM email belonged to a large company and the recipient belonged to that same domain, the email wasn’t delivered. That being said, it appears that I have been relaying and you have me convinced that negative consequences will likely arise in the future. A typical email header when sent to a gmail account looks like the following (if I send it to a corporate email, there is much more). Relaying? Do you mind explaining any other implications gleaned from these headers?

Delivered-To: jane.recipient@gmail.com
Received: by 10.27.231.134 with SMTP id e124asp2784405wlh; Mon, 30 Nov 2015 07:02:42 -0800 (PST)
X-Received: by 10.50.18.114 with SMTP id v18xr418453asd.91.1448895762159; Mon, 30 Nov 2015 07:02:42 -0800 (PST)
Return-Path: <john.sender@bigcorporation.com>
Received: from smtp1.mywebhosting.com (smtp1.mywebhosting.com. [987.654.32.109]) by mx.google.com with SMTP id 88si11073401ioi.168.2015.11.30.07.02.41 for <jane.recipient@gmail.com>; Mon, 30 Nov 2015 07:02:42 -0800 (PST)
Received-SPF: neutral (google.com: 987.654.32.109 is neither permitted nor denied by best guess record for domain of john.sender@bigcorporation.com) client-ip=987.654.32.109;
Authentication-Results: mx.google.com; spf=neutral (google.com: 987.654.32.109 is neither permitted nor denied by best guess record for domain of john.sender@bigcorporation.com) smtp.mailfrom=john.sender@bigcorporation.com
Received: (qmail 30248 invoked from network); 30 Nov 2015 15:05:52 -0000
Received: from unknown (HELO subdomain.mysite.com) (outgoing@mysite.com@123.456.789.01) by smtp1.mywebhosting.com with (DHE-RSA-AES256-SHA encrypted) SMTP; Mon, 30 Nov 2015 10:05:52 -0500
Date: Mon, 30 Nov 2015 07:02:40 -0800
To: Jane Doe <jane.recipient@gmail.com>
From: John Doe <john.sender@bigcorporation.com>
Subject: Request for Bid - My Subject
Message-ID: <d8513dfb2385467256e7684c6913fef8@subdomain.mysite.com>
X-Mailer: PHPMailer 5.2.12 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_d8513dfb2385467256e7684c6913fef8"
Content-Transfer-Encoding: 8bit

The trick of using a valid FROM email address and the email author’s email address for the REPLY TO doesn’t seem that bad. You stated “I know that's not what you're trying to do…”. Are there many shortcomings of this approach? If the email author’s email address is john.sender@bigcorporation.com, would it work to use a fictional FROM email of john.sender@mysite.com and a REPLY email of john.sender@bigcorporation.com? Thanks again!
-
Thanks requinix, I currently have some notice at the bottom of the email stating that the email was sent by mysite.com. Yes, bigcorporation.com is the domain I am claiming to send as. In response to your three options:
Maybe it will be viable if I give the user the ability to either use their own email service, or if they don't know it or wish to share it, use mine at the risk of having emails to their intended recipients be blocked. If I worked at bigcorporation.com, however, I would likely be wary of doing so as I might get in trouble.
For DKIM and SPF, will the IT manager of bigcorporation.com need to alter the company's email policies? If so, probably not going to happen.
Maybe. At a minimum, most email clients would display the recipient's name, true? Using their email as the reply email will never be blocked, right? Maybe adding something to the effect of "Sent on behalf" as the send email address will make it more clear?
-
I have a website which allows users to send emails on their behalf. I am using PHPMailer with smtp using the mailserver provided by my hosting company, and setting SetFrom as the user's email. As the user is generating the email, I don't think I am doing anything unethical or illegal. If you disagree, please advise why. Recently I noticed Gmail displayed the following warning when receiving such an email: Upon clicking "Learn more", multiple pieces of content were displayed; however, it appears that the following applied. Is this what is causing this warning? Is there anything that can be done to prevent it? If need be, an acceptable solution is to have the user provide such authentication data, store it in a DB, and include it with all emails initiated by him or her.
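An added example (my code, not the poster's) that builds the header pair this thread settles on: From stays on the site's own domain, the one whose SPF and DKIM records the site controls, while the user appears only in the display name and in Reply-To. It also checks the two user-supplied values so a name or address cannot carry a line break into the header block. It assumes PHP 7+; the site address and the user are constructed placeholders, and with PHPMailer the two values map onto setFrom() and addReplyTo(), which is not needed to run this.

```php
<?php
// Added example, not the poster's code. From stays on the site's domain (the
// domain whose SPF/DKIM the site controls); the user is carried in the display
// name and Reply-To. User-supplied values are cleaned so they cannot add
// headers of their own.
declare(strict_types=1);

const SITE_FROM_ADDRESS = 'noreply@mysite.example';   // constructed placeholder

// A header value is a single line. A CR or LF inside a user-controlled name
// would end the header and let whatever follows become a new one, so control
// characters are removed; quotes and angle brackets go too, so the display
// name cannot be made to look like a second address.
function cleanDisplayName(string $name): string
{
    return trim(preg_replace('/[\x00-\x1F\x7F"<>]/', '', $name));
}

// Returns ['From' => ..., 'Reply-To' => ...] or throws when the input cannot
// be used safely.
function onBehalfHeaders(string $userName, string $userEmail): array
{
    if (filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('reply address is not a valid email address');
    }
    $display = cleanDisplayName($userName);
    if ($display === '') {
        throw new InvalidArgumentException('display name is empty after cleaning');
    }
    return [
        'From'     => sprintf('"%s via mysite.example" <%s>', $display, SITE_FROM_ADDRESS),
        'Reply-To' => sprintf('"%s" <%s>', $display, $userEmail),
    ];
}

// Constructed inputs: a normal user, then a name carrying a line break and an
// extra header line, which the cleaning step flattens into plain text.
foreach (['John Doe', "John Doe\r\nX-Injected: yes"] as $name) {
    foreach (onBehalfHeaders($name, 'john.sender@bigcorporation.example') as $field => $value) {
        echo "$field: $value\n";
    }
    echo "\n";
}
```

Display names containing non-ASCII characters need RFC 2047 encoding before they go on the wire; PHPMailer does that itself when the name is passed as the second argument of setFrom() or addReplyTo() rather than concatenated into the address by hand.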
-
Who uses ON DELETE CASCADE in a PHP application?
NotionCommotion replied to NotionCommotion's topic in MySQL Help
Not worried about ON DELETE CASCADE not being perfect, only my memory not being perfect. Typically I use RESTRICT 90% of the time and SET NULL the rest of the time. I will sometimes attempt to delete a record and catch it and respond if it fails an integrity constraint. Not good if I forgot that I have it set to cascade! I also have a problem with viewing some script, and not seeing the other functionality such as CASCADEs or triggers (not saying I never use triggers, I just don’t make a habit of doing so). I expect better documentation by me may mitigate both of these concerns.
-
Who uses ON DELETE CASCADE in a PHP application?
NotionCommotion replied to NotionCommotion's topic in MySQL Help
Or maybe instead of basing the decision to use ON DELETE CASCADE on the trust of the user who makes the change, it should also be based on the type of record deleted. For instance, is a many-to-many cross table a good candidate to always use it on?
-
Who uses ON DELETE CASCADE in a PHP application?
NotionCommotion replied to NotionCommotion's topic in MySQL Help
I wish to remove all the data that depends on the parent record. So, do you use CASCADE for this need, or do you use RESTRICT or NO ACTION on the dependent records, use the application to first delete the dependent records, and then have the application delete the parent records? Why?
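An added example (my code, not the poster's) for the three posts in this thread: a constructed schema that applies CASCADE to a many-to-many cross table, whose rows mean nothing once either side is gone, and RESTRICT to records with their own business meaning, with the application catching the refused delete rather than remembering which children to remove first. It runs on an in-memory SQLite database (assumes PHP 7+ with pdo_sqlite; SQLite only enforces foreign-key actions when the pragma is switched on for the connection), and every table, row and id is constructed.

```php
<?php
// Added example, not the poster's code. Constructed schema in an in-memory
// SQLite database (needs pdo_sqlite) contrasting the two policies from the
// thread: CASCADE on a cross table, RESTRICT on records in their own right,
// with the application catching the refused delete.
declare(strict_types=1);

function buildDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('PRAGMA foreign_keys = ON');   // SQLite ignores FK actions unless this is on
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Cross table: a membership row means nothing once either side is gone -> CASCADE.
    $pdo->exec('CREATE TABLE user_teams (
        user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
        team_id INTEGER NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
        PRIMARY KEY (user_id, team_id))');
    // Orders are records in their own right; they must never vanish silently -> RESTRICT.
    $pdo->exec('CREATE TABLE orders (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE RESTRICT,
        total REAL NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'ann'), (2, 'bob')");
    $pdo->exec("INSERT INTO teams (id, name) VALUES (10, 'staff'), (11, 'sales')");
    $pdo->exec('INSERT INTO user_teams VALUES (1, 10), (1, 11), (2, 10)');
    $pdo->exec('INSERT INTO orders (id, user_id, total) VALUES (100, 1, 42.0)');
    return $pdo;
}

// Attempt the parent delete and report what the database decided, instead of
// the application having to remember which children must go first.
function deleteUser(PDO $pdo, int $userId): array
{
    try {
        $stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
        $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
        $stmt->execute();
        return ['deleted' => $stmt->rowCount() === 1, 'error' => null];
    } catch (PDOException $e) {
        // The RESTRICT child refuses the delete; PDO reports it as an
        // integrity-constraint violation (SQLSTATE 23000).
        return ['deleted' => false, 'error' => $e->getCode() . ': ' . $e->getMessage()];
    }
}

// $table is one of the constant names above, never user input.
function countRows(PDO $pdo, string $table): int
{
    return (int) $pdo->query("SELECT COUNT(*) FROM $table")->fetchColumn();
}

$pdo = buildDb();
foreach ([1, 2] as $id) {
    $result = deleteUser($pdo, $id);
    printf("delete user %d: %s\n", $id, $result['error'] ?? 'ok');
    printf("  users=%d user_teams=%d orders=%d\n",
        countRows($pdo, 'users'), countRows($pdo, 'user_teams'), countRows($pdo, 'orders'));
}
```

User 1 owns an order, so the delete is refused and nothing changes, including the cross-table rows; user 2 owns only memberships, so the delete succeeds and the cross-table rows for that user disappear with it. The memory problem raised in the thread is addressed by keeping the decision in the schema, where the constraint is visible next to the column it protects, rather than in application code that has to know about every dependent table.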