NotionCommotion
Everything posted by NotionCommotion
-
Try the following. I am expecting you will see "OFFSET -10". Is this what you want?

echo("SELECT records.*, categories.* FROM records LEFT JOIN categories ON records.category_id = categories.category_id WHERE records.category_id = :category_id ORDER BY record_id DESC LIMIT {$limit} OFFSET ".$offset);
-
Maybe I have Apache running as root? Yikes, that wouldn't be good...

drwx------. 4 root root 4096 Dec 14 03:06 httpd
drwxr-xr-x. 2 root root 4096 Dec 16 13:20 test
-
Please elaborate.
-
But I am. To be extra sure, I emptied the file using vi. At first it wouldn't log errors, but I restarted Apache, which resulted in a "[warn] RSA server certificate CommonName (CN)" error, and then they are being logged there. Maybe the file can't be empty? I did the same with syslog, and at first it wasn't being written to, but after restarting rsyslog, it too is being written to. I guess this one makes more sense because I think PHP is just invoking root's syslog. And, no, I am not running as root. I tested that with get_current_user(), and am running as phped.

[root@devserver test]# pwd
/var/log/httpd/test
[root@devserver test]# ls -l
total 455756
-rw-r--r--. 1 root root  54859022 Dec 16 12:13 access.log
-rw-r--r--. 1 root root      1097 Dec 16 12:16 error.log
-rw-r--r--. 1 root root  24027750 Dec 16 12:13 forwarded.log
-rw-r--r--. 1 root root  54859022 Dec 16 12:13 log
-rw-r--r--. 1 root root 332912008 Dec 16 12:13 rewrite
-rw-------. 1 root root      1514 Dec 16 12:13 syslog.log
[root@devserver test]# vi error.log
[root@devserver test]# vi syslog.log
[root@devserver test]# ls -l
total 455748
-rw-r--r--. 1 root root  54859022 Dec 16 12:13 access.log
-rw-r--r--. 1 root root         0 Dec 16 12:18 error.log
-rw-r--r--. 1 root root  24027750 Dec 16 12:13 forwarded.log
-rw-r--r--. 1 root root  54859022 Dec 16 12:13 log
-rw-r--r--. 1 root root 332912008 Dec 16 12:13 rewrite
-rw-------. 1 root root         0 Dec 16 12:18 syslog.log
[root@devserver test]# # Use PHP
[root@devserver test]# ls -l
total 455748
-rw-r--r--. 1 root root  54859195 Dec 16 12:19 access.log
-rw-r--r--. 1 root root         0 Dec 16 12:18 error.log
-rw-r--r--. 1 root root  24027834 Dec 16 12:19 forwarded.log
-rw-r--r--. 1 root root  54859195 Dec 16 12:19 log
-rw-r--r--. 1 root root 332913148 Dec 16 12:19 rewrite
-rw-------. 1 root root         0 Dec 16 12:18 syslog.log
[root@devserver test]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@devserver test]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@devserver test]# # Use PHP
[root@devserver test]# ls -l
total 455756
-rw-r--r--. 1 root root  54859368 Dec 16 12:19 access.log
-rw-r--r--. 1 root root       856 Dec 16 12:19 error.log
-rw-r--r--. 1 root root  24027918 Dec 16 12:19 forwarded.log
-rw-r--r--. 1 root root  54859368 Dec 16 12:19 log
-rw-r--r--. 1 root root 332914288 Dec 16 12:19 rewrite
-rw-------. 1 root root       133 Dec 16 12:19 syslog.log
[root@devserver test]# cat error.log
[Tue Dec 16 12:19:33 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Tue Dec 16 12:19:34 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Tue Dec 16 12:19:48 2014] [error] [client 192.168.1.1] An error occurred in script '/var/www/test/html/testing/errors.php' on line 11: Undefined variable: divisor (error no:
[Tue Dec 16 12:19:48 2014] [error] [client 192.168.1.1] An error occurred in script '/var/www/test/html/testing/errors.php' on line 17: Cannot divide by zero (error no: 256)
[Tue Dec 16 12:19:48 2014] [error] [client 192.168.1.1] An error occurred in script '/var/www/test/html/testing/errors.php' on line 23: error_log(/var/log/httpd/test/validation.log): failed to open stream: Permission denied (error no: 2)
[root@devserver test]# cat syslog.log
Dec 16 12:19:48 devserver custom_log: Use this for troubleshooting and not errors?
Dec 16 12:19:48 devserver custom_log: Some error?
[root@devserver test]#
-
Ah, I see. But why can I write to error.log which is in the same directory? PS. Sorry about that earlier post and thank you for deleting it. Curious, though, why it showed zero views....
-
I am trying to learn how to properly log errors. While not the primary topic of this post, I would appreciate any comments on the below script and whether I am doing it "right". Specifically, I am trying to write error_log to a file. I run the below code and get the following response. The first two were expected, but I cannot open validation.log to write to it. I've even made it 0777 but still cannot do so (see the bottom of this post). I've noticed that all the other log files are owned by root with limited permissions, so I would think that I shouldn't have even needed to change the permissions. What am I doing wrong? Thank you

An error occurred in script '/var/www/test/html/testing/errors.php' on line 8: Undefined variable: divisor (error no:
An error occurred in script '/var/www/test/html/testing/errors.php' on line 14: Cannot divide by zero (error no: 256)
An error occurred in script '/var/www/test/html/testing/errors.php' on line 19: error_log(/var/log/httpd/test/validation.log): failed to open stream: Permission denied (error no: 2)

<?php
class test extends base_class
{
    public function testError()
    {
        syslog(LOG_INFO, 'Use this for troubleshooting and not errors?');
        $x = $divisor;   // deliberately undefined, to exercise the handler
    }

    public function testTrigger()
    {
        $divisor = 0;
        if ($divisor == 0) {
            trigger_error("Cannot divide by zero", E_USER_ERROR);
        }
    }

    public function customErrorLogs()
    {
        // message type 3: append to the named file, opened by the PHP worker process
        error_log("Some validation error.", 3, "/var/log/httpd/test/validation.log");
    }
}

abstract class base_class
{
    public function __construct()
    {
        //Should this be setup in httpd.conf?
        ini_set('display_errors', 1);
        error_reporting(E_ALL);
        set_error_handler(array($this, "my_error_handler"));
        //Log all to LOG_LOCAL0 which /etc/rsyslog.conf will send to /var/log/test/syslog.log
        openlog('custom_log', LOG_NDELAY, LOG_LOCAL0);
    }

    public function my_error_handler($errno, $errstr, $errfile, $errline, $errcontext)
    {
        $message = "An error occurred in script '$errfile' on line $errline: $errstr (error no: $errno)";
        // "true ||" forces the development branch for now
        if (true || in_array(substr($_SERVER['HTTP_HOST'], 0, 5), array('local', '127.0', '192.1'))) {
            echo $message . '<hr>';
        } else {
            error_log($message);
            if (($errno != E_NOTICE) && ($errno < 2048)) {
                exit('<div class="error">A system error occurred. We apologize for the inconvenience.</div>');
            }
        }
    }
}

$test = new test();
$test->testError();
$test->testTrigger();
$test->customErrorLogs();
?>

[root@devserver test]# pwd
/var/log/httpd/test
[root@devserver test]# ls -l
total 456828
-rw-r--r--. 1 root    root  54840026 Dec 16 08:29 access.log
-rw-r--r--. 1 root    root   2606759 Dec 16 07:13 error.log
-rw-r--r--. 1 root    root  24020851 Dec 16 08:29 forwarded.log
-rw-r--r--. 1 root    root  54840026 Dec 16 08:29 log
-rw-r--r--. 1 root    root 331450147 Dec 16 08:29 rewrite
-rw-------. 1 root    root       332 Dec 16 08:29 syslog.log
-rwxrwxrwx. 1 Michael www          0 Dec 16 08:27 validation.log
[root@devserver test]#
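The "Permission denied" above is not about validation.log's own mode. httpd opens its access and error logs as root at startup, before it switches to the unprivileged worker user, which is why the root-owned 0644 logs in that directory fill up fine. error_log() with message type 3, by contrast, opens the target file inside the PHP worker at request time, and open(2) must pass a search (x) check on every directory in the path before the file's mode is even looked at. The listing posted later in this thread shows /var/log/httpd as drwx------ root, so the walk is refused there and the 0777 on the file never matters. The following is an added example, not code from the original post: it replays that per-component check over a constructed description of the listing. The user and group names are those that appear on the page; the 0755 mode of /var and /var/log and the worker's membership in group www are assumptions.

```php
<?php
// Added example, not code from the original post: replay the POSIX path permission
// check for the case in this thread. The tree is constructed from the ls -l output
// quoted above (mode, owner, group). The 0755 mode of /var and /var/log and the
// worker user being a member of 'www' are assumptions.
$tree = array(
    '/var'                               => array('mode' => 0755, 'uid' => 'root',    'gid' => 'root'),
    '/var/log'                           => array('mode' => 0755, 'uid' => 'root',    'gid' => 'root'),
    '/var/log/httpd'                     => array('mode' => 0700, 'uid' => 'root',    'gid' => 'root'), // drwx------ in the listing
    '/var/log/httpd/test'                => array('mode' => 0755, 'uid' => 'root',    'gid' => 'root'), // drwxr-xr-x in the listing
    '/var/log/httpd/test/error.log'      => array('mode' => 0644, 'uid' => 'root',    'gid' => 'root'),
    '/var/log/httpd/test/validation.log' => array('mode' => 0777, 'uid' => 'Michael', 'gid' => 'www'),
);

// Does the permission class that applies to $user (owner, group or other) carry the
// requested bit? $want is 'r', 'w' or 'x'. root bypasses mode bits (CAP_DAC_OVERRIDE).
function class_allows(array $node, $user, array $groups, $want)
{
    if ($user === 'root') {
        return true;
    }
    $bits = array('r' => 4, 'w' => 2, 'x' => 1);
    if ($node['uid'] === $user) {
        $shift = 6;            // owner triplet
    } elseif (in_array($node['gid'], $groups, true)) {
        $shift = 3;            // group triplet
    } else {
        $shift = 0;            // other triplet
    }
    return (($node['mode'] >> $shift) & $bits[$want]) !== 0;
}

// open(2) needs search (x) on every directory in the path and $want on the last
// component. Returns null when the open would succeed, otherwise the first component
// that refuses (or that does not exist in $tree).
function first_denied(array $tree, $path, $user, array $groups, $want)
{
    $parts  = array_values(array_filter(explode('/', $path), 'strlen'));
    $last   = count($parts) - 1;
    $prefix = '';
    foreach ($parts as $i => $part) {
        $prefix .= '/' . $part;
        if (!isset($tree[$prefix])) {
            return $prefix;
        }
        $need = ($i === $last) ? $want : 'x';
        if (!class_allows($tree[$prefix], $user, $groups, $need)) {
            return $prefix;
        }
    }
    return null;
}

// error_log($msg, 3, $file) runs inside the worker, here the user the post reports
// (phped): the walk is refused at the 0700 directory, so the file's 0777 is never consulted.
var_dump(first_denied($tree, '/var/log/httpd/test/validation.log', 'phped', array('www'), 'w'));

// httpd opens error.log as root at startup, before switching to the worker user,
// so the same directory is no obstacle and the root-owned 0644 log is written normally.
var_dump(first_denied($tree, '/var/log/httpd/test/error.log', 'root', array('root'), 'w'));
```

On the real box the equivalent checks are namei -l /var/log/httpd/test/validation.log, which prints the mode and owner of every component, and sudo -u WORKER test -w /var/log/httpd/test/validation.log with the httpd User. Note that get_current_user() returns the owner of the script file, not the user the process runs as; posix_geteuid() and posix_getpwuid() report the latter. The fix that keeps least privilege is a separate directory (or a subdirectory with group www and mode 0770) for application-written logs, rather than opening /var/log/httpd to the worker.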
-
Lockout user after failed log on attempts
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
I think this is what I will do. It is strongly based on Jacques's solution (http://forums.phpfreaks.com/topic/293061-validate-username-and-password/?p=1499458), modified as follows:

- Restrict 40 wrong passwords for a given username ever (i.e. a flood of attempts over time); must be reset by the administrator
- Restrict 20 wrong usernames or passwords in the past hour from a given IP. Maybe eliminate, since there can be multiple users behind a common proxy.
- Restrict 3 wrong passwords in the past hour for a given username from a given IP
- Restrict 4 wrong passwords in the past hour for a given username from any IP

An extra column is added to the users table:

login_attempts_long_term INT UNSIGNED NOT NULL DEFAULT 0

One additional table is required.

CREATE TABLE IF NOT EXISTS bad_logins (
  username VARCHAR(50) NOT NULL,
  ip CHAR(15) NOT NULL,
  last_login_attempt DATETIME NOT NULL,
  login_attempts INT UNSIGNED NOT NULL DEFAULT 0,
  PRIMARY KEY (username, ip)
) ENGINE = InnoDB;

<?php
// users.login_attempts and users.last_login_attempt are the columns from the linked solution.
require_once __DIR__ . '/database.php';
$database = get_database_connection();

$stmt = $database->prepare('SELECT login_attempts_long_term FROM users WHERE username=?');
$stmt->execute(array($_POST['username']));
if ($stmt->fetchColumn() > 40) {
    echo('The account is permanently locked because of more than 40 failed log-in attempts. Contact the site\'s administrator to reset.');
} else {
    // Total attempts from this IP across every username tried in the past hour
    $stmt = $database->prepare('SELECT COALESCE(SUM(login_attempts), 0) FROM bad_logins WHERE ip=? AND NOW() < last_login_attempt + INTERVAL 1 HOUR');
    $stmt->execute(array($_SERVER['REMOTE_ADDR']));
    if ($stmt->fetchColumn() > 20) {
        echo('The account is temporarily locked because of more than twenty failed log-in attempts within one hour from this IP.');
    } else {
        $stmt = $database->prepare('SELECT login_attempts FROM bad_logins WHERE username=? AND ip=? AND NOW() < last_login_attempt + INTERVAL 1 HOUR');
        $stmt->execute(array($_POST['username'], $_SERVER['REMOTE_ADDR']));
        if ($stmt->fetchColumn() > 3) {
            echo('The account is temporarily locked because of more than three failed log-in attempts within one hour for this username at this IP.');
        } else {
            /*
             * Increment the log-in attempts counter and fetch the new value with a single atomic operation
             * to prevent race conditions.
             *
             * If the last log-in attempt was more than 1 hour ago, the counter is reset.
             */
            $loginAttemptsCheck = $database->prepare('UPDATE users SET login_attempts = LAST_INSERT_ID(IF(NOW() > last_login_attempt + INTERVAL 1 HOUR, 1, login_attempts + 1)), last_login_attempt = NOW() WHERE username = :username');
            $loginAttemptsCheck->execute(array('username' => $_POST['username']));
            $loginAttempts = $database->lastInsertId();
            if ($loginAttempts <= 4) {
                if (validPassword()) {
                    //Set logon session
                    //Reset users.login_attempts and bad_logins.login_attempts to zero
                    $stmt = $database->prepare('UPDATE users SET login_attempts=0 WHERE username=?');
                    $stmt->execute(array($_POST['username']));
                    // last_login_attempt is NOT NULL without a default, so it must be supplied on insert
                    $stmt = $database->prepare('INSERT INTO bad_logins(username,ip,last_login_attempt,login_attempts) VALUES (?,?,NOW(),0) ON DUPLICATE KEY UPDATE login_attempts=0, last_login_attempt=NOW()');
                    $stmt->execute(array($_POST['username'], $_SERVER['REMOTE_ADDR']));
                } else {
                    echo('invalid password');
                    //Increment login_attempts for this username/IP, resetting it if the last attempt was over an hour ago
                    $stmt = $database->prepare('INSERT INTO bad_logins(username,ip,last_login_attempt,login_attempts) VALUES (?,?,NOW(),1) ON DUPLICATE KEY UPDATE login_attempts=IF(NOW() > last_login_attempt + INTERVAL 1 HOUR, 1, login_attempts+1), last_login_attempt=NOW()');
                    $stmt->execute(array($_POST['username'], $_SERVER['REMOTE_ADDR']));
                    $stmt = $database->prepare('UPDATE users SET login_attempts_long_term=login_attempts_long_term+1 WHERE username=?');
                    $stmt->execute(array($_POST['username']));
                }
            } else {
                echo 'The account is temporarily locked because of more than three (actually four, but do not tell the user because it gives too much information?) failed log-in attempts within one hour.';
            }
        }
    }
}
-
Tracking access of application
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
Also, I just stumbled upon trigger_error() (http://php.net/manual/en/function.trigger-error.php). Is this what you had in mind? -
Lockout user after failed log on attempts
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
Sorry, I should have reviewed the December 12th related post before making my post. Based on the specific objectives of the application, I still think that using IP addresses has some merit. Not to deter the professional hacker, but some stupid hooligan who uses his home PC to lock out another individual (especially vulnerable if emails are used as usernames). It would still need to roll back to some more robust checking as you described under your other post. Unfortunately, doing so goes in the opposite direction of super-simple. -
Nice approach.

login_attempts = LAST_INSERT_ID(IF(NOW() > last_login_attempt + INTERVAL 1 MINUTE, 1, login_attempts + 1)),

Should be

login_attempts = LAST_INSERT_ID(IF(NOW() > last_login_attempt + INTERVAL 1 HOUR, 1, login_attempts + 1)),
-
Lockout user after failed log on attempts
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
Nice post Jacques, Don't know whether I will abandon some sort of log-in check, but good post regardless. -
Because it might allow you to write, test, and maintain your script in less time.
-
Lockout user after failed log on attempts
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
I didn't think of that. Good point. It wouldn't necessarily log the good guy out since he has a session granting him access, but just prevent him from logging in, right? Seems like a good idea to query the failed log on table for a given IP and any username to block a script which is using random usernames and passwords. Think it is better to put a time restriction on excessive failed attempts, or just require to pass a captcha? -
I wish to lock out the user for (3) minutes if they get (4) wrong username/password attempts in (5) minutes. Is this typically tied to a single IP using $_SERVER['REMOTE_ADDR']? Is it a good idea to also check for a given username but from any IP? I might be wrong, but I assume the value in $_SERVER['REMOTE_ADDR'] is under the user's control. Obviously, a session wouldn't be ideal as the associated cookie is under the user's control. Do I need to use the database or is there a better way? Any thoughts or advice would be appreciated.
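On the REMOTE_ADDR question: the web server fills it from the peer address of the TCP connection, so a client cannot simply set it the way it can set a request header such as X-Forwarded-For. What it can be is the address of a proxy or NAT gateway shared by many users, which is the case the later replies in this thread raise, and it is also blindly trusting X-Forwarded-For that would hand control of the lockout key to the attacker. The following is an added example, not code from the original thread: a helper that only honours X-Forwarded-For when the connection really comes from a reverse proxy you operate (the proxy address and the sample requests are constructed), plus normalisation with inet_pton so the lockout table can hold IPv4 and IPv6 in one fixed-width binary column, which the CHAR(15) column in the bad_logins table earlier on this page cannot.

```php
<?php
// Added example, not code from the original thread. Decide which address a login
// throttle should key on. $server is $_SERVER or, as here, a constructed stand-in.
// $trustedProxies is the list of reverse proxies you operate; its contents are an
// assumption for the demonstration.
function client_ip(array $server, array $trustedProxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address: refuse to guess
    }
    // Direct connection: the TCP peer is the client. X-Forwarded-For is ignored here
    // because the client can set it to anything, e.g. to dodge or to trigger a lockout.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Connection from one of our proxies: read X-Forwarded-For from the right, skipping
    // hops we added ourselves; the first address we did not add is the client.
    $header = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if ($header === '') {
        return $remote; // proxy did not forward anything: key on the proxy itself
    }
    $hops = array_map('trim', explode(',', $header));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return null; // malformed or forged header: trust none of it
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote; // every hop was ours: fall back to the proxy address
}

// Binary form for storage and comparison: 4 bytes for IPv4, 16 for IPv6.
// A VARBINARY(16) column holds both; CHAR(15) only fits dotted IPv4.
function ip_to_binary($ip)
{
    $bin = inet_pton($ip);
    return $bin === false ? null : $bin;
}

$proxies = array('10.0.0.5'); // assumed address of the site's own reverse proxy

// Client connects directly and forges X-Forwarded-For: the header is ignored.
$direct = array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1');
var_dump(client_ip($direct, $proxies));

// Same client arriving via the proxy, which appended its view of the peer to the header.
$proxied = array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7');
var_dump(client_ip($proxied, $proxies));

// IPv6 client: 16 bytes, which a CHAR(15) column cannot store.
var_dump(strlen(ip_to_binary('2001:db8::1')));
```

Whatever client_ip() returns is what goes into the per-IP rows; a null result should fail closed (treat the request as a failed attempt against the username only, or reject it) rather than be stored as an empty string that every unattributable request would then share.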
-
Tracking access of application
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
Yea, you are probably right. I've never used error_log() and have only used syslog(). Do you recommend using error_log()? Below is what I am doing. Any recommendations? Thanks

<?php
abstract class base
{
    public function __construct($domain)
    {
        ini_set('display_errors', 1);
        error_reporting(E_ALL);
        set_error_handler(array($this, "my_error_handler"));
        //Log all to LOG_LOCAL0 which is in turn /var/messages/php.log
        openlog('custom_log', LOG_NDELAY, LOG_LOCAL0);
        //otherStuff
    }

    public function my_error_handler($e_number, $e_message, $e_file, $e_line, $e_vars)
    {
        $message = "An error occurred in script '$e_file' on line $e_line: $e_message (error no: $e_number)";
        if (true || in_array(substr($_SERVER['HTTP_HOST'], 0, 5), array('local', '127.0', '192.1'))) {
            echo $message;
        } else {
            syslog(LOG_INFO, 'my_error_handler: ' . $message);
            // Or should I be using something like: error_log ($message, 1, 'errors@gmail.com');
            if (($e_number != E_NOTICE) && ($e_number < 2048)) {
                echo '<div class="error">A system error occurred. We apologize for the inconvenience.</div>';
            }
        }
    }

    //Called from try/catch
    public function sql_error($e, $sql)
    {
        syslog(LOG_INFO, 'SQL Error ' . $sql . ', ' . $e->getMessage() . ', file:' . $e->getFile() . ' line:' . $e->getLine());
        //deal with displaying as applicable
    }

    //Called when the application gets some unexpected results
    public static function application_error($msg, $file, $line)
    {
        syslog(LOG_INFO, 'Application Error - Application - ' . $msg . ', file:' . $file . ' line:' . $line);
        //deal with displaying as applicable
    }

    public function otherMethods()
    {
        echo('Hello');
    }
}
?>
-
Display all errors and notices. Do you get any errors? Are $tbl_name and $active defined? Do you really want if($banres)? Escape your user inputs. Use PDO.
-
Do you have common things you need to do to all products? For instance, computeProduct, orderProduct, buildProduct, etc? By creating a separate class for each product which extends a generic product, your outer application does not need to worry about the specific method names of each product type, and your individual product classes do not need to duplicate the script in the generic product class. Whether you should do so is based on your specific requirements, and there is no absolute answer, however, I expect you should do so. Also, you might want to look into factory method pattern.
-
I am looking to save the user's access of an application. For instance, when they log in, I create a record in the "track_login" table which includes information such as the requesting IP, the user's ID, the date, (not the user's password), etc. And then for every page they visit, I store a record in the "track_page_viewed" table which includes a FK to the "track_login" table and also includes additional information about their request. Both the track_login and track_page_viewed tables are currently in the same database as used by the primary application. So far, so good.

Next, I want to start tracking when a user does special tasks such as when they forget their password and request that a new one be emailed to them. Or maybe when they attempt to login with an invalid username and password. Currently, I just included another table called "track_special" which includes the data, the type of special request, etc.

Now, I am thinking of adding three other things to track:

- General PHP errors
- MySQL errors
- Try/Catch errors which I did not expect to happen

One option is just to add these to my "track_special" table or maybe make one or three new tables in the same database. But is this a good idea? If I have a SQL error, do I really want to store the error in the same database? Maybe I should use a separate database called "myTrackerDB", and include all the above tables in that database? Or maybe I should just write the data to a flat file, and parse the file on a regular basis, and then store the information in the database? Please provide any recommendations, guidance, suggestions, criticism, etc. Thank you
-
Confirmation of my regex attempt
NotionCommotion replied to NotionCommotion's topic in PHP Coding Help
Thanks ChOcu3r, Much nicer! Wish I didn't waste the time trying to use regex, but then again, I need the experience! -
I have possible HTTP_REFERER values such as the following:

[HTTP_REFERER] => http://www.example.com/lib/index.php?cid=components&controller=data&id=17&roles_id=15
[HTTP_REFERER] => http://www.example.com/lib/index.php?cid=createhelp

I am just trying to get the value of "cid". Note that this applies to a TinyMCE plugin, and my $_GET variable does not include "cid". Looking at my $_SERVER array, HTTP_REFERER is the only element that includes "cid". I am also not concerned about spoofing HTTP_REFERER. I am getting the value of "cid" as follows. Is this the right way to do so?

$RegExp = '/index\.php\?cid=([^&]+)/';
preg_match($RegExp, $_SERVER['HTTP_REFERER'], $matches);
exit($matches[1]);
-
So, is the best approach to not include the action attribute?
-
And it validates
-
Yes, this is what I get. You get something different?

Line 7, Column 38: Bad value for attribute action on element form: Must be non-empty.
<form method='post' action=''>
Syntax of URL: Any URL. For example: /hello, #canvas, or http://example.org/. Characters should be represented in NFC and spaces should be escaped as %20.

<!DOCTYPE html>
<html>
<head>
<title>xxx</title>
</head>
<body>
<form method='post' action=''>
<input type='submit' value='Save'>
</form>
</body>
</html>
-
I've heard multiple recommendations when a form needs to post to itself. Some say use PHP_SELF, others say leave it blank (even though it doesn't validate), etc. Please provide the best practice, and the reasons why. Thank you

echo("<form method='post' action='{$_SERVER['PHP_SELF']}'>");
echo("<form method='post' action=''>");
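The argument against the first variant is security, not validation: $_SERVER['PHP_SELF'] includes whatever extra path the client appends to the script URL (PATH_INFO), so a request for /form.php/'><script>... puts attacker-controlled text straight into the form tag, a classic reflected XSS. An empty action='' is what the validator output earlier in this thread rejects, while a form with no action attribute at all is valid HTML5 and submits to the current URL. The following is an added example, not code from the original thread: the raw interpolation beside three safe renderings, evaluated against a constructed request path; the script name and payload are made up for the demonstration.

```php
<?php
// Added example, not code from the original thread. The request below is constructed:
// the client asked for /form.php/'><script>alert(1)</script> . With PATH_INFO enabled,
// PHP puts the decoded extra path into PHP_SELF, while SCRIPT_NAME stays /form.php.
$server = array(
    'PHP_SELF'    => "/form.php/'><script>alert(1)</script>",  // attacker controlled
    'SCRIPT_NAME' => '/form.php',
);

// The first variant from the question: PHP_SELF dropped raw into a quoted attribute.
// The client's ' closes the attribute and the rest becomes live markup.
function form_php_self_raw(array $server)
{
    return "<form method='post' action='{$server['PHP_SELF']}'>";
}

// Hardened: if the path really must be echoed, escape for the attribute context.
// ENT_QUOTES is required because the attribute here is single-quoted.
function form_php_self_escaped(array $server)
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return "<form method='post' action='$action'>";
}

// Also hardened: SCRIPT_NAME does not carry PATH_INFO, so nothing the client appended
// reaches the markup. Still escaped, as a habit for every value placed in an attribute.
function form_script_name(array $server)
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return "<form method='post' action='$action'>";
}

// Simplest: no action attribute. Valid HTML5, and the form posts to the current URL,
// which is what both variants in the question were trying to achieve.
function form_no_action()
{
    return "<form method='post'>";
}

foreach (array('form_php_self_raw', 'form_php_self_escaped', 'form_script_name') as $fn) {
    echo $fn, ': ', $fn($server), "\n";
}
echo 'form_no_action: ', form_no_action(), "\n";
```

Omitting the attribute also keeps the query string of the current request, which PHP_SELF and SCRIPT_NAME both drop; if the page depends on its GET parameters surviving the round trip, that is a second reason to prefer it over either echo in the question.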