NotionCommotion
Everything posted by NotionCommotion

  1. Because it might allow you to write, test, and maintain your script in less time.
  2. I didn't think of that. Good point. It wouldn't necessarily log the good guy out since he has a session granting him access, but just prevent him from logging in, right? Seems like a good idea to query the failed-logon table for a given IP and any username to block a script which is using random usernames and passwords. Think it is better to put a time restriction on excessive failed attempts, or just require them to pass a captcha?
  3. I wish to lock out the user for (3) minutes if they get (4) wrong username/password attempts in (5) minutes. Is this typically tied to a single IP using $_SERVER['REMOTE_ADDR']? Is it a good idea to also check for a given username but from any IP? I might be wrong, but I assume the value in $_SERVER['REMOTE_ADDR'] is under the user's control. Obviously, a session wouldn't be ideal as the associated cookie is under the user's control. Do I need to use the database or is there a better way? Any thoughts or advice would be appreciated.
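The rule described in the post above (4 wrong attempts within 5 minutes locks the account for 3 minutes), worked through as an added example; this is not the poster's code nor from the thread, and it is in Python rather than PHP because the counting logic is language-independent. It keys the counters on both the source IP and the username, so a script spraying random usernames from one IP and a script trying one username from many IPs are both caught, and it only gates the login step: an existing session is untouched. The in-memory dict, the lower-casing of usernames and the injectable clock are assumptions; in a PHP deployment the counters would have to live in a shared store (the database the post mentions, or similar) because process memory does not survive between requests, and old keys would need periodic expiry.

```python
"""Sliding-window login lockout (added example, not the poster's code)."""
from collections import deque
from dataclasses import dataclass, field
import time

MAX_FAILURES = 4            # wrong attempts ...
WINDOW_SECONDS = 5 * 60     # ... within this window ...
LOCKOUT_SECONDS = 3 * 60    # ... lock the key for this long


@dataclass
class _Bucket:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the window can be tested without sleeping
        self._buckets = {}       # ("ip", addr) / ("user", name) -> _Bucket (assumed in-memory store)

    def _keys(self, ip, username):
        # Both keys are tracked independently; username is normalised (assumption).
        return (("ip", ip), ("user", username.lower()))

    def _bucket(self, key):
        return self._buckets.setdefault(key, _Bucket())

    @staticmethod
    def _prune(bucket, now):
        # Drop failures that fell out of the 5-minute window.
        while bucket.failures and now - bucket.failures[0] > WINDOW_SECONDS:
            bucket.failures.popleft()

    def is_locked(self, ip, username):
        """True if either the source IP or the username is currently locked out."""
        now = self._clock()
        return any(self._bucket(k).locked_until > now for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        """Count a bad credential against both keys; the 4th in-window failure trips the lockout."""
        now = self._clock()
        for key in self._keys(ip, username):
            b = self._bucket(key)
            self._prune(b, now)
            b.failures.append(now)
            if len(b.failures) >= MAX_FAILURES:
                b.locked_until = now + LOCKOUT_SECONDS
                b.failures.clear()

    def record_success(self, ip, username):
        """A correct login resets the counters (an active lockout still has to run out)."""
        for key in self._keys(ip, username):
            self._bucket(key).failures.clear()

    def attempt(self, ip, username, password_ok):
        """Gate one login request: 'locked', 'ok' or 'failed'.

        The lockout is checked before the password result is consulted, so a
        correct password during a lockout still gets 'locked' and leaks nothing.
        """
        if self.is_locked(ip, username):
            return "locked"
        if password_ok:
            self.record_success(ip, username)
            return "ok"
        self.record_failure(ip, username)
        return "failed"
```

Checking the lockout before looking at the password result matters: otherwise the response during a lockout would still tell the attacker whether a guess was right.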
  4. Yea, you are probably right. I've never used error_log() and have only used syslog(). Do you recommend using error_log()? Below is what I am doing. Any recommendations? Thanks

     <?php
     abstract class base
     {
         public function __construct($domain)
         {
             ini_set('display_errors', 1);
             error_reporting(E_ALL);
             set_error_handler(array($this, "my_error_handler"));
             // Log all to LOG_LOCAL0 which is in turn /var/messages/php.log
             openlog('custom_log', LOG_NDELAY, LOG_LOCAL0);
             //otherStuff
         }

         // $e_vars defaults to null: PHP 8 no longer passes the fifth (errcontext) argument,
         // and a required fifth parameter would make the handler fail to be called.
         public function my_error_handler($e_number, $e_message, $e_file, $e_line, $e_vars = null)
         {
             $message = "An error occurred in script '$e_file' on line $e_line: $e_message (error no: $e_number)";
             // The leading "true ||" forces the verbose branch on every host; drop it in production
             // so details are only echoed on local/private addresses.
             if (true || in_array(substr($_SERVER['HTTP_HOST'], 0, 5), array('local', '127.0', '192.1'))) {
                 echo $message;
             } else {
                 syslog(LOG_INFO, 'my_error_handler: ' . $message);
                 // Or should I be using something like: error_log($message, 1, 'errors@gmail.com');
                 if (($e_number != E_NOTICE) && ($e_number < 2048)) {
                     echo '<div class="error">A system error occurred. We apologize for the inconvenience.</div>';
                 }
             }
         }

         // Called from try/catch
         public function sql_error($e, $sql)
         {
             syslog(LOG_INFO, 'SQL Error ' . $sql . ', ' . $e->getMessage() . ', file:' . $e->getFile() . ' line:' . $e->getLine());
             // deal with displaying as applicable
         }

         // Called when the application gets some unexpected results
         public static function application_error($msg, $file, $line)
         {
             syslog(LOG_INFO, 'Application Error - Application - ' . $msg . ', file:' . $file . ' line:' . $line);
             // deal with displaying as applicable
         }

         public function otherMethods()
         {
             echo('Hello');
         }
     }
     ?>
  5. Display all errors and notices. Do you get any errors? Are $tbl_name and $active defined? Do you really want if($banres)? Escape your user inputs. Use PDO.
  6. Do you have common things you need to do to all products? For instance, computeProduct, orderProduct, buildProduct, etc? By creating a separate class for each product which extends a generic product, your outer application does not need to worry about the specific method names of each product type, and your individual product classes do not need to duplicate the script in the generic product class. Whether you should do so is based on your specific requirements, and there is no absolute answer, however, I expect you should do so. Also, you might want to look into factory method pattern.
  7. I am looking to save the user's access of an application. For instance, when they log in, I create a record in the "track_login" table which includes information such as the requesting IP, the user's ID, the date, (not the user's password), etc. And then for every page they visit, I store a record in the "track_page_viewed" table which includes a FK to the "track_login" table and also includes additional information about their request. Both the track_login and track_page_viewed tables are currently in the same database as used by the primary application. So far, so good.

     Next, I want to start tracking when a user does special tasks such as when they forget their password and request that a new one be emailed to them. Or maybe when they attempt to login with an invalid username and password. Currently, I just included another table called "track_special" which includes the data, the type of special request, etc.

     Now, I am thinking of adding three other things to track:
       • General PHP errors
       • MySQL errors
       • Try/Catch errors which I did not expect to happen

     One option is just to add these to my "track_special" table or maybe make one or three new tables in the same database. But is this a good idea? If I have a SQL error, do I really want to store the error in the same database? Maybe I should use a separate database called "myTrackerDB", and include all the above tables in that database? Or maybe I should just write the data to a flat file, and parse the file on a regular basis, and then store the information in the database? Please provide any recommendations, guidance, suggestions, criticism, etc. Thank you
  8. Thanks ChOcu3r, Much nicer! Wish I didn't waste the time trying to use regex, but then again, I need the experience!
  9. I have possible HTTP_REFERER values such as the following:

     [HTTP_REFERER] => http://www.example.com/lib/index.php?cid=components&controller=data&id=17&roles_id=15
     [HTTP_REFERER] => http://www.example.com/lib/index.php?cid=createhelp

     I am just trying to get the value of "cid". Note that this applies to a TinyMCE plugin, and my $_GET variable does not include "cid". Looking at my $_SERVER array, HTTP_REFERER is the only element that includes "cid". I am also not concerned about spoofing HTTP_REFERER. I am getting the value of "cid" as follows. Is this the right way to do so?

     $RegExp = '/index\.php\?cid=([^&]+)/';
     preg_match($RegExp, $_SERVER['HTTP_REFERER'], $matches);
     exit($matches[1]);
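An added example (not the poster's code, and not the answer ChOcu3r gave in the thread) of the alternative to the regex: parse the Referer as a URL, read the query string with a real query parser, and then accept the cid only if it is one the application actually serves. The Referer header is supplied by the client, so whatever is pulled out of it is user input. Python is used here in place of PHP (parse_url/parse_str would be the PHP equivalents); the set of known cid values is an assumption.

```python
"""Extract ?cid= from a Referer URL safely (added example, not from the thread)."""
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: the controllers this application knows about.
KNOWN_CIDS = {"components", "createhelp"}


def cid_from_referer(referer):
    """Return the cid from the Referer's query string if it is known, else None.

    Returning None rather than the raw value means a crafted Referer can never
    inject an arbitrary string into whatever uses the result.
    """
    if not referer:
        return None
    parts = urlsplit(referer)                     # scheme, netloc, path, query, fragment
    values = parse_qs(parts.query).get("cid", [])
    if len(values) != 1:                          # missing, or repeated (?cid=a&cid=b)
        return None
    cid = values[0]
    return cid if cid in KNOWN_CIDS else None
```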
  10. So, it the best approach to not include the action attribute?
  11. Yes, this is what I get. You get something different?

     Line 7, Column 38: Bad value for attribute action on element form: Must be non-empty.
     <form method='post' action=''>
     Syntax of URL: Any URL. For example: /hello, #canvas, or http://example.org/. Characters should be represented in NFC and spaces should be escaped as %20.

     <!DOCTYPE html>
     <html>
     <head>
     <title>xxx</title>
     </head>
     <body>
     <form method='post' action=''>
     <input type='submit' value='Save'>
     </form>
     </body>
     </html>
  12. I've heard multiple recommendations when a form needs to post to itself. Some say use PHP_SELF, others say leave it blank (even though it doesn't validate), etc. Please provide the best practice, and reasons why. Thank you

     echo("<form method='post' action='{$_SERVER['PHP_SELF']}'>");
     echo("<form method='post' action=''>");
  13. Good news is usually PHP provides more guidance regarding errors. Bad news is when you are just starting off, you will get a bunch of these. At first, try to keep your echo's small and don't mix single and double quotes. I always "just because" put parentheses around the stuff I want to echo. Know that a semicolon is "mostly" end of command, and keep an eye out for them. Use a dot (.) to join stuff.

     <?php
     $myname = 'Noxin';
     echo '<p>This is PHP</p>'
         . "<p>My name is $myname</p>"
         . '<p>My name in another notation is still ' . $myname . '</p>';
     ?>

     PS. See http://php.net/manual/en/language.types.string.php

     Also, I would probably use the following even though the curly brackets are not required:

     echo("<p>This is PHP</p><p>My name is {$myname}</p><p>My name in another notation is still {$myname}</p>");
  14. What might allow this to happen? You mean not to use the user-provided filename to store it on the server, or not to display this name when someone wants to download it? If the former, why pick an extension at all, and just use a random name without an extension (and revert to the applicable filename with extension when downloaded via headers)? If the latter, why? Again, what might make the webserver execute one of these files/scripts? Proper PHP extensions? I don't, but of course use escapeshellarg() and the like. Please explain.
  15. My server is Linux/Apache/PHP. When a file is uploaded, I use PHP's finfo_open to confirm that the file's content matches its file extension, and delete it if it doesn't match. I also restrict which file MIME types and sizes can be uploaded. Things I do with the files include: Upload users' files and store them in some public directory (/var/www/html/users_public_directory/), and allow other users to directly download them. Upload users' files and store them in some private directory (/var/www/users_private_directory/), and allow other users to download them using X-Sendfile. Upload users' ZIP files and convert them to PDF files (unzip the ZIP file, and use Libreoffice and Imagemagick's convert to convert them to PDFs). From the server's perspective, what are the risks of allowing users to upload files? Are there some file types which are more dangerous to the server? Could they be executed on the server, and if so, how could this be prevented?
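The upload checks the two posts above describe (extension allowlist, content must match the extension, random extension-less storage name, original name only ever used in the download headers), worked through as an added example. This is not the poster's code and not a reply from the thread; it is Python standing in for the PHP the poster would write (finfo_open's role is played by a small magic-byte table), and the allowed types, the size limit, the storage directory and the header set are assumptions. Storing under a random name with no extension in a directory the webserver does not treat as document root is what keeps a renamed script from ever sitting on disk as something Apache could be talked into executing.

```python
"""Upload validation and storage (added example, not the poster's code)."""
import os
import re
import secrets

# Assumed allowlist: extension -> (MIME type to serve, byte prefixes the content must start with).
ALLOWED = {
    "png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg",      [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",       [b"GIF87a", b"GIF89a"]),
    "pdf":  ("application/pdf", [b"%PDF-"]),
    "zip":  ("application/zip", [b"PK\x03\x04"]),
}
MAX_BYTES = 10 * 1024 * 1024   # assumed size limit


class UploadRejected(ValueError):
    pass


def _basename(original_name):
    # Strip any directory part the client sent, whether it used / or \.
    return os.path.basename(original_name.replace("\\", "/"))


def validate_upload(original_name, data):
    """Return (extension, mime) if the upload is acceptable, else raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("bad size")
    base = _basename(original_name)
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: %s" % ext)
    mime, magics = ALLOWED[ext]
    # The content must agree with the extension: a PHP file renamed photo.jpg fails here.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match extension")
    return ext, mime


def safe_download_name(original_name, ext):
    """Name to offer at download time: basename only, safe characters, our own extension."""
    base = _basename(original_name).rsplit(".", 1)[0]
    base = re.sub(r"[^A-Za-z0-9._-]+", "_", base).strip("._") or "download"
    return "%s.%s" % (base[:100], ext)


def store_upload(original_name, data, storage_dir):
    """Validate, then write under a random, extension-less name (storage_dir is outside the webroot)."""
    ext, mime = validate_upload(original_name, data)
    token = secrets.token_hex(16)                    # 128-bit random name, nothing guessable in it
    path = os.path.join(storage_dir, token)
    # O_EXCL: never overwrite; 0o600: not executable and not world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return {"token": token, "mime": mime, "download_name": safe_download_name(original_name, ext)}


def download_headers(record):
    """Headers to send with the file (body via X-Sendfile or a plain read of storage_dir/token)."""
    return {
        "Content-Type": record["mime"],
        "Content-Disposition": 'attachment; filename="%s"' % record["download_name"],
        "X-Content-Type-Options": "nosniff",   # stop the browser second-guessing the type
    }
```

The record returned by store_upload is what the application would keep in its database (token, MIME type, display name) so that the only thing ever placed in a header or a path is a value the server generated or sanitised itself.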
  16. Maybe Libreoffice? I currently use it headless to convert word/excel/powerpoint to PDF.
  17. Other than downloading the file, editing it on the local PC, saving it, and uploading it back to the server using some applicable script, any ideas?
  18. Various development and configuration tools. Currently, I have a bunch of scripts such as delete the database and rebuild it from scratch. Once in production, I will obviously not want that one! Other scripts are to modify the database to add a new page to the application. Currently, I have the scripts located in a non-public directory, and have a publicly accessible directory protected with an Apache password which contains PHP files with a single require('/var/www/private/some_file.php'). I want to clean it up and have one location to access all of them. Yes, I could move them out of the web root, but don't want to currently. And I agree it should be robust enough so no one could do anything with it even if they found it, but what if I miss something? Adding a little to hiding it just seemed like an easy way to add some extra insurance.
  19. Definitely quick and easy, however, it doesn't hide the page.
  20. I have a particular PHP file which is publicly located, however, I don't want anyone but me to access. Below are my thoughts how to do so. Please comment. Use an uncommon name, and definitely not index.php. Either include a file called index.html in the same directory, or set up Apache not to show them using Options -Indexes, or maybe both for good measure. Require some variable to be set to a given value in either the GET or POST array, and if not set, throw a 404 header and display the 404 missing file HTML. If user accesses page and is not logged on as determined by a session value, display a log-on page. Prevent indexing by either putting <meta name="robots" content="none" /> in the HTML, and using header("X-Robots-Tag: noindex, nofollow", true); in the PHP, or maybe both for good measure. Seem reasonable? Anything else? Thanks
  21. Set it to what? A serialized GET or something? I am not concerned whether they have ever been there, only that it was the last page.
  22. This seems to work

     if (($_SERVER['REQUEST_METHOD'] === 'POST')
         || !isset($_SERVER['HTTP_CACHE_CONTROL'])
         || $_SERVER['HTTP_CACHE_CONTROL'] !== 'max-age=0') {
         //store
     }
  23. I have a class that uses sessions to remember the browser's immediate previous state. I use it to validate when JS is not available (no, I do not validate using JS, but POST the data using Ajax and if no errors, redirect client side to the next page). Upon a non-ajax post request, I validate data, and if an error, store the error and redirect the page back to the form page. Going to another page will clear the history as desired, but I don't wish to clear it if it is just refreshed with F5 or equal.