Jump to content

Jessica

Staff Alumni
  • Posts

    8,968
  • Joined

  • Last visited

  • Days Won

    41

Everything posted by Jessica

  1. Look at the first example on mysql_query $result = mysql_query('SELECT * WHERE 1=1'); if (!$result) { die('Invalid query: ' . mysql_error()); } Add this, do you get an error?
  2. That just sounds like a design flaw. When you reset your password you should have to enter the email on the account you have forgotten the password to. If the email doesn't exist, it should tell you as such. Usually password resets are based off of account names, not email accounts. I've seen both. The email account can be frustrating to users who know they have an account but not what email they used to register with. So now if we don't let them know the username they tried doesn't exist, and make them supply what email they used, you can run into the same problem I described but with email accounts. I actually have an account on a website I lost access to because they want me to tell them what email I used to register, and I have no clue because it was about 12 years ago. I know my password, and if they would just send it to the email on file it would likely get forwarded through to my new email address. Again, there's a risk of shutting out your users too much - and stuff like this leads to people writing down usernames and passwords or storing that info plaintext IN their email account.
  3. It's also a matter of how much security does the feature provide? On a site like this forum, none. You can find any number of valid usernames just by looking at the site. On every project I have worked on, you can find valid usernames without trying to login as a user. The only site that would have security through this feature would not ever display any usernames anywhere outside of being logged in. Look at sites like facebook, twitter, etc. Any site which has any public data submitted by users displays usernames. Many wordpress themes display author username, etc. Obviously there are lots of types that don't, IE a banking website. For sites like those, you could also add security back into it by limiting the number of login attempts before a lock out. That's really much more secure IMO than not allowing people to find out if their username is correct. Once you have a valid username, you still have to do a lot to get in with it if you don't know the password. I can't imagine the amount of security added by not telling a user their name is incorrect is that much. YMMV.
  4. I forgot it was closing. I wonder if the new service on Google won't be available until the day it closes? I always loved Picnik, I hope the google version is as good. You could also use a free download program like gimp but IMO that's much harder to use than a web based one :/ The upside is a program on his computer won't have file limits whereas the google version of picnik may ALSO limit file upload sizes.
  5. Seems I misread your post and overlooked the part where you mentioned getting the difference between a mismatched password and a user not existing. For that you're right, it would require 2 statements. However that said, doing that is a security risk. It allows users to find out valid usernames. You shouldn't ever do that. Of course you should! Sometimes you have to choose between security and usability. Most users will use the same username on multiple websites, and sometimes have to choose a different one. For example, I use this username on almost everything. On a few websites I choose a different one for whatever reason. If I go to login as jesirose on those sites, and I get told I have the wrong password, then I have to spend time doing a reset password dance with a nonexistent account, and since you're not letting me know that my account doesn't exist, I'll end up checking multiple email accounts for a password reset link, which never arrives, and I have no idea why. eventually I'll either get frustrated and give up, or somehow remember this site uses a different password (yes, I should be using a password safe like keepass but in this example I'm the average user, not a SMART user). If the site instead tells me that my username doesn't exist, it's a much faster process for me to determine what my correct username is. Don't piss off your users over something so small.
  6. Can you show me an example of how you can do this? Where you can tell the difference between a mismatched password and a user not existing, and only do one query?
  7. Why would you need to SQL selects? You simply encrypt the password before running any query and then compare that with the one in the database. There's no need for any second SQL select. I used the wrong word then, Query not select. You're still hitting the DB.
  8. I'm just curious what problem you think there would be with loading an encyrpted password (I'm talking a one way hash). There's many ways you can do a login, but if you're not pulling out the password you have to do at minimum 2 SQL selects (unless of course you don't want to differentiate between user not found, and user/password mismatch, which you might but users would hate). If you pull it you can limit it to one. Obviously 1 query doesn't make a huge difference but it just seems easier to me then selecting for the username, then selecting for a match on username and password. If it's encyrpted, why does it matter?
  9. If you have your passwords encrypted, sure there is. To compare against the encrypted version of the submitted password. Because we KNOW you're not storing passwords plain text, right?
  10. I also prefer the second way, and I find it easier to match. I think it just depends on what you first saw when learning.
  11. You'll probably want to use a templating system, I like Smarty, and tokens. This is a complex project, but google can help you find many tutorials.
  12. What I would do in your situation is create a step by step tutorial for how he can resize his images using something free like Piknik, and give him that.
  13. The immediate problem is you never run that query, you just assign it to a string value. You will need to add in a lot of error checking and data sanitation as well but that's the first problem, you never run it.
  14. Ever been entering your phone number into 3 text fields, and the focus moves to the next one after 3 digits? I believe to do this you use javascript to set which element has focus. Unless you're talking about the mouse pointer, not the text cursor.
  15. the project I was working on required the user to be logged in, perhaps that was why I had to use cURL. Thanks for the correction.
  16. Ah I may have been incorrect on the first point then. I know cURL is the functionality you SHOULD use for this. Anyway it seems like the problem at this point is your preg_match and I fail at regex. Hope someone else can help, sorry.
  17. file_get_contents does not work that way, it's only for files on your server. try printing $content to the screen to see what you get. What you're trying to do will need a function which my mind has completely blanked on now, but I have used in the past...and it's driving me nuts that I can't recall the term for it. Hopefully someone else knows the functionality I'm thinking off... grrr.
  18. Your example will still print each image twice, as he described in the original problem. OP, can you post your new code to demonstrate the solution?
  19. In the above example, I don't see $row ever defined. It is not going to be easy to do it while you're selecting the data, you want to select the data then loop through it.
  20. For each result, you are outputting that result and the next one. You are also being redundant with the do/while loop, you end up selecting the data multiple times. You will want to get all of the results into an array *(you've already done that) and then loop through it (using for), that way you can increment the iterator manually. You could also use foreach but it might be trickier given what you're trying to do.
  21. Yes. And it needs to be able to connect to MySQL to do so. If that page doesn't know your MySQL username and password, how would MySQL trust it?
  22. *headdesk*. I feel sort of justified in my question now. good luck.
  23. Are you asking me if I saved and uploaded the file? Really? No, you're imagining it. Why do YOU think if you comment out a section of code it would still execute?
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.