sKunKbad
Everything posted by sKunKbad
-
frost110, Thanks for helping me so far. I need some time to study the code, because I'd like to understand it more before proceeding (and right now I'm at work and probably shouldn't be working on this!). My goal is to display products from Amazon on my website, and have a shopping cart, and a search. There are other scripts out there to do this, but I just want to make my own. I've wanted to become an experienced php programmer for a long time, but it just seems so hard to learn for me. How did you learn php? thanks again, brian
-
This array works, however, one thing I noticed with both the array and non-array, is that if an element is listed more than once, there is an error "XML Error:no element found on line 9" which is the line in the XML where the element is listed the second time.
[code]
<?xml version="1.0" encoding="ISO-8859-1"?>
<note>
<to>Tove</to>
<target>no print</target> // <-- this is the first instance of <target/>, which is removed along with its character data "no print".
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
<to>Tove</to>
<target>no print</target> // <-- this is the second instance of <target/>, on line 9, which would also need to be removed.
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
<whatever>yes</whatever>
</note>
[/code]
-
Actually, thanks! I did some shifting around of code, and this worked:
[code]
while ($data=fread($fp,4096))
{
  list($before, $after) = spliti("<target>", $data);
  list(, $after) = spliti("</target>", $after);
  $data = $before . $after;
  list($before, $after) = spliti("<whatever>", $data);
  list(, $after) = spliti("</whatever>", $after);
  $data = $before . $after;
  xml_parse($parser,$data,feof($fp)) or //feof tests for end-of-file on the file pointer
  die (sprintf("XML Error: %s at line %d",
  xml_error_string(xml_get_error_code($parser)),
  xml_get_current_line_number($parser)));
}
[/code]
It would be great if there was some sort of array that would list the elements I don't want included, but this is a good lesson for me tonight.
-
I can't get it to work...
-
frost110, that doesn't change the output. What I'm trying to achieve is to not have the character data of what is between the <target> element and <whatever> element tags (and possibly more). jitesh, I'm trying to learn php, and my code is already hard enough to understand!!!
-
This script I got from w3schools parses XML, but I don't want it to output the character data from one of the elements. For instance, if element "target" is included in the XML file, the script outputs "no print". Is there a simple change to the code so that I can specify that I don't want the character data of certain elements to be output? I'd like to be able to declare that multiple elements' character data not be output.
The script:
[code]
<?php
//Initialize the XML parser
$parser=xml_parser_create();

//Function to use at the start of an element
function start($parser,$element_name,$element_attrs)
{
  switch($element_name)
  {
    case "NOTE":
      echo "-- Note --<br />";
      break;
    case "TARGET":
      echo "";
      break;
    case "TO":
      echo "To: ";
      break;
    case "FROM":
      echo "From: ";
      break;
    case "HEADING":
      echo "Heading: ";
      break;
    case "BODY":
      echo "Message: ";
  }
}

//Function to use at the end of an element
function stop($parser,$element_name)
{
  echo "<br />";
}

//Function to use when finding character data
function char($parser,$data)
{
  echo $data;
}

//Specify element handler
xml_set_element_handler($parser,"start","stop");

//Specify data handler
xml_set_character_data_handler($parser,"char");

//Open XML file
$fp=fopen("test.xml","r"); //the R means "read only"

//Read data
while ($data=fread($fp,4096))
{
  xml_parse($parser,$data,feof($fp)) or //feof tests for end of file on the file pointer
  die (sprintf("XML Error: %s at line %d",
  xml_error_string(xml_get_error_code($parser)),
  xml_get_current_line_number($parser)));
}

//Free the XML parser
xml_parser_free($parser);
?>
[/code]
The XML:
[code]
<?xml version="1.0" encoding="ISO-8859-1"?>
<note>
<to>Tove</to>
<target>no print</target>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
<whatever>yes</whatever>
</note>
[/code]
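Editor's added example, not part of the original posts: one way to keep a list of elements whose character data is suppressed, done inside the parser handlers so that a repeated element such as a second `<target>` is handled as well. `render_note()` and the `$skip` list are hypothetical names, and the XML is the thread's sample with `<target>` appearing twice.

```php
<?php
// Added example, not code from the original thread.
// render_note() and $skip are hypothetical names.

function render_note(string $xml, array $skip): string
{
    $out = '';
    $muted = 0; // greater than 0 while the parser is inside a skipped element
    $labels = ['NOTE' => '-- Note --<br />', 'TO' => 'To: ', 'FROM' => 'From: ',
               'HEADING' => 'Heading: ', 'BODY' => 'Message: '];

    $parser = xml_parser_create(); // element names arrive upper-cased
    xml_set_element_handler(
        $parser,
        function ($p, $name, $attrs) use (&$out, &$muted, $skip, $labels) {
            if ($muted > 0 || in_array($name, $skip, true)) {
                $muted++; // entering, or nested inside, a skipped element
                return;
            }
            $out .= $labels[$name] ?? '';
        },
        function ($p, $name) use (&$out, &$muted) {
            if ($muted > 0) {
                $muted--; // leaving a skipped element: print nothing
                return;
            }
            $out .= '<br />';
        }
    );
    xml_set_character_data_handler($parser, function ($p, $data) use (&$out, &$muted) {
        if ($muted === 0) {
            $out .= htmlspecialchars($data); // escape text before it reaches the page
        }
    });

    if (!xml_parse($parser, $xml, true)) {
        throw new RuntimeException(sprintf('XML Error: %s at line %d',
            xml_error_string(xml_get_error_code($parser)),
            xml_get_current_line_number($parser)));
    }
    return $out;
}

$xml = <<<XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<note>
<to>Tove</to>
<target>no print</target>
<from>Jani</from>
<body>Don't forget me this weekend!</body>
<to>Tove</to>
<target>no print</target>
<whatever>yes</whatever>
</note>
XML;

echo render_note($xml, ['TARGET', 'WHATEVER']), "\n";
```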
-
Well, I'm obviously no professional when it comes to php, but I put a link in the page to another page that I copy and pasted the same php password protection code as above, and it didn't make me type in the password again when I tested it, so I'm assuming that it's going to work perfectly for what I had in mind. I do a website for free for some dood that smuggles Bibles into China, and he wants a secure area of his website so he can post special pics and message to donors and such. I don't know how 100% secure this is the way I have it, but I'm willing to listen if you have any better suggestions. I guess he might be paranoid about the Chinese govt ya know. Thanks for your time!
-
Thanks btherl, what you suggested worked perfectly. I might need more help on this project. Specifically, I want to link multiple pages together, and have them all secured in this sort of way. Maybe there is a better way? I don't want people to have to log in every page though. Once they pass the login, it would be nice if they stayed logged in until they close their browser.
-
With register globals off, this doesn't work:
[code]
<?
/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
if ((!isset($PHP_AUTH_USER)) || (!isset($PHP_AUTH_PW))) {
  /* No values: send headers causing dialog box to appear */
  header('WWW-Authenticate: Basic realm="My Private Stuff"');
  header('HTTP/1.0 401 Unauthorized');
  echo 'Authorization Required.';
  exit;
} else if ((isset($PHP_AUTH_USER)) && (isset($PHP_AUTH_PW))){
  /* Values contain some values, so check to see if they're correct */
  if (($PHP_AUTH_USER != "revelation") || ($PHP_AUTH_PW != "genesis")) {
    /* If either the username entered is incorrect, or the password entered is incorrect, send the headers causing dialog box to appear */
    header('WWW-Authenticate: Basic realm="The test of security page"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
  } else if (($PHP_AUTH_USER == "revelation") || ($PHP_AUTH_PW == "genesis")) {
    /* if both values are correct, print success message */
    echo "<P>You're authorized!</p>";
  }
}
?>
[/code]
If I turn register globals on, it works fine, but I see that having it on is some kinda security risk or something, so what can I do? Does anyone have a basic way to password protect a file using php that doesn't need register globals on? Thanks for your help.
-
well, as long as the interceptor isn't the government of the country he is smuggling bibles into, I think he is going to be OK. Thanks for your time Daniel0.
-
Without the SSL, is this mostly secure? I just looked in this guy's hosting control panel, and SSL isn't an option. His host really bites if you ask me, but I won't name any names. I don't think he is going to want to pay for SSL. He's a bible smuggling missionary, so kinda on a low budget.
-
hmm... well it's not an encrypted connection. I don't even know how to do that.....
-
I am working on a website for a friend who wants to be able to have a secret message page for contributors. I found this script, which is working great, but I'm wondering if it is truly secure, and if not, how can I make it more solid.
[code]
<?php
if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))
  || ( $PHP_AUTH_USER != 'Us3rn4M367' ) || ( $PHP_AUTH_PW != 'Tx56g$30o0' ) ) {
  header( 'WWW-Authenticate: Basic realm="Private"' );
  header( 'HTTP/1.0 401 Unauthorized' );
  echo 'Authorization Required.';
  exit;
}
?>
<html>
<head>
<title>Special Access Page</title>
</head>
<body>
<h1>User Authenticated!</h1>
<p>This is the message.</p>
<p>Hello agents,<br/>
Please let the monkey feed itself. There are no room for dice in my bag.</p>
</body>
</html>
[/code]
Thanks for your help, sKunKbad
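Editor's added example, not part of the original posts: the same HTTP Basic check as in this post and in the "register globals off" post further up, reading the credentials from `$_SERVER` and verifying the password against a stored hash instead of a literal in the page. `basic_auth_ok()`, `require_basic_auth()`, the user name `donor` and the passphrase are hypothetical, constructed values.

```php
<?php
// Added example (not the thread's code). basic_auth_ok() and
// require_basic_auth() are hypothetical helper names.

// Decide whether a $_SERVER-style array carries the expected credentials.
// Reads only the array it is given, so it does not depend on register_globals.
function basic_auth_ok(array $server, string $user, string $passHash): bool
{
    $givenUser = $server['PHP_AUTH_USER'] ?? '';
    $givenPass = $server['PHP_AUTH_PW'] ?? '';
    if (!is_string($givenUser) || !is_string($givenPass)) {
        return false;
    }
    // Evaluate both checks before combining them, and compare the user name
    // in constant time, so the response does not reveal which half was wrong.
    $userOk = hash_equals($user, $givenUser);
    $passOk = password_verify($givenPass, $passHash);
    return $userOk && $passOk;
}

// Call at the top of every protected page, before any output is sent.
function require_basic_auth(string $user, string $passHash, string $realm = 'Private'): void
{
    if (basic_auth_ok($_SERVER, $user, $passHash)) {
        return;
    }
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo 'Authorization Required.';
    exit;
}

// Command-line self-check with constructed credentials.
if (PHP_SAPI === 'cli') {
    // On a real site the hash is generated once with password_hash() and kept
    // in a file outside the web root; the plaintext password is never stored.
    $hash = password_hash('constructed-passphrase', PASSWORD_DEFAULT);
    $cases = [
        'correct'        => ['PHP_AUTH_USER' => 'donor', 'PHP_AUTH_PW' => 'constructed-passphrase'],
        'wrong password' => ['PHP_AUTH_USER' => 'donor', 'PHP_AUTH_PW' => 'guess'],
        'wrong user'     => ['PHP_AUTH_USER' => 'other', 'PHP_AUTH_PW' => 'constructed-passphrase'],
        'no header sent' => [],
    ];
    foreach ($cases as $label => $server) {
        echo $label, ': ', basic_auth_ok($server, 'donor', $hash) ? 'allow' : 'deny', "\n";
    }
}
```

The browser resends the credentials for the realm with every request, so the same call at the top of each protected page keeps a visitor signed in until the browser is closed. Without TLS those credentials cross the network base64-encoded, not encrypted, on each of those requests.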
-
just create an .htaccess file in your images folder with: Options -Indexes in it, and people will no longer have access to your images folder in list view.
-
how can i block scripts from being downloaded?
sKunKbad replied to eddedwards's topic in PHP Coding Help
[quote name='Steady_Eddie' date='May 5 2006, 07:57 AM' post='371561']
is there some way i can store files somewhere that will stop someone running something to steal my source code of my php files. or a way of having a validation script in each file to find out where it was run from and exit if its not the right place?
[/quote]
You can use CHMOD or .htaccess. You should not name your includes with a .inc file extension unless your server is set to process .inc as .php. Store your db connection include above root, and require it. I used a "deny from all" .htaccess file in my includes folder, but then after I changed the location to above root, I use a CHMOD of 001 on that folder.
-
keeping it simple, for a basic deny from all type permission for an include folder, if the folder is CHMODed to 001, is there any difference between that and inserting a .htaccess file with deny from all into the folder? I've run into a situation where .htaccess files are not allowed in a particular area, but CHMOD changes are.
-
Being new to php, I'm reading about security risks and such. I just want to be safe. I do back-up everything, but I don't want any down time.
-
I have a folder to put my includes in. I have been using CHMOD setting 001 on that folder, and the actual includes are set to 644. I was just playing around with the CHMOD permissions and came up with those numbers for the folder, because it was the minimum required to keep things working right. Do those numbers sound normal? I was protecting via .htaccess, but after moving files above root, I was no longer able to use an .htaccess file. What do you think about CHMOD compared to .htaccess? Am I safe with this 001 folder and 644 include?
-
[quote name='businessman332211' date='Apr 17 2006, 03:49 PM' post='365726']
now the comparison to javascript and css external files really cleared that up, because I always use external css, and have started learning javascript with external files, so that does help a lot, thank you.
[/quote]
A nice reason to use an include file to connect to your database is that you can .htaccess protect the include folder for better security, or even better place the include file above the root.
-
I know in my case it was suggested that I use isset() to make sure that variables weren't being changed in the browser address bar by a malicious user. You should familiarize yourself with SQL injection, and other vulnerabilities.
-
I just wanted to ask if anyone uses PHP Designer 2006, and if so, have you ever tried opening a javascript file in it? When I open up a javascript file in it, it is adding some weird characters before the script: [b][/b] Then in the script it is replacing some characters like a dash (-) with ([b]—[/b]). There are other replacements being done too, but this oughta be enough info for anyone that knows what's up to tell me what's going on. Does anyone know what is going on here?
-
[quote name='khendar' date='Apr 4 2006, 11:28 PM' post='361861']
That's a good start. However it doesn't end here. You will need to make sure that what has been entered is valid, not just not null. For example: If you are accepting variables passed through the url eg www.something.com/index.php?page=2 and page 2 actually exists, then this is fine. However I can go www.something.com/index.php?page=142231455233 and unless you verify that page 142231455233 exists then it may cause an error.
[/quote]
Can you give me a little mini tutorial on that using the code above?
-
[quote name='khendar' date='Apr 4 2006, 10:03 PM' post='361852']
Security is more than just protecting users' data. It's also used for protecting your site. For example if you are using your $_GET variables to get information from a database, malicious users can use SQL Injection attacks to bypass your logon code and do damage to your database, even delete it. Variable checking is a good habit to get into anyway. If the data which is sent via GET is not what your code expected, it's better to handle it properly rather than have it break the page.
[/quote]
Thanks for the info khendar. I immediately made those changes! Is the following safe?
[code]
if (!isset($_GET['page'])){
  $page = 1;
} ELSE {
  $page = $_GET['page'];
}
[/code]
-
Actually, I had many errors that I have worked out on this page in the last couple of hours. I think my problem is that I am staring at code for like 16 hours a day, and sometimes my brain is just fried. That and I am new to php doesn't help. The main issue here was that I was trying to call a field from the database that didn't even exist. *kicks self for you guys* So yeah, I am an idiot. Right now everything is working pretty smoothly, except for a specific search type, specifically searches where the business type not equaling "All businesses" but equaling "All cities". Also, I have a business type called "Sewing, Quilting, & Embroidery", and it isn't working at all. I think it has something to do with the commas and the amp character, but unless somebody has a quick fix for that it's gonna have to wait till tomorrow. Let me show you what I have now:
[code]
<?php
$value1 = isSet ($_GET['subType']) ? $_GET['subType'] : NULL;
$value2 = isSet ($_GET['city']) ? $_GET['city'] : NULL;
echo "<h2>$subType in $city</h2>";
if (!isset($_GET['page'])){
  $page = 1;
} ELSE {
  $page = $_GET['page'];
}
$max_results = 1; //HERE IS WHERE YOU SAY HOW MANY ROWS OF RESULTS PER PAGE YOU WANT
$from = (($page * $max_results) - $max_results);

//BEGIN RESULTS QUERIES
if ($value1 != "All Christian Businesses" && $value2 != "All Cities")
  {$sql = mysql_query("SELECT * FROM localdirectory WHERE subType = '$value1' && city = '$value2' ORDER BY name LIMIT $from, $max_results"); }
if ($value1 == "All Christian Businesses" && $value2 != "All Cities")
  {$sql = mysql_query("SELECT * FROM localdirectory WHERE type = 'business' && city = '$value2' ORDER BY name LIMIT $from, $max_results"); }
if ($value1 != "All Christian Businesses" && $value2 == "All Cities")
  {$sql = mysql_query("SELECT * FROM localdirectory WHERE subType = '$value1' ORDER BY name LIMIT $from, $max_results"); }
if ($value1 == "All Christian Businesses" && $value2 == "All Cities")
  {$sql = mysql_query("SELECT * FROM localdirectory WHERE type = 'business' ORDER BY name LIMIT $from, $max_results");}
if ($value1 == "All Christian Businesses" && $value2 == "Riverside County")
  {$sql = mysql_query("SELECT * FROM localdirectory WHERE type = 'business' ORDER BY name LIMIT $from, $max_results" );}
if ($value1 != "All Christian Businesses" && $value2 == "Riverside County")
  {$sql = mysql_query("SELECT * FROM localdirectory WHERE subtype = '$value1' ORDER BY name LIMIT $from, $max_results");}
//END RESULTS QUERIES

//COUNT RESULTS AND OUTPUT NO MATCH MESSAGE IF NONE FOUND
$num_rows = mysql_num_rows ($sql);
if ($num_rows == 0) {
  echo "<p id=\"warning\">There are currently no matches for your search in the database.<br/>\nPlease try widening your search by choosing \"All Cities\" or \"Riverside County\"<br/>\n<a href=\"http://www.iamsent.com/directory.php\">Go Back</a></p>";
}ELSE{
  while ($row = mysql_fetch_array($sql)) //OUTPUT MATCHES FOR COUNT NOT ZERO
  {
    extract ($row);
    if($type == "business") { //This is where the business listings get called up by the if statement
      echo "<div class=\"sponsor\">";}
    if($sponsorStatus == "yes"){echo "<img src=\"images/sponsor.jpg\" alt=\"this Christian owned business is a site sponsor\"/>";}
    else {echo " ";}
    echo "</div>";
    echo "<div class=\"listing\">";
    echo "<strong>$name</strong>";
    if($address != ""){echo "<br/>\n$address";}
    if($city != ""){echo "<br/>\n$city",", ";}
    if($st != ""){echo "$st"," ";}
    if($zip != ""){echo "$zip";}
    if($teleNumber != ""){echo "<br/>\n$teleNumber";}
    if($webAddress != ""){echo "<br/>\nwebsite: <a href=\"$webAddress\">$webAddress</a>";}
    if($email != ""){echo "<br/>\nemail: <a href=\"mailto:$email\">$email</a>";}
    echo "</div>\n";?><div class="hrule76"> </div><?php echo "\n";
  }
}

//COUNT TOTAL RESULTS FOR PAGINATION
if ($value1 == "All Christian Businesses" && ($value2 == "All Cities" OR $value2 == "Riverside County")) {
  $total_results = mysql_result(mysql_query("SELECT COUNT(*) as Num FROM localdirectory WHERE type = 'business' "),0);
} elseif ($value1 != "All Christian Businesses" && ($value2 != "All Cities" OR $value2 != "Riverside County")) {
  $total_results = mysql_result(mysql_query("SELECT COUNT(*) as Num FROM localdirectory WHERE subType ='$value1' AND city = '$value2' "),0);
} elseif ($value1 != "All Christian Businesses" && ($value2 == "All Cities" OR $value2 == "Riverside County")) {
  $total_results = mysql_result(mysql_query("SELECT COUNT(*) as Num FROM localdirectory WHERE subType = '$value1' "),0);
} elseif ($value1 == "All Christian Businesses" && ($value2 != "All Cities" OR $value2 != "Riverside County")) {
  $total_results = mysql_result(mysql_query("SELECT COUNT(*) as Num FROM localdirectory WHERE type = 'business' AND city ='$value2' "),0);
}

//DIVIDE TOTAL RESULTS BY MAX RESULTS PER PAGE TO DETERMINE ACTUAL NUMBER OF PAGES TO BE MADE
$total_pages = ceil($total_results / $max_results);

//NOW THAT ACTUAL NUMBER OF PAGES IS KNOWN - NEXT, PREVIOUS, AND INDIVIDUAL PAGE LINKS CAN BE MADE
echo "<center><br/><strong>Page<br />";
if($page > 1){
  $prev = ($page - 1);
  echo "<a href=\"".$_SERVER['PHP_SELF']."?page=$prev&subType=$value1&city=$value2\"><<Previous</a> ";
}
for($i = 1; $i <= $total_pages; $i++) {
  if(($page) == $i) {
    echo "$i ";
  }else{
    echo "<a href=\"".$_SERVER['PHP_SELF']."?page=$i&subType=$value1&city=$value2\">$i</a> ";
  }
}
if($page < $total_pages) {
  $next = ($page + 1);
  echo "<a href=\"".$_SERVER['PHP_SELF']."?page=$next&subType=$value1&city=$value2\">Next>></a>";
}
echo "</strong></center>";
echo "<p><a href=\"http://www.iamsent.com/directory.php\">Back To Directory Home</a></p>";
?>
[/code]
PS. I have max results set to 1 for testing purposes. Thanks!!
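Editor's added example, not part of the original posts: the checks the quoted replies above describe, applied to this search page. The page number is validated as an integer and clamped to the real page count, the search values are bound as query parameters, and the link values are URL-encoded. PDO with an in-memory SQLite table and constructed rows stands in for the MySQL table; `clean_page()`, `find_listings()`, `page_link()` and `/results.php` are hypothetical names.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite table with
// constructed rows stands in for the MySQL table `localdirectory`.
// Non-numeric or below 1 falls back to page 1; past the end clamps to the last page.
function clean_page($raw, int $totalPages): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $page === false ? 1 : min($page, max(1, $totalPages));
}

function find_listings(PDO $db, string $subType, string $city, $rawPage, int $perPage = 1): array
{
    // The SQL text is built from fixed fragments only; user input is bound.
    $where = [];
    $args = [];
    if ($subType === 'All Christian Businesses') {
        $where[] = "type = 'business'";
    } else {
        $where[] = 'subType = :subType';
        $args[':subType'] = $subType;
    }
    if ($city !== 'All Cities' && $city !== 'Riverside County') {
        $where[] = 'city = :city';
        $args[':city'] = $city;
    }
    $cond = implode(' AND ', $where);

    $count = $db->prepare("SELECT COUNT(*) FROM localdirectory WHERE $cond");
    $count->execute($args);
    $pages = (int) ceil($count->fetchColumn() / $perPage);
    $page = clean_page($rawPage, $pages);

    $stmt = $db->prepare("SELECT name, city FROM localdirectory WHERE $cond
                          ORDER BY name LIMIT :lim OFFSET :off");
    foreach ($args as $key => $value) {
        $stmt->bindValue($key, $value);
    }
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return ['page' => $page, 'pages' => $pages, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// Encode every value so an "&" inside a business type cannot split the query string.
function page_link(string $self, int $page, string $subType, string $city): string
{
    $query = http_build_query(['page' => $page, 'subType' => $subType, 'city' => $city]);
    return htmlspecialchars($self . '?' . $query, ENT_QUOTES);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE localdirectory (name TEXT, type TEXT, subType TEXT, city TEXT)');
$db->exec("INSERT INTO localdirectory VALUES
    ('Constructed Quilts', 'business', 'Sewing, Quilting, & Embroidery', 'Constructed City'),
    ('Constructed Threads', 'business', 'Sewing, Quilting, & Embroidery', 'Constructed City')");
$type = 'Sewing, Quilting, & Embroidery';
print_r(find_listings($db, $type, 'All Cities', '142231455233'));
echo page_link('/results.php', 2, $type, 'All Cities'), "\n";
```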
-
[quote name='cunoodle2' date='Apr 4 2006, 09:01 PM' post='361832']
For the highest level of security write your get statements like this...
[code]
<?php
$var_1= isSet($_GET['city']) ? $_GET['city'] : NULL;
?>
[/code]
That basically says that if $_GET['city'] is set then assign it to the variable `var_1`.....otherwise assign `NULL` to that variable. Make sense?
[/quote]
I got it working, but I have a question for you cunoodle2. If the data in my database is not sensitive personal info, do I need to worry about this security you speak of?