Psycho
Everything posted by Psycho

  1. Maybe you were writing your post before I added my last comment. Look at the two characters I highlighted in red. They are being used to encapsulate a variable that the PHP code should evaluate in the string, but the first character is a paren and the second is a curly brace. They BOTH need to be curly braces.

         () - parens
         {} - curly braces
  2. Here's your problem:

         echo "<a href='www.aa.co.uk/Newdirectory/video.php?category={$videos['category']}'>($videos['category']}</a>";

     The first red character should be a left curly brace - not a paren.
  3. It looks to me like the Last ID is defined in the first block of code when looping through the object $list. Here is one method I can think of to get the last three values. Set the value for last id and the other two IDs on each iteration of the loop. I'll give an example in PHP, but you will have to modify it for your specific framework.

         $lastID = false;
         $secondLastID = false;
         $thirdLastID = false;
         foreach($list as $item)
         {
             // Shift the previous values down before storing the newest id
             $thirdLastID = $secondLastID;
             $secondLastID = $lastID;
             $lastID = $item->id;
         }
  4. I see the problem. Within the small block that closes a row (i.e. </TR>) the code is changing the value of $current_col to 1, but then it is immediately increased by 1 after that block (2). Change this

         //Close row if last column
         if($current_col==$max_col)
         {
             echo "<tr>\n";
             $current_col = 1;
         }
         $current_col++;

     To this:

         //Close row if last column
         if($current_col==$max_col)
         {
             echo "<tr>\n";
             $current_col = 0; //<---Changed
         }
         $current_col++;

     The value will be set to 0, but then immediately increased to 1 (which is correct since the next item will be the first column).
  5. Use this code and run a test. Then post the text displayed.

         <?php
         include("config.php");

         // connect to the mysql server
         $link = mysql_connect($server, $db_user, $db_pass)
             or die ("Could not connect to mysql because ".mysql_error());

         // select the database
         mysql_select_db($database)
             or die ("Could not select database because ".mysql_error());

         include ("function.php");

         //$match = "select id from $table where username = '".$_POST['username']."'
         //and password = '".hashPW($_POST['password'],$_POST['username'])."';";

         //Test Query
         $match = "select password from $table where username = '".$_POST['username']."'";

         $qry = mysql_query($match)
             or die ("Could not match data because ".mysql_error());

         //----BEGIN TEST CODE
         // Prints the query, the posted values and the stored value, then stops
         $result = mysql_fetch_assoc($qry);
         echo "QUERY: {$match}<br />
         POSTED VALUES:<br />
          - Username: {$_POST['username']}<br />
          - Password: {$_POST['password']}<br />
          - Hashed Password: " . hashPW($_POST['password'], $_POST['username']) . "<br />";
         echo "Database Password: {$result['password']}";
         exit();
         //-----END TEST CODE

         $num_rows = mysql_num_rows($qry);
         if ($num_rows <= 0)
         {
             echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
             echo "<a href=user_login.php>Try again</a>";
             exit;
         }
         else
         {
             setcookie("loggedin", "TRUE", time()+(3600 * 24));
             setcookie("mysite_username", "{$_POST['username']}");
             header('Location:http://mythscape.freezoka.com/');
             die();
         }
         ?>
  6. I'm not suggesting you define the POST values, that was only a test. And, post values do not come from the database, they come from a form post. Are you even sure of what your code does? No. You pass the values to the function and they are defined within the function. Echo the value of $match to the page to see if the query is being generated as you expect.
  7. You need to be more specific. What is the EXACT error message and what line is it giving the error on? In the first block of code above, why are you defining $password & $username? I did a test and it outputs exactly what I would expect.

         $_POST['username'] = 'mjdamato';
         $_POST['password'] = 'notmyrealpassword';
         $table = 'tableName';

         function hashPW($password, $username)
         {
             return sha1($password.$username);
         }

         $match = "select id
                   from $table
                   where username = '".$_POST['username']."'
                     and password = '".hashPW($_POST['password'],$_POST['username'])."';";

         echo $match;

         // Output:
         // select id
         // from tableName
         // where username = 'mjdamato'
         //   and password = '032aefab39a2f2ee2b90891d62fd19edcd220802';
  8. doing that will mean that it shows 1 database record per line. i want it to show 4.

     seany123, Did you even "read" the code provided above? As SaurabhAgarwal suggested it is the process that is important here. If you don't understand what the code is doing you shouldn't be using it. We tried to show a single query is more efficient for this purpose. I don't know anything about the database class you are using in order to properly implement that, but I have to believe it can work with a simple JOIN. But, you will have to figure that out yourself since you decided to use that class. I could have simply rewritten your "looping queries" code above, but that would only reinforce bad programming habits. Heck, if you were to try and understand the code provided you should be able to do that yourself. I did try and help you in my last post by asking you to check some things to see if we could narrow down the problem, but you failed to respond to any of those questions. I am more than happy to help, but for this problem to be solved will take participation on your part.
  9. Cetanu, I am more than happy to help provide guidance. But, I am not going to test your code for you. YOU need to test the code against your database to ensure it is working correctly. And, no one can categorically state that your code will work with any certainty. I already stated that I didn't see a problem with what you had. Just follow the steps I posted above. But, as I stated you will want to back up your database first before running the process to update current passwords. Then I would test logging in using an existing account to ensure that update process worked. Then lastly test the process of creating a new account and logging in.
  10. You mean except for the fact that your editor deletes code for no reason whatsoever? If Word just randomly dropped content whenever you created a document would that be acceptable? I'm not going to say use another editor, but let's be honest. You are using FrontPage as a crutch. Although changing an editor is not a seamless experience, if you understand the code you are creating it is not that difficult. You are relying upon FrontPage so you don't have to really understand/pay attention to the code. This is readily apparent by the fact that you did not state any tests you did to isolate the problem.

      Anyway, I have never used FrontPage as it generates seriously bloated code. So, I can only offer some "shots in the dark" type suggestions based upon what I see. First - as a test - try replacing the PHP code in that block with some dummy values to check and see if it is the PHP code that is causing the problem. If not, then it is something to do with the HTML. If that is the case I would guess there is something about the table structure that is a problem. If it is the PHP code, then I would try two things.

      1) Reformat the PHP code. Although it should run fine, I would use lowercase 'php' for the opening tag and put a semi-colon at the end of the code.
      2) Create a PHP variable for the second value instead of doing the calculation for the index within the index identifier.

      Again, making an assumption that the PHP code is to blame, this is what I would try:

          <?php
          // Compute the index first, then look up the value
          $index = $i*5;
          $village = $villages_array[$index];
          ?>
          <TD align="center">
            <input type="button" onclick="show_confirm('<?php echo $message; ?>', 'village_remove', '<?php echo $village; ?>')" Value="Remove Village">
          </TD>

      Also, you should use another editor (ok, I lied before when I stated I wouldn't say that).
  11. You could only do this (with PHP) if the server can access the user's machine (i.e. the user's machine IS the web server or the web server is on the same network as the user). PHP/JavaScript cannot access local resources on a remote user's PC. This is by design. It would be a very bad thing if a web site could run executables on a user's machine. If this is needed for external users then you could probably do it by creating a custom Java client (NOT JavaScript). Not sure what the purpose of your app is, but many people are not willing to install these types of "plug-ins" as they can be very harmful.
  12. Of course you can! You can write anything that would be a complete page to be received by the browser: HTML, CSS, JavaScript, etc. Have you checked the rendered HTML code to see if the JavaScript is generated as expected? There might be a quote mark out of place. The manner in which you are echoing the code makes it difficult to follow. I do notice that you have a parameter in the onkeypress() trigger - event. Has that variable been declared? Also, are you getting JavaScript errors? Here is a rewrite of your code that's a little easier to follow for me:

          echo "<table class=\"currencyTransferTable\" cellspacing=\"10\" cellpadding=\"10\">\n";
          echo " <tr>\n";
          echo " <td><label for=\"amount\" class=\"label\">Amount: </label></td>\n";
          echo " <td>\n";
          echo " <input id=\"amount\" name=\"amount\" value=\"$amount\" class=\"input\" type=\"text\" />\n";
          echo " <img src=\"images/asterisk.gif\" height=\"7\" class=\"img\" alt=\"required\" onkeypress=\"javascript:return numbersonly(event)\" /><br>\n";
          echo " </td>\n";
          echo " </tr>\n";
          global $error;
  13. I don't see where you have included the hashing function on the login or registration scripts. That is why I created a function - it will ensure you are salting/hashing the values exactly the same every time. You should put it in an external file and include() it on those pages - never copy and paste a function into multiple pages. You will eventually update one and not the other some day.
  14. Simply change this

          $match = "select id from $table where username = '".$_POST['username']."'
          and password = '".$_POST['password']."';";

      To this

          $match = "select id from $table where username = '".$_POST['username']."'
          and password = '".hashPW($_POST['password'],$_POST['username'])."';";

      Again, you REALLY need to be using mysql_real_escape_string() on user submitted values used within a query. I cannot stress this enough. All it would take is one "problem" input, intentional or accidental, to destroy your database.
  15. OK, let's break down what you need into actionable steps. As premiso stated I would suggest using a salted hash so if someone was able to get your hashed values they can't use a lookup table to determine the passwords. A salt is just some manner of modifying the value in a consistent manner before hashing. By creating a value that is not 'common' it makes it significantly less likely that someone would have the value in a lookup table. You can salt a value by appending a value (such as the username), reversing the string, or anything that you can consistently replicate.

      So, here are the steps I would take:

      1) Create a function to generate a salted hashed password.
      2) Create a simple PHP page to run that function on all the current passwords (see caution below)
      3) Modify the user creation script to hash the password (using the above function) before doing the SQL Insert
      4) Modify the login script to hash the provided password (using the above function) before comparing it against the value in the database.

      Example hashing function: appends the username to the password before hashing to prevent the use of lookup tables if someone got a hold of the value. You could also do something such as reverse the characters of the string or anything that you can consistently reproduce but will result in a value that would not be 'common'.

          function hashPW($password, $username)
          {
              return sha1($password.$username);
          }

      Sample function to update current records (note this may take a while if you have a LOT of records)

          //Be sure to include the hash function!
          $query = "SELECT id, username, password FROM users";
          $result = mysql_query($query);
          $values = array();
          while ($record = mysql_fetch_assoc($result))
          {
              // Replace each stored password with its salted hash
              $query = "UPDATE users
                        SET password ='" . hashPW($record['password'], $record['username']) . "'
                        WHERE id = {$record['id']}";
              mysql_query($query);
          }

      You should test this to ensure it works before running. Plus, you might want to back up your database first. It would be bad news if the script fails and you could not return the values to their original values. You could also insert the hashed value into a temporary column.

      Update the login script to hash entered password before comparing against the db value.
      --No code provided

      Update the Registration script to hash the password
      -Change this

          // insert the data
          $insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."')")
              or die("Could not insert data because ".mysql_error());

      -To this

          $password = hashPW($_POST['password'], $_POST['username']);
          // insert the data
          $insert = mysql_query("insert into $table values ('NULL', '{$_POST['username']}', '{$password}', '{$_POST['email']}')")
              or die("Could not insert data because ".mysql_error());

      Lastly, you do not need to worry about protecting the password against sql injection since you are hashing the value - but you definitely want to use mysql_real_escape_string() for the username and email.
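
Added example (not part of the original post, and not the poster's code): the registration and login steps from post 15, written with PDO prepared statements in place of mysql_real_escape_string() and with password_hash()/password_verify() in place of sha1($password.$username). Rows already stored with the post's hashPW() scheme are checked once and re-hashed at login. The users table layout, the in-memory SQLite database and the sample accounts are assumptions constructed for the example.

```php
<?php
// Added example, not the poster's code. Table layout and accounts are constructed.
// Uses an in-memory SQLite database (pdo_sqlite) so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                               password TEXT, email TEXT)');

// The post's scheme, kept only so existing rows can still be checked.
function legacyHashPW($password, $username)
{
    return sha1($password . $username);
}

function registerUser(PDO $db, $username, $password, $email)
{
    // Bound parameters: user input never becomes part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email]);
}

function loginUser(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown user
    }
    $stored = $row['password'];
    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        // 40 hex characters: a row written by the sha1-based hashPW().
        $ok = hash_equals($stored, legacyHashPW($password, $username));
        $upgrade = $ok;                     // replace it after one good login
    } else {
        $ok = password_verify($password, $stored);
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    }
    if ($upgrade) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return $ok;
}

// Constructed sample accounts: one new-style, one stored with the legacy hash.
registerUser($db, 'alice', 'correct horse', 'alice@example.com');
$db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)')
   ->execute(['bob', legacyHashPW('hunter2', 'bob'), 'bob@example.com']);

var_dump(loginUser($db, 'alice', 'correct horse'));  // valid password
var_dump(loginUser($db, 'alice', 'wrong'));          // wrong password
var_dump(loginUser($db, 'bob', 'hunter2'));          // legacy row, upgraded on success
var_dump(loginUser($db, "o'brien", 'anything'));     // quote in username is just data
$bob = $db->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
var_dump(password_verify('hunter2', $bob));          // row now holds a password_hash() value
```
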
  16. I give no guarantee that my code will work, especially since I am trying to write it against your database. I merely have provided the framework for a solution. I leave it to you to properly implement. Did you do ANY debugging AT ALL? (Plus I did state that I had to make some assumptions because of the class you are using). The first step would be to check the HTML created. If there is simply an opening and closing table tag, that would imply the query is not generating any results. If that's the case, then you should echo the query to the page to see that it is being created correctly and then to test it in the back end.
  17. Well, you are doing something wrong. I installed the symfony framework and modified the example project to add the test above and it works perfectly. Might I suggest NOT using a framework until you have mastered PHP.
  18. I agree with DanielO, why not rawurlencode()? That's what it is there for. But assuming you have a good reason (which I can't think of one) a solution would be to replace plus signs with an alternative character (that isn't used in emails) before passing on the query string. Then replace it back to plus signs on the receiving page before using. But, again, there's no logical reason not to use rawurlencode().
  19. I see several issues: 1. The variable $url_path is not defined. Although it may be defined in the include file at the top - why are you using that to access the file? You used $uploadfile to copy the file to a new location/name, why not use that variable to access it? Assuming $url_path is a url it makes no sense to try and access the file via the web when you already have it in your accessible directory structure. Plus, unless you have a bullet proof method of ensuring the user cannot upload any type of malicious content you are asking for bad things to happen by uploading user files to a web accessible directory. I would change your approach, but for now, try using $uploadfile on the line in error.
  20. If you go with flyhoney's code, there is an error that needs to be fixed. This

          $percentage = ($width > $height) ? ($max_width / $width) : ($max_height / $height);

      Should be this

          $percentage = ( ($width/$height) > ($max_width/$max_height) ) ? ($max_width / $width) : ($max_height / $height);

      Determining which direction to scale on needs to be on the relative difference between the image ratio and the maximum size ratio.
  21. Here's the rest of the comments for the function

          //=====================================================
          // Function: is_email ( string $email )
          //
          // Description: Finds whether the given string variable
          //              is a properly formatted email.
          //
          // Parameters: $email the string being evaluated
          //
          // Return Values: Returns TRUE if $email is valid email
          //                format, FALSE otherwise.
          //=====================================================

      The function DOES return a true or false. Why would you want to use an if/else when it is not needed?
  22. Here's the email format validation I use:

          function is_email($email)
          {
              $formatTest = '/^[-\w+]+(\.[-\w+]+)*@[-a-z\d]{2,}(\.[-a-z\d]{2,})*\.[a-z]{2,6}$/i';
              $lengthTest = '/^(.{1,64})@(.{4,255})$/';
              return (preg_match($formatTest, $email) && preg_match($lengthTest, $email));
          }

          // NOTES:
          //
          // Format test
          // - Username accepts: 'a-z', 'A-Z', '0-9', '_' (underscore), '-' (dash), '+' (plus), & '.' (period)
          //   Note: cannot start or end with a period (and cannot be in succession)
          // - Domain accepts: 'a-z', 'A-Z', '0-9', '-' (dash), & '.' (period)
          //   Note: cannot start or end with a period (and cannot be in succession)
          // - TLD accepts: 'a-z', 'A-Z', & '0-9'
          //
          // Length test
          // - Username: 1 to 64 characters
          // - Domain: 4 to 255 characters

      Also, I notice your function starts out with the assumption the $isValid value is true. When doing validations I think it is better practice to assume it is not valid until proven otherwise.
  23. If you want the image to "fill" a specific boundary such that it will crop the side that is relatively too big for the boundary, I wrote a function just a couple days ago for someone on this forum: http://www.phpfreaks.com/forums/index.php/topic,258146.msg1214847.html#msg1214847 Or if you want the image to be scaled down such that it completely "fits" into the designated boundary such that the longest relative size fits (and the short side is smaller than the boundary) then you can retrofit that accordingly.
  24. Then there is your answer. The value of 'e' being returned from the database is 2 so the correct result of the condition if($rows['e'] >= $do) is being run. To get the other result you will need to change the value of $username to that of a record where the value of 'e' is 1 or change the value of an existing record to 1.
  25. Hmm... The way you explain it, I am not sure what you are checking. When you state "If they have more than one in the 'e' column" do you mean if the VALUE for the record is greater than the number 1 or do you mean if there are more than one record for that user with different values in that column? I will assume the former. In that case I don't see why the condition is not working. Have you tested to see what the values are by using some simple debugging? Add this before the IF statement and see what is returned:

          echo "do = {$do}; e = {$rows['e']}";

      However, your function doSmiley will not work. You are passing it a value into the variable $msg, but then you attempt to modify the variable $word. Corrected:

          <?php
          require '/home/username/public_html/folder/config.php';

          $username = mysql_real_escape_string($_SESSION['username']);
          $sql="SELECT * FROM users WHERE username='$username'";
          $result=mysql_query($sql) or die(mysql_error());
          $rows=mysql_fetch_array($result);
          $do = 1;

          echo "do = {$do}; e = {$rows['e']}<br />\n";

          function doSmily($msg) //Fix eMail
          {
              $search = array('@', '.');
              $replace = array(' [AT] ', ' [DOT] ');
              return str_ireplace($search, $replace, $msg);
          }

          if($rows['e'] >= $do)
          {
              // Check if user has 2
              echo doSmily($rows['email']);
          }
          else
          {
              echo "This user chose not to show their eMail.";
          }
          ?>