wintallo

Everything posted by wintallo

  1. I have almost no experience with PHP cookies. Can I get a nudge in the right direction? Thanks for the reply!
  2. Oh, and I don't have cookies implemented as a remember me function. Should I use cookies?
  3. Hey, Right now, I'm working on a user authentication system. My problem is with an "online status" element. So far, I have that when the user logs in, a field in my members MySQL table, called loggedinstatus is set to 1. This means that that certain user is currently logged in. The problem is, is that the only way that loggedinstatus is set to 0 (the user is not logged in) is when the user clicks the logout link. If the user just goes to another website or closes his or her browser, the loggedinstatus is left at 1. How would I get around this problem?
  4. Good start! I like it a lot! I'm not too sure how it could be used but I'm sure there's an application for it!
  5. After you register, I would suggest not outputting the user's password in plain text. Just as a security issue, and it kinda gives a bad impression of the security of your site (at least in my opinion).
  6. Obsidian: I changed around the code so it doesn't do anything with the password. I added $_SESSION['loggedin'] (it's set to TRUE when the user logs in) so that on protected pages, if it's false, it doesn't redirect. Instead it would display a message telling the user to log in. If the $_SESSION['loggedin'] is set to TRUE it displays the normal contents of the page. Does the $_SESSION['loggedin'] again compromise the security of this script? New code:

     [code]
     if ( isset($_SESSION['username']) ) {
         $username = $_SESSION['username'];
         $query = "SELECT * FROM members WHERE username = '".addslashes($username)."'";
         $result = mysql_query($query);
         $check = mysql_num_rows($result);
         if ( $check == 0 ) {
             $message = "You must be logged in to view the contents of this page. Click <a href=\"login.php\">here</a> to login.";
             $_SESSION['loggedin'] = false;
         }
     } else {
         $message = "You must be logged in to view the contents of this page. Click <a href=\"login.php\">here</a> to login.";
         $_SESSION['loggedin'] = false;
     }
     [/code]

     -Joel http://www.wintallo.com
  7. redarrow: Would I have to use the stripslashes when outputting anything that had mysql_real_escape_string used on it or a different command? -Joel http://www.wintallo.com
  8. I'm writing my own login script and have the following bit of code to check whether or not the users are logged in. The script works, I'm just wondering if there are any security problems with it.

     [code]
     if ( isset($_SESSION['username']) ) {
         $username = $_SESSION['username'];
         $password = $_SESSION['password'];
         $query = "SELECT * FROM members WHERE username = '".addslashes($username)."'";
         $result = mysql_query($query);
         $memberinfo = mysql_fetch_array($result);
         if ( $password != $memberinfo['password'] ) {
             header("Location: login.php");
         }
     } else {
         header("Location: login.php");
     }
     [/code]

     Thanks in advance -Joel http://www.wintallo.com
  9. Hip Hip Hooray! I found the problem. But thanks for all your help. For future notice, this is my code.

     [code]
     <?php
     include 'greatmovies_categorycount.php';
     sort($animations);
     for ( $counter = 0; $counter <= ( ${ $category . '_count' } - 1 ); $counter++ ) {
         $title = ${$category}[$counter];
         $image = ereg_replace(' ', '_', ${$category}[$counter]);
         $image = ereg_replace('\:', '', $image);
         $image = ereg_replace('\.', '', $image);
         $image = ereg_replace('\,', '', $image);
         $image = ereg_replace('\;', '', $image);
         $image = ereg_replace('\?', '', $image);
         $image = ereg_replace('\'', '', $image);
         $image = "images/game-movie_pictures/".strtolower($image)."_pic_small.png";
         $url = ereg_replace(' ', '', ${$category}[$counter]);
         $url = ereg_replace('\:', '', $url);
         $url = ereg_replace('\.', '', $url);
         $url = ereg_replace('\,', '', $url);
         $url = ereg_replace('\;', '', $url);
         $url = ereg_replace('\?', '', $url);
         $url = ereg_replace('\'', '', $url);
         $url = "game-movie_pages/".strtolower($url).".php";
         if ( $new_movie == $title ) {
             ${$category . "_done"}[$counter] = '<img alt="New!" src="images/new_button.png" /><br /><a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
         } else {
             ${$category . "_done"}[$counter] = '<a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
         }
         echo ${$category . "_done"}[$counter];
         echo "<p> </p>";
     }
     echo "if this doesn't display then the codes broken!";
     ?>
     [/code]
  10. Ok, the success message comes up, but I added a bit of code to see if the generated HTML doesn't come up. When I look in the source of the generated page, the only thing that was there was "if this doesn't display then the codes broken!" Not any of the generated code. Here's my code:

      [code]
      <?php
      $category = "animations";
      include 'greatmovies_categorycount.php';
      sort($animations);
      $length = $category.'_count';
      for ( $counter = 0; $counter <= ( $length - 1); $counter++ ) {
          $title = ${$category}[$counter];
          $image = ereg_replace(' ', '_', ${$category}[$counter]);
          $image = ereg_replace('\:', '', $image);
          $image = ereg_replace('\.', '', $image);
          $image = ereg_replace('\,', '', $image);
          $image = ereg_replace('\;', '', $image);
          $image = ereg_replace('\?', '', $image);
          $image = ereg_replace('\'', '', $image);
          $image = "images/game-movie_pictures/".strtolower($image)."_pic_small.png";
          $url = ereg_replace(' ', '', ${$category}[$counter]);
          $url = ereg_replace('\:', '', $url);
          $url = ereg_replace('\.', '', $url);
          $url = ereg_replace('\,', '', $url);
          $url = ereg_replace('\;', '', $url);
          $url = ereg_replace('\?', '', $url);
          $url = ereg_replace('\'', '', $url);
          $url = "game-movie_pages/".strtolower($url).".php";
          if ( $new_movie == $title ) {
              ${$category . "_done"}[$counter] = '<img alt="New!" src="images/new_button.png" /><br /><a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          } else {
              ${$category . "_done"}[$counter] = '<a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          }
          echo ${$category . "_done"}[$counter];
          echo "<p> </p>";
      }
      echo "if this doesn't display then the codes broken!";
      ?>
      [/code]
  11. Yah, I thought of that, but the problem is, is that I need the multiple length variables co-existing. I'll give the code for both greatmovies_categorycount.php and greatmovies_include.php (the code I've been revising).

      greatmovies_categorycount.php

      [code]
      <?php
      $animations = array("Animator vs. Animation","Black Dude Falling","Over the Rainbow","United Airlines: Dragon","Motion");
      $clever = array("Banned Xbox 360 Commercial","Instant Kiwi Exam","What Old People Do For Fun");
      $first_rate_films = array("Big Ad","Christmas Lights Show","Honda Rube Goldberg Commercial","Kiwi","Ryan vs Dorkman","Gnarls Barkley CRAZY");
      $heart_stoppers = array("Ghostly Car","Pumpkin Carve");
      $pure_irony = array("Ameriquest Cat Commerical","Antidote for Workaholics","Car Bait","German Coast Guard","Ice Scraping","Oh, Mama","Wow Satellite Dish","Acupuncture Insurance Commercial","Smoking Kills");
      $parodies = array("Got Milk?","iPod Flea","Numa Numa Man","Small Ad","They're Taking the Hobbits to Isengard","White and Nerdy");
      $short_clips = array("Blonde Antelope","Hamster Wheel Gone Wrong","How to Park a Dirt Bike","Ice Fishing","Pool Jump","Road Rage Granny");
      $self_produced = array("The Random Adventures of Aaron","Three for All, and None for Us");
      $slapstick = array("Cubicle War","Funny Toyota Spot","Horse and Sleigh","Man vs. Bear");
      $super_bowl = array("FedEx: Stick","Sierra Mist","Vault: Scarecrow");
      $weird = array("Nintendo 64 Kid Goes Crazy","Indian Rollerskater");
      $wicked_skills = array("Matrix Ping Pong","Ok Go","Nintendo Accapella","Peugeot Style","Robot Dance","Pepsi Super People");
      $new_movie = "Motion";
      $self_produced_count = count($self_produced);
      $animations_count = count($animations);
      $clever_count = count($clever);
      $first_rate_films_count = count($first_rate_films);
      $heart_stoppers_count = count($heart_stoppers);
      $parodies_count = count($parodies);
      $pure_irony_count = count($pure_irony);
      $short_clips_count = count($short_clips);
      $slapstick_count = count($slapstick);
      $super_bowl_count = count($super_bowl);
      $weird_count = count($weird);
      $wicked_skills_count = count($wicked_skills);
      //$new_category = "self_produced";
      $new_category = "animations";
      //$new_category = "clever";
      //$new_category = "first_rate_films";
      //$new_category = "heart_stoppers";
      //$new_category = "parodies";
      //$new_category = "pure_irony";
      //$new_category = "short_clips";
      //$new_category = "slapstick";
      //$new_category = "super_bowl";
      //$new_category = "weird";
      //$new_category = "wicked_skills";
      ?>
      [/code]

      greatmovies_include.php

      [code]
      <?php
      $category = "animations";
      include 'greatmovies_categorycount.php';
      sort($animations);
      for ( $counter = 0; $counter <= ( $($category)_count - 1); $counter++ ) {
          $title = ${$category}[$counter];
          $image = ereg_replace(' ', '_', ${$category}[$counter]);
          $image = ereg_replace('\:', '', $image);
          $image = ereg_replace('\.', '', $image);
          $image = ereg_replace('\,', '', $image);
          $image = ereg_replace('\;', '', $image);
          $image = ereg_replace('\?', '', $image);
          $image = ereg_replace('\'', '', $image);
          $image = "images/game-movie_pictures/".strtolower($image)."_pic_small.png";
          $url = ereg_replace(' ', '', ${$category}[$counter]);
          $url = ereg_replace('\:', '', $url);
          $url = ereg_replace('\.', '', $url);
          $url = ereg_replace('\,', '', $url);
          $url = ereg_replace('\;', '', $url);
          $url = ereg_replace('\?', '', $url);
          $url = ereg_replace('\'', '', $url);
          $url = "game-movie_pages/".strtolower($url).".php";
          if ( $new_movie == $title ) {
              ${$category . "_done"}[$counter] = '<img alt="New!" src="images/new_button.png" /><br /><a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          } else {
              ${$category . "_done"}[$counter] = '<a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          }
      }
      echo "if this doesn't display then the codes broken!";
      ?>
      [/code]
  12. Currently, this is what my code is:

      [code]
      <?php
      $category = "animations";
      include 'greatmovies_categorycount.php';
      sort($animations);
      $($category)_length = count(($category));
      for ( $counter = 0; $counter <= ( $($category)_length - 1); $counter++ ) {
          $title = ${$category}[$counter];
          $image = ereg_replace(' ', '_', ${$category}[$counter]);
          // stuff
          $image = "images/game-movie_pictures/".strtolower($image)."_pic_small.png";
          $url = ereg_replace(' ', '', ${$category}[$counter]);
          // stuff
          $url = "game-movie_pages/".strtolower($url).".php";
          if ( $new_movie == $title ) {
              ${$category . "_done"}[$counter] = '<img alt="New!" src="images/new_button.png" /><br /><a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          } else {
              ${$category . "_done"}[$counter] = '<a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          }
      }
      echo "if this doesn't display then the codes broken!";
      ?>
      [/code]

      Thanks for all of you guys' help so far!
  13. Crayon Violent: First, yes, include 'greatmovies_categorycount.php'; is where $animations is being set. It's being set to

      [code]
      $animations = array("Animator vs. Animation","Black Dude Falling","Over the Rainbow","United Airlines: Dragon","Motion");
      [/code]

      Second, when I test it out, it spits out a blank page, when it should output "if this doesn't display then the codes broken!" because of the third to last line in my code.

      Corbin: Yes, $category is declared correctly (3rd line of my code).

      [code]
      <?php
      $category = "animations"; // right here
      include 'greatmovies_categorycount.php';
      [/code]

      And what I said to Crayon Violent explains that $animations is set correctly.
  14. Ok, I tried that and it still doesn't work! This is my revised (non-functional) code.

      [code]
      <?php
      $category = "animations";
      include 'greatmovies_categorycount.php';
      sort($animations);
      $($category)_length = count(($category));
      for ( $counter = 0; $counter <= ( $($category)_length - 1); $counter++ ) {
          $title = $$category[$counter];
          $image = ereg_replace(' ', '_', $$category[$counter]);
          ...
          $image = "images/game-movie_pictures/".strtolower($image)."_pic_small.png";
          $url = ereg_replace(' ', '', $$category[$counter]);
          ...
          $url = "game-movie_pages/".strtolower($url).".php";
          if ( $new_movie == $title ) {
              ${$category . "_done"}[$counter] = '<img alt="New!" src="images/new_button.png" /><br /><a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          } else {
              ${$category . "_done"}[$counter] = '<a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          }
      }
      echo "if this doesn't display then the codes broken!";
      ?>
      [/code]
  15. Well, I'm kind of unsure on how to implement that knowledge in my case. This is what I tried, but it doesn't work.

      [code]
      <?php
      $category = "animations";
      include 'greatmovies_categorycount.php';
      sort($animations);
      $($category)_length = count(($category));
      for ( $counter = 0; $counter <= ( $($category)_length - 1); $counter++ ) {
          $title = ${$category}[$counter];
          $image = ereg_replace(' ', '_', ${$category}[$counter]);
          $image = ereg_replace('\:', '', $image);
          $image = ereg_replace('\.', '', $image);
          $image = ereg_replace('\,', '', $image);
          $image = ereg_replace('\;', '', $image);
          $image = ereg_replace('\?', '', $image);
          $image = ereg_replace('\'', '', $image);
          $image = "images/game-movie_pictures/".strtolower($image)."_pic_small.png";
          $url = ereg_replace(' ', '', ${$category}[$counter]);
          $url = ereg_replace('\:', '', $url);
          $url = ereg_replace('\.', '', $url);
          $url = ereg_replace('\,', '', $url);
          $url = ereg_replace('\;', '', $url);
          $url = ereg_replace('\?', '', $url);
          $url = ereg_replace('\'', '', $url);
          $url = "game-movie_pages/".strtolower($url).".php";
          if ( $new_movie == $title ) {
              ${$category . "_done"}[$counter] = '<img alt="New!" src="images/new_button.png" /><br /><a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          } else {
              ${$category . "_done"}[$counter] = '<a href="'.$url.'"><img alt="'.$title.'" src="'.$image.'" /></a> <a href="'.$url.'">'.$title.'</a>';
          }
      }
      echo "if this doesn't display then the codes broken!";
      ?>
      [/code]

      Thanks for the replies too!
  16. Hey, First, thanks for the read. Second, I need help using the contents of a PHP variable (in my case it's called $category) to call another variable. In other words, I want to call a variable called "$(whatever the contents of the $category is)_count". The category variable varies widely in its contents, so I want to do it this way so I don't have to manually type in $whatever_count on every page I use this method. If you don't get what I'm saying, please feel free to ask questions. Again, thanks for the read. -Joel [email protected]
  17. Hey, How can I make it so full HTML code (with quotes and everything) can be stored in a PHP variable? The kind of HTML I will be storing is

      [code]
      <object height="525" width="700"><param name="movie" value="../game-movie/motion.swf" />
      <embed src="../game-movie/motion.swf" height="525" width="700"></object>
      [/code]

      or maybe

      [code]
      <embed style="width: 400px; height: 326px;" id="VideoPlayback" type="application/x-shockwave-flash" src="http://video.google.com/googleplayer.swf?docId=4092819850988013212" quality="best" bgcolor="#ffffff" scale="noScale" salign="TL" flashvars="playerMode=embedded" align="center">
      [/code]

      I tried this

      [code]
      <?php
      $moviehtml = addslashes( "<object height="525" width="700"><param name="movie" value="../game-movie/motion.swf" /> <embed src="../game-movie/motion.swf" height="525" width="700"></object>" );
      echo $moviehtml;
      echo "testing...";
      ?>
      [/code]

      But it doesn't even output the "testing..." Thanks for the read and if you don't get what I'm saying, please reply. -Joel
  18. Thanks for the Reply! I just want the user to be able to send text only. No attachments, no html, no pictures, etc...
  19. I am writing a simple PHP emailer script and I was wondering if there were any security measures I should take to check the user's input for an email [b]message[/b] and [b]subject[/b]. Here's my code.

      [code]
      <?php
      if ( isset($_POST['submit']) ) {
          if( !eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $_POST['sender'])) {
              $message = "The sender email you entered is not valid.";
          } else {
              if( !eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $_POST['recipient'])) {
                  $message = "The recipient email you entered is not valid.";
              } else {
                  // check message $_POST['message'] and subject $_POST['subject'] validity
                  // if okay, then send the email and set variable $end to "Your message has been sent."
              }
          }
      }
      ?>
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
      <title>Simple Emailer - By [..]</title>
      <meta name="keywords" content="encrypt, cipher, hash, input, md5, sha1, php, encrypter, encryptor, encryption" />
      </head>
      <body>
      <p style="font-size: large; font-weight: bold;">Simple Emailer - By [..]</p>
      <p>
        <strong><?php echo $message; ?></strong>
        <br />
      </p>
      <form name="encrypt" method="post" action="">
        <p>
          <label>Sender
          <input type="text" name="sender" />
          </label>
        </p>
        <p>
          <label>Recipient
          <input type="text" name="recipient" />
          </label>
        </p>
        <p>
          <label>Subject
          <input type="text" name="subject" />
          </label>
        </p>
        <p>
          <label>Message
          <textarea name="textarea" cols="30" rows="3"></textarea>
          </label>
        </p>
        <p>
          <input type="submit" name="submit" value="Send" />
        </p>
      </form>
      <br />
      <?php echo $end; ?>
      <p></p>
      Copyright &copy; <?php echo date('Y'); ?> [..]. All Rights Reserved.
      </body>
      </html>
      [/code]

      Also, what is the best way to clear (or make un-meaningful) an email's headers, using PHP? I want to do this so the email sent is relatively anonymous.
  20. Thanks a ton for the help!

      [quote author=mjdamato link=topic=120099.msg492451#msg492451 date=1167286794]
      this also assumes the "login" column is a unique field. Otherwise you should pull the user's record by login and password.
      [/quote]

      Yes, my script that allows the users to register checks if the username is already used. So all usernames are unique. I have one question: Are there any security problems with this script, for example, can a hacker use this form to do any malicious things to my site? I'm asking this because I just finished re-building another one of my sites after a hacking scenario. I just want to be really cautious about my scripts. Thanks! -Joel
  21. Hi, today I wrote a PHP script that would allow the users to change their password. When I tested it out, all that happened was the screen flashed like it was reloading and nothing changed. When I tried to log in using my login script, the old password was still active. Here's the code.

      [code]
      <?php
      if ( isset($_POST['submit']) ) {
          if ( $_POST['oldpassword'] != "" || $_POST['newpassword1'] != "" || $_POST['newpassword2'] != "" ) {
              /////////////////////////////////
              $dbhost = 'localhost';
              $dbuser = '*******';
              $dbpass = '*******';
              $dbname = '*******';
              $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
              mysql_select_db($dbname);
              /////////////////////////////////
              $user = "testuser"; // I'll add a function to this so that $user is equal to the current user.
              $query  = "SELECT password FROM users WHERE login = '$user'";
              $result = mysql_query($query);
              $row = mysql_fetch_array($result);
              $encuserpassword = $row['password'];
              $encuserinput = sha1($_POST['oldpassword']);
              mysql_close($conn);
              if ( $encuserinput == $encuserpassword ) {
                  if ( $_POST['newpassword1'] == $_POST['newpassword2'] ) {
                      /////////////////////////////////
                      $dbhost = 'localhost';
                      $dbuser = '*******';
                      $dbpass = '*******';
                      $dbname = '*******';
                      $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
                      mysql_select_db($dbname);
                      /////////////////////////////////
                      $user = "testuser"; // I'll add a function to this so that $user is equal to the current user.
                      /////////////////////////////////
                      $encnewpassword = sha1($_POST['newpassword1']);
                      $query = "UPDATE users SET password = '$encnewpassword' WHERE login = '$user'";
                      $result = mysql_query($query);
                      echo "Your password has been changed.";
                      mysql_close($conn);
                  } else {
                      $errormessage = "The two new passwords don't match.";
                  }
              } else {
                  $errormessage = "Your old password isn't valid.";
              }
          } else {
              $errormessage = "Please fill in all fields.";
          }
      }
      ?>
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
      <title>Change Password</title>
      </head>
      <body>
      <br />
      <?php echo $errormessage; ?>
      <form name="password_change" method="post" action="">
      <table width="350" border="0">
        <tr>
          <td>Enter Old Password: </td>
          <td><input name="oldpassword" type="password" size="20" maxlength="15" /></td>
        </tr>
        <tr>
          <td width="220">Enter New Password: </td>
          <td width="120"><input name="newpassword1" type="password" size="20" maxlength="15" /></td>
        </tr>
        <tr>
          <td>Re-Enter New Password: </td>
          <td><input name="newpassword2" type="password" size="20" maxlength="15" /></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td><input type="submit" name="Submit" value="Submit" /></td>
        </tr>
      </table>
      </form>
      </body>
      </html>
      [/code]

      Thanks for reading! Hope you guys can help! -Joel
  22. Thanks for the reply, but I need a PHP script to do this. -Joel
  23. Hey, First, thanks for reading! Second, I'm looking for a PHP script that bans IP addresses that [u]don't[/u] have the first octet of 69. For example, the script would block the IP address 23.34.21.255, but it wouldn't block the ip address 69.93.147.82. I already know that to get the user's ip address you use the getenv("REMOTE_ADDR") command. I just don't know how to split the IP address up so the script can just test the first octet. Again, thanks for reading! Joel
  24. Hey, I was wondering if anybody knows of a PHP script that generates numbers that have the same value whether you look at them upside down or right side up. If there's no such thing, I was wondering if someone could help me make one. Thanks for reading. Joel
  25. Hmmm... it looks like it should work, but an error comes up saying

      Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/wintallo/public_html/sandbox/tetris_highscores_score_d.php on line 53

      Just so yah know, line 53 is

      [code]
      $sql1 = mysql_query("INSERT INTO tetris_hs(name,score,date) VALUES ('$row[name]','$row[score]','$row['date']')");
      [/code]

      Thanks for helping though! Joel wintallo.com