Posts posted by leesiulung

  1. I'm starting a project that I want to be highly thought out and scalable. PHP is not my first choice, but seems to be the one with the most resources available. Unfortunately, PHP is also one of the languages that has the most security vulnerabilities due to bad coding.

     

    As an effort to balance this, I would need a good book on:

     

    - PHP security (I anticipate enough users that I will get attempted hacks from script kiddies & etc.)

    - Enterprise type implementations

    - Good code design (design patterns)

    - Focuses on potential performance issues/bottlenecks

     

    I consider myself a good programmer with enough knowledge of PHP to create smaller web sites (meaning not enterprise or large scale alas facebook or youtube), and have a Computer Science degree.

     

    Anyone can suggest me a book or two?

     

     

  2. To those trying with the same issue with GoDaddy hosting, my solution ended up being to use an ASP page and post the information to this page. On errors, I would send a GET message back to the original PHP script.

     

    As far as I know, PHP at GoDaddy is running on Safe Mode and is not officially supported on Windows platform. It also does not display errors in PHP scripts, even when you try to enable them in code.

  3. The key operation there is #3.  If #3 succeeds, then you've got your new key and no-one else can have it.  So you may be able to get away without transactions.

     

    From what I understand of ODBC (ref: http://msdn2.microsoft.com/en-us/library/aa198023(SQL.80).aspx ), you must switch autocommit off to start a transaction.  Then, when your work is finished, you call the odbc_commit() function.  So.

     

    odbc_autocommit($conn, false);
    # do your stuff
    odbc_commit($conn);

     

    But this is all pure speculation, I am by no means an odbc expert.  Test it first!

     

    This worked. Thanks! For those wondering this was with GoDaddy's Windows Deluxe hosting. I highly recommend AVOIDING GoDaddy if you need PHP on Windows hosting. They do not officially support PHP on Windows.

     

    I would test it with:

     

    odbc_autocommit($conn, false);

    # do an insert

    odbc_rollback($conn);

     

    If the insert is visible, then something is wrong.  Then try the same with odbc_commit().  The insert should be visible, but only after the commit.  You might want to add a sleep(10) before the commit (and check the db in another window), so you can verify that the insert only becomes visible after committed.

     

    While testing the code I found a bug and indeed the transaction was rolled back. Thanks!

  4. How about an xmlhttp request?

     

     

    That would work, but that means the client "can" know what I'm sending in the GET/POST, since the GET/POST data would have to be sent to the client and then from the client back to the server.

     

    I might have to just use a different scripting language... It seems like this is an impossible challenge....

  5. Does fopen work for you?

     

    I do not see fopen in the list of disabled functions. Do you mind posting a little code to save me a few hours of reading the help file and trying it out?

     

    a good free host is igotfree.com if you have a domain

     

    I'm stuck with godaddy. I just did not realize that their Windows hosting was that limited.... Dedicated or even virtual dedicated server would be best.

  6. I'm not sure what socket function you are talking about?

     

    I do not see this socket function as part of the disabled list I provided. I grabbed this list of phpinfo();.

     

    Unfortunately, PHP hosting with Windows at GoDaddy leaves a lot to be desired. PHP on Linux does not support MS Access. MS Access support and PHP was a requirement.... :(

  7. Is there a way to send a GET request via PHP code?

     

    I need to send it to a url as follows:

     

    http://www.mydomain.com/index.asp?email=emailaddress

     

    The following is disabled:

     

    getmyinode, getopt, getrusage, extension_loaded, dl, mysql_pconnect, crack_check, crack_closedict, crack_getlastmessage, crack_opendict, fsockopen, pfsockopen, mysql_list_dbs, mysql_stat, ini_get, ini_get_all, ini_alter, ini_set, get_current_user, get_defined_constants, get_include_path, php_ini_scanned_files, php_uname, phpcredits, restore_include_path, set_include_path, set_time_limit, version_compare, zend_version, getmypid, getmyuid, getmygid, assert_options, assert, fopen, fwrite, fread, file, fpassthru, file, mail, opendir, readdir, closedir

     

    I'm on PHP4 on Windows. I cannot use curl with the following code:

     

    <?php
    $ch = curl_init('http://www.mysite.com/index.php?option=com_content&task=blogcategory&id=24&Itemid=55');
    curl_exec ($ch);
    curl_close ($ch);
    ?>
    

     

    This suggests that I cannot use curl and is a limitation of my hosting company, GoDaddy....

     

    Any programmers want to take me on the challenge and help me out?

  8. Barand,

     

    I'm getting pretty frustrated with PHP. It is the bane of my existence as I cannot stand the language. It is a love hate relationship. I love the fact that there is so much support for it, unfortunately the language in my personal opinion is terrible.

     

    Anyhow, I have been unsuccessful in figuring out how to use stored procedures in MS Access using PHP. Can you or anyone help me out on how to sanitize the input for Access?

     

    It should have been as easy as applying a function to the argument... here I am spending hours digging up information.

     

    I would really appreciate it if anyone could help me. #!@$!@$@#%#@Q%#@TW$%^%&^%*$^#$#@%%@$!@

     

     

  9. So,

    - No email addresses allowed

    - Don't deal with any companies with names like "Marks & Spencer" , "Saachi & Saachi" or "Ford(UK) Ltd"

    - Don't have any Irish contacts with names like O'Brien, O'Reilly etc

    - Don't have any contact with those people like Tim Brooke-Taylor with hyphenated surnames

    - And never any mathematical equations

     

    To be honest, the reason I summarized those was that none of them seemed the correct way to handle it. In practice, one should not rely on a function intended for a different purpose being used for another purpose simply because it has the correct effect.

     

    Thus, I think if I can get stored procedures to work it would  solve all these issues in one go. I believe this is the proper way of handling SQL injections in general.

     

    It is just that PHP is a complete hack as a language and it isn't clear when and where you can use functions because they frequently have caveats. Simply put, even after extensive testing I do not feel confident about my code.

  10. So to summarize:

     

    1. Remove all characters of the type:  * @ ! = & (){};'"`~/-+ or more accurately, only allow certain characters, but make sure those are not in the set of allowable characters

     

    2. use htmlentities() and html_entity_decode()

     

    3. use urlencoding() and urldecoding()

     

    I'm not sure I understand why 2) and 3) above prevent SQL injection attacks?

     

    Why does PHP not have something like mysql_real_escape_string() for Access? Certainly would be easier....

  11. It will work most of the time, but it could potentially mix up people's accounts. Thus, it is a good idea to fix it.

     

    Basically, I need to insert a new account and keep track of the primary key which is numeric.

     

    Since I do not want autoincrement on in Access I do the following:

     

    1. start commit

     

    2. find new unused primary key (userid) by number of records + 1

     

    3. insert new record with userid

     

    4. commit

     

    5. insert additional records into other tables with using primary key as foreign key

     

    Any other suggestions?
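One way to carry out the five steps above with parameterized ODBC statements, which also covers the earlier question about sanitizing input for Access, as an added example that is not code from the original thread. It assumes an existing odbc_connect() handle in $conn and a users table with a numeric userid column and a text email column; the table and column names are assumptions.

```php
<?php
// Added example (not from the original posts): parameterized insert inside an
// explicit ODBC transaction, with a retry if another request claims the same
// userid first. Table/column names (users, userid, email) are assumptions.

function allocate_user($conn, $email, $attempts = 5)
{
    // PHP's odbc_execute() treats a value that both starts and ends with a
    // single quote as the name of a file to read and send, so refuse such
    // untrusted input outright instead of letting it reach the driver.
    if (strlen($email) > 1 && $email[0] === "'" && substr($email, -1) === "'") {
        return false;
    }
    // Step 1: turn autocommit off so nothing is visible until odbc_commit().
    if (!odbc_autocommit($conn, false)) {
        return false;
    }
    for ($i = 0; $i < $attempts; $i++) {
        // Step 2: pick a candidate key. MAX()+1 rather than COUNT()+1, so a
        // deleted row cannot make an id that other tables still reference
        // come back into use.
        $res = odbc_exec($conn, 'SELECT MAX(userid) + 1 AS nextid FROM users');
        $row = $res ? odbc_fetch_array($res) : false;
        $userid = max(1, (int)($row ? $row['nextid'] : 0));

        // Step 3: the insert is the real claim on the key. The ? markers are
        // bound by the driver, so quotes, ampersands or hyphens in $email are
        // plain data, never SQL.
        $stmt = odbc_prepare($conn, 'INSERT INTO users (userid, email) VALUES (?, ?)');
        if ($stmt && @odbc_execute($stmt, array($userid, $email))) {
            // Step 5 (rows in other tables keyed by $userid) can also go here,
            // before the commit, so that a failure undoes the whole account.
            // Step 4: commit makes the row visible to other connections.
            if (odbc_commit($conn)) {
                odbc_autocommit($conn, true);
                return $userid;
            }
        }
        // Duplicate key (another request won the race) or any other error:
        // undo this attempt, record why, and try the next candidate.
        error_log('allocate_user attempt ' . $i . ' failed: ' . odbc_errormsg($conn));
        odbc_rollback($conn);
    }
    odbc_autocommit($conn, true);
    return false;
}
```

The rollback branch is also the visibility check described earlier in the thread: with autocommit off, a row inserted and then rolled back must never appear in another connection.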
