Posts posted by MmmVomit
-
-
I'm putting together a simple HTML form with a PHP back end. The user submitted data will be compiled and sent as an email to a hard coded email address. One mantra I've learned for programming secure applications is "filter input, escape output". In this case, my output is an email message. Is there any type of escaping I need to worry about when compiling the email? Are there other security concerns I need to be aware of when sending an email using PHP?
I'll be using the mail function.
-
All the right files seem to be in the right place, so I'm just as confused as you are.
I didn't do the initial setup on the server. One of our IT guys did. Pretty much all of his experience is using Windows, so he went with what he knew. I could uninstall IIS and install Apache instead, but then I would be the only person who knew how the hell it worked. Since I'm not part of IT, that probably wouldn't be the best thing.
-
Okay, I tried that, rebooted the server, and no change.
I gave the IUSR_machinename account read and execute privileges on C:\PHP and its subdirectories.
-
I rebooted the machine after trying everything suggested in this thread. The last time I rebooted it was about 15 minutes ago.
This is @#$%ing frustrating.
-
Make sure the php_mysql.dll that came with PHP is of the same build (version) as php.exe.
If they are the same build, then I think you may have an older libmysql.dll (or php_mysql.dll maybe) lying about somewhere on your hard drive which is maybe stopping the mysql extension from loading. Go to Start > Search and search for a file called libmysql.dll; let it scan the whole of your computer.
Windows should only return two results, which are:
- libmysql.dll in the root of your PHP folder
- libmySQL.dll located in your MySQL bin folder.
If Windows finds any others, either delete them or rename them. Repeat the process for php_mysql.dll too; only one result should be returned.
PHP, MySql and IIS were all installed for the first time on this server last week. There are no other copies of libmysql.dll or php_mysql.dll lying around anywhere on the hard drive, and the only version I have is the one that came with the newly installed version of PHP.
-
What errors or other symptoms are you getting that makes you think it is not working? Posting your actual errors might give someone a clue as to what might be wrong.
Have you checked your web server log for errors (in IIS I believe it is the Windows system event log)?
This is just a page I have to test whether the MySql extension is working.
Source code:
    <html>
    <head>
    <title> </title>
    </head>
    <body>
    <pre>
    Grrr. Work!
    <?php
    echo "test\n";
    echo "moo\n";
    echo $a; // reference an undefined variable to make sure display_errors is on
    print_r($_GET);
    $connection = mysql_connect('localhost', 'root', '***'); // password obfuscated
    $db = mysql_select_db('test', $connection);
    $sql = "SELECT * FROM waste;";
    $result = mysql_query($sql);
    while($row = mysql_fetch_assoc($result))
    {
        print_r($row);
    }
    ?>
    </pre>
    </body>
    </html>
Output:
Grrr. Work!
test
moo
Notice: Undefined variable: a in C:\Inetpub\wwwroot\sqltest.php on line 20
Array
(
[foo] => bar
)
Fatal error: Call to undefined function mysql_connect() in C:\Inetpub\wwwroot\sqltest.php on line 24
-
Okay. I wasn't sure about that in PHP. The manual did make mention of it, but it looked like that may have been only in earlier versions.
-
You're missing the HTML tags that define table rows.
Change this:
echo "<td>".$a['Num']."</td> <td>".$a['Amount']."</td>";
To this:
echo "<tr><td>".$a['Num']."</td> <td>".$a['Amount']."</td></tr>";
Also:
    for ($x=0; $x < mysql_num_rows($query); $x++)
    {
        $a = mysql_fetch_array($query);
        $a['Num']; // this line of code does nothing
        $a['Amount']; // this line of code does nothing
        $b = mysql_fetch_array($query2);
        $b['Amount']; // this line of code does nothing
        $c = mysql_fetch_array($query3);
        $c['Amount']; // this line of code does nothing
        echo "<td>".$a['Num']."</td> <td>".$a['Amount']."</td>";
    }
-
You might try changing the order of the functions in the code. This might make a difference.
You essentially have:
    function disp_query_results_HTML($data)
    {
        //...
        disp_fld_names_HTML($fld_names);
        //...
    }
    function disp_fld_names_HTML($header_list, $bgcolor = "#ffffdd")
    {
        //...
    }
You should try this instead:
    function disp_fld_names_HTML($header_list, $bgcolor = "#ffffdd")
    {
        //...
    }
    function disp_query_results_HTML($data)
    {
        //...
        disp_fld_names_HTML($fld_names);
        //...
    }
-
I'm trying to get the MySql extension working on a Windows machine using IIS.
I've looked at numerous tutorials, including several threads on these forums already, and can't get the $%#!@ing thing to work.
Here's what I've done so far.
1. In php.ini, I've set the extension_dir variable to "C:\php\ext"
2. I've added extension = "php_mysql.dll" to php.ini
3. I've added "C:\php" to the PATH environment variable so that the computer should be able to find libmysql.dll
3a. I also tried copying libmysql.dll to "C:\WINDOW\System32", but that didn't work either
4. Restarted both IIS and the server numerous times.
I know that I'm editing the right php.ini file, because other changes I've made have been working just fine. For example, turning on display_errors (this is a test server).
It's still not working, and I don't know what the deal is. Have I missed anything blazingly obvious?
-
In the SESSION array.
-
Some other problems with your script.
What is this line supposed to do?
$_POST["repsName"] . $_POST["clientsName"]. $_POST["clientsPhone"]. $_POST["clientsUrl"]. $_POST["shortDescroption"]. $_POST["longDescription"];
Here you potentially give access to any file on your server. Pretend I enter a clientsName of "../../etc".
$folder = "./files/".$_POST["clientsName"]."/";
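An added example, not part of the original post or script: one way to harden the `$folder` line quoted above. The `client_folder()` helper and the sample names are hypothetical, and it assumes client names only need letters, digits, spaces, dashes and underscores.

```php
<?php
// Added example: hardening the "./files/<clientsName>/" path from the post above.
// client_folder() and the sample names are hypothetical, not from the original script.

function client_folder(string $baseDir, string $clientsName): string
{
    // 1. Allow-list: letters, digits, space, dash, underscore; 1-64 chars.
    //    This rejects "/", "\", "." and NUL, so "../../etc" never reaches the filesystem.
    if (!preg_match('/\A[A-Za-z0-9 _-]{1,64}\z/', $clientsName)) {
        throw new InvalidArgumentException('invalid client name');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }

    $folder = $base . DIRECTORY_SEPARATOR . $clientsName;
    if (!is_dir($folder) && !mkdir($folder, 0755)) {
        throw new RuntimeException('could not create client folder');
    }

    // 2. Defence in depth: resolve symlinks and confirm the result is still under $base.
    $resolved = realpath($folder);
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('resolved path escapes base directory');
    }
    return $resolved . DIRECTORY_SEPARATOR;
}

// Constructed inputs: one ordinary name and the traversal value from the post.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'files_demo';
if (!is_dir($base)) {
    mkdir($base, 0755);
}
foreach (['Acme Widgets', '../../etc'] as $name) {
    try {
        echo "accepted: ", client_folder($base, $name), "\n";
    } catch (Exception $e) {
        echo "rejected ", var_export($name, true), ": ", $e->getMessage(), "\n";
    }
}
```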
-
First, code tags are your friend. Please use them.
Here's a quick and dirty solution.
    <?php
    ///my flash variables
    $_POST["repsName"] . $_POST["clientsName"]. $_POST["clientsPhone"]. $_POST["clientsUrl"]. $_POST["shortDescroption"]. $_POST["longDescription"];
    $folder = "./files/".$_POST["clientsName"]."/";
    if(!is_dir($folder))
        mkdir($folder, 0755);
    $mode = file_exists($folder.'user_input.txt')?'a':'w'; // append if file exists otherwise create it
    $fp = fopen($folder.'user_input.txt',$mode); // open file
    foreach($_POST as $K=>$V)
    {
        if($K != '_searchKey')
        {
            fwrite($fp, "$K = $V\r\n"); // dump the contents of the $_POST array to the file
        }
    }
    fclose($fp);
    ?>
-
Actually, this should do it
    <?php
    if ($town == 1)
    {
        if (($co_ord_y != 14 || $co_ord_x != 20) && ($co_ord_y != 19 || $co_ord_x != 15))
        {
            echo "You are no longer near a river.";
            DIE();
        }
    }
    ?>
-
I'm assuming you have a user table that looks something like this.
User
-------------
ID
Username
etc.
You want to add a table that looks like this
Friends
----------------
ID
UserID => User.ID
FriendID => User.ID
-
Try this.
    <?php
    if ($town == 1)
    {
        if (($co_ord_y != 14 && $co_ord_x != 20) || ($co_ord_y != 19 && $co_ord_x != 15))
        {
            echo "You are no longer near a river.";
            DIE();
        }
    }
    ?>
-
Is there a specific field in the table that is supposed to be unique?
-
-
Here's something interesting. Try it and see if it works.
-
From the manual.
Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.
A comment from the online manual at php.net
James at thetallfamily dot com, 21-Jun-2007 12:36
MSSQL doesn't have a real_escape_string function like MYSQL does, which can lead to error when inserting or updating data that contains a ' (single quote).
To prevent this, replace all ' (single quotes) by TWO ' (single quotes) '' which SQL server will interpret as an escaped '.
Also you may want to remove any \' \" escape sequences that are translated from any FORM output into the PHP $_POST variables.
Hope this helps someone.
James
-
Get rid of Username2 from the userdata table. Add a second table called Buddies. It should have the following columns.
ID Autonumber
UserID Integer
BuddyID Integer
-
Try this instead.
    include("include.php");
    $GetLetters = mysql_query("SELECT * FROM messages WHERE reciever='$_SESSION[Current_User]'");
    $row = mysql_fetch_assoc($GetLetters) or die(mysql_error());
    include("energybarinclude.php");
    $Subject = $row['Subject'];
    $From = $row['Sender'];
    $SentOn = $row['Senttime'];
    $MessageOne = $row['MessageText'];
    $FindUser1 = mysql_query("SELECT * FROM userregistration WHERE UserID='$From'");
    //Fetch the row from the database
    $rowuser = mysql_fetch_assoc($FindUser1);
    $UserName1 = $rowuser['UserName'];
-
This error message tells you that } is not a problem
Parse error: syntax error, unexpected '{' in C:\Program Files\Apache Group\Apache2\htdocs\hypotenuse.php on line 470
You should be aware of those error messages LOL
That's because the parser quit and never even got to the extra closing curly brace. Once the missing parenthesis was fixed, that would have probably been the error the next time through.
-
You could also use a GROUP BY clause and a MAX function on the date field.
[SOLVED] PHP, email and security
in PHP Coding Help
Posted
Perfect. Thank you.
I've got the PHP security book by Chris Shiflett. He doesn't mention email anywhere in the book, which made me think it wouldn't be a big concern.