tyweed

I closed down those user and pass until i fix these embarrassing flaws. And to think i'm a experienced programmer this is bad bad!

Ok i think have pinned down what it was. I think a sql injection into the table has somehow got in so when the browser prints out table it's letting a javascript redirect happen. I'm trying to get access into mysql now so i can have a look at the tables. as of right now the only way i was editing the table info was through php and this won't work! I guess i should have programmed a bit better!

someone must have done something to the site. It has to do with the javascript redirect i use when you get logged in i think? What is wierd is it goes to main for a second then jumps to that youtube video? Wow I must have a biug whole in my security? var result = oReq.responseText; if(result == "redirect") window.location.href="main.php"; else $("error").innerHTML = result; This is called on successfull login any ideas how someone could have linked the site without changing source in my files? i'm very curious

Thanks, yeah I meant to say that the site is just in development stage. So a lot of it is still broken. I was more curious about what you thought of the idea, and interfaces, and overall look within the site.

it should have unobtrusive javascript. What didnt work?

I have started to develop a betting website/social network site where groups of individuals can keep track of all their bets, talk trash, etc. a lot of the social networking features have not yet been implemented. However, I have all of the betting statistic and table features implemented at this time. I would like to get some opinions on features I should add, the overall layout, and any other opinion you might have from your initial look at the website. I'm open for any ideas and all criticism! I hope to hear from you, http://www.voodoowebman.com/youbetyourass/ajax/Login.php email: test@demo.com pass: demo

I have a goal to be a php developer. I have a cs degree and 0 work experience. Do you think it is worth while to learn the zend framework? I have been playing around with it and it is very frustrating. I just don't want to be pulling my hair out for nothing. Just wanted other php users opinion.

I'm curious and would like a few peoples opinions on a small problem. I have created a friendly betting site. One where a group of individuals can make bets and it stores them into mysql table and helps keep track of the stats. At this point in time it has the user signup,login,bet making,stuff complete. I wanted to add a blog like thing so people could talk trash to eachother, maybe avatars,some other stuff. You think i'd be better trying to integrate my existing stuff into a cms like joomla or drupal. just get seperate blog open soure application. Or write my own. Please all opinions open I eagerly await your advice php freaks!

boy am i stupid thanks!

I'm completely confused as to why this is not working? I have a comma seperated list of variables i check using the in shortcut vs having to list multiple or's. ============== table example query================ id user_id groupname 1 1 test 2 3 test 3 2 test 23 1 thisisnew 22 10 test ============================================= Select user_id from user_id_groupname where groupname in ('test,thisisnew') is returning zero? but Select user_id from user_id_groupname where groupname='test' or groupname='thisisnew' returns: The corret response user_id 1 3 2 1 10 I have no idea what is heppening I though in is just a shorthand for testing multiple or's? whats going on?

I can't seem to figure out to more effectively use ajax so that i do not have to keep repeating code in separate files. So, here is an example of what i'm talking about. Let's say you have a login page written in php. <html> <body> <div id="main"> <img src="logo.gif" alt="You bet your ass logo" width="212" height="120"> <?php include_once("./classes/MysqlManager.php"); include_once("./classes/UserFunctions.php"); if(isset($_POST['submit']) ) { if(get_magic_quotes_gpc()) { $email = trim($_POST['email']); $password = trim($_POST['password']); } else { $email = mysql_real_escape_string(trim($_POST['email'] ) ); $password = mysql_real_escape_string( trim($_POST['password'] )); } $mysqlmanager = new MysqlManager(); $query ="SELECT * FROM users WHERE email = '$email' AND password = '$password'"; if(!$r = $mysqlmanager->executeQuery($query))//bad sql command { $mysqlmanager->printSqlError(); printLogin(); } //check for error input empty password or userID else if( $email == "" || $password == "") { print "<p class='warning'> You forgot to enter in either your email or password.</p>"; printLogin(); } //check for error input incorrect password or userID else if(mysql_num_rows($r) == 1) { $userFunc = new UserFunctions(); $row = mysql_fetch_array($r); $_SESSION['name'] = $row['username']; $_SESSION['email'] = $email; $_SESSION['password'] = $password; $_SESSION['user_id'] = $row['user_id']; // no longer need this thus far $_SESSION['grouplist'] = $userFunc->getGroupList($row['user_id']); if($email == "admin") header("Location:admin.php"); else header("Location:main.php"); } else { print "<p class='warning'> Incorrect Login or Password!</p>"; printLogin(); } } else { printLogin(); } function printLogin() { print <<< HTMLBLOCK <center> <div id="error" > </div> <form method = "post" action="login.php" id="form"> <table> <tr> <td align = left> <fieldset> <legend> Login</legend> <label for="email">Email :</label> <br/> <input type = 'text' name = 'email' class="required" size = '40'/> <br/> <label for="password">Password :</label> <br/> <input type = 'password' name = 'password' class="required" size = '25'/> <br/> <br/> <input type = 'submit' name = 'submit' id='submit' value = 'submit'/> <br/> <br/> <a href='LostPassword.php'> Forgot Password?</a> | <a href="Signup.php"> Add New Group </a> <br/> </fieldset> </td> </tr> </table> <br> <br> HTMLBLOCK; } ?> </div> </body> </html> So this was a fully working php login page now i'd like to use ajax to make it better. The problem is i can't seem to figure out how to call this same page with ajax to use the existing code. Instead i create a new file that copies almost exactly the php chunk of code. Here is the example ajax php file called <?php session_start(); include_once("./classes/MysqlManager.php"); include_once("./classes/UserFunctions.php"); //validate all form fields were filled in header('Content-Type:text\xml'); $mysqlmanager = new MysqlManager(); $email = trim($_POST['email']); $password = trim($_POST['password']); $query ="SELECT * FROM users WHERE email = '$email' AND password = '$password'"; if(!$r = $mysqlmanager->executeQuery($query))//bad sql command { $mysqlmanager->printSqlError(); } else if(mysql_num_rows($r) == 1) { $userFunc = new UserFunctions(); $row = mysql_fetch_array($r); $_SESSION['name'] = $row['username']; $_SESSION['email'] = $email; $_SESSION['password'] = $password; $_SESSION['user_id'] = $row['user_id']; print "redirect"; } else { print "<p class='warning'> Incorrect Login or Password!</p>"; } ?> you see how that test.php class is just a cut n paste of code from the login.php class. It just seems so inefficient to code this way. I'd like to use my existing php code that calls itself in the ajax request. It just does not seem correct.Does my problem make any sense? It seems to be a common dilemma for me?

thats what i'v tried the code above shows i tried var row = result.documentElement.getElementsByTagName("row"); where result is the responseXML. I noticed most load the xml into a method i have not. I just assume that it's already loaded into the responseXML

So I have this xml which was created in php file by concatenating a string to create the xml myself: <table> <row> <nameBet> will Mike puke San Luis Obispo weekend party! Steve (No) Kenny (yes) </nameBet> <betBetween> 2 </betBetween> <amount> 5 </amount> <winner> 1 </winner> <betId> 24 </betId> <betCreator> 1 </betCreator> <dateOfBet> 24-Apr-2008 </dateOfBet> </row> <row> <nameBet> Sharks (Ken) vs Flames (Steve) game 7 </nameBet> <betBetween> 2 </betBetween> <amount> 5 </amount> <winner> 2 </winner> <betId> 23 </betId> <betCreator> 1 </betCreator> <dateOfBet> 23-Apr-2008 </dateOfBet> </row> </table> This is the php that creates the xml echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>"; $this->grid .= "<table>\n"; while($row = mysql_fetch_assoc($r)) { $this->grid .= "<row>\n"; foreach($row as $name => $value) { //print "foreach: " . $name . " " . $value . "</br>"; $this->grid .= "\t<". $name. ">\n". $value . "\t</". $name . ">\n"; if($filter == "myBets") { if( ($name == "betCreator") && ($value == $user_id)) { $this->grid .= "\t<editDelete>\n". //<a href=\'EditBet.php?id=\".$row['betId']."'>Edit Bet</a> // | <a href='DeleteBet.php?id=".$row['betId']."'> Delete Bet</a> . "\t</editDelete>\n"; } } } $this->grid .= "</row>\n"; }//end while $this->grid .= "</table>\n"; return $this->grid; } And finally the javascript i'm having the trouble with function ajaxRequest(url,params) { var aj = new Ajax.Request( url, { method:"post", parameters: params, onComplete: getResponse } ); } /* ajax.Response */ function getResponse(oReq) { //var result = oReq.responseText; var result = oReq.responseXML; var row = result.documentElement.getElementsByTagName("row"); alert(row); <=== undefined So the problem is i'm unable to figure out how to grab the data from this xml. I have tried everything and searched everywhere. If i print result it shows [object xmldocument] . But anything else gives me undefined any ideas why? I tried formating the headers in php that did not seem to help. If i do responseText it prints the xml formated file? If i write my xml to a file and open in ie and mozilla it opens fine like an xml file? Forgot to mention i'm using prototype for ajax call for ease of use. but i don't think its a prototype problem...... I'm so lost and frustrated!

So i'm including a class DBInfo that has a few static variables that i'm using to connect to my database. This include is in the MysqlManager class. Then i'm using the scope resolution operator to access those static variables in DBInfo: <?php include("DBManager.php"); include("DBInfo.php"); <================ included here class MysqlManager extends DBManager { function MysqlManager() { $startTime = $this->getMicroTime(); <============== see below this line my call to those static variables using scope resolution operator if (!$this->connection = @mysql_connect(DBInfo::$host,DBInfo::$user,DBInfo::$pass,true)){ $this->errorCode = mysql_errno(); DBInfo looks like: class DBInfo { static $host = 'localhost'; static $user = 'root'; static $pass = ''; static $db = 'bets'; } So on my local i'm using php5 and i gert no errors. On my host its php4 and i'm gettiong this error and i have no idea why? Parse error: parse error, unexpected ',', expecting '(' in /www/vo/youbetyourass/MysqlManager.php on line 13

Ok I have this query Select Distinct b.*,g.groupname,g.user_id from betstable as b, user_id_groupname as g WHERE betCreator in (1,2,4,6,'Open') AND betBetween in (1,2,4,6,'Open') and it is returning : dateBet nameBet BetBetween|BetCreator Amount Winner Groupname 11-24-2008 test again jon | ken 4 jon test 11-24-2008 test again jon | ken 4 jon test2 11-24-2008 test again jon | ken 4 jon test 11-24-2008 test again jon | ken 4 jon test 11-24-2008 test again jon | ken 4 jon test 02-Apr-2008 test1 tyweed | ken 4 ken test 02-Apr-2008 test1 tyweed | ken 4 ken test2 02-Apr-2008 test1 tyweed | ken 4 ken test 02-Apr-2008 test1 tyweed | ken 4 ken test 02-Apr-2008 test1 tyweed | ken 4 ken test tables look like the following --------------Betstable------------------------------ nameBet betBetween amount winner betId betCreator dateOfBet test Open 5 1 5 24-Apr-2008 test again 2 4 4 6 4 11-24-2008 test1 2 4 2 2 1 02-Apr-2008 test 2 2 4 1 3 1 02-Apr-2008 testy Open 45 4 2 02-Apr-2008 fffffffffffffffffffffffffffffffffff 1 23456 5 2 05-Apr-2008 --------user_id_groupname------------------- id user_id groupname 1 1 test 2 1 test2 3 2 test 10 4 test 18 6 test ------------------------------------------ The query is suppose to return all bets in the betstable where a user_id of betBetween,betCreator are in the same group. essentially only show bets where users are in the same group as the user which in this case was 1,2,4,6, open Open is a bet anyone can view. I kinda understand why it is repeating but i'm unsure how to get these same results but only showing 1 unique row for every bet. It seems to repeat every bet the number of results were found. So if six fit the query logic it repeats every find six times?

jd307 i have a question for you. I would need to do this for winner_id,betcreator_id,and betbetween_id. What if i run through the table once creating a map of the user_id to username. Then i could just check the map to the user_id's returned with php function versus having to convert with sql statements evertime i need the user_id's converted to usernames. array['jon'] =0 array['lisa'] = 1 etc ......... Is this a bad way to go about it?

I have a quick question for you if you don't mind after implementing this new database design i realized every time i print out the betstable it is printing the betBetween_user_id , winner_user_id, betCreator_user_id just as your table shows ---- BETS ------------ --------------------------------------------------------------------- bet_id | description | date | amount | between_user_id | winner_user_id | creator_user_id | -------------------------------------------------------------------------------------------- problem is the user_id's are just numbers so the table ends up looking like nameBet betBetween amount winner betId (pk) betCreator dateOfBet test Open 5 2 1 1 24-Apr-2008 test1 1 4 1 2 1 02-Apr-2008 test 2 14 1 3 2 02-Apr-2008 testy Open 45 1 4 2 02-Apr-2008 instead of nameBet betBetween amount winner betId (pk) betCreator dateOfBet test Open 5 steve 1 ken 24-Apr-2008 test1 ken 4 ken 2 steve 02-Apr-2008 test 2 ken 4 steve 3 steve 02-Apr-2008 testy Open 45 ken 4 steve 02-Apr-2008 so it would require me to re translate everything from user_id to username. Do you think if i put there usernames in the betstable that would be poor design vs the user_id?

Hey thanks for your input I'm not getting very many responses to this question. To answer your questions: 1. I believe it would be best that a user could be assigned to many groupnames. 2. betcreator,betbetween,and winner are representing users. However i'm filling them with the username instead of email. Both will be unique to the tables. So what you think is the revised tables where i seperate betbetween ,winner,and betcreator from betstable necessary? It makes my job a little harder if i remove them each into their own tables. My concern is when they are in the same table you get a table like the following. nameBet betBetween amount winner betId (pk) betCreator dateOfBet test Open 5 steve 1 ken 24-Apr-2008 test1 ken 4 ken 2 steve 02-Apr-2008 test 2 ken 4 steve 3 steve 02-Apr-2008 testy Open 45 ken 4 steve 02-Apr-2008 you see how with winnner , betcreator, and betbetween you get repetitive data. For example winner betbetween could both be Steve in the same row. And in addition steve could be in multiple columns. Is this a problem? This is why i thought of removing from the table and making their own table.

Ok, so I have designed a website so that my buddies and I can keep track of all our friendly bets online. I'm trying to learn relational database structures in the process. So, here was my first design. 2 tables ---- USERS---------------------------------------------- EMAIL(key) | password | username | groupname | notify | ---------------------------------------------------------- groupname is so only users with the same groupname are displayed on the table views notify - value of yes or no whether they want email notifications ----------------betsTable ----------------------------------------------------- bet description | bet between | amount | winner | betId (key)| betCreator | date of bet -------------------------------------------------------------------------------- So, after doing my homework I found issues with users and 2 normal form with groupname and notify having repeated values on different rows so i fixed like so ---- USERS---------------------------------------------- EMAIL(key) | password | username | notify | ---------------------------------------------------------- -----groupnames -------- group_id(key) | groupname ------------------------- -------group_email--------------- <====== this is suppose to tie the two to users groupname | email (key) ----------------------------- So if this is correct the tables for users should now be in 2 normal form. Now the hard one betstable problem is that in 1st normal form betbetween and winner could be the same per row and same goes for betcreator and winner. So, i'm kinda stuck. ----------------betsTable ----------------------------------------------------- bet description | bet between | amount | winner | betId | betCreator | date of bet -------------------------------------------------------------------------------- i'm trying to seperate the winner from table -----------betId_winner---------------- betId | winner -------------------------------------- Am i going about this correctly? This seems like alot of seperating and i'm concerned updating these tables is going to be a pain! Please i'm up for all opinions friendly and mean!

yes you were right it was that magic quotes was on. I have a quick question though on when these strings are escaped and placed into the database. When they are placed into the database they are escaped now anytime you try to access anything in the database i need to add slashes? Seems kinda of a pain. Is there a better way?

So, I have a login page and i'm trying to avoid sql injections. I'm trying to use the mysql_real_escape_string() but for whatever reason when it checks the value in the database with using mysql_real_escape_string it is not finding the password. So i printed what the password looks like to screen and lets assume i entered the password: test's its printed as test\\\'s and when it looks for it in the database it is not finding test's. Should this method just be adding a single escape. I thought it would look like test\'s after using mysql_real_escape_string any ideas whats going on? $email = mysql_real_escape_string($_POST['email'] ); $password = mysql_real_escape_string( $_POST['password'] ); print $email . " : " . $password;