teynon
Members
Posts: 898
Days Won: 1
teynon last won the day on March 3 2013
teynon had the most liked content!
Contact Methods: Website URL http://www.thomaseynon.com; Yahoo teynon1
Profile Information: Gender Male
teynon's Achievements: Member (2/5)
Reputation: 12
It appears you have switched to Laravel. That framework should take care of a lot of security vulnerabilities automatically for you as long as you don't circumvent their procedures. You can of course make your own security vulnerabilities with code, so you should still be mindful of that. I would argue that #5 and #6 of Master Coder's points are arguably not necessary to change. CDNs are pretty widely used and you are using some reasonably trustworthy sites. The one I might move into your domain specifically is bootstrap.min.js, although it's not a big deal either way. The point of #6 is to prevent other users from logging into their account while using that user's computer. While this may be a security vulnerability, it is also a choice by the user. You should not be overriding the user's preferences unless you have a very good reason to do so. If you were protecting sensitive information such as credit cards, bank account information, SSNs, etc., then maybe consider preventing that, but even in that case, this is a user preference and you are counteracting features built into a browser. That's just my 2 cents there. This link (http://stackoverflow.com/questions/2530/how-do-you-disable-browser-autocomplete-on-web-form-field-input-tag) has some useful information on stopping autocomplete. Although you'll notice that Firefox partially ignores the rules of the autocomplete="off" tag and asks the user if they want to autofill. With that, I will say you should make your own custom 500 page and put your Laravel installation into production mode / prevent error messages outputting to the user. Your 404 page could use some navigation back to the homepage as well.
-
You should consider using prepared statements. It's easy to tell your database is vulnerable to SQL injection by trying to sign in with a username or password of something like test' OR 1 = 1;
-
I would mess with some of the string encodings. I've done this in C#, but not in PHP. Perhaps http://php.net/manual/en/function.utf8-encode.php.
-
Destramic, to further discuss this topic, as requinix has stated, the reason you want to use prepared statements is that you prevent SQL injection because the values being entered are not parsed. That is to say that if you had an SQL query like this:

INSERT INTO myTable ({$myValue1}, 'monkeys')

you have to worry about the quotes. You have to apply those functions because if you don't, it's pretty easy for a user to attack your database. Now it's been about a year since I've done any PHP, but if I remember correctly, a user can send a certain character code that will turn into a quote and get around the stripslashes, etc. (I may be wrong or it may have been patched, I'm not sure.) Regardless, if you were to use a prepared statement, you don't have to worry about quotes at all. So for example:

INSERT INTO myTable (?, 'monkeys')

You can then call the query by passing the value. This sends the initial query to the database and then, in a separate request, sends the parameters. So instead of parsing the values, it can simply insert them directly.
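The two posts above (the sign-in probe and the placeholder-versus-quotes explanation) side by side in runnable form. This is an added example, not code from the thread or from any of its posters: it uses an in-memory SQLite database via PDO so it runs offline, the users table and its rows are constructed for the demonstration, and the probe value is a variant of the thread's test' OR 1 = 1 adjusted so the interpolated SQL stays syntactically valid.

```php
<?php
// Added example, not code from the thread. In-memory SQLite so it runs offline;
// the users table and its rows are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)");

// Insert with a placeholder for the user-supplied value and a literal for the
// fixed one, as in the thread's "INSERT INTO myTable (?, 'monkeys')" sketch.
// The quote in O'Brien needs no escaping: it travels as data, not as SQL text.
$insert = $pdo->prepare("INSERT INTO users (username, password) VALUES (?, 'monkeys')");
$insert->execute(["O'Brien"]);

// Vulnerable form: the values are pasted into the SQL text, so a quote in the
// input ends the literal and the rest of the input is parsed as SQL.
function buildInterpolatedSql(string $user, string $pass): string
{
    return "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
}

function loginInterpolated(PDO $pdo, string $user, string $pass): int
{
    return (int) $pdo->query(buildInterpolatedSql($user, $pass))->fetchColumn();
}

// Prepared form: the statement with ? placeholders is compiled first and the
// values are bound afterwards, so the database never parses them as SQL.
// (On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the binding is
// done by the server rather than by client-side escaping.)
function loginPrepared(PDO $pdo, string $user, string $pass): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

// Probe adapted from the thread's test' OR 1 = 1: the leading quote closes the
// password literal and the original closing quote is reused by '1' = '1, so
// the interpolated text ends in  password = 'x' OR '1' = '1'  and, because AND
// binds tighter than OR, the WHERE clause is true for every row.
$user = "nobody";
$pass = "x' OR '1' = '1";

echo buildInterpolatedSql($user, $pass), "\n";
printf("interpolated: %d row(s) matched (login bypassed)\n", loginInterpolated($pdo, $user, $pass));
printf("prepared:     %d row(s) matched (probe rejected)\n", loginPrepared($pdo, $user, $pass));

// A legitimate login still succeeds through the prepared statement.
printf("prepared, real credentials: %d row(s) matched\n", loginPrepared($pdo, "O'Brien", "monkeys"));
```

Run it with the php CLI (pdo_sqlite is bundled with most builds). The point of echoing the interpolated statement is to make the failure visible: the quote that the post warns about is the only thing separating data from SQL in that form, while in the prepared form the same bytes are bound to the placeholder and never reach the parser.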
-
I've been maintaining my old site http://www.tomsfreelance.com even though it's kind of just a business card at this point. So I decided to implement some JavaScript stuff I had been working on for other reasons. So far it seems I have some work to do in Firefox, but I think it's working pretty well otherwise. This is a bit of an oddball of a site and just about 99% JavaScript. Feedback is much appreciated!
-
Absolutely losing my mind over simple $_GET statement
teynon replied to Molson31's topic in PHP Coding Help
You need to post all the code. You also need to ensure that error reporting is on and you need to do some debugging. One typical thing I do for debugging is to put a little echo $myvar; die(); at a point. Then run the script and see what the variable is at that point (or see if it's getting into that block of code). I do this throughout various parts of the application and it saves me a lot of time. Without any other code or debugging, your post above will have moved you no closer to an answer.
Phpexcel - Reading one excel sheet to write to another
teynon replied to Nell's topic in PHP Coding Help
You should autoload the main PHPExcel class as well. PHPExcel will set up an autoloader for the rest of the files.

require_once 'PHPExcel/PHPExcel.php';
Phpexcel - Reading one excel sheet to write to another
teynon replied to Nell's topic in PHP Coding Help
Have you looked at the examples included with the library? You need to output that writer.

$objWriter->save("phpCOLONSLASHSLASHoutput");

Found a bug with this post too... The code "phpCOLONSLASHSLASHoutput" causes the line to be erased. (Guessing you did put it there and it got wiped as well...) I would suggest commenting out the header to see what the output is rather than exiting before the header. PHPExcel's writers are where most of the Excel conversion / actions take place.
Look at doing a preg_match_all (http://php.net/manual/en/function.preg-match-all.php) with pattern

(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)

preg_match_all("/(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)\s(\w+)/", $text_to_scan, $results);
echo "<pre>" . print_r($results, true) . "</pre>";
-
http://www.w3schools.com/jquery/ajax_get.asp
-
On a browser, at least last time I checked, you don't get to choose "FTP" as an upload option. There are some Java Applet FTP upload options. However, I will not post links, because once I do, this thread will continue with questions on how to implement that. As for file uploads in PHP, I'll keep posting this library: http://blueimp.github.io/jQuery-File-Upload/
-
Now that there are some code tags... You have multiple issues in your code that need to be corrected, many of which could contribute to your boxes not showing.

1) Surround attributes of HTML tags in quotes.

<input type=checkbox id=cbox name=cbox value=unselected onclick=show_hide(this.checked);>

This code should look like this:

<input type="checkbox" id="cbox" name="cbox" value="unselected" onclick="show_hide(this.checked);">

You can add backslashes if you are outputting in a string (i.e. type=\"checkbox\").

2) You need to post the output of the HTML so we can see that your select boxes are named properly.

3) This select is not hidden from the beginning. I would imagine it would not "show up" after you click on it, since it's already visible.

<select name="<?php echo "secondDD" .$c ?>" onchange="fillSelect(this,categories[this.value],'<?php echo "secondDD" .$counter1++ ?>')"><?php echo "<option selected>Please Choose</option>"; echo "<option value='DeviceID2'>DeviceID</option>"; echo "<option value='Product2'>Product</option>"; ?></select>

4) jQuery helps simplify this stuff a lot.
-
@Strider64: if ($errMsg) the way you are using it is identical to if (!empty($errMsg)) except that yours will throw an error if it isn't set and yours is less descriptive about what is happening. We want code to represent what is happening logically, if at all possible, and if (!empty($errMsg)) presents the most descriptive here. Additionally, I don't know why you would initialize an array with NULL. You should initialize arrays the correct way:

$errMsg = array();

@Joseph_R You need to look into some PHP tutorials, as you clearly haven't tried to learn / figure out how to do this on your own. But, as you are clearly looking for a quick fix, change

echo "<div id='succsess_page'>";
echo "<em>Email Sent Successfully.</em>";
echo "<p>Thank you <strong>$name</strong>, your message has been submitted to us.</p>";
echo "</div>";

to

$error .= "<div id='succsess_page'>";
$error .= "<em>Email Sent Successfully.</em>";
$error .= "<p>Thank you <strong>$name</strong>, your message has been submitted to us.</p>";
$error .= "</div>";
-
More context is probably necessary to fix all the follow-up problems here, but the code posted shows what ginerjm was saying. You must surround the array indexes with quotes:

($_POST['Name']', '$_POST['Phone No.']', '$_POST['Email Address']', '$_POST['Subject']', '$_POST['Message']')";

Once you do that, you will most likely get an error because you are using arrays in a string. To fix that, you can surround the variables with {}:

('{$_POST['Name']}', '{$_POST['Phone No.']}', '{$_POST['Email Address']}', '{$_POST['Subject']}', '{$_POST['Message']}')";

Also note that you are missing the first quote on the $_POST['Name']. Additionally, since this is probably a MySQL query string, you should look into sanitizing your input data or using PDO or MySQLi prepared statements. Once you read this, you'll probably say to yourself the same thing that 99% of new people here say, which is "that's too complicated, I'm just going to use it like this for now." But, if you want to do yourself a favor, learn PDO or MySQLi now. mysql_blah is deprecated and you'll have to learn the new stuff eventually anyway, if you ever want to upgrade when the new stuff comes out.
-
As kicken said, you can, and in my opinion should, change the button to something other than image. Input type = image with an array name freaks out IE as well. (Posts the Y value instead of the actual value.) http://stackoverflow.com/questions/2357184/input-type-image-name-and-value-not-being-sent-by-ie-and-opera#comment23771450_2357184
9 replies. Tagged with: form, age verification (and 2 more)