Everything posted by webmaster1

  1. My second problem can obviously be solved as follows:

         SELECT recordid, result, MAX( inputdate ) as latestinputdate
         FROM notations
         GROUP BY recordid
         ORDER BY latestinputdate

     I just can't get my head around bringing the whole query together. My mind wants to do an if/else statement.
  2. I have two tables: I have an interface that displays one record from a table at a time. The selection process is automatic and based on the following conditions:

     It must have the soonest record.closedate:

         SELECT * FROM record
         WHERE agent = 'Bob Dole' /*only records assigned to current end-user*/
         AND life = 'active' /*only records that are 'turned-on'*/
         order by closedate asc
         LIMIT 0,1

     If a record has corresponding notations, select the notation with the most recent notations.inputdate (but if it doesn’t satisfy the where conditions, exclude it).

         SELECT * FROM record
         JOIN notations ON record.id = notations.recordid
         WHERE notations.result = 'Non-connect' /*but only those where notations.inputdate > 24hrs from current time*/
         AND (opportunities.stage <> '08' OR opportunities.stage <> '09')
         ORDER BY notations.inputdate desc

     My obvious problem is that I don’t know how to combine or nest the above queries. My second problem is that I don’t know how to limit the first WHERE condition of the second query to records with a notations.inputdate > 24hrs from current time. Any guidance or suggestions would be greatly appreciated.
  3. Does turning off indexing of my site directories make a whole lot of difference in terms of security (aside from not listing the contents)?
  4. For anyone using the tutsplus ACL...

     The pages requiring exit(); for header redirects:

       • /acl/index.php
       • /acl/admin/index.php
       • /acl/admin/perms.php
       • /acl/admin/roles.php
       • /acl/admin/users.php

     The pages requiring the repositioning of the security check:

       • /acl/admin/perms.php
       • /acl/admin/roles.php
       • /acl/admin/users.php
  5. What prevents hackers from directly accessing the source code in my php files? e.g. dbinfo.php If a page does not consist of any code to be parsed as html do I need to apply a session check to it à la ACL?
  6. I came across this on stackoverflow:

         if (!isset($_SESSION['CREATED'])) {
             $_SESSION['CREATED'] = time();
         } else if (time() - $_SESSION['CREATED'] > 1800) {
             // session started more than 30 minutes ago
             session_destroy();
             $_SESSION = array();
         }

     Apparently, session.gc_maxlifetime is not reliable for the following reasons:
  7. Cheers. The explanations are useful. I don't exactly understand the probability calculation but so long as the three lines will destroy the session then I'm good. Will these three lines apply to just the sessions started on the page or all sessions? Does the 30 mins count down from the session start or the last activity for that session?
  8. The second and third lines were just used in an example I found. I won't need them. @Ken: By cancel, I mean destroy the session. It's just a basic security measure to log users out after 30 mins of idle activity.
  9. I want to limit certain sessions to a certain length. I've found the following example:

         ini_set('session.gc_maxlifetime',1800);
         ini_set('session.gc_probability',1);
         ini_set('session.gc_divisor',1);

     Can anyone clear up the following?:

     [1] Do I place this before or after the session start?
     [2] Do I need the second and third lines?
     [3] What happens when the maxlifetime is reached? Could the session be cancelled even if the user is in the middle of something?
  10. If I switch an integer field to UNSIGNED ZEROFILL can it have undesirable effects on my pages that have existing queries based on this field?
  11. @Nightslyr: Thanks for the fantastic ASP 101. It's a lot clearer in my mind now. Is there a way of generating the structural code of a mysql table to quickly create a copy of that table in another database? I.e. I want the code that was used to create any given table.
  12. Seems straightforward enough. As long as the author didn't have a specific reason for the positioning of the security check code it should just be a cut and paste job then. Fortunately, I'm relatively comfortable with these areas. I like the concept of ACL because I can manage my entire site without having to reiterate the same login and security check pages/tables for different sections of the site. I'll definitely look into Zend once I have a little more free time.
  13. Thanks for pointing out a second insecurity. Can this be (easily) remedied or is the tutsplus acl a no-go?
  14. Ooh, yeah! I solved it using the following test:

      page1.php:

          <html>
          <form action="/page2.php" method="post" enctype="multipart/form-data" name="form">
          <ol>
            <li> <input type="text" name="userID" id="userID"> </li>
            <li> <input type="submit" value="SEND userID" name="senduserid"> </li>
          </ol>
          </form>
          </html>

      page2.php:

          <?php
          // Begin session.
          session_start();
          $userID=$_POST['userID'];
          // this sets variables in the session
          $_SESSION['userID']=$userID;
          header("location:/acl");
          ?>

      (I replaced the beginning of the admin index.php with the regular check.)
  15. I'm using the following form to test the security check on the admin index page:

          <form method="post" action="/acl">
          <ol>
            <li> <input type="text" name="userID" id="userID"> </li>
            <li> <input type="submit" value="SEND userID"> </li>
          </ol>
          </form>

      I've posted '1' through the form hoping to trigger the permissions for userID 1 (admin access). Unfortunately, I'm being redirected to the error page. Am I missing a step?
  16. I've gotten the following to work:

          <?php
          include("assets/php/database.php");
          include("assets/php/class.acl.php");
          $userID = $_GET['userID'];
          $_SESSION['userID'] = $userID;
          $myACL = new ACL();
          if ($myACL->hasPermission('access_admin') != true) {
              header("location: insufficientPermission.php");
          }
          ?>

      I swapped out the '1' for the variable and added the condition. It's redirecting to insufficientPermission.php for starters. I just need to test posting an input/session.
  17. Should I simply replace the '1' with the $userID variable (as below)?

          <?php
          include("assets/php/database.php");
          include("assets/php/class.acl.php");
          $userID = $_GET['userID'];
          //$_SESSION['userID'] = 1;
          $_SESSION['userID'] = $userID;
          $myACL = new ACL();
          ?>
  18. Thanks for spotting that. I'll exit(); following my headers.

      @all: I've installed the ACL and now want to implement it. The index of my admin panel starts with:

          <?php
          include("assets/php/database.php");
          include("assets/php/class.acl.php");
          $userID = $_GET['userID'];
          $_SESSION['userID'] = 1;
          $myACL = new ACL();
          ?>

      As it stands, the page is publicly accessible. The tutorial explains that I need to add the following to make it private:

          <?php
          include("assets/php/database.php");
          include("assets/php/class.acl.php");
          $myACL = new ACL();
          if ($myACL->hasPermission('access_admin') != true) {
              header("location: insufficientPermission.php");
          }
          ?>

      How do I combine these two blocks of code to make it work? I've tried adding the condition beneath the included files but the page isn't redirected to the insufficientPermission.php. Also, in terms of implementing this with a log-in form, are the above blocks of code receiving the posts of my log-in form or the posts defined as session variables?
  19. One more question: Let's say two different companies use different sections of the one site. Should I use an ACL per section of the site or should I only ever have the one ACL to manage the entire site? i.e. should the ACL tables have their own database or do I have a set of ACL tables for each database that requires it?
  20. Would you recommend Zend or this ACL on tutsplus?
  21. There's a lot of code involved with some of the acl tutorials/demo I've come across. Can anyone recommend a simple and light ACL tutorial? Note: I'm currently looking into Zend if anyone has any thoughts on their framework. I've also found a straightforward tutorial for anyone starting out with ACL: http://net.tutsplus.com/tutorials/php/a-better-login-system/
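
The admin-page check that posts 4, 6 to 9 and 16 to 18 above work toward, written out as an added example that is not part of the original posts or of the tutsplus tutorial. It takes the user ID only from the server-side session, applies the 30-minute idle limit, and stops the script after the redirect. The function names, the `LAST_ACTIVITY` key, `login.php` and the permission callback (standing in for `$myACL->hasPermission()`) are assumptions.

```php
<?php
// Added example, not the tutorial's code. $hasPermission stands in for
// $myACL->hasPermission(); function names and login.php are hypothetical.
const IDLE_LIMIT = 1800; // 30 minutes, as in the posts

// Decide from server-side session state only, never from $_GET or $_POST.
function gate_decision(array $session, int $now, callable $hasPermission): string
{
    if (!isset($session['userID'])) {
        return 'login';                        // nobody has authenticated
    }
    if ($now - ($session['LAST_ACTIVITY'] ?? 0) > IDLE_LIMIT) {
        return 'expired';                      // idle too long, or no timestamp
    }
    return $hasPermission((int) $session['userID'], 'access_admin')
        ? 'allow'
        : 'denied';
}

// Call first thing on every admin page, before any output.
function enforce_admin_gate(callable $hasPermission): void
{
    session_start();
    $decision = gate_decision($_SESSION, time(), $hasPermission);
    if ($decision === 'allow') {
        $_SESSION['LAST_ACTIVITY'] = time();   // idle window restarts per request
        return;
    }
    if ($decision === 'expired') {
        $_SESSION = [];
        session_destroy();
    }
    header('Location: ' . ($decision === 'denied' ? 'insufficientPermission.php' : 'login.php'));
    exit; // without this the rest of the admin page still runs and is sent
}

// Constructed sample data: user 1 holds access_admin, user 2 does not.
$perms = [1 => ['access_admin']];
$check = fn(int $uid, string $perm): bool => in_array($perm, $perms[$uid] ?? [], true);
$now = 1700000000;
$cases = [
    'no session'   => [],
    'admin active' => ['userID' => 1, 'LAST_ACTIVITY' => $now - 60],
    'admin idle'   => ['userID' => 1, 'LAST_ACTIVITY' => $now - 1801],
    'non-admin'    => ['userID' => 2, 'LAST_ACTIVITY' => $now - 60],
];
foreach ($cases as $label => $session) {
    echo $label, ': ', gate_decision($session, $now, $check), PHP_EOL;
}
```

In this arrangement the login handler is the only place that writes `$_SESSION['userID']` and `$_SESSION['LAST_ACTIVITY']`, and it does so after verifying credentials.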