cbassett03

Is there a code library out there that can read the exif data from image files, without the use of the php exif extension? I have a Windows hosting package and am noticing that several hosts don't (and won't) enable the exif extension for PHP for some reason. I need Windows for one of my sites which requires MS SQL access, so I can't use a Unix/Linux host because of that. But all of them support PHP on Windows. Suggestions?

So far, my company has been using Apache (Linux)-based web hosts for our hosting needs. Ever since the Heartbleed bug was found in OpenSSL, which is common to open source software, including Apache HTTP Server, I was wondering if Microsoft's IIS was any more secure than Apache. Opinions? My arguement is that although IIS is a closed-source system, it is also a widely targeted platform (Windows) so that may be of concern. My argument for Apache is that it is open source, so exploits can be implemented using the source code as well, which is available for free download. So, the question really is which HTTP server platform is more secure?

Does anyone know how I can go about downloading a specific build of PHP on a Raspberry Pi running Raspbian? I want to try to create a development/testing webserver using the Pi, but I want it to have the same versions of PHP and MySQL that are on my actual production server (which is shared hosting using a web host). So far, using apt-get, all it does is install the latest version available, which I don't want to do. I want a specific version to closely imitate the actual production server. Ideas?

How can I create a PHP script that will trigger a download? For example, if I have a database of files and file IDs, and have a hyperlink like this in an HTML page: getfile.php?FileID=1001 How can I code the getfile.php file so that no matter what type the file is (ZIP, EXE, JPG, AVI, etc), it will cause the browser to prompt the user to download the file? (Not entirely sure if this is more a PHP question or an HTML question because of how I'm approaching it...) (The purpose of me using the getfile.php file is so that files can be physically moved around without me having to update all of the hyperlinks in the HTML files, but rather just update the paths in the SQL database instead.)

How can I get the names and values from an HTML form using PHP when the form is submitted using a Submit button? I think this may involve using a foreach loop (since the form will be dynamically created each time depending on other factors). But I need to be able to capture the form control's name and its value when it is submitted.

I ended up using suggestion #3. But my problem now is that in most cases I may have 3 or more drop down menus. But the right most drop down menu depends on the previous drop down menu to the left of it (they show up progressively from L to R). Anyone want to suggest how I can delete or removed any "down stream" drop down lists when a "parent" list is changed. The lists are all chained and as you work through the lists, they narrow down based on particular characteristic or class type. Here's an example using cars: Car > Ford > 2000 > Taurus > SEL Let's say I want to change it to a 2002 Taurus. I would chang ethe value in the "year" list from 2000 to 2002, but I want the dynamically created lists that contain the model and trim level to be removed so that when the year is changed, the model list would be repopulated with models that were available in that year.

So there isn't just a "return" keyword I can use to return the text value or variable?

Here is a segment of code that I'm using in a PHP script, which is called as part of an AJAX HTTP Request: <?php $result = $user_conn->execQuery($sql_query); while ($row = $result->fetch_array(MYSQLI_ASSOC)) { $resultText .= '<option value="'.$row['id'].'">'.$row['display_text'].'</option><br />'."\n"; } echo $resultText; ?> NOTE: I created a MySQL class with custom functions, so execQuery() is a custom function I created that actually runs the query() command for SQL. Anyway, as you can see, to get the results back to the JavaSCript calling request function, I used ECHO. Is there an alternative so that if someone where to run just this PHP script directly, it wouldn't output any text (because right now it will)? (I asked this a few weeks ago but seem to have "lost" the post.)

I'm working on an AJAX based site (which also involves PHP and MySQL) and I'm trying to create a product selection system, where someone can start with a dropdown list of very generic items, and slowly (through additional drop down menus) "narrow" down to the specific item or class of items they are looking for. My problem is this: I'm not sure how to go about the dynamic portion of it. Should I just create a bunch of drop down lists, and then through Javascript, hide or show them as needed, or should I create them dynamically as I need them? My other issue is that for some items, the lists may be only 2 or 3 levels deep, whereas for others, it may be 4-6 levels deep. I'm trying to minimize the amount of HTML code, so I can decrease the page size and browser processing time, so any advice would be helpful. I am quite experienced in Javascript, HTML, PHP and MySQL. Lastly, I DON'T want to use any third-party libraries, such as jQuery--it needs to be hand-coded by me.

Does anyone know how you can install specific versions of Apache, MySQL and PHP on Linux? Specifically, I'm using a Raspberry Pi (which I'm running Raspbian Wheezy, which is based on Debian but for the ARM architecture) and it uses the apt (or apt-get, not sure which one its called) package manager. I can install whatever version is found in the catalog simply by issuing the install command, but I want to use specific versions of at least PHP and MySQL (to match the versions used on the web server I host my site on). Anyone have any advice? I tried visiting PHP's site and the MySQL site, but can't find the versions I need for this distro and architecture. Will any debian version work, even though its an ARM processor?

The information that is being sent isn't anything confidential. But what I've been doing is using an ECHO statement to return the result from the PHP processing script back to calling javascript function that invokes the script (as part of AJAX). Could i use "RETURN" instead of ECHO? I'm storing the result in a PHP variable, so couldn't I just say "return $variableName;" in my PHP script?

Is there a way that I can execute PHP and HTML that is stored within a field/column from a MySQL table result row? For example, if in a column named "page_code" I have the following text: <html><head><title>Sample</title></head><?php echo "This is a test"; ?></html> Is there a way that I can have a PHP script file execute the above statement. (I'm trying to put multiple web pages with HTML and PHP mixed, into a MySQL table but can't get PHP to execute the code before sending the results to the browser.)

This may be more of an Apache or Mysql question than PHP, but I've heard many suggest that when using AES encryption/decryption with MySQL, they say to store the key in a file not in your "htdocs" folder. Does anyone know how this can be done so it can still be accessed by PHP scripts, but not directly (ie. by someone typing the path into the address bar of a browser).

This is probably a broad question, but is there a way that I can prevent (or greatly reduce) code injection via someone typing in "parameters" into their address bar against a PHP script? For example, preventing something like the known "1=1" injection that causes MySQL to return all values in a table. Should I explicity check each variable to make sure it doesn't include "1=1" or something similar that would cause the database to return everything? I'm aware of htmlentities() function in PHP. Just as an FYI, I generally send most of my data from HTML forms using the POST method, partially so the data and parameters are not shown to the user during transmission. Any suggestions, or sites, that discuss PHP security? (I'd consider myself an intermediate PHP programmer at this point--I know my way around the language, but am getting more concerned with security as I move away from personal projects and into more "real-world" projects.)

Problem is that I'm on a shared hosting system, and I don't think I can modify the PHP.INI settings (especially when it comes to autoloading files). My concern with using require() over and over again is that doesn't that start to consume more memory after being dozens of times or does PHP "recover" memory when a page is not actively being used. I am considering using the SESSION, but think I'm limited to 128MB total for SESSION variables, which this wizard wouldn't require that much, even with user data and my config settings being stored in the session, but from what I'd know of, you can't nest arrays in the $_SESSION variable. What about require_once(). Can you use that on each page or would that not work. Up until now, I've developed sites mainly by hard-coding in filenames and path, but want to to take a different approach to this wizard since I may or may not be updating it in the future (someone else may take over the project in the future, so I'm trying to make it as easy to update/change as possible).

Is there a way that I can create a "configuration" script for a PHP-driven site, and have that page load first (to get the needed data and variables loaded), and not have to load it on each page using require() or include()? Basically, I'm creating a 5-step wizard system, and I have it right now that the config.php file (which needs to be loaded before the wizard starts) defines and specifies the file locations and scripts in the wizard and in which order they are used. the config file also specifies how many steps are in the wizard, the name of the wizard, and other information. Here is a little of what I"m putting in this config script file: // the paths below specify where certain script files are located // each page will dynamically create the HTML Form element's ACTION URL based on // the "paths" given below and using the $pageIndex array elements to link files, // // A complete path would be coded as: $root_Path . $process_path . $pageIndex[0][1] (for the first page) // which equates to: /wizard/process/firstpage-process.php $root_Path = "/wizard"; // Location of the wizard main files $process_path = "process"; // Location where page processing scripts are stored $conn_path = "conn"; // location where DB connection scripts are stored $ui_path = "ui"; // Location of User-Interface script files $pageIndex = array( array("firstpage.php","firstpage-process.php"), array("secondpage.php","secondpage-process.php")); $pageCount = count($pageIndex); $currentPage = 0; NOTES: 1. I'm using a nested array so that it can be counted so that the wizard can calculate the total number of pages in the wizard on the go. 2. $currentPage is set by each page in the wizard, so it initially is set to 0 here, but the first page will set it to 1, etc. 3. I use the "path" definition idea so that pages can be moved and llayou have to do is modify this script and not have to go through each file and change them. Each file in the wizard will use these paths and will dynamically construct the FORM ACTION URL from this data in this snippet of code. I'm doing this mainly so that the wizard can be updated at a later time (add pages, remove or rename pages, etc). I want to make it so that you only have to edit the configuration in one place and not have to go through each page and update it if you decide to add a step (page) in the middle of the wizard. But I'd like to load this config.php file once, and not have to load it on each page. Is there a way to do this? I don't think that register_globals is turned on, nor do I care to use global vars simply because I feel it's sort of a bad way of writing code. Should I just use a session? Right now, I'm just including the config.php file in every file that is used in the wizard. Suggestions...

I've got a concern for a project I'm working on... I don't want external sites to be able to run/trigger one of the PHP scripts on the site I'm doing. Can I use the PHP_SELF variable to check where the calling file is located, and then if it's not on the web server the site is being hosted on, then it won't run? What's the best way to do this? I'm just concerned about people tapping in "externally" by having their scripts / web pages call the scripts in the site I'm writing.

Is there any good books or sites that anyone would like to suggest on writing secure PHP scripts? Most books that I've read on PHP only touch the surface with PHP security and don't really get into too much detail (because they were all mostly introductory-level books). (I'd probably consider myself an "intermediate" level with PHP--quite familiar with the language now, and how to interact with databases, etc, but just need to read a little on security measures and practices, standards, etc.)

When storing and retrieving data using sessions in PHP, is it OK to do something like this: $_SESSION['person']['lastname'] Or should I just stick to something like: $_SESSION['person_lastName'] I personally like the first example better for ease of reading and interpreting, but want to make sure that it can be traversed (using an array) and is "safe" to use (and that won't crash a PHP script).

Does anyone know how (or if) you can store an array a value into a $_SESSION variable? I want to try to store a 2-dimensional array into a session variable named "configurations" that will be stored in the $_SESSION superglobal. The "configurations" array will have two values. I'm trying to do this for simplicity and easy parsing. Any suggestions would be helpful.

When using statements such as ECHO, or when setting a variable equal to a text value (Such as $name = "Joe") Should you use double quotes or a single quote? Is one better (or more secure) than the other? I've seen it done both ways in books and online (code examples). What is the standard (or generally accepted standard, if there is one) regarding this?

Sorry if this is the wrong place to post this.... I'm in the process of working on a new website for a company I work for. I am pretty fluent in PHP, but haven't had any "official" training or education in it (only from me reading books and trial and error). Anyway, are there any good books that are written regarding writing secure PHP code? I have a few beginner books, but they really don't get into too much detail on writing secure code (they mainly focus on the basics with a bit here and there about basic security relating to PHP scripts but that isn't their main focus). My biggest concern is dealing with (and preventing) code injection when working with MySQL. I'm aware of the "html encodes" functions that will encode a character so that it cannot really be used to inject into MySQL (for example), but I want a more concise guide (book) that also covers over areas of writing secure PHP code (I'm sure there many many other security flaws out there that can be avoided if you know about them.) Any suggestions? Again, I'm pretty fluent in PHP so I'd say that I'm an Intermediate PHP programmer (not a beginner, but definately not an advanced PHP programmer either). I guess I'd also take suggestions for online sites that talk about PHP security (I know a google search would yield plenty, but I'm looking for more of a structured sequence that covers all sorts of security pitfalls and how to overcome them--in a logical fashion, rather than me just doing "site hopping."

Is there a performance or security issue when embedding HTML code to be written to a page using a series of ECHO statements within PHP? Here's two examples: <?php // Some PHP code echo "<p>Hello, World</p>\n"; // More php code ?> versus: <?php> // Some PHP script commands ?> <p>Hello World\n"; <?php // More PHP code ?> Is there a performance issue or potential security flaw that would make the first example any worse/better than the second? (Is one method more "secure" than the other method, I guess is what I'm asking?) I like the ease of just throwing in HTML within a PHP script without having toe escape quote marks, etc. But, I'm a bit concerned about security since whatever technique I use will be incorporated into a "commercial" production website.

Got a question regarding user profiles in CMS systems... I'm looking to build a custom home-made CMS system for myself (my website) but want to be able to add users and have various privilage levels (such as Admin, Moderator, General User, and guest). Now, since each level will have different access to the MySQL database (such as Admin will have full access, Moderator will be able to add/remove records, but not modify database structure, General User will be able to post to certain areas of the database, but not alter other people's submissions, and a guest will only be able to read the database), is it best to handle the security via PHP code, or should I allow the system to create a user with appropriate privilages directly on the MySQL database server? I'm thinking that writing the security system myself is more work, but might be the better way. How is this generally handled in other CMS systems? Basically, I want to know if I should have the system add users to the MySQL server, or should i embed the security in the PHP scripts themselves (for example, to check to see if a person is am admin--which would be able to make modifications--versus a guest--who will not be able to make any modifications to the database).

Which methods is generally accepted as the standard when putting PHP and HTML in the same file? <?php echo "<html>\n"; echo "<head>\n"; echo "<body>\n"; echo "<p>Hello, you are ".$age." year(s) old!</p>\n"; echo "</body>\n"; echo "</hjtml>\n"; ?> ...versus... <html> <head> <body> <?php echo "<p>Hello, You are ".$age." year(s) old!</p>\n"; ?> </body> </html> Is it preferred to have the script ECHO the HTML tags to the page, or should I just embedd them (the tags that do not require any PHP manipulation, such as the HTML, HEAD, BODY, etc. Is one faster than the other? Which is more secure? I know with the first example, you would have to escape any quaotation marks, which makes it a bit trickier to do with certain HTML, but I'm more concerned about standards and security than coding complexity. My previous programming experience tells me that the second would be faster, since PHP simply spits out the extra stuff (the HTML, HEAD, BODY tags) rather than using ECHO to send them to the pa ge, which thus reduces processing time, right?