jdlev

The principles of santization are pretty straight forward, but I guess I was wrong about how much sanitizing wordpress does on your behalf. I though a lot of the wpdb functions actually took care of that for you? I agree 100% with your opinion on wordpress. It's great out of the gate if you want to do some dynamic stuff like manage user profiles, build forms, etc...but all of these stupid caveats it has when you won't to build something or customize something are really starting to get on my nerves. Where you from in NC, I'm actually from Charlotte (small world!)

Since your submitting the form to itself, why not just use an if-then statement based on available post variables? Shouldn't be too hard to implement: Something simple like this should do the trick: if (!isset($_POST['com_firstname']){ //show form } else { //hide form } Also, I'm not sure you actually need to sanitize the data. I remember reading that certain methods used by wpdb like $wpdb->insert, etc are sanitized automatically by the $wpdb class (someone who's a bit more familiar with the wpdb class in wordpress, feel free to correct me if I'm wrong, but I think that's the case)

Thanks for the tip requinix. I use the chrome tools all the time and didn't know you could see the request/response headers. Good idea, I'll give it a shot

I'm running it through wordpress's wpdb function, so basically, I click a button to delete the record and nothing happens beyond the alert. It's also not the variable 'id', as I just updated it to 'deleteID' and it had no effect To be honest, I'm thinking about just ditching wordpress, but I'm hoping that once I get a handle on the numerous functions coupled with the various plugins it provides...it'll eventually make development easier. But so far, all it seems to do is slow me down lol. I found this example and it's functionality is exactly what I'm looking for...I just need to do it using wordpress's protocols: http://phppot.com/demo/ajax-add-edit-delete-records-in-database-using-php-and-jquery/

I'm not sure what is wrong with my code, but I basically have a dynamic table with a delete button at the end of each row. A person clicks the row, I'd like the table to update and drop the row. Should be easy enough, but I can't get it. Here's where I'm at: jQuery(document).ready(function($) { jQuery(document).on('click', "#delete", function() { var deleteID = $(this).val(); alert("ID to Delete: " + deleteID); // script works fine to here an alerts me with the proper ID to delete. $.ajax({ type: 'POST', url: '../admin/del.php', data: {"action": "del", "element_id": id}, success: function(data) { alert("Question Deleted"); } }); }); Something has to be wrong with the above script, because I can handle post requests and db manipulation from php scripts just fine. Any ideas where I went astray? TIA for your help

If I understand what you're asking, it sounds like you have an issue with including custom plugins you created -or- you're downloading other peoples plugins and they're not working... A) If they're other people plugins, you're activating the plugins after you download them, correct? B) If you made custom plugins, are you saving your custom plugins under the /wp-content/plugins folder? Are you including the header information on your plugins so wordpress knows where to find your plugin...like this: <?php /* * Plugin Name: xyz plugin * Author: Barak Obama * Description: My first plugin */ Once you have the correct header information on your custom plugin, you still have to activate it. Go to your plugins menu, and click activate underneath the plugin name. C) WP has a peculiar way of handling javascript and css. If you don't want to deal with the code, you can always use some plugins that are meant just for editing your css or using shortcodes to insert your javascript. For the coding purist, it's all about the hooks and where the files are located. If you have a custom plugin, wp has a lot of custom hooks to make adding your js/css easier. Here's an example of how to include a javascript file: Let's say you have the following file and folder structure: /wp-content/plugins/your-plugin/ my-plugin.php (this is your primary file where your plugin header info listed above would go) /js/ my_script.js You need to use a wordpress function called wp_enqueue_scripts() that imports your javascript so it appears on your main page. What you do is 'queue' your scripts - it's similar to 'include' or 'require' with php. You'll soon discover the wordpress codex is your best friend: http://codex.wordpress.org where all of these things like wp_enqueue_scripts() are detailed. First things first, we need an action hook to tell wordpress where to look for the functions: add_action('admin_enqueue_scripts', 'your_js_function'); // if you want to make the scripts available to admins only add_action('wp_enqueue_scripts', 'your_js_function'); // if you want your scripts available on the viewer side Next, we setup the function from the above add_action call, not the lack of the 's' on the 'wp_enqueue_script' - it's because it's a different function than the one we mentioned above: function(your_js_function) { wp_enqueue_script('script name', (plugins_url('/js/my_script.js',__FILE__))); } So here, the function 'your_js_function' is referenced by both of the add_action calls above. The wp_enqueue_script function calls the name of your js file. From there you see where the file is located. The plugins_url function gives wp the path to your plugin directory - in this case it's the 'your-plugin' folder we referenced earlier. From here, we insert the full path from the plugin base directory to your js file. __FILE__ is basically a way of referencing the current page. To test and make sure you JS is included in your homepage - go to the admin panel (if you used admin_enqueue_scripts) or your home page (if you used wp_enqueue_scripts), open the page source, and in the head of the page, you should see you JS file referenced. Hope this helps

I just ended up using the $_Server['DOCUMENT_ROOT'] global to get things working. Seems like gotten rid of the funky error I was getting before and after I logged in. Thanks everyone for the help. I really do appreciate it Good grief, I'd ask a question over on the wordpress forums and they were totally worthless.

Thanks Kevin

Hi Guys, Thanks for the help. I wasn't sure if wordpress was using PEAR already, and if I removed the include_path to the PEAR file from php.ini if that would screw up wordpress's functionality. For that matter, I can't even figure out why php isn't writing to the php_error log. I think I've properly setup everything in the php.ini file, but when I update it nothing happens. I have the path to the log file correct. I made sure a blank log file exists and that it's writable to the windows system user account - which I 'think' is what apache runs on. There was some weird file in there named NOEMPTY or some such thing which I don't understand. As for what was happening with the required() issues...It was weird. I'm building my first custom plugin for wordpress. When I would go to the index page, I'd get the required error - the 'Can't find required('xyz.php') directory' etc. So I'd change it to something like ../xyz.php, and it'd find it. Then as soon as I'd login and go to the wordpress admin menu, I'd get the 'can't find it' error again. So I'd go back into the file and remove the ../ and just go back to xyz.php, and it'd find it again. I have no idea what was causing the issue. I'll check out wordpress's plugin_dir_path() function and see if that may be a better solution.

Hi Guys, I've got xampp running on my machine with wordpress, and had 2 security related questions: A) I was constantly running into issues with wordpress and trying to find includes. I'm building a plugin, so on the plugin's main file, I just added a 'set_include_path' function equal to the root directory of my website. Then, the require_once, and include functions that are also on that page seem to have stopped having issues. Are there any security issues with using the set_include_path, and setting it to say 'C:/htdocs/home'? B) I used Xampp to install apache, mysql, and php. Until recently, I had no idea what PEAR was. I'm curious though...is PEAR installed by default with PHP or Xampp? Thanks for any help guys

I'm trying to decide how to setup user access to account information. So you have a universal table for user login information that associates that user with an account. That user only has access to that particular accounts information. Now lets say that user has a company address. Should I have another universal table where every account's company address is saved to the same table, but they can only access/edit their own address My_Database -Universal_Address_Table ---Address Company A record(only company A can see) ---Address Company B record (only company B can see) -OR- Should each account have it's own table for the addresses associated with it, so every account would have multiple iterations of the same structured table. My_Database ---Company_A_Address_Table ---Company_B_Address_Table So is one method more secure than the other? Is there a limitation on how much information MySQL can handle, because I'm hoping for a few hundred if not thousand accounts?

I'm looking for the most efficient way to do this: 1) User enters number of days to see sales (ex. 30) 2) Database holds day (ex. 2013-07-08) & total sales for that day. 3) Data is sent to an array (or would a text or xml file be better to access the data?) 4) Data is extracted from array/file/xml and inserted into a graph to display data. So I suppose I could just run a for loop that looks at the database for 30 days, and returns all data, and the for loop packs the info into an array. Another way I guess I could do it is to give the SQL query an argument that says any days for today minus thirty days, add that information to an array. How would you guys go about doing it to maximize efficiency?

If you use DEFINE to declare a variable, that is not visible to the end user is it? Would using the DEFINE function be the preferred method for declaring the connection variables for a database to ensure there isn't tampering if you have varying levels of MySQL access?

I'm a dumbass. I can't believe I couldn't figure that out. Thanks for the help, I appreciate it

So you can't call multiple variables from a function within a class? You need to make a function for each variable you want, and just call the function itself?

Let's say I wanted to pull the host & address variables out of the function "ip" and echo them outside of the class. How would I go about doing that? I tried in the code below and failed miserably <?php //Returns information on the User's IP Address, Hostname, Port, and Username class getIP { public function ip() { $this->address = $_SERVER['REMOTE_ADDR']; $this->host = $_SERVER['REMOTE_HOST']; } } $addy = new getEm; echo $addy->ip(this->address) . "</br>"; ?>

I know...but I'm a complete moron. It's like i'm dyslexic sometimes when it comes to understanding what is in the manual. These are just some things I read through in the manual that I didn't understand 100% and was looking for some clarification.

The two functions seem very similar. What is really the difference between the two? Is there any reason to use both, or does say, session_destroy do everything session_unset does and then some? Is the only way to destroy the session server side to use setcookie("","",time()-3600) to change the cookie expiration time to some point in the past? Is it correct that neither of the two functions deletes the session cookie at the client? Is there a way to do that? When you logout a user, do you have to use session_start() at the beginning of the page? That seems to be the only way I've gotten it to work? Now for my really, really dumb, uber noob question. On my server, I can open up a session text file in notepad and see all the corresponding variables. In chrome, using inspect element, I can see the name of the cookie and the cookie ID. Am I correct in saying that the cookie name/id are the only things the end user can see, or do they see all of the information that is stored on my server in the cookie text file? I assume the cookie ID just acts as a reference to the information server side...cookies seem pretty worthless if they don't hide the information from the end user. Here's something else I'm not getting. In the code below, why would it treat that statement as false (not having a session)? I thought: if($_SESSION) and if(isset($_SESSION)) were essentially the same thing? // Let's say we have an active session session_start(); //Why is this false? if($_SESSION) {false} else {true} //And this statement is true? if (isset($_SESSION)) {true} else {false}

I've never understood what this means: -> For instance, I'll see it used, and I think it typically references functions (maybe?) for instance $this->my_variable I know it's also used alot in perl. Does it provide the same function in perl? Can anyone explain this to me in layman's terms? I guess I also need to under what "$this" does? The php manual defines it as a "pseudo-variable", and I have no idea what that means?

Great thanks...that's so simple, I can't believe I couldn't wrap my mind around it. Is there any security vulnerabilities in using that method? How would you store the account type as a session variable? If I had two account types, and one type was 'user' and the other was 'admin' wouldn't it make the site vulnerable to someone manipulating session data? Maybe a unique identifier for the admin account encrypted with sha or something like that would work?

For whatever I can't conceptualize the idea behind this simple funeral home application - or at least the best way to build it. I have two versions I'm rolling out. Anything marked v2 I plan to add later on. I work for a call center. We have a lot of customers that are funeral homes, and are developing a new service for them. It's a simple yet uber secure user interface app to update our call center on the upcoming memorial services. I'm not sure how I should go about designing these platform. It should have 2 or 3 types of users with the following responsibilities: Administrator Account: This will be used by any of our operators to update accounts. Here are some of the key features: Ability to search all funeral home memorial services from multiple funeral homes Add/Update/Delete memorial service records associated with any funeral home Funeral Home Account: This will be used by any funeral home that is a customer of ours: Add/Update/Delete ONLY their memorial services & memorial designation information. Can not view other funeral home account information (opposite of the admin account) v2 - Website insert code to allow them to display a 'table of contents' of who they have for upcoming services on their own website. Visitors will be able to view information on the services offered by clicking the name and a template on our site will describe all the services. v2 - Condolenses section. Visitors to their website will be able to post condolences to the family and/or purchase flowers/gifts/etc for the person. I guess my biggest question is on user authentication and access level. Do I just need to design a completely separate intranet that the operators will use for access, and then have only the funeral homes acct use the primary website? My head has been spinning on this dumb project for the last month

So I've read through the IIS6 help literature, and it is still clear as much, so I was hoping one of you guys would explain the different web site access permissions that I should use for a secure php/mysql user interface application. When you setup a sit in IIS6 is gives you the web site access permissions to check off for the anonymous (IUSR_machine) account. "Read" is easy enough to understand - IUSR can view directory or file content and properties...basically...they can load a web page and view it. "Write" is also kind of easy to understand. IUSR can do everything read can do, but it can also change directory or file content and properties. "Script Source Access" is confusing. What scripts are they referring to? Does that allow the user to see server side coding - like the actual php code? I'm totally confused on this permission. "Directory Browsing" I think I have a handle on. Users are only able to view files in the directory. I assume at a minimum this options must be selected with the "Read" option. If the "Write" permission is also selected, they can do practically anything someone sitting at the computer would be able to do (edit/delete/etc files and directories). "Log Visits" I know nothing about this resource. What does it log? Client IP? Which pages they visit? If they've made any changes to the site? And where are the log files typically located? "Index this resource" I have no clue what indexing does. Executing Permissions - Again they refer to scripts. I'm not sure what that's referring to. Are they talking about the scripts in my php folder? Are these scripts I've developed that are apart of my site? "None" easy enough...you can't run or see any scripts or executables on the server - but what scripts or executables is it referring to? "Scripts Only" It states that it only runs scripts on the server. Again...no idea what that means. "Scripts & Executable" I guess this is the same thing as "Scripts Only", only now, IUSR can run ".exe" files. Anyone who can help me better understand this stuff has no idea how grateful I would be. I owe ya a giant beer

I've been at this for 8 hours trying to do something that is probably elementary in nature. I have a drop down list that query's my database for all unique companies, and populates the drop down list with those company's names. Each company has services associated with it that are supposed to appear when one of the companies from the drop down list is selected so you can add/edit/delete the services. So *instantly* when we select a company, I want all service records to come up for that individual company. No hitting submit or anything...just select the company and boom, the services are filled in below. Here's the rub. If they change the company name, I want it to instantly change the company, and update the services form with all of the new companies services. I've tried javascript to no avail (because I have no idea what I'm doing with js probably). So, to sum it up, I want a simple drop down list that when an item is clicked, populates the service fields below it. If the company name in the drop down is changed, the service records will also change. Thanks a ton to anybody who can help with this. I've been pulling my hair out. >:?(

Our call center software has the ability to preload web addresses if the operator hits a hot key Ctrl+w....so if I can preload the user information into the URI...the operators can go straight to the users account to view information. Right now, there is only the post authentication on the action page, so I'm guessing the get uri transfer wouldn't work. Security is much more important than ease of design, so I'll probably just add an admin account to access all the accounts. Thanks for the tips

So here's the deal. I've got a user authenticated website using php w/ a post login form. We run a call center, and if I can preload a user's account information to view information about their company directly into a get uri, it would save me from having to develop an admin interface for the software. So, if I know the user login action form, and the relevent login variables, can I get into a users account using the get method instead of having our operators log in every time? TIA