[mysql security ?]

Wow, I didn't know it could be that easy. Now I'm starting to worry about the form action field .  I used to use echo $_SERVER['PHP_SELF'] but started just leaving the action field blank. I guess that's another place a hacker can get to.   

 

[mysql security ?]

mysql_real_escape_string() would still be fine for a number, intval() is just a common quick alternative for numeric parameters like IDs. It won't prevent anyone from submitting a non-numerical value, you would have to do that validation separately if you want to check for it.

Thanks,

I'm just trying to ad some protection to the databases for right now until I learn how to do prepared statements .  I haven't been able to comprehend them yet.  After reading about sql injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but i heard it is possible.

 

 

 

[mysql security ?]

mysql_real_escape_string() is for string data. Based upon your usage, the user provided value is an ID. If that ID is an integer, then use intval(). Always use the right method of escaping data.

Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non number? I was thinking of using javascript to check for valid numbers & pop up a warning before the form is entered. The page will not work correctly without javascript enabled so my only concern is some malicious hacker turning off javascript and doing some damage to the database.   

 

[mysql security ?]

I'm trying to understand this stuff. It's funny how easy it is once you understand it but getting to that point isn't always easy.

For now what I've done is just use mysql_real_escape_string on every possible input on every mysql_query command.

[mysql security ?]

I have a few questions regarding mainly sql injection. 

 I have three basic queries on my database :

$table1="first_table";
$input1=$_POST['input1 '];  
$input2=$_POST['input2 '];
$result= msql_query ("select * from $table1 where id='$input1' ");
$result_array=mysql_fectch_array($result);
$answer=$result_array[$input2]; 

I run the same query on about 12 different tables and I have about 50 to a hundred different inputs all together.

I'm not worried about if the user inputs incorrect data as much as I am any harmful sql injection.

I've done a little research on mysql_real_escape_string and I saw this idea but I'm not sure how to implement it: 

 

Any ideas welcome

$input_data = array_map('mysql_real_escape_string', $_POST); 

 

 

 

 

[Weird results from hit counter file]

Your code could be improved quite a bit. For instance there is no need to execute the tail command, and you can streamline your processing into less code.

<?php

//First we read in all lines
$lines = file('counter.txt', FILE_IGNORE_NEW_LINES);

//Then get the last line from the array of lines
$last = $lines[count($lines)-1];

//Split the line into the interesting parts.
list($day, ,$hits) = explode(' ', $last);

//If the day matches today, increase hits and overwrite, otherwise add a new entry
$today = date("D-m/d/Y");
if ($day == $today){
   $hits++;
   $lines[count($lines)-1] = "{$day} hits {$hits}";
}
else {
   $lines[] = "{$today} hits 1";
}

//Re-write the file
file_put_contents('counter.txt', implode(PHP_EOL, $lines));

You'll need to add your own validations/error handling such as what to do if the file doesn't exist or is empty.

 

 

As for your large count, have you checked your server's access log? You might just be getting hit by a bot or two that day causing a large number of hits.

 

Thanks for the ideas,

I hadn't thought about getting hit by a bot but that makes a lot of sense because I use the same counter file on another page of my site & never have any problems. It just produces a different .txt file so i can see how many users go to my home page & then follow through to another page on my site.

I'm on a shared server & don't know how to check the access log or to be honest, what it even is.   

[Weird results from hit counter file]

I have this php counter file that is included in my website index page to check how many hits I get &  put it into a separate file. It works fine for about a week or so and then it looks like the number gets multiplied by 10. Below is the code and the resulting file it produces. Any ideas why this is happening?

 

  $tailer=`tail -n 1 counter.txt `; /* gets a string of only the last line of the file */
$today= date("D-m/d/Y"); /* gets todays date */
$my_array=explode(" ",$tailer); /* puts the string into an array */
$old_day= $my_array[0]; /* original date from the last line of the file */
$old_hits=$my_array[2]; /* original amount of hits from last line */
$new_hits=$old_hits +1; /* add one to the hit counter */
$my_new_array=array("$old_day","hits","$new_hits"); /* makes the new array */
$newstr=implode(" ",$my_new_array); /* puts array back into a string */  
$filename="counter.txt";
/* If the date is the same then the adjusted line will overwrite the last line */
 if ($today == $old_day) {
$lines = file($filename); /* get the contents of the file into an array */
$all_lines = implode('',$lines);  /* puts the array into a string */
$fp=fopen($filename,"w");   /* opens file for writing */
$entry=str_replace("$tailer","$newstr",$all_lines);  /* the command to search & replace */  
$fw=fwrite($fp,$entry); /* writes to the file */
fclose($fp);  /* closes the file */
}
else {
/* Or else the date changed so it needs to start a new line   */
$newline="\n"; 
$new_day_array=array("$today","hits","1"); 
$new_day=implode(" ",$new_day_array); /* Puts the new day and first hit on a line */ 
$fp=fopen($filename,"a");
$fw=fwrite($fp,$newline); /* needed to change line when date changes */
$fw=fwrite($fp,$new_day);
fclose($fp);
}
 

 

Here is the resulting file it produces:

 

 

Tue-12/24/2013 hits 204

Wed-12/25/2013 hits 197

Thu-12/26/2013 hits 241

Fri-12/27/2013 hits 262

Sat-12/28/2013 hits 230

Sun-12/29/2013 hits 2043

Sun-12/29/2013 hits 204

Mon-12/30/2013 hits 326

Tue-12/31/2013 hits 251

Wed-01/01/2014 hits 229

Thu-01/02/2014 hits 355

Fri-01/03/2014 hits 2500

Fri-01/03/2014 hits 250

Sat-01/04/2014 hits 299

Sun-01/05/2014 hits 252

Mon-01/06/2014 hits 358

Tue-01/07/2014 hits 401

Wed-01/08/2014 hits 427

Thu-01/09/2014 hits 408

Fri-01/10/2014 hits 1509

Fri-01/10/2014 hits 15

Sat-01/11/2014 hits 276

Sun-01/12/2014 hits 52

[moving id numbers in a table?]

I found a way to do it in a few steps. First you have to get rid of the primary key & then its easy.

 

The table name is "first2" and the field name is "id".

 

I used these  commands:

alter table first2 modify id INT NOT Null;
alter table first2 drop primary key;
update first2 set id = id+1 where id > 32;
update first2 set id = 33 where id =102; 

It raised all the numbers from 33 up 1 so I could change 102 which was the new record that I added  to 33.

Now I can sort them to display in the order I want. 

[moving id numbers in a table?]

Your sort order should be another field, not based on the ID field. Then you can adjust the order of your records however you want without having to mess around with the IDs.

 

Add a column named SortOrder to your table, make it an INT column and number the records in the order you want them to appear. Alter your SELECT for those records to add ORDER BY SortOrder so it will properly order them.

I understand how to do that but I'm just amazed there isn't a simple command line that will do what I want to do instead of numbering every record. What if you had 10,000 records and you you just wanted to add one record to be sorted a certain way? It doesn't make sense that there isn't a better way. Isn't there a command that would move every id number up +1 at a certain point?

[moving id numbers in a table?]

An id is a unique identifier for a record. It should retain that same id for the whole lifetime of the record. The id should not be reused.

 

What is there about that record that says it must be no 33?

 

I use the database to populate a drop down menu and the record needs to be in that particular spot because it was one that I overlooked when creating the database.  It has nothing to do with alphabetical order so there's no other way to sort the order unless I add another field and number every record again.  I would think there is an easier way.

 

 

[moving id numbers in a table?]

I have a table with an id incremented from 1 to 100. I want to add a new record and have its id number to be 33 and move all the numbers from 33 up one.  How can I do that without manually editing every record from 33 up? 

[post to more than one page?]

 

Instead of calling the function each time:

 Door : <select name="door"  >
  <option>----</option> <option value="white" <?php if(get_value('door') == "white") { echo 'selected="selected"'; } ?> >white  </option>
  <option value="red" <?php if(get_value('door') == "red") { echo 'selected="selected"'; } ?> >red  </option>
 </select>

you can call it once and use the return value multiple times which will be more efficient:

 Door : <select name="door"  >
<?php $door_val=get_value('door')?>
  <option>----</option> <option value="white" <?php if($door_value == "white") { echo 'selected="selected"'; } ?> >white  </option>
  <option value="red" <?php if($door_value == "red") { echo 'selected="selected"'; } ?> >red  </option>
 </select>

another strategy is to store the values of the colors in an array and then loop through it to create the select. That way, if you want to add 20 more colors you just add them once and don;t have a ton of code:

 Door : <select name="door"  >
<?php $door_val=get_value('door');
$door_colors=Array ('blue','green','red');
?>
  <option>----</option> 
<?php
foreach ($door_colors as $color){
echo '<option value="'.$color.'" ';
if ($color == $door_val) echo "selected=\"selected\"";
echo ">$color </option>";
}

That's an interesting way to do it.

I used the code that I posted to test before I changed the code on the actual site. It's got multiple dropdowns with tons of choices that are all populated from a mysql database.

Thanks again to everyone for all the help. 

[post to more than one page?]

Does that mean the forms work as you expect now?

 

Side note: I would recommend using the <label> tag for your form labels. For more information, visit http://www.cyberscorpion.com/2012-02/making-html-forms-more-accessible-and-improving-usability-with-the-label-tag/

Yes it does.

I'm assume it's not the correct way to do it but it works perfectly now.

[post to more than one page?]

I also see now that I didn't need to use hidden inputs. I could have just called the functions for each variable i wanted to keep when I opened page2.php.

[post to more than one page?]

Thanks everyone for the input,

It seems like everything i tried didn't work & I'm sure it was because I couldn't understand how to use Curl correctly or the database thing so I figured out a simple way that works for my situation. Since I'm using session variables all I had to do was use hidden inputs on the second page for the variables from the first page. I got some help here earlier with a session function that I use on both pages. It's not very pretty but here it is:

Page1.php

<?php 
session_start();
function get_value($var)
{
if ($_POST[$var]!="" || (!empty($_SESSION[$var]) && $_POST[$var] === '')) { 
    $_SESSION[$var]=$_POST[$var];
}
if (isset($_SESSION[$var])){ return $_SESSION[$var];}else{ return $_POST[$var];} 
} 
?>
<br>
<form method="POST" action="page2.php">
 Wall type : <select name="wall"  >
  <option>----</option> <option value="green" <?php if(get_value('wall') == "green") { echo 'selected="selected"'; } ?> >green  </option>
 <option value="blue" <?php if(get_value('wall') == "blue") { echo 'selected="selected"'; } ?> >blue  </option>
 </select>
<input type="submit" value="Submit">
 </form>

Page2.php

<?php 
session_start();
function get_value($var)
{
if ($_POST[$var]!="" || (!empty($_SESSION[$var]) && $_POST[$var] === '')) { 
    $_SESSION[$var]=$_POST[$var];
}
if (isset($_SESSION[$var])){ return $_SESSION[$var];}else{ return $_POST[$var];} 
} 
?>
<br>
<form method="POST" action="">
 Door : <select name="door"  >
  <option>----</option> <option value="white" <?php if(get_value('door') == "white") { echo 'selected="selected"'; } ?> >white  </option>
  <option value="red" <?php if(get_value('door') == "red") { echo 'selected="selected"'; } ?> >red  </option>
 </select>
<input type="hidden" value="<?php get_value('wall'); ?>" >
<input type="submit" value="Submit">
 </form>

Thanks again for all the help

 

[posting data?]

This might sound stupid but I was wondering when two are more people are using the site posting the same form at the same time & post data from the form goes to another php page, can that cause the data to get crossed?

Also when using Curl to post data to another php page are the possibilities any different? 

[post to more than one page?]

What I'm trying to do is this:

 

I've written a calculation program that the user chooses some dropdown menu items & a few other inputs in a form from the page. When the form is submitted it takes them to another page where all the data from the first page is posted into variables on the second page & used for further calculations with other inputs. I'm using session variables on both pages. When they leave the first page the only way I know to get the session variables to the first page is to use a form on the second page that posts back to the first page. If they leave the second page without submitting the form then all the data on the first page will be lost. The reason I'm using separate pages is to keep the pages from getting too cluttered since there is so much data that the user inputs. So what I'm trying to do is figure a way that when the user submits the form on the first page the variables get posted onto that page & then takes the user to the second page where the same variables will be posted too.      

[post to more than one page?]

Is there any other ways besides using CURL?

If so I'd appreciate any other ideas so I can try to see what way works best for my situation. 

 

[post to more than one page?]

If I was to create something like this I would use CURL to post the data that was posted to the first form.

 

http://php.net/manual/en/book.curl.php

Doing some reading up on CURL, if I understand it right.

The first page would just do a standard SUBMIT on the form & POST to the second page.

Then I would use CURL on the second page so when it loaded, it would open the first page & post the data back into the first page.

Does that sound right? 

[post to more than one page?]

Is it possible to post the input of a form to the existing php page & at the same time post it to a new php page you want the user to go to when they submit the form?

[mysql_connect()?]

I have a typical php file(logger.php)  with username,password...etc that uses mysql_connect() to open my database.

I include the file in my php pages & It works fine but my question is how often do I need to use it  under these conditions.

 

I have a four page session where the first page posts to the second then the second to the third & then the third to the fourth in consecutive order to complete correctly.  Each page uses the same database & some of the pages also include other files that use the same database. Right now I'm including the logger.php file in all the pages to be safe.

I'm not using mysql_close() anywhere so I'm wondering if I only need to use the logger.php file on the first page & if I'm slowing things down by using it on all the pages.    

[can't get rid of session variable?]

I want to thank everyone for the help which has not only solved my problem but given me a lot of ideas to learn from.

I may try some different options as a learning experience to see if i can get a better understanding. 

I did use a return value of the function & echoed the function instead of using echo in the function.

It works either way but is that considered better technique or does it really matter?

<?php 
session_start();
function get_value($var)
{
if ($_POST[$var]!="" || (!empty($_SESSION[$var]) && $_POST[$var] === '')) { 
    $_SESSION[$var]=$_POST[$var];
}
if (isset($_SESSION[$var])){ return $_SESSION[$var];}else{ return $_POST[$var];} 
} 
?>
<form method="POST" action="">
<table> <tbody>
<tr>
  <td style="text-align: right;">
 Windows: </td>
     <td><input name="windows" style="background-color:#FFFFCC;width:60px;"  maxlength="10" value="<?php echo get_value('windows'); ?>"type="text"> 
 </td> </tr>
 <tr><td> <input type="submit" value="Calculate"></td></tr> </tbody></table>
 </form>

[can't get rid of session variable?]

 

Because of this code

if ($_POST[$var]!="") { $_SESSION[$var]=$_POST[$var];}

Whenever you input nothing("") the condition will be false thus your session will not change

 

Try something like

// this will check your session if it's not empty and you send an empty post
if ($_POST[$var]!="" || (!empty($_SESSION[$var]) && $_POST[$var] === '')) { 
    $_SESSION[$var]=$_POST[$var];
}

That did the trick,

Thanks a lot

[can't get rid of session variable?]

your get_value() function should do one thing, what its name implies. it should get the value from the correct $_SESSION variable.

 

all the values should either be in session variables or they don't exists at all at the point where you are building the form and if they do exist they should have been stored in the session variables at one point, where you detected that the form was submitted, in your form processing code.

 

you should have specific and distinct code that process the form data and specific and distinct code that builds the form.

Thanks for the reply,

I've never used sessions before so I need to learn a good bit more before I'll be able to understand how to implement the things you suggested.

I was hoping I was missing a simple line or phrase to solve my problem but it sounds a lot more involved.

[can't get rid of session variable?]

Delete the sessions when you are done using them? I dont really understand why you are using sessions in this form... You check if the $_POST is not empty ( You couldve used if(!empty($_POST[$var]) herre as well, but okay) and if it isnt empty, you set it to a session and you then check the session and return either echo the session of the post variable (which will always have the same value?!). Why are you using sessions for this?

 

Also, its good practise to make the function return something, rather than echoing it.

Thanks for the help,

The reason I'm using sessions is because I have about 50 inputs on the page & the biggest complaint I have is that people have to leave the page some times to change other factors on another page, return back to the page & then all their data is lost. The way I've got it now If they want to delete any of their inputs they have to change the number to "0" but just deleting the input & leaving nothing doesn't work.  I'm obviously not very good at this stuff so some of what you are saying is probably over my head. I really need to see some sort of coded explanation of how to do this.