Search the Community

Hello - sincerely hoping someone out there will be able to help with this, or at least have a good idea on what's going on. I have created a 'Single Page Application' (SPA) type website, and have used PHP on the server-side. At present, nearly all my content files (XML, JPEGs, XSLT, CSS) are generated from PHP scripts. My design uses many source files, and some pages have many small images, so file caching by the client browser is very important. I have set HTTP Cache-Control response headers on everything, to inform the browser that it can and should cache everything. (Content changes get picked up when a version number changes in the URL.) So far, so good - or so I thought. My problem is that both Safari and Chrome on iOS do fresh requests of EVERYTHING that's come from PHP, every time the user opens the phone from screen-lock. So the site is fast and slick with everything loaded into cache, until a 20 second pause with the phone locked, and then everything is dog slow again the first time content is viewed. For my use-case, this is a huge usability (and server load) problem. I've noticed that this refreshing of content DOESN'T happen for regular static files. (I have a folder of static file PNG images, and these never get re-requested.) How can I make all the PHP-generated content appear to the browser to be static files, so that the browser's heuristics don't mistrust them and assume they will be changing despite the HTTP headers?????! I can't believe I'm having this problem, honestly. Never seen anything like it before, with browsers ignoring these Cache-Control directives. There's something really messed up with the logic on mobile devices....

if you use a cookie or the session to hold this data, it can be bypassed by simply deleting the cookie or not propagating the cookie or session id cookie between requests. you must store this data persistently on the server, in a database table. next, you are not trying to lock the account, you are preventing login attempts for an account, from a device (client type) and its location (ip). if you actually lock the account, it will allow someone to log out and lock out a legitimate user, by just making a bunch of bad login attempts for an account. once you have stored the data in a database table, on each login attempt, you would query to find if, how many, and how long ago the bad login attempts were for the account, for the device (client type) and its location (ip). If the current time is greater than the time limit you have chosen from the last bad attempt, you would process the login attempt.

the reason for unusual operation is the ternary operator without a middle term, that the input is probably not what you expect, and php's type casting. when you leave out the middle term in the ternary operator, when the first term evaluates to true, the value used is whatever the first term is, which will be a boolean true due to the empty() statement. instead, your post method form processing code should - detect if a post method form was submitted before referencing any of the form data. detect if there is $_POST data (in case the post_max_size setting has been exceeded.) keep the form data as a set in a php array variable, then operate on elements in this array variable throughout the rest of the code. trim all the input data, mainly so that you can detect if all white-space characters were entered. validate all inputs, storing user/validation errors in an array using the field name as the array index. after the end of the validation logic, if there are no user/validation errors, use the form data. after using the form data, if there are no user/validation errors, perform a redirect to the exact same url of the current page to cause a get request for that page. this will prevent the browser from trying to resubmit the form data should that page get browsed back to or reloaded. if you want to display a one-time success message, store it or a flag value in a session variable, then test for, display the success message, and clear the session variable at the appropriate location in the html document. if there are user/validation errors, the code will continue on to display the html document, where you will test for and display any errors, redisplay the form, populating fields with existing data, so that the user only needs to correct the invalid input(s) and can resubmit the form.

The problem is as follow. 1. This is some old code thats been around for ages. 2. Mobile devices have different screen sizes. 3. Setting the session of the screen size lets me manipulate the various page width and image sizes to display on a mobile device based on the width. If a device has a screen width of x I want to make sure the image is set for that screen width. with different device screens, the image can be too big or small. 4. Setting the session also let me access that stores screen size of other functions on the page like resizing pop up boxes and so on. Hope that explains it

Absolutely, user's often don't logout intentionally, so you can't depend on that event being recorded. In general, you should be interested in any attempted change to their profile or other "escalation of privilege" or change to the core authentication mechanisms (password reset, password change). Many systems will also include and require a 2nd factor authentication at registration, which unless it's a mobile app, will typically be email. So that's another couple of event types you want to log (email authentication failure, email authentication re-request, email authentication success). Even if you are not prepared to make use of IP logging initially, I'd recommend creating the column in the table as analysis of most events you want to be concerned with (like brute force attacks) will necessitate IP logging if you want to understand where the attacks or coming from, or building in automatic countermeasures like time based IP bans.

here are some implementation practices - the form processing code and form should be on the same page. by putting them on separate pages, you are creating a lot of extra code. by only validating one input at a time and not having the form fields 'sticky', you are providing a poor User eXperience (UX). by storing the 'login_attempts' and 'lockout_time' in session variables, a nefarious user/bot can get unlimited new login attempts by simply not propagating the session id cookie between requests. you must store this data persistently on the server in a database table. the only user related value you should store in a session variable upon successful login is the user id (autoincrement primary index.) you should query on each page request to get any other user data, so that any changes made to the user data will take effect on the very next page request, without requiring the user to log out and back in again. the way a 'remember me' operation should be implemented is that if the remember me checkbox is checked, at the point of successfully verifying the user's credentials, generate a unique token, store that in a cookie and in a database 'remember me' table that also includes the user id, and the current datatime, for a determining token expiration. on any page request, if the remember me token cookie is set, query to find a matching row in the remember me table. if there is a row and the token is not timed out, use the user id from that row to set the session variable that identifies who the logged in user is. the rest of the code then uses this value in the session variable, just like it was set in the login form processing code. the registration process, unless being performed by an administrator, which your code is not doing, should not include the role. the role should not be something that the user can decide when they register. modern php (8+) uses exceptions for database statement errors by default - connection, query, prepare, and execute. any discrete logic you currently have testing the result of these statements should be removed since it will never get executed upon an error. both the username and email must be unique or you should only use the email and forget about a separate username. the correct way of determining if a unique value already exists in a database table is to define the column(s) as a unique index, just attempt to insert the data, and detect in the exception catch logic for the insert query if a duplicate index error (number) occurred. any form processing code should keep for the form data as a set, in an array variable, then operate on elements in this array variable throughout the rest of the code. i.e. don't write out a line of code copying every $_POST variable to a discrete variable. you need to trim ALL the user supplied inputs, mainly so that you can detect if all white-space characters were entered, before validating the data. you need to use an array to hold user/validation errors, and validate all the inputs at once, storing the errors in the array using the field name as the array index. after the end of the validation logic, if there are no errors (the array will be empty), use the submitted form data. in the login validation logic, all you really care about is that the required inputs are are not empty strings, after being trimmed. by providing additional feedback to a nefarious user/bot, you are helping narrow down the values they need to try.

@gizmola it would seem that the Software as a Service model would be more in line with my thinking (since I fear my code being co-opted). How is this best implemented? In simple terms, if the customer wants users to complete a form, would I just re-direct them to a form on MY server? Wouldn't that seem a bit suspicious if detected?

The "Problems" tab is a list of problems detected by the IDE and/or various extensions. You clear the list by fixing the problems, or somehow otherwise turning off the error reporting. You can hide the tab entirely through the right-click menu on the tab area, and similarly for the problems list in the status bar.

the most common reason for a password_hash()/password_verify() to fail is because the database column is not long enough to hold the hashed value. another common reason are programming mistakes in the form/form processing code and a lack of server-side validation that results in the hash value not actually being from the password that was submitted in the registration code, or the value being used in the login code not being what you think it is. your post method form processing code should always trim the input data, mainly so that you can detect if all white-space characters were entered, then validate all inputs before using them.

PhpMailer is not sending html emails even with isHTML set to true $mail->Body = $message; $mail->isHTML(true); $mail->isHTML = true; if(!$mail->Send()) { return $mail->ErrorInfo; } Here is the html message <!doctype html> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Site Title</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> </head> I've tried to find a solution by searching but all everyone is saying is add $mail->isHTML(true); or $mail->isHTML = true; i have commented each out individually but still doesn't send html emails Any help at all would be much appreciated

for the posted information, the requested date range of 2025-05-06 to 2025-05-22 doesn't match any of the $seasonPrices data. It starts one day after the end of the May Day range and ends one day before the start of the Summer half-term range. it should use the base/default price for every day. since you are using a standard date format, you can directly perform date comparisons by order, as mentioned in the previous thread. you can directly compare a date to the $seasonPrices SeasonStart and SeasonEnd values to find if it is between a date range. i would write a function/class-method that accepts a date input, loops over the $seasonPrices data, returns the first price that is between the SeasonStart and SeasonEnd values, or returns zero (or some other easily detected value) if it reaches the end without finding a match. as a procedural function, something like - function get_price($date,$seasonPrices) { foreach($seasonPrices as $row) { // date between start and end if($row->SeasonStart <= $date && $date <= $row->SeasonEnd) { return $row->SeasonPrice; } } // no match return 0; }

telling us that something doesn't work is pointless. we are not sitting next to you and didn't see what symptom or error you got that leads you to believe something didn't work. you must tell or show us what result you got and what the expected result should be. do you have php's error_reporting set to E_ALL and display_errors set to ON, preferably in the php.ini on your system, so that php will help you by reporting and displaying all the errors it detects? have you checked in the browser's developer tools, console tab for errors? you should use 'require' for things your code must have. require/include are not functions. the () around the path/filename do nothing and should be removed. $_GET['email'] is an input to your code. it may not exist. you need to use isset() to prevent errors when it doesn't exist and you must trim, then validate it before using it, when it does exist. the two session variables are also inputs to your code. they may not exist. you need to use isset() to prevent errors when they don't exist.

You've got three basic options for storage: a string, a number, or as binary A string is the obvious choice because human beings think of IP addresses as strings. You can support IPv4 and IPv6 easily because it's just a string. You can do exact searches because it's just a string, but CIDR-ranged searches are hard. A number is another choice, as an IP address is essentially a number. That's fine for IPv4 addresses, but the IPv6 is too large to support. Exact and CIDR searches are easy. There's also binary, which is probably the least convenient form to work with. It has the strengths of strings (variable-width) but its own disadvantages (binary data, inefficient ranged searches), as well as the strength of numbers (efficient storage) as well as their disadvantages (need to convert to/from string format). If you don't need ranged searches then use strings, if you think you need ranged searches then think again because you probably don't. Because this is one of those times where you can get lost overthinking the problem. Besides that, Don't store just the last IP address. Store all of them. Since you're dealing with user accounts you'll also have a session, and in there you can remember the IP address, and that means you can know if it changes (which would mostly mean a mobile device switching networks, but even that isn't especially common these days). Fun side effect of this is that you're more likely to think about session security, like how you should reauthenticate a user if a request comes from the "wrong" IP address...

Techanic Infotech is a versatile software development company renowned for its comprehensive service offerings. Specializing in web development, mobile app development, ewallet app development company, and custom software solutions, the company leverages modern technologies and agile methodologies to deliver top-notch products that align closely with client needs.With a strong emphasis on quality and client satisfaction, Techanic Infotech serves a wide array of industries including healthcare, finance, e-commerce, and education. Their solutions are tailored to address specific business challenges, showcasing their adaptability and expertise in crafting innovative software solutions.Backed by a team of seasoned developers, Techanic Infotech positions itself as a dependable partner for businesses seeking cutting-edge software development solutions. Their commitment to delivering value-driven outcomes underscores their reputation as a reliable and forward-thinking industry player.

Hi CBG, @mac_gyver actually posted the solution that you have chosen. And i want to say that mac_gyver and maxxd are better programmers and they have more experience than i do in this field. However, i disagree with any solutions that create a bunch of if branches because every step that a program takes can really slow it down. I definitely disagree that you cannot check it all at once. Personally, i recommend using the tools in the PHP toolbox to your advantage. I would do the following and be done with it: <?php $p = 'Yes'; $d = 'No'; $c = 'No'; $o = 'No'; $pinary = [$p] === ['Yes']; $nerror = [$d, $c, $o] === ['No','No','No']; if ($p && $nerror) { echo 'error'; exit; } echo 'No errors detected'; ?> then i would unset $pinary and $nerror to spare memory (even though 100% of coders would tell you not to do that). My point, is that you can check it all at once but you could do it differently. I would define an error and simply check if it is true.

Hi. I have an exsisting table Bank_Reason. I want to add an extra columb 'Colour' to it. I am getting an error when I try to change it. I have done a drop table and recreate. Can any help with this extra columb please. I worked fine before. P.S. I have noticed that i was missing a (`). NEW line INSERT INTO `Bank_Reason` (`ID`, `ReasonID`, `Reason`,`Colour`) VALUES. Makes no diffrence. DROP TABLE IF EXISTS `Bank_Reason`; CREATE TABLE IF NOT EXISTS `Bank_Reason` ( `ID` int(11) NOT NULL, `ReasonID` int(11) DEFAULT NULL, `Reason` varchar(20) DEFAULT NULL, `Colour` varchar(8) DEFAULT '#000000' ) ENGINE=MyISAM DEFAULT CHARSET=latin1; -- -- Dumping data for table `Bank_Reason` -- INSERT INTO `Bank_Reason` (`ID`, `ReasonID`, `Reason`,Colour') VALUES (1, 0, '---SELECT','#000000'), (2, 1, 'Other',','#0000ff'), (3, 2, 'Virgin Bank','#000000'), (4, 3, '_Spare_2','#000000'), (5, 4, 'CT','#ff00ff'), (6, 5, 'Energy','#c51010'), (7, 6, 'Mobile','#27b30b'), (8, 7, 'Virgin_BB','#06b8b6'), (9, 8, 'MNOPF','#00aa00'), (10, 9, 'Water','#aa7700'), (11, 10, '@Shops','#ff0000'), (12, 11, 'Online','#7777ff'), (13, 12, 'Cash','#000000'), (14, 13, 'Pablo','#000000'), (15, 14, 'Amazon Prime','#000000'), (16, 15, 'Ebay/Paypal','#7a061c'), (17, 16, 'Argos/Store cards','#000000'), (18, 17, 'Alexa Music','#000000'), (19, 18, 'HSBC','#aa00aa'), (20, 19, 'Amazon Orders','#aa7700'), (21, 20, 'State Pension','#301de8'), (22, 21, 'Home Insurance','#000000'), (23, 22, 'Lottery','#000000'), (24, 23, 'Rent','#000000'), (25, 24, 'Private Health','#000000'), (26, 25, 'Credit card **','#000000'), (27, 26, '_Spare_1','#000000');

the file system path/filename must be to where the file is located on the disk, either using a relative path (relative to the file with the include/require starting in it) or an absolute path. a leading / refers to the root of the current disk, which is doubtful where that file is located, and which will be producing a php error about a non-existent path/file. you must get php to help you by reporting and displaying all the errors it detects. you can temporarily set php's error_reporting/display_errors in your code (you will want to remove the settings when you are done learning, developing, and debugging). you can add the following immediately after the first opening <?php tag in the main file - ini_set('display_errors', '1'); error_reporting(-1);

We are Webslavery IT Services, a freelance web designing company who specializes in web design, web development and SEO. Webuild websites that are intuitive, adaptive to different devices, and stunning in design. We enjoy browsing through numerous designs and thematic styles from different websites and products for inspiration and find the evolving state of interactive websites particularly fascinating as we try our best to emulate them. Freelance Web Designing in Hyderabad For more Details Contact : Contact No: India:+91 8897931177,+91 9030361564 Web:http://www.webslavery.com/

what does the data look like? is there only one row of data or is there a set of rows of data? modern php no longer assumes that unquoted associative array indexes, that are not defined constants, are strings. you must use quotes around associate array indexes. if you tried the above code, did it produce php errors? do you have php's error_reporting set to E_ALL (it should always be this value) and display_errors set to ON, so that php will help you by reporting and displaying all the errors it detects?

I fixed the wrong quote but there is still an error. When I put the code into Notepad++ Line 8 is a blank line under create table section. MySQL said: Documentation #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(3, 2, 'Virgin Bank','#000000'), (4, 3, '_Spare_2','#000000'), (5, 4, 'CT','#f' at line 8 DROP TABLE IF EXISTS `Bank_Reason`; CREATE TABLE IF NOT EXISTS `Bank_Reason` ( `ID` int(11) NOT NULL, `ReasonID` int(11) DEFAULT NULL, `Reason` varchar(20) DEFAULT NULL, `Colour` varchar(8) DEFAULT '#000000' ) ENGINE=MyISAM DEFAULT CHARSET=latin1; -- -- Dumping data for table `Bank_Reason` -- INSERT INTO `Bank_Reason` (`ID`, `ReasonID`, `Reason`,`Colour`) VALUES (1, 0, '---SELECT','#000000'), (2, 1, 'Other',','#0000ff'), (3, 2, 'Virgin Bank','#000000'), (4, 3, '_Spare_2','#000000'), (5, 4, 'CT','#ff00ff'), (6, 5, 'Energy','#c51010'), (7, 6, 'Mobile','#27b30b'), (8, 7, 'Virgin_BB','#06b8b6'), (9, 8, 'MNOPF','#00aa00'), (10, 9, 'Water','#aa7700'), (11, 10, '@Shops','#ff0000'), (12, 11, 'Online','#7777ff'), (13, 12, 'Cash','#000000'), (14, 13, 'Pablo','#000000'), (15, 14, 'Amazon Prime','#000000'), (16, 15, 'Ebay/Paypal','#7a061c'), (17, 16, 'Argos/Store cards','#000000'), (18, 17, 'Alexa Music','#000000'), (19, 18, 'HSBC','#aa00aa'), (20, 19, 'Amazon Orders','#aa7700'), (21, 20, 'State Pension','#301de8'), (22, 21, 'Home Insurance','#000000'), (23, 22, 'Lottery','#000000'), (24, 23, 'Rent','#000000'), (25, 24, 'Private Health','#000000'), (26, 25, 'Credit card **','#000000'), (27, 26, '_Spare_1','#000000');

my usage of htmlspecialchars is to protect you from someone trying, for example, JavaScript code in place of a name. Atleast htmlspecialchars would prevent the execution of code. You shouldn't use it on a username, email address, password etc. You will instead need to employ some sort of validation, such as regex to check names and numbers. ENT_QUOTES just converts quotations (&quot;). session_destroy: i do not know what you are creating/developing but a login/logout process will be a good idea. However, the session will be lost whenever the user closes the browser unless you are maintaining state with cookies. You could add a logout or destroy session button, which is a post to the test-sesh2.php page. Then in test-sesh2.php, detect a post with your destroy session input and implemement a session_destroy command: if isset $POST 'destroy' then session_destroy(); let us know if you need help implementing session_destroy or validating input...

I am 100% in agreement with @jodunno on this. Media Queries is the right way to handle your problem. He provided some great links to look at. I understand that working with old code bases can be challenging. One way to work your way into it is to use a sandbox like codepen or jsfiddle and make a small proof of concept version that has a subset of the overall css and some markup, and just addresses the things you want to change in the UI. Chrome dev tools have a built in way of setting the client dimensions of the browser, to simulate a particular screen size, and there are also some extensions that do the same thing and make it a little simpler. When you first open the developer tools in chrome (using inspect) the first 2 icons let you turn on/off the device toolbar. With it on, you can set the dimesions so it simulates the dimensions of a device or you can manually set the dimensions. Then move those changes over into the new code. Hopefully it wasn't a huge mess of 100 scripts with the html markup copy/pasted everywhere, but even in a case like that, you can add a header.php and footer.php and start require_once() as you remove all the duplicate code. Last but not least, this is why a lot of css frameworks going back to bootstrap got popular fast, as they alll for the most part provide support for making your markup responsive.

I'm not clear on what account you have an issue with. In general, if it's anything you really care about, then take the time to set up 2 factor authentication. Emails that claim your account is locked and prompt you to re-authenticate are often Phishing attacks, where you never actually hit the site you thought it was, and for that reason, any emails like that should be ignored, not clicked on. You might want to inspect the original email and see if it was forged. Looking at the email headers and the src of any links usually tells you the story there. Pretty much all sites have now gone to informational messages if they detect changes to an account, or unusual activity. They never prompt you to "login" or to click some link. Email is unfortunately untrustworthy and all emails needs to be viewed with suspicion.

a bunch of points - three ... in a relative file system path is invalid. you should be learning, developing, and debugging code on a localhost development system, such xampp. do you have php's error_reporting set to E_ALL and display_errors set to ON, preferably in the php.ini on your development system, so that php will help you by reporting and displaying all the errors it detects? is the main page a .php page? what does the 'view source' of the resulting web page show in the browser? you should use 'require' for things your code must have. your goal is to produce ONE valid web page. the file that you require is not a complete web page, it is only the code/content that you want to be required at that point in the web page. you need to validate the resulting web pages at validator.w3.org all the navigation links you have shown are all the same. you should be dynamically building the web pages using a Content Management System (CMS), in which case the navigation links would be dynamically built too, based on the defined pages, instead of manually creating and managing a bunch of pages yourself.

You can always check to see if session is started: <?php // Include the configuration file and autoload file from the composer. require_once __DIR__ . '/../config/clearwebconfig.php'; require_once "vendor/autoload.php"; // Import the ErrorHandler and Database classes from the PhotoTech namespace. use clearwebconcepts\{ ErrorHandler, Database, LoginRepository as Login }; // Create an ErrorHandler instance $errorHandler = new ErrorHandler(); // Set the exception handler to use the ErrorHandler instance set_exception_handler([$errorHandler, 'handleException']); // Create a Database instance and establish a connection $database = new Database(); $pdo = $database->createPDO(); // Create a LoginRepository instance with the database connection $login = new Login($pdo); $checkStatus = new Login($pdo); // Start session if not already started if (session_status() == PHP_SESSION_NONE) { session_start(); } // Redirect to dashboard if the user is already logged in if ($login->check_login_token()) { header('Location: dashboard.php'); exit(); } // Generate a CSRF token if it doesn't exist and store it in the session if (!isset($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); } // Detect environment $isLocal = in_array($_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1']); $cookieDomain = $isLocal ? '' : DOMAIN; $cookieSecure = !$isLocal; // Set to true on remote server // Process the login form submission if ($_SERVER['REQUEST_METHOD'] === 'POST') { // Check if the submitted CSRF token matches the one stored in the session if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { // Sanitize the username and password input $username = strip_tags($_POST['username']); $password = $_POST['password']; // Verify the user's credentials if ($login->verify_credentials($username, $password)) { // Generate a secure login token $token = bin2hex(random_bytes(32)); // Store the login token in the database $login->store_token_in_database($_SESSION['user_id'], $token); // Set a secure cookie with the login token setcookie('login_token', $token, [ 'expires' => strtotime('+6 months'), 'path' => '/', 'domain' => $cookieDomain, // Adjusted for environment 'secure' => $cookieSecure, // Adjusted for environment 'httponly' => true, 'samesite' => 'Lax' ]); // Store the login token in the session $_SESSION['login_token'] = $token; // Redirect the user to the dashboard header('Location: dashboard.php'); exit; } else { // Log error message for invalid username or password $error = 'Invalid username or password'; error_log("Login error: " . $error); } } else { // Display an error message $error = 'Invalid CSRF token'; error_log("Login error: " . $error); $error = 'An error occurred. Please try again.'; } } // Generate a random nonce value $nonce = base64_encode(random_bytes(16)); ?> You can also make sessions persistent in your configuration and it's always best to start you session in your configuration file: session_set_cookie_params([ 'lifetime' => strtotime('+6 months'), 'path' => '/', 'domain' => 'localhost', 'secure' => false, // Since it's not HTTPS, set this to false 'httponly' => true, 'samesite' => 'Lax' ]); session_start(); ob_start(); // turn on output buffering if (empty($_SESSION['token'])) { try { $_SESSION['token'] = bin2hex(random_bytes(32)); } catch (Exception $e) { } } if (preg_match('/\.js$/', $_SERVER['REQUEST_URI'])) { return false; // Let the webserver handle JavaScript files }