devxtec

  1. I'm wondering what everyone uses for validating logged-in sessions. Do you simply check for a variable to be defined in the session such as $_SESSION['username']? Do you set the IP of the user in the session and check against it upon form submissions? Really just curious as to what you all do for validating your sessions as I'm a bit undecided at this point at how I want to handle session validation. However I end up validating the session, it needs to be consistent for all users and also provide little room for external factors. For instance a remote user's IP address can be spoofed so I wouldn't want to solely validate on that. What would you consider secure for Enterprise level? This is more a discussion of practice I suppose. Anyway I'm looking forward to responses.
  2. I am trying to figure out how I can get the number of rows returned by a fetch. Is there an equivalent of mysql_num_rows() that comes with PDO? I noticed PDOStatement->rowCount(); however, on select statements this is not a guaranteed way of getting back the number of rows returned by the statement as this behavior is not guaranteed for all databases. Anyone have any ideas on how to go about getting the number of rows?
  3. Try what rhodesa said but do this as you are on Linux and not Windows so your path would be different.

        LoadModule php5_module modules/libphp5.so
        AddHandler application/x-httpd-php .php
        AddType application/x-httpd-php-source .phps
        PHPIniDir "/usr/local/apache/php/php.ini"

  4. Silly question probably but is this the correct way to reference an associative array being returned by a class method?

        $tmp = linkObj->getLinkTargets();
        echo $tmp['linkText'];

  5. The books I'm referencing don't really have a good example. I was thinking about possibly implementing template files but my only concern then would be as I rewrite more and more code it'll end up being a template for each page. I'm trying to keep this as clean and simple as possible without crossing the HTML and PHP as much as possible. Separating Logic and Presentation/Display from one another, which will help making visual changes easier. Could you provide a link to the Google example page? Oh and I've learned a lot and have already rewritten several files into 5 classes to simplify the site. It's just I've now run into an area that it seems is more personal preference in how people handle it. So if anyone can throw out ideas on how they would handle it then I could probably come up with something. I'm just having a thought block and unable to think up a way to handle the issue in the best way.
  6. I'm in the process of converting a PHP application that was written in 4 to be written in 5 and use OOP. What is the best way to convert the code below to be a class method that is called if $linkObj->edit is 1? I'm trying to avoid putting the HTML also inside the method. Any insight would be appreciated as I'm learning OOP as I go along, so the more examples the more I'll learn as I'm a visual learner. I'll be replacing all the mysql functions to use PDO as the new rewritten code will be interfacing with different databases.

        <?php
        else if( $linkObj->edit == "1" )
        {
        ?>
        <html>
        <head>
        <title>Edit Link</title>
        </head>
        <script language="javascript">
        function wrap_up()
        {
            var par = self.opener;
            par.location.reload(false);
            self.close();
        }
        </script>
        <body>
        <?php
            $custId = $_GET['id'];
            $linkId = $_GET['link'];
            $qry = "select * from Links where CustomerNum = " . $custId . " and LinkIndex = " . $linkId;
            $res = mysql_query( $qry, $conn );
            if( $res )
            {
        ?>
        <form name="editlink" action="link.php" method="post">
        <input type="hidden" name="custId" value="<?php echo $custId?>" />
        <input type="hidden" name="linkId" value="<?php echo $linkId?>" />
        <input type="hidden" name="save" value="Yes" />
        <table width="100%" border=0>
        <?php
                while( $row = mysql_fetch_assoc( $res ) )
                {
        ?>
        <tr>
            <td align="right">Link Text:</td>
            <td align="left"><input type="text" name="linktext" value="<?php echo $row['LinkText'];?>" /></td>
        </tr>
        <tr>
            <td align="right">Link Target:</td>
            <td align="left"><select name="linktarget">
        <?php
                    $qry = "select PageName, BodyIndex from Body where CustomerNum = " . $custId . " and Active = 'Y' order by BodyIndex";
                    //echo $qry;
                    $res2 = mysql_query( $qry, $conn );
                    if( $res2 )
                    {
                        while( $row2 = mysql_fetch_assoc( $res2 ) )
                        {
                            $tag = "<option value=\"".$row2['BodyIndex']."\"";
                            if( $row2['BodyIndex'] == $row['BodyIndex'] )
                            {
                                $tag .= " selected ";
                            }
                            $tag .= ">".$row2['PageName']."</option>";
                            echo $tag;
                        }
                    }
        ?>
            </select></td>
        </tr>
        <?php
                }
        ?>
        <tr>
            <td colspan="2" align="right"><input type="submit" name="but1" value="Save" /><input type="button" name="but2" value="Cancel" onclick="wrap_up();" /></td>
        </tr>
        </table>
        </form>
        <?php
            }
        ?>
        </body>
        </html>
        <?php
        }

  7. Try catch code works. Now time to improve my error logging.
  8. I see where you are coming from on this but I am wondering if this code would work as well.

        $sql = "select LinkIndex from Links where CustomerNum = ".$custId." and LinkOrder = ".$linkorder;
        try {
            foreach ($dbObj->query($sql) as $row) {
                try {
                    $sql2 = "select LinkIndex from Links where CustomerNum = ".$custId." and LinkOrder = ".$newOrder;
                    foreach ($dbObj->query($sql2) as $row2) {
                        try {
                            $sql3 = "update Links set LinkOrder = " . $linkorder . " where CustomerNum = ".$custId." and LinkIndex = ".$row2['LinkIndex'];
                            $result = $dbObj->query($sql3);
                            if( $result ) {
                                try {
                                    $sql4 = "update Links set LinkOrder = " . $newOrder . " where CustomerNum = ".$custId." and LinkIndex = ".$row['LinkIndex'];
                                    $dbObj->query($sql4);
                                } catch (PDOException $error){
                                    echo 'PDO Exception Caught. ';
                                    echo 'Error with the database: <br />';
                                    echo 'SQL Query: ', $sql4;
                                    echo 'Error: ' . $error->getMessage();
                                    $errorMsg = $error->getMessage();
                                }
                            }
                        } catch (PDOException $error){
                            echo 'PDO Exception Caught. ';
                            echo 'Error with the database: <br />';
                            echo 'SQL Query: ', $sql3;
                            echo 'Error: ' . $error->getMessage();
                            $errorMsg = $error->getMessage();
                        }
                    }
                } catch (PDOException $error){
                    echo 'PDO Exception Caught. ';
                    echo 'Error with the database: <br />';
                    echo 'SQL Query: ', $sql2;
                    echo 'Error: ' . $error->getMessage();
                    $errorMsg = $error->getMessage();
                }
            }
        } catch(PDOException $error) {
            echo 'PDO Exception Caught. ';
            echo 'Error with the database: <br />';
            echo 'SQL Query: ', $sql;
            echo 'Error: ' . $error->getMessage();
            $errorMsg = $error->getMessage();
        }

  9. Wow that is dangerous stuff, you are not verifying a and you were using register_globals on (which is why it is not working now cause they are off like they should be) I would verify the input first and make sure that file exists. To access $a now it will be $_GET['a'];

     So, since the register_globals are off I can't do that anymore? With $_GET['a']; , would that replace include and with that would I have to add each individual .htm that I wanted to link to into a system before I could access them?

     Coding with register globals is bad practice and a security risk unless you are doing filtering for specific variables. Like premiso stated you can access $a now with $_GET['a'] as long as you are passing A via an HTTP Header with GET. If you are passing it via POST then it would be $_POST['a']. Your include statements would stay the same and would not be affected. If you reference variables being passed in by forms with POST or via URL using GET in other files then you will also need to reference them in the fashion of $_POST['var'] and $_GET['var'] respectively.
  10. Does this look right?

        $sql = "select LinkIndex from Links where CustomerNum = ".$custId." and LinkOrder = ".$linkorder;
        foreach ($dbObj->query($sql) as $row) {
            $sql2 = "select LinkIndex from Links where CustomerNum = ".$custId." and LinkOrder = ".$newOrder;
            foreach ($dbObj->query($sql2) as $row2) {
                $sql3 = "update Links set LinkOrder = " . $linkorder . " where CustomerNum = ".$custId." and LinkIndex = ".$row2['LinkIndex'];
                $result = $dbObj->query($sql3);
                if( $result ) {
                    $sql4 = "update Links set LinkOrder = " . $newOrder . " where CustomerNum = ".$custId." and LinkIndex = ".$row['LinkIndex'];
                    $dbObj->query($sql4);
                }
            }
        }

      With this way is it possible to include some error checking? In my other methods I use a try catch format when running queries. I'd think this could be implemented somehow.
  11. How will this code work in a nested situation? In the code I pasted it runs through multiple sql queries. Does this replace all occurrences? Sorry if this seems like a silly question but I'm trying to teach myself as I go along. As far as initiating the PDO connection, that is all done in my __construct() of my class I'm building. I have done reading on PDO but in none of my reading does it give an example of how to handle this type of situation where PDO is handling nested queries. Maybe you could provide me some material that will show me? I guess worst case scenario if I can't accomplish this all in one method of a class I'll just split it up into multiple methods.
  12. Alright I'm a bit stuck at the moment. I'm in the process of a rewrite of some code that was written for PHP4. I'm rewriting it to PHP5 standards with a class and using PDO for database connections. All the queries will need to be performed in the order which they are, just need to change the code doing the queries to PDO. From what I heard PDO can't support nested queries? So my question is what would be the best way to convert the following code to use PDO and increase the efficiency at the same time and keeping it database independent? An example would help a lot as I'm fairly new to classes and PDO. The code can be found here on this pastebin site. http://pasteninja.org/paste/299 (Note don't worry about the code starting with an else if this is just the lines of code out of a large file that I'm currently stuck on converting over.) Thanks for any help in advance
  13. I have written my own function which will handle all error messages issued by my script. The current function output looks as follows. How can I get my function shown below to change the Error type to be (Critical, Fatal, Notice, etc)? Would I want to use a case statement? Here is my function and if anyone knows of something more efficient that could be done in my function I'm all ears.

        // function to handle all error messages
        // If a critical error is encountered an SMS message is sent.
        // Accepted Input: $type
        //                 $msg
        //                 $file
        //                 $line
        // Returned Values: none
        // usage: set_error_handler("errorMsg"); at the top of the php file
        function errorMsg($type, $msg, $file, $line)
        {
            // time() gives the current timestamp (mktime() with no arguments is rejected by PHP 8)
            $errorStr = "Date: " . date("d-m-Y H:i:s", time()) . "\n";
            $errorStr .= "Error type: $type\n";
            $errorStr .= "Error message: $msg\n";
            $errorStr .= "Script: $file($line)\n";
            $errorStr .= "Host: " . $_SERVER['HTTP_HOST'] . "\n";
            $errorStr .= "Client: " . $_SERVER['HTTP_USER_AGENT'] . "\n";
            $errorStr .= "Client IP: " .$_SERVER['REMOTE_ADDR'] . "\n";
            $errorStr .= "Request URI: " . $_SERVER['REQUEST_URI'] . "\n\n";

            $filename = "dn_error.log";

            // Look for the word critical in the $type variable. Returns False if not found.
            $criticalError = stripos($type, "critical");

            if(file_exists($filename))
            {
                // Log the error to the file
                error_log($errorStr, 3, "$filename");

                // If a critical error is detected send notification to cell phone
                if($criticalError !== false)
                {
                    if(!mail("XXXXXXXXXX@messaging.spam.com", "Critical Error Log Addition for domain.com", "A critical error has been appended to the error log."))
                    {
                        echo "Critical error has been detected. We were unable to contact the webmaster. Please email webmaster@domain.com";
                        return; // break is only valid inside a loop or switch
                    }
                }
                else
                {
                    // otherwise send an email to personal inbox for checking
                    if(!mail("someguy@spam.com", "Error Log Addition for domain.com", "An error has been appended to the error log."))
                    {
                        echo "Critical error has been detected. We were unable to contact the webmaster. Please email webmaster@domain.com";
                        return;
                    }
                }
            }
            else
            {
                // IF UNABLE TO LOG INFORMATION THEN OUTPUT ERRORS TO SCREEN AND INCLUDE INFO IN THE EMAIL
                echo "Unable to log error.";
                return;
            }
            // STILL TO IMPLEMENT:
            // IF EMAIL FAILS HAVE MESSAGE STATE TO CONTACT A WEBMASTER WITH THE ERROR INFORMATION OUTPUTTED.
        }

  14. We haven't fully upgraded all servers to PHP5 yet as not all of our code has been converted to be PHP5 compatible. So there is no way to do encryption without the use of mcrypt? I find that hard to believe.
  15. Well I'm setting up a test box just like the production server. It's running the same PHP 4.3.9 and MySQL 4.x. How easy is it to compile mcrypt into the 4.3.9 version?
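
The link-order swap from posts 8 and 10, as an added example that is not code from the original posts: the same four queries written as PDO prepared statements inside one transaction, so the IDs are bound as parameters and a failed update cannot leave the two rows half-swapped. Table and column names come from the posts; `swapLinkOrder()`, the in-memory SQLite database, the sample rows and the assumption of one link per order value per customer are constructed for the example.

```php
<?php
// Added example (not from the original posts). Table and column names follow
// posts 8 and 10; swapLinkOrder(), the SQLite database and rows are constructed.
function swapLinkOrder(PDO $db, int $custId, int $linkOrder, int $newOrder): bool
{
    $find = $db->prepare(
        'SELECT LinkIndex FROM Links WHERE CustomerNum = :cust AND LinkOrder = :ord'
    );
    $move = $db->prepare(
        'UPDATE Links SET LinkOrder = :ord WHERE CustomerNum = :cust AND LinkIndex = :idx'
    );
    $db->beginTransaction();
    try {
        // Fetch each row and close the cursor before the next statement runs,
        // so no result set is still open when the updates execute.
        $find->execute([':cust' => $custId, ':ord' => $linkOrder]);
        $first = $find->fetchColumn();
        $find->closeCursor();
        $find->execute([':cust' => $custId, ':ord' => $newOrder]);
        $second = $find->fetchColumn();
        $find->closeCursor();
        if ($first === false || $second === false) {
            $db->rollBack();          // one of the two links does not exist
            return false;
        }
        $move->execute([':ord' => $linkOrder, ':cust' => $custId, ':idx' => $second]);
        $move->execute([':ord' => $newOrder, ':cust' => $custId, ':idx' => $first]);
        $db->commit();
        return true;
    } catch (PDOException $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        // Log server-side instead of echoing the SQL and driver message to the browser.
        error_log('Link order swap failed: ' . $e->getMessage());
        return false;
    }
}

// Constructed demo data: customer 7 has two links in order 1 and 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Links (CustomerNum INTEGER, LinkIndex INTEGER, LinkOrder INTEGER)');
$db->exec('INSERT INTO Links VALUES (7, 101, 1), (7, 102, 2)');

var_dump(swapLinkOrder($db, 7, 1, 2));
foreach ($db->query('SELECT LinkIndex, LinkOrder FROM Links ORDER BY LinkOrder') as $row) {
    echo $row['LinkIndex'], ' => ', $row['LinkOrder'], "\n";
}
```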
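
Post 9 says to verify the input and make sure the file exists before including a page named by `$_GET['a']`. One way to write that check, as an added example that is not code from the thread: `resolvePage()`, the `.htm` suffix, the `pages` directory in the usage comment and the temporary demo directory are assumptions.

```php
<?php
// Added example (not from the original thread). resolvePage(), the .htm suffix
// and the temporary pages directory are assumptions made for the demo.
function resolvePage(string $requested, string $baseDir): ?string
{
    // Accept only a plain page name: no slashes, dots or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() returns false when the file does not exist.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.htm');
    if ($base === false || $path === false) {
        return null;
    }
    // After symlinks are resolved the file must still sit directly in $base.
    return dirname($path) === $base ? $path : null;
}

// In a page script this would stand in front of the include:
//   $a    = $_GET['a'] ?? 'index';
//   $file = is_string($a) ? resolvePage($a, __DIR__ . '/pages') : null;
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;

// Constructed demo: a temporary directory holding one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.htm', '<p>About</p>');

foreach (['about', 'missing', '../config', 'about.htm'] as $a) {
    $file = resolvePage($a, $dir);
    echo $a, ' => ', $file === null ? 'rejected' : 'include ' . basename($file), "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'about.htm');
rmdir($dir);
```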