[PHP] Re: Advice on maintaining public and private files
On Fri, 19 Feb 2010 13:19:50 -0500, st...@astroh.org (Michael Stroh) wrote:

>I have a site I'm working on with some data that I want to be readable by
>anyone, but some files that I want to keep hidden from outside users. Here is
>an example of my file structure.
>
>/products/data1/item_1/data.txt
>/products/data2/item_2/data.txt
>
>I would like everything in data1 to be available by anyone who visits the
>site, but I want to keep items in the data2 folder to only be accessible
>through certain web page which I hope to eventually require logins. Some of
>these items I'd like to not only display but also allow people to download.
>
>My main concern is that I don't want people to be able to guess the names of
>the files and then be able to access the information on them. Every 'item' has
>an entry in a MySQL database which holds some information. I was thinking I
>could have randomly generated folder names to take the place of the things
>like 'item_2' such as
>
>/products/data2/kl23j42i/data.txt
>
>and then link the folder name through a database entry. But I'm not sure if
>there are more elegant or easier ways to deal with this. Plus someone could
>still just try randomly querying the site until they get a match. I'd first
>like to just create a web page where you can go to access the hidden files but
>would later like to add more control for other users using logins and
>passwords.
>
>Most of my files are just text files and images. Any suggestions?
>
>Thanks in advance!
>
>Michael

I have been working on a website engine for some time, and have recently been addressing these problems. The website layout is specified by text-based data files, with a separate entry for each item on the page. These may be links to subdirectories or even other websites, links to further index pages or links to individual items.

Users are divided into groups, e.g. Guest, Admin, or Manager, and each data file has a field specifying who is allowed to use it. Each entry has a similar field, and when a data file is being loaded the loader checks that the current user has permission to access it before allowing the file to be loaded, and then as it processes each item in the file it checks if the user has permission to view this item, and if not skips it. This means that the user only sees the items he is entitled to see. There is nothing to indicate that anything is being hidden from him.

At present I only have one allowable group for each file or item, and permit individual users to belong to multiple groups (as set up by the administrator). On reflection it would probably be better to assign each user to a single group, and allow multiple groups to be given access to the file. At first I simply assigned each user a privilege level; 0, 1, 2, .. , but this prevented giving some user groups access to some areas of the website, and other user groups access to others.

Each website has one area containing data, and a separate one containing the engine (which has all the code). The data area also contains a small file index.php, which sets up site dependent parameters, and then hands access to the engine. I have several different websites sharing the same engine, and this means both that the individual websites can specify different configuration files and security requirements. One website can be fully accessible, another only accessible after the user is logged in, and another can have some areas only accessible through a hidden log in.

I use parameters to specify which page to be loaded, but I've recently realised that this is a significant security hole, as the parameters are readily visible, and convey a lot of information about the structure of the site. On second thoughts it would have been better to specify the various directories and files by numbers.

The engine is in a separate directory which is not under the root, so it is not readily accessible, but I wanted the photos to be able to be bookmarked, which meant that they had to be under the root, and I put the data files with them for simplicity. However this means that they can also be downloaded, so I will have to move them to a different location, as some of them contain valuable information. Fortunately the way the engine is designed makes this reasonably simple to do.

You can see a very simple demonstration website at http://www.cydalba.com/?new=1. At present this is set up so that part of the website is only accessible by hidden log in. If you access it via http://www.cydalba.com/?new=1&action=log_in you will be asked to log in, which you can do as 'Guest', with password 'Mandy17'. Some more of the website will then be accessible.

Clancy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Excel Spreadsheets and PHP
> >> -Original Message-
> >> From: Ian Robertson [mailto:irobert...@americantextile.com]
> >> Sent: Friday, February 19, 2010 1:28 PM
> >> To: php-general@lists.php.net
> >> Subject: [PHP] Excel Spreadsheets and PHP
> >>
> >> Hello, everyone.
> >>
> >> Just a quick question.
> >>
> >> What are you using, if anything, to create Excel spreadsheets
> >> with PHP?
> >>
> >> Thank you in advance.
> >>
> >
> > Pear Spreadsheet Excel Writer.
> >
> > http://pear.php.net/package/Spreadsheet_Excel_Writer

Related, here is a routine we use. Assuming you already have your data in a multi-array.

    /**
     * Outputs an Excel .xls file
     * Note: a row that starts with "---" will be considered a separator row
     * and output any text following the "---" as such.
     *
     * @param string $title_text The name of the title in the Excel .xls document (gmdate('Y-m-d H:i') is auto appended)
     * @param array $header_array an array of headers for each column
     * @param array $data_array the data for each column and row
     * @param string $file_name the name of the .xls file to save as (gmdate('Y-m-d H:i') is auto appended), defaults to $title_text
     * @author Daevid Vincent
     * @date 10/29/2009
     */
    function download_table_to_excel($title_text, &$header_array, &$data_array, $file_name=null)
    {
        //require_once './includes/gui/gui_setup.inc.php';

        if (!$file_name) $file_name = $title_text;
        $file_name = str_replace( array('[', ']'), array('(',')'), $file_name);

        add_user_log('Action', 'Download "'.$file_name.'" Excel file');

        set_include_path(get_include_path().PATH_SEPARATOR.ROOTPATH.'/includes/pear');
        require_once ROOTPATH.'/includes/pear/Spreadsheet/Excel/Writer.php';

        $excel_control_characters = array('@', '=');

        $exceldoc = new Spreadsheet_Excel_Writer();

        // Set version to 8 (BIFF8) so strings are not truncated to 255 chars
        //$exceldoc->setVersion(8);
        //http://pear.php.net/manual/en/package.fileformats.spreadsheet-excel-writer.spreadsheet-excel-writer-workbook.setversion.php
        //http://forum.openx.org/index.php?showtopic=503418353
        //http://pear.php.net/bugs/bug.php?id=3384

        $worksheet =& $exceldoc->addWorksheet('Sheet 1'); //sheet name can only be < 31 chars, but we only use one sheet, so hard-code it

        $format_data =& $exceldoc->addFormat();
        $format_data->setTextWrap();

        // Create an array to track the value length per column, the default width is 8.11
        $max_column = count($header_array) - 1;
        $max_len_by_column = array();
        for ($col = 0; $col <= $max_column; $col++) $max_len_by_column[$col] = 8.11;

        $row = -1;

        // Optionally write table title
        if ($title_text)
        {
            $format_title =& $exceldoc->addFormat();
            $format_title->setAlign('center');
            $format_title->setAlign('vcenter');
            $format_title->setBold();
            $format_title->setTextWrap();

            $title_text .= ' (created on '.gmdate('Y-m-d @ H:i').' UTC)';

            // adjust the row height from the number of lines in the table title
            // NOTE: the search string (an HTML tag) is empty in this archived copy, here and in the str_replace() calls below
            $lines = substr_count($title_text, '') + 1;
            $height = $lines * 14;

            $row++;
            $value = html_entity_decode(trim(strip_tags(str_replace('', "\n", $title_text))));
            if (is_string($value) && in_array(substr($value,0,1), $excel_control_characters))
                $value = ' '.$value; // Add a space before Excel control characters
            $worksheet->write($row, 0, $value, $format_title);
            $worksheet->setRow($row, $height);
            $worksheet->mergeCells($row, 0, $row, $max_column);
        }

        // Write column headers
        $format_header =& $exceldoc->addFormat();
        $format_header->setBold();
        $format_header->setTextWrap();

        $row++;
        foreach ($header_array as $col => $header)
        {
            // remove html tags from values
            $value = html_entity_decode(trim(strip_tags(str_replace('', "\n", is_array($header) ? $header[0] : $header))));
            if (is_string($value) and in_array(substr($value,0,1), $excel_control_characters))
                $value = " ".$value; // Add a space before Excel control characters
            $worksheet->write($row, $col, $value, $format_header);
            if (is_array($header)) $worksheet->writeNote($row, $col, $header[1]);
        }

        foreach ($data_array as $i => $data)
        {
            $row++;
            $col = 0;

            //check for magic separator rows
            if ( substr($data,0,3) == '---' )
            {
                $separator_row = substr($data,3);

                // adjust the row height from the number of lines in the table title
                $lines = substr_count($separator_row, '') + 1;
                $height = $lines * 14;
Re: [PHP] Excel Spreadsheets and PHP
You can also create an html table and excel will happily handle that as well. The real trick is to get IE to accept the stream as a file download. I find that I need to save the file first and then push the file down.

On 2/19/10, Hansen, Mike wrote:
>> -Original Message-
>> From: Ian Robertson [mailto:irobert...@americantextile.com]
>> Sent: Friday, February 19, 2010 1:28 PM
>> To: php-general@lists.php.net
>> Subject: [PHP] Excel Spreadsheets and PHP
>>
>> Hello, everyone.
>>
>> Just a quick question.
>>
>> What are you using, if anything, to create Excel spreadsheets
>> with PHP?
>>
>> Thank you in advance.
>>
>
> Pear Spreadsheet Excel Writer.
>
> http://pear.php.net/package/Spreadsheet_Excel_Writer
>
> Mike

--
Sent from my mobile device

Bastien

Cat, the other other white meat
RE: [PHP] Excel Spreadsheets and PHP
> -Original Message-
> From: Ian Robertson [mailto:irobert...@americantextile.com]
> Sent: Friday, February 19, 2010 1:28 PM
> To: php-general@lists.php.net
> Subject: [PHP] Excel Spreadsheets and PHP
>
> Hello, everyone.
>
> Just a quick question.
>
> What are you using, if anything, to create Excel spreadsheets
> with PHP?
>
> Thank you in advance.
>

Pear Spreadsheet Excel Writer.

http://pear.php.net/package/Spreadsheet_Excel_Writer

Mike
Re: [PHP] Excel Spreadsheets and PHP
On Fri, Feb 19, 2010 at 3:36 PM, Bob McConnell wrote:
> From: Ian Robertson
>
>> What are you using, if anything, to create Excel spreadsheets with PHP?
>
> Output CSV files with the correct MIME type. MS-Windows will open them
> in Excel by default in both IE and Firefox.
>
> Unfortunately, this happens even if you have Open Office installed and
> would prefer to use that.
>
> Bob McConnell

If you need more control over formatting, formulas, etc., there is an XML format that Microsoft supports.

http://msdn.microsoft.com/en-us/library/aa140066%28office.10%29.aspx

Then you can use DOM in PHP to build what you need.

Andrew
RE: [PHP] Excel Spreadsheets and PHP
On Fri, 2010-02-19 at 15:36 -0500, Bob McConnell wrote:
> From: Ian Robertson
>
> > What are you using, if anything, to create Excel spreadsheets with PHP?
>
> Output CSV files with the correct MIME type. MS-Windows will open them
> in Excel by default in both IE and Firefox.
>
> Unfortunately, this happens even if you have Open Office installed and
> would prefer to use that.
>
> Bob McConnell

I believe there are pear classes to output these files, and the new xlsx format is XML-based so shouldn't be too difficult to output something simple. Also, the ods format is well documented, and again should be very easy to output to.

Thanks,
Ash
http://www.ashleysheridan.co.uk
RE: [PHP] Excel Spreadsheets and PHP
From: Ian Robertson

> What are you using, if anything, to create Excel spreadsheets with PHP?

Output CSV files with the correct MIME type. MS-Windows will open them in Excel by default in both IE and Firefox.

Unfortunately, this happens even if you have Open Office installed and would prefer to use that.

Bob McConnell
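An added example, not part of any message in this thread: CSV output with an explicit MIME type, applying to each cell the same leading-space guard that the download_table_to_excel() routine posted earlier applies to its "Excel control characters". It goes beyond that routine by also covering '+', '-', tab and carriage return; the function names and sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread.

// '@' and '=' are the two characters the thread's routine guards against;
// '+', '-', tab and carriage return are added here because spreadsheet
// programs also treat them as the start of a formula.
const EXCEL_CONTROL_CHARACTERS = ['@', '=', '+', '-', "\t", "\r"];

/** Prefix a space to text cells that a spreadsheet would read as a formula. */
function neutralise_cell($value)
{
    if (is_string($value) && $value !== '' && !is_numeric($value)
        && in_array($value[0], EXCEL_CONTROL_CHARACTERS, true)) {
        return ' ' . $value;
    }
    return $value; // numbers (including "-5") and ordinary text pass through
}

/** Build the CSV in memory so it can be inspected or logged before sending. */
function rows_to_csv(array $header, array $rows): string
{
    $fh = fopen('php://temp', 'w+');
    foreach (array_merge([$header], $rows) as $row) {
        // fputcsv() handles quoting of commas, quotes and newlines
        fputcsv($fh, array_map('neutralise_cell', $row), ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

/** Send the CSV as a download; call before any other output. */
function send_csv(string $csv, string $fileName): void
{
    // Keep the file name to a conservative character set for the header.
    $safe = preg_replace('/[^A-Za-z0-9_.-]/', '_', $fileName);
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('X-Content-Type-Options: nosniff');
    echo $csv;
}

if (PHP_SAPI === 'cli') {
    // Constructed rows: some cells hold user-supplied text that looks like a formula.
    $rows = [
        ['Widget', 12, '-5'],
        ['=SUM(B2:B9)', 3, '@home'],
        ['+44 20 7946 0000', 0, 'note, with comma'],
    ];
    echo rows_to_csv(['Item', 'Qty', 'Remark'], $rows);
}
```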
[PHP] Excel Spreadsheets and PHP
Hello, everyone. Just a quick question. What are you using, if anything, to create Excel spreadsheets with PHP? Thank you in advance.
RE: [PHP] Advice on maintaining public and private files
From: Rene Veerman

> the "proper way" i know of is not the easiest to implement..;
>
> 1) create a php script that accepts enough parameters to get at your data.
> eg: /products/view.php?dataNr=1&itemNr=1
> 2) let that script compare the current user (visitor who's logged in)
> to authentication data that tells which it if the user can access the
> data requested. if it fails, you can route the user to a std page or
> to a custom page (store in auth-data under "onFail")
> 3) use apache's RewriteRule in /products/.htaccess to point virtual
> urls to the view script; /products/data1/item_1/data.txt =
> /products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like
> that).
>
> the main problem here is how to properly store authentication data.
> how far to go depends on your (future) requirements.

There are some easier tricks, but still not simple. Only the wrapper script should be in the webroot space. Everything else should be outside of it, but accessible by the user that the web server runs under. The wrapper also manages the session and any other access controls necessary, such as connections to a DB server.

Once you parse the parameters from the URL, use require() or require_once() to link in the specific pages you need from outside webroot. This way none of the files or paths are exposed to the browser and nobody can get to those pages without going through the authentication in the wrapper. You can even pull in more than one, so there could be one file for the banner, one for the menu tree on the left column, one for a header, one for the page specific content and one for the footer. It makes global updates relatively easy, but can be a pain to get started.

Bob McConnell
Re: [PHP] Re: Login Script: mysql_num_rows(): supplied argument isnot a valid MySQL result resource
Ashley Sheridan wrote:

On Fri, 2010-02-19 at 18:30 +0100, Mark Cilissen wrote:

David Hutto wrote:

--- On Fri, 2/19/10, David Hutto wrote:

From: David Hutto
Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
To: php-general@lists.php.net
Date: Friday, February 19, 2010, 3:30 AM

The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24

Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:

    if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:

    $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = '$pass`");

--which is further defined above it as these values:

    $user = $_POST['user']; //pulls the username from the form
    $pw = $_POST['pass']; //pulls the pass from the form
    $pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other?

Because basically !mysql_num_rows($login) is just if'ing the lack of a user/pass match, else it continues to set cookie and session variables.

If I'm looking at this wrong let me know.

Thanks for any help you may be able to provide, below is the full login.php page.

David

This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem:

    Username
    Password
    ');
    }
    elseif($act == "auth") //if our page action = auth
    {
        $user = $_POST['user']; //pulls the username from the form
        $pw = $_POST['pass']; //pulls the pass from the form
        $pass = md5($pw); //makes our password an md5
        include("connect.php"); //connects to our mysql database
        $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
        if(!mysql_num_rows($login)) //if the username and pass are wrong
        {
            header("Location: login.php"); //redirects to our login page
            die(); //stops the page from going any further
        }
        else
        {
            setcookie("user", $user, time()+3600);//sets our user cookie
            setcookie("pass", $pass, time()+3600);//sets our pass cookie
            header("Location: memprar.php");//instead of yourpage.php it would be your protected page
        }
    }
    ?>

The query should be:

    SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'

Remember: ` for tables and columns, ' for strings.
Also, look up SQL Injection, as your script contains a huge vulnerability.
This can be fixed using mysql_real_escape_string, so it is this:

    SELECT * FROM `userinfo` WHERE `user` = '".mysql_real_escape_string($user)."' AND `pass` = '".mysql_real_escape_string($pass)."'

--
Kind regards,
Mark Cilissen / Pixlism

I did cover all of those points and give the same sanitisation suggestion in the email I sent to this question earlier!

Thanks,
Ash
http://www.ashleysheridan.co.uk

Didn't see it, it was in another thread.

--
Kind regards,
Mark Cilissen / Pixlism
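An added example, not part of any message in this thread: the login lookup written with bound parameters, next to the concatenated form from the script above, run against the same input. It uses PDO with an in-memory SQLite database in place of the mysql_* functions so that it runs offline; the userinfo table mirrors the thread, while the function names and the sample account are constructed.

```php
<?php
// Added example, not code from the thread. The userinfo table and its
// user/pass columns follow the script above; everything else is constructed.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userinfo (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');
    // md5() is kept only to mirror the script in the thread;
    // password_hash()/password_verify() is PHP's built-in password API.
    $ins = $db->prepare('INSERT INTO userinfo (user, pass) VALUES (:user, :pass)');
    $ins->execute([':user' => "o'brien", ':pass' => md5('constructed-password')]);
    return $db;
}

/** The thread's approach: form values pasted into the SQL text. */
function login_concatenated(PDO $db, string $user, string $pw): string
{
    $pass = md5($pw);
    $sql  = "SELECT * FROM userinfo WHERE user = '$user' AND pass = '$pass'";
    try {
        return $db->query($sql)->fetch() ? 'match' : 'no match';
    } catch (PDOException $e) {
        // With the old API, mysql_query() returns false at this point, and
        // passing that false to mysql_num_rows() produces the warning quoted
        // in the thread. Check the query result before counting rows.
        return 'query failed';
    }
}

/** Bound parameters: the values never become part of the SQL text. */
function login_bound(PDO $db, string $user, string $pw): string
{
    $stmt = $db->prepare('SELECT 1 FROM userinfo WHERE user = :user AND pass = :pass');
    $stmt->execute([':user' => $user, ':pass' => md5($pw)]);
    return $stmt->fetchColumn() !== false ? 'match' : 'no match';
}

if (PHP_SAPI === 'cli') {
    $db = make_demo_db();
    // A legitimate user name that happens to contain a quote character.
    $cases = [
        ["o'brien", 'constructed-password'],
        ["o'brien", 'wrong-password'],
    ];
    foreach ($cases as [$user, $pw]) {
        printf("%-10s %-22s concatenated: %-12s bound: %s\n",
            $user, $pw, login_concatenated($db, $user, $pw), login_bound($db, $user, $pw));
    }
}
```

The concatenated form fails on the quote in the user name because the input has become part of the statement; the bound form treats it as data and answers correctly for both passwords.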
Re: [PHP] Max file size in fopen()
On Fri, 2010-02-19 at 17:42 -0200, Darvin Denmian wrote:
> Hello,
>
> I need to open a file with more than 2GB but the following error occurs:
>
> failed to open stream: Value too large for defined data type in
> /srv/www/sandboxes/dev02/test.php on line 2
>
> I'm running this php in a 32 bits system.
>
> Googling I found that with the option
> "CFLAGS="-D_FILE_OFFSET_BITS=64"" the problem can be solved.
>
> Will I have this issue in a 64 bits System?
>
> Is there some recognized solution for this issue?
>
> Thanks.
>

32-bit PHP has quite a few problems with large files. I ran into an odd one where I couldn't even get the dates from a file that was over 2GB! I think you may be running into something similar here, where some value that is needed to work with the file is going over the maximum that 32-bit can handle.

64-bit should fix the problem, but if you're in doubt, you could try testing it on a VM first?

Thanks,
Ash
http://www.ashleysheridan.co.uk
[PHP] Max file size in fopen()
Hello,

I need to open a file with more than 2GB but the following error occurs:

failed to open stream: Value too large for defined data type in /srv/www/sandboxes/dev02/test.php on line 2

I'm running this php in a 32 bits system.

Googling I found that with the option "CFLAGS="-D_FILE_OFFSET_BITS=64"" the problem can be solved.

Will I have this issue in a 64 bits System?

Is there some recognized solution for this issue?

Thanks.
Re: [PHP] Advice on maintaining public and private files
1 more thing: doing this right isn't easy. at all. it took me more than a year to "do it properly".

you may wanna look around on sf.net for any package that can do this for you.

On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh wrote:
> I have a site I'm working on with some data that I want to be readable by
> anyone, but some files that I want to keep hidden from outside users. Here is
> an example of my file structure.
>
> /products/data1/item_1/data.txt
> /products/data2/item_2/data.txt
>
> I would like everything in data1 to be available by anyone who visits the
> site, but I want to keep items in the data2 folder to only be accessible
> through certain web page which I hope to eventually require logins. Some of
> these items I'd like to not only display but also allow people to download.
>
> My main concern is that I don't want people to be able to guess the names of
> the files and then be able to access the information on them. Every 'item'
> has an entry in a MySQL database which holds some information. I was thinking
> I could have randomly generated folder names to take the place of the things
> like 'item_2' such as
>
> /products/data2/kl23j42i/data.txt
>
> and then link the folder name through a database entry. But I'm not sure if
> there are more elegant or easier ways to deal with this. Plus someone could
> still just try randomly querying the site until they get a match. I'd first
> like to just create a web page where you can go to access the hidden files
> but would later like to add more control for other users using logins and
> passwords.
>
> Most of my files are just text files and images. Any suggestions?
>
> Thanks in advance!
>
> Michael
Re: [PHP] Advice on maintaining public and private files
As far as storing the files, use a separate subdirectory called "rawData" or something, and place all your files in there, aim for 10 - 5000 files per directory, and keep it logical.

But since you want to stop guessers from accessing it, use a randomID() function that you create to generate a random subdirectory under "rawData". You could also use just the -MM-DD HH-MM-SS of the submit/upload-date for the file or the last-modification date of the file.

Then create something that maps IDs (dataNr, itemNr, fileID) to the relative path under "rawData".

Then let view.php readfile() and output the requested file, instead of sending any link to your "rawData"-subdirectory-location to the browser.

It should be airtight then.
Re: [PHP] Advice on maintaining public and private files
the "proper way" i know of is not the easiest to implement..;

1) create a php script that accepts enough parameters to get at your data.
   eg: /products/view.php?dataNr=1&itemNr=1
2) let that script compare the current user (visitor who's logged in) to authentication data that tells which it if the user can access the data requested. if it fails, you can route the user to a std page or to a custom page (store in auth-data under "onFail")
3) use apache's RewriteRule in /products/.htaccess to point virtual urls to the view script; /products/data1/item_1/data.txt = /products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like that).

the main problem here is how to properly store authentication data. how far to go depends on your (future) requirements.

for my cms i went all the way and copied the unix filesystem permission architecture (incl the concept of users in groups) to work from mysql on an object-cloud (mapped to any "path(s)" elsewhere).

but you can just as easily just map userIDs to array records containing the keys that view.php works on.

sorta like:

    global $permissions;
    $permissions = array (
        100 => array(
            array (
                'dataNr' => 1,
                'itemNr' => 1,
                'fileID' => 'data.txt',
                'mayRead' => true,
                'mayWrite' => false
            ),
            // ...other objects user 100 has permissions for...
        ),
        // userID => permissionsList
    );

you could use username instead of userid even, but i recommend against that if you're going to store user-definition records in a db, of course.

On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh wrote:
> I have a site I'm working on with some data that I want to be readable by
> anyone, but some files that I want to keep hidden from outside users. Here is
> an example of my file structure.
>
> /products/data1/item_1/data.txt
> /products/data2/item_2/data.txt
>
> I would like everything in data1 to be available by anyone who visits the
> site, but I want to keep items in the data2 folder to only be accessible
> through certain web page which I hope to eventually require logins. Some of
> these items I'd like to not only display but also allow people to download.
>
> My main concern is that I don't want people to be able to guess the names of
> the files and then be able to access the information on them. Every 'item'
> has an entry in a MySQL database which holds some information. I was thinking
> I could have randomly generated folder names to take the place of the things
> like 'item_2' such as
>
> /products/data2/kl23j42i/data.txt
>
> and then link the folder name through a database entry. But I'm not sure if
> there are more elegant or easier ways to deal with this. Plus someone could
> still just try randomly querying the site until they get a match. I'd first
> like to just create a web page where you can go to access the hidden files
> but would later like to add more control for other users using logins and
> passwords.
>
> Most of my files are just text files and images. Any suggestions?
>
> Thanks in advance!
>
> Michael
[PHP] Re: Magnetic Stripe Reader or Barcode to PHP
Daevid Vincent wrote:
> I'll confess that I've done almost zero research on this topic as of right
> now aside from pricing readers and blank cards.
>
> So we're opening a new super-club here in Seattle. One of the ideas we'd
> like to pursue is that people are assigned a card. This can be a magstripe
> card or something with a barcode. Not really sure at the moment which way
> to go.
>
> The idea being that when they enter, we "swipe/scan" their card and we can
> log stats (# of visits, # guests, favorite drink so the bar has it ready,
> enter into contest, etc.) I was thinking we setup a simple netbook with a
> USB reader at the front door when they pay. Then we have another back at
> the bar. Connect via WiFi. Have a notebook somewhere behind the scenes that
> runs LAMP (or a VM thereof). No internet needed. The backend database and
> even web/GUI stuff is of course trivial with any LAMP stack.
>
> What I don't know is how do I interface _to_ PHP from say a magstripe
> reader. They're dirt cheap ($50), but I assume come with zero software.
> http://www.kanecal.net/mag-stripe-reader-scanner.html . And there are
> hundreds of these gadgets out there all the same basically.
>
> I guess what I'm hoping for is some pointers, from someone who's done this
> sort of thing.
>
> My gut thought is something so simple, where there is some XP software (or
> Linux I suppose) that reads the card (and generally they only have a number
> encoded on them) and this is sent via a URL we define, such as
> http://192.168.10.100/door.php?id=123456 or
> http://192.168.10.100/bar.php?id=123456 etc. (ignore the security issues
> and all that. It's trivial to encode the parameters, plus it's a closed
> system with WEP/WPA/WTF). But does anyone know of such a key piece of code?
>
> Like I said, I'm not locked into magcards. It could be a barcode reader
> just as easily. Or fingerprint scanner, or facial recognition. In the end
> it's just a unique "thing" that maps to a unique number. I just need the
> "FM" (F*ckin' Magic -- it's a programmer term -- look it up!) that goes in
> between PHP and the hardware.
>
> http://daevid.com
>
> "Some people, when confronted with a problem, think 'I know, I'll use
> XML.'"
> Now they have two problems.
>

As someone else pointed out, many of these readers come with software that automatically enters data into an input field (where the cursor is) when a card is swiped.

So you have a PHP web app on your LAMP box that the other netbooks point to. When they swipe the card it inputs into the text field and uses an onchange() to submit the form and redisplay the form, or have other fields that need to be populated (guests, etc.).

I haven't done it, but seems simple enough. You just need to figure out what you'll use. Maybe driver's license since you need that anyway at a club (at least in the U.S.).

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Advice on maintaining public and private files
On Fri, Feb 19, 2010 at 1:19 PM, Michael Stroh wrote:
> I have a site I'm working on with some data that I want to be readable by
> anyone, but some files that I want to keep hidden from outside users. Here is
> an example of my file structure.
>
> /products/data1/item_1/data.txt
> /products/data2/item_2/data.txt
>
> I would like everything in data1 to be available by anyone who visits the
> site, but I want to keep items in the data2 folder to only be accessible
> through certain web page which I hope to eventually require logins. Some of
> these items I'd like to not only display but also allow people to download.
>
> My main concern is that I don't want people to be able to guess the names of
> the files and then be able to access the information on them. Every 'item'
> has an entry in a MySQL database which holds some information. I was thinking
> I could have randomly generated folder names to take the place of the things
> like 'item_2' such as
>
> /products/data2/kl23j42i/data.txt
>
> and then link the folder name through a database entry. But I'm not sure if
> there are more elegant or easier ways to deal with this. Plus someone could
> still just try randomly querying the site until they get a match. I'd first
> like to just create a web page where you can go to access the hidden files
> but would later like to add more control for other users using logins and
> passwords.
>
> Most of my files are just text files and images. Any suggestions?
>
> Thanks in advance!
>
> Michael

Place all those files above the web root, then use php to read in the data from the files when displaying that data to the user.

--
Bastien

Cat, the other other white meat
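An added example, not part of any message in this thread: a view.php-style gatekeeper combining the suggestions above (files kept outside the web root, an ID-to-path map under "rawData", a per-user permissions array, and readfile() instead of a direct link). The names view.php, rawData, dataNr, itemNr, fileID, mayRead and kl23j42i come from the thread; the function names, the `download` parameter, the MIME allowlist and the choice to answer every refusal with 404 are assumptions.

```php
<?php
// Added example, not code from the thread.

const PUBLIC_DATA_NRS = [1];   // data1 is readable by anyone who visits the site
const MIME_BY_EXT = ['txt' => 'text/plain', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

/**
 * Decide what view.php should answer. Returns ['status' => int], plus 'path'
 * and 'headers' on success. Refusals after parameter validation are all 404,
 * so a visitor cannot tell "forbidden" from "does not exist".
 */
function decide_download(string $rawDataRoot, ?int $userId, array $params,
                         array $permissions, array $pathMap): array
{
    $dataNr = filter_var($params['dataNr'] ?? null, FILTER_VALIDATE_INT);
    $itemNr = filter_var($params['itemNr'] ?? null, FILTER_VALIDATE_INT);
    $fileID = $params['file'] ?? '';

    // The file name must be a bare name: no slashes, no leading dot.
    if ($dataNr === false || $itemNr === false || !is_string($fileID)
        || !preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $fileID)) {
        return ['status' => 400];
    }
    $ext = strtolower(pathinfo($fileID, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, MIME_BY_EXT)) {
        return ['status' => 400];
    }

    // Authorisation: public area, or an explicit mayRead entry for this user.
    $allowed = in_array($dataNr, PUBLIC_DATA_NRS, true);
    $entries = $userId !== null ? ($permissions[$userId] ?? []) : [];
    foreach ($entries as $p) {
        if ($p['dataNr'] === $dataNr && $p['itemNr'] === $itemNr
            && $p['fileID'] === $fileID && $p['mayRead'] === true) {
            $allowed = true;
        }
    }

    $dir  = $pathMap["$dataNr:$itemNr"] ?? null;   // normally a database lookup
    $root = realpath($rawDataRoot);
    if (!$allowed || $dir === null || $root === false) {
        return ['status' => 404];
    }

    // Resolve symlinks and confirm the result is still inside rawData.
    $real = realpath("$root/$dir/$fileID");
    if ($real === false || !is_file($real)
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return ['status' => 404];
    }

    $disposition = empty($params['download']) ? 'inline' : 'attachment';
    return ['status' => 200, 'path' => $real, 'headers' => [
        'Content-Type: ' . MIME_BY_EXT[$ext],
        'Content-Length: ' . filesize($real),
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: ' . $disposition . '; filename="' . $fileID . '"',
    ]];
}

/** Emit the decision. In view.php this is the only code that produces output, e.g.
 *  send_download(decide_download($root, $_SESSION['userID'] ?? null, $_GET, $permissions, $pathMap)); */
function send_download(array $decision): void
{
    http_response_code($decision['status']);
    if ($decision['status'] === 200) {
        foreach ($decision['headers'] as $line) {
            header($line);
        }
        readfile($decision['path']);
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample tree in a temporary directory, outside any web root.
    $root = sys_get_temp_dir() . '/rawData_' . bin2hex(random_bytes(4));
    foreach (['data1/item_1', 'data2/kl23j42i'] as $d) {
        mkdir("$root/$d", 0700, true);
        file_put_contents("$root/$d/data.txt", "constructed sample for $d\n");
    }
    $permissions = [100 => [['dataNr' => 2, 'itemNr' => 2, 'fileID' => 'data.txt',
                             'mayRead' => true, 'mayWrite' => false]]];
    $pathMap = ['1:1' => 'data1/item_1', '2:2' => 'data2/kl23j42i'];
    $private = ['dataNr' => '2', 'itemNr' => '2', 'file' => 'data.txt'];

    $cases = [
        'anonymous, public item'      => [null, ['dataNr' => '1', 'itemNr' => '1', 'file' => 'data.txt']],
        'anonymous, private item'     => [null, $private],
        'user 100, private item'      => [100, $private],
        'user 101, private item'      => [101, $private],
        'user 100, path in file name' => [100, ['file' => '../item_1/data.txt'] + $private],
    ];
    foreach ($cases as $label => [$uid, $params]) {
        printf("%-28s -> %d\n", $label,
            decide_download($root, $uid, $params, $permissions, $pathMap)['status']);
    }
}
```

Because the browser only ever sees dataNr/itemNr values and the check runs on every request, the random directory name stops being the thing that protects the file; it can stay, but access no longer depends on it being unguessable.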
[PHP] Advice on maintaining public and private files
I have a site I'm working on with some data that I want to be readable by anyone, but some files that I want to keep hidden from outside users. Here is an example of my file structure.

/products/data1/item_1/data.txt
/products/data2/item_2/data.txt

I would like everything in data1 to be available by anyone who visits the site, but I want to keep items in the data2 folder to only be accessible through certain web page which I hope to eventually require logins. Some of these items I'd like to not only display but also allow people to download.

My main concern is that I don't want people to be able to guess the names of the files and then be able to access the information on them. Every 'item' has an entry in a MySQL database which holds some information. I was thinking I could have randomly generated folder names to take the place of the things like 'item_2' such as

/products/data2/kl23j42i/data.txt

and then link the folder name through a database entry. But I'm not sure if there are more elegant or easier ways to deal with this. Plus someone could still just try randomly querying the site until they get a match. I'd first like to just create a web page where you can go to access the hidden files but would later like to add more control for other users using logins and passwords.

Most of my files are just text files and images. Any suggestions?

Thanks in advance!

Michael
Re: [PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
On Fri, 2010-02-19 at 18:30 +0100, Mark Cilissen wrote: > David Hutto schreef: > > > > --- On Fri, 2/19/10, David Hutto wrote: > > > > From: David Hutto > > Subject: Login Script: mysql_num_rows(): supplied argument is not a valid > > MySQL result resource > > To: php-general@lists.php.net > > Date: Friday, February 19, 2010, 3:30 AM > > > > The following script is supposed to validate a username and password in a > > mysql db. When entering the username and password of a preregistered user, > > I get the following errors: > > > > Warning: mysql_num_rows(): supplied argument is not a valid MySQL result > > resource in /var/www/login.php on line 24 > > > > > > > > Warning: Cannot modify header information - headers already sent by > > (output started at /var/www/login.php:24) in /var/www/login.php on line 26 > > > > On line 24 is: > > > if(!mysql_num_rows($login)) //if the username and pass are wrong > > > > --The supplied argument is $login, which is previously defined as: > > > $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' > AND `pass` = '$pass`"); > > > > --which is further defined above it as these values: > > > > $user = $_POST['user']; //pulls the username from the form > > $pw = $_POST['pass']; //pulls the pass from the form > > $pass = md5($pw); //makes our password an md > > > > So why is the sum of those previous definitions an invalid argument for the > > mysql_query() to test for whether the username and md5 password values are > > true/equivalent to each other? > > > > Because basically !mysql_num_rows($login) is just if'ing the lack of a > > user/pass match, else it continues to set cookie and session variables. > > > > If I'm looking at this wrong let me know. > > > > Thanks for any help you may be able to provide, below is the > > full login.php page. 
> > > > David > > > > > > This is the full login.php script, I'm pretty sure no other portions are > > needed to show at this point for the current problem: > > > > > $act = $_GET['act']; //retrives the page action > > if(empty($act)) //if there is no action > > { > > echo(' > id="loginform"> > > Username > > > > > > Password > > > > > > > > > > > > '); > > } > > elseif($act == "auth") //if our page action = auth > > { > > $user = $_POST['user']; //pulls the username from the form > > $pw = $_POST['pass']; //pulls the pass from > > the form > > $pass = md5($pw); //makes our password an md5 > > include("connect.php"); //connects to our mysql database > > $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND > > `pass` = '$pass`"); //selects info from our table if the row has the same > > user and pass that our form does > > if(!mysql_num_rows($login)) //if the username and pass are wrong > > { > > header("Location: login.php"); //redirects to our login page > > die(); //stops the page from going any further > > } > > else > > { > > setcookie("user", $user, time()+3600);//sets our user cookie > > setcookie("pass", $pass, time()+3600);//sets our pass > > cookie > > header("Location: memprar.php");//instead of yourpage.php > > it would be your protected page > > } > > } > > ?> > > > > > > > > > > > > > > > > > > > > The query should be: > SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass' > > Remember: ` for tables and columns, ' for strings. > Also, look up SQL Injection, as your script contains a huge vulnerability. > This can be fixed using mysql_real_escape_string, so it is this: > ELECT * FROM `userinfo` WHERE `user` = > '".mysql_real_escape_string($user)."' AND `pass` = > '".mysql_real_escape_string($pass)."' > > -- > Kind regards, > Mark Cilissen / Pixlism > I did cover all of those points and give the same sanitisation suggestion in the email I sent to this question earlier! Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Using base64 encode and decode to store user data in database
> What about eBook ($23.99)? > > http://oreilly.com/catalog/9780596006563 > > If you can get this, you can get that. > That may be a good idea. Certainly better than the pirate bay. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il Please CC me if you want to be sure that I read your message. I do not read all list mail. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
David Hutto schreef: --- On Fri, 2/19/10, David Hutto wrote: From: David Hutto Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource To: php-general@lists.php.net Date: Friday, February 19, 2010, 3:30 AM The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24 Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26 On line 24 is: if(!mysql_num_rows($login)) //if the username and pass are wrong --The supplied argument is $login, which is previously defined as: $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = '$pass`"); --which is further defined above it as these values: $user = $_POST['user']; //pulls the username from the form $pw = $_POST['pass']; //pulls the pass from the form $pass = md5($pw); //makes our password an md So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other? Because basically !mysql_num_rows($login) is just if'ing the lack of a user/pass match, else it continues to set cookie and session variables. If I'm looking at this wrong let me know. Thanks for any help you may be able to provide, below is the full login.php page. 
David This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem: Username Password '); } elseif($act == "auth") //if our page action = auth { $user = $_POST['user']; //pulls the username from the form $pw = $_POST['pass']; //pulls the pass from the form $pass = md5($pw); //makes our password an md5 include("connect.php"); //connects to our mysql database $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does if(!mysql_num_rows($login)) //if the username and pass are wrong { header("Location: login.php"); //redirects to our login page die(); //stops the page from going any further } else { setcookie("user", $user, time()+3600);//sets our user cookie setcookie("pass", $pass, time()+3600);//sets our pass cookie header("Location: memprar.php");//instead of yourpage.php it would be your protected page } } ?> The query should be: SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass' Remember: ` for tables and columns, ' for strings. Also, look up SQL Injection, as your script contains a huge vulnerability. This can be fixed using mysql_real_escape_string, so it is this: ELECT * FROM `userinfo` WHERE `user` = '".mysql_real_escape_string($user)."' AND `pass` = '".mysql_real_escape_string($pass)."' -- Kind regards, Mark Cilissen / Pixlism -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
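Added example, not code from the thread: the same login check written so that a malformed statement raises an error at once and the user name is passed as a bound parameter. It goes beyond the replies by using PDO with `password_hash()`/`password_verify()` in place of `mysql_*` and `md5()`; the in-memory SQLite table, the sample account and the function names are assumptions so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's `userinfo` table (SQLite in memory, not MySQL).
$pdo = new PDO('sqlite::memory:');
// Make every SQL error throw instead of returning false, which is what turned a
// quoting typo into "supplied argument is not a valid MySQL result resource".
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userinfo (id INTEGER PRIMARY KEY, user TEXT UNIQUE NOT NULL, pass TEXT NOT NULL)');

/** Store a user with a salted password hash (password_hash() replaces md5()). */
function register_user(PDO $pdo, string $user, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO userinfo (user, pass) VALUES (:user, :pass)');
    $stmt->execute([':user' => $user, ':pass' => password_hash($password, PASSWORD_DEFAULT)]);
}

/** Return the user's id when the credentials match, otherwise null. */
function authenticate(PDO $pdo, $user, $password): ?int
{
    if (!is_string($user) || !is_string($password)) {
        return null; // e.g. an array submitted where a string is expected
    }
    // The value travels separately from the SQL text, so quotes in it are only data.
    $stmt = $pdo->prepare('SELECT id, pass FROM userinfo WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    // A real page would now call session_regenerate_id(true) and keep the id in
    // $_SESSION, not put the user name and password hash into cookies.
    return (int) $row['id'];
}

/** Report whether the database accepts a statement, with the driver's message if not. */
function check_sql(PDO $pdo, string $sql): string
{
    try {
        $pdo->prepare($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

register_user($pdo, 'alice', 'correct horse');   // constructed sample account

// The statement from the thread with the stray back tick, then the corrected quoting.
echo check_sql($pdo, "SELECT * FROM `userinfo` WHERE `user` = 'a' AND `pass` = 'b`"), "\n";
echo check_sql($pdo, "SELECT * FROM `userinfo` WHERE `user` = 'a' AND `pass` = 'b'"), "\n";

$attempts = [
    ['alice', 'correct horse'],     // valid credentials
    ['alice', 'wrong'],             // wrong password
    ["o'neil", 'anything'],         // quote inside the user name, unknown user
    [['alice'], 'correct horse'],   // array instead of string
];
foreach ($attempts as [$user, $password]) {
    $id = authenticate($pdo, $user, $password);
    printf("%-12s %s\n", json_encode($user), $id === null ? 'denied' : "logged in as id $id");
}
```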
Re: [PHP] Using base64 encode and decode to store user data in database
At 5:43 PM +0200 2/19/10, Dotan Cohen wrote: On 19 February 2010 16:27, tedd wrote: > An excellent book on this (and much more) is Chris Shiflett's Essential PHP Security. You can pick it up on Amazon for less than $20 -- well worth the cost. They don't ship to Israel! I have looked for it locally, but not found it. I'm sure that I could "acquire" a copy on some p2p service but I really don't like doing that. Maybe I could Paypal $20 to Chris himself if that remains my only option! Chris, what say you? (CCed) -- Dotan Cohen Dotan: What about eBook ($23.99)? http://oreilly.com/catalog/9780596006563 If you can get this, you can get that. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] array conversion
On 19 February 2010 15:52, tedd wrote: > At 10:48 AM + 2/19/10, Richard Quadling wrote: >> >> On 19 February 2010 07:26, Adam Richardson wrote: >> Or, > > Code fight!!! > > http://www.webbytedd.com/ccc/array/ > > After reviewing the entries, mine does not provide any significant > difference. I did it as a mental exercise after looking at several built-in > array functions (array_flip(), array_combine(), etc. ) that I thought might > solve the problem, but didn't. > > tedd > -- > --- > http://sperling.com http://ancientstones.com http://earthstones.com > Just wanting to join in. outputs ... Array ( [key1] => value1 [key2] => value2 ) -- - Richard Quadling "Standing on the shoulders of some very clever giants!" EE : http://www.experts-exchange.com/M_248814.html EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 ZOPA : http://uk.zopa.com/member/RQuadling -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, 2010-02-19 at 11:45 -0500, Paul M Foster wrote: > On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote: > > They don't ship to Israel! I have looked for it locally, but not found > > it. I'm sure that I could "acquire" a copy on some p2p service but I > > really don't like doing that. Maybe I could Paypal $20 to Chris > > himself if that remains my only option! Chris, what say you? (CCed) Another idea: There are forwarding services for sale, e.g. on eBay. Order the book and have it sent it to an address in the USA, and this service forwards it to you anywhere. Yet another idea: There are file sharing services e.g. rapidshare.com which might serve the book. I thought this was legal since premium users pay for the service? Teus. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote: > > They don't ship to Israel! I have looked for it locally, but not found > it. I'm sure that I could "acquire" a copy on some p2p service but I > really don't like doing that. Maybe I could Paypal $20 to Chris > himself if that remains my only option! Chris, what say you? (CCed) Wow, that sucks! This is an O'Reilly book. Perhaps they would ship to Israel? Paul -- Paul M. Foster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] array conversion
At 10:48 AM + 2/19/10, Richard Quadling wrote: On 19 February 2010 07:26, Adam Richardson wrote: Or, Code fight!!! http://www.webbytedd.com/ccc/array/ After reviewing the entries, mine does not provide any significant difference. I did it as a mental exercise after looking at several built-in array functions (array_flip(), array_combine(), etc. ) that I thought might solve the problem, but didn't. tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using base64 encode and decode to store user data in database
> One would be storage space, as base64 requires more space to store the
> same data. For a single data element that might not be much, but when
> multiplied over all the values stored in your table it makes a
> difference.
>

That is a good point, thanks.

> Also, don't forget to validate/filter non-character data, which you
> can't do with base64. Something like this is still vulnerable to SQL
> injection even though it 'sanitizes' the expected character input:
>
> <?php
> // user_id expects an integer value
> $user_id = $_POST['user_id'];
>
> $comment = base64_encode($_POST['comment']);
>
> $sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id, '$comment')";
>
> ?>

I see what you mean. In fact, userIDs are stored, and indeed I ensure that they are integers!

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not read all list mail.
Re: [PHP] Using base64 encode and decode to store user data in database
On 19 February 2010 16:27, tedd wrote:
> At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
>>
>> In order to prevent SQL injection, can one simply base64 encode the
>> data and store that? Then it can be decoded when I need to display it
>> on a website. I understand that this means that the data will not be
>> searchable, and that I still must sanitize it before printing it on
>> the site. Are there any other drawbacks or things to be aware of?
>> Thanks.
>>
>> --
>> Dotan Cohen
>
>
> Dotan:
>
> You're a smart guy, why reinvent the wheel? The entire problem set has
> already been solved.
>
> Understand there are two issues here: 1) filtering input into a database; 2)
> escaping output to a browser.
>
> Use mysql_real_escape_string() to filter data before it's stored in a
> database (input).
>

I was under the impression that mysql_real_escape_string() was not a 100% solution. Is it? Note that I serve my pages as UTF-8 and also declare them as such in the header and meta tag, but that does not mean that a malicious entity won't return a request in a different encoding.

> Use htmlentities() to retrieve data from the database to be displayed via a
> browser (output).
>

This I do. I'm not sure if it's enough, so I'd like some reassurance on the matter. :)

> An excellent book on this (and much more) is Chris Shiflett's Essential PHP
> Security. You can pick it up on Amazon for less than $20 -- well worth the
> cost.
>

They don't ship to Israel! I have looked for it locally, but not found it. I'm sure that I could "acquire" a copy on some p2p service but I really don't like doing that. Maybe I could Paypal $20 to Chris himself if that remains my only option! Chris, what say you? (CCed)

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, Feb 19, 2010 at 8:18 AM, Dotan Cohen wrote:
> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen
>

One would be storage space, as base64 requires more space to store the same data. For a single data element that might not be much, but when multiplied over all the values stored in your table it makes a difference.

Also, don't forget to validate/filter non-character data, which you can't do with base64. Something like this is still vulnerable to SQL injection even though it 'sanitizes' the expected character input:

Andrew
Re: [PHP] Export/Write rows from DBF to CSV
On Thu, Feb 18, 2010 at 5:31 PM, OBXer wrote: > > I'm trying to adopt this piece of code for my use. I fixed the csv_data .= > trim error. Does anyone know how I can fix empty fields? Everything is > dumping to a csv file but information is not matching up. I don't know if I > can insert a space or something if field is blank? > > If you're trying to write csv data, why not use fputcsv($_fp, $row) to write each line rather than concatenating all the lines into a single value and then writing that string to a file? It will correctly handle empty values (as long as the key is still present in the array) and I've found it to be much faster at writing larger data sets than trying to concatenate the CSV in code. http://www.php.net/manual/en/function.fputcsv.php Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using base64 encode and decode to store user data in database
At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:
> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen

Dotan:

You're a smart guy, why reinvent the wheel? The entire problem set has already been solved.

Understand there are two issues here: 1) filtering input into a database; 2) escaping output to a browser.

Use mysql_real_escape_string() to filter data before it's stored in a database (input).

Use htmlentities() to retrieve data from the database to be displayed via a browser (output).

That way whatever problems that might exist within the data will be rendered harmless.

An excellent book on this (and much more) is Chris Shiflett's Essential PHP Security. You can pick it up on Amazon for less than $20 -- well worth the cost.

Cheers,

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
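Added example, not code from the thread: the two points made in the replies above (integer fields need their own validation, and input to the database is a separate problem from output to the browser) shown together without base64. It swaps in PDO bound parameters and `htmlspecialchars()` for the `mysql_real_escape_string()` and `htmlentities()` calls named in the thread; the in-memory SQLite `comments` table, the function names and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for the `comments` table in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, comment TEXT NOT NULL)');

/** Accept only a positive decimal integer submitted as a string; anything else is null. */
function parse_user_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Input side: validate the integer, bind both values, store the comment unencoded. */
function add_comment(PDO $pdo, $rawUserId, $rawComment): bool
{
    $userId = parse_user_id($rawUserId);
    if ($userId === null || !is_string($rawComment) || $rawComment === '') {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, comment) VALUES (:uid, :comment)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':comment', $rawComment, PDO::PARAM_STR);
    return $stmt->execute();
}

/** Output side: escape for HTML at the moment the text is written into a page. */
function render_comments(PDO $pdo, int $userId): string
{
    $stmt = $pdo->prepare('SELECT comment FROM comments WHERE user_id = :uid ORDER BY id');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $comment) {
        $html .= '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>\n";
    }
    return $html;
}

/** Stored text stays searchable, which the base64 approach gives up. */
function search_comments(PDO $pdo, string $needle): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM comments WHERE instr(comment, :needle) > 0");
    $stmt->bindValue(':needle', $needle, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed sample requests, shaped like $_POST.
$requests = [
    ['user_id' => '42',          'comment' => "It's <b>fine</b>: quotes & tags are only data"],
    ['user_id' => '42 and more', 'comment' => 'user_id is not an integer'],
    ['user_id' => ['42'],        'comment' => 'user_id is an array'],
    ['user_id' => '-7',          'comment' => 'user_id is out of range'],
];
foreach ($requests as $post) {
    $stored = add_comment($pdo, $post['user_id'], $post['comment']);
    printf("%-9s user_id=%s\n", $stored ? 'stored' : 'rejected', json_encode($post['user_id']));
}

echo render_comments($pdo, 42);
printf("comments containing \"quotes\": %d\n", search_comments($pdo, 'quotes'));
```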
Re: [PHP] Using base64 encode and decode to store user data in database
On Fri, 2010-02-19 at 15:18 +0200, Dotan Cohen wrote:
> In order to prevent SQL injection, can one simply base64 encode the
> data and store that? Then it can be decoded when I need to display it
> on a website. I understand that this means that the data will not be
> searchable, and that I still must sanitize it before printing it on
> the site. Are there any other drawbacks or things to be aware of?
> Thanks.
>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>
> Please CC me if you want to be sure that I read your message. I do not
> read all list mail.
>

I assume this would work. I always use mysql_real_escape_string(), although that would predetermine your choice of database. That would allow your content to be searchable though.

Thanks,
Ash
http://www.ashleysheridan.co.uk
[PHP] Using base64 encode and decode to store user data in database
In order to prevent SQL injection, can one simply base64 encode the data and store that? Then it can be decoded when I need to display it on a website. I understand that this means that the data will not be searchable, and that I still must sanitize it before printing it on the site. Are there any other drawbacks or things to be aware of? Thanks.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not read all list mail.
Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
--- On Fri, 2/19/10, Ashley Sheridan wrote: From: Ashley Sheridan Subject: Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource To: "David Hutto" Cc: php-general@lists.php.net Date: Friday, February 19, 2010, 5:34 AM On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote: The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24 Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26 On line 24 is: >>>if(!mysql_num_rows($login)) //if the username and pass are wrong --The supplied argument is $login, which is previously defined as: >>>$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND >>>`pass` = '$pass`"); --which is further defined above it as these values: $user = $_POST['user']; //pulls the username from the form $pw = $_POST['pass']; //pulls the pass from the form $pass = md5($pw); //makes our password an md So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other? Thanks for any help you may be able to provide, below is the full login.php page. 
David This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem: Username Password '); } elseif($act == "auth") //if our page action = auth { $user = $_POST['user']; //pulls the username from the form $pw = $_POST['pass']; //pulls the pass from the form $pass = md5($pw); //makes our password an md5 include("connect.php"); //connects to our mysql database $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does if(!mysql_num_rows($login)) //if the username and pass are wrong { header("Location: login.php"); //redirects to our login page die(); //stops the page from going any further } else { setcookie("user", $user, time()+3600);//sets our user cookie setcookie("pass", $pass, time()+3600);//sets our pass cookie header("Location: memprar.php");//instead of yourpage.php it would be your protected page } } ?> First, please create a new email when sending to the list and don't just reply to the last one, as those of us with email clients that group by threads get confused when the subject line appears to change mid-thread! On to your question, you've got an error with your query, so it will never work: "SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`" // change that last back tick after $pass! Lastly; protect your queries! That $user variable is open to injection. Replacing it with something like $user = mysql_real_escape_string($_POST['user']); Your $pass is protected (I believe) because of what you're doing with the hash, but I'm not an expert in these things, so it could be that this may not be enough. Thanks, Ash http://www.ashleysheridan.co.uk Apologies for hijacking the thread, I hit reply all in a randomly picked email and deleted the info/subject line, guess that doesn't work. Thanks for the advice, it's almost working right, all things considered. David
Re: [PHP] array conversion
On 19 February 2010 07:26, Adam Richardson wrote: > Or, > > function new_arr(array $arr) > { > $count = count($arr); > if ($count % 2 != 0) throw new Exception('The new_arr() function > requires an even number of elements.'); > for ($i = 0; $i < $count; $i += 2) > { > $new_arr[$arr[$i]] = $arr[$i + 1]; > } > return $new_arr; > } > > $test = new_arr(array('k1', 'v1', 'k2', 'v2', 'k3', 'v3')); > > exit(var_dump($test)); > > On Fri, Feb 19, 2010 at 1:19 AM, Larry Garfield wrote: > >> On Thursday 18 February 2010 11:58:28 pm Paul M Foster wrote: >> > On Fri, Feb 19, 2010 at 01:20:12PM +0800, Dasn wrote: >> > > Hi guys. How to convert an array like: >> > > >> > > Array >> > > ( >> > > [0] => key1 >> > > [1] => value1 >> > > [2] => key2 >> > > [3] => value2 >> > > ) >> > > >> > > to >> > > >> > > >> > > Array >> > > ( >> > > [key1] => value1 >> > > [key2] => value2 >> > > ) >> > > >> > > Is there a built-in function to do this? >> > > Please Cc me. :) >> > > Thank you in advance. >> > >> > I don't believe so, but rolling your own should not be too hard: >> > >> > $a = array($key1, $value1, $key2, $value2); >> > $b = array(); >> > $numitems = count($a); >> > >> > for ($i = 0; $i < $numitems; $i++) { >> > if ($i % 2 == 0) { >> > $saved_key = $a[$i]; >> > } >> > elseif ($i % 2 == 1) { >> > $b[$saved_key] = $a[$i]; >> > } >> > } >> > >> > Code is crude and untested, but you get the idea. >> > >> > Paul >> >> This would be even shorter, I think: >> >> foreach ($items as $i => $value) { >> $temp[$i % 2][] = $value; >> } >> $done = array_combine($temp[0], $temp[1]); >> >> (Also untested, just off the cuff...) >> >> --Larry Garfield >> >> -- >> PHP General Mailing List (http://www.php.net/) >> To unsubscribe, visit: http://www.php.net/unsub.php >> >> > I'd say that this cat is well and truly skinned! > > -- > Nephtali: PHP web framework that functions beautifully > http://nephtaliproject.com > -- - Richard Quadling "Standing on the shoulders of some very clever giants!" 
EE : http://www.experts-exchange.com/M_248814.html EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 ZOPA : http://uk.zopa.com/member/RQuadling -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote: > The following script is supposed to validate a username and password in a > mysql db. When entering the username and password of a preregistered user, I > get the following errors: > > Warning: mysql_num_rows(): supplied argument is not a valid MySQL result > resource in /var/www/login.php on line 24 > > > > Warning: Cannot modify header information - headers already sent by (output > started at /var/www/login.php:24) in /var/www/login.php on line 26 > > On line 24 is: > > >>>if(!mysql_num_rows($login)) //if the username and pass are wrong > > --The supplied argument is $login, which is previously defined as: > > >>>$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND > >>>`pass` = '$pass`"); > > --which is further defined above it as these values: > > $user = $_POST['user']; //pulls the username from the form > $pw = $_POST['pass']; //pulls the pass from the form > $pass = md5($pw); //makes our password an md > > So why is the sum of those previous definitions an invalid argument for the > mysql_query() to test for whether the username and md5 password values are > true/equivalent to each other? > > Thanks for any help you may be able to provide, below is the full login.php > page. 
> > David > > > This is the full login.php script, I'm pretty sure no other portions are > needed to show at this point for the current problem: > > $act = $_GET['act']; //retrives the page action > if(empty($act)) //if there is no action > { > echo(' id="loginform"> > Username > > > Password > > > > > > '); > } > elseif($act == "auth") //if our page action = auth > { > $user = $_POST['user']; //pulls the username from the form > $pw = $_POST['pass']; //pulls the pass from the form > $pass = md5($pw); //makes our password an md5 > include("connect.php"); //connects to our mysql database > $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND > `pass` = '$pass`"); //selects info from our table if the row has the same > user and pass that our form does > if(!mysql_num_rows($login)) //if the username and pass are wrong > { > header("Location: login.php"); //redirects to our login page > die(); //stops the page from going any further > } > else > { > setcookie("user", $user, time()+3600);//sets our user cookie > setcookie("pass", $pass, time()+3600);//sets our pass cookie > header("Location: memprar.php");//instead of yourpage.php it > would be your protected page > } > } > ?> > > > > First, please create a new email when sending to the list and don't just reply to the last one, as those of us with email clients that group by threads get confused when the subject line appears to change mid-thread! On to your question, you've got an error with your query, so it will never work: "SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"// change that last back tick after $pass! Lastly; protect your queries! That $user variable is open to injection. Replacing it with something like $user = mysql_real_escape_string($_POST['user']); Your $pass is protected (I believe) because of what you're doing with the hash, but I'm not an expert in these things, so it could be that this may not be enough. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Magnetic Stripe Reader or Barcode to PHP
On 18 February 2010 22:42, Daevid Vincent wrote:
> I'll confess that I've done almost zero research on this topic as of right
> now aside from pricing readers and blank cards.
>
> So we're opening a new super-club here in Seattle. One of the ideas we'd
> like to pursue is that people are assigned a card. This can be a magstripe
> card or something with a barcode. Not really sure at the moment which way
> to go.
>
> The idea being that when they enter, we "swipe/scan" their card and we can
> log stats (# of visits, # guests, favorite drink so the bar has it ready,
> enter into contest, etc.) I was thinking we setup a simple netbook with a
> USB reader at the front door when they pay. Then we have another back at
> the bar. Connect via WiFi. Have a notebook somewhere behind the scenes that
> runs LAMP (or a VM thereof). No internet needed. The backend database and
> even web/GUI stuff is of course trivial with any LAMP stack.
>
> What I don't know is how do I interface _to_ PHP from say a magstripe
> reader. They're dirt cheap ($50), but I assume come with zero software.
> http://www.kanecal.net/mag-stripe-reader-scanner.html . And there are
> hundreds of these gadgets out there all the same basically.
>
> I guess what I'm hoping for is some pointers, from someone who's done this
> sort of thing.
>
> My gut thought is something so simple, where there is some XP software (or
> Linux I suppose) that reads the card (and generally they only have a number
> encoded on them) and this is sent via a URL we define, such as
> http://192.168.10.100/door.php?id=123456 or
> http://192.168.10.100/bar.php?id=123456 etc. (ignore the security issues
> and all that. It's trivial to encode the parameters, plus it's a closed
> system with WEP/WPA/WTF). But does anyone know of such a key piece of code?
>
> Like I said, I'm not locked into magcards. It could be a barcode reader
> just as easily. Or fingerprint scanner, or facial recognition. In the end
> it's just a unique "thing" that maps to a unique number. I just need the
> "FM" (F*ckin' Magic -- it's a programmer term -- look it up!) that goes in
> between PHP and the hardware.
>
> http://daevid.com
>
> "Some people, when confronted with a problem, think 'I know, I'll use
> XML.'"
> Now they have two problems.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

I used to develop EPOS (Electronic Point of Sale) s/w.

As already mentioned, most scanners (barcode and magswipe) connect via the keyboard. As far as the app is concerned, the data is coming from the keyboard.

You can normally program the barcode scanner to provide a prefix and a suffix to the data from the scan. This allows you to provide a "source" to the data.

For example, if you have a web page watching for keypresses, then you want to know when the data is coming from the scanner rather than the keyboard. This allows you to do "out of order" processing. So, you scan 10 items, item 3 requires some additional data, but the next 7 items aren't "lost" because you didn't deal with item 3. The webpage can push the barcode data (AJAX maybe) to the server so they are all logged and fed back as part of the "basket" logic.

If you have a prefix, you'll also need a suffix to tell the app that the data has finished.

A similar situation exists with mag cards. A normal mag card (like your credit cards) can have up to 3 "tracks" of data. Normally track 2 is the interesting one and will normally consist of the following data.

Start Sentinel
Card Number
Mid Sentinel
Expiry Date
Possibly other data (it was a LONG time ago since I was writing EPOS systems, so ... memory currently giving me a 404.)
End Sentinel

The sentinels aren't full characters, but are "signals" to the reader. The reader can be programmed to issue a specific character for each sentinel.

So again, you can read from the mag card "out of order". E.g. you can scan your club card or your credit card at the beginning of the sale and then add your items. All without touching the keyboard to change the "focus" of the input.

This was a major enhancement for usability for our customers when I introduced this. And that was for a DOS app, not GUI or Web!

If you have an account on Experts Exchange, take a look at http://www.experts-exchange.com/Internet/Web_Development/Q_24179189.html?sfQueryTermInfo=1+barcod+javascript+rquadling which was a question on using a barcode reader in a web app and I gave JS code allowing for the "out of order" processing I mentioned here.

If you are generating your own cards, then the quickest/cheapest way is to get blank cardboard "cards", print a barcode on them and then laminate them. That way you can build your own layout relatively cheaply.

You also don't have to use black/white bars. For one of our systems (Access control to buildings), we used infra-red detectable ink. When it was printed, we could only just see it in the right light. The scanners use a red lase
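Added example, not code from the original message: a server-side PHP parser for a keystroke buffer in which typed item codes are interleaved with a track-2 swipe, showing the "out of order" handling described above. Assumptions: the reader is programmed to send ';', '=' and '?' for the start, mid and end sentinels, the expiry is four digits, and the function names and buffer contents are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: the reader sends ';' for the start sentinel, '=' for the mid
// sentinel and '?' for the end sentinel. Only digits are accepted in between.
const SWIPE = '/;(\d{1,19})=(\d{4})(\d*)\?/';

/**
 * Split a keystroke buffer into complete card swipes and whatever was typed.
 * A swipe with no end sentinel yet is left in 'typed' until the rest arrives.
 */
function extractSwipes(string $buffer): array
{
    $swipes = [];
    $typed = preg_replace_callback(
        SWIPE,
        function (array $m) use (&$swipes): string {
            $swipes[] = ['card' => $m[1], 'expiry' => $m[2], 'extra' => $m[3]];
            return ''; // remove the swipe from the typed stream
        },
        $buffer
    );
    return ['typed' => (string) $typed, 'swipes' => $swipes];
}

/** Item codes are the digits-only lines left after swipes are removed. */
function itemCodes(string $typed): array
{
    $lines = preg_split('/\R/', $typed, -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_filter($lines, 'ctype_digit'));
}

// Constructed buffer: two item codes, a club-card swipe arriving between
// them, and the start of a second swipe that has not finished yet.
$buffer = "5012345\n;1234567890=1212101?5098765\n;99887766";

$result = extractSwipes($buffer);
print_r($result['swipes']);            // complete swipes only
print_r(itemCodes($result['typed']));  // item codes, unaffected by the swipe
```

Only the validated `card` value, never the raw buffer, should be passed on as the `id` for a lookup.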
[PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
--- On Fri, 2/19/10, David Hutto wrote:

From: David Hutto
Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
To: php-general@lists.php.net
Date: Friday, February 19, 2010, 3:30 AM

The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24

Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:

>>>if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:

>>>$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND
>>>`pass` = '$pass`");

--which is further defined above it as these values:

$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other? Because basically !mysql_num_rows($login) is just if'ing the lack of a user/pass match, else it continues to set cookie and session variables. If I'm looking at this wrong let me know.

Thanks for any help you may be able to provide, below is the full login.php page.

David

This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem:

Username Password
');
}
elseif($act == "auth") //if our page action = auth
{
    $user = $_POST['user']; //pulls the username from the form
    $pw = $_POST['pass']; //pulls the pass from the form
    $pass = md5($pw); //makes our password an md5
    include("connect.php"); //connects to our mysql database
    $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
    if(!mysql_num_rows($login)) //if the username and pass are wrong
    {
        header("Location: login.php"); //redirects to our login page
        die(); //stops the page from going any further
    }
    else
    {
        setcookie("user", $user, time()+3600);//sets our user cookie
        setcookie("pass", $pass, time()+3600);//sets our pass cookie
        header("Location: memprar.php");//instead of yourpage.php it would be your protected page
    }
}
?>
[PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24

Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:

>>>if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:

>>>$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND
>>>`pass` = '$pass`");

--which is further defined above it as these values:

$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other?

Thanks for any help you may be able to provide, below is the full login.php page.

David

This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem:

Username Password
');
}
elseif($act == "auth") //if our page action = auth
{
    $user = $_POST['user']; //pulls the username from the form
    $pw = $_POST['pass']; //pulls the pass from the form
    $pass = md5($pw); //makes our password an md5
    include("connect.php"); //connects to our mysql database
    $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
    if(!mysql_num_rows($login)) //if the username and pass are wrong
    {
        header("Location: login.php"); //redirects to our login page
        die(); //stops the page from going any further
    }
    else
    {
        setcookie("user", $user, time()+3600);//sets our user cookie
        setcookie("pass", $pass, time()+3600);//sets our pass cookie
        header("Location: memprar.php");//instead of yourpage.php it would be your protected page
    }
}
?>
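Added example, not part of the original post or the poster's script: mysql_query() returns false when a statement fails, and passing that false on is what mysql_num_rows() rejects, so this version makes the database layer throw on SQL errors, binds the submitted user name as a parameter, and checks the password with password_hash()/password_verify() in place of md5(). Assumptions: PDO with an in-memory SQLite database stands in for connect.php, and connect(), register(), authenticate() and the sample account are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for connect.php: an in-memory SQLite database with
// the post's table and column names.
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors, so a malformed statement fails at the query
    // instead of handing false to the next call.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE userinfo (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');
    return $pdo;
}

function register(PDO $pdo, string $user, string $password): void
{
    // Salted, deliberately slow hash in place of md5().
    $stmt = $pdo->prepare('INSERT INTO userinfo (user, pass) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

function authenticate(PDO $pdo, string $user, string $password): bool
{
    // The placeholder keeps the submitted value out of the SQL text, so
    // quotes in a user name cannot change the statement.
    $stmt = $pdo->prepare('SELECT pass FROM userinfo WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

$pdo = connect();
register($pdo, "o'brien", 'correct horse'); // constructed sample account

var_dump(authenticate($pdo, "o'brien", 'correct horse'));
var_dump(authenticate($pdo, "o'brien", 'wrong password'));
var_dump(authenticate($pdo, 'nobody', 'correct horse'));

try {
    // Same kind of slip as in the post: a value opened with ' and closed with `.
    $pdo->query("SELECT * FROM userinfo WHERE user = 'x`");
} catch (PDOException $e) {
    echo 'query rejected: ', $e->getMessage(), PHP_EOL;
}
```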