php-general Digest 19 Feb 2010 10:37:57 -0000 Issue 6598

2010-02-19 Thread php-general-digest-help

Topics (messages 302183 through 302195):

Magnetic Stripe Reader or Barcode to PHP
302183 by: Daevid Vincent
302184 by: Matt Neimeyer
302185 by: Phpster
302186 by: Williams, Dewey
302188 by: Nathan Nobbe
302195 by: Richard Quadling

Re: Export/Write rows from DBF to CSV
302187 by: Paul M Foster

array conversion
302189 by: Dasn
302190 by: Paul M Foster
302191 by: Larry Garfield
302192 by: Adam Richardson

Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result 
resource
302193 by: David Hutto
302194 by: David Hutto

Administrivia:

To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
php-gene...@lists.php.net


--
---BeginMessage---
I'll confess that I've done almost zero research on this topic as of right
now aside from pricing readers and blank cards.

So we're opening a new super-club here in Seattle. One of the ideas we'd
like to pursue is that people are assigned a card. This can be a magstripe
card or something with a barcode. Not really sure at the moment which way
to go.

The idea being that when they enter, we swipe/scan their card and we can
log stats (# of visits, # guests, favorite drink so the bar has it ready,
enter into contest, etc.) I was thinking we setup a simple netbook with a
USB reader at the front door when they pay. Then we have another back at
the bar. Connect via WiFi. Have a notebook somewhere behind the scenes that
runs LAMP (or a VM thereof). No internet needed.  The backend database and
even web/GUI stuff is of course trivial with any LAMP stack.

What I don't know is how do I interface _to_ PHP from say a magstripe
reader. They're dirt cheap ($50), but I assume come with zero software.
http://www.kanecal.net/mag-stripe-reader-scanner.html . And there are
hundreds of these gadgets out there all the same basically.

I guess what I'm hoping for is some pointers, from someone who's done this
sort of thing.

My gut thought is something so simple, where there is some XP software (or
Linux I suppose) that reads the card (and generally they only have a number
encoded on them) and this is sent via a URL we define, such as
http://192.168.10.100/door.php?id=123456 or
http://192.168.10.100/bar.php?id=123456 etc. (ignore the security issues
and all that. It's trivial to encode the parameters, plus it's a closed
system with WEP/WPA/WTF). But does anyone know of such a key piece of code?

Like I said, I'm not locked into magcards. It could be a barcode reader
just as easily. Or fingerprint scanner, or facial recognition. In the end
it's just a unique thing that maps to a unique number. I just need the
FM (F*ckin' Magic -- it's a programmer term -- look it up!) that goes in
between PHP and the hardware.

http://daevid.com

Some people, when confronted with a problem, think 'I know, I'll use
XML.'
Now they have two problems. 

---End Message---
---BeginMessage---
If the scanning device hooks into the keyboard somehow it should be
easy. I believe that's called a keyboard wedge. Basically, you scan
and it types.

My only exposure to this is using one of the old CueCat scanners to
index my personal library into a php app I cobbled together. The
CueCat hooked in line with the keyboard. You'd bring up the scanning
page and an onload Javascript would place the cursor into the Scan
ISBN Here text box. Scan the book and the input went where it was
needed. I believe it also sent an enter keystroke which submitted
the form. It's been a couple years since I played with it so there
might have been some additional software that kicked the enter. Then
you process the data as you would for any other text field submission.
It worked well enough to catalog a couple thousand books in a single
evening.

Hope this helps

Matt

On Thu, Feb 18, 2010 at 5:42 PM, Daevid Vincent dae...@daevid.com wrote:
 So we're opening a new super-club here in Seattle. One of the ideas we'd
 like to pursue is that people are assigned a card. This can be a magstripe
 card or something with a barcode. Not really sure at the moment which way
 to go.
---End Message---
---BeginMessage---
The inputs are simple client side devices, like the keyboard. I used a  
Wasp brand barcode reader and it was configured to input the value and  
the tab to send it to the next field. They work well and are easy to set up.


Bastien

Sent from my iPod

On Feb 18, 2010, at 5:42 PM, Daevid Vincent dae...@daevid.com wrote:

I'll confess that I've done almost zero research on this topic as of  
right

now aside from pricing readers and blank cards.

So we're opening a new super-club here in Seattle. One of the ideas  
we'd
like to pursue is that 

[PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource

2010-02-19 Thread David Hutto
The following script is supposed to validate a username and password in a mysql 
db.  When entering the username and password of a preregistered user, I get the 
following errors:

Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /var/www/login.php on line 24



Warning:  Cannot modify header information - headers already sent by (output 
started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:

if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:

$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND 
`pass` = '$pass`");

--which is further defined above it as these values:

  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the 
mysql_query() to test for whether the username and md5 password values are 
true/equivalent to each other?

Thanks for any help you may be able to provide, below is the full login.php 
page.

David


This is the full login.php script, I'm pretty sure no other portions are needed 
to show at this point for the current problem:

<?php
$act = $_GET['act']; //retrieves the page action
if(empty($act)) //if there is no action
{
  echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
  <p>Username
  <input type="text" name="user">
  </p>
  <p>Password
  <input type="password" name="pass">
  </p>
  <p>
  <input type="submit" name="Submit" value="Login">
  </p>
  </form>');
}
elseif($act == "auth") //if our page action = auth
{
  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md5
  include("connect.php"); //connects to our mysql database
  $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
  if(!mysql_num_rows($login)) //if the username and pass are wrong
  {
    header("Location: login.php");  //redirects to our login page
    die(); //stops the page from going any further
  }
  else
  {
    setcookie("user", $user, time()+3600);//sets our user cookie
    setcookie("pass", $pass, time()+3600);//sets our pass cookie
    header("Location: memprar.php");//instead of yourpage.php it would be your protected page
  } 
}
?>



  

[PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource

2010-02-19 Thread David Hutto


--- On Fri, 2/19/10, David Hutto dwightdhu...@yahoo.com wrote:

From: David Hutto dwightdhu...@yahoo.com
Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL 
result resource
To: php-general@lists.php.net
Date: Friday, February 19, 2010, 3:30 AM

The following script is supposed to validate a username and password in a mysql 
db.  When entering the username and password of a preregistered user, I get the 
following errors:

Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /var/www/login.php on line 24



Warning:  Cannot modify header information - headers already sent by (output 
started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:

if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:

$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND 
`pass` = '$pass`");

--which is further defined above it as these values:

  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the 
mysql_query() to test for whether the username and md5 password values are 
true/equivalent to each other?

Because basically !mysql_num_rows($login) is just if'ing the lack of a 
user/pass match, else it continues to set cookie and session variables.

If I'm looking at this wrong let me know.

Thanks for any help you may be able to provide, below is the
 full login.php page.

David


This is the full login.php script, I'm pretty sure no other portions are needed 
to show at this point for the current problem:

<?php
$act = $_GET['act']; //retrieves the page action
if(empty($act)) //if there is no action
{
  echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
  <p>Username
  <input type="text" name="user">
  </p>
  <p>Password
  <input type="password" name="pass">
  </p>
  <p>
  <input type="submit" name="Submit" value="Login">
  </p>
  </form>');
}
elseif($act == "auth") //if our page action = auth
{
  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md5
  include("connect.php"); //connects to our mysql database
  $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
  if(!mysql_num_rows($login)) //if the username and pass are wrong
  {
    header("Location: login.php");  //redirects to our login page
    die(); //stops the page from going any further
  }
  else
  {
    setcookie("user", $user, time()+3600);//sets our user cookie
    setcookie("pass", $pass, time()+3600);//sets our pass cookie
    header("Location: memprar.php");//instead of yourpage.php it would be your protected page
  } 
}
?>





  


  

Re: [PHP] Magnetic Stripe Reader or Barcode to PHP

2010-02-19 Thread Richard Quadling
On 18 February 2010 22:42, Daevid Vincent dae...@daevid.com wrote:
 I'll confess that I've done almost zero research on this topic as of right
 now aside from pricing readers and blank cards.

 So we're opening a new super-club here in Seattle. One of the ideas we'd
 like to pursue is that people are assigned a card. This can be a magstripe
 card or something with a barcode. Not really sure at the moment which way
 to go.

 The idea being that when they enter, we swipe/scan their card and we can
 log stats (# of visits, # guests, favorite drink so the bar has it ready,
 enter into contest, etc.) I was thinking we setup a simple netbook with a
 USB reader at the front door when they pay. Then we have another back at
 the bar. Connect via WiFi. Have a notebook somewhere behind the scenes that
 runs LAMP (or a VM thereof). No internet needed.  The backend database and
 even web/GUI stuff is of course trivial with any LAMP stack.

 What I don't know is how do I interface _to_ PHP from say a magstripe
 reader. They're dirt cheap ($50), but I assume come with zero software.
 http://www.kanecal.net/mag-stripe-reader-scanner.html . And there are
 hundreds of these gadgets out there all the same basically.

 I guess what I'm hoping for is some pointers, from someone who's done this
 sort of thing.

 My gut thought is something so simple, where there is some XP software (or
 Linux I suppose) that reads the card (and generally they only have a number
 encoded on them) and this is sent via a URL we define, such as
 http://192.168.10.100/door.php?id=123456 or
 http://192.168.10.100/bar.php?id=123456 etc. (ignore the security issues
 and all that. It's trivial to encode the parameters, plus it's a closed
 system with WEP/WPA/WTF). But does anyone know of such a key piece of code?

 Like I said, I'm not locked into magcards. It could be a barcode reader
 just as easily. Or fingerprint scanner, or facial recognition. In the end
 it's just a unique thing that maps to a unique number. I just need the
 FM (F*ckin' Magic -- it's a programmer term -- look it up!) that goes in
 between PHP and the hardware.

 http://daevid.com

 Some people, when confronted with a problem, think 'I know, I'll use
 XML.'
 Now they have two problems.


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



I used to develop EPOS (Electronic Point of Sale) s/w.

As already mentioned, most scanners (barcode and magswipe) connect via
the keyboard.

As far as the app is concerned, the data is coming from the keyboard.

You can normally program the barcode scanner to provide a prefix and a
suffix to the data from the scan.

This allows you to provide a source to the data.

For example, if you have a web page watching for keypresses, then you
want to know when the data is coming from the scanner rather than the
keyboard.

This allows you to do out of order processing. So, you scan 10
items, item 3 requires some additional data, but the next 7 items
aren't lost because you didn't deal with item 3. The webpage can
push the barcode data (AJAX maybe) to the server so they are all
logged and fed back as part of the basket logic.

If you have a prefix, you'll also need a suffix to tell the app that
the data has finished.


A similar situation exists with mag cards. A normal mag card (like
your credit cards) can have up to 3 tracks of data. Normally track 2
is the interesting one and will normally consist of the following
data.

Start Sentinel
Card Number
Mid Sentinel
Expiry Date
Possibly other data (it was a LONG time ago since I was writing EPOS
systems, so ... memory currently giving me a 404.)
End Sentinel

The sentinels aren't full characters, but are signals to the reader.
The reader can be programmed to issue a specific character for each
sentinel.

So again, you can read from the mag card out of order. E.g. you can
scan your club card or your credit card at the beginning of the sale
and then add your items. All without touching the keyboard to change
the focus of the input. This was a major enhancement for usability
for our customers when I introduced this. And that was for a DOS app,
not GUI or Web!

If you have an account on Experts Exchange, take a look at
http://www.experts-exchange.com/Internet/Web_Development/Q_24179189.html?sfQueryTermInfo=1+barcod+javascript+rquadling
which was a question on using a barcode reader in a web app and I gave
JS code allowing for the out of order processing I mentioned here.


If you are generating your own cards, then the quickest/cheapest way
is to get blank cardboard cards, print a barcode on them and then
laminate them. That way you can build your own layout relatively
cheaply.

You also don't have to use black/white bars. For one our systems
(Access control to buildings), we used infra-red detectable ink. When
it was printed, we could only just see it in the right light. The
scanners use a red laser and picked up the code easily. And the
barcode was 

Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource

2010-02-19 Thread Ashley Sheridan
On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:

 The following script is supposed to validate a username and password in a 
 mysql db.  When entering the username and password of a preregistered user, I 
 get the following errors:
 
 Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
 resource in /var/www/login.php on line 24
 
 
 
 Warning:  Cannot modify header information - headers already sent by (output 
 started at /var/www/login.php:24) in /var/www/login.php on line 26
 
 On line 24 is:
 
 if(!mysql_num_rows($login)) //if the username and pass are wrong
 
 --The supplied argument is $login, which is previously defined as:
 
 $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND 
 `pass` = '$pass`");
 
 --which is further defined above it as these values:
 
   $user = $_POST['user']; //pulls the username from the form
   $pw = $_POST['pass']; //pulls the pass from the form
   $pass = md5($pw); //makes our password an md
 
 So why is the sum of those previous definitions an invalid argument for the 
 mysql_query() to test for whether the username and md5 password values are 
 true/equivalent to each other?
 
 Thanks for any help you may be able to provide, below is the full login.php 
 page.
 
 David
 
 
 This is the full login.php script, I'm pretty sure no other portions are 
 needed to show at this point for the current problem:
 
 <?php
 $act = $_GET['act']; //retrieves the page action
 if(empty($act)) //if there is no action
 {
   echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
   <p>Username
   <input type="text" name="user">
   </p>
   <p>Password
   <input type="password" name="pass">
   </p>
   <p>
   <input type="submit" name="Submit" value="Login">
   </p>
   </form>');
 }
 elseif($act == "auth") //if our page action = auth
 {
   $user = $_POST['user']; //pulls the username from the form
   $pw = $_POST['pass']; //pulls the pass from the form
   $pass = md5($pw); //makes our password an md5
   include("connect.php"); //connects to our mysql database
   $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
   if(!mysql_num_rows($login)) //if the username and pass are wrong
   {
     header("Location: login.php");  //redirects to our login page
     die(); //stops the page from going any further
   }
   else
   {
     setcookie("user", $user, time()+3600);//sets our user cookie
     setcookie("pass", $pass, time()+3600);//sets our pass cookie
     header("Location: memprar.php");//instead of yourpage.php it would be your protected page
   } 
 }
 ?>
 
 
 
   


First, please create a new email when sending to the list and don't just
reply to the last one, as those of us with email clients that group by
threads get confused when the subject line appears to change mid-thread!

On to your question, you've got an error with your query, so it will
never work:

SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` =
'$pass`// change that last back tick after $pass!

Lastly; protect your queries! That $user variable is open to injection.
Replacing it with something like $user =
mysql_real_escape_string($_POST['user']); Your $pass is protected (I
believe) because of what you're doing with the hash, but I'm not an
expert in these things, so it could be that this may not be enough.

Thanks,
Ash
http://www.ashleysheridan.co.uk
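
The failure discussed in this thread, as an added example that is not code from any poster: a query with a syntax error returns false rather than a result set, and the corrected lookup binds its values instead of interpolating them. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; the helper names `posted_query()` and `check_login()` and the sample account are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite through PDO stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
// Report failures by returning false, the way mysql_query() did.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$pdo->exec('CREATE TABLE userinfo (user TEXT PRIMARY KEY, pass TEXT)');
$seed = $pdo->prepare('INSERT INTO userinfo (user, pass) VALUES (?, ?)');
$seed->execute(['alice', md5('constructed-password')]); // constructed account

// Hypothetical helper: the query text as posted, stray back tick included.
function posted_query(PDO $pdo, string $user, string $pass)
{
    return $pdo->query(
        "SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"
    );
}

// Hypothetical helper: corrected lookup. The values are bound, so they never
// become part of the SQL text, and a failed call is handled before any rows
// are read.
function check_login(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM userinfo WHERE user = :user AND pass = :pass'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $pdo->errorInfo()[2]);
    }
    // md5() is used only because the post stores passwords that way.
    if (!$stmt->execute([':user' => $user, ':pass' => md5($password)])) {
        throw new RuntimeException('execute failed: ' . $stmt->errorInfo()[2]);
    }
    return $stmt->fetchColumn() !== false;
}

$result = posted_query($pdo, 'alice', md5('constructed-password'));
if ($result === false) {
    // Passing this false on to a row counter is what produced the warning in
    // the post; the warning text was output, so header() then failed as well.
    echo 'posted query failed: ', $pdo->errorInfo()[2], PHP_EOL;
}

var_dump(check_login($pdo, 'alice', 'constructed-password'));
var_dump(check_login($pdo, 'alice', 'wrong-password'));
// A quote in the username is treated as data, not as SQL.
var_dump(check_login($pdo, "o'brien", 'constructed-password'));
```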




Re: [PHP] array conversion

2010-02-19 Thread Richard Quadling
On 19 February 2010 07:26, Adam Richardson simples...@gmail.com wrote:
 Or,

 function new_arr(array $arr)
 {
    $count = count($arr);
    if ($count % 2 != 0) throw new Exception('The new_arr() function requires an even number of elements.');
    $new_arr = array();
    for ($i = 0; $i < $count; $i += 2)
    {
        $new_arr[$arr[$i]] = $arr[$i + 1];
    }
    return $new_arr;
 }

 $test = new_arr(array('k1', 'v1', 'k2', 'v2', 'k3', 'v3'));

 exit(var_dump($test));

 On Fri, Feb 19, 2010 at 1:19 AM, Larry Garfield la...@garfieldtech.com wrote:

 On Thursday 18 February 2010 11:58:28 pm Paul M Foster wrote:
  On Fri, Feb 19, 2010 at 01:20:12PM +0800, Dasn wrote:
   Hi guys. How to convert an array like:
  
   Array
   (
       [0] => key1
       [1] => value1
       [2] => key2
       [3] => value2
   )
  
   to
  
  
   Array
   (
       [key1] => value1
       [key2] => value2
   )
  
   Is there a built-in function to do this?
   Please Cc me. :)
   Thank you in advance.
 
  I don't believe so, but rolling your own should not be too hard:
 
  $a = array($key1, $value1, $key2, $value2);
  $b = array();
  $numitems = count($a);
 
  for ($i = 0; $i < $numitems; $i++) {
        if ($i % 2 == 0) {
                $saved_key = $a[$i];
        }
        elseif ($i % 2 == 1) {
                $b[$saved_key] = $a[$i];
        }
  }
 
  Code is crude and untested, but you get the idea.
 
  Paul

 This would be even shorter, I think:

 foreach ($items as $i => $value) {
  $temp[$i % 2][] = $value;
 }
 $done = array_combine($temp[0], $temp[1]);

 (Also untested, just off the cuff...)

 --Larry Garfield





I'd say that this cat is well and truly skinned!

 --
 Nephtali:  PHP web framework that functions beautifully
 http://nephtaliproject.com




-- 
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling




Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource

2010-02-19 Thread David Hutto


--- On Fri, 2/19/10, Ashley Sheridan a...@ashleysheridan.co.uk wrote:

From: Ashley Sheridan a...@ashleysheridan.co.uk
Subject: Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a 
valid MySQL result resource
To: David Hutto dwightdhu...@yahoo.com
Cc: php-general@lists.php.net
Date: Friday, February 19, 2010, 5:34 AM




  
  
On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:

The following script is supposed to validate a username and password in a mysql 
db.  When entering the username and password of a preregistered user, I get the 
following errors:

Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /var/www/login.php on line 24



Warning:  Cannot modify header information - headers already sent by (output 
started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:

if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:

$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND 
`pass` = '$pass`");

--which is further defined above it as these values:

  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the 
mysql_query() to test for whether the username and md5 password values are 
true/equivalent to each other?

Thanks for any help you may be able to provide, below is the full login.php 
page.

David


This is the full login.php script, I'm pretty sure no other portions are needed 
to show at this point for the current problem:

<?php
$act = $_GET['act']; //retrieves the page action
if(empty($act)) //if there is no action
{
  echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
  <p>Username
  <input type="text" name="user">
  </p>
  <p>Password
  <input type="password" name="pass">
  </p>
  <p>
  <input type="submit" name="Submit" value="Login">
  </p>
  </form>');
}
elseif($act == "auth") //if our page action = auth
{
  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md5
  include("connect.php"); //connects to our mysql database
  $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
  if(!mysql_num_rows($login)) //if the username and pass are wrong
  {
    header("Location: login.php");  //redirects to our login page
    die(); //stops the page from going any further
  }
  else
  {
    setcookie("user", $user, time()+3600);//sets our user cookie
    setcookie("pass", $pass, time()+3600);//sets our pass cookie
    header("Location: memprar.php");//instead of yourpage.php it would be your protected page
  } 
}
?>



  




First, please create a new email when sending to the list and don't just reply 
to the last one, as those of us with email clients that group by threads get 
confused when the subject line appears to change mid-thread!



On to your question, you've got an error with your query, so it will never work:



SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`    // 
change that last back tick after $pass!



Lastly; protect your queries! That $user variable is open to injection. 
Replacing it with something like $user = 
mysql_real_escape_string($_POST['user']); Your $pass is protected (I believe) 
because of what you're doing with the hash, but I'm not an expert in these 
things, so it could be that this may not be enough.






Thanks,

Ash

http://www.ashleysheridan.co.uk





Apologies for hijacking the thread, I hit reply all in a randomly picked email 
and deleted the info/subject line, guess that doesn't work.

Thanks for the advice, it's almost working right, all things considered.

David




 



  

[PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
In order to prevent SQL injection, can one simply base64 encode the
data and store that? Then it can be decoded when I need to display it
on a website. I understand that this means that the data will not be
searchable, and that I still must sanitize it before printing it on
the site. Are there any other drawbacks or things to be aware of?
Thanks.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Ashley Sheridan
On Fri, 2010-02-19 at 15:18 +0200, Dotan Cohen wrote:

 In order to prevent SQL injection, can one simply base64 encode the
 data and store that? Then it can be decoded when I need to display it
 on a website. I understand that this means that the data will not be
 searchable, and that I still must sanitize it before printing it on
 the site. Are there any other drawbacks or things to be aware of?
 Thanks.
 
 -- 
 Dotan Cohen
 
 http://what-is-what.com
 http://gibberish.co.il
 
 Please CC me if you want to be sure that I read your message. I do not
 read all list mail.
 


I assume this would work. I always use mysql_real_escape_string(),
although that would predetermine your choice of database. That would
allow your content to be searchable though.


Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread tedd

At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:

In order to prevent SQL injection, can one simply base64 encode the
data and store that? Then it can be decoded when I need to display it
on a website. I understand that this means that the data will not be
searchable, and that I still must sanitize it before printing it on
the site. Are there any other drawbacks or things to be aware of?
Thanks.

--
Dotan Cohen



Dotan:

You're a smart guy, why reinvent the wheel? The entire problem set 
has already been solved.


Understand there are two issues here: 1) filtering input into a 
database; 2) escaping output to a browser.


Use mysql_real_escape_string() to filter data before it's stored in a 
database (input).


Use htmlentities() to retrieve data from the database to be displayed 
via a browser (output).


That way whatever problems that might exist within the data will be 
rendered harmless.


An excellent book on this (and much more) is Chris Shiflett's 
Essential PHP Security. You can pick it up on Amazon for less than 
$20 -- well worth the cost.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Export/Write rows from DBF to CSV

2010-02-19 Thread Andrew Ballard
On Thu, Feb 18, 2010 at 5:31 PM, OBXer d...@therealouterbanks.com wrote:

 I'm trying to adopt this piece of code for my use.  I fixed the csv_data .=
 trim error.  Does anyone know how I can fix empty fields?  Everything is
 dumping to a csv file but information is not matching up.  I don't know if I
 can insert a space or something if field is blank?



If you're trying to write csv data, why not use fputcsv($_fp, $row) to
write each line rather than concatenating all the lines into a single
value and then writing that string to a file? It will correctly handle
empty values (as long as the key is still present in the array) and
I've found it to be much faster at writing larger data sets than
trying to concatenate the CSV in code.

http://www.php.net/manual/en/function.fputcsv.php


Andrew




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Andrew Ballard
On Fri, Feb 19, 2010 at 8:18 AM, Dotan Cohen dotanco...@gmail.com wrote:
 In order to prevent SQL injection, can one simply base64 encode the
 data and store that? Then it can be decoded when I need to display it
 on a website. I understand that this means that the data will not be
 searchable, and that I still must sanitize it before printing it on
 the site. Are there any other drawbacks or things to be aware of?
 Thanks.

 --
 Dotan Cohen


One would be storage space, as base64 requires more space to store the
same data. For a single data element that might not be much, but when
multiplied over all the values stored in your table it makes a
difference.

Also, don't forget to validate/filter non-character data, which you
can't do with base64. Something like this is still vulnerable to SQL
injection even though it 'sanitizes' the expected character input:

<?php
// user_id expects an integer value
$user_id = $_POST['user_id'];

$comment = base64_encode($_POST['comment']);


$sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id,
'$comment')";

?>



Andrew
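
A hardened counterpart to the snippet above, as an added example that is not code from any poster: the integer field is validated, both values are bound, the comment is stored as typed, and escaping happens only at output, which is the input/output split described earlier in this thread. It assumes PDO with an in-memory SQLite database; `save_comment()`, `render_comments()` and the sample submissions are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite through PDO; the `comments` table and its
// columns follow the snippet in the message above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (user_id INTEGER NOT NULL, comment TEXT NOT NULL)');

// Hypothetical helper: validate the numeric field, then bind both values.
function save_comment(PDO $pdo, $rawUserId, string $rawComment): bool
{
    $userId = filter_var(
        $rawUserId,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($userId === false) {
        return false; // not a positive integer: reject, never interpolate
    }
    $stmt = $pdo->prepare(
        'INSERT INTO comments (user_id, comment) VALUES (:uid, :comment)'
    );
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    // Stored as typed: no base64 needed, and the column stays searchable.
    $stmt->bindValue(':comment', $rawComment, PDO::PARAM_STR);
    return $stmt->execute();
}

// Hypothetical helper: escape for the HTML context when the data is displayed.
function render_comments(PDO $pdo, int $userId): string
{
    $stmt = $pdo->prepare(
        'SELECT comment FROM comments WHERE user_id = :uid ORDER BY rowid'
    );
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $comment) {
        $html .= '<p>' . htmlentities($comment, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Constructed form submissions: [user_id, comment].
$submissions = [
    ['42', "It's <b>bold</b> & searchable"],
    ['42 OR 1=1', 'user_id is not an integer'],
    ['', 'user_id is missing'],
];
foreach ($submissions as [$uid, $text]) {
    $outcome = save_comment($pdo, $uid, $text) ? 'stored' : 'rejected';
    printf("%-14s %s\n", var_export($uid, true), $outcome);
}

echo render_comments($pdo, 42);
```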




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
On 19 February 2010 16:27, tedd tedd.sperl...@gmail.com wrote:
 At 3:18 PM +0200 2/19/10, Dotan Cohen wrote:

 In order to prevent SQL injection, can one simply base64 encode the
 data and store that? Then it can be decoded when I need to display it
 on a website. I understand that this means that the data will not be
 searchable, and that I still must sanitize it before printing it on
 the site. Are there any other drawbacks or things to be aware of?
 Thanks.

 --
 Dotan Cohen


 Dotan:

 You're a smart guy, why reinvent the wheel? The entire problem set has
 already been solved.

 Understand there are two issues here: 1) filtering input into a database; 2)
 escaping output to a browser.

 Use mysql_real_escape_string() to filter data before it's stored in a
 database (input).


I was under the impression that mysql_real_escape_string() was not a
100% solution. Is it? Note that I serve my pages as UTF-8 and also
declare them as such in the header and meta tag, but that does not
mean that a malicious entity won't return a request in a different
encoding.


 Use htmlentities() to retrieve data from the database to be displayed via a
 browser (output).


This I do. I'm not sure if it's enough, so I'd like some reassurance
on the matter. :)


 An excellent book on this (and much more) is Chris Shiflett's Essential PHP
 Security. You can pick it up on Amazon for less than $20 -- well worth the
 cost.


They don't ship to Israel! I have looked for it locally, but not found
it. I'm sure that I could acquire a copy on some p2p service but I
really don't like doing that. Maybe I could Paypal $20 to Chris
himself if that remains my only option! Chris, what say you? (CCed)


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
 One would be storage space, as base64 requires more space to store the
 same data. For a single data element that might not be much, but when
 multiplied over all the values stored in your table it makes a
 difference.


That is a good point, thanks.


 Also, don't forget to validate/filter non-character data, which you
 can't do with base64. Something like this is still vulnerable to SQL
 injection even though it 'sanitizes' the expected character input:

 <?php
 // user_id expects an integer value
 $user_id = $_POST['user_id'];

 $comment = base64_encode($_POST['comment']);


 $sql = "INSERT INTO `comments` (user_id, comment) VALUES ($user_id,
 '$comment')";

 ?>

I see what you mean. In fact, userIDs are stored, and indeed I ensure
that they are integers!


-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.
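
The two points raised in this thread (validate non-character input such as user_id, and treat database input and browser output as separate problems), as an added example that is not code from any poster. It swaps in PDO bound parameters for mysql_real_escape_string() and htmlspecialchars() for htmlentities(); the in-memory SQLite database, the function names and the sample requests are assumptions, constructed so the script runs offline.

```php
<?php
// Added example, not code from the thread. Table and column names follow
// Andrew's snippet; function names and sample requests are constructed.

function open_comment_db(): PDO
{
    // Constructed stand-in: in-memory SQLite so the script runs offline.
    // A MySQL DSN would also pin the connection charset, for example
    // 'mysql:host=localhost;dbname=app;charset=utf8mb4' (placeholder values).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL,
        comment TEXT NOT NULL
    )');
    return $pdo;
}

function store_comment(PDO $pdo, array $post): int
{
    // Non-character data: check the type; encoding or escaping cannot do this.
    $userId = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }

    // Character data: require a string that is valid UTF-8, whatever
    // encoding the client claimed to send.
    $comment = $post['comment'] ?? null;
    if (!is_string($comment) || preg_match('//u', $comment) !== 1) {
        throw new InvalidArgumentException('comment must be valid UTF-8 text');
    }

    // Values are bound as parameters; this code never splices them into SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (user_id, comment) VALUES (:user_id, :comment)'
    );
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->execute();

    return (int) $pdo->lastInsertId();
}

function render_comment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT comment FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $comment = (string) $stmt->fetchColumn();

    // Output side: the stored text is unchanged and searchable; it is
    // escaped only at the moment it is written into HTML.
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample requests.
$pdo = open_comment_db();

$id = store_comment($pdo, ['user_id' => '42', 'comment' => "It's <b>fine</b>"]);
echo render_comment($pdo, $id), "\n";

$rejected = [
    ['user_id' => '42 extra text', 'comment' => 'not an integer'],
    ['user_id' => '42', 'comment' => "broken \xC3\x28 bytes"],
];
foreach ($rejected as $post) {
    try {
        store_comment($pdo, $post);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```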




Re: [PHP] array conversion

2010-02-19 Thread tedd

At 10:48 AM + 2/19/10, Richard Quadling wrote:

On 19 February 2010 07:26, Adam Richardson simples...@gmail.com wrote:
 Or,


Code fight!!!

http://www.webbytedd.com/ccc/array/

After reviewing the entries, mine does not provide any significant 
difference. I did it as a mental exercise after looking at several 
built-in array functions (array_flip(), array_combine(), etc. ) that 
I thought might solve the problem, but didn't.


tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Paul M Foster
On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote:


<snip>

 
 They don't ship to Israel! I have looked for it locally, but not found
 it. I'm sure that I could acquire a copy on some p2p service but I
 really don't like doing that. Maybe I could Paypal $20 to Chris
 himself if that remains my only option! Chris, what say you? (CCed)

Wow, that sucks! This is an O'Reilly book. Perhaps they would ship to
Israel?

Paul

-- 
Paul M. Foster




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Teus Benschop
On Fri, 2010-02-19 at 11:45 -0500, Paul M Foster wrote:
 On Fri, Feb 19, 2010 at 05:43:15PM +0200, Dotan Cohen wrote:
  They don't ship to Israel! I have looked for it locally, but not found
  it. I'm sure that I could acquire a copy on some p2p service but I
  really don't like doing that. Maybe I could Paypal $20 to Chris
  himself if that remains my only option! Chris, what say you? (CCed)

Another idea: There are forwarding services for sale, e.g. on eBay.
Order the book and have it sent to an address in the USA, and this
service forwards it to you anywhere.
Yet another idea: There are file sharing services e.g. rapidshare.com
which might serve the book. I thought this was legal since premium users
pay for the service?

Teus.





Re: [PHP] array conversion

2010-02-19 Thread Richard Quadling
On 19 February 2010 15:52, tedd tedd.sperl...@gmail.com wrote:
 At 10:48 AM + 2/19/10, Richard Quadling wrote:

 On 19 February 2010 07:26, Adam Richardson simples...@gmail.com wrote:
  Or,

 Code fight!!!

 http://www.webbytedd.com/ccc/array/

 After reviewing the entries, mine does not provide any significant
 difference. I did it as a mental exercise after looking at several built-in
 array functions (array_flip(), array_combine(), etc. ) that I thought might
 solve the problem, but didn't.

 tedd
 --
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com


Just wanting to join in.

<?php
$array = array
(
'key1',
'value1',
'key2',
'value2',
);

$result = array();
while(!is_null($result[array_shift($array)] = array_shift($array)));
array_pop($result);
print_r($result);
?>

outputs ...

Array
(
    [key1] => value1
    [key2] => value2
)



-- 
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread tedd

At 5:43 PM +0200 2/19/10, Dotan Cohen wrote:

On 19 February 2010 16:27, tedd tedd.sperl...@gmail.com wrote:
  An excellent book on this (and much more) is Chris Shiflett's Essential PHP

 Security. You can pick it up on Amazon for less than $20 -- well worth the
 cost.



They don't ship to Israel! I have looked for it locally, but not found
it. I'm sure that I could acquire a copy on some p2p service but I
really don't like doing that. Maybe I could Paypal $20 to Chris
himself if that remains my only option! Chris, what say you? (CCed)


--
Dotan Cohen



Dotan:

What about eBook ($23.99)?

http://oreilly.com/catalog/9780596006563

If you can get this, you can get that.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




[PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource

2010-02-19 Thread Mark Cilissen

David Hutto wrote:


--- On Fri, 2/19/10, David Hutto dwightdhu...@yahoo.com wrote:

From: David Hutto dwightdhu...@yahoo.com
Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL 
result resource
To: php-general@lists.php.net
Date: Friday, February 19, 2010, 3:30 AM

The following script is supposed to validate a username and password in a mysql 
db.  When entering the username and password of a preregistered user, I get the 
following errors:

Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /var/www/login.php on line 24



Warning:  Cannot modify header information - headers already sent by (output 
started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:


if(!mysql_num_rows($login)) //if the username and pass are wrong


--The supplied argument is $login, which is previously defined as:


$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = 
'$pass`");


--which is further defined above it as these values:

  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the 
mysql_query() to test for whether the username and md5 password values are 
true/equivalent to each other?

Because basically !mysql_num_rows($login) is just if'ing the lack of a 
user/pass match, else it continues to set cookie and session variables.

If I'm looking at this wrong let me know.

Thanks for any help you may be able to provide, below is the
 full login.php page.

David


This is the full login.php script, I'm pretty sure no other portions are needed 
to show at this point for the current problem:

<?php
$act = $_GET['act']; //retrieves the page action
if(empty($act)) //if there is no action
{
  echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
  <p>Username
  <input type="text" name="user">
  </p>
  <p>Password
  <input type="password" name="pass">
  </p>
  <p>
  <input type="submit" name="Submit" value="Login">
  </p>
  </form>');
}
elseif($act == "auth") //if our page action = auth
{
  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md5
  include("connect.php"); //connects to our mysql database
  //selects info from our table if the row has the same user and pass that our form does
  $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`");
  if(!mysql_num_rows($login)) //if the username and pass are wrong
  {
    header("Location: login.php");  //redirects to our login page
    die(); //stops the page from going any further
  }
  else
  {
    setcookie("user", $user, time()+3600);//sets our user cookie
    setcookie("pass", $pass, time()+3600);//sets our pass cookie
    header("Location: memprar.php");//instead of yourpage.php it would be your protected page
  }
}

?>





  



  


The query should be:
SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'

Remember: ` for tables and columns, ' for strings.
Also, look up SQL Injection, as your script contains a huge vulnerability.
This can be fixed using mysql_real_escape_string, so it is this:
"SELECT * FROM `userinfo` WHERE `user` = 
'".mysql_real_escape_string($user)."' AND `pass` = 
'".mysql_real_escape_string($pass)."'"


--
Kind regards,
Mark Cilissen / Pixlism
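
A hardened form of the login check discussed above, as an added example that is not code from the thread. It swaps in PDO with a bound parameter for the interpolated mysql_query() string, password_hash()/password_verify() for md5(), and exception error mode so that a malformed query fails at the query itself instead of surfacing later as "not a valid MySQL result resource". The `userinfo` table and its `user` and `pass` columns come from the posted script; the `id` column, the in-memory SQLite database, the function names and the sample account are assumptions.

```php
<?php
// Added example, not code from the thread.

function open_user_db(): PDO
{
    // Constructed stand-in for the connection made in connect.php.
    $pdo = new PDO('sqlite::memory:');
    // A broken statement now throws at prepare/execute time.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE userinfo (
        id INTEGER PRIMARY KEY,
        user TEXT NOT NULL UNIQUE,
        pass TEXT NOT NULL
    )');

    // Constructed sample account; the stored value is a salted hash.
    $stmt = $pdo->prepare('INSERT INTO userinfo (user, pass) VALUES (:user, :pass)');
    $stmt->execute([
        ':user' => "o'neil",
        ':pass' => password_hash('sample-password', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

/**
 * Returns the user's id on success, null on any failure.
 * $user and $password are taken as-is from $_POST, so they may not be strings.
 */
function check_login(PDO $pdo, $user, $password): ?int
{
    if (!is_string($user) || !is_string($password) || $user === '') {
        return null;
    }

    // Look the row up by user name only; the name is bound, not interpolated,
    // so a quote character in it is data and cannot change the statement.
    $stmt = $pdo->prepare('SELECT id, pass FROM userinfo WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Compare in PHP against the stored hash instead of matching in SQL.
    return password_verify($password, $row['pass']) ? (int) $row['id'] : null;
}

// Constructed sample requests.
$pdo = open_user_db();
var_dump(check_login($pdo, "o'neil", 'sample-password')); // known user, right password
var_dump(check_login($pdo, "o'neil", 'wrong-password'));  // known user, wrong password
var_dump(check_login($pdo, 'nobody', 'sample-password')); // unknown user
var_dump(check_login($pdo, ['x'], 'sample-password'));    // non-string input

// On success a web script would call session_start(), session_regenerate_id(true)
// and keep only the returned id in $_SESSION, instead of putting the user name
// and password hash into cookies.
```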




Re: [PHP] Using base64 encode and decode to store user data in database

2010-02-19 Thread Dotan Cohen
 What about eBook ($23.99)?

 http://oreilly.com/catalog/9780596006563

 If you can get this, you can get that.


That may be a good idea. Certainly better than the pirate bay.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

Please CC me if you want to be sure that I read your message. I do not
read all list mail.




Re: [PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource

2010-02-19 Thread Ashley Sheridan
On Fri, 2010-02-19 at 18:30 +0100, Mark Cilissen wrote:

 David Hutto wrote:
  
  --- On Fri, 2/19/10, David Hutto dwightdhu...@yahoo.com wrote:
  
  From: David Hutto dwightdhu...@yahoo.com
  Subject: Login Script: mysql_num_rows(): supplied argument is not a valid 
  MySQL result resource
  To: php-general@lists.php.net
  Date: Friday, February 19, 2010, 3:30 AM
  
  The following script is supposed to validate a username and password in a 
  mysql db.  When entering the username and password of a preregistered user, 
  I get the following errors:
  
  Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
  resource in /var/www/login.php on line 24
  
  
  
  Warning:  Cannot modify header information - headers already sent by 
  (output started at /var/www/login.php:24) in /var/www/login.php on line 26
  
  On line 24 is:
  
  if(!mysql_num_rows($login)) //if the username and pass are wrong
  
  --The supplied argument is $login, which is previously defined as:
  
  $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' 
  AND `pass` = '$pass`");
  
  --which is further defined above it as these values:
  
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md
  
  So why is the sum of those previous definitions an invalid argument for the 
  mysql_query() to test for whether the username and md5 password values are 
  true/equivalent to each other?
  
  Because basically !mysql_num_rows($login) is just if'ing the lack of a 
  user/pass match, else it continues to set cookie and session variables.
  
  If I'm looking at this wrong let me know.
  
  Thanks for any help you may be able to provide, below is the
   full login.php page.
  
  David
  
  
  This is the full login.php script, I'm pretty sure no other portions are 
  needed to show at this point for the current problem:
  
  <?php
  $act = $_GET['act']; //retrieves the page action
  if(empty($act)) //if there is no action
  {
    echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
    <p>Username
    <input type="text" name="user">
    </p>
    <p>Password
    <input type="password" name="pass">
    </p>
    <p>
    <input type="submit" name="Submit" value="Login">
    </p>
    </form>');
  }
  elseif($act == "auth") //if our page action = auth
  {
    $user = $_POST['user']; //pulls the username from the form
    $pw = $_POST['pass']; //pulls the pass from the form
    $pass = md5($pw); //makes our password an md5
    include("connect.php"); //connects to our mysql database
    //selects info from our table if the row has the same user and pass that our form does
    $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`");
    if(!mysql_num_rows($login)) //if the username and pass are wrong
    {
      header("Location: login.php");  //redirects to our login page
      die(); //stops the page from going any further
    }
    else
    {
      setcookie("user", $user, time()+3600);//sets our user cookie
      setcookie("pass", $pass, time()+3600);//sets our pass cookie
      header("Location: memprar.php");//instead of yourpage.php it would be your protected page
    }
  }
  ?>
  
  
  
  
  

  
  

 
 The query should be:
 SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'
 
 Remember: ` for tables and columns, ' for strings.
 Also, look up SQL Injection, as your script contains a huge vulnerability.
 This can be fixed using mysql_real_escape_string, so it is this:
 "SELECT * FROM `userinfo` WHERE `user` = 
 '".mysql_real_escape_string($user)."' AND `pass` = 
 '".mysql_real_escape_string($pass)."'"
 
 -- 
 Kind regards,
 Mark Cilissen / Pixlism
 


I did cover all of those points and give the same sanitisation
suggestion in the email I sent to this question earlier!

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] Advice on maintaining public and private files

2010-02-19 Thread Michael Stroh
I have a site I'm working on with some data that I want to be readable by 
anyone, but some files that I want to keep hidden from outside users. Here is 
an example of my file structure.

/products/data1/item_1/data.txt
/products/data2/item_2/data.txt

I would like everything in data1 to be available by anyone who visits the site, 
but I want to keep items in the data2 folder to only be accessible through 
certain web page which I hope to eventually require logins. Some of these items 
I'd like to not only display but also allow people to download.

My main concern is that I don't want people to be able to guess the names of 
the files and then be able to access the information on them. Every 'item' has 
an entry in a MySQL database which holds some information. I was thinking I 
could have randomly generated folder names to take the place of the things like 
'item_2' such as

/products/data2/kl23j42i/data.txt

and then link the folder name through a database entry. But I'm not sure if 
there are more elegant or easier ways to deal with this. Plus someone could 
still just try randomly querying the site until they get a match. I'd first 
like to just create a web page where you can go to access the hidden files but 
would later like to add more control for other users using logins and passwords.

Most of my files are just text files and images. Any suggestions?

Thanks in advance!

Michael



Re: [PHP] Advice on maintaining public and private files

2010-02-19 Thread Bastien Koert
On Fri, Feb 19, 2010 at 1:19 PM, Michael Stroh st...@astroh.org wrote:
 I have a site I'm working on with some data that I want to be readable by 
 anyone, but some files that I want to keep hidden from outside users. Here is 
 an example of my file structure.

 /products/data1/item_1/data.txt
 /products/data2/item_2/data.txt

 I would like everything in data1 to be available by anyone who visits the 
 site, but I want to keep items in the data2 folder to only be accessible 
 through certain web page which I hope to eventually require logins. Some of 
 these items I'd like to not only display but also allow people to download.

 My main concern is that I don't want people to be able to guess the names of 
 the files and then be able to access the information on them. Every 'item' 
 has an entry in a MySQL database which holds some information. I was thinking 
 I could have randomly generated folder names to take the place of the things 
 like 'item_2' such as

 /products/data2/kl23j42i/data.txt

 and then link the folder name through a database entry. But I'm not sure if 
 there are more elegant or easier ways to deal with this. Plus someone could 
 still just try randomly querying the site until they get a match. I'd first 
 like to just create a web page where you can go to access the hidden files 
 but would later like to add more control for other users using logins and 
 passwords.

 Most of my files are just text files and images. Any suggestions?

 Thanks in advance!

 Michael
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




Place all those files above the web root, then use PHP to read in the
data from the files when displaying that data to the user.
-- 

Bastien

Cat, the other other white meat




[PHP] Re: Magnetic Stripe Reader or Barcode to PHP

2010-02-19 Thread Shawn McKenzie
Daevid Vincent wrote:
 I'll confess that I've done almost zero research on this topic as of right
 now aside from pricing readers and blank cards.
 
 So we're opening a new super-club here in Seattle. One of the ideas we'd
 like to pursue is that people are assigned a card. This can be a magstripe
 card or something with a barcode. Not really sure at the moment which way
 to go.
 
 The idea being that when they enter, we swipe/scan their card and we can
 log stats (# of visits, # guests, favorite drink so the bar has it ready,
 enter into contest, etc.) I was thinking we setup a simple netbook with a
 USB reader at the front door when they pay. Then we have another back at
 the bar. Connect via WiFi. Have a notebook somewhere behind the scenes that
 runs LAMP (or a VM thereof). No internet needed.  The backend database and
 even web/GUI stuff is of course trivial with any LAMP stack.
 
 What I don't know is how do I interface _to_ PHP from say a magstripe
 reader. They're dirt cheap ($50), but I assume come with zero software.
 http://www.kanecal.net/mag-stripe-reader-scanner.html . And there are
 hundreds of these gadgets out there all the same basically.
 
 I guess what I'm hoping for is some pointers, from someone who's done this
 sort of thing.
 
 My gut thought is something so simple, where there is some XP software (or
 Linux I suppose) that reads the card (and generally they only have a number
 encoded on them) and this is sent via a URL we define, such as
 http://192.168.10.100/door.php?id=123456 or
 http://192.168.10.100/bar.php?id=123456 etc. (ignore the security issues
 and all that. It's trivial to encode the parameters, plus it's a closed
 system with WEP/WPA/WTF). But does anyone know of such a key piece of code?
 
 Like I said, I'm not locked into magcards. It could be a barcode reader
 just as easily. Or fingerprint scanner, or facial recognition. In the end
 it's just a unique thing that maps to a unique number. I just need the
 FM (F*ckin' Magic -- it's a programmer term -- look it up!) that goes in
 between PHP and the hardware.
 
 http://daevid.com
 
 Some people, when confronted with a problem, think 'I know, I'll use
 XML.'
 Now they have two problems. 
 

As someone else pointed out, many of these readers come with software
that automatically enters data into an input field (where the cursor is)
when a card is swiped.

So you have a PHP web app on your LAMP box that the other netbooks point
to.  When they swipe the card it inputs into the text field and uses an
onchange() to submit the form and redisplay the form, or have other
fields that need to be populated (guests, etc.).

I haven't done it, but seems simple enough.  You just need to figure out
what you'll use.  Maybe driver's license since you need that anyway at a
club (at least in the U.S.).

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Advice on maintaining public and private files

2010-02-19 Thread Rene Veerman
the proper way i know of is not the easiest to implement..;

1) create a php script that accepts enough parameters to get at your data.
eg: /products/view.php?dataNr=1&itemNr=1
2) let that script compare the current user (visitor who's logged in)
to authentication data that tells it if the user can access the
data requested. if it fails, you can route the user to a std page or
to a custom page (store in auth-data under onFail)
3) use apache's RewriteRule in /products/.htaccess to point virtual
urls  to the view script; /products/data1/item_1/data.txt =>
/products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like
that).

the main problem here is how to properly store authentication data.
how far to go depends on your (future) requirements.

for my cms i went all the way and copied the unix filesystem
permission architecture (incl the concept of users in groups) to work
from mysql on an object-cloud (mapped to any path(s) elsewhere).

but you can just as easily just map userIDs to array records
containing the keys that view.php works on. sorta like:
global $permissions;
$permissions = array (
  100 => array(
    array (
     'dataNr' => 1,
     'itemNr' => 1,
     'fileID' => 'data.txt',
     'mayRead' => true,
     'mayWrite' => false
    ),
    // ...other objects user 100 has permissions for...
  ),
  // userID => permissionsList
);

you could use username instead of userid even, but i recommend against
that if you're going to store user-definition records in a db, of
course.


On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh st...@astroh.org wrote:
 I have a site I'm working on with some data that I want to be readable by 
 anyone, but some files that I want to keep hidden from outside users. Here is 
 an example of my file structure.

 /products/data1/item_1/data.txt
 /products/data2/item_2/data.txt

 I would like everything in data1 to be available by anyone who visits the 
 site, but I want to keep items in the data2 folder to only be accessible 
 through certain web page which I hope to eventually require logins. Some of 
 these items I'd like to not only display but also allow people to download.

 My main concern is that I don't want people to be able to guess the names of 
 the files and then be able to access the information on them. Every 'item' 
 has an entry in a MySQL database which holds some information. I was thinking 
 I could have randomly generated folder names to take the place of the things 
 like 'item_2' such as

 /products/data2/kl23j42i/data.txt

 and then link the folder name through a database entry. But I'm not sure if 
 there are more elegant or easier ways to deal with this. Plus someone could 
 still just try randomly querying the site until they get a match. I'd first 
 like to just create a web page where you can go to access the hidden files 
 but would later like to add more control for other users using logins and 
 passwords.

 Most of my files are just text files and images. Any suggestions?

 Thanks in advance!

 Michael
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php






Re: [PHP] Advice on maintaining public and private files

2010-02-19 Thread Rene Veerman
As far as storing the files, use a separate subdirectory called
rawData or something, and place all your files in there, aim for 10
- 5000 files per directory, and keep it logical.
But since you want to stop guessers from accessing it, use a
randomID() function that you create to generate a random subdirectory
under rawData.
You could also use just the -MM-DD HH-MM-SS of the
submit/upload-date for the file or the last-modification date of the
file.

Then create something that maps IDs (dataNr, itemNr, fileID) to the
relative path under rawData.

Then let view.php readfile() and output the requested file, instead of
sending any link to your rawData-subdirectory-location to the
browser.

It should be airtight then.
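
The approach suggested in this thread by Bastien (files kept outside the web root and read by PHP) and by Rene (a view script that checks a per-user permission map before calling readfile()), as an added example that is not code from either poster. The permission map follows the shape of Rene's array; the temporary directory, user ids, function names and file contents are assumptions constructed so the script runs offline.

```php
<?php
// Added example, not code from the thread.

// Private store outside the document root. Constructed here as a temp
// directory; on a real site it would be a fixed path the web server cannot map.
$privateRoot = sys_get_temp_dir() . '/rawData_' . bin2hex(random_bytes(4));
mkdir("$privateRoot/data2/item_2", 0700, true);
file_put_contents("$privateRoot/data2/item_2/data.txt", "members only\n");

// userID => list of objects that user holds permissions for (constructed).
$permissions = [
    100 => [
        ['dataNr' => 2, 'itemNr' => 2, 'fileID' => 'data.txt', 'mayRead' => true],
    ],
];

function may_read(array $permissions, int $userId, int $dataNr, int $itemNr, string $fileID): bool
{
    foreach ($permissions[$userId] ?? [] as $p) {
        if ($p['dataNr'] === $dataNr && $p['itemNr'] === $itemNr && $p['fileID'] === $fileID) {
            return $p['mayRead'] === true;
        }
    }
    return false; // default deny: no entry means no access
}

/** Returns the absolute path to serve, or null when the request is refused. */
function resolve_private_file(string $root, array $permissions, ?int $userId,
                              $dataNr, $itemNr, $fileID): ?string
{
    $dataNr = filter_var($dataNr, FILTER_VALIDATE_INT);
    $itemNr = filter_var($itemNr, FILTER_VALIDATE_INT);
    if ($userId === null || $dataNr === false || $itemNr === false || !is_string($fileID)) {
        return null;
    }
    // The file parameter must be a bare name, never a path.
    if ($fileID === '' || $fileID !== basename($fileID)) {
        return null;
    }
    if (!may_read($permissions, $userId, $dataNr, $itemNr, $fileID)) {
        return null;
    }
    // Resolve symlinks and dot segments, then confirm the result is still
    // inside the private store before touching the file.
    $base = realpath($root);
    $path = realpath("$root/data$dataNr/item_$itemNr/$fileID");
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** What view.php does once a path has been approved (not called in this demo). */
function send_private_file(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Constructed requests; the user id would come from the login session.
$requests = [
    'permitted user'       => [100,  '2', '2', 'data.txt'],
    'not logged in'        => [null, '2', '2', 'data.txt'],
    'user without entry'   => [101,  '2', '2', 'data.txt'],
    'path instead of name' => [100,  '2', '2', '../item_2/data.txt'],
    'non-numeric item'     => [100,  '2', 'two', 'data.txt'],
];
foreach ($requests as $label => [$uid, $d, $i, $f]) {
    $path = resolve_private_file($privateRoot, $permissions, $uid, $d, $i, $f);
    echo str_pad($label, 22), ' => ', $path === null ? 'refused' : 'serve ' . basename($path), "\n";
}

// Remove the constructed files again.
unlink("$privateRoot/data2/item_2/data.txt");
rmdir("$privateRoot/data2/item_2");
rmdir("$privateRoot/data2");
rmdir($privateRoot);
```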




Re: [PHP] Advice on maintaining public and private files

2010-02-19 Thread Rene Veerman
1 more thing: doing this right isn't easy. at all.
it took me more than a year to do it properly.

you may wanna look around on sf.net for any package that can do this for you.

On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh st...@astroh.org wrote:
 I have a site I'm working on with some data that I want to be readable by 
 anyone, but some files that I want to keep hidden from outside users. Here is 
 an example of my file structure.

 /products/data1/item_1/data.txt
 /products/data2/item_2/data.txt

 I would like everything in data1 to be available by anyone who visits the 
 site, but I want to keep items in the data2 folder to only be accessible 
 through certain web page which I hope to eventually require logins. Some of 
 these items I'd like to not only display but also allow people to download.

 My main concern is that I don't want people to be able to guess the names of 
 the files and then be able to access the information on them. Every 'item' 
 has an entry in a MySQL database which holds some information. I was thinking 
 I could have randomly generated folder names to take the place of the things 
 like 'item_2' such as

 /products/data2/kl23j42i/data.txt

 and then link the folder name through a database entry. But I'm not sure if 
 there are more elegant or easier ways to deal with this. Plus someone could 
 still just try randomly querying the site until they get a match. I'd first 
 like to just create a web page where you can go to access the hidden files 
 but would later like to add more control for other users using logins and 
 passwords.

 Most of my files are just text files and images. Any suggestions?

 Thanks in advance!

 Michael
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php






[PHP] Max file size in fopen()

2010-02-19 Thread Darvin Denmian
Hello,

I need to open a file with more than 2GB but the following error occurs:

failed to open stream: Value too large for defined data type in
/srv/www/sandboxes/dev02/test.php on line 2

I'm running this php in a 32 bits system.

Googling I found that with the option
CFLAGS=-D_FILE_OFFSET_BITS=64  the problem can be solved.

Will I have this issue in a 64 bits System?

Is there some recognized solution for this issue?

Thanks.




Re: [PHP] Max file size in fopen()

2010-02-19 Thread Ashley Sheridan
On Fri, 2010-02-19 at 17:42 -0200, Darvin Denmian wrote:

 Hello,
 
 I need to open a file with more than 2GB but the following error occurs:
 
 failed to open stream: Value too large for defined data type in
 /srv/www/sandboxes/dev02/test.php on line 2
 
 I'm running this php in a 32 bits system.
 
 Googling I found that with the option
 CFLAGS=-D_FILE_OFFSET_BITS=64  the problem can be solved.
 
 Will I have this issue in a 64 bits System?
 
 Is there some recognized solution for this issue?
 
 Thanks.
 


32-bit PHP has quite a few problems with large files. I ran into an odd
one where I couldn't even get the dates from a file that was over 2GB! I
think you may be running into something similar here, where some value
that is needed to work with the file is going over the maximum that
32-bit can handle. 64-bit should fix the problem, but if you're in
doubt, you could try testing it on a VM first?

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Re: Login Script: mysql_num_rows(): supplied argument isnot a valid MySQL result resource

2010-02-19 Thread Mark Cilissen

Ashley Sheridan wrote:

On Fri, 2010-02-19 at 18:30 +0100, Mark Cilissen wrote:


David Hutto wrote:

--- On Fri, 2/19/10, David Hutto dwightdhu...@yahoo.com wrote:

From: David Hutto dwightdhu...@yahoo.com
Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL 
result resource
To: php-general@lists.php.net
Date: Friday, February 19, 2010, 3:30 AM

The following script is supposed to validate a username and password in a mysql 
db.  When entering the username and password of a preregistered user, I get the 
following errors:

Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /var/www/login.php on line 24



Warning:  Cannot modify header information - headers already sent by (output 
started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:


if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:


$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = 
'$pass`");

--which is further defined above it as these values:

  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the 
mysql_query() to test for whether the username and md5 password values are 
true/equivalent to each other?

Because basically !mysql_num_rows($login) is just if'ing the lack of a 
user/pass match, else it continues to set cookie and session variables.

If I'm looking at this wrong let me know.

Thanks for any help you may be able to provide, below is the
 full login.php page.

David


This is the full login.php script, I'm pretty sure no other portions are needed 
to show at this point for the current problem:

<?php
$act = $_GET['act']; //retrieves the page action
if(empty($act)) //if there is no action
{
  echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
  <p>Username
  <input type="text" name="user">
  </p>
  <p>Password
  <input type="password" name="pass">
  </p>
  <p>
  <input type="submit" name="Submit" value="Login">
  </p>
  </form>');
}
elseif($act == "auth") //if our page action = auth
{
  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md5
  include("connect.php"); //connects to our mysql database
  //selects info from our table if the row has the same user and pass that our form does
  $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`");
  if(!mysql_num_rows($login)) //if the username and pass are wrong
  {
    header("Location: login.php");  //redirects to our login page
    die(); //stops the page from going any further
  }
  else
  {
    setcookie("user", $user, time()+3600);//sets our user cookie
    setcookie("pass", $pass, time()+3600);//sets our pass cookie
    header("Location: memprar.php");//instead of yourpage.php it would be your protected page
  }
}

?>





  



  

The query should be:
SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'

Remember: ` for tables and columns, ' for strings.
Also, look up SQL Injection, as your script contains a huge vulnerability.
This can be fixed using mysql_real_escape_string, so it is this:
"SELECT * FROM `userinfo` WHERE `user` = '".mysql_real_escape_string($user)."' AND `pass` = '".mysql_real_escape_string($pass)."'"


--
Kind regards,
Mark Cilissen / Pixlism
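
The escaping advice above, taken one step further as an added example (not code from the thread): PDO with an in-memory SQLite database stands in for the mysql_* calls, a bound parameter replaces string concatenation, and password_hash()/password_verify() replace md5(). The account and the sample inputs are constructed.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the thread's mysql_* calls.
// The account and the sample inputs below are constructed.
$db = new PDO('sqlite::memory:');
// Failed queries throw instead of returning false, so a malformed statement
// cannot reach the row check the way it did on line 24 of login.php.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$db->prepare('INSERT INTO userinfo (user, pass) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Shape used in the thread: the form value becomes part of the SQL text. */
function user_exists_concatenated(PDO $db, string $user): bool
{
    $sql = "SELECT COUNT(*) FROM userinfo WHERE user = '$user'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

/** Hardened: the value is bound as data and can never change the statement. */
function login_prepared(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pass FROM userinfo WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

$name = "O'Brien"; // a legitimate name that contains a quote character
try {
    user_exists_concatenated($db, $name);
} catch (PDOException $e) {
    // The quote ended the string literal early and the rest was parsed as SQL.
    echo 'concatenated: ', $e->getMessage(), "\n";
}
echo 'prepared, unknown user:   ', var_export(login_prepared($db, $name, 'x'), true), "\n";
echo 'prepared, wrong password: ', var_export(login_prepared($db, 'alice', 'x'), true), "\n";
echo 'prepared, valid login:    ', var_export(login_prepared($db, 'alice', 'correct horse'), true), "\n";
```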




I did cover all of those points and give the same sanitisation
suggestion in the email I sent to this question earlier!

Thanks,
Ash
http://www.ashleysheridan.co.uk





Didn't see it, it was in another thread.

--
Kind regards,
Mark Cilissen / Pixlism

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Advice on maintaining public and private files

2010-02-19 Thread Bob McConnell
From: Rene Veerman

> the proper way i know of is not the easiest to implement..;
>
> 1) create a php script that accepts enough parameters to get at your data.
> eg: /products/view.php?dataNr=1&itemNr=1
> 2) let that script compare the current user (visitor who's logged in)
> to authentication data that tells which it if the user can access the
> data requested. if it fails, you can route the user to a std page or
> to a custom page (store in auth-data under onFail)
> 3) use apache's RewriteRule in /products/.htaccess to point virtual
> urls  to the view script; /products/data1/item_1/data.txt =>
> /products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like
> that).
>
> the main problem here is how to properly store authentication data.
> how far to go depends on your (future) requirements.

There are some easier tricks, but still not simple. Only the wrapper
script should be in the webroot space. Everything else should be outside
of it, but accessible by the user that the web server runs under. The
wrapper also manages the session and any other access controls
necessary, such as connections to a DB server. Once you parse the
parameters from the URL, use require() or require_once() to link in the
specific pages you need from outside webroot. This way none of the files
or paths are exposed to the browser and nobody can get to those pages
without going through the authentication in the wrapper. You can even
pull in more than one, so there could be one file for the banner, one
for the menu tree on the left column, one for a header, one for the page
specific content and one for the footer. It makes global updates
relatively easy, but can be a pain to get started.

Bob McConnell
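
The wrapper described above, as an added example that is not code from the thread: the URL supplies only a key, the wrapper maps it to a file under a private directory, checks the login requirement, and confirms the resolved path stays inside that directory before it would be passed to require(). The page ids, file names, the 'user' session key and the temporary directory are hypothetical.

```php
<?php
// Added example, not code from the thread. Page ids, file names and the
// 'user' session key are hypothetical.

/** Returns the absolute path the wrapper may require(), or null to refuse. */
function resolve_page(string $id, array $session, array $pages, string $privateDir): ?string
{
    if (!isset($pages[$id])) {
        return null; // the URL carries a key from the map, never a path
    }
    if ($pages[$id]['login'] && empty($session['user'])) {
        return null; // protected page and no logged-in user
    }
    $base = realpath($privateDir);
    $path = realpath($privateDir . '/' . $pages[$id]['file']);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Containment: the resolved file must sit inside the private tree. The
    // trailing separator keeps a sibling such as "private_old" from matching.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed layout standing in for a directory outside the webroot.
$private = sys_get_temp_dir() . '/private_' . bin2hex(random_bytes(4));
mkdir($private . '/data1', 0700, true);
mkdir($private . '/data2', 0700, true);
file_put_contents($private . '/data1/item.php', "public item\n");
file_put_contents($private . '/data2/item.php', "members-only item\n");
file_put_contents($private . '_old.php', "outside the private tree\n");

$pages = [
    'item1' => ['file' => 'data1/item.php', 'login' => false],
    'item2' => ['file' => 'data2/item.php', 'login' => true],
    // Misconfigured entry that points outside the private tree.
    'stray' => ['file' => '../' . basename($private) . '_old.php', 'login' => false],
];
$requests = [
    ['item1', []], ['item2', []], ['item2', ['user' => 'michael']],
    ['stray', []], ['data2/item.php', []],
];
foreach ($requests as [$id, $session]) {
    $path = resolve_page($id, $session, $pages, $private);
    printf("%-15s %-10s %s\n", $id, $session ? 'logged in' : 'anonymous',
        $path === null ? 'refused' : 'require ' . substr($path, strlen(realpath($private)) + 1));
}
```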




[PHP] Excel Spreadsheets and PHP

2010-02-19 Thread Ian Robertson
Hello, everyone.

Just a quick question.

What are you using, if anything, to create Excel spreadsheets with PHP?

Thank you in advance.




RE: [PHP] Excel Spreadsheets and PHP

2010-02-19 Thread Bob McConnell
From: Ian Robertson

> What are you using, if anything, to create Excel spreadsheets with
> PHP?
 

Output CSV files with the correct MIME type. MS-Windows will open them
in Excel by default in both IE and Firefox.

Unfortunately, this happens even if you have Open Office installed and
would prefer to use that.

Bob McConnell




RE: [PHP] Excel Spreadsheets and PHP

2010-02-19 Thread Ashley Sheridan
On Fri, 2010-02-19 at 15:36 -0500, Bob McConnell wrote:

> From: Ian Robertson
>
> > What are you using, if anything, to create Excel spreadsheets with
> > PHP?
>
> Output CSV files with the correct MIME type. MS-Windows will open them
> in Excel by default in both IE and Firefox.
>
> Unfortunately, this happens even if you have Open Office installed and
> would prefer to use that.
>
> Bob McConnell


I believe there are pear classes to output these files, and the new xlsx
format is XML-based so shouldn't be too difficult to output something
simple. Also, the ods format is well documented, and again should be
very easy to output to.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Excel Spreadsheets and PHP

2010-02-19 Thread Andrew Ballard
On Fri, Feb 19, 2010 at 3:36 PM, Bob McConnell <r...@cbord.com> wrote:
> From: Ian Robertson
>
>> What are you using, if anything, to create Excel spreadsheets with
>> PHP?
>
> Output CSV files with the correct MIME type. MS-Windows will open them
> in Excel by default in both IE and Firefox.
>
> Unfortunately, this happens even if you have Open Office installed and
> would prefer to use that.
>
> Bob McConnell




If you need more control over formatting, formulas, etc., there is an
XML format that Microsoft supports.

http://msdn.microsoft.com/en-us/library/aa140066%28office.10%29.aspx

Then you can use DOM in PHP to build what you need.

Andrew




RE: [PHP] Excel Spreadsheets and PHP

2010-02-19 Thread Hansen, Mike
> -----Original Message-----
> From: Ian Robertson [mailto:irobert...@americantextile.com]
> Sent: Friday, February 19, 2010 1:28 PM
> To: php-general@lists.php.net
> Subject: [PHP] Excel Spreadsheets and PHP
>
> Hello, everyone.
>
> Just a quick question.
>
> What are you using, if anything, to create Excel spreadsheets
> with PHP?
>
> Thank you in advance.

Pear Spreadsheet Excel Writer.

http://pear.php.net/package/Spreadsheet_Excel_Writer


Mike




Re: [PHP] Excel Spreadsheets and PHP

2010-02-19 Thread Bastien Koert
You can also create an html table and excel will happily handle that as well.

The real trick is to get IE to accept the stream as a file download. I
find that I need to save the file first and then push the file down.



On 2/19/10, Hansen, Mike <mike.han...@atmel.com> wrote:
>> -----Original Message-----
>> From: Ian Robertson [mailto:irobert...@americantextile.com]
>> Sent: Friday, February 19, 2010 1:28 PM
>> To: php-general@lists.php.net
>> Subject: [PHP] Excel Spreadsheets and PHP
>>
>> Hello, everyone.
>>
>> Just a quick question.
>>
>> What are you using, if anything, to create Excel spreadsheets
>> with PHP?
>>
>> Thank you in advance.
>
> Pear Spreadsheet Excel Writer.
>
> http://pear.php.net/package/Spreadsheet_Excel_Writer
>
> Mike




-- 
Sent from my mobile device


Bastien

Cat, the other other white meat




RE: [PHP] Excel Spreadsheets and PHP

2010-02-19 Thread Daevid Vincent
> > -----Original Message-----
> > From: Ian Robertson [mailto:irobert...@americantextile.com]
> > Sent: Friday, February 19, 2010 1:28 PM
> > To: php-general@lists.php.net
> > Subject: [PHP] Excel Spreadsheets and PHP
> >
> > Hello, everyone.
> >
> > Just a quick question.
> >
> > What are you using, if anything, to create Excel spreadsheets
> > with PHP?
> >
> > Thank you in advance.
> >
> > Pear Spreadsheet Excel Writer.
> >
> > http://pear.php.net/package/Spreadsheet_Excel_Writer

Related, here is a routine we use. Assuming you already have your data in a
multi-array.


/**
 * Outputs an Excel .xls file
 * Note: a row that starts with --- will be considered a separator row and output any text following the --- as such.
 *
 * @param string $title_text The name of the title in the Excel .xls document (gmdate('Y-m-d H:i') is auto appended)
 * @param array $header_array an array of headers for each column
 * @param array $data_array the data for each column and row
 * @param string $file_name the name of the .xls file to save as (gmdate('Y-m-d H:i') is auto appended), defaults to $title_text
 * @author Daevid Vincent
 * @date   10/29/2009
 */
function download_table_to_excel($title_text, $header_array, $data_array, $file_name=null)
{
    //require_once './includes/gui/gui_setup.inc.php';

    if (!$file_name) $file_name = $title_text;
    $file_name = str_replace( array('[', ']'), array('(',')'), $file_name);

    add_user_log('Action', 'Download '.$file_name.' Excel file');

    set_include_path(get_include_path().PATH_SEPARATOR.ROOTPATH.'/includes/pear');
    require_once ROOTPATH.'/includes/pear/Spreadsheet/Excel/Writer.php';

    // Leading characters that get a space put in front of them before a cell is written
    $excel_control_characters = array('@', '=');

    $exceldoc = new Spreadsheet_Excel_Writer();

    // Set version to 8 (BIFF8) so strings are not truncated to 255 chars
    //$exceldoc->setVersion(8);

    //http://pear.php.net/manual/en/package.fileformats.spreadsheet-excel-writer.spreadsheet-excel-writer-workbook.setversion.php
    //http://forum.openx.org/index.php?showtopic=503418353
    //http://pear.php.net/bugs/bug.php?id=3384

    $worksheet = $exceldoc->addWorksheet('Sheet 1'); //sheet name can only be  31 chars, but we only use one sheet, so hard-code it

    $format_data = $exceldoc->addFormat();
    $format_data->setTextWrap();

    // Create an array to track the value length per column, the default width is 8.11
    $max_column = count($header_array) - 1;
    $max_len_by_column = array();
    for ($col = 0; $col <= $max_column; $col++)
        $max_len_by_column[$col] = 8.11;

    $row = -1;
    // Optionally write table title
    if ($title_text)
    {
        $format_title = $exceldoc->addFormat();
        $format_title->setAlign('center');
        $format_title->setAlign('vcenter');
        $format_title->setBold();
        $format_title->setTextWrap();

        $title_text .= ' (created on '.gmdate('Y-m-d @ H:i').' UTC)';
        // adjust the row height from the number of lines in the table title
        $lines = substr_count($title_text, '<br>') + 1;
        $height = $lines * 14;
        $row++;
        $value = html_entity_decode(trim(strip_tags(str_replace('<br>', "\n", $title_text))));
        if (is_string($value) && in_array(substr($value,0,1), $excel_control_characters)) $value = ' '.$value; // Add a space before Excel control characters
        $worksheet->write($row, 0, $value, $format_title);
        $worksheet->setRow($row, $height);
        $worksheet->mergeCells($row, 0, $row, $max_column);
    }

    // Write column headers
    $format_header = $exceldoc->addFormat();
    $format_header->setBold();
    $format_header->setTextWrap();

    $row++;
    foreach ($header_array as $col => $header)
    {
        // remove html tags from values
        $value = html_entity_decode(trim(strip_tags(str_replace('<br>', "\n", is_array($header) ? $header[0] : $header))));
        if (is_string($value) and in_array(substr($value,0,1), $excel_control_characters)) $value = " ".$value; // Add a space before Excel control characters
        $worksheet->write($row, $col, $value, $format_header);
        if (is_array($header)) $worksheet->writeNote($row, $col, $header[1]);
    }

    foreach ($data_array as $i => $data)
    {
        $row++;
        $col = 0;

        //check for magic separator rows
        if ( substr($data,0,3) == '---' )
        {
            $separator_row = substr($data,3);
            // adjust the row height from the number of lines in the table title
            $lines = substr_count($separator_row, '<br>') + 1;
            $height = $lines * 14;
            $row++;
            $value =

[PHP] Re: Advice on maintaining public and private files

2010-02-19 Thread clancy_1
On Fri, 19 Feb 2010 13:19:50 -0500, st...@astroh.org (Michael Stroh) wrote:

> I have a site I'm working on with some data that I want to be readable by
> anyone, but some files that I want to keep hidden from outside users. Here
> is an example of my file structure.
>
> /products/data1/item_1/data.txt
> /products/data2/item_2/data.txt
>
> I would like everything in data1 to be available by anyone who visits the
> site, but I want to keep items in the data2 folder to only be accessible
> through certain web page which I hope to eventually require logins. Some of
> these items I'd like to not only display but also allow people to download.
>
> My main concern is that I don't want people to be able to guess the names
> of the files and then be able to access the information on them. Every
> 'item' has an entry in a MySQL database which holds some information. I was
> thinking I could have randomly generated folder names to take the place of
> the things like 'item_2' such as
>
> /products/data2/kl23j42i/data.txt
>
> and then link the folder name through a database entry. But I'm not sure if
> there are more elegant or easier ways to deal with this. Plus someone could
> still just try randomly querying the site until they get a match. I'd first
> like to just create a web page where you can go to access the hidden files
> but would later like to add more control for other users using logins and
> passwords.
>
> Most of my files are just text files and images. Any suggestions?
>
> Thanks in advance!
>
> Michael

I have been working on a website engine for some time, and have recently been
addressing these problems. The website layout is specified by text-based data
files, with a separate entry for each item on the page. These may be links to
subdirectories or even other websites, links to further index pages or links
to individual items.

Users are divided into groups, e.g. Guest, Admin, or Manager, and each data
file has a field specifying who is allowed to use it. Each entry has a similar
field, and when a data file is being loaded the loader checks that the current
user has permission to access it before allowing the file to be loaded, and
then as it processes each item in the file it checks if the user has
permission to view this item, and if not skips it.  This means that the user
only sees the items he is entitled to see. There is nothing to indicate that
anything is being hidden from him.

At present I only have one allowable group for each file or item, and permit
individual users to belong to multiple groups (as set up by the
administrator). On reflection it would probably be better to assign each user
to a single group, and allow multiple groups to be given access to the file.
At first I simply assigned each user a privilege level; 0, 1, 2, .. , but this
prevented giving some user groups access to some areas of the website, and
other user groups access to others.

Each website has one area containing data, and a separate one containing the
engine (which has all the code). The data area also contains a small file
index.php, which sets up site dependent parameters, and then hands access to
the engine.  I have several different websites sharing the same engine, and
this means both that the individual websites can specify different
configuration files and security requirements. One website can be fully
accessible, another only accessible after the user is logged in, and another
can have some areas only accessible through a hidden log in.

I use parameters to specify which page to be loaded, but I've recently
realised that this is a significant security hole, as the parameters are
readily visible, and convey a lot of information about the structure of the
site. On second thoughts it would have been better to specify the various
directories and files by numbers.

The engine is in a separate directory which is not under the root, so it is
not readily accessible, but I wanted the photos to be able to be bookmarked,
which meant that they had to be under the root, and I put the data files with
them for simplicity. However this means that they can also be downloaded, so I
will have to move them to a different location, as some of them contain
valuable information. Fortunately the way the engine is designed makes this
reasonably simple to do.

You can see a very simple demonstration website at

http://www.cydalba.com/?new=1.

At present this is set up so that part of the website is only accessible by
hidden log in. If you access it via

http://www.cydalba.com/?new=1&action=log_in

you will be asked to log in, which you can do as 'Guest', with password
'Mandy17'.  Some more of the website will then be accessible.

Clancy
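
The two-level check described above (file first, then each entry), as an added example that is not the engine's own code: each user has a single group, each file and entry lists the groups allowed to see it, and a direct request for an item goes through the same check as the listing. The pipe-separated file format, the group names and the targets are hypothetical.

```php
<?php
// Added example, not the engine from the post. The file format, group names
// and targets are hypothetical.

/** Splits "Guest, Admin" into a list of group names. */
function parse_groups(string $field): array
{
    return array_values(array_filter(array_map('trim', explode(',', $field)), 'strlen'));
}

/**
 * Parses an index file. First line: groups allowed to load the file.
 * Other lines: "groups | title | target". Returns target => title for the
 * entries this group may see, or null when the file itself is off limits.
 * Malformed lines are skipped, so a broken entry is hidden rather than shown.
 */
function load_index(string $text, string $userGroup): ?array
{
    $lines = preg_split('/\R/', trim($text));
    if (!in_array($userGroup, parse_groups(array_shift($lines)), true)) {
        return null;
    }
    $visible = [];
    foreach ($lines as $line) {
        $fields = array_map('trim', explode('|', $line));
        if (count($fields) !== 3) {
            continue;
        }
        [$groups, $title, $target] = $fields;
        if (in_array($userGroup, parse_groups($groups), true)) {
            $visible[$target] = $title;
        }
    }
    return $visible;
}

/** A direct request for a target is checked against the same filtered list. */
function may_open(string $text, string $userGroup, string $target): bool
{
    $visible = load_index($text, $userGroup);
    return $visible !== null && array_key_exists($target, $visible);
}

// Constructed index file.
$index = <<<TXT
Guest, Manager, Admin
Guest, Manager, Admin | Photo gallery | gallery
Manager, Admin        | Price list    | prices
Admin                 | User accounts | users
TXT;

foreach (['Guest', 'Manager', 'Visitor'] as $group) {
    $seen = load_index($index, $group);
    echo $group, ': ', $seen === null ? 'file refused' : implode(', ', $seen), "\n";
}
echo 'Guest requests "prices" directly: ', var_export(may_open($index, 'Guest', 'prices'), true), "\n";
```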

