php-general Digest 5 Aug 2011 19:09:09 -0000 Issue 7430
php-general Digest 5 Aug 2011 19:09:09 - Issue 7430 Topics (messages 314370 through 314390): Re: Sending a message 314370 by: Negin Nickparsa 314371 by: wil prim 314372 by: Negin Nickparsa 314373 by: wil prim 314374 by: Negin Nickparsa 314375 by: Negin Nickparsa 314376 by: Negin Nickparsa 314377 by: David Holmes 314378 by: wil prim 314379 by: Negin Nickparsa 314380 by: Negin Nickparsa 314381 by: wil prim 314382 by: Negin Nickparsa 314383 by: Jim Lucas 314384 by: wil prim 314385 by: Negin Nickparsa Re: saving sessions 314386 by: Florian Müller 314389 by: Jen Rasmussen Re: testing 314387 by: David Robley Re: You can play with PHP 5.4.0 alpha3 on Windows, EasyPHP 5.4 alpha3 is out! 314388 by: Sharl.Jimh.Tsin using pg_query in a function not working 314390 by: Marc Fromm Administrivia: To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net To post to the list, e-mail: php-gene...@lists.php.net -- ---BeginMessage--- in previous pages you must have a login page and in login page you must store the username and then in next steps you have username in $_SESSION['user'] now if it is not your problem then what is the problem? ---End Message--- ---BeginMessage--- Well my problem is when i click submit, the $_SESSION['user'] ('from' part of the table in my db) is blank, so im guessing the $_SESSION variable didnt pass through. On Aug 04, 2011, at 10:11 PM, Negin Nickparsa nickpa...@gmail.com wrote:in previous pages you must have a login page and in login page you must store the username and then in next steps you have username in $_SESSION['user'] now if it is not your problem then what is the problem? ---End Message--- ---BeginMessage--- you must check setting your session with this one: if(isset($_SESSION['user'])) { // Identifying the user $user = $_SESSION['user']; // Information for the user. } tell me what you have done in login page? ---End Message--- ---BeginMessage--- This is the login.php which checks the form on the login page.?phpsession_start();include('connect.php');$user=$_POST['user'];$pass=$_POST['pass'];$sql="SELECT * FROM members WHERE username='$_POST[user]' and password='$_POST[pass]'";$result=mysql_query($sql, $con);$count=mysql_num_rows($result);if ($count==1){ session_start(); $_SESSION['user'] = $user;}else{ echo 'Wrong Username or Password'; }?On Aug 04, 2011, at 10:23 PM, Negin Nickparsa nickpa...@gmail.com wrote:you must check setting your session with this one: if(isset($_SESSION['user'])) { // Identifying the user $user = $_SESSION['user']; // Information for the user. } tell me what you have done in login page? ---End Message--- ---BeginMessage--- did you set the form method='post' ? ---End Message--- ---BeginMessage--- in this line password='$_POST[pass]'; you have error change it to password='$_POST['pass']'; ---End Message--- ---BeginMessage--- well,sorry change it to password=$pass (better) also check your errors by php yourpage.php it is more better to not stock in errors like this one ---End Message--- ---BeginMessage--- Your code is full of security errors .. You should use mysql escape string(google it ) to protect your database from beiÿng hacked David Holmes twitter @mrstanfan owner of the exclusive StanFan.com Whats Your StanFan? -Original Message- From: wil prim wilp...@me.com Date: Sat, 06 Aug 2011 04:49:32 To: PHP MAILINGLISTphp-gene...@lists.php.net; Philly Holbrookpholbro...@gmail.com Subject: [PHP] Sending a message Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from, ill try to take you through step by step what I am trying to do. step #1 (messages.php): --This is where the member will view the recent messages that have been posted div id='messages' ?php include 'connect.php'; session_start(); $_SESSION['user']=$user; //store sql queries $sql=SELECT * FROM entries; $result=mysql_query($sql, $con); $count=mysql_num_rows($result); if ($count1){ echo 'There are no messages yet!'; } while ($row=mysql_fetch_array($result)){ echo 'From: ' .$row['from']; echo 'br/'; echo 'Subject: ' .$row['subject']; echo 'br/'; echo 'Message: ' .$row['body']; echo 'hr/'; } ? /div Step #2 (create_message.php):-- This is where the user creates a new
Re: [PHP] Sending a message
well,what is the problem with these manuals :) ? google these ones: security exploits that are SQL injection, Cross Site Scripting(xss) and Cross Site Request Forgery many security issues you can find also for your code problems try this site: stackoverflow.com previous times when I had these problems people in this list was too angry about me:D by posting emails about array like $_POST LOL! one of those angry people told me this site I am thankful to him:) I am happy on this Site be a member in there;) they will answer your code issues in just a second:)
RE: [PHP] saving sessions
But please do not use cookies to store a password as code! Cookies are human readable with some add-ons Check like this: if someone registers, insert it into a table: ?php $username = mysql_real_escape_string($_POST[username]); $password = md5($_POST[password]); mysql_query(INSERT INTO USER VALUES(' . $username . ',' . $password . ')); header('location: register_success.php'); ? Then, if someone wants to log in, use like this: ?php $username = mysql_real_escape_string($_POST[username]); $password = md5($_POST[password]); $sel = SELECT * FROM USER WHERE USERNAME = ' . $username . ' AND PASSWORD = ' . $password . '; $unf = mysql_query($sel); $count = mysql_num_rows($unf); if ($count == 1) { header('location: login_success.php'); } else { echo Login not successful!; } ? If you want to store something into cookies, use a name which is not good understandable, like a shortcut for a logical sentense: Titcftmws (This is the cookie for the main webSite) or something ^^ In there, you can save username and password, but PLEASE save the password at least md5()-encryptet, so not everyone can save it. Now you can check like this: ?php if ($_COOKIE['Titcftmws'] == mysql_real_escape_string($_POST[username]) . | . md5($_POST[password])) { //in the cookie is for the user with username 'jack' and password 'test' this value: jack|098f6bcd4621d373cade4e832627b4f6 echo you are logged in; } else { echo not logged in!; } ? This is as far as I know a quite high level of security, in comparisions with other ways. Regs, Flo From: midhungir...@gmail.com Date: Fri, 5 Aug 2011 08:20:11 +0530 To: wilp...@me.com CC: php-general@lists.php.net Subject: Re: [PHP] saving sessions On Sat, Aug 6, 2011 at 7:56 AM, wil prim wilp...@me.com wrote: Hello, im new to the whole storing sessions thing and I really dont know how to ask this question, but here it goes. So on my site when someone logs in the login.php file checks for a the username and password in the table i created, then if it finds a match it will store a $_SESSION [] variable. To be exact the code is as follows: if ($count=='1') { session_start(); $_SESSION['user']=$user; // $user is the $_POST['user'] from the login form header('location: login_success.php'); } Now what i would like to know is how do i make my website save new changes the user made while in their account? thanks! You will have to store the user account related data in the database for persistence Or if the site not having a 'user account system' you may use cookies to store the settings... Midhun Girish
Re: [PHP] Re: testing
Daniel Brown wrote: On Thu, Aug 4, 2011 at 10:39, Jim Giner jim.gi...@albanyhandball.com wrote: Mailing list, newsgroup, either one - something's changed in the last week or so to interrupt the smooth (or semi-smooth) functioning of it. The only messages I'm seeing currently are the ones in this single topic. Why is that??? Actually, we haven't changed anything at all. It's always been temperamental, but it's always just been a small additional offering. As Ash said, this is a mailing list, not a newsgroup. The fact that we offer a newsgroup interface at all is by all means eligible for discontinuation, since only about six people use it in any given year. /me wonders who the other five are :-) Cheers -- David Robley I've mixed up my gloves, Tom said intermittently. Today is Boomtime, the 71st day of Confusion in the YOLD 3177. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] You can play with PHP 5.4.0 alpha3 on Windows, EasyPHP 5.4 alpha3 is out!
在 2011-08-05五的 11:35 +0800,EasyPHP写道: Hi PHP 5.4 alpha 3 is now included in a the Wamp package EasyPHP 5.4 alpha3. Enjoy! Website : www.easyphp.org Screenshots : www.easyphp.org/screenshots.php Facebook page : www.facebook.com/easywamp Twitter : www.twitter.com/easyphp Woo,so quickly.i am using PHP alpha 1 on my CentOS server by compiling from source tarball. -- Best regards, Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**) Using Gmail? Please read this important notice: http://www.fsf.org/campaigns/jstrap/gmail?10073. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
FW: [PHP] saving sessions
In addition to the info below, I would caution you to do some research on password hashing. MD5 and SHA-1 are both known to be compromised because they are too fast. OWASP (Open Web Application Security Project) is a great resource for security research. There are many hashes available, if you have PHP 5.3+ look into bCrypt (built into PHP 5.3+ as CRYPT). The CRYPT_BLOWFISH option is the best choice. A good article is here: http://yorickpeterse.com/articles/use-bcrypt-fool/ Otherwise, use this code to see a list of your available algorithms. You also want to make sure to research salting and stretching of your hash if you are unable to use bCrypt. ?php print_r(hash_algos()); ? You might also want to look into PHPASS if you have a version of PHP previous to 5.3. Although it will default to using MD5 for older versions, the salting and stretching of the hash are what make it more secure, not the algorithm itself (seems to be a bit of controversy on this point). * Note that if you use PHPASS, once you do upgrade to 5.3+, it will default to the CRYPT_BLOWFISH option. Cheers! Jen -Original Message- From: Florian Müller [mailto:florip...@hotmail.com] Sent: Friday, August 05, 2011 1:35 AM To: midhungir...@gmail.com; php-general@lists.php.net Subject: RE: [PHP] saving sessions But please do not use cookies to store a password as code! Cookies are human readable with some add-ons Check like this: if someone registers, insert it into a table: ?php $username = mysql_real_escape_string($_POST[username]); $password = md5($_POST[password]); mysql_query(INSERT INTO USER VALUES(' . $username . ',' . $password . ')); header('location: register_success.php'); ? Then, if someone wants to log in, use like this: ?php $username = mysql_real_escape_string($_POST[username]); $password = md5($_POST[password]); $sel = SELECT * FROM USER WHERE USERNAME = ' . $username . ' AND PASSWORD = ' . $password . '; $unf = mysql_query($sel); $count = mysql_num_rows($unf); if ($count == 1) { header('location: login_success.php'); } else { echo Login not successful!; } ? If you want to store something into cookies, use a name which is not good understandable, like a shortcut for a logical sentense: Titcftmws (This is the cookie for the main webSite) or something ^^ In there, you can save username and password, but PLEASE save the password at least md5()-encryptet, so not everyone can save it. Now you can check like this: ?php if ($_COOKIE['Titcftmws'] == mysql_real_escape_string($_POST[username]) . | . md5($_POST[password])) { //in the cookie is for the user with username 'jack' and password 'test' this value: jack|098f6bcd4621d373cade4e832627b4f6 echo you are logged in; } else { echo not logged in!; } ? This is as far as I know a quite high level of security, in comparisions with other ways. Regs, Flo From: midhungir...@gmail.com Date: Fri, 5 Aug 2011 08:20:11 +0530 To: wilp...@me.com CC: php-general@lists.php.net Subject: Re: [PHP] saving sessions On Sat, Aug 6, 2011 at 7:56 AM, wil prim wilp...@me.com wrote: Hello, im new to the whole storing sessions thing and I really dont know how to ask this question, but here it goes. So on my site when someone logs in the login.php file checks for a the username and password in the table i created, then if it finds a match it will store a $_SESSION [] variable. To be exact the code is as follows: if ($count=='1') { session_start(); $_SESSION['user']=$user; // $user is the $_POST['user'] from the login form header('location: login_success.php'); } Now what i would like to know is how do i make my website save new changes the user made while in their account? thanks! You will have to store the user account related data in the database for persistence Or if the site not having a 'user account system' you may use cookies to store the settings... Midhun Girish -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] using pg_query in a function not working
I have to sql statements in functions to use in my code. Even though the echo statements show the sql is valid the sql does not seem to execute and I get the error, PHP Warning: pg_fetch_object() expects parameter 1 to be resource, boolean given in . . . line 154 . . . Line 154: while($val = pg_fetch_object($student)) ## Function Calls: $insert = recordSentList($empid, $list, printed); // No record gets inserted into the table $student = getStudent($list); while($val = pg_fetch_object($student)) //No records get listed { ## Functions: function recordSentList($empid, $list, $method){ $today = date(m/d/Y, strtotime(now)); $sql = INSERT INTO lists_sent ( lists_sent_employers_id, lists_sent_type, lists_sent_date, lists_sent_method) VALUES ( '$empid', '$list', '$today', '$method'); echo $sqlbr /; // slq statement looks accurate $result = pg_query($conn,$sql); echo Insert Errors: . pg_errormessage($conn) . br /; //No errors are reported return $result; } function getStudent($list){ $removaldate = date(m/d/Y,mktime(0, 0, 0, date(m)-3, date(d)-7, date(Y))); $sql = SELECT * FROM students WHERE ; if($list == child_care_list){ $sql .= child_care_list ' . $removaldate . ' ; $sql .= AND child_care_list IS NOT NULL ; $sql .= ORDER BY student_lname ASC, student_fname ASC; } elseif ($list == day_labor_list) { $sql .= day_labor_list ' . $removaldate . ' ; $sql .= AND day_labor_list IS NOT NULL ; $sql .= ORDER BY student_lname ASC, student_fname ASC; } else { $sql .= tutor_list ' . $removaldate . ' ; $sql .= AND tutor_list IS NOT NULL ; $sql .= ORDER BY student_lname ASC, student_fname ASC; } echo $sqlbr /; // slq statement looks accurate $result = pg_query($conn,$sql); echo Select Errors: . pg_errormessage($conn) . br /;//No errors are reported echo Rows: . pg_num_rows($result) . br /;//No number is displayed if ((!$result) or (empty($result))){ return false; } return $result; } Marc Fromm Information Technology Specialist II Financial Aid Department Western Washington University Phone: 360-650-3351 Fax: 360-788-0251
Re: [PHP] using pg_query in a function not working
On 8/5/2011 12:08 PM, Marc Fromm wrote: I have to sql statements in functions to use in my code. Even though the echo statements show the sql is valid the sql does not seem to execute and I get the error, PHP Warning: pg_fetch_object() expects parameter 1 to be resource, boolean given in . . . line 154 . . . Line 154: while($val = pg_fetch_object($student)) $conn is not in scope Marc Fromm Information Technology Specialist II Financial Aid Department Western Washington University Phone: 360-650-3351 Fax: 360-788-0251 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] using pg_query in a function not working
Thanks! Sometimes I'm blind. -Original Message- From: Jim Lucas [mailto:li...@cmsws.com] Sent: Friday, August 05, 2011 1:01 PM To: Marc Fromm Cc: php-general@lists.php.net Subject: Re: [PHP] using pg_query in a function not working On 8/5/2011 12:08 PM, Marc Fromm wrote: I have to sql statements in functions to use in my code. Even though the echo statements show the sql is valid the sql does not seem to execute and I get the error, PHP Warning: pg_fetch_object() expects parameter 1 to be resource, boolean given in . . . line 154 . . . Line 154: while($val = pg_fetch_object($student)) $conn is not in scope Marc Fromm Information Technology Specialist II Financial Aid Department Western Washington University Phone: 360-650-3351 Fax: 360-788-0251 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP frameworks
Hello, I am new to PHP and wanted to ask a question which I think is related to this discussion thread. What are you referring to when using the term PHP Framework? I downloaded Eclipse-JEE with PHP Development Tools. Would this development environment constitute a PHP Framework? Best, Christopher From: Laruence [larue...@baidu.com] Sent: Sunday, July 24, 2011 11:19 PM To: Floyd Resler Cc: PHP Subject: Re: [PHP] PHP frameworks Hi: if you have high performance need, you can considering Yaf( a PHP framework which is build in PHP extension) http://pecl.php.net/package/Yaf thanks Best regards 惠新宸 Xinchen Hui http://www.laruence.com/ On 2011/7/22 20:38, Floyd Resler wrote: On Jul 22, 2011, at 8:33 AM, Richard Quadling wrote: On 22 July 2011 13:26, Floyd Reslerfres...@adex-intl.com wrote: On Jul 21, 2011, at 11:41 PM, Micky Hulse wrote: On Thu, Jul 21, 2011 at 6:44 PM, Shawn McKenzienos...@mckenzies.net wrote: A la CakePHP. Will automagically build controllers and views for the admin of your tables/models if you wish. Oooh, interesting! I will check out CakePHP! Thanks for tip! :) I actually use my own framework. I needed a very light weight, flexible framework. I designed it from the ground up to be very flexible and to use AJAX and jQuery on the client side. If you'd be interested in check it out, just let me know and I'll give you a link to the source code. Take care, Floyd http://www.brandonsavage.net/why-every-developer-should-write-their-own-framework/ Good article! I knew there was a reason why I never released mine but just offer it up on occasion to someone who might find it useful! :) Take care, Floyd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php