Gilbert last won the day on April 25 2018

Gilbert had the most liked content!

Profile Information

  • Gender
  • Location

Gilbert's Achievements


Newbie (1/7)



  1. Not sure what topic to post this under. I've read a bunch about sql injection and have done all the testing for bad input when building forms and input devices, but then I thought what if you display an alpha-numeric pad for a person to enter the data. I figured you have complete control over the input by processing each character as they are entered and then using a php file to process the end result. Basically there is no place for a hacker to enter a sql string with slashes or whatnot. I'd like to hear what pitfalls there are with this type of approach and what injections or hacking might be tried if I used something like this. Would there be an article someone could point me toward concerning this and how to avoid trouble (not just sql injection, as I've said I've read a bunch, but other standard forms of hacking). Thank you very much! I forgot to mention that my idea of an alpha-numeric pad is to have just A-Z, 0-9 and a button for spacebar, bckspc and enter.
  2. That seems to have done the trick. Now I have one other item concerning syntax that I hope you can help me with. I have a button with an onclick function and in that function I want to set a php session to the option that was chosen.

         function saveTheValue(theSID){
             '<?php $_SESSION['editSchedStand']=' + theSID + ';?>';
         }

     Can you tell me if this is possible or show me the correct syntax? Thank you
  3. OK, I will keep that in mind, but the thing that seems conflicting is that I used the session_start() only once at the beginning of my main page and then the session worked fine in the first http request but then bombed in the second. I've also read that if you invoke the session_start in more than 2 places it can screw things up. So you're saying I do need a session_start() at the beginning of each php code I invoke with an HTTP request. I'll give it a whirl. Thanks for the help!
  4. I thought I had this down, but I have a situation that isn't working. I have a page for dealing with schedules called adminSchedules.php and right at the top I put <?php session_start(); .... Then later on I make an xmlHTTPRequest and use the $_SESSION to get & set some session variables. I echoed them back to be sure they were set. Then I go back to the main adminSchedules page and I make another xmlHTTPRequest and when I try to access the session vars I set before, they are not set. I've checked over all the syntax carefully and the error I'm getting in the error_log file is 'variable undefined '_SESSION''. So I'm confused and thought maybe the sessions don't extend to xmlHTTPRequests or what. Can someone explain exactly what the 'scope' of a session is, or what I should be doing differently? I do understand about when you invoke a session var the compiler looks on your computer for the session key and all that, so I don't understand why it's not returning the value when I ask for it. Should I be putting a 'session_start()' at the top of every PHP file that I make an xmlHTTPRequest to? Thank you so much for your help
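An added example (not code from this thread) of the server side behind the onclick question above and the session questions in the two posts that follow it: a small PHP endpoint, hypothetically named setEditStand.php, that the button's JavaScript reaches with an XMLHttpRequest. It starts the session itself, validates the posted value, and stores it in $_SESSION; the file name and the JSON response shape are assumptions.

```php
<?php
// Added example, not from the thread. PHP runs on the server before the page
// reaches the browser, so a PHP tag written inside a JavaScript function body
// never executes for the value the user clicks; the browser has to send a
// request carrying that value. Client side, in the onclick handler:
//   var xhr = new XMLHttpRequest();
//   xhr.open('POST', 'setEditStand.php');
//   xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
//   xhr.send('editSchedStand=' + encodeURIComponent(theSID));
declare(strict_types=1);

// Every script that reads or writes $_SESSION must start the session itself,
// including scripts that are only ever reached through XMLHttpRequest.
session_start();
header('Content-Type: application/json');

// Validates the posted value and stores it in the session array.
// $session is passed by reference so the function works against $_SESSION
// in production and against a plain array when exercised in isolation.
function setEditStand(array $post, array &$session): array
{
    // The client can send any string; accept only a positive integer ID.
    $sid = filter_var($post['editSchedStand'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($sid === false) {
        return ['ok' => false, 'error' => 'editSchedStand must be a positive integer'];
    }
    $session['editSchedStand'] = $sid;
    return ['ok' => true, 'editSchedStand' => $sid];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['ok' => false, 'error' => 'POST required']);
    exit;
}

$reply = setEditStand($_POST, $_SESSION);
if (!$reply['ok']) {
    http_response_code(400);
}
echo json_encode($reply);
```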
  5. Thanks a lot, justsomeguy! After I posted I tinkered some more and I came up with creating 2 views called viewDropOff and viewPickUp and then referenced them separately in the left joins. I use aliases sometimes, but I never really understood how powerful they can be, like in this instance. I will go back and try it the way you said and I'm sure it will work. Thank you for the help.
  6. Hi all, I have a table of a schedule of workers at kiosks and I have a table of drivers who drop them off and possibly a different driver picks them up. I have a view that lists other details from other tables (like times, dates, names) and I'd like to list the drop off and pickup drivers separately, because they might be different. I've tried a couple of things and got error messages - like 'referencing same table' when I tried this:

         create view allScheduleInfo AS ..... schedule.dropOffID, drivers.dropOffName, schedule.pickUpID, drivers.pickUpName, ....
         FROM schedule left join .....
         left join drivers ON schedule.dropOffID = drivers.driverID
         left join drivers ON schedule.pickUpID = drivers.driverID ....

     I got it to display the view with an error message when I tried combining the joins on one line, like this:

         left join drivers on schedule.dropOffID = driversID AND schedule.pickUpID = driversID

     And the dropOffID and pickUpID go thru correctly, but it makes the dropOffName and the pickUpName = to NULL. I considered making two separate tables for drop off and pick up drivers, but wouldn't that contradict the normalizing of table data? I know this may be kind of odd, and I hope I've explained it sufficiently that someone can point me in the right direction of how to do this. Basically I guess I am trying to access 2 pieces of information from the same table, but with different pointers to them. Thank you for your help.
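An added example (not the poster's code, nor the two-view workaround from the follow-up post) of the alias approach for joining drivers twice, with a read of the resulting view. The column names driverName, scheduleID and workDate are assumed, as is a mysqli connection in $conn.

```php
<?php
// Added example, not the poster's code. Joining the same table twice needs a
// distinct alias per join. The single-ON variant
//   ON schedule.dropOffID = driverID AND schedule.pickUpID = driverID
// can only match a driver row that is both the drop-off and the pick-up
// driver, so for every other schedule row the LEFT JOIN keeps the IDs and
// fills the name columns with NULL, which is the symptom described above.
// Assumed schema: drivers(driverID, driverName), schedule(scheduleID, workDate, dropOffID, pickUpID).
declare(strict_types=1);

// Builds the view; each alias (d_off, d_up) is an independent copy of drivers.
function createScheduleView(mysqli $conn): void
{
    $sql = <<<'SQL'
        CREATE OR REPLACE VIEW allScheduleInfo AS
        SELECT s.scheduleID,
               s.workDate,
               s.dropOffID,
               d_off.driverName AS dropOffName,
               s.pickUpID,
               d_up.driverName  AS pickUpName
        FROM schedule AS s
        LEFT JOIN drivers AS d_off ON s.dropOffID = d_off.driverID
        LEFT JOIN drivers AS d_up  ON s.pickUpID  = d_up.driverID
        SQL;
    if ($conn->query($sql) === false) {
        throw new RuntimeException('CREATE VIEW failed: ' . $conn->error);
    }
}

// Reads the view for one date. The date comes from user input, so it is bound
// as a parameter rather than concatenated into the SQL text.
function scheduleForDate(mysqli $conn, string $workDate): array
{
    $stmt = $conn->prepare('SELECT * FROM allScheduleInfo WHERE workDate = ? ORDER BY scheduleID');
    $stmt->bind_param('s', $workDate);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    // Each row now carries dropOffName and pickUpName; a name is NULL only
    // when that ID has no matching driver row at all.
    return $rows;
}
```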
  7. Hi all, I upload a text file to extract info to put into my database on GoDaddy and when I run my php code on it, it tells me that it can't read the file because it is in ansi-xxxx format. In my php code I'm using $var = fgets() to read each line and then put the $vars into the correct table of the database. So I have clicked the button at the top of the code editor and converted the text file to utf-8 - but the conversion leaves the file with 2 odd characters at the beginning of the file and puts a blank line between each line. When I delete the 2 characters and the blank lines and I run my code, everything works as it should and updates my tables. My question is: Can I do a conversion on the ANSI text file using php without any manual manipulating? I've read about the utf8_encode(), but it says it encodes an ISO-8859-1 file, but mine is an ANSI, or is the ISO-8859-1 an umbrella to a lot of different codes? Can I convert the whole file at once or do I set up a loop to read a line, convert it and write to a new file? Am I interpreting this correctly? I'd appreciate a code snippet so I can see how to set it up - or a reference to more reading so I can learn. Thank you very much!
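An added example (not from the thread) of doing the conversion in PHP on the server, in one pass over the whole file. It assumes "ANSI" means the Windows-1252 code page (which covers ISO-8859-1's printable characters and adds more in the 0x80-0x9F range) and that the odd leading characters are a byte-order mark; the file names are hypothetical and str_starts_with() needs PHP 8.

```php
<?php
// Added example, not from the thread. Converts the exported "ANSI" text file to
// UTF-8 without a BOM and with LF line endings, so a later fgets() loop sees
// one record per line. The source code page is assumed to be Windows-1252;
// pass the code page the editor reports if it is a different one.
declare(strict_types=1);

function convertAnsiFileToUtf8(string $inPath, string $outPath,
                               string $sourceEncoding = 'Windows-1252'): int
{
    $raw = file_get_contents($inPath);
    if ($raw === false) {
        throw new RuntimeException("Cannot read $inPath");
    }

    // Editors that "convert" often prepend a byte-order mark: that is the odd
    // pair (or triple) of characters at the start of the file. Strip it and
    // let it override the assumed source encoding.
    if (str_starts_with($raw, "\xEF\xBB\xBF")) {
        $raw = substr($raw, 3);
        $sourceEncoding = 'UTF-8';
    } elseif (str_starts_with($raw, "\xFF\xFE")) {
        $raw = substr($raw, 2);
        $sourceEncoding = 'UTF-16LE';
    } elseif (str_starts_with($raw, "\xFE\xFF")) {
        $raw = substr($raw, 2);
        $sourceEncoding = 'UTF-16BE';
    }

    // Refuse bytes that are not valid in the source encoding instead of
    // silently writing replacement characters into the database.
    if (!mb_check_encoding($raw, $sourceEncoding)) {
        throw new RuntimeException("$inPath is not valid $sourceEncoding");
    }
    $utf8 = mb_convert_encoding($raw, 'UTF-8', $sourceEncoding);

    // Windows line endings are CR LF; a CR left behind reads as an empty line.
    $utf8 = str_replace(["\r\n", "\r"], "\n", $utf8);

    $out = fopen($outPath, 'wb');
    if ($out === false) {
        throw new RuntimeException("Cannot write $outPath");
    }
    $count = 0;
    foreach (explode("\n", rtrim($utf8, "\n")) as $line) {
        fwrite($out, $line . "\n");
        $count++;
    }
    fclose($out);
    return $count;   // number of data lines written
}
```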
  8. Thank you very much - I was getting the feeling that it couldn't be totally automatic. I guess I'll just have to take 30 seconds out of my day to upload the txt file to my server. Thank you for the link and your help. Happy Holidays to you!
  9. Thanx for the reply. Maybe I'm not understanding what I need to do - I think I want to upload because I want to use php to do something with the file on the server. Right now I am opening my phpAdmin every day and entering my daily data by hand which is getting kind of tedious. I do want to COPY my data from a text file on my computer, but I thought that to get it on the server I had to UPLOAD. I know I could go to the file manager on the server and click upload and put the file wherever I want, but I wanted to make it automatic so I would have a button on the website to run the php to upload the file and then add the info to my database, parsing it using php. I think I see what you're saying - maybe I don't need $FILES at all because that has to do with the Form action and Post method? Maybe I need to specify the address of the file on my computer in a different way? I would think this would be possible to do, I just don't have the correct coding to do it. I hope you can help me figure this out; please be specific as I'm still learning. Thank you!
  10. Hi all, I use MS Access to keep track of income at various kiosks and each day I create a text file which I would like to upload to my server and save the data to my tables so I can publish the results on a website. My question is about the uploading. The W3 schools example uses a form to pick the file and then uploads with php, as several other help sites have suggested. I already know the name of the file - it's not like a user picking one from his computer - so I'd like to skip the user interface and just tell the 'uploader' which file to use. I just want to click a button and have the whole thing done with, exactly the same every day. I think I've got an idea but wanted to run it by you experts to see if I'm on the right track. I believe the key is to assign $FILES with the name of the file on my computer, instead of getting it from the form and then using that in the move_uploaded_file method to move it to a folder on my server. But I'm not sure how to assign a value to $FILES and what other background things I may have to do to get it to work. Or is it as simple as coding $myFile = $FILES["C:/Users/me/myfolder/myFile.txt"] and then moving it to my target file on the server? I don't want to do a test on it as I realize how much things could get messed up. And I do know there are plug-ins that could do the job, but I want to understand the basics of uploading and code it myself. Thank you for your help. I thought I'd add what I'm hoping could be my solution - but I'm not holding my breath - it seems too simple. Please explain to me what needs to be done.

          <?php
          $myFile = $FILES["C:/Users/Me/ThisFolder/myFile.txt"]; // file on my computer
          $target = "uploads/newKettleInfo.txt"; // where to put the uploaded file
          if (move_uploaded_file($myFile, $target)) {
              echo "The file " . $myFile . " has been uploaded.";
          } else {
              echo "Sorry, there was an error uploading your file.";
          }
          ?>
  11. Thank you so much justsomeguy!! I decided on the HTML element.scrollIntoView because I already had the ID of the list item. I said I had used php & sql to create the list so I just added a unique id attribute to the output wrapper and then used that as my element to scroll to. It works perfectly! I don't know why I didn't find this sooner - it's kind of weird that sometimes you have to know exactly what you want to find in order to search for it. Ah well, thanx again!
  12. Hi all, I have a list anywhere from 10 to 100 items retrieved from a database table using php & sql via an XMLHttpRequest. The list shows 5 or 6 records at a time in the screen view (phone) and you scroll thru them. I have an edit button included with each record which triggers an overlay to change that record - then you click OK and it updates the info in the database table. Then I show the list and the changes have taken place, but what I would like to do is show the list from just where the edit occurred, instead of the user having to scroll down maybe 50 or 60 records to confirm that it has changed. I want ALL the records there but just to start at the one that was edited. I have the unique ID of the table record and I think I should be able to use that to indicate where I want to start the listing, but I'm not sure how to go about implementing it. I hope I explained it well enough - any ideas? I've looked at several sites and haven't seen exactly what I want. Thanx for responses! PS I think once the list has rendered on the screen, what I need is a gotoRecord command to scroll down automatically or something like that. I might also add that the reason for wanting to do this is that the user will probably be changing a few records in approximately the same area of the list so it would save a lot of scrolling back and forth. Thanx
  13. Thanx justsomeguy - I think what you're basically saying is that I did it correctly - that I have the right idea. I'm not sure I follow you on the 'validation' part because I'm getting the information from a database and asking the user to click on one of the options in the combo box list. Where is the validation needed? I think I'm missing where a user could inject malicious code. Thanx....
  14. Hi all, I am populating the <options> of a <select> statement from a database using php. I'm setting the value of the options to the 'workerID' and setting the innerHTML to the worker name, reading both of these values from the database table 'workers'. The 'input' button runs the php and I have the workerID as a value, but then I have to access the table again matching the workerID in a where clause to get the first & last name of the worker. It seems kind of redundant to do it this way - the question is, is there any way to pass along the worker name (which you just looked up) along with the worker ID, to the php function, or is this a normal way to do this. I thought of making the 'value' attribute a combination of ID and name, and then separating it in the php function to use, but I was wondering if there was an easier way that I am missing. I am just trying to cut down on traffic to the server. It would seem like there would be a better way to do this. Here is my code - thanks for your help!!

          <div id="chooseWorker">
          <?php
          if ($_SERVER["REQUEST_METHOD"] == "POST") {
              $chosenWorker = $_POST["mySelect"];
              include "phpConnection.php";
              $sql = "SELECT firstName, lastName FROM workers WHERE workerID = '" . $chosenWorker . "'";
              $result = $conn->query($sql);
              if ($result->num_rows > 0) {
                  while ($row = $result->fetch_assoc()) {
                      $_SESSION["adminFirstName"] = $row["firstName"];
                      $_SESSION["adminLastName"] = $row["lastName"];
                  }
              } else {
                  echo "Worker not Found";
              }
          }
          ?>
          <h3>Please choose a Worker</h3>
          <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
          <select name="mySelect" size="12">
          <?php
          include "phpConnection.php";
          $sql = "SELECT * FROM workers ORDER BY ranking";
          $result = $conn->query($sql);
          if ($result->num_rows > 0) {
              while ($row = $result->fetch_assoc()) {
                  $fullName = $row["firstName"] . " " . $row["lastName"];
          ?>
          <option value="<?php echo $row['workerID'];?>"><?php echo $fullName;?></option>
          <?php
              } // end while
          } // end if
          ?>
          </select>
          <input type="submit" value="Submit">
          </form>
          <div>
          <button>cancel</button>
          </div>
          </div>
  15. How so justsomeguy? Don't you need to UPDATE after you INSERT INTO? I learned my sql from MS ACCESS, but I realize mySQL has some different syntax. In Access the insert into does not update the table until you say 'update'. Have I written it wrong? A little more help, please. Thank you.