Everything posted by Gilbert

  1. Not sure what topic to post this under. I've read a bunch about sql injection and have done all the testing for bad input when building forms and input devices, but then I thought what if you display an alpha-numeric pad for a person to enter the data. I figured you have complete control over the input by processing each character as they are entered and then using a php file to process the end result. Basically there is no place for a hacker to enter a sql string with slashes or whatnot. I'd like to hear what pitfalls there are with this type of approach and what injections or hacking might be tried if I used something like this. Would there be an article someone could point me toward concerning this and how to avoid trouble (not just sql injection, as I've said I've read a bunch, but other standard forms of hacking). Thank you very much! I forgot to mention that my idea of an alpha-numeric pad is to have just A-Z, 0-9 and a button for spacebar, bckspc and enter.
  2. That seems to have done the trick. Now I have one other item concerning syntax that I hope you can help me with. I have a button with an onclick function and in that function I want to set a php session to the option that was chosen. function saveTheValue(theSID){ '<?php $_SESSION['editSchedStand']=' + theSID + ';?>'; } Can you tell me if this is possible or show me the correct syntax? Thank you
  3. OK, I will keep that in mind, but the thing that seems conflicting is that I used the session_start() only once at the beginning of my main page and then the session worked fine in the first http request but then bombed in the second. I've also read that if you invoke the session_start in more than 2 places it can screw things up. So you're saying I do need a session_start() at the beginning of each php code I invoke with an HTTP request. I'll give it a whirl. Thanks for the help!
  4. I thought I had this down, but I have a situation that isn't working. I have a page for dealing with schedules called adminSchedules.php and right at the top I put <?php session_start(); .... Then later on I make an xmlHTTPRequest and use the $_SESSION to get & set some session variables. I echoed them back to be sure they were set. Then I go back to the main adminSchedules page and I make another xmlHTTPRequest and when I try to access the session vars I set before, they are not set. I've checked over all the syntax carefully and the error I'm getting in the error_log file is 'variable undefined '_SESSION' . So I'm confused and thought maybe the sessions don't extend to xmlHTTPRequests or what. Can someone explain exactly what the 'scope' of a session is, or what I should be doing differently? I do understand about when you invoke a session var the compiler looks on your computer for the session key and all that, so I don't understand why it's not returning the value when I ask for it. Should I be putting a 'session_start()' at the top of every PHP file that I make an xmlHTTPRequest to? Thank you so much for your help
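The three posts above (the onclick that tries to set $_SESSION from JavaScript, and the XMLHttpRequest that finds $_SESSION undefined) come down to one point: PHP runs on the server, so a session value can only be set by a PHP script that the browser calls, and every such script must call session_start() itself before touching $_SESSION. The following endpoint is an added example, not Gilbert's code; the file name saveEditStand.php, the field name sid and the integer format of the stand ID are assumptions.

```php
<?php
// saveEditStand.php - added example (not from the original posts).
// Called by the page's JavaScript to store the chosen stand ID in the session.
// session_start() is required in EVERY request that reads or writes $_SESSION;
// the call on the main page does not carry over to a separate HTTP request.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// Refuse GET: a request that changes server-side state should be a POST so it
// cannot be triggered by simply following a link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['ok' => false, 'error' => 'POST required']);
    exit;
}

// Validate on the server. The browser can send anything, so only a positive
// integer is accepted as the stand ID (assumed format).
$sid = filter_input(INPUT_POST, 'sid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($sid === false || $sid === null) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'invalid sid']);
    exit;
}

$_SESSION['editSchedStand'] = $sid;
echo json_encode(['ok' => true, 'editSchedStand' => $sid]);

/* Browser side: the onclick handler from the post, rewritten so that it asks
   the server to set the session value instead of pasting PHP into JavaScript.

   function saveTheValue(theSID) {
       var xhr = new XMLHttpRequest();
       xhr.open('POST', 'saveEditStand.php');
       xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
       xhr.send('sid=' + encodeURIComponent(theSID));
   }
*/
```

The string '<?php $_SESSION[...] ?>' inside the JavaScript function in post 2 is evaluated once, when the page is generated, not when the button is clicked; that is why a separate request to a PHP file is needed.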
  5. Thanks a lot, justsomeguy! After I posted I tinkered some more and I came up with creating 2 views called viewDropOff and viewPickUp and then referenced them separately in the left joins. I use aliases sometimes, but I never really understood how powerful they can be, like in this instance. I will go back and try it the way you said and I'm sure it will work. Thank you for the help.
  6. Hi all, I have a table of a schedule of workers at kiosks and I have a table of drivers who drop them off and possibly a different driver picks them up. I have a view that lists other details from other tables (like times, dates, names) and I'd like to list the drop off and pickup drivers separately, because they might be different. I've tried a couple of things and got error messages - like 'referencing same table' when I tried this: create view allScheduleInfo AS ..... schedule.dropOffID, drivers.dropOffName, schedule.pickUpID, drivers.pickUpName, .... FROM schedule left join ..... left join drivers ON schedule.dropOffID = drivers.driverID left join drivers ON schedule.pickUpID = drivers.driverID .... I got it to display the view with an error message when I tried combining the joins on one line, like this --> left join drivers on schedule.dropOffID = driversID AND schedule.pickUpID = driversID And the dropOffID and pickUpID go thru correctly, but it makes the dropOffName and the pickUpName = to NULL. I considered making two separate tables for drop off and pick up drivers, but wouldn't that contradict the normalizing of table data? I know this may be kind of odd, and I hope I've explained it sufficiently that someone can point me in the right direction of how to do this. Basically I guess I am trying to access 2 pieces of information from the same table, but with different pointers to them. Thank you for your help.
  7. Hi all, I upload a text file to extract info to put into my database on GoDaddy and when I run my php code on it, it tells me that it can't read the file because it is in ansi-xxxx format. In my php code I'm using $var = fgets() to read each line and then put the $vars into the correct table of the database. So I have clicked the button at the top of the code editor and converted the text file to utf-8 - but the conversion leaves the file with 2 odd characters at the beginning of the file and puts a blank line between each line. When I delete the 2 characters and the blank lines and I run my code, everything works as it should and updates my tables. My question is: Can I do a conversion on the ANSI text file using php without any manual manipulating? I've read about the utf-8_encode(), but it says it encodes an ISO-8859-1 file, but mine is an ANSI, or is the ISO-8859-1 an umbrella to a lot of different codes? Can I convert the whole file at once or do I set up a loop to read a line, convert it and write to a new file? Am I interpreting this correctly? I'd appreciate a code snippet so I can see how to set it up - or a reference to more reading so I can learn. Thank you very much!
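A worked conversion for the situation in the post above, added here as an example and not taken from the thread: the "odd characters" at the start of a converted file are a byte-order mark, and the blank line between lines comes from CRLF line endings being treated as two line breaks. On Windows, "ANSI" for English text normally means Windows-1252, which extends ISO-8859-1 with extra characters in the 0x80-0x9F range (curly quotes, the euro sign), so Windows-1252 is the safer source encoding to name. The file path is an assumption; the function reads the whole file once, which is fine for a daily report.

```php
<?php
// convertKettleFile.php - added example (not from the original posts).
// Returns the lines of a text file as clean UTF-8 strings whether the file was
// saved as Windows-1252 ("ANSI"), UTF-8 with a BOM, or UTF-16LE with a BOM.
declare(strict_types=1);

function readLinesAsUtf8(string $path): array
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("cannot read $path");
    }

    // Byte-order marks: EF BB BF for UTF-8, FF FE for UTF-16LE. These are the
    // invisible "2 odd characters" an editor leaves at the top of the file.
    if (strncmp($raw, "\xEF\xBB\xBF", 3) === 0) {
        $raw = substr($raw, 3);
    } elseif (strncmp($raw, "\xFF\xFE", 2) === 0) {
        $raw = mb_convert_encoding(substr($raw, 2), 'UTF-8', 'UTF-16LE');
    }

    // Anything that is not valid UTF-8 at this point is treated as Windows-1252.
    // Converting a file that is already UTF-8 would double-encode it, so check first.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        $raw = mb_convert_encoding($raw, 'UTF-8', 'Windows-1252');
    }

    // Normalise CRLF and bare CR to LF so each record is exactly one line,
    // then drop empty lines (this removes the "blank line between each line").
    $raw = str_replace(["\r\n", "\r"], "\n", $raw);
    $lines = explode("\n", $raw);
    return array_values(array_filter($lines, fn(string $l): bool => trim($l) !== ''));
}

// Usage (assumed path): convert once, then insert each record with a prepared
// statement rather than building the INSERT from the line text.
$lines = readLinesAsUtf8(__DIR__ . '/uploads/newKettleInfo.txt');
foreach ($lines as $line) {
    $fields = array_map('trim', explode(',', $line)); // assumed comma-separated layout
    // ... bind $fields into "INSERT INTO ... VALUES (?, ?, ?)" here
}
```

Because the check is on the bytes themselves rather than on the file's claimed encoding, the same function works on the day the export tool is changed to write UTF-8 directly.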
  8. Thank you very much - I was getting the feeling that it couldn't be totally automatic. I guess I'll just have to take 30 seconds out of my day to upload the txt file to my server. Thank you for the link and your help. Happy Holidays to you!
  9. Thanx for the reply. Maybe I'm not understanding what I need to do - I think I want to upload because I want to use php to do something with the file on the server. Right now I am opening my phpAdmin every day and entering my daily data by hand which is getting kind of tedious. I do want to COPY my data from a text file on my computer, but I thought that to get it on the server I had to UPLOAD. I know I could go to the file manager on the server and click upload and put the file wherever I want, but I wanted to make it automatic so I would have a button on the website to run the php to upload the file and then add the info to my database, parsing it using php. I think I see what you're saying - maybe I don't need $FILES at all because that has to do with the Form action and Post method? Maybe I need to specify the address of the file on my computer in a different way? I would think this would be possible to do, I just don't have the correct coding to do it. I hope you can help me figure this out; please be specific as I'm still learning. Thank you!
  10. Hi all, I use MS Access to keep track of income at various kiosks and each day I create a text file which I would like to upload to my server and save the data to my tables so I can publish the results on a website. My question is about the uploading. The W3 schools example uses a form to pick the file and then uploads with php, as several other help sites have suggested. I already know the name of the file - it's not like a user picking one from his computer - so I'd like to skip the user interface and just tell the 'uploader' which file to use. I just want to click a button and have the whole thing done with, exactly the same every day. I think I've got an idea but wanted to run it by you experts to see if I'm on the right track. I believe the key is to assign $FILES with the name of the file on my computer, instead of getting it from the form and then using that in the move_uploaded_file method to move it to a folder on my server. But I'm not sure how to assign a value to $FILES and what other background things I may have to do to get it to work. Or is it as simple as coding $myFile = $FILES["C:/Users/me/myfolder/myFile.txt"] and then moving it to my target file on the server? I don't want to do a test on it as I realize how much things could get messed up. And I do know there are plug-ins that could do the job, but I want to understand the basics of uploading and code it myself. Thank you for your help. I thought I'd add what I'm hoping could be my solution - but I'm not holding my breath - it seems too simple. Please explain to me what needs to be done. <?php $myFile = $FILES["C:/Users/Me/ThisFolder/myFile.txt"]; // file on my computer $target = "uploads/newKettleInfo.txt"; // where to put the uploaded file if (move_uploaded_file($myFile, $target_file)) { echo "The file " .$myFile. " has been uploaded."; } else { echo "Sorry, there was an error uploading your file."; } ?>
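The two posts above rest on a misunderstanding worth spelling out: PHP executes on the server and has no way to open C:/Users/Me/... on the visitor's PC. $_FILES is filled in only when the browser itself sends a file in a multipart POST, which is exactly why the W3Schools example starts from a form; a browser cannot be told from the server which local file to send. The receiving side can still be fixed to a known destination name, as the post wants. The following is an added example, not Gilbert's code or a reply from the thread; the form field name kettle, the uploads directory outside the web root and the userLogStatus session flag from a later post are assumptions.

```php
<?php
// uploadKettle.php - added example (not from the original posts).
// Receives the daily text file from the form below and stores it under a fixed
// name. The file name chosen by the browser is deliberately ignored.
declare(strict_types=1);

session_start();
// Only a logged-in admin may upload; the flag is assumed to be set at login.
if (($_SESSION['userLogStatus'] ?? '') !== 'loggedIn') {
    http_response_code(403);
    exit('Forbidden');
}

function storeUpload(array $file, string $target): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed (code ' . (int)$file['error'] . ')';
    }
    // Accept only a file PHP itself received in this request, never a path
    // that arrived as a form value.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Not an uploaded file';
    }
    if ($file['size'] > 1000000) {
        return 'File too large';
    }
    // The report is plain text: reject files whose first bytes contain control
    // characters other than tab, newline and carriage return.
    $head = (string)file_get_contents($file['tmp_name'], false, null, 0, 4096);
    if (preg_match('/[\x00-\x08\x0E-\x1F]/', $head)) {
        return 'Not a plain text file';
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return 'Could not store the file';
    }
    return 'Stored ' . basename($target);
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['kettle'])) {
    // Fixed destination (assumed directory); same name every day, as the post wants.
    $message = storeUpload($_FILES['kettle'], dirname(__DIR__) . '/uploads/newKettleInfo.txt');
}
?>
<!DOCTYPE html>
<p><?php echo htmlspecialchars($message); ?></p>
<form method="post" action="" enctype="multipart/form-data">
  <input type="file" name="kettle">
  <button type="submit">Upload today's file</button>
</form>
```

The daily routine then is one click in the file chooser plus the button. If even that is too much, the alternative is a script running on the PC that posts the file to this endpoint on a schedule; either way the server only ever sees what a client chooses to send it, so the checks above stay on the server.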
  11. Thank you so much justsomeguy!! I decided on the HTML element.scrollIntoView because I already had the ID of the list item. I said I had used php & sql to create the list so I just added a unique id attribute to the output wrapper and then used that as my element to scroll to. It works perfectly! I don't know why I didn't find this sooner - it's kind of weird that sometimes you have to know exactly what you want to find in order to search for it. Ah well, thanx again!
  12. Hi all, I have a list anywhere from 10 to 100 items retrieved from a database table using php & sql via an XMLHttpRequest. The list shows 5 or 6 records at a time in the screen view (phone) and you scroll thru them. I have an edit button included with each record which triggers an overlay to change that record - then you click OK and it updates the info in the database table. Then I show the list and the changes have taken place, but what I would like to do is show the list from just where the edit occurred, instead of the user having to scroll down maybe 50 or 60 records to confirm that it has changed. I want ALL the records there but just to start at the one that was edited. I have the unique ID of the table record and I think I should be able to use that to indicate where I want to start the listing, but I'm not sure how to go about implementing it. I hope I explained it well enough - any ideas? I've looked at several sites and haven't seen exactly what I want. Thanx for responses! PS I think once the list has rendered on the screen, what I need is a gotoRecord command to scroll down automatically or something like that. I might also add that the reason for wanting to do this is that the user will probably be changing a few records in approximately the same area of the list so it would save a lot of scrolling back and forth. Thanx
  13. Thanx justsomeguy - I think what you're basically saying is that I did it correctly - that I have the right idea. I'm not sure I follow you on the 'validation' part because I'm getting the information from a database and asking the user to click on one of the options in the combo box list. Where is the validation needed? I think I'm missing where a user could inject malicious code. Thanx....
  14. Hi all, I am populating the <options> of a <select> statement from a database using php. I'm setting the value of the options to the 'workerID' and setting the innerHTML to the worker name, reading both of these values from the database table 'workers'. The 'input' button runs the php and I have the workerID as a value, but then I have to access the table again matching the workerID in a where clause to get the first & last name of the worker. It seems kind of redundant to do it this way - the question is, is there any way to pass along the worker name (which you just looked up) along with the worker ID, to the php function, or is this a normal way to do this. I thought of making the 'value' attribute a combination of ID and name, and then separating it in the php function to use, but I was wondering if there was an easier way that I am missing. I am just trying to cut down on traffic to the server. It would seem like there would be a better way to do this. Here is my code - thanks for your help!! <div id="chooseWorker"> <?php if ($_SERVER["REQUEST_METHOD"] == "POST") { $chosenWorker = ($_POST["mySelect"]); include "phpConnection.php"; $sql = "SELECT firstName, lastName FROM workers WHERE workerID = '".$chosenWorker; $result = $conn->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { $_SESSION["adminFirstName"] = $row["firstName"]; $_SESSION["adminLastName"] = $row["lastName"]; } } } else { return "Worker not Found"; } } ?> <h3>Please choose a Worker</h3> <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> <select name="mySelect" size="12"> <?php include "phpConnection.php"; $sql = "SELECT * FROM workers ORDER BY ranking"; $result = $conn->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { $fullName=$row["firstName"] . " " . 
$row["lastName"]; ?> <option value="<?php echo $row['workerID'];?>"><?php echo $fullName;?></option> <?php } // end while } // end if ?> </select> <input type="submit" value="Submit"> </form> <div> <button>cancel</button> </div> </div>
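The keypad question in post 1 and the "where is the validation needed?" question in posts 13 and 14 have the same answer, so one added example covers both: an on-screen A-Z/0-9 pad and a <select> list only limit what a well-behaved browser sends. The request that reaches the server can be written by hand with any bytes in it, so the handler in post 14, which pastes $_POST["mySelect"] straight into the query text (and is missing its closing quote), lets the SQL be rewritten. The handler below is an added rewrite, not Gilbert's code; it assumes phpConnection.php defines $conn as a mysqli connection and that workerID is at most 8 characters of letters, digits and spaces (the keypad's character set).

```php
<?php
// chooseWorker.php - added example (not from the original posts).
// The POST handler from post 14 rewritten so the submitted value is validated
// on the server and passed to MySQL as a bound parameter, never as SQL text.
declare(strict_types=1);

session_start();
include 'phpConnection.php'; // assumed to provide $conn (mysqli)

function lookupWorker(mysqli $conn, string $workerID): ?array
{
    // Server-side whitelist mirroring the keypad: only the characters the pad
    // offers, and a sane length. Everything else is rejected before any query.
    if (!preg_match('/^[A-Za-z0-9 ]{1,8}$/', $workerID)) {
        return null;
    }
    // Prepared statement: the value travels separately from the query, so quotes,
    // semicolons or comment markers in it cannot change what the query does.
    $stmt = $conn->prepare('SELECT firstName, lastName FROM workers WHERE workerID = ?');
    $stmt->bind_param('s', $workerID);
    $stmt->execute();
    $stmt->bind_result($first, $last);
    $row = $stmt->fetch() ? ['firstName' => $first, 'lastName' => $last] : null;
    $stmt->close();
    return $row;
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $row = lookupWorker($conn, (string)($_POST['mySelect'] ?? ''));
    if ($row === null) {
        $message = 'Worker not found';
    } else {
        // The name is re-read from the database on purpose: a name sent back by
        // the browser could be edited, so the second small query is the price of
        // trusting only the server's own data.
        $_SESSION['adminFirstName'] = $row['firstName'];
        $_SESSION['adminLastName']  = $row['lastName'];
        $message = 'Chosen: ' . $row['firstName'] . ' ' . $row['lastName'];
    }
}
?>
<h3>Please choose a Worker</h3>
<p><?php echo htmlspecialchars($message); ?></p>
```

The same rule applies to the <option> list that populates the select: the values echoed into the HTML should go through htmlspecialchars(), as the action attribute in the post already does, so that a name stored in the table cannot inject markup into the page.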
  15. How so justsomeguy? Don't you need to UPDATE after you INSERT INTO? I learned my sql from MS ACCESS, but I realize mySQL has some different syntax. In Access the insert into does not update the table until you say 'update'. Have I written it wrong? A little more help, please. Thank you.
  16. I'm still a bit fuzzy on how to go about checking every page. Can you give me a typical example of how to check if a user has permission to view it. I came up with the following code but got stymied as to how to break off gracefully and return to wherever. Is this the right approach to start with - where do I go from here? Or am I not seeing the whole picture? Thank you!! <?php session_start(); $pageLevel = "4"; if ($pageLevel > $_SESSION["userUserLevel"]) { // userUserLevel is a single string digit created at log in echo "You do not have permission to view this page"; // where does it echo to? return; // where do I return to? } ?> <!DOCTYPE html> etc
  17. Hi, I have a goDaddy account and I'm learning to import data. I've had success with a couple of uploads, but I get an error message and I don't understand what I need to do to get rid of it. My code is below, along with the error message I get and the excerpt from the mySQL documentation. Can anyone offer some advice about how to proceed and what may be the problem? The query works and updates the table with the info perfectly, but I think I should find out what this error is b/4 I incorporate into my website. Thanks a million! SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO"; SET time_zone = "+00:00"; CREATE TABLE IF NOT EXISTS `myUsers` ( `UserID` char(8) NOT NULL, `firstName` varchar(24) NOT NULL, `lastName` varchar(24) NOT NULL, `viewPref` varchar(16) NOT NULL, `pagePref` varchar(48) NOT NULL, PRIMARY KEY (`UserID`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ; INSERT INTO `myUsers` (`UserID`, `firstName`, `lastName`, `viewPref`, `pagePref`) VALUES ('sak20007', 'John', 'Smith', 'mobile_phone', 'about.html'); UPDATE; #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 Error: 1064 SQLSTATE: 42000 (ER_PARSE_ERROR) Message: %s near '%s' at line %d
  18. Thank you very much! I appreciate you helping me get this basic stuff under my belt from the start so I can do it right. Gil
  19. OK thank you very much. I have the log in in php and at the same time I set a $_SESSION var called userLogStatus to 'loggedIn' - so I have to check that global in php when each page opens. Or do you suggest I copy 'userLogStatus' to a sessionStorage to make it more accessible for checking. Would that compromise my security by being in the browser? Thanx, Gil
  20. Hi all, I'm trying to control where a visitor enters my website. I only want a visitor to open my homepage, pass security and then continue, like a menu-driven app. I know you can enter a domain name and a slash and go to that page in the website like 'amazon.com/tools' will bring up the tool page. Is there a way to prevent this from happening? Can it be turned off or on according to a security level imposed? I only want higher level users to see pages like 'checkswritten.html' or 'incomelevel.html' and not a casual user type in 'myDomain/incomelevel'. Anybody can see the links in <a href> or where buttons take you so they could learn all your pages and go directly to them. Do you need to invoke security precautions on every page? Thank you for responses, Gil
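Posts 16, 19 and 20 are one problem: a URL can always be typed directly, so each protected page has to check the visitor's session on the server before it sends any output. The snippet in post 16 is the right idea; what it is missing is that the echo goes into the HTTP response (it is what the visitor sees), and that the way to "return to wherever" is to redirect or send a 403 and then exit, because otherwise PHP keeps going and sends the rest of the page. Copying the login status into sessionStorage, as post 19 considers, would not help: anything in the browser is readable and editable by the visitor, so the decision must use the server-side $_SESSION only. The guard below is an added example, not Gilbert's code or a reply from the thread; the file name, the home page path and the session keys userLogStatus and userUserLevel (which the posts mention) are assumptions.

```php
<?php
// requireLevel.php - added example (not from the original posts).
// Included at the very top of every protected page, before any HTML output.
declare(strict_types=1);

function requireLevel(int $required): void
{
    // Each request needs the session; starting it twice would warn.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $loggedIn = ($_SESSION['userLogStatus'] ?? '') === 'loggedIn';
    $level    = (int)($_SESSION['userUserLevel'] ?? 0); // stored as a string digit at login

    if (!$loggedIn) {
        // Not logged in: send the visitor to the home page and stop here.
        // exit is the "return" the post asks about; without it the page below
        // this include would still be sent.
        header('Location: /index.php');
        exit;
    }
    if ($level < $required) {
        http_response_code(403);
        // This text becomes the body of the response, i.e. what the browser shows.
        echo 'You do not have permission to view this page';
        exit;
    }
}

// Usage at the top of incomelevel.php (assumed name), before <!DOCTYPE html>:
//   require_once __DIR__ . '/requireLevel.php';
//   requireLevel(4);
```

One practical consequence for post 20: a plain checkswritten.html is served by the web server without running PHP, so pages that need this check have to be .php files (or be served through a PHP script); the links being visible in the HTML is then harmless, because the page itself refuses to render for the wrong user.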
  21. Hi all, I'm trying to wrap my head around the idea of the window object and the document object relationship. I've read some really good explanations in stackoverflow and others. I have a pretty good grasp of it so I tried an experiment. If the window object opens in the browser, and then the document object opens in the window, then if I change the document, will the window object remain the same. I tried make 2 simple html's - in the first I set a variable like window.myVar = "myValue";. I was able to change the value with a button so it was working fine, and then I used an <a> href to change to a different document. I tried to reference the window.myVar but it came back 'undefined'. If you change documents in a window, does the document always come with a new window, or am I doing something wrong here? Like I said, I've read a lot about the window and document object, but I couldn't see that this was addressed. Thank You for any response....
  22. Thanx justsomeguy - I think I've got it now. I've got to read very carefully what is being referred to - the window or browser or page or site. Thanx
  23. I think I understand your point - The following excerpts are from the w3 JS tutorial under jsScope, but I think I read 'web page' as 'web site' in the first one, which would support your answer. But down further are two other excerpts which are confusing me. It says that HTML global variables belong to the window object and remain until the window is closed. The last line of the 3rd quote is what I was basing my hypothesis on. Please set me straight if I'm reading this wrong. Thanks for all your help. In the end, I have nothing against sessionStorage - I'm just trying to understand the scope thing (actually I use Listerine) (chuckle, chuckle) Global JavaScript Variables A variable declared outside a function, becomes GLOBAL. A global variable has global scope: All scripts and functions on a web page can access it. Global Variables in HTML With JavaScript, the global scope is the complete JavaScript environment. In HTML, the global scope is the window object. All global variables belong to the window object. The Lifetime of JavaScript Variables The lifetime of a JavaScript variable starts when it is declared. Local variables are deleted when the function is completed. In a web browser, global variables are deleted when you close the browser window (or tab), but remain available to new pages loaded into the same window.
  24. Hi, I tried a couple of searches and couldn't find a post that compared these 2 forms of storage. I was using sessionStorage in my script to remember information from a Db, but as I was reviewing variable properties and scope, I said to myself Why should I involve sessionStorage when I can just assign the info to a global variable which is accessible to the whole website and goes away when you leave the website, just like a session variable. Is this correct? Are the global variables not as reliable or something? What are the differences, similarities; and what can you recommend to me about this. Thanx a million!
  25. Thank you very much - great explanation! I have programmed in 'normal' languages for some time now, but I have to start thinking in abstracts more with asynchronous stuff going on. I appreciate all the help from good, experienced coders like yourself. Gil