cherri8

i dont have members for it as yet but i did postback test on those offerwall sites. i did change code to match my site. it seems that the server will only allow changes to the database if someone is present on the page and if it's my own site. 

hi when i get postbacks from the outside like mediumpath which is an offerwall, my database doesnt update or select member's info. i didnt use the exact postback below but it's the same idea. it's an example from that site.

if(!empty($_POST)){
	
	define('EvolutionScript', 1);
	define('ROOTPATH',dirname(__FILE__).'/');
	define('INCLUDES',ROOTPATH.'includes/');
	require(INCLUDES.'core.php');
	require_once INCLUDES.'global.php';

	$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
	$transId = isset($_POST['transId']) ? $_POST['transId'] : null;
	$reward = isset($_POST['reward']) ? $_POST['reward'] : null;
	$currency = isset($_POST['currency']) ? $_POST['currency'] : null;
	$signature = isset($_POST['signature']) ? $_POST['signature'] : null;
	$status = isset($_POST['status']) ? $_POST['status'] : null;
	$userIp = isset($_POST['userIp']) ? $_POST['userIp'] : null;
	$campaign_id = isset($_POST['campaign_id']) ? $_POST['campaign_id'] : null;
	$country = isset($_POST['country']) ? $_POST['country'] : null;

	$secret = "[YOUR_WEBSITE/APP_SECRET_KEY]"; // check your app info at www.mediumpath.com

	$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
	$transId = isset($_POST['transId']) ? $_POST['transId'] : null;
	$reward = isset($_POST['reward']) ? $_POST['reward'] : null;
	$signature = isset($_POST['signature']) ? $_POST['signature'] : null;

	if(md5($user_id.$transId.$reward.$secret) != $signature){
		print_r($_POST);
		exit;
	}else{
		$insert = array(
						'user_id' => $user_id,
						'transId' => $transId,
						'reward' => $reward,
						'currency' => $currency,
						'signature' => $signature,
						'status' => $status,
						'userIp' => $userIp,
						'campaign_id' => $campaign_id,
						'country' => $country,
						);
		$insertdb = $db->insert("mediumpathipn", $insert);
		$orderid = $db->lastInsertId();

		$user_info = $db->fetchRow("SELECT * FROM members WHERE id={$user_id}");
		if(!empty($user_info)){
			$set = array(
						'money' => $user_info['money']+$reward,
						);
			$upd = $db->update("members", $set, "id = {$user_id}");
		}
	}
}else{
echo "ERROR: No key founds";
exit;
}

hi i have a little issue. Host server doesn't want to change database when there is incoming info from postbacks. Is there a code to stop this in htaccess or something?. I had a gpt site that had no issues but i didnt create the script and the script was encrypted.

I was just trying to tell you that if there were more questions in the part that I didn't understand that you should rephrase them. The part I didn't understand looked like superfluous information about the first question.

Well I'm sorry. If it will help I'll avoid trying to help you in the future.

WTH = what the heck, I didn't understand the rest of your post except the part about the if/elseif/else.

The number of if/elseif/else nests shouldn't be a problem. I didn't understand WTH the rest of your question was about, maybe I missed the prequel.

hi, I have a question about the code below which has always been on my mind.Is there a limit to how many times I use the elseif(condition) ?.the site only mentions that several blocks of code can be executed but i don't know the amount of code that can't be used.first i'll use the if statement to check if user inputs are empty and in the else statement it would contain more condition statements: in the if(condition) and elseif(condition) i will validate(for these conditions it would show true that there has been an error like for example: the users didn't use a proper email address) user inputs and in the else im plan to put user input in database( since the other conditions aren't true it would be safe to enter user data in database).thanks if (condition){code to be executed if condition is true;}elseif (condition){code to be executed if condition is true;}else{code to be executed if condition is false;}

There's an example here, although it's a bit old and doesn't use best practices (e.g., mysql instead of mysqli, and global variables instead of a class): http://w3schools.inv...?showtopic=9731 mysql_real_escape_string isn't for filtering, it is to make sure the data you're trying to put in the database makes it there and doesn't break the SQL query.

I will look at the codes on the net to understand session handler better

session_set_save_handler() makes session safer when it stores data in database. in shared host the session data is stored in flat files usualy. and all of user/ other sites hosted on that server use same sources. so it is not safer that if that one is compromised your session data will be compromised. saving in db will make it more secure. but that does not makes secure from stealing session id from any user as justsomeguy already stated. you dont have to use session_regenerate_id() unless you want to regenrate id explicitly. when you star a session it checks that any of session cookie or propogated session id is there are not. if its there it resumes to it else it genrate new one. if you want to check against ip and user agent you have to store it in database. there is callback for reading session data in session_set_save_handler() in that function you have to check the ip an user agent and session id combo. when it matches make the data read. same with write callback. you should check the link jsg posted to get the idea. when you use to check integrety of session using $_SESSION['PREV_REMOTEADDR'] here it already read the data from the current activated session. you have to do the checking before it read. that is what for session_set_save_handler() for. it let you customize session behaviour

Or a hash of the IP address plus user agent string.

Checking like that and regenerating the ID wouldn't necessarily protect the session. If someone gets a session ID from someone else and puts it in a cookie, the server will look that up and find all of the correct data in the session. If you want to make sure people don't steal other sessions then you should store unique values like the user's IP address and user agent string and compare those each time to make sure they match for the same session. That's still not perfect, but people would at least need to be on the same IP and have the same user agent string in order to steal it.

If you're talking about the session save handler, you can use that to store your session data in a database or somewhere else instead of the default file handling for sessions. There are some examples here that use classes to handle the session functions: http://www.php.net/m...ave-handler.php I'm not sure how regenerating the ID relates to using a custom session handler. You don't need to use a custom handler, you would only do that if you want to use a way to save sessions other than the defaults. It depends where the log is, if it's the system log then it's fine, otherwise it's preferable to use an error log that is not publicly accessible. I prefer to always write errors to a log file, regardless of who is accessing it. Error logging is especially important for ajax development where you may not even see the output of the script. error_reporting(E_ALL);ini_set('error_log', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'error.log');ini_set('html_errors', 0);ini_set('log_errors', 1);ini_set('display_errors', 0); That will set PHP to report all errors in a file called error.log in the same directory as the script. Like I said, it's preferable to save the error log in a location that people can't open it from a browser.

Hi, Session set safe handing is abit confusing for me to use now even though i can get the codes on the net.I will not be able to store sessions in database without the session set safe handler.if I always change session id when users login than i shouldnt have to use session set safe handler? is this code alone good enough to use to change id? .i got the code from wikipedia : //accept only SIDs generated on my serverif (!isset($_SESSION['SERVER_GENERATED_SID'])) { session_destroy(); // destroy all data in session}session_regenerate_id(); // new sid$_SESSION['SERVER_GENERATED_SID'] = true; Are errors safe in the error log on server? and is this code that i got at php.net good enough to use for error logging? my purpose is to not display errors to people. /* 00.00.00.00 is replace with the site owner ip address.*/// Report all PHP errorserror_reporting(-1);if($_SERVER['REMOTE_ADDR']=="00.00.00.00"){ini_set('display_errors','On');}else{ini_set('display_errors','Off');}

Very nice color combo.I like the navigation bar ,it is something i dont really see on websites.In the box called slide one i was expecting to see pics but i guess you plan to put them in later.in my opinion i wouldnt have put contact form with address on the home page but instead interesting info about company and etc.