Jump to content
Larry Ullman's Book Forums

All Activity

This stream auto-updates

  1. Yesterday
  2. Hello! Please explain why to use the constant of an average speed and then let user enter any value of it into the form. Where this value of 65 goes?
  3. Last week
  4. Earlier
  5. Thanks for the nice words and for the interest in my books. It is appreciated! I discuss PDO in my PHP Advanced book, however that was last published in 2013 and I'm sure I didn't cover all the functions. Since you're already using PHP, maybe try giving the PHP manual a go first?
  6. Lol, wow that was it. Literally just not double checking my form action in the HTML section was causing the script to be ran on the old, register.php. At least, I'll now know to double check that aspect, and hopefully won't make this mistake again. I really appreciate your help in figuring out this issue, even though it was a mistake in the HTML form action on my end, at least we were able to get it working. Thanks Again Larry!
  7. Larry, a few years back, I taught myself PHP by using you books. Like the way you present topics. What book covers PDO in detail including all functions? Appreciate the feedback. Don
  8. Ah, okay, so it could definitely be possible that you're just not running the code you think you're running. Specifically: you're still submitting the form to the older version of register.php, which does not mysqli_real_escape_string(). That would solve this mystery.
  9. Hey, I'm going to test that new code you sent later today, but I've been busy on my end. Either way, I was looking into making this a prepared statement, and think I got that aspect figured out, but I noticed something that I think eluded me before. Essentially, we have the register.php for 9.3, originally made without the mysqli_real_escape_string, and at the bottom of which, we have HTML code, that creates the input, using form action="register.php". As I've been working on this, I noticed there was a typo that was displaying at the bottom of my screen, 'jj0j' via HTML. I found that s
  10. Sorry, I should have been more clear. The original else clause for handling the last name is this: } else { $ln = mysqli_real_escape_string($dbc, trim($_POST['last_name'])); } Replace that with what I previously posted and then fill out the form--using an apostrophe in the last name value--and submit the form to see the results. But that mysqli_get_charset() returns nothing is informative already. The problem isn't going to be with your HTML form. The values are getting to PHP fine, they're just not being escaped by mysqli_real_escape_string().
  11. No worries -- I'm cool to keep debugging it. Based on your prior response, I put this code on the page: if($dbc) { echo "$dbc"; } else { echo '<p>Submitted last name: ' . $_POST['last_name'] . '</p>'; echo '<p>Established charset: ' . mysqli_get_charset($dbc) . '</p>'; $ln = mysqli_real_escape_string($dbc, trim($_POST['last_name'])); echo '<p>Processed last name: ' . $ln . '</p>'; } And when I do so, I see this printed: So it prints the HTML elements, but not the information called by PHP. For re
  12. Sorry for the delay; this is a super random issue that I've never seen before. I'm not finding anything relevant in Google searches, either. Yes, you can use prepared statements, which don't use mysqli_real_escape_string() at all. That's totally fine, if not a better end result. If you want to continue debugging this, change your code to this, try it, and let me know what the result is: } else { echo '<p>Submitted last name: ' . $_POST['last_name'] . '</p>'; echo '<p>Established charset: ' . mysqli_get_charset($dbc) . '</p>'; $ln = mysqli_real
  13. Ah, okay. First, you definitely DO NOT store the hashed password in the cookie. The password may be the most important thing to protect, period, especially since users often re-use passwords (i.e., you wouldn't just be compromising their security at your site, you'd be compromising it at other sites potentially as well). "Keep me logged in" is just a matter of extending the session beyond its normal, short length. The specifics of how you do this depend upon how you manage sessions but the basic idea is: 1. Store the session ID in a cookie with a longer expiration. 2. Store th
  14. I need to make a correction to my original question, I meant a "Keep me logged in" function! Do we just store the hashed password in the cookie..?
  15. The premise is pretty simple: if the user checks the "Remember Me" box you send an additional cookie with a longer expiration and a unique identifier. When the user returns, if the cookie still exists, the unique identifier can then be used to pull their username or email address from the database and prepopulate the form with it. In terms of security, just be sure that the cookie value isn't easily reverse-engineered. For example, storing the user's ID or email address or some similar unique identifier in plain text would be the worst possible thing. Storing a hashed version is slightly
  16. I do have an update on this topic, maybe it can help to shed some more light. I double checked my SQL in phpMyAdim -- and my tables have all been collated in utf8_general_ci, but the server collation (in phpMyAdmin) was set to: utf9mb4_unicode_ci. I changed the server collation to match utf8_general_ci, but it looks like the error is still persistent. I also changed the mysqli_set_charset() in mysqli_connnect.php to ...($dbc, 'utf8_general_ci) to see if that would have any affect, but it looks like that's not the case. I also accessed the mySQL from the terminal and could find/edit al
  17. Thanks for the reply, Larry. I double checked my database in myPHP admin, to make sure it's using UTF8, and it says the collation is 'utf8_general_ci' but that's how all my databases have been set up, so I think that's good to go. I fixed the mysqli_connect syntax, but the issue is still happening where I can enter a name w/o an apostrophe, but not one including the special character. I had some issue printing the value of $dbc to confirm it's an object: require('../mysqli_connect.php'); echo "$dbc"; and got the error message: Recoverable fatal error: Object of class mysqli
  18. Hello, I am a new user on these forums, forgive me if I'm in the wrong hood. I am new to the idea of sessions/cookies, and I have implemented chapter 12's session based "login/logout" functions on my website. I am curious what the best practice for implementing "remember-me" functionality entails. I have seen several solutions on the internet, ranging in complexity and age (age of post). I was curious if there's a specifically robust & secure method of implementing this that conforms with design patterns/good security. Regards, David
  19. You have a syntax error in your connection script: "my_sqli_connect..." Working backwords, mysqli_real_escape_string() won't work--won't escape an apostrophe--if it doesn't have access to a database connection with an established CHARSET. To the problem should be either with the database connection or the charset not being set. First, fix the syntax error and then try again. If that doesn't work, print out the value of $dbc to confirm that it's an object. If it has a false value, that's a problem. If you're still not seeing the cause, connect directly to MySQL using the terminal
  20. Okay, in looking at ZF, as of a year ago it's now been converted to an open source project: https://framework.zend.com/blog/2020-01-24-laminas-launch So in a production environment you'd use Laminas mail, not ZF (https://docs.laminas.dev/laminas-mail/). It should be secure and efficient enough and would work in a hosted environment. Another alternative is to use a third-party email service like Mailgun or Sendmail. Both cost money but provide additional features, such as detailed logs, protection from spam (i.e., your mail server being used to send spam), greatly improved success in an em
  21. I am trying to capture user input to use as the criterion in an sql, which will ultimately display the recovered records to the user. However although I can capture the user input and can apply it in an sql against the database and display the results to the user, problems arise if pagination is applied to the activeDataProvider. When multiple records are displayed and the view allows the user to display further results, instead of displaying those further results the user is returned to the initial user input view. I have tried ‘sqlDataProvider’ and 'activeDataProvider’ but always
  22. Qu 1: What I mean, is zend mail secure and efficient enough to be used as a professional email sender in a fully functional ecommerce website? Qu 2: if zend mail is not meant for a professional environment or not secure enough, what professional email sender would you recommend? regards
  23. Hey Larry, Thanks for getting back to me, I really appreciate it. Also, really digging the book, I'm starting to feel much more confident in the PHP and SQL -- the book and forum is very helpful in learning this, and this knowledge has helped me me a ton in my work, so thank you! Regarding your suggestion, I double checked my script, and it has the CHARSET in it, I'll attach that code below. One other thought I had is that it might have something to due with a setting in mySQL. In chapter 7, I can't remember the script, but I got an error, and upon reading the forums, I fou
  24. Ok, that's fine. So would I be able to use the zend mail in a production environment? Meaning, if I upload the whole application to my hosting provider, will i be able to use their smtp/email settings along with the zend mail code you wrote, to implement sending emails using zend mail?
  25. This is very weird. You've done good detective work but it doesn't seem like mysqli_real_escape_string() is doing what it's supposed to be doing. I'm kind of guessing here, but mysqli_real_escape_string() requires that the CHARSET is established. I'd start by making your your MySQL connection script does that. mysqli_set_charset($dbc, 'utf8');
  1. Load more activity
×
×
  • Create New...