Larry Ullman's Book Forums

hacker

Members
  • Posts

    43
  • Joined

  • Last visited

Everything posted by hacker

  1. Larry, I just applied password protection to my admin directory and am now wondering how to log out by means other than restarting the browser. Is there a way to set an inactivity timer in the .htaccess file? Thank you, Hacker
  2. Thank you, Larry. I'm fine... I'm continuing to the second site. Hacker
  3. That's what I was afraid you were going to say. Why then was the following included in ipn.php and ipn_log.php?

     // Require the configuration before any PHP code as the configuration controls error reporting:
     require ('./includes/config.inc.php');
     // The config file also starts the session.

     I'm not trying to be annoying, I'm just trying to learn this stuff with a lot of other stuff going on around me. I'll try to reconcile all that. Thank you, Larry. Hacker
  4. What are the ramifications of inserting the following line of code after the update query to the users table in ipn.php?

     $_SESSION['user_not_expired'] = true;

     In other words, incorporate $_SESSION['user_not_expired'] = true; as the else condition to:

     if (mysqli_affected_rows($dbc) != 1) {
         trigger_error('The user\'s expiration date could not be updated!');
     }

     Thank you for the reply, Larry... Hacker
  5. After creating a successful PayPal Sandbox transaction and returning to thanks.php I'm greeted with the following message echoed to the viewport: "Thank you for your payment! You may now access all of the site's content for the next year! Note: Your access to the site will automatically be renewed via PayPal each year. To disable this feature, or to cancel your account, see the "My preapproved purchases" section of your PayPal Profile page." However, when I try to view the subscription material without first logging out and then logging back in again, I receive the message: "Thank you for your interest in this content. Unfortunately your account has expired. Please renew your account in order to view any of the PDFs listed below." Since the buyer is logged in (just after registering) and has just paid, they should be able to immediately view the subscription material without logging out and in again, shouldn't they? Thank you, Hacker
  6. Well yes but this command either sets $uid to (int) $_POST['custom'] OR zero depending on whether isset($_POST['custom']) is true or false. The next time $uid is used in the script (three lines later) it is placed in the variable "user_id" and stored in the users table. I'm going to create another thread with my testing issue above as the subject. Hacker
  7. Thank you all for the replies. I don't recall using or even opening ipn_log.php; however, I'll come back to this issue later in the day. For now, I'm having trouble with the following: After creating a successful PayPal Sandbox transaction and returning to thanks.php I'm greeted with the following message echoed to the viewport: "Thank you for your payment! You may now access all of the site's content for the next year! Note: Your access to the site will automatically be renewed via PayPal each year. To disable this feature, or to cancel your account, see the "My preapproved purchases" section of your PayPal Profile page." However, when I try to view the subscription material without first logging out and then logging back in again, I receive the message: "Thank you for your interest in this content. Unfortunately your account has expired. Please renew your account in order to view any of the PDFs listed below." I need to figure out why this is happening. Since the buyer is logged in (just after registering) and has just paid, they should be able to immediately view the subscription material. Thanks again, Hacker
  8. Hi Larry... A few lines after the database connection is established in ipn.php, the ternary operator sets $uid to either $uid from register.php or zero, depending on whether a user ID comes back from PayPal in the POST array. My questions are, why would you not check for a $uid > 0 before running the query to insert $uid into the orders table? If zero is an invalid entry into the users table, why would it be OK to insert a $uid equal to zero into the orders table? This doesn't make sense to me; what am I missing here? Thank you, Hacker
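Posts 4, 5, 7 and 8 above all sit on the same trust boundary. The IPN is an HTTP POST that PayPal's own servers make to ipn.php; the buyer's browser, and therefore the buyer's session cookie, is not part of that request, so a $_SESSION['user_not_expired'] = true; written in ipn.php lands in a fresh, unrelated session while the buyer's session still carries the "expired" verdict computed at login. Likewise, (int) $_POST['custom'] turns a missing, empty or non-numeric value into 0 without complaint, and an orders row with user_id 0 references nobody. The following is an added example, not the book's ipn.php: it validates custom before any query, records the order and extends the account in one transaction, and has the protected page consult the database on every request instead of a flag cached at login. It uses an in-memory SQLite database through PDO in place of the book's MySQL/mysqli, keeps only the user_id and date_expires columns, and assumes the verification postback to PayPal has already succeeded. payment_status, receiver_email and txn_id are standard IPN field names; the seller address, dates and IPN bodies are constructed.

```php
<?php
// Added example (not the book's ipn.php). Assumptions: users(user_id, date_expires)
// and orders(user_id, txn_id) as reduced here; SQLite in memory stands in for
// MySQL; the IPN has already been verified with PayPal (cmd=_notify-validate).
declare(strict_types=1);

// The user id carried in the IPN "custom" field, or null when it is missing,
// non-numeric or not >= 1. Unlike (int)$_POST['custom'], "", "abc" and "0"
// are all rejected rather than becoming user 0.
function ipn_user_id(array $post): ?int
{
    if (!isset($post['custom'])) {
        return null;
    }
    $uid = filter_var($post['custom'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

// Only a completed payment to our own receiver address may extend an account.
function ipn_is_completed_payment(array $post, string $expectedReceiver): bool
{
    return ($post['payment_status'] ?? '') === 'Completed'
        && strcasecmp((string)($post['receiver_email'] ?? ''), $expectedReceiver) === 0;
}

function create_schema(PDO $db): void
{
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, date_expires TEXT NOT NULL)');
    $db->exec('CREATE TABLE orders (order_id INTEGER PRIMARY KEY AUTOINCREMENT,
                                    user_id INTEGER NOT NULL, txn_id TEXT NOT NULL UNIQUE)');
}

// Gate for protected pages: reads the expiration date from the database on
// every request, so an update made by PayPal's request (which has no access
// to the buyer's session) is honoured immediately, with no re-login.
function user_has_access(PDO $db, int $uid, string $now): bool
{
    $stmt = $db->prepare('SELECT date_expires > :now FROM users WHERE user_id = :uid');
    $stmt->execute([':now' => $now, ':uid' => $uid]);
    $flag = $stmt->fetchColumn();
    return $flag !== false && (int)$flag === 1;
}

// What ipn.php should do once the IPN is verified.
function process_ipn(PDO $db, array $post, string $expectedReceiver, string $now): bool
{
    $uid = ipn_user_id($post);
    if ($uid === null || !ipn_is_completed_payment($post, $expectedReceiver)) {
        return false;                               // stop before touching the database
    }
    try {
        $db->beginTransaction();
        // UNIQUE txn_id makes a replayed IPN fail here instead of extending the account twice.
        $ins = $db->prepare('INSERT INTO orders (user_id, txn_id) VALUES (:uid, :txn)');
        $ins->execute([':uid' => $uid, ':txn' => (string)($post['txn_id'] ?? '')]);
        $upd = $db->prepare("UPDATE users SET date_expires = date(:now, '+1 year') WHERE user_id = :uid");
        $upd->execute([':now' => $now, ':uid' => $uid]);
        if ($upd->rowCount() !== 1) {
            throw new RuntimeException('expiration date not updated');
        }
        $db->commit();
        return true;
    } catch (Exception $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        return false;
    }
}

// Constructed data: one account whose subscription lapsed long ago, and IPN bodies
// as PayPal would post them (field names are the standard ones, values made up).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
create_schema($db);
$db->exec("INSERT INTO users (user_id, date_expires) VALUES (12, '2010-01-01')");
$today  = '2024-05-01';
$seller = 'seller@example.com';
$common = ['payment_status' => 'Completed', 'receiver_email' => $seller];

var_dump(user_has_access($db, 12, $today));                                                   // before payment
var_dump(process_ipn($db, $common + ['custom' => '0',  'txn_id' => 'T1'], $seller, $today));  // invalid custom
var_dump(process_ipn($db, $common + ['custom' => '12', 'txn_id' => 'T2'], $seller, $today));  // genuine payment
var_dump(user_has_access($db, 12, $today));                                                   // same session, no re-login
var_dump(process_ipn($db, $common + ['custom' => '12', 'txn_id' => 'T2'], $seller, $today));  // replay of T2
```

Run it with php from the command line (the pdo_sqlite extension is all it needs). With this split, thanks.php does not have to touch the session at all: whatever it tells the buyer, the first protected page they open asks the database and gets the date the IPN wrote.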
  9. Larry, If an attempt is made to upload a file with a file size > post_max_size, add_pdf.php produces "undefined index" error messages with respect to the 'pdf' index referenced by $_FILES, and the variable-state messages indicate $_FILES is empty. Under these conditions, how does the switch contained under elseif(!isset($_SESSION['pdf'])) manage to work since $_FILES is empty? Will a default switch condition always work if the variable being tested is NULL? I'm also curious why you changed the line of code in your book just above switch($_FILES['pdf']['error']) from simply else to elseif(!isset($_SESSION['pdf'])) before you made the script available for download. Thank you, Hacker
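Two facts behind post 9 are worth pinning down. First, when the request body exceeds post_max_size PHP discards the whole body: $_POST and $_FILES are empty and no UPLOAD_ERR_* code is set, so the only evidence is the Content-Length header. Second, PHP's switch compares loosely, and null == 0 is true, so switch($_FILES['pdf']['error']) on a missing field does not fall through to default; after the undefined-index notice it matches case UPLOAD_ERR_OK (which is 0) and treats the non-upload as a success. The added example below, not the book's add_pdf.php, orders the checks so neither case is reachable; it assumes the field is named pdf as in the book and that $_SERVER['CONTENT_LENGTH'] is populated (it is under Apache and PHP-FPM). The request arrays are constructed stand-ins for $_SERVER and $_FILES.

```php
<?php
// Added example (not the book's add_pdf.php). Assumptions: form field "pdf",
// $_SERVER['CONTENT_LENGTH'] available; $server and $files below are constructed.
declare(strict_types=1);

// Convert a php.ini shorthand value such as "8M" or "2G" to bytes.
function ini_bytes(string $value): int
{
    $value  = trim($value);
    $unit   = strtoupper(substr($value, -1));
    $number = (int)$value;                       // "8M" casts to 8
    switch ($unit) {
        case 'G': return $number * 1024 ** 3;
        case 'M': return $number * 1024 ** 2;
        case 'K': return $number * 1024;
        default:  return $number;                // plain byte count
    }
}

// A body larger than post_max_size is dropped before the script runs; compare
// the declared length against the limit instead of looking for an error code.
// post_max_size = 0 means unlimited.
function post_too_large(int $contentLength, string $postMaxSize): bool
{
    $limit = ini_bytes($postMaxSize);
    return $limit > 0 && $contentLength > $limit;
}

// Classify an upload from a $_FILES-shaped array. The missing-field case is
// tested explicitly: switch(null) would match UPLOAD_ERR_OK (0) under loose
// comparison, never the default branch.
function upload_status(array $files, string $field = 'pdf'): string
{
    if (!isset($files[$field]['error'])) {
        return 'no-upload';
    }
    switch ($files[$field]['error']) {
        case UPLOAD_ERR_OK:         return 'ok';
        case UPLOAD_ERR_INI_SIZE:   return 'exceeds-upload_max_filesize';
        case UPLOAD_ERR_FORM_SIZE:  return 'exceeds-MAX_FILE_SIZE';
        case UPLOAD_ERR_PARTIAL:    return 'partial';
        case UPLOAD_ERR_NO_FILE:    return 'no-file-selected';
        case UPLOAD_ERR_NO_TMP_DIR:
        case UPLOAD_ERR_CANT_WRITE:
        case UPLOAD_ERR_EXTENSION:  return 'server-error';
        default:                    return 'unknown-error';   // a code this script does not know
    }
}

// The order of checks for a POST to add_pdf.php.
function check_pdf_request(array $server, array $files, string $postMaxSize): string
{
    $length = (int)($server['CONTENT_LENGTH'] ?? 0);
    if ($files === [] && post_too_large($length, $postMaxSize)) {
        return 'post-too-large';                 // body discarded by PHP; $_FILES is empty
    }
    return upload_status($files);
}

// Constructed requests against a constructed post_max_size of 8M.
$limit = '8M';
echo check_pdf_request(['CONTENT_LENGTH' => 9 * 1024 ** 2], [], $limit), PHP_EOL;
echo check_pdf_request(['CONTENT_LENGTH' => 12345], ['pdf' => ['error' => UPLOAD_ERR_OK, 'size' => 12000]], $limit), PHP_EOL;
echo check_pdf_request(['CONTENT_LENGTH' => 12345], ['pdf' => ['error' => UPLOAD_ERR_INI_SIZE]], $limit), PHP_EOL;
echo check_pdf_request(['CONTENT_LENGTH' => 12345], [], $limit), PHP_EOL;
```

In a real script use ini_get('post_max_size') for the limit. The last call shows the remaining ambiguous case: a small request with no pdf field at all, which is a form-tampering or wrong-form situation rather than a size problem, and the explicit isset check is what keeps it out of the 'ok' branch.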
  10. Larry, You betcha... thank you... now I can put the Seppuku knife back in the drawer. Hacker
  11. Check the value of the src attribute within the <script> tags and the location of the app on the server. The executable is tiny_mce.js... did you spell it correctly? As Jonathon has indicated, you need to have mode : "exact", AND elements : "content", somewhere inside <script type="text/javascript">tinyMCE.init({ });</script>. Hacker
  12. Larry, I must have a problem elsewhere in the scripts because I have code like the following stored in the content field of my pages table: <div style=\"position: relative; width: 612px; height: 792px; border: 1px solid #999;\"> Regarding your statement, "...the quotes are not stored in the database...", how is the inline CSS created by TinyMCE going to be displayed correctly when the HTML file is retrieved and displayed by page.html? Inline CSS needs to be written with quotes surrounding the rules. You're absolutely correct, I am missing something here. Hacker P.S. Since I had my hosting company turn off magic_quotes_gpc for my account (earlier this afternoon), I've been able to retrieve (from the pages table) my CSS inline styled HTML pages with the style intact. Now, if I can only edit the HTML pages within your app, Larry, I'll be in business :-) Thanks again for the book.
  13. Granted, I haven't finished chapter five yet; however, why would one go through the trouble of creating an HTML page with TinyMCE and then use mysqli_real_escape_string() to escape the quotation marks around the values of the style attributes of the HTML tags contained in $_POST['content']? This negates all the CSS created by TinyMCE, and when one calls the page through the links under the CONTENT heading (actually through page.php) the HTML page is written without formatting (style). Hacker
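Posts 12 and 13 describe the same symptom from two sides. The backslashes mysqli_real_escape_string() adds are for the SQL parser, which consumes them; the stored value has none, and the style="..." attributes come back exactly as TinyMCE wrote them. Backslashes only end up in the pages table when the input was already slashed before escaping, which is what magic_quotes_gpc did to every request value, and post 12's own P.S. confirms it: turning the setting off made the stored pages come back clean. The added example below (not the book's code) shows both paths with a prepared statement, which is the escaping-free replacement for manual mysqli_real_escape_string() calls. It uses an in-memory SQLite database through PDO instead of MySQL, reduces the pages table to one content column, emulates magic_quotes_gpc with addslashes(), and the TinyMCE markup is constructed.

```php
<?php
// Added example (not the book's code). Assumptions: SQLite in memory stands in
// for MySQL; pages(content) is the only column; addslashes() emulates what
// magic_quotes_gpc did to $_POST before the script ever saw it.
declare(strict_types=1);

// What the script receives when magic_quotes_gpc is on: every quote pre-slashed.
function as_received_with_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Undo magic quotes only when the runtime actually applied them. The function
// is deprecated in 7.4 and removed in PHP 8, hence the guard and the @.
function undo_magic_quotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// A bound parameter is sent separately from the SQL text, so nothing in the
// content needs escaping and nothing extra is stored.
function store_page(PDO $db, string $content): void
{
    $stmt = $db->prepare('INSERT INTO pages (content) VALUES (:content)');
    $stmt->execute([':content' => $content]);
}

function last_page(PDO $db): string
{
    return (string)$db->query('SELECT content FROM pages ORDER BY rowid DESC LIMIT 1')->fetchColumn();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pages (content TEXT NOT NULL)');

// Constructed TinyMCE output with an inline style attribute.
$html = '<div style="position: relative; width: 612px; height: 792px; border: 1px solid #999;">page</div>';

// 1. Clean input through a prepared statement: the quotes survive unchanged.
store_page($db, $html);
$roundTrip = last_page($db);

// 2. The same input as delivered under magic_quotes_gpc and stored as-is:
//    the backslashes become part of the data, i.e. the \"...\" from post 12.
$slashed = as_received_with_magic_quotes($html);
store_page($db, $slashed);
$mangled = last_page($db);

// 3. Strip the slashes first. The demo calls stripslashes() directly because
//    the slashes were added artificially; a real handler calls undo_magic_quotes()
//    so that it strips only when the runtime did slash the input.
store_page($db, stripslashes($slashed));
$repaired = last_page($db);

echo ($roundTrip === $html    ? 'prepared statement kept the markup intact' : 'unexpected'), PHP_EOL;
echo ($mangled   === $slashed ? 'magic quotes left backslashes in the stored page' : 'unexpected'), PHP_EOL;
echo ($repaired  === $html    ? 'stripslashes() restored the original' : 'unexpected'), PHP_EOL;
echo undo_magic_quotes($slashed) === $slashed ? 'this runtime has no magic quotes' : 'magic quotes are on', PHP_EOL;
```

Escaping (or binding) protects the SQL statement; it does nothing for the browser. Whether the stored TinyMCE HTML is safe to echo from page.php is a separate question answered by who is allowed to edit pages, since an author with access to that editor can store any script they like.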
  14. Larry, Thank you for elaborating. In my mind, the server request (i.e., execute add_credits.php with user=12 and credits=100) is contrastive from the actual request which modifies the user's account (i.e., updates the database). Yes, it is clear to me that Alice had no idea what happened at the time of the server request. Thank you for the book! Regards, Hacker
  15. Larry, The subject of security is excruciatingly important to me since I am new at it and would like to get an e-commerce site running that sells physical products and accepts credit cards. On page 45 you cite an example of a CSRF attack which I don't understand. Wouldn't "Bob the hacker" (user=12 in the src url) need to be a registered user on the server running the example site in order to know his user id? Assuming Bob is a registered user, wouldn't this hack be risky for Bob? What am I missing here? Also, in the middle of the page you go on to say that "Bob will never see the results of the request... but hopes that his account gets credited when some authenticated user stumbles upon his code". Seems to me if Bob's account gets credited, he'll definitely see the results of his request. Thank you, Hacker (not to be confused with Bob THE hacker)
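The attack in posts 14 and 15 works like this: Bob registers normally, so user=12 is simply his own account id, and he plants <img src="add_credits.php?user=12&credits=100"> somewhere an authenticated user will load it. Alice's browser fetches that URL with Alice's session cookie attached, the server sees a logged-in request and credits Bob. Bob never receives the HTTP response (it goes to Alice's browser, which discards it as a broken image), which is the sense in which he "never sees the results"; he only notices his balance later. The request was made by Alice's browser from Alice's IP, which is why it is not especially risky for Bob. The added example below, not the book's add_credits.php, shows the handler that trusts the session alone next to one that requires POST and a per-session token; balances are kept in an array and the request arrays are constructed stand-ins for $_GET/$_POST, $_SERVER['REQUEST_METHOD'] and $_SESSION.

```php
<?php
// Added example (not the book's add_credits.php). $session, $get/$post and the
// request method are constructed stand-ins for the PHP superglobals; $balances
// stands in for the users table.
declare(strict_types=1);

// Vulnerable: a state change on GET, authorised by the session cookie alone.
// Any page that embeds <img src="add_credits.php?user=12&credits=100"> makes
// every logged-in visitor's browser send this request on Bob's behalf.
function add_credits_vulnerable(array $session, array $get, array &$balances): bool
{
    if (empty($session['user_id'])) {
        return false;                                   // not logged in
    }
    $target  = (int)($get['user'] ?? 0);
    $credits = (int)($get['credits'] ?? 0);
    if ($target <= 0 || $credits <= 0) {
        return false;
    }
    $balances[$target] = ($balances[$target] ?? 0) + $credits;
    return true;
}

// One random token per session, embedded as a hidden field in the site's own forms.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened: POST only (an <img> tag cannot POST) plus a token that a page on
// another origin cannot read, compared in constant time with hash_equals().
// Authorisation (may this user credit that account at all?) is still a separate
// check that belongs here as well.
function add_credits_hardened(array &$session, string $method, array $post, array &$balances): bool
{
    if ($method !== 'POST' || empty($session['user_id'])) {
        return false;
    }
    $expected = (string)($session['csrf_token'] ?? '');
    $given    = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;                                   // forged or token-less request
    }
    $target  = (int)($post['user'] ?? 0);
    $credits = (int)($post['credits'] ?? 0);
    if ($target <= 0 || $credits <= 0) {
        return false;
    }
    $balances[$target] = ($balances[$target] ?? 0) + $credits;
    return true;
}

// Constructed scenario: Alice (user 7) is logged in and her browser loads Bob's image tag.
$balances = [7 => 0, 12 => 0];
$alice    = ['user_id' => 7];
$forged   = ['user' => '12', 'credits' => '100'];

var_dump(add_credits_vulnerable($alice, $forged, $balances));          // the <img> request
var_dump(add_credits_hardened($alice, 'GET',  $forged, $balances));    // same request, hardened handler
var_dump(add_credits_hardened($alice, 'POST', $forged, $balances));    // cross-site form, no token
$ownForm = $forged + ['csrf_token' => csrf_token($alice)];
var_dump(add_credits_hardened($alice, 'POST', $ownForm, $balances));   // submitted from the site's own form
printf("Bob's balance: %d\n", $balances[12]);
```

The token only helps if the site never echoes it into a page an attacker can read (no cross-origin leaks) and if every state-changing endpoint checks it; a single GET endpoint left over is enough to revive the image-tag trick.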
  16. Thank you, Larry. So, MySQLi_STMT::insert_id() and mysqli_stmt_insert_id() are interchangeable and case-insensitive? Thanks again, Hacker
  17. Here's all I was able to find with a very confusing USER CONTRIBUTED NOTE: http://www.php.net/manual/en/mysqli-stmt.insert-id.php Also, what is the significance of the :: notation; i.e., mysqli_stmt::insert_id? My concern is this function's level of support. Hacker
  18. Can someone please explain why the function mysqli_stmt_insert_id(), used in chapter 17, is currently not documented in the PHP Manual? Thank you, Hacker