Larry Ullman's Book Forums

hacker

Posts posted by hacker

  1. The ramifications are that adding that line will cause an error. As I say in the part you quoted just before that, the user isn't accessing ipn.php; a PayPal process is. So there is no session established in the ipn.php script...

     

    That's what I was afraid you were going to say. Why then was the following included in ipn.php and ipn_log.php?

     

    // Require the configuration before any PHP code as the configuration controls error reporting:

    require ('./includes/config.inc.php');

    // The config file also starts the session.

     

    I'm not trying to be annoying, I'm just trying to learn this stuff with a lot of other stuff going on around me.

     

    ...let alone a session for any particular user. Put another way, although it's the user going through PayPal that causes the ipn.php script to be accessed to update that user's account, the actual request of the ipn.php script is an entirely separate process from what the user is doing.

     

    I'll try to reconcile all that.

     

    Thank you Larry,

    Hacker

  2. Well, yes, but...

     

    The issue is that a session var reflects the user's expiration. Until the user pays, the expiration is in the past. Once the user pays, the expiration gets updated to the future. The problem is that the official notice of the account being activated is through the IPN script, not thanks.php. The IPN script cannot change the user's session value because the user isn't accessing the IPN script.

     

    What are the ramifications to inserting the following line of code after the update query to the users table in ipn.php?

     

    $_SESSION['user_not_expired'] = true;

     

    In other words, incorporate $_SESSION['user_not_expired'] = true; as the else condition to:

     

    if (mysqli_affected_rows($dbc) != 1) {
        trigger_error('The user\'s expiration date could not be updated!');
    }

     

    You could have thanks.php change the session value, but that could make the site vulnerable for fraud as it will assume that the user paid. You could have thanks.php re-select the expiration from the database and update the session value, but that will only be meaningful if it's done AFTER the IPN script runs, and there's no guarantee which will happen first.

     

    You could try re-checking expired dates when the user goes to view content, in the hope that by then the IPN script will have done its thing.

     

    Basically, this is one of those situations where there are a couple of options, each with its plusses and minuses, and you just need to decide for yourself what you're most comfortable with.

     

    Thank you for the reply Larry...

    Hacker
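A worked illustration of the option described last in the reply quoted above (re-checking the expiration when the user goes to view content), added here as an editorial example; it is not code from the book or from Larry's reply. It uses SQLite in memory in place of MySQL, a `date_expires` column and a `user_not_expired` session flag as assumed names, and passes the session in as an array so the file runs from the command line:

```php
<?php
// Added example (not the book's code): a content gate that tolerates the race
// between thanks.php and PayPal's IPN request. SQLite in memory stands in for
// MySQL only so the file runs offline; replace it with the site's own connection.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, date_expires TEXT NOT NULL)');
// Constructed row: user 12 has registered but not paid, so the expiration is in the past.
$db->exec("INSERT INTO users (id, date_expires) VALUES (12, '2000-01-01')");

// The part ipn.php can do: extend the expiration in the database. It cannot
// touch the buyer's $_SESSION, because PayPal's server, not the buyer's
// browser, is the client making the request (no session cookie, no session).
function ipn_extend_expiration(PDO $db, int $uid, string $newExpires): bool
{
    $stmt = $db->prepare('UPDATE users SET date_expires = :exp WHERE id = :id');
    $stmt->execute([':exp' => $newExpires, ':id' => $uid]);
    return $stmt->rowCount() === 1;
}

// The content page: trust a positive "not expired" flag in the session, but
// never treat a negative one as final. When the flag says expired, re-read the
// database (the IPN may have landed since login) and cache only a positive
// answer. The buyer therefore never has to log out and back in.
function user_has_access(PDO $db, int $uid, array &$session, string $today): bool
{
    if (!empty($session['user_not_expired'])) {
        return true;
    }
    $stmt = $db->prepare('SELECT date_expires FROM users WHERE id = :id');
    $stmt->execute([':id' => $uid]);
    $expires = $stmt->fetchColumn();
    if ($expires !== false && $expires > $today) {   // ISO dates compare correctly as strings
        $session['user_not_expired'] = true;          // cache the positive case only
        return true;
    }
    return false;
}

// Simulated timeline. thanks.php is deliberately absent: the return URL is
// reached by the buyer's browser and proves nothing about payment, so it must
// not be what flips the flag.
$session = ['user_id' => 12, 'user_not_expired' => false];
$today   = '2024-06-01';

var_dump(user_has_access($db, 12, $session, $today));  // checked before the IPN lands
ipn_extend_expiration($db, 12, '2025-06-01');           // PayPal's separate request arrives
var_dump(user_has_access($db, 12, $session, $today));  // checked again: DB re-read, flag cached
var_dump($session['user_not_expired']);                 // later requests skip the query
```

The cost is one extra SELECT per request from a user whose flag is still negative; once the IPN has landed the flag flips and the query is skipped. Caching only the positive result is what keeps thanks.php, which any buyer can reach by hand, out of the decision.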

  3. After creating a successful PayPal Sandbox transaction and returning to thanks.php I'm greeted with the following message echoed to the viewport:

     

    "Thank you for your payment! You may now access all of the site's content for the next year! Note: Your access to the site will automatically be renewed via PayPal each year. To disable this feature, or to cancel your account, see the "My preapproved purchases" section of your PayPal Profile page."

     

    However, when I try to view the subscription material without first logging out and then logging back in again, I receive the message:

     

    "Thank you for your interest in this content. Unfortunately your account has expired. Please renew your account in order to view any of the PDFs listed below."

     

    Since the buyer is logged in (just after registering) and has just paid, they should be able to immediately view the subscription material without logging out and in again, shouldn't they?

     

    Thank you,

    Hacker

  4. Let me see if I can get close. The line I think you are looking at is:

     

    $uid = (isset($_POST['custom'])) ? (int) $_POST['custom'] : 0;

     

     

    Well, yes, but this command either sets $uid to (int) $_POST['custom'] OR zero depending on whether isset($_POST['custom']) is true or false. The next time $uid is used in the script (three lines later) it is placed in the variable "user_id" and stored in the users table.

     

    I'm going to create another thread with my testing issue above as the subject.

     

    Hacker

  5. Thank you all for the replies. I don't recall using or even opening ipn_log.php; however, I'll come back to this issue later in the day. For now, I'm having trouble with the following:

     

    After creating a successful PayPal Sandbox transaction and returning to thanks.php I'm greeted with the following message echoed to the viewport:

     

    "Thank you for your payment! You may now access all of the site's content for the next year! Note: Your access to the site will automatically be renewed via PayPal each year. To disable this feature, or to cancel your account, see the "My preapproved purchases" section of your PayPal Profile page."

     

    However, when I try to view the subscription material without first logging out and then logging back in again, I receive the message:

     

    "Thank you for your interest in this content. Unfortunately your account has expired. Please renew your account in order to view any of the PDFs listed below."

     

    I need to figure out why this is happening. Since the buyer is logged in (just after registering) and has just paid, they should be able to immediately view the subscription material.

     

    Thanks again,

    Hacker

  6. Hi Larry...

     

    A few lines after the database connection is established in ipn.php, the ternary operator sets $uid to either $uid from register.php or zero, depending on whether a user ID comes back from PayPal in the POST array.

     

    My questions are, why would you not check for a $uid > 0 before running the query to insert $uid into the orders table? If zero is an invalid entry into the users table, why would it be OK to insert a $uid equal to zero into the orders table? This doesn't make sense to me, what am I missing here?

     

    Thank you,

    Hacker
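An added example, not the book's ipn.php, of the guard this post and the one above it ask about: the `custom` value is cast exactly as the book does, but a zero or negative result, an unknown user and a replayed transaction are each refused before anything is inserted into `orders`. The table layout, the `txn_id`/`mc_gross` fields and the in-memory SQLite database are assumptions made so the file runs offline:

```php
<?php
// Added example (not the book's ipn.php): validate the user ID that PayPal
// echoes back in the 'custom' field before an order row is written. Table and
// field names are assumed; SQLite in memory is used only so the file runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY)');
$db->exec('CREATE TABLE orders (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL,
    txn_id TEXT NOT NULL UNIQUE,
    amount TEXT NOT NULL)');
$db->exec('INSERT INTO users (id) VALUES (12)');   // constructed: the only real user

// Called only after the IPN has been validated with PayPal. Returns a short
// status string so the caller can log the rejected cases.
function record_ipn(PDO $db, array $post): string
{
    // Same cast as the book, but a non-positive result is refused, not stored.
    $uid = isset($post['custom']) ? (int) $post['custom'] : 0;
    if ($uid <= 0) {
        return 'bad_uid';
    }
    // Zero is not the only bad value: 'custom' is echoed from a form field the
    // buyer could have edited, so it may name a user that does not exist.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE id = :id');
    $stmt->execute([':id' => $uid]);
    if ($stmt->fetchColumn() === false) {
        return 'unknown_user';
    }
    // PayPal may resend an IPN; the UNIQUE txn_id stops a replay from recording twice.
    try {
        $ins = $db->prepare('INSERT INTO orders (user_id, txn_id, amount) VALUES (:uid, :txn, :amt)');
        $ins->execute([
            ':uid' => $uid,
            ':txn' => (string) ($post['txn_id'] ?? ''),
            ':amt' => (string) ($post['mc_gross'] ?? '0'),
        ]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // SQLSTATE integrity-constraint violation
            return 'duplicate';
        }
        throw $e;
    }
    return 'recorded';
}

// Constructed IPN bodies: one good, then the shapes a check must reject.
$cases = [
    'good'     => ['custom' => '12',  'txn_id' => 'TXN-1', 'mc_gross' => '10.00'],
    'missing'  => ['txn_id' => 'TXN-2', 'mc_gross' => '10.00'],
    'zero'     => ['custom' => '0',   'txn_id' => 'TXN-3', 'mc_gross' => '10.00'],
    'junk'     => ['custom' => 'abc', 'txn_id' => 'TXN-4', 'mc_gross' => '10.00'],
    'nonexist' => ['custom' => '999', 'txn_id' => 'TXN-5', 'mc_gross' => '10.00'],
    'replay'   => ['custom' => '12',  'txn_id' => 'TXN-1', 'mc_gross' => '10.00'],
];
foreach ($cases as $name => $post) {
    printf("%-9s => %s\n", $name, record_ipn($db, $post));
}
```

Note that `(int) 'abc'` is 0 in PHP, so the "junk" case and the "zero" case are indistinguishable after the cast; that is why the check is on the cast result rather than on `isset()` alone.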

  7. Larry,

     

    If an attempt is made to upload a file with a file size > post_max_size, add_pdf.php produces "undefined index" error messages with respect to the 'pdf' index referenced by $_FILES; and, the variable state messages indicate $_FILES is empty. Under these conditions, how does the switch contained under elseif(!isset($_SESSION['pdf'])) manage to work since $_FILES is empty? Will a default switch condition always work if the variable being tested is NULL?

     

    I'm also curious why you changed the line of code in your book just above switch($_FILES['pdf']['error']) from simply else to elseif(!isset($_SESSION['pdf'])) before you made the script available for download.

     

    Thank you,

    Hacker
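On the two questions above, as an added example rather than the book's add_pdf.php: when the body exceeds post_max_size PHP drops it entirely, so `$_FILES['pdf']` never exists, and a `switch` on the missing value does not reach `default`, because `switch` compares loosely and `null == 0` (the value of UPLOAD_ERR_OK) is true in PHP. The request and file arrays below are constructed stand-ins for `$_SERVER` and `$_FILES`, and the limit string stands in for `ini_get('post_max_size')`:

```php
<?php
// Added example (not the book's add_pdf.php): detect a POST that exceeded
// post_max_size before reading $_FILES['pdf'], and show why a switch on a
// missing upload error code does not fall through to default. The $server /
// $files arrays below are constructed stand-ins for $_SERVER and $_FILES.
declare(strict_types=1);

// Convert php.ini shorthand such as "8M" or "512K" to bytes.
function ini_bytes(string $value): int
{
    $value = trim($value);
    $num   = (int) $value;
    return match (strtoupper(substr($value, -1))) {
        'G'     => $num * 1024 ** 3,
        'M'     => $num * 1024 ** 2,
        'K'     => $num * 1024,
        default => $num,
    };
}

// When Content-Length exceeds post_max_size PHP discards the whole body:
// $_POST and $_FILES arrive empty, and there is no error entry to switch on.
// The request can still be recognised from its method and declared length.
function post_too_large(array $server, array $post, array $files, string $postMaxSize): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && $post === [] && $files === []
        && (int) ($server['CONTENT_LENGTH'] ?? 0) > ini_bytes($postMaxSize);
}

// switch() compares loosely, and null == 0 in PHP, so a missing error code
// matches case UPLOAD_ERR_OK (which is 0) rather than default.
function loose_switch(mixed $code): string
{
    switch ($code) {
        case UPLOAD_ERR_OK:       return 'UPLOAD_ERR_OK';
        case UPLOAD_ERR_INI_SIZE: return 'UPLOAD_ERR_INI_SIZE';
        case UPLOAD_ERR_NO_FILE:  return 'UPLOAD_ERR_NO_FILE';
        default:                  return 'default';
    }
}

// The guarded version: read the code with a null default, reject it
// explicitly, and compare strictly (match) for the real codes.
function classify_upload(array $files): string
{
    $code = $files['pdf']['error'] ?? null;
    if (!is_int($code)) {
        return 'no upload data (body discarded or field absent)';
    }
    return match ($code) {
        UPLOAD_ERR_OK        => 'file received',
        UPLOAD_ERR_INI_SIZE,
        UPLOAD_ERR_FORM_SIZE => 'file too large',
        UPLOAD_ERR_NO_FILE   => 'no file chosen',
        default              => 'upload error ' . $code,
    };
}

// Constructed request: a 12 MB body against an 8M limit.
$server = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => (string) (12 * 1024 ** 2)];
$post   = [];
$files  = [];
$limit  = '8M';   // in production: ini_get('post_max_size')

var_dump(post_too_large($server, $post, $files, $limit));
echo loose_switch($files['pdf']['error'] ?? null), PHP_EOL;   // the trap
echo classify_upload($files), PHP_EOL;                        // the guarded check
```

Run `post_too_large()` before anything touches `$_FILES`; it is the only signal left once PHP has thrown the body away, and it also removes the "undefined index" notices, since the code path that reads `$_FILES['pdf']` is never reached.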

  8. Hi

     

    I have been following your book and up to add_page.php. I have it working but tiny_mce doesn't load up. It only shows the content box with nothing inside. I've checked the source link and it's correct and I have also downloaded the latest tiny mce. My base URL is ('BASE_URL', 'localhost/');

     

    Please help

     

    Thanks

     

    Check the value of the src attribute within the <script> tags and the location of the app on the server. The executable is tiny_mce.js... did you spell it correctly? As Jonathon has indicated, you need to have mode : "exact", AND elements : "content", somewhere inside <script type="text/javascript">tinyMCE.init({ });</script>.

     

    Hacker

  9. Larry,

     

    I must have a problem elsewhere in the scripts because I have code like the following stored in the content field of my pages table:

     

    <div style=\"position: relative; width: 612px; height: 792px; border: 1px solid #999;\">

     

    Regarding your statement, "...the quotes are not stored in the database...", how is the inline CSS created by TinyMCE going to be displayed correctly when the HTML file is retrieved and displayed by page.html? Inline CSS needs to be written with quotes surrounding the rules. You're absolutely correct, I am missing something here.

     

    Hacker

     

    P.S. Since I had my hosting company turn off magic_quotes_gpc for my account (earlier this afternoon), I've been able to retrieve (from the pages table) my CSS inline styled HTML pages with the style intact. Now, if I can only edit the HTML pages within your app Larry, I'll be in business :-) Thanks again for the book.

  10. Granted, I haven't finished chapter five yet; however, why would one go through the trouble of creating an HTML page with TinyMCE and then use mysqli_real_escape_string() to escape the quotation marks around the values of the style attributes of the HTML tags contained in $_POST['content']? This negates all the CSS created by TinyMCE and when one calls the page through the links under the CONTENT heading, (actually thru page.php) the HTML page is written without formatting (style).

     

    Hacker

  11. Larry,

     

    Thank you for elaborating. In my mind, the server request (i.e., execute add_credits.php with user=12 and credits=100) is contrastive from the actual request which modifies the user's account (i.e., updates the database). Yes, it is clear to me that Alice had no idea what happened at the time of the server request.

     

    Thank you for the book!

     

    Regards,

    Hacker

  12. Larry,

     

    The subject of security is excruciatingly important to me since I am new at it and would like to get an e-commerce site running that sells physical products and accepts credit cards. On page 45 you cite an example of a CSRF attack which I don't understand. Wouldn't "Bob the hacker" (user=12 in the src url) need to be a registered user on the server running the example site in order to know his user id? Assuming Bob is a registered user, wouldn't this hack be risky for Bob? What am I missing here? Also, in the middle of the page you go on to say that "Bob will never see the results of the request... but hopes that his account gets credited when some authenticated user stumbles upon his code". Seems to me if Bob's account gets credited, he'll definitely see the results of his request.

     

    Thank you,

    Hacker (not to be confused with Bob THE hacker :) )
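To make the page-45 attack concrete, here is an added example (not the book's code; add_credits.php itself is not shown on this page) with the handler in a vulnerable and a hardened form. Alice is logged in; her browser fetches the image Bob embedded, and because the browser attaches her session cookie the request runs as her. Names, balances and the request arrays are assumed:

```php
<?php
// Added example (not the book's add_credits.php, which is not shown on this
// page): the same credit-granting handler written twice, once open to the
// forged-request attack described above and once guarded by a per-session
// token. Names, the in-memory "database" and the request arrays are assumed.
declare(strict_types=1);

$credits = [5 => 0, 12 => 0];   // constructed balances: Alice is user 5, Bob is user 12

// Vulnerable: acts on any request that arrives with a logged-in session.
// The browser attaches Alice's session cookie to the <img src=...> request
// Bob planted, so this runs as Alice even though she never saw it happen.
function add_credits_vulnerable(array $request, array $session, array &$credits): string
{
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    $user   = (int) ($request['user'] ?? 0);
    $amount = (int) ($request['credits'] ?? 0);
    if (!isset($credits[$user]) || $amount <= 0) {
        return 'bad input';
    }
    $credits[$user] += $amount;
    return "credited $amount to user $user";
}

// Hardened: POST only, and the form must echo back a random token that only
// a page served inside Alice's own session could have contained. A cross-site
// <img> or <form> cannot read that token, so the forged request fails.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function add_credits_hardened(string $method, array $post, array $session, array &$credits): string
{
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    if ($method !== 'POST') {
        return 'rejected: state change must be a POST';
    }
    $sent = (string) ($post['token'] ?? '');
    if ($sent === '' || !hash_equals($session['csrf_token'] ?? '', $sent)) {
        return 'rejected: missing or wrong CSRF token';
    }
    $user   = (int) ($post['user'] ?? 0);
    $amount = (int) ($post['credits'] ?? 0);
    if (!isset($credits[$user]) || $amount <= 0) {
        return 'bad input';
    }
    $credits[$user] += $amount;
    return "credited $amount to user $user";
}

// Alice's session as the server sees it when her browser fetches Bob's image.
$aliceSession = ['user_id' => 5];
$forged = ['user' => '12', 'credits' => '100'];   // the query string from Bob's <img src>

echo add_credits_vulnerable($forged, $aliceSession, $credits), PHP_EOL;      // Bob's account is credited
echo add_credits_hardened('GET', $forged, $aliceSession, $credits), PHP_EOL;  // refused on method
echo add_credits_hardened('POST', $forged, $aliceSession, $credits), PHP_EOL; // refused: no token

// A legitimate submission from a form rendered inside Alice's session carries the token.
$token = csrf_token($aliceSession);
$legit = ['user' => '5', 'credits' => '10', 'token' => $token];
echo add_credits_hardened('POST', $legit, $aliceSession, $credits), PHP_EOL;
print_r($credits);
```

Two points the example makes that the prose on page 45 leaves implicit: the forged request carries Alice's cookie because browsers send cookies on every request to the site regardless of which page embedded the link, and the token works only because it is compared against the copy stored in the server-side session, never against anything the request itself supplies. The `hash_equals()` call keeps the comparison constant-time.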
