Larry Ullman's Book Forums

Edward

Members
  • Posts: 1115
  • Joined
  • Last visited
  • Days Won: 27

Everything posted by Edward

  1. Yes, I got everything to work, including the sessions. The issue I had with sessions was that I had used my live website for the redirect function and not my localhost where I was testing. I have the remaining pages to make: login.php, change password, and reset password. I don't think I will have any problems now. But still, how do you know you need exactly 32 for the VARBINARY? I am confused there; I searched online but I am not seeing that.
  2. pass VARBINARY(32) NOT NULL
    Can you explain why you have used VARBINARY(32)? I checked SHA256 and it produces 64 hexadecimal characters. But what I don't understand is why the value stored in VARBINARY in my database looks like this: c73863752feb895c30cb9e6978d7624d7542712ae17c8b505c5c5c225c5a1762. Why is a VARBINARY value not stored as zeros and ones? The number I have looks like hexadecimal. I created my password using this code:
    return $mysqli->real_escape_string(hash_hmac('sha256', $password, '*^%#$567644#', true));
  3. Replace the first line with this:
    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    There is a parse error on this line also:
    body = "Name: ($POST['name']}\n\nComments: {$_POST['description']}";
    Replace it with:
    $body = "Name: {$_POST['name']}\n\nComments: {$_POST['description']}";
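On the VARBINARY(32) question in the two posts above, an added example that is neither the poster's code nor the book's: it shows that hash_hmac() with raw output returns 32 bytes (the 64-character value phpMyAdmin displays is the hexadecimal encoding of those same 32 bytes), and it stores and verifies the digest through bound parameters instead of real_escape_string(). It assumes PHP 7 or later, an open mysqli connection in $mysqli, a user table with columns email and pass VARBINARY(32), and a placeholder HMAC_KEY constant; the key in the post above is hard-coded in the source file, which is the first thing to move into configuration.

```php
<?php
// Added example, not the poster's code: why a raw SHA-256 HMAC fits VARBINARY(32),
// and how to store and check it with bound parameters instead of real_escape_string().
// Assumptions: PHP 7+, an open mysqli connection $mysqli, a `user` table with
// columns email and pass VARBINARY(32). HMAC_KEY is a placeholder; load the real
// key from configuration outside the web root, never from the source file.

const HMAC_KEY = 'placeholder-load-from-config';

function hashPassword(string $password): string
{
    // raw_output = true returns the 32 digest bytes. With false you get the
    // 64-character hexadecimal encoding of the same 32 bytes, which is also what
    // phpMyAdmin shows for a binary column because raw bytes are not printable.
    return hash_hmac('sha256', $password, HMAC_KEY, true);
}

$raw = hashPassword('correct horse battery staple');    // constructed input
$hex = bin2hex($raw);
printf("raw digest: %d bytes, hex form: %d characters\n", strlen($raw), strlen($hex));

function storePassword(mysqli $mysqli, string $email, string $password): bool
{
    $digest = hashPassword($password);
    // A raw digest can contain quotes, backslashes and NUL bytes. Escaping it with
    // real_escape_string() and then binding it stores the escaped bytes (possibly
    // more than 32 of them), and the later comparison fails. Bound parameters need
    // no escaping. Type 's' is fine for short binary values; 'b' expects send_long_data().
    $stmt = $mysqli->prepare('UPDATE user SET pass = ? WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $digest, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function checkPassword(mysqli $mysqli, string $email, string $password): bool
{
    $stmt = $mysqli->prepare('SELECT pass FROM user WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = ($stmt->fetch() === true);
    $stmt->close();
    // hash_equals() (PHP 5.6+) compares in constant time, so a wrong password takes
    // the same time whether its digest differs in the first byte or the last.
    return $found && hash_equals($stored, hashPassword($password));
}
```

A caveat on the scheme itself: an HMAC with one site-wide key is not a salted, slow password hash. Two users with the same password get the same 32 bytes, and SHA-256 is fast enough that a leaked table plus the key can be brute-forced at high speed. On PHP 5.5 and later, password_hash() and password_verify() (bcrypt) are the better choice; they produce a self-describing text string, so the column would then be VARCHAR(255) rather than VARBINARY(32).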
  4. No point in making an unanswered post, better off to delete it like my other sessions post.
  5. No point in making an unanswered post, better off to delete it like my other sessions post.
  6. No point in making an unanswered post, better off to delete it like my other sessions post.
  7. Edward

    My Project Diary

    Thursday, August 09, 2012 Today I have cleared up the 5 problems I set for myself yesterday. It was funny blocking the inappropriate words, but I thought a little more about this later and realised, hmm, what about swear words in other languages, like German, French or Spanish? Well, I will come back to do those later on. Actually, I am starting to keep a record of notes now for improvements or things that will need to be worked on a little later on this site. I was watching a Facebook video last night and I like their comment "Done is better than Perfect", so that has helped me to understand and define a goal for my own work. You may have noticed I have not discussed JavaScript or jQuery; yes, I do know of these and what they are for, but I will be honest with you, I have a big site to finish and I can't put a time frame on finishing version 1. PHP alone is taking a lot of time, especially with the validation and error message CSS classes, and firstly I would like to complete the whole site with as much PHP as I can. My website will need some JavaScript; for example, I need to make a category selector for loading in products. Firstly I was going to start off with a top level of categories, then later work on a jQuery dynamic category selector before the site was launched. The activate.php page is now 100%, but you know what, I gave the register page a rerun and guess what, I got a system error showing on the registration page after the 1st person had signed up. So what I did is I put error messages in to indicate which MySQL table was having a problem, and found it to be the user table and the error message "Duplicate entry '' for key 'username'". Wow, isn't that interesting; yes, I set both the username and email in the users table to be unique and it was showing that it wouldn't accept an unfilled value for username twice, indicating it is a duplicate.
I don't see what I can really do to fix this, so what I have done is rewritten my table SQL and now just left email as unique only; that fixes the problem. And I have a uniqueness check already set to check for username on the activate.php page, where the user will need to select their username. After completing the activation page, the user will be redirected to the index.php page, for now logged in, with their session and cookies. These parts I need to work on now, including the login page, logout, and password reset. I will just be using normal sessions now to figure out how this stuff works as it's my first time; later I plan on being more secure and moving my sessions into the database.
  8. If I was you, I would check out SendGrid.com; this would be a much better solution. SendGrid will allow your emails to be passed to Yahoo and other email providers like Gmail and Hotmail, for only a small monthly cost.
  9. Probably better to get it working on a live host; you can get the localhost to send emails, but it's a lot of work setting it up. Have you got a live server to test on?
  10. I was reading stuff about this last night; you can make a database_connections array and store your connections in that one array, then reference each with a key.
  11. No point in making an unanswered post, better off to delete it like my other sessions post.
  12. Edward

    My Project Diary

    Wednesday, August 08, 2012 Antonio, yes, writing code like this is my first time; I have written some small parts to test from Larry's PHP and MySQL 4th Edition. By the way, thank you, it means a lot to me, that statement coming from you. Long way to go yet; either I make my own MVC framework, which right now looks to me like the best way, or otherwise use Yii, which is probably better if you are a web designer and just need it for the speed of getting jobs done. I was listening to Mark Zuckerberg saying he coded his first version of Facebook in just two weeks; he probably did an MVC straight off, as he was doing a Computer Science degree. Another thing that is interesting about Facebook is the hackathon, in which they have to stay up all night and hack some new app together; that's insane. Finally, back to my project: the activation form is now nearly complete. I have managed to get a prepared statement working, which I was having trouble with yesterday as there was little documentation on how to do it. Here it is:
    // Update user account with username and password
    $q = "UPDATE user SET username=?, pass=?, activation_code=NULL, registration_date=NOW() WHERE (email=? AND activation_code=?) LIMIT 1";
    // UPDATE user SET username='$username', pass='$password', activation_code=NULL, registration_date=NOW() WHERE (email='$email' AND activation_code='$activation_code') LIMIT 1;
    // UPDATE user SET activation_code='6de7628917d6beb0c0217acb4874fcf0' WHERE email='email@gmail.com' LIMIT 1;
    // Prepare the statement:
    $stmt = $mysqli->prepare($q);
    // Bind the variables:
    $stmt->bind_param('ssss', $username, $password, $email, $activation_code);
    // Execute the query:
    $stmt->execute();
    One thing I have done here in my code which is quite useful is to leave the standard SQL statement commented in. You see, earlier I had a problem with the prepared statement, so I decided to check the SQL in phpMyAdmin to make sure it passed; I did find an error, as I had renamed one of the database fields wrongly, so I fixed it.
So now I've left those SQL statements commented in my PHP script just in case I have to do some later testing. I have had a bit of a half day today, as I worked straight the last three days and my brain is a little clustered; coffee is not helping right now. There are a few things that need to be done on the activation page:
    1. Username should not contain any inappropriate words (I think you can guess the type I am talking about), so these need to be placed into an array and later used in a preg_match.
    2. The password must not contain the username; this must also be checked and blocked to increase security for the user.
    3. The password will need to be hashed, so I can modify Larry's example slightly for this; I was going to use SHA256 for encrypting with a hashing algorithm.
    4. Username will need to be converted into lowercase letters before being entered into the database; I will use a MySQL function to do this.
    5. Username must not contain the website brand name.
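Items 1, 2, 4 and 5 of the checklist above, as one added validation function that is not the diary author's code (item 3, hashing, happens at storage time and is a separate step). BLOCKED_WORDS and BRAND_NAME are placeholders; a real word list would be loaded from configuration. It assumes PHP 7 or later and that usernames are restricted to ASCII letters, digits and underscores.

```php
<?php
// Added example, not the diary author's code: items 1, 2, 4 and 5 of the list
// above as one validation function. BLOCKED_WORDS and BRAND_NAME are placeholders;
// a real word list would be loaded from configuration. Requires PHP 7+.

const BLOCKED_WORDS = ['badword', 'otherbadword'];
const BRAND_NAME    = 'examplebrand';

function normaliseUsername(string $username): string
{
    // Item 4: lower-case in PHP rather than in SQL, so the value that is validated
    // and the value that is stored are the same string. MySQL's LOWER() works too,
    // but then the uniqueness check and the INSERT can disagree on case.
    return strtolower(trim($username));
}

function validateCredentials(string $username, string $password): array
{
    $errors = [];
    $user   = normaliseUsername($username);

    if (!preg_match('/^[a-z0-9_]{3,20}$/', $user)) {
        $errors[] = 'Username must be 3 to 20 letters, digits or underscores.';
    }

    // Item 1: one case-insensitive alternation built from the array. preg_quote()
    // stops list entries such as "a.b" from acting as regex metacharacters.
    if (BLOCKED_WORDS !== []) {
        $quoted  = array_map(function ($w) { return preg_quote($w, '/'); }, BLOCKED_WORDS);
        $pattern = '/' . implode('|', $quoted) . '/i';
        if (preg_match($pattern, $user)) {
            $errors[] = 'Username contains a blocked word.';
        }
    }

    // Item 5: the brand name anywhere in the username.
    if (stripos($user, BRAND_NAME) !== false) {
        $errors[] = 'Username may not contain the site name.';
    }

    // Item 2: the password must not contain the username. Compare case-insensitively,
    // because the stored username is lower-cased but the password is not.
    if ($user !== '' && stripos($password, $user) !== false) {
        $errors[] = 'Password must not contain your username.';
    }
    if (strlen($password) < 10) {
        $errors[] = 'Password must be at least 10 characters long.';
    }

    return $errors;
}

// Constructed inputs for a quick run; not real accounts.
print_r(validateCredentials('Alice_99', 'correct horse battery'));
print_r(validateCredentials('examplebrand_admin', 'examplebrand_admin1'));
```

Two caveats. A substring word list rejects innocent names that happen to contain a blocked word, so expect to maintain an allow list alongside it; anchoring the pattern with word boundaries reduces false positives but lets "badword_99" through. And on the "Duplicate entry '' for key 'username'" error in the entry of 9 August above: a MySQL UNIQUE index permits any number of NULLs but only one empty string, so declaring the column as username VARCHAR(20) NULL with a UNIQUE index and inserting NULL (not '') at registration keeps the database-level uniqueness guarantee without the error.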
  13. Hahahaha, it's working, it's working! I used:
    $q = "UPDATE user SET username=?, pass=?, activation_code=NULL, registration_date=NOW() WHERE (email=? AND activation_code=?) LIMIT 1";
    $stmt = $mysqli->prepare($q);
    $stmt->bind_param('ssss', $username, $password, $email, $activation_code);
    $stmt->execute();
  14. Realised I made a mistake on some of the syntax:
    $q = "UPDATE user SET username='$username', pass='$password', activation_code=NULL, registration_date=NOW() WHERE (email='$email' AND activation_code='$activation_code') LIMIT 1";
    Here is my statement, so how do I set this up in OOP prepared statements? I can't find anything to help me with this. I've written the code without prepared statements and it works, so the query is correct, but I would really like to know how to get this statement prepared. Any ideas?
  15. Still stuck with this:
    $q = "UPDATE user SET username=?, password=?, activation_code=?, registration_date=? WHERE (email=? AND activation_code=?) LIMIT 1";
    //$q = "UPDATE user SET username=$username, password=$password, activation_code=NULL, registration_date=NOW() WHERE (email=$email AND activation_code=$activation_code) LIMIT 1";
    $stmt->bind_param('ssssss', $username, $password, NULL, NOW(), $email, $activation_code);
    My bind statement is not working. I can't find many examples online of how to do this kind of statement; anyone have any idea? How do I handle the NULL and NOW()?
  16. I think I may know part of the answer: we substitute ?s in for the variables used in the $q part, then include more letters in bind_param? What about NULL and NOW()?
  17. I am not sure how to write the code for an OOP prepared UPDATE statement or how to write bind params. Does anyone know how to do it for the set of code I have below?
    $q = "UPDATE user SET username=$username, password=$password, activation_code=NULL, registration_date=NOW() WHERE (email=$email AND activation_code=$activation_code) LIMIT 1";
    // Prepare the statement:
    $stmt = $mysqli->prepare($q);
    // Bind the variables:
    $stmt->bind_param('ss', $email, $activation);
    // Execute the query:
    $stmt->execute();
    I have an error showing on my script now: Fatal error: Call to a member function bind_param() on a non-object. I thought prepared statements would be better on INSERTs only, or am I wrong? I thought they were more secure than just using regular statements. But I think, if you have already INSERTed the data with a prepared statement, is it necessary?
  18. That's a very brief question; how are we supposed to know that, considering we have no idea even what your website is or what its functions must be?
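For the bind_param() question running through posts 13 to 17 above, an added example that is not the poster's code: NULL and NOW() are SQL expressions, so they stay in the statement text and only the four user-supplied values get placeholders. It also checks the return value of prepare(), because a prepare() that fails (wrong column name, unbalanced quote) returns false, and the "Call to a member function bind_param() on a non-object" error is simply the next line calling a method on that false. It assumes PHP 7.1 or later, an open mysqli connection in $mysqli, and the user table columns named in the posts; $passwordDigest is whatever the caller's hashing step produced.

```php
<?php
// Added example, not the poster's code. Assumptions: PHP 7.1+, open mysqli
// connection $mysqli, table `user` with columns username, pass, activation_code,
// registration_date and email. $passwordDigest is the already-hashed password.

function activateAccount(mysqli $mysqli, string $username, string $passwordDigest,
                         string $email, string $activationCode): bool
{
    // NULL and NOW() are part of the SQL, not data supplied by the user, so they
    // are written into the statement. Only the four user-controlled values get a
    // ? placeholder, which is why the type string has exactly four letters.
    $sql = 'UPDATE user
               SET username = ?, pass = ?, activation_code = NULL, registration_date = NOW()
             WHERE email = ? AND activation_code = ?
             LIMIT 1';

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        // A wrong column name or unbalanced quote makes prepare() return false.
        // Calling bind_param() on that false is the
        // "Call to a member function bind_param() on a non-object" fatal error.
        error_log('prepare failed: ' . $mysqli->error);
        return false;
    }

    // Order matters: the type letters, then the variables, in the order of the ? marks.
    $stmt->bind_param('ssss', $username, $passwordDigest, $email, $activationCode);

    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        $stmt->close();
        return false;
    }

    // affected_rows is 1 only when a row matched both the e-mail and the code.
    // 0 means an unknown e-mail, a wrong code, or a code already used (set to NULL).
    $activated = ($stmt->affected_rows === 1);
    $stmt->close();
    return $activated;
}

// When a column must sometimes be NULL and sometimes a value, bind a PHP variable
// that holds null: mysqli sends SQL NULL for it regardless of the type letter.
function setActivationCode(mysqli $mysqli, string $email, ?string $code): bool
{
    $stmt = $mysqli->prepare('UPDATE user SET activation_code = ? WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $code, $email);   // $code === null -> activation_code = NULL
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Two notes. Calling mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) once at start-up makes mysqli throw a mysqli_sql_exception instead of returning false, which replaces the manual checks above with a single try/catch. And on the question in post 17 of whether prepared statements matter only for INSERTs: placeholders protect any statement that carries user-controlled data, and here the WHERE clause takes two such values (the e-mail and the activation code), so an UPDATE or SELECT built by string interpolation is just as injectable as an INSERT.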
  19. Edward

    My Project Diary

    Thanks for that; I hope you will continue to enjoy reading my project diary. It is the first time I have written any code; I am really looking forward to working on sessions and cookies as soon as this registration/activation part is cleared up.
  20. Edward

    My Project Diary

    Just fixed the objects problem with fetch_object():
    // Retrieve user first name from database.
    $q = "SELECT first_name FROM user WHERE email='$email'";
    $result = $mysqli->query($q);
    $row = $result->fetch_object();
    $first_name = $row->first_name;
    Hmm, the two hidden values can be viewed by looking at the document source in the form; that may not be safe for some things.
  21. Just wanted to say thanks, Larry, for helping me out with the right advice; it really helps with a point in the right direction. I have the transactions part in my script all working now. Thanks very much, that was really great of you.
  22. Thanks, I'll work on that now. Thanks for the 5 warning points; that looks good under my post count. I noticed there was no error class on the warning points either; the colour is still navy and didn't change to red.
  23. I found this Object-Oriented Style: bool mysqli::multi_query ( string $query ). I am putting the info into the database for two tables of a registration form. I am worried this query is not safe; how should this be done? Is there a prepared statement way, or is a stored procedure a better solution?
  24. Hope you can help me with this one; I need some advice. I have information that needs to go to MySQL, but it needs to go into two tables. I did make two prepared statements in OOP which worked out fine, but I know this is not a good way: say one goes in successfully, then I get an error on the 2nd; I would have had half the data and a messy database. What is the best way to do this, use a stored procedure? Table joins are only for reading data, is that true? Or should I use a transaction with rollback?
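An added example for the post above (not the poster's code): the same first-name lookup with the e-mail bound as a parameter instead of interpolated into the query, plus one way to treat values that come back from hidden form fields. It assumes PHP 7.1 or later, an open connection in $mysqli, and a user table with first_name and email columns; the 32-hex-character activation-code pattern is an assumption based on the code value shown in the diary entry of 8 August.

```php
<?php
// Added example, not the poster's code. Assumptions: PHP 7.1+, open mysqli
// connection $mysqli, table `user` with columns first_name and email.

function firstNameForEmail(mysqli $mysqli, string $email): ?string
{
    // The e-mail is bound, so a value such as  x' OR '1'='1  is compared as a
    // literal string instead of being parsed as part of the SQL.
    $stmt = $mysqli->prepare('SELECT first_name FROM user WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    // bind_result() works on every mysqli build; get_result()/fetch_object() on a
    // prepared statement need the mysqlnd driver.
    $stmt->bind_result($firstName);
    $found = ($stmt->fetch() === true);
    $stmt->close();
    return $found ? $firstName : null;
}

// Hidden inputs travel in the request like any other field, so the person at the
// browser can read them in the page source and change them before submitting.
// Validate them exactly like visible fields, and let the database row (the UPDATE
// that matches both e-mail and code), not the form, decide whether the activation
// is genuine.
function postedField(string $name, string $pattern): string
{
    $value = $_POST[$name] ?? null;
    if (!is_string($value) || !preg_match($pattern, $value)) {
        throw new InvalidArgumentException("Missing or malformed field: $name");
    }
    return $value;
}

// Usage in the activation handler (assumed field names and formats):
//   $email = postedField('email', '/^[^@\s]{1,64}@[^@\s]{1,255}$/');
//   $code  = postedField('activation_code', '/^[a-f0-9]{32}$/');
//   $name  = firstNameForEmail($mysqli, $email);
```

Hidden fields are a convenience for carrying state between the e-mail link and the form, not a secret: the activation code is the only thing that authenticates the request, so it should be long, random and single-use, and the e-mail address in the field should be treated as a claim to be checked against the row, never as proof of identity.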
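For the two-table question in posts 23 and 24 above, an added example that is neither the poster's code nor the book's: both INSERTs run as prepared statements inside one transaction, so a failure on the second undoes the first. It assumes PHP 7 or later, InnoDB tables user (user_id INT AUTO_INCREMENT primary key, email, activation_code) and user_profile (user_id, first_name, last_name), all placeholder names, and an open connection in $mysqli.

```php
<?php
// Added example, not the poster's code. Assumptions: PHP 7+, InnoDB tables
// `user` (user_id INT AUTO_INCREMENT PRIMARY KEY, email, activation_code) and
// `user_profile` (user_id, first_name, last_name); placeholder column names;
// an open mysqli connection in $mysqli.

function registerUser(mysqli $mysqli, string $email, string $activationCode,
                      string $firstName, string $lastName): int
{
    // Make every MySQL error an exception so one catch block sees all of them.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $mysqli->begin_transaction();
    try {
        $stmt = $mysqli->prepare('INSERT INTO user (email, activation_code) VALUES (?, ?)');
        $stmt->bind_param('ss', $email, $activationCode);
        $stmt->execute();
        $stmt->close();
        // AUTO_INCREMENT id of the row just inserted on this connection; it is the
        // foreign key for the second table.
        $userId = (int) $mysqli->insert_id;

        $stmt = $mysqli->prepare(
            'INSERT INTO user_profile (user_id, first_name, last_name) VALUES (?, ?, ?)'
        );
        $stmt->bind_param('iss', $userId, $firstName, $lastName);
        $stmt->execute();
        $stmt->close();

        // Reached only if both INSERTs succeeded; now both rows become visible.
        $mysqli->commit();
        return $userId;
    } catch (mysqli_sql_exception $e) {
        // Duplicate e-mail, lost connection, rejected profile row: whatever failed,
        // the first INSERT is undone as well, so no half-registered account remains.
        $mysqli->rollback();
        throw $e;
    }
}
```

Three points that answer the questions in the two posts. The transaction only works if both tables use a transactional engine (ENGINE=InnoDB); MyISAM silently ignores BEGIN, COMMIT and ROLLBACK. multi_query() takes a single string and has no placeholders, so every value would have to be escaped into the SQL by hand, and it still runs the statements one after another with no atomicity, which is why it does not fit here. A stored procedure can hold the same transaction on the server side, but it is called from PHP with bound parameters in exactly the same way, so it moves the logic rather than removing the need for prepared statements. Joins are indeed the read side: they combine rows from several tables in a SELECT, while writes across tables are what transactions are for.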