Larry Ullman's Book Forums



Everything posted by Matt

  1. Thanks for the help Larry! I had another question. I have been putting my ajax files in the "inc" directory, and since I added the .htaccess file to prevent directory browsing, a side consequence of this is that I can't call the ajax files with javascript any more. What I did was create another directory called "ajax" and put all the php files for handling ajax requests in there. Is this the best way to fix this problem? What do you recommend doing in this situation? Thanks again, Matt
  2. Larry, Sorry to keep bombarding you with posts, but I just wanted to post one more time to show you my code for the contact form. I have taken your code and added a few other checks to make it more secure. You know I am very strict about security (as you are), and I want this form to stop any kind of attack, while at the same time being easy to use. Please take a quick look at it and if you have any suggestions or advice, please let me know. <?php require('config.inc.php'); require(SITE_FUNCTIONS); $model = array( 'errors' => array() ); if ($_S
  3. Larry, Thanks for the advice! I implemented your spam_scrubber() function and everything works great! Also, the http_status_codes are useful in that I can listen for a failure in my ajax callback and react accordingly. I suppose I could also have done this by sending back a boolean and using a conditional in the success handler to decide what to do, but it does allow very precise control over how to handle different types of errors. Also, have you heard of ReCAPTCHA? HartleySan told me about it the other day and it looks pretty amazing! I would still validate everything, but it
  4. @Jonathan, Thanks for the response! I had a question about phpMailer, does it do any sanitizing for the headers to remove spam? I have heard that it is "safer" than using the standard mail() function, so I was wondering what it does besides having built in support for SMTP that makes it better. Thanks @Larry, You are right about IPs getting blacklisted. I was doing a few tests with my GlobeDomain account and tried to send mail to my outside mail accounts. Almost all of them blocked the email completely (gmail did accept it, but put it in the "spam" folder). This is totally unac
  5. Larry, Thanks for the response! I did some research on the subject, but I just want to clarify. 1. SMTP is what I should be using for all email on my site. 2. I should outsource all my email handling to a site like Mandrill (both mail sent to users when they register or change their password, as well as mail sent to the admin account on my site when a user completes the contact form). 3. I should definitely use a professional mailer script like Zend/mail or PhpMailer. Thanks for any help or advice you can give! @Jonathan, Thanks for recommending Mandrill. I looked
  6. Larry, Sorry for not giving more information about the error. Basically, when I was testing the ajax script, there were some bugs that were causing it to fail certain conditionals. When that happened it was sending the appropriate error message back as json data as well as the http_response_code. In the javascript console it would display an error like the following: Error with contact_form.php 403 (forbidden) Is it normal for this to be displayed in the console upon sending an http_response_code for an error? As far as the spam_scrubber, I was looking at the code for email.php
  7. Larry, I created the .htaccess file you provide on page 70. I put it in the includes directory and it does prevent browsing the directory, however I am also getting an error: You don't have permission to access /inc on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Why is it giving an error? I don't want it to handle the request. I want it to not allow people to browse the directory. Is there anything I can do to stop this? Thanks, Matt
  8. Larry, Thanks for the help and sorry for the late response! I started working on the contact form and using the http_response_codes. They seem to work fine, but when the script fails, it displays an error in the console window showing the error and the ajax script which failed. Is this what is supposed to happen? The average user won't see it, but it is still showing an error which bugs me. Also, I am trying to follow all the modern best practices for implementing the form, as contact forms are a very popular attack vector. It seems like the sanitization people use is all over
  9. Jonathan, Thanks for responding! Ok, then I will probably go with phpMailer then. Also, I know this might sound like a ridiculous question, but is it ok to use the regular mail() function for a contact form? The reason I ask is that the email will not be sent to a user, and doesn't need any fancy formatting, so I thought it was probably just fine for that. I thought that there is no way security can be breached because I am formatting the mail in php and it will be sent to the admin (myself). Also, when I was looking into phpMailer, almost every tutorial shows it using SMTP. I started
  10. Larry, I am looking into using a good php mail library/framework and am thinking about using Zend Mail. However, the instructions you gave for installing it with Composer are great, but only for a local server environment. How do I set this up on a hosted production server? Also, I have heard good things about PHPMailer. What is your impression of it? I want to send both plain text and HTML embedded emails. I would really like to stay away from setting up complex dependencies on any preinstalled modules on the server. A stand alone class package that I could download and install myself
  11. Larry, Thank you for the clear and well explained answer. By sending back the response codes, I am assuming that I can then display very specific error messages that are also styled for that error. Sorry Larry, I wrote that last question quickly and didn't word it correctly. I was absolutely going to do error checking with php and just forgot when I was writing the post that the ajax script has to do error checking along with the unobtrusive version of the page. What I wanted to know is if it's better to just do all the error checking in the ajax script and send back the correspon
  12. Larry, I know this probably belongs in the Javascript forum as it involves AJAX, but because it focuses on HTTP Status Codes, I just decided to put it here instead! I was doing a quick search for "Contact Form" scripts because I wanted to see what the new trends were for submitting them and handling errors and I came across a good tutorial from Treehouse. I noticed that they were setting HTTP response code headers before sending the response back to the client. Here is the AJAX script: <?php // Only process POST requests. if ($_SERVER["REQUEST_METHOD"] == "POST") {
  13. Larry, I am creating an "account settings" page and I had a design implementation question about it that had to do with these forums, and after talking with Hartleysan about it he suggested that I write a post here and get your thoughts. Basically, I am creating a page where a user can change their email, password, or other private information all in one form just like the account settings page in this forum. I modeled mine almost exactly like this one! All fields are blank until filled in and when they click the submit button, the sections that are filled out will get processed, and i
  14. Antonio, I do agree with you about the abstractions! It definitely cleans up the code when functionality is organized that way. I am not opposed to using a little OOP on a web site for this very purpose. It is why I made the Session class (which really isn't true OOP, but a namespaced set of static functions). Also, I am still not completely sure I know what you mean about the Sorter not accepting an object that doesn't implement the interface. How does the sorter know this? What I thought was that if the object you pass doesn't have the functions defined by the interface (i.e. it doesn't impl
  15. Antonio, Sorry it took me so long to respond. I was very busy recently with work! Thank you for your detailed response, but I was a little confused about the following: So you mean to say that some object that you pass to the Sorter class should implement an interface so that we know that it can be sorted? I could see that being done in some large company where there are a lot of developers and rules need to be enforced, but why on earth would you want to do that with a small web site? And how does the Sorter class even know that you implemented the interface? Correct me if I'
  16. Antonio, Sorry for not responding yet! I have been pretty busy and I wanted to think about what I wanted to say before leaving a reply. I am enjoying the discussion too! I will write soon! Matt
  17. Antonio, Thanks for the detailed response. I understand most of what you said but I did have a couple of questions. I am a little confused here. I thought an interface was just a programming structure used to enforce certain properties on a class. It isn't an object, and it isn't a class either. That being the case, why would you want to pass one to a sorter? Sorry to sound so naive, but things have gotten much more complicated with OOP in recent years! I know what you're saying, but the site that Jon and I are making isn't Amazon.com, where we have a huge team of devel
  18. I found an error in this guy's class! If you look at the _read() function, it is first checking if the $key exists in the session. Then it calls the _age() function just before reading the session variable. Normally this is fine, but if the session has gone past its age limit, the _age() function calls the destroy() function, which destroys the session. Then, when it reaches the point where it tries to read the session variable, it will give an error saying it can't find the variable blah, blah. I discovered this by accidentally hardcoding the $SESSION_AGE to 30, then I was always gett
  19. Larry, Thanks for the kind reply! I have done more research and I had a couple of questions: 1) The properties/functions are all static, but should I change them into non-static properties/functions where the class has to be instantiated before using it? Antonio said before that using "static" classes is bad, and I have read that on many sites as well, as you are doing nothing more than creating a namespace for the static properties and functions so they don't crowd the global namespace. However, it just seems that a static class is the cleanest thing to do here. There is only
  20. As per the previous topic on Session Best Practices, I have put together a class that I believe is the simplest, most comprehensive, and secure I have ever seen on the web or in books! It is an amalgamation of a session class I found on Github here: https://gist.github.com/Nilpo/5449999 and the session security functions Hartleysan wrote. I also added a few other things as well! It uses static functions, so it doesn't have to be instantiated. To use it, just call the start() function with the following, optional, parameters: Session::start(boolean $regenerate_session_id = false, int
  21. Everyone, I am going to start a new topic and post the final version of the Session class. Matt
  22. Antonio, Thanks for your input on this! I just had a couple of questions: I'm curious why you would separate session handling functionality into a separate class? A while back, when Jon and I were researching session best practices, I looked at the way (I think it was Zend) a framework was handling sessions, thinking that I could just copy over some code. I was absolutely shocked! It used not 1, not 2, NOT 3, NOT 4, but 5 classes to handle sessions! I know it's a framework, and almost all frameworks by their very nature are pieces of bloatware that are designed to handle nume
  23. I finally got around to start writing a session manager class using Jon's functions. While I do have a lot of OOP experience, this is the first class I've written in PHP. I wrote it in about 5 min., so there are probably some bad practices/errors here! If anyone wants to use it, or make improvements to it, by all means, please do! <?php class SessionManager { private $SESSION_DIR = 'd79252d7dea8e2812b4ebf29ffc603ed\\'; private $SESSION_NAME = 'f7eac143c2e6c95e84a3e128e9ddcee6'; static function session_init($regenerate_session_id = true, $secure_cookie
  24. Also, just in case you are not aware of this, when you perform the update and none of the values have changed from those previously stored in the database, the query will return 0 for the number of rows affected! The best way to check that the update was successful is to test if the execute statement returned 'true'! if (!mysqli_stmt_execute($stmt)) { $errors['system_error'] = 'There was an error updating the database. Please try again.'; }