Larry Ullman's Book Forums

Matt

Everything posted by Matt

  1. Laurent, maybe I can help with this as I've recently created a massive update form based on a registration form that HartleySan wrote for the same site. First of all, when the user accesses the page, the form needs the previous values already stored in the database. The way HartleySan and I go about this is like this: if ($_SERVER['REQUEST_METHOD'] === 'POST') { Assign $_POST values to variables and validate them. ex.) $email = $_POST['email']; if (empty($errors)) { update the database } else { Get the original values from the database and assign th
  2. Larry, Thanks for your response! What do you mean that output buffering is built into php by default? Do you mean that in php 5.5 we don't have to use ob_start() to prevent headers already sent messages? I agree with you about writing better code, and I'm not trying to make you angry, but we were erm... using your code. I wrote a comment because I got the same error as 100yen. However, in many cases I think that preventing the headers already sent error leads to "worse code" because most of the time you have to re-factor everything with a half-ass solution to get around it! I'm so
  3. Larry, I also get tired of dealing with the "headers already sent" stuff! Is there any problem using ob_start() at the beginning of every page to just get around all this? If there isn't, then why isn't it just built into php by default? Thanks, Matt
  4. Laurent, Glad you were able to figure it out! I have been through the same frustrating situations as you many times and it always comes down to some careless oversight (and it's usually the last place you think the problem is too). Setting the correct column type and length for a field storing a hashed password is very important if you want to get back the same value that you originally put in the database. Enjoy the rest of the book! Matt
  5. Laurent, This is Larry's code verbatim, and I know it works, so the problem could be with how the password is originally stored. Do you have the pass field set up as a varchar (255)? Are you using Larry's code (i.e. the BCRYPT algorithm) to store the password? Also, what version of php are you running? Matt
  6. Antonio, Thank you very much for the informative advice! I agree with you that obscuring the id doesn't do anything to improve security and will use more processing to encode/decode it. In our case, only paid customers can "add" users, so users can't add other users. Also, there is a limit to the number of users a customer can add, so that won't cause any problems. Thanks again, Matt
  7. Larry and Antonio, Thanks for the nice comments, but I think Jon deserves almost all the credit for it right now. He built the site (quite quickly I must add) and wrote the first post, but I did provide feedback and support. My biggest contribution was probably acting as the initial inspiration for it as I was tired of going to S.O. and other sites looking for answers to certain web related questions, only to read a myriad of half informed, or downright wrong responses to the topic. You know the kind of people who, when the OP asks something about mysqli, some arrogant a-hole tells h
  8. Larry, I just had a quick question. I remember you saying that it is not recommended to show a user's ID on a page, but I was wondering why this is so bad? If you have taken the necessary precautions like validation, using prepared statements, aren't concatenating strings in queries, etc... then there is absolutely no way that a user could do anything to manipulate his record in the database. Second, I think that in certain situations displaying the user's ID (or at least a unique ID that can be connected to that user) is almost necessary. For the site Jon and I are working on now, cus
  9. Jon, Thanks for the hard work you have done with this! The functions look great and include most of the best security practices for dealing with sessions. I only had one question regarding the session_init() function. Why did you leave out a property for specifying whether the connection is https? You can then use that parameter to set whether the cookie is being sent over https or not like in the Treehouse Blog tutorial. I have read that it is better to explicitly set all the cookie arguments when the session is created and to set HttpOnly to true as it's more secure. What are
  10. This has been a very interesting read! I want to throw my 2 cents in as well, and either of you can correct me if I'm wrong. Even though I have had a lot of experience coding, both of you guys are better coders than me! I love database design and programming as well as the front end, so I tend to spread myself too thin I think. That being said, I have learned a lot from Jon over the past 2 years, and let me tell you, when it comes down to it we are a lot alike in our attitudes towards coding. For one, I agree with Jon that the iterative style of testing is better than throwing a bunch
  11. @Antonio - Thanks for sharing that session component. I agree that using something that already exists, and not completely reinventing the wheel, is the best way to go. I will look at it! I have looked into how some other frameworks handle session management and wasn't too impressed. For example, with the Zend session component, you have to use 3 or 4 classes to do what could easily be done with one. @Jon - Thanks for taking on this endeavor. One thing I wanted to say was that in my research I found that there are a few small things to watch out for when developing your own session
  12. Larry, Thanks for responding to this thread! I have been looking into session security for a couple weeks and have talked to HartleySan about it. I feel that we absolutely should be working to secure sessions as much as possible as these types of attacks are increasing. I read the same thing! Also, because service providers like AOL use shared IP pools, and an IP address can change mid connection, checking for IP addresses is problematic, unless you write a work around for those using AOL, or anyone else using a similar service. As for checking the user agent, I've heard that
  13. Jon, I agree that using a transaction is the best way to do it! Doing all the queries one after the other, and rolling back if any of them fails, makes sense. Also, for non-JS users, doing the whole form in one submission is great. Adding Ajax requests only to the train data is a whole different story, as we would also have to deal with the rest of the form submission separately. What do you think?
  14. I wasn't here for a couple of days and all hell breaks loose! Jon, yes you understood my question correctly! I think I have a solution for the updates. I think you're right about having them in series, but the problem is that if any one query fails, then only certain sections will get updated. This may confuse the user, so I decided it is better to keep track of errors at each step. This way we can rollback if anything fails. Any thoughts? Antonio, please don't worry at all about any misunderstandings. I know you are a great coder and value your input highly! As far as the fo
  15. Thank you for the advice guys! I really appreciate it! The next problem I have to deal with is all the nested table updates. Only one uses an actual UPDATE query, but the rest use DELETE/INSERT to update the data (because they are many-to-many relations). Because the user probably won't update data that will affect every table, I can't use mysqli_stmt_affected_rows() to check whether a specific update was successful or not (and move on to the next query). Any thoughts on this? Thanks, Matt
  16. Thank you very much for the responses! @Antonio - I really like the idea of using AJAX to update the train data. If a user is going to add/delete train stations where they can work, in most cases it will only be a relatively small amount as they would have already chosen most of them when they filled out the registration form. The AJAX approach sounds clean and fast (if a check box is unchecked then delete it, and if it is checked then insert it). My only concern with this is that it would still require a non-javascript solution for those who have js disabled. And you are right that we
  17. Larry, Happy New Year! I know my posts are often not directly related to the topics in a particular book, but this one is definitely an "advanced" topic, and one which needs to be dealt with by a credible individual (there are scattered S.O. posts on the subject, but none of which provides a definitive solution for the problem). This is a conundrum that has been bothering me for a while, but I want a best practice for updating a many-to-many table involving check box data. Basically, Jon and I are working on an update form where users can add/delete train stations where they want to
  18. Larry, Thank you very much for the valuable feedback! Feel free to recommend changes if you think it will improve the code! Thanks again! Matt
  19. Larry, Sorry I haven't been on here for a while, but I have been working on a project (with HartleySan) and I have been very busy! I saw the Northeast PHP videos and your presentations were great as usual! I had a question about complicated redirects; since this is kind of an advanced topic, I decided to post it here. I am developing a site where there are customers that register, and they have clients who also register on a separate area of the site. Being very stringent about security, I like to control exactly where different users are allowed to go on the site. If a non-l
  20. Larry, Thank you so much for your advice! I will go ahead and use these in my site design. I just had one last question regarding getting the correct image type. As we know, using $_FILES['type'] to determine a file's correct image type is almost completely useless as it is determined by the browser, and thus, completely able to be overwritten by the user. As such, I wanted to know if it was ok to use getimagesize() to do the same thing? I was thinking of doing something like this: $image_info = @getimagesize($file['tmp_name']); $image_type = $image_info[2]; $valid_types = a
  21. @Jonathan - Yes, I am absolutely using a proxy script! Thank you Larry! That is very reassuring to know that it's not as dangerous as it would seem. Yeah, the article was good, but you're right that it is a little misleading in some places. I had to read a couple of sections twice to understand exactly what he was talking about. He could have given more details on a few of the points to clarify what exactly was going on. I just had a couple more questions about image uploads, and these mainly have to do with folder security and the proxy script. 1) I have read in various plac
  22. Larry, Thank you so much for responding to my post! I know you take security very seriously, and thanks to reading your books, so do I! I think HartleySan probably gets annoyed with my stubborn approach to it sometimes, but nothing can be left to chance. I heard that as of PHP 5.3.0 the Fileinfo extension is installed by default (prior to PHP 5.3.0, it was a PECL extension which had to be installed manually) and my server is using PHP 5.3.13, so it should be fine. Also, I looked more into the image upload security issue and found the following website. It is fairly recent and sh
  23. This might be of interest to many in this forum who want to do image uploads. I am working on a site where users can upload a profile image and I am essentially using Larry's image upload code as written. The site is responsive and has to allow image uploads from smart phones as well. The problem is that when I tried uploading images from my Android phone, I kept getting a "The uploaded file was not of the proper type." error. I then put in an echo statement to display the file type and MIME type and found out that the images had a type of "application/octet-stream" and a MIME of "image/jp
  24. Larry, Thank you for the quick and decisive reply! I always trust your intuition on this sort of thing and I do agree that option 1 is the easiest to implement, query, and maintain (although I might not go as far as to say that it's "normalized", as multiple NULL values are being used to store data). That feedback is always helpful! Thanks again! Matt
  25. Hello everyone, HartleySan and I are working on a web project for a university and my question is about the approach to take for the database design. Basically, the site is designed to help students find tutors for various classes. What happens is that a tutor fills out a profile with basic personal details, as well as price and availability. Students who register on the site can view the tutor's profiles, and when they find one they like, they can click on a "poke" button to send the tutor a request that they are interested in his/her services. Both students and tutors have a contr