Larry Ullman's Book Forums

Posts posted by ericp

  1. In your book, you said that [^aeiou] will match any non-vowel because the caret is a negation operator when used as the first character in the class. However, in the PHP manual (http://php.net/manual/en/regexp.reference.character-classes.php), it says that [^aeiou] matches any character that is not a lower case vowel.

     

    This makes me confused, as I think that [a-z] will match any single lowercase letter and [A-Z] any uppercase letter, or [A-Za-z] any letter in general.

     

    Thanks for your feedback.

    Eric

  2. Hi,

     

    Just a small curious about a note on page 307 regarding this script that says that '... For example, if the query tries to delete the record where the user ID is equal to 42000 (and if that doesn’t exist), no rows will be deleted but no MySQL error will occur. Still, because of the checks made when the form is first loaded, it would take a fair amount of hacking by the user to get to that point.'

     

    Does it mean that the primary key number 42000 would NEVER be generated, by default, for the table in the MySQL platform used with PHP? Or what?

     

    And what can make it easily vulnerable?

     

    Thanks

  3. Okay, my point is that if you want to debug what's going on here, you need to implement the standard PHP-MySQL debugging technique I recommended. The error message you posted is this:

    MySQL error: Unknown column '$pid' in 'where clause'.
    

    That clearly indicates a problem with the query. There's no reason why the literal text $pid should be in the query. 

     

    Now, the thing is, it doesn't matter whose script it is. There's a problem with the query. You may think that there isn't a problem with this script because you downloaded it from my site. And that may be 100% the case. But the query uses information that's established in another script. That other script could be causing the problem. 

     

    Regardless of all that, if you want to debug this, print out the value of the query being run. In fact, the debugging code you added already does this:

    or die("MySQL error: " . mysqli_error($dbc) . "<hr>\nQuery: $q")

    Taking this a step further, if you want help debugging this problem, you'll need to provide to us that query value. Knowing the error message and the actual query being run can illuminate the problem.

     

    Instead of typing $_SESSION['cart'][$pid], I did $_SESSION['cart']['$pid']

     

    That's the reason... and it took me days to find it out.

     

    Thanks for your help.

  4. That would suggest that you're passing the actual value $pid in the query, not the value of the variable $pid. If you apply the standard PHP-MySQL debugging techniques (step 1: print the query being executed), you'll see this is the case.

     

    Thanks, but the point is that I haven't changed anything in your script.

    // Check if the form has been submitted (to update cart)
    if($_SERVER['REQUEST_METHOD'] == 'POST'){
    	
    	// update quantities:
    	foreach ($_POST['qty'] as $k => $v) {
    		
    		// Must be integer
    		$pid = (int) $k;
    		$qty = (int) $v;
    		
    		// Note: '$pid' in single quotes is the literal string "$pid", not the value of $pid
    		if ($qty == 0){ // Delete
    			unset ($_SESSION['cart']['$pid']);
    		} elseif ($qty > 0){ // change quantity
    			$_SESSION['cart']['$pid']['quantity'] = $qty;
    		} //end of IF
    		
    	} // end of foreach 
    	
    } // end of submitted IF
    
    // Display the cart if it's not empty...
    if (!empty($_SESSION['cart'])) {
    	
    	// Retrieve all of the information for the prints in the cart:
    	require ('./mysqli_connect.php'); // Connect to the database.
    	$q = "SELECT print_id, CONCAT_WS(' ', first_name, middle_name, last_name) AS artist, print_name FROM artists, prints WHERE artists.artist_id = prints.artist_id AND prints.print_id IN (";
    	foreach ($_SESSION['cart'] as $pid => $value) {
    		$q .= $pid . ',';
    	}
    	$q = substr($q, 0, -1) . ') ORDER BY artists.last_name ASC';
    	
    	$r = mysqli_query($dbc, $q) or die("MySQL error: " . mysqli_error($dbc) . "<hr>\nQuery: $q");
    	
    // Create a form and a table:
    	echo '<form action="view_cart_19.php" method="post">
    	<table border="0" width="90%" cellspacing="3" cellpadding="3" align="center">
    	<tr>
    		<td align="left" width="30%"><b>Artist</b></td>
    		<td align="left" width="30%"><b>Print Name</b></td>
    		<td align="right" width="10%"><b>Price</b></td>
    		<td align="center" width="10%"><b>Qty</b></td>
    		<td align="right" width="10%"><b>Total Price</b></td>
    	</tr>
    	';
    
    	// Print each item...
    	$total = 0; // total cost of the order
    	while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC) ) {
    		
    		// Calculate the total and subtotal:
    		$subtotal = $_SESSION['cart'][$row['print_id']]['quantity'] * $_SESSION['cart'][$row['print_id']]['price'];
    		$total += $subtotal;
    		
    		// Print the row:
    		
    		echo "\t<tr>
    			<td align=\"left\">{$row['artist']}</td>
    			<td align=\"left\">{$row['print_name']}</td>
    			<td align=\"right\">\${$_SESSION['cart'][$row['print_id']]['price']}</td>
    			<td align=\"center\"><input type=\"text\" size=\"3\" name=\"qty[{$row['print_id']}]\" value=\"{$_SESSION['cart'][$row['print_id']]['quantity']}\" /></td>
    			<td align=\"right\">$" . number_format ($subtotal, 2) . "</td>
    		
    		</tr>\n";
    		
    	} // End of WHILE loop
    	
    	mysqli_close($dbc); // Close the database connection.
    	
    	// Print the total, close the table, and the form:
    	
    	echo '<tr>
    		<td colspan="4" align="right"><b>Total:</b></td>
    		<td align="right">$' . number_format ($total, 2) . '</td>
    	</tr>
    	</table>
    	<div align="center"><input type="submit" name="submit" value="Update My Cart" /></div>
    	</form>
    	<p align="center">Enter a quantity of 0 to remove an item.
    	<br /><br /><a href="checkout_19.php">Checkout</a></p>';
    
    } else {
    	
    	echo "<p>Your cart is currently empty!</p>";
    	
    }
    

    And the error still happens. What could I be doing wrong?

     

    Eric
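Worked example for the '$pid' problem traced in posts 3 and 4 above. This is added here and is not the book's view_cart.php; the cart layout (print ID => ['quantity' => n]) and the constructed form input follow the script above.

```php
<?php
// Added example, not the book's view_cart.php: shows why the key written as
// '$pid' (single quotes) breaks the IN (...) list, and a stricter way to build
// that list. Cart layout (pid => ['quantity' => n]) follows the script above.

// Build the comma-separated ID list from the cart keys, keeping only
// positive integers so nothing but digits is ever concatenated into SQL.
function cart_in_list(array $cart)
{
    $ids = array();
    foreach (array_keys($cart) as $key) {
        $id = (int) $key;              // the literal string '$pid' becomes 0
        if ($id > 0) {
            $ids[] = $id;
        }
    }
    if (count($ids) === 0) {
        throw new InvalidArgumentException('cart holds no valid print IDs');
    }
    return implode(',', $ids);
}

// Constructed input standing in for the submitted form; no session needed.
$_SESSION = array('cart' => array());
$_POST['qty'] = array('7' => '2', '12' => '1');

foreach ($_POST['qty'] as $k => $v) {
    $pid = (int) $k;
    $qty = (int) $v;
    if ($qty > 0) {
        // Buggy form: single quotes do not interpolate, so every product
        // lands under the same four-character key "$pid".
        $_SESSION['cart']['$pid']['quantity'] = $qty;
        // Correct form: the integer in $pid becomes the key.
        $_SESSION['cart'][$pid]['quantity'] = $qty;
    }
}

// The script's original loop concatenates each key as-is, so the literal
// "$pid" reaches MySQL unquoted, is parsed as a column name, and produces
// "Unknown column '$pid' in 'where clause'".
$naive = implode(',', array_keys($_SESSION['cart']));
echo "naive IN list:    ($naive)\n";

// The filtered builder drops the bogus key and keeps the real IDs.
echo "filtered IN list: (" . cart_in_list($_SESSION['cart']) . ")\n";
```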

  5. Hi Larry cc all,

     

    I have tried to code the view_cart.php script several times. The error returned says: MySQL error: Unknown column '$pid' in 'where clause'.

     

    I first thought that it was my typing mistake or so. So I later tried copying and pasting your original script 19.10 (view_cart.php) into my site to test it. The same error happened too.

     

    Note:

     

    1/ I added or die("MySQL error: " . mysqli_error($dbc) . "<hr>\nQuery: $q") after the $r = mysqli_query($dbc, $q) to turn on the error message. When I commented it out, the error message returned like this:

     

    Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /home/content/.../view_cart.php on line 55, which means the error happens at while ($row = mysqli_fetch_array ($r, MYSQLI_ASSOC)) {...

     

    2/ I use Linux shared web hosting package at godaddy.com

     

    3/ PHP version: 5.3.21

     

    Your help will be appreciated.

     

    Eric

  6. Hi Larry cc all,

    I totally understand how to create the self-defined error handling function, i.e., my_error_handler, and what the error-reporting levels mean as indicated in table 8.1. However, the question I am still concerned about (and it's still vague to me) is the five arguments $e_number, $e_message, $e_file, $e_line, and $e_vars in the function.

    So, where do the values come from that these variables get, to report by email when errors occur (as I don't see any of them created or defined as a variable normally should be before these arguments/variables are named and added to the function)? In other words, what is the possible debugging information they can get to add to the $message? Or is it set by default in the PHP programming language?

    Thanks and regards,
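An added example (not the book's config.inc.php) answering the question in post 6 above: PHP itself supplies the handler's arguments on every call, so the script never assigns them. The LIVE flag, and logging in place of the book's e-mail report, are assumptions.

```php
<?php
// Added example, not the book's config.inc.php: shows where the handler's
// arguments come from. PHP fills them in itself each time it calls the
// function registered with set_error_handler(); the script never assigns
// $e_number, $e_message, $e_file or $e_line. LIVE is an assumed flag.

define('LIVE', false); // false while developing, true on the public site

function my_error_handler($e_number, $e_message, $e_file, $e_line, $e_vars = null)
{
    // $e_number : the E_* level of the error (E_WARNING, E_NOTICE, E_USER_WARNING, ...)
    // $e_message: the text PHP, or trigger_error(), produced
    // $e_file   : the script file in which the error occurred
    // $e_line   : the line number within that file
    // $e_vars   : every variable in scope at that moment (PHP 7 and earlier;
    //             PHP 8 no longer passes it, hence the null default)
    $message = "An error occurred in script '$e_file' on line $e_line: $e_message";

    if (!LIVE) {
        // Development: show the details. The variable dump is deliberately
        // not printed or mailed; it can contain passwords and session data.
        echo '<p class="error">' . htmlspecialchars($message) . "</p>\n";
    } else {
        // Production: record it server-side (error_log stands in for the
        // book's e-mail report) and show only a generic notice.
        error_log($message);
        if ($e_number != E_NOTICE) {
            echo '<p class="error">A system error occurred. We apologize for the inconvenience.</p>';
        }
    }
    return true; // true tells PHP the error was handled; false would re-raise it
}

set_error_handler('my_error_handler');

// An error raised by PHP: the handler receives E_NOTICE (PHP 7) or
// E_WARNING (PHP 8), PHP's own message text, __FILE__ and the line below.
$settings = array();
$value = $settings['missing_key'];

// An error raised by the script: the same call, with E_USER_WARNING and the
// text given here, as a trigger_error() on query failure would do.
trigger_error('Query failed: constructed example error', E_USER_WARNING);
```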

  7. Hi Larry and all,

     

    Have you ever tried revising the script 19.2 using the Fileinfo extension to validate the file type, for more security improvement?

     

    With my limited knowledge and experience, I failed to create the $temp variable so that I could rename the files later in the script.

     

    Your sharing will be appreciated.

     

    Rgds,

  8. Hi all,

     

    One more thing about this script: I tried to improve it by adding validation code to allow only certain file sizes and types, as script 11.2 in chapter 11 suggests, before moving them to the permanent destination, the 'uploads' folder. It works well!

     

    My concern is whether I should add the else { $temp = NULL; } to the if (is_uploaded_file($_FILES['image']['tmp_name'])) {... or to the if ($_FILES['image']['error'] > 0) {... ? Because the code checks the size errors before the type ones.

     

    Rgds,

  9. Hi there,

     

    Is anyone else having the same issue as me, that the uploaded file is not renamed in the database though I have tried several uploads?

     

    I do not make any changes to the sample code at all.

     

    // Create a temporary file name:
    $temp = './uploads/' . md5($_FILES['image']['name']);

    ...

    // rename image
    $id = mysqli_stmt_insert_id($stmt); // Get the print ID
    rename ($temp, "./uploads/$id");

     

    Your help will be appreciated.

    Regards,

    Ericp

  10. Hi, You could set up an array of allowed file types and check if the file extension is in that array. See this thread.

     

    Thanks, but the variable $array('x','y','z') as in script 11.2, as per your recommendation, is to check the MIME type of the particular files, which the browser can do. What I mean is whether I can apply the Fileinfo extension to the syntax for verifying multiple file types or not?

     

    Would I code if (finfo_file($fileinfo, $_FILES['upload']['tmp_name']) == 'text/x', 'image/JPG') {

     

    or

     

    if (finfo_file($fileinfo, $_FILES['upload']['tmp_name']) == $allowed) {

     

    or what?

     

    Thanks

  11. Hi there,

     

    Can you help me with the script 19.2. please?

     

    The problem is that though I uploaded an image of the allowed size to the uploads folder, which is in the same directory as the add_print.php file, it failed and the error message says 'No file was uploaded.' You can test it here (http://hiteachers.com/add_print.php).

     

    Note: As the uploads folder is on the same level as add_print.php, and I don't create the admin folder either, I changed the path for $temp from '../../uploads/' . md5($_FILES['image']['name']); to $temp = './uploads/' . md5($_FILES['image']['name']); and the rename from ($temp, "../../uploads/$id"); to rename ($temp, "./uploads/$id");

     

    Is it the cause of the problem or what else?

     

    Thanks for your help in advance.

     

    Regards,

    Ericp

  12. Hi,

     

    Regarding script 13.3, which is the more reliable way of confirming a file's type using the Fileinfo extension: I understood it. However, the example script 13.3 I could see shows that the code (... if (finfo_file($fileinfo, $_FILES['upload']['tmp_name']) == 'text/rtf') {...) checks and validates only one type of file, .rtf.

     

    Are there other ways that we can validate multiple types of file using the Fileinfo extension, e.g., .jpg, .gif, .docx, etc.?

     

    Thanks
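One added example serving the questions in posts 7, 8, 10 and 12 above: a multi-type Fileinfo check, the order of the size/upload/type tests, and the $temp naming and later rename. It is not script 13.3 or 19.2 from the book; the $allowed list, size limit and uploads path are assumptions.

```php
<?php
// Added example, not script 13.3 or 19.2 from the book: validates an upload
// against several MIME types with Fileinfo, stages it under a hashed temporary
// name, and renames it to the database ID afterwards. $allowed, the size
// limit and the uploads path are assumptions; the INSERT is the caller's job.

$allowed   = array('image/jpeg', 'image/png', 'image/gif', 'application/pdf');
$max_bytes = 512000;

function validate_upload(array $file, array $allowed, $max_bytes)
{
    // PHP's own verdict first: php.ini size limits, partial or missing upload.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload error code ' . $file['error']);
    }
    if ($file['size'] > $max_bytes) {              // size as the server measured it
        return array(false, 'file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {    // path must come from PHP, not the client
        return array(false, 'not an uploaded file');
    }
    // Type from the content: finfo returns lowercase types such as 'image/jpeg'
    // (never 'image/JPG'); in_array() turns the '== "text/rtf"' test into a whitelist.
    $fileinfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime     = finfo_file($fileinfo, $file['tmp_name']);
    finfo_close($fileinfo);
    if (!in_array($mime, $allowed, true)) {
        return array(false, "type $mime is not permitted");
    }
    return array(true, $mime);                     // array(false, reason) on any failure above
}

// Moves a validated upload to its hashed temporary name; null if rejected, so the rename is skipped.
function stage_upload(array $file, array $allowed, $max_bytes)
{
    list($ok, $detail) = validate_upload($file, $allowed, $max_bytes);
    if (!$ok) {
        echo '<p class="error">The file could not be uploaded: ' . htmlspecialchars($detail) . '</p>';
        return null;
    }
    $temp = './uploads/' . md5($file['name']);     // never the client's own filename
    return move_uploaded_file($file['tmp_name'], $temp) ? $temp : null;
}

// Called once the INSERT has run and $id = mysqli_stmt_insert_id($stmt) is known.
function finalize_upload($temp, $id)
{
    return $temp !== null && rename($temp, './uploads/' . (int) $id);
}
```

In the form handler, call stage_upload($_FILES['image'], $allowed, $max_bytes) when the form posts and finalize_upload($temp, $id) after the INSERT; a null $temp from a rejected file makes the rename a no-op.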

  13. spookie makes a good point. Make sure that the active column in the users table can actually be set to NULL, as that's not possible for columns by default. You may have to alter the active column in the users table to get things working properly.

     

    Also, try echoing out your $q variable to the screen before you execute the query to make sure it's actually what it should be.

    Lastly, try echoing out the value of mysqli_affected_rows($dbc) to see what it is (because clearly, it's not 1).

     

    I can see the root cause now. As I use the godaddy.com hosting service, which requires that the From email address MUST be the hosted domain name. The email address does not necessarily need to exist, but there are SPAM filters on the outgoing emails to prevent SPAM and spoofing.

     

    Eric P

  14. There's an entire chapter/section in the book that talks about using a proxy script to access files stored outside the web directory.

    I personally have never felt the need to store files directly in a DB. Simply storing the path to the actual file outside the web root seems more than sufficient.

     

    But we cannot do this at godaddy.com.

     

    Do you think so?

    Ericp

  15. Hi,

     

    I copied and pasted activate.php.

     

    I indeed received emails with activation links for the first several days.

     

    Now it has stopped working, and I don't know why.

     

    I learned from another post (http://www.larryullman.com/forums/index.php?/topic/1648-chapter-18-registerphp-sendmail/) to add sendmail_path =/usr/sbin/sendmail -t into my .ini file. It still didn't work.

     

    I use:

     

    Linux share host at godaddy.com

    PHP version: 5.3.21

     

    Can you help?

     

    Eric P

  16. Hi all,

     

    This is my code:

     

    <?php // Count the logged in users in the last 600 minutes:

    require ('includes/config.inc.php');
    $page_title = 'Count Logged in users in the last 60 minutes';
    include ('includes/header.html');
    require (MYSQL);

    // Define the query:
    $q = "SELECT COUNT(*) FROM users WHERE last_login > DATE_SUB(NOW(), INTERVAL 600 MINUTE)";
    $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
    $row = @mysqli_fetch_array ($r, MYSQLI_NUM);

    // Count the number of returned rows:
    $num = mysqli_num_rows($r);

    if ($num > 0) { // If it ran OK, display the records.
        echo "<p>There are <strong> $num </strong> active users in the last 600 minutes: </p>\n";

        // Table header:
        echo '<table align="center" cellspacing="3" cellpadding="3" width="75%">
        <tr>
            <td align="left"><b>User\'s First Name</b></td>
            <td align="left"><b>Last Log-In</b></td>
        </tr>
        ';

        // Fetch and print all the records:
        while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {
            echo '<tr>
                <td align="left">' . $row['first_name'] . '</td>
                <td align="left">' . $row['last_login'] . '</td>
            </tr>
            ';
        }

        echo '</table>';

        mysqli_free_result($r);

    } else { // If no records were returned.
        echo '<p class="error">There are no active users in the last 600 minutes.</p>';
    }

    mysqli_close($dbc);

    include ('includes/footer.html');
    exit(); // quit the script

    ?>


    and this is the output: http://hiteachers.com/count_logged_in_users.php

     

    Which returns zero logged in users though it counted 1 (one) active user from the last_login row in the users table.

     

    Can you help me with this?

     

    Thanks
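A reworked version of the count script in post 16, added here and not the poster's or the book's code. It assumes $dbc is an open mysqli connection to the book's users table (first_name, last_login) and keeps the 600-minute window.

```php
<?php
// Added example, not the poster's script: a COUNT(*) query always returns
// exactly one row, so mysqli_num_rows($r) is 1 whatever the count, and the
// first mysqli_fetch_array() call consumes that one row before the display
// loop runs. This version fetches the matching users and counts those.
// Assumes $dbc is an open mysqli connection and the book's users table.

// Returns the users who logged in within $minutes, or false on query failure.
function recent_logins(mysqli $dbc, $minutes)
{
    $minutes = (int) $minutes;            // only an integer ever reaches the SQL
    $q = "SELECT first_name, last_login FROM users
          WHERE last_login > DATE_SUB(NOW(), INTERVAL $minutes MINUTE)
          ORDER BY last_login DESC";
    $r = mysqli_query($dbc, $q);
    if ($r === false) {
        // Keep mysqli_error() in the server log; visitors get a generic notice.
        error_log("Query failed: $q: " . mysqli_error($dbc));
        return false;
    }
    $rows = array();
    while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {
        $rows[] = $row;
    }
    mysqli_free_result($r);
    return $rows;
}

$users = recent_logins($dbc, 600);

if ($users === false) {
    echo '<p class="error">The active-user list is unavailable.</p>';
} elseif (count($users) > 0) {
    // count($users) is the figure to show, not mysqli_num_rows() of a COUNT(*) result.
    echo '<p>There are <strong>' . count($users) . '</strong> active users in the last 600 minutes:</p>';
    echo '<table align="center" cellspacing="3" cellpadding="3" width="75%">';
    echo '<tr><td><b>User\'s First Name</b></td><td><b>Last Log-In</b></td></tr>';
    foreach ($users as $row) {
        // Escape on output: a first name is user-supplied data.
        echo '<tr><td>' . htmlspecialchars($row['first_name']) . '</td>'
           . '<td>' . htmlspecialchars($row['last_login']) . '</td></tr>';
    }
    echo '</table>';
} else {
    echo '<p class="error">There are no active users in the last 600 minutes.</p>';
}
```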
