cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, what's the result of curl_error()?

cereal 1,524 Nearly a Senior Poster Featured Poster

Is there a specific reason for this setup? Some points to consider:

  1. MySQL does not support SOCKS connections, you can create a socket unix file, but it's not the same thing
  2. you will have to set up Tor nodes in both ends: application server and database server
  3. you will have to set up a hidden service in order to generate private & public key in the database server
  4. share the public key in the application server and connect through a Tor client or proxy
  5. latency issues
  6. the database will still be exposed to attacks and if an attacker can access the application server or run SQL injections, then it can track back the database server location
  7. does your hosting allow such setups?

It would be a lot easier to set up an SSH tunnel or to use Tor to serve an HTTP database interface and then use curl to perform CRUD operations, but this will avoid only point one of the above list, the other points will still be valid.

cereal 1,524 Nearly a Senior Poster Featured Poster

Then add error checking to the connection and to the query:

$link = @mysqli_connect($servername, $username, $password, $dbname);

if ( ! $link)
    die('Connect Error: ' . mysqli_connect_error());

# . . .

if( ! $result = mysqli_query($link, $sql))
    echo mysqli_error($link);

If you don't get any error, then post the updated script.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

how did you apply the color to the box? Stylesheets? And if affirmative, did you use a media print stylesheet? For example:

<link rel="stylesheet" href="/styles/print.css" media="print">

And: are you sure the print is not preset to grayscale?

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, you're mixing object $conn with procedural $link and opening two independent connections to the database, if you want to stick with procedural, then change:

$result = mysqli_query($conn, $sql);

to:

$result = mysqli_query($link, $sql);

and then it should work properly.

cereal 1,524 Nearly a Senior Poster Featured Poster

I'm thinking not because I don't really want "smutt" related to my website.

It's probably the same for your other clients, I doubt they would like to be associated with an adult site.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, in practice this is a page that waits for a POST form submission, made by the PayPal service. An example can be found in their GitHub account:

You receive data and send it back to check if it's valid, then you can save it.

Source:

By the way, I prefer using Guzzle instead of cURL, if you want to consider it here's the documentation:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,
check the Process States documentation:

In practice: define the expected exitcodes for the script and then set autorestart=unexpected so that it will restart only when it does not match.

cereal 1,524 Nearly a Senior Poster Featured Poster

By the way, you're missing the $ symbol in the $_POST array:

$blood_typeA = _POST['Blood_TypeA'];
$blood_typeB = _POST['Blood_TypeB'];
$blood_type0 = _POST['Blood_Type0'];
$blood_typeAB = _POST['Blood_TypeAB'];

Should be:

$blood_typeA = $_POST['Blood_TypeA'];

And so on.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

if you have, or can enable, the intl extension then use the IntlDateFormatter class:

Look also at the comments in the documentation page.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

A good point to start to investigate the issue is sale2.php on line 58, can you show us that part of code? I mean: paste the relevant code not just that line.

cereal 1,524 Nearly a Senior Poster Featured Poster

When you use double quotes you can include the variable and this will be expanded to the associated value. The curly braces {$var} are used to write complex expressions when the variable is: an index array, an object or an anonymous function.

A few examples:

# array
$str  = "Hello {$data['name']}";

# object
$str  = "Hello {$data->name}";

# anonymous function
$data = ['name' => 'James'];
$name = function($array) { return $array['name']; };
$str  = "Hello {$name($data)}";

For more information look at the complex syntax examples in the documentation:

cereal 1,524 Nearly a Senior Poster Featured Poster

@Natsu123 please reply with a post, not with comments. Can you show the table schema for T_school? In practice run:

show create table T_school;

And return the output here.

cereal 1,524 Nearly a Senior Poster Featured Poster

Not tested but try:

$sql = <<<EOD
INSERT INTO T_Student(Name, Surname, Street, City, F_ID_Teacher) VALUES('$Name', '$Vorname', '$Strasse', '$Plz', '2');
SET @id = last_insert_id();
INSERT INTO T_Class(Subjekt, Number, F_ID_Student) VALUES('', '', @id);
INSERT INTO T_School(Name, Street, City, F_ID_Student) VALUES('', '', '', @id)
EOD;

Here the student id is retrieved by the second query which sets a variable @id and returns the value in the following queries. It works if the student id is an auto_increment column type.

More information about the heredoc syntax:

Natsu123 commented: sry I take it back it worked but only with T_Student and T_Class. T_school didn't work +0
cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, PHP does not have a $_PUT method (unfortunately) so, in order to accept such input you have to listen for stdin streams. The following documentation explains how you can upload a file through this method:

Apart from this solution, some frameworks and APIs use fake PUT (and DELETE) requests, which are usually POST requests, check for example the implementations on the old Dropbox API or in Laravel.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

if you want to return the value of a variable then use double quotes, if you want to return plain text, then use single quotes.

For more information check the documentation:

cereal 1,524 Nearly a Senior Poster Featured Poster

i have deleted them and placed my files there. Maybe its because of them ?

This should not affect the execution of your scripts or the connection, in general, to the database.

So i need to pay for my account to use 000webhost ?

No, unless you want to connect directly to the database from another host (i.e. localhost, or another web hosting service).

Also i had on the same server other files and it was working good.. so now when im uploading this new files that error appear.

This confuses me: the error reported in your first post returns a Macedonian IP address, which means the connection attempt was executed from a script on a computer in Macedonia, not from a 000webhost machine.

If $DBServer is a 000webhost database and the scripts are executed in a 000webhost hosting then you may want to ask their support or their forums for help.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, supposing 31.170.161.176 was your IP address, you cannot connect directly from your computer to the 000webhost MySQL server because remote connection is disabled, unless you upgrade your account:

It means that, with the basic plan, they only allow connections to the databases from a defined range of IPs: their hosting machines. So in order to work, you have to upload the script to the 000webhost web server and run it from there, not from your local installation.

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, which error? Can you be more specific?

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

it should be possible, try by decoding the json data to array and use array_column(), see the examples in the documentation:

If you need more help, open a new thread, bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, this should work:

public function upload_multi()
{
    $config['upload_path']   = FCPATH . 'uploads/';
    $config['allowed_types'] = 'gif|jpg|png';
    $config['remove_spaces'] = TRUE;
    $config['encrypt_name']  = TRUE;
    $config['max_size']      = '10000';
    $config['overwrite']     = FALSE;

    $this->load->library('upload', $config);

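    # results, initialised so the print_r() calls below never hit an undefined index
    $upload = array('data' => array(), 'errors' => array());

    # upload
    foreach($_FILES as $key => $value)
    {
        if($value['error'] == 0 && $value['size'] > 0)
        {
            # do_upload() returns FALSE when the file fails the $config rules
            if($this->upload->do_upload($key))
                $upload['data'][$key] = $this->upload->data();
            else
                $upload['errors'][$key] = $this->upload->display_errors('', '');
        }

        else
            # @see http://php.net/manual/en/features.file-upload.errors.php
            # and also if: (size == 0 && error == 0) then file is empty
            $upload['errors'][$key] = "Error: {$value['error']}";
    }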

    print "<hr>";

    print '<h3>$_FILES:</h3>';
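    # escape the dumps: the file names in $_FILES are supplied by the client
    print "<pre>" . htmlspecialchars(print_r($_FILES, true)) . "</pre>";

    print "<h3>Upload data:</h3>";
    print "<pre>" . htmlspecialchars(print_r($upload['data'], true)) . "</pre>";

    print "<h3>Errors:</h3>";
    print "<pre>" . htmlspecialchars(print_r($upload['errors'], true)) . "</pre>";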
}

The $upload array will hold the data for each uploaded image and eventual errors. (And will probably work also for the previous question, not sure what I was thinking when answered...).

Bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

first of all, you have to run $this->load->view('page', $data); in your method controller. Also could you indent your code of the view page?

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

you can use the Form helper, like in the documentation example:

Otherwise you can use custom code. Have you tried to write some code? Show it to us, so we can suggest how to fix it, bye.

cereal 1,524 Nearly a Senior Poster Featured Poster

It was $rows not $row, the variable was overwriting itself, anyway to avoid confusion do:

$sql  = "SELECT * FROM admin WHERE username = '$username'";
$rows = query($sql);

if(is_array($rows) && count($rows) == 1)
{
    $row = $rows[0];
mexabet commented: Nice tip! +3
cereal 1,524 Nearly a Senior Poster Featured Poster

If the functions.php file is included by the config.php file then try:

$rows = query($rows);

It should work and return an associative array.

cereal 1,524 Nearly a Senior Poster Featured Poster

I was talking about these lines:

// query database for user
$rows = "SELECT * FROM admin WHERE username = '$username'";
// if we found user, check password
if (count($rows) == 1)
{
    // first (and only) row
        $row = $rows[0];

In this case $rows is not a result set, it's only a string and if you do $row = $rows[0]; the contents of $row will be S, i.e. the first letter of the string. You have to submit the query to your function and return the result set, after that you can execute the rest of the code.

cereal 1,524 Nearly a Senior Poster Featured Poster

Oops! I forgot to complete the command:

sudo ln -s $PWD/pyinstaller.py /usr/bin/

Bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

You are not executing the query:

$rows = "SELECT * FROM admin WHERE username = '$username'";

Where is the execute()?

Besides, the IF statement will fail because the crypt() function will generate a different hash each time you run it. So change line 30 to:

if (password_verify($_POST["password"], $row["hash"]))

It's better to use password_hash() instead of crypt(), it will generate strong hashes. More info here:
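
An added example (not part of the original post) of the check discussed above: because every `password_hash()` call uses a fresh salt, re-hashing the submitted password and comparing strings never matches, while `password_verify()` does. The `authenticate()` and `naive_compare()` helpers, the dummy hash for unknown users and all sample values are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Passwords and rows are constructed.

// Verified against when the username is unknown, so a miss costs the same
// work as a wrong password and does not reveal which accounts exist.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

// The mistake described in the post: hash again and compare the two strings.
function naive_compare(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, password_hash($password, PASSWORD_DEFAULT));
}

// $row is the result of the user lookup: ['hash' => '...'] or null if no user.
function authenticate(?array $row, string $password): array
{
    $hash = $row['hash'] ?? DUMMY_HASH;

    // password_verify() reads algorithm, cost and salt from the stored hash
    $ok = password_verify($password, $hash) && $row !== null;

    return [
        'ok'     => $ok,
        // true when the stored hash uses weaker settings than the current default
        'rehash' => $ok && password_needs_rehash($hash, PASSWORD_DEFAULT),
    ];
}

// Constructed rows standing in for the admin table
$current = ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)];
$legacy  = ['hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])];

var_dump(naive_compare('correct horse', $current['hash'])); // right password, still no match
var_dump(authenticate($current, 'correct horse'));          // accepted
var_dump(authenticate($current, 'wrong guess'));            // rejected
var_dump(authenticate(null, 'correct horse'));              // unknown user, rejected
var_dump(authenticate($legacy, 'correct horse'));           // accepted, flagged for re-hash
```

When `rehash` is true, store a new `password_hash()` of the submitted password after the successful login.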

cereal 1,524 Nearly a Senior Poster Featured Poster

@rookhaven

you can use special characters, but you have to escape them, for example instead of:

mysql -uroot -pabc!def

do:

mysql -uroot -pabc\!def

and it will work, bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

if you haven't found a solution, could you show the Product model and the table definition?

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

you should not need the win32 version, just download the archive to a specific path, for example ~/sources/, extract and create a link to /usr/bin/ so that the script is available through the system:

wget https://github.com/pyinstaller/pyinstaller/releases/download/v3.1/PyInstaller-3.1.tar.gz
tar -zxf PyInstaller-3.1.tar.gz
cd PyInstaller-3.1
sudo ln -s $PWD/pyinstaller.py
pyinstaller.py -h | less

And you have finished. Also, instead of the Windows IDLE you can install the Linux version, just run:

sudo apt-get install idle -y
idle &

Bye!

Gribouillis commented: Thanks for sharing ! +14
cereal 1,524 Nearly a Senior Poster Featured Poster

If you're using PHP 5.5+ then you could use array_column with implode(), for example:

<?php

// example contents
$_POST['data'][] = ['a' => 1];
$_POST['data'][] = ['a' => 2];
$_POST['data'][] = ['a' => 3];
//

$data = $_POST['data'];
$data = implode(' ', array_column($data, 'a'));

print $data;

That will print 1 2 3. Docs: http://php.net/array-column

diafol commented: Nice +15
cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

you could use the Nowdoc syntax, I prefer it because the code is more readable, but it's your choice, an example:

<?php

$id      = rand(1,1000);
$name    = 'MissMolly';
$email   = 'email@email.tld';
$request = <<<'EOD'
<?php
    $to      = "%1$s";
    $subject = "Invoice Request";
    $message = "%2$s is requesting %3$d quote";
    $headers = "From: %1$s\r\n";

    mail($to, $subject, $message, $headers);
    unlink(__FILE__);
?>
<h1>Invoice Being sent asap</h1>
EOD;

$request = sprintf($request, $email, $name, $id);
$myfile  = fopen('clients/' . $name . '.php', 'w');
fwrite($myfile, $request);
fclose($myfile);

With sprintf() then you replace the placeholders %1$s, %2$s, %3$d with the data you want to inject:

Do you have a specific reason to create such a file? The email is already sent by the line 33.

Also, you're using the $name variable to set the filename, but if $name contains special characters or spaces, then it could affect the access to the generated PHP file, you should use a function to replace the spaces, something like this:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

look here user_id = '".$_SESSION['userid']."' ")" remove the second-last quote, so that changes to: )". Then it should work, but consider that an INSERT query does not support the WHERE statement, unless this is into an INSERT ... ON SELECT query:

Reverend Jim commented: DOH! Of course it doesn't. +0
cereal 1,524 Nearly a Senior Poster Featured Poster

It doesn't look like JSON or anything. It looks like byte codes or something. (I DID NOT WRITE THIS APPLICATION)

So, you have decoded the base64 string and you're seeing some strange code? What is the variable for? It could be an icon. An easy method to see the contents is to set data:text/plain;base64,STRING HERE into a Google Chrome browser tab, being text/plain the code will not be executed, but if in doubt use an incognito browser window or start a new profile... an example:

data:text/plain;base64,PHNjcmlwdD5hbGVydCgiaGVsbG8iKTs8L3NjcmlwdD4=

Will display:

<script>alert("hello");</script>

Otherwise, you can decode through the base64_decode() PHP function:

<?php

    $str = "PHNjcmlwdD5hbGVydCgiaGVsbG8iKTs8L3NjcmlwdD4=";
    file_put_contents("output.txt", base64_decode($str));

And then check the contents of the output.txt file.

Link: http://php.net/file-put-contents

Once you have the contents, if it's code and you don't recognize what it is, you can use the search engines to try to find some information, just paste a function name or some constants, this engine is a good place to start:

Bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

the error is telling you the index key cid does not exist in the $_GET array. So, are you submitting the cid attribute through the form or through the action link? I mean, like this:

<form action="script.php" method="post">
    <input type="hidden" name="cid" value="123">

or like this?

<form action="script.php?cid=123" method="post">

By using $_GET the cid key should arrive to the script through the query string ?cid=123, if instead it's inside an input tag, then change it to $_POST:

$cid = $_POST['cid'];

Note: it's always a good practice to check if the expected keys are set and if they are transmitting the expected input. Use filter_input() to validate and sanitize the input, read:

Bye!

cereal 1,524 Nearly a Senior Poster Featured Poster

Ok, at line 16 and 17 you are declaring a variable but then using another one:

$mContent   = '';
echo $mcontent .=

so, set $mcontent = ''; or reverse and fix line 67. Note: this should not preclude the execution of the script, usually it should send a notice for undefined variable mcontent but then it should continue to work.

Try to set error_reporting(-1); at the top of the script, to see if you get some errors.

cereal 1,524 Nearly a Senior Poster Featured Poster

So, you get the email but not the query contents, correct? Is the $conn resource set in the included config.php file?

cereal 1,524 Nearly a Senior Poster Featured Poster

So how does the real query look? The one posted in your previous post does not match, it seems you are using:

$delete = "DELETE FROM `users` WHERE `user_id`='$_GET['user_id']'";

And it happens because you're using single quotes, in this case you should do:

`user_id`='$_GET[user_id]'

Or:

`user_id`='{$_GET['user_id']}'

But why don't you use a prepared statement? It's very simple and makes your query safe.
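
An added example (not part of the original post) of the prepared-statement form of that DELETE. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; the `delete_user()` helper and the table rows are constructed, and only the `users` table and `user_id` column names come from the post.

```php
<?php
// Added example, not code from the thread. In-memory SQLite through PDO;
// the rows and the delete_user() helper are constructed for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('ann'), ('bob'), ('eve')");

// $rawId is what would arrive in $_GET['user_id']; returns the rows deleted.
function delete_user(PDO $pdo, $rawId): int
{
    // Accept only a positive integer; anything else never reaches the database
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;
    }

    // The SQL text is fixed; the value is sent separately as a bound
    // parameter, so there are no quotes to balance inside the string.
    $stmt = $pdo->prepare('DELETE FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

function remaining(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Constructed inputs: a valid id, a non-numeric value, and a value that
// would change the WHERE clause if it were pasted into the query string.
foreach (['2', 'abc', "2' OR '1'='1"] as $input) {
    printf("input %-16s deleted %d, rows left %d\n",
        var_export($input, true), delete_user($pdo, $input), remaining($pdo));
}
```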

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, at line 9 do:

 mysqli_query($MySQLi_CON, $delete) or die(mysqli_error($MySQLi_CON));

You should get the error returned from the database server.

cereal 1,524 Nearly a Senior Poster Featured Poster

The reason " " are in the place they are is to define $_POST[text]...and the reason it defines text is because "text" is in the [] brackets of post...If it was

$clean["abc"]=str_replace("malicious", " ", $_POST[abc]);

It would define ABC instead?

Hmm, no:

$clean["abc"]

and:

$clean["ABC"]

would generate two different index keys, for example, you can do:

$clean = array(
            "abc" => 123,
            "ABC" => "hello"
        );

var_dump($clean);

And you would get:

array(2) {
  ["abc"]=>
  int(123)
  ["ABC"]=>
  string(5) "hello"
}

If, instead, you try to define two index keys with the same name, then you will end up overwriting the first index, for example, you can do:

$clean = array(
            "abc" => 123,
            "abc" => "hello"
        );

var_dump($clean);

And you get:

array(1) {
  ["abc"]=>
  string(5) "hello"
}

In reference to the str_replace() function you have to define four arguments:

str_replace(ARG_1, ARG_2, ARG_3, ARG_4)

ok? The last is optional, so I won't talk about it. Now, the first three arguments can take strings or arrays, to simplify we will look only at strings.

So, ARG_1 is the needle, a string you want to match, in your case "malicious"; the second argument (ARG_2) defines what you want to use to replace the malicious string, in your case " ", which is an empty space; ARG_3 instead is the string in which you want to apply the replacement, i.e. the haystack, so as example:

$string = "I want two oranges";
$replace = …
cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, about this:

$clean["text"]=str_replace("malicious", " ", $_POST[text]);

In all cases these quotes are used to define a string, in:

$clean["text"]

You are defining an index key on an array defined in the $clean variable, the other two, instead, are arguments of the str_replace() function.

In this case, unless text is a constant, then when executing $_POST[text] you will get a Notice: Use of undefined constant text - assumed 'text', in practice the PHP engine will try to serve it as a string index key: $_POST['text']

See:

By the way: str_replace() is not the way to sanitize input, look at the filter extension:
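
An added example (not part of the original posts) for this remark and for the `filter_input()` note in the `cid` post further up: it validates a whole request with the filter extension and shows what the `str_replace()` approach lets through. The `$request` array stands in for `$_POST`, and the rules, the `validate_request()` helper and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. $request stands in for $_POST;
// rules, helper name and sample values are constructed for illustration.

$rules = [
    // cid must be a positive integer
    'cid'  => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    // text must match an allow-list of characters and a length limit
    'text' => ['filter'  => FILTER_VALIDATE_REGEXP,
               'options' => ['regexp' => '/\A[\p{L}\p{N} .,!?-]{1,200}\z/u']],
];

function validate_request(array $request, array $rules): array
{
    // Missing keys come back as null, values that fail their rule as false
    $clean  = filter_var_array($request, $rules, true);
    $errors = [];

    foreach ($clean as $key => $value) {
        if ($value === null) {
            $errors[$key] = 'missing';
        } elseif ($value === false) {
            $errors[$key] = 'invalid';
        }
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Deny-list replacement: case-sensitive, and blind to everything not listed
$raw = 'MALICIOUS <b>markup</b>';
var_dump(str_replace('malicious', ' ', $raw) === $raw);   // input passes unchanged

// Allow-list validation of three constructed requests
print_r(validate_request(['cid' => '123', 'text' => 'Hello, world!'], $rules));
print_r(validate_request(['cid' => '12abc', 'text' => $raw], $rules));
print_r(validate_request(['text' => 'no cid sent'], $rules));

// Validation decides what is accepted; escaping still happens at output time
echo htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), "\n";
```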

cereal 1,524 Nearly a Senior Poster Featured Poster

You're welcome!

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

look at the manual: http://php.net/manual/en/mysqli-result.fetch-array.php

The argument must be a constant, in your case MYSQL_ASSOC without the quotes, the constant in this case is an integer and its value is 1, for MYSQL_BOTH instead is 3, so you could write:

$result->fetch_array(MYSQL_ASSOC);

# or

$result->fetch_array(1);

and get the same result type.

cereal 1,524 Nearly a Senior Poster Featured Poster

You can run netstat with these options:

sudo netstat -tulpn |grep -E ':[0-9]{5}'

Or simply search for a specific port number:

sudo netstat -tulpn |grep :28017

It should return something like:

...
tcp    0    0 0.0.0.0:17500    0.0.0.0:*    LISTEN    3374/dropbox
...

You can get more information about the process by checking the identifier in the /proc/ directory:

ls -lh /proc/3374/exe

this should return the path. More information here:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi,

you could set the line separator into getValue(), for example at line 28:

editor.getValue('<br>')

But this will add the <br> also in the code blocks, otherwise you can apply a CSS rule to #question-preview:

#question-preview {
    white-space:pre-line;
}

And change the #question-preview pre code white-space rule at your preferences:

#question-preview pre code {
    padding: 0;
    white-space: inherit;
}

Docs: http://codemirror.net/doc/manual.html#getValue

cereal 1,524 Nearly a Senior Poster Featured Poster

Can someone change their IP address repeatedly in a short time, say less than a minute or five?

Yes, if IP is dynamic you disconnect & connect to get a new address, not always in the same range and it can change even at each request when using services like Tor.

Some use the Etag header, this is used to cache resources into the browser: you set a specific Etag ID for each client and, when the browser asks the server if there is a new version of the resource, you can track the request and by consequence that specific user associated to the Etag ID.

An IP change will not affect the tracking with Etags, but deleting the browser cache will delete the Etag entries.

Others use the screen resolution and viewport size to track users. Consider that these are not considered ethical practices, see:

cereal 1,524 Nearly a Senior Poster Featured Poster

Hi, you can try HackerRank: https://www.hackerrank.com/

Once logged in, you can choose the domain you want to explore, some are language specific, but there are many challenges that can be answered in different languages, including JavaScript, if this is your interest.

cereal 1,524 Nearly a Senior Poster Featured Poster

The problem is generated in the IN() statement: what happens if $topuid is empty, like in your code?

$topuid   = array();
$idtopuid = implode(',', $topuid);

The result of $idtopuid will be an empty string, example:

var_dump(implode(',', []));
string(0) ""

This will generate the syntax error you got: syntax to use near ') order by rand() limit 0,5' at line 1 because the IN() statement cannot be empty.

Also, keep in mind that you are setting something that will display as a single CSV string, for example:

$topuid   = ['a', 'b', 'c'];
$idtopuid = implode(',', $topuid);

# in query
... IN(".$idtopuid.") ...

Will generate:

IN(a,b,c)

without quotes, which will work fine if these will be integers [1,2,3], but it will fail if using alphanumeric IDs, because it will be like testing table columns and it could generate an error like:

ERROR 1054 (42S22): Unknown column 'a' in 'where clause'

to avoid it, in case of alphanumeric IDs, the IN() statement values should be set with quotes around each element and commas to separate them, so:

IN('a', 'b', 'c')

Bye!
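
An added example (not part of the original post) that covers both cases described above, the empty list and the alphanumeric IDs, by generating one placeholder per element instead of imploding the values into the query. It assumes PDO with an in-memory SQLite database; the `members` table, its rows and the `find_by_ids()` helper are constructed.

```php
<?php
// Added example, not code from the thread. In-memory SQLite through PDO;
// table name, columns, rows and find_by_ids() are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (uid TEXT PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO members VALUES ('a', 'Ann'), ('b', 'Bob'), ('c', 'Cid')");

function find_by_ids(PDO $pdo, array $ids): array
{
    // Normalise to a plain list of unique strings
    $ids = array_values(array_unique(array_map('strval', $ids)));

    // implode() on an empty array gives "", i.e. IN(), which is a syntax
    // error; an empty list can match nothing, so skip the query entirely.
    if ($ids === []) {
        return [];
    }

    // One "?" per element: IN(?,?,?). The driver sends the values as data,
    // so integer and alphanumeric IDs need no manual quoting.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare(
        "SELECT uid, name FROM members WHERE uid IN ($marks) ORDER BY uid"
    );
    $stmt->execute($ids);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(find_by_ids($pdo, []));            // empty list: no query, no rows
print_r(find_by_ids($pdo, ['a', 'c']));    // alphanumeric IDs
print_r(find_by_ids($pdo, ["a', 'b"]));    // quotes inside a value stay part of the value
```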