1

Hehe, sure you can!

If you want to solve it instead, read the notice: it says "Use of undefined constant session - assumed 'session'", which means you probably wrote:

$autoload['libraries'] = array(session); # without quotes

Instead of:

$autoload['libraries'] = array('session'); # with quotes

By adding quotes the value is considered a string, which is what you need in this case.

1

Hi,

at line 7 you have:

$update_id = $post_id;

while $post_id is initialized at line 68:

$post_id = $row_post['post_id'];

Which in practice depends on $edit_id defined at line 60:

$edit_id = $_GET['edit_post'];

So, it seems that you open the page like this:

page.php?edit_post=123

All you have to do is to initialize $edit_id on top, at line 4, so that it is available to the POST conditional statement and to the other code.

Do not use $_GET directly, filter the variable:

$edit_id = filter_input(INPUT_GET, 'edit_post', FILTER_VALIDATE_INT, ['options' => ['default' => NULL]]);

Then replace:

$update_id = $post_id;

With:

$update_id = $edit_id;

Or simply adjust the following code to use $edit_id. Use the filter functions also for the other input coming from POST and GET requests, and use prepared statements too:

1

Hello Dani,

I don't think it's the user agent, I'm testing with Phantomjs and it uses this user agent:

Mozilla/5.0 (Unknown; Linux i686) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1

The testing script render.js:

var page   = require('webpage').create(),
    system = require('system'),
    vsize  = {width: 1280, height: 1024},
    address, output;

address = system.args[1];
output  = system.args[2];

page.viewportSize = vsize;
page.clipRect = {
  top: 0,
  left: 0,
  width: vsize.width,
  height: vsize.height
};

page.open(address, function() {
  page.render(output);
  phantom.exit();
});

Execution:

./phantomjs render.js LINK output.png

And it works fine. In this specific case Microsoft is rejecting HEAD requests; it allows GET requests, in fact it returns 200, but the page has no contents because they are loaded by JavaScript: test with Postman to see how it renders. So, it seems it needs a rendering engine to show the contents.

2

Hi! You can use pathinfo() or a directory iterator:

$ext = pathinfo($file)['extension'];

BUT right now the img() function can, potentially, allow access to the contents of any directory on the server by adding ../ to the variable; for example you can write the following and access /etc/:

pictures.php?imageID=images/../../../../etc

It depends on the position of the document root in the file system. You could use an integer and make sure it's valid, for example:

$imageID = filter_input(INPUT_GET, 'imageID', FILTER_VALIDATE_INT, ['options' => ['default' => NULL]]);

if(TRUE === is_null($imageID))
{
    # redirect or show 404
}

# continue if $imageID is valid

See also: https://www.owasp.org/index.php/Path_Traversal

Votes + Comments
thank you @cereal
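As an added example (not the original poster's code, nor cereal's), here is the traversal-prone img() pattern described above beside a hardened version that accepts only an integer ID, builds the file name itself, and confirms with realpath() that the result still lies inside the images directory. The temporary directory, the file names and the request values are constructed for the demo; filter_var is used in place of filter_input so the script runs from the command line, where filter_input has no request to read.

```php
<?php
// Constructed sandbox: a temporary "images" directory with one image and a
// file outside it that the web page must never serve.
$base = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir($base . '/images', 0700, true);
file_put_contents($base . '/images/1.jpg', 'fake-jpeg-bytes');
file_put_contents($base . '/secret.txt', 'not for the web');

// Vulnerable: the raw query value is glued onto the directory name, so
// pictures.php?imageID=../secret.txt reads outside the images directory.
function img_vulnerable(string $base, string $imageID): ?string
{
    $path = $base . '/images/' . $imageID;
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened: validate the ID as a positive integer, derive the file name from
// it, then verify the resolved path is still under the images directory.
function img_hardened(string $base, $imageID): ?string
{
    $id = filter_var($imageID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // redirect or show 404 in a real page
    }

    $dir  = realpath($base . '/images');
    $path = realpath($dir . '/' . $id . '.jpg');

    // realpath() returns FALSE for a missing file; the prefix check catches a
    // symlink or any other trick that resolves outside $dir.
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

var_dump(img_vulnerable($base, '../secret.txt')); // string: the private file leaks
var_dump(img_hardened($base, '../secret.txt'));   // NULL: rejected by the integer filter
var_dump(img_hardened($base, '1'));               // string: the legitimate image

// Remove the constructed sandbox.
unlink($base . '/images/1.jpg');
unlink($base . '/secret.txt');
rmdir($base . '/images');
rmdir($base);
```

The integer filter alone already blocks the ../ payload; the realpath() check is the second layer for the day someone changes the file-name rule and reintroduces user-controlled path fragments.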
2

Hmm, the session in this case is probably not the best approach: what happens if, in the current session, you open multiple tabs of A.php with different IDs?

A.php?id=123
A.php?id=124
A.php?id=125
...

It would screw up, because the session value would be rewritten by the latest loaded tab. Append the query string to B.php, so if you are using a form you can do:

<form method="get" action="B.php?id=123">

Or hide it in the input fields:

<input type="hidden" name="id" value="123">

If you want more appropriate help, share an example of what you are trying to do.

Votes + Comments
Good shout about multiple tabs +1 - a common gotcha!
0

Thank you Jim! Yes, that works fine and also counting the resulting array works fine.

The original query is not like in the above example: I was using FOUND_ROWS() in a PHP PDO class, to automatically extract the number of rows, but it was not working appropriately. So I started playing with an example table and added SQL_CALC_FOUND_ROWS too and came down with the above test.

Even by doing:

SELECT SQL_CALC_FOUND_ROWS * FROM `test` LIMIT 3;

then FOUND_ROWS() should return 5, instead it returns 1. In practice, I do not understand why it does not output the expected result.

I just did a test on MariaDB 10.0.28 and MariaDB 10.1.19 and it returns 5, as expected. My current version instead is 10.0.29, so it may be a bug.

//EDIT

@Dani, yes, I added SQL_CALC_FOUND_ROWS just to test the query.

0

Hello,

so, I'm playing a bit with MariaDB 10.0.29 and I cannot understand why FOUND_ROWS() keeps returning 1 whatever happens to the latest select query. Here's my test:

> CREATE TABLE `test` (`id` INT UNSIGNED AUTO_INCREMENT PRIMARY KEY, `msg` VARCHAR(100) NULL) ENGINE = InnoDB;
Query OK, 0 rows affected
Time: 0.782s

> INSERT INTO `test` (`msg`) VALUES('apples'), ('oranges'), ('strawberries'), ('cherries'), ('random');
Query OK, 5 rows affected
Time: 0.180s

> SELECT SQL_CALC_FOUND_ROWS * FROM `test`;
+------+--------------+
|   id | msg          |
|------+--------------|
|    1 | apples       |
|    2 | oranges      |
|    3 | strawberries |
|    4 | cherries     |
|    5 | random       |
+------+--------------+
5 rows in set
Time: 0.003s

> SELECT FOUND_ROWS();
+----------------+
|   FOUND_ROWS() |
|----------------|
|              1 |
+----------------+
1 row in set
Time: 0.002s

Expected result 5. The same happens with MyISAM engine.

Any clue why this happens? To avoid any possible side issue, I have tested from a fresh connection through the command line client, but it does not seem to make a difference.

The online test with MySQL 5.6, instead, returns 0, it is accessible here:

For the online test result I'm not sure whether it depends on SQLfiddle or on MySQL 5.6.

1

Hello,

I just saw your question, so according to FB best practices:

Use images that are at least 1200 x 630 pixels for the best display on high resolution devices. At the minimum, you should use images that are 600 x 315 pixels to display link page posts with larger images. Images can be up to 8MB in size.

If your image is smaller than 600 x 315 px, it will still display in the link page post, but the size will be much smaller.

We've also redesigned link page posts so that the aspect ratio for images is the same across desktop and mobile News Feed. Try to keep your images as close to 1.91:1 aspect ratio as possible to display the full image in News Feed without any cropping.

And last:

The minimum image size is 200 x 200 pixels. If you try to use an image smaller than this you will see an error in the Sharing Debugger.

Source: https://developers.facebook.com/docs/sharing/best-practices#images

0

Hi Jailani,

in your code you are using:

$value = $_GET['change'];

which will not work if the form sets the method to POST:

<form method="post">

If you perform a POST request then you have to use $_POST on the PHP side to access the values of the input fields. You could use $_GET, but only if appending values to the action link of the form tag, for example:

<form method="post" action="script.php?id=123">

Also, you are trying to access the id, like this:

$id = $_REQUEST['id'];

I suppose you want to get it from this line:

echo"<td><font color='black'>" .$test['id']."</font></td>";

It will not work unless you add an input field like this:

<input type="hidden" name="id" value="<?php echo $test['id']; ?>">

This is more correct, but you are also looping the array from the query, so you are going to create a group of rows, in the HTML, each with:

echo"<td><input type='text' name='change'/></td>";

In this case, since you are not submitting $_POST['change'] as an array and since this is a text type, you will apply only the last one in the list:

<tr>
    <td><input type='text' name='change'/>
<tr>
    <td><input type='text' name='change'/>
<tr>
    <td><input type='text' name='change'/> <-- only this will be applied

So the input name should look more like name='change[]':

<tr>
    <td><input type='text' name='change[]'>
<tr>
    <td><input type='text' name='change[]'>

Even by applying this your update query will still not work, because you have to loop the $_POST['change'] and the other fields values.

This post may help you:

it applies to <select> tags, but ...
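The loop over $_POST['change'] mentioned above, as an added example that is not Jailani's code nor the answer's own: it assumes the form posts two parallel arrays, id[] (hidden) and change[] (text), validates every id as an integer, and applies each update with a prepared statement so the text values never touch the SQL. The table, its column name (note) and the $post array are constructed stand-ins; an in-memory SQLite database replaces the real one so the script runs offline.

```php
<?php
// Constructed database standing in for the real table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, note TEXT)');
$db->exec("INSERT INTO items (id, note) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

// Constructed stand-in for $_POST, as produced by rows of
//   <input type="hidden" name="id[]" value="..."><input type="text" name="change[]">
// The third id is deliberately not an integer.
$post = [
    'id'     => ['1', '2', 'x'],
    'change' => ['alpha', "be'ta", 'gamma'],
];

// Returns the number of rows updated. Rows whose id fails validation are
// skipped; a mismatch between the two arrays aborts the whole request.
function applyChanges(PDO $db, array $post): int
{
    // FILTER_REQUIRE_ARRAY applies the filter to every element; invalid ids
    // become FALSE, a non-array input makes the whole result FALSE.
    $ids     = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, FILTER_REQUIRE_ARRAY);
    $changes = filter_var($post['change'] ?? null, FILTER_DEFAULT, FILTER_REQUIRE_ARRAY);

    if (!is_array($ids) || !is_array($changes) || count($ids) !== count($changes)) {
        return 0;
    }

    $stmt    = $db->prepare('UPDATE items SET note = :note WHERE id = :id');
    $updated = 0;

    foreach ($ids as $i => $id) {
        if ($id === false) {
            continue; // id did not validate, leave that row alone
        }
        // Bound parameters: the quote inside "be'ta" is stored, not executed.
        $stmt->execute([':note' => $changes[$i], ':id' => $id]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

echo applyChanges($db, $post), " rows updated\n"; // 2 rows updated

foreach ($db->query('SELECT id, note FROM items ORDER BY id') as $row) {
    echo $row['id'], ' => ', $row['note'], PHP_EOL; // 1 => alpha, 2 => be'ta, 3 => c
}
```

Keeping id[] and change[] as parallel arrays relies on the browser submitting the fields in document order, which it does; if rows can be added or removed client-side, post the id as the array key instead (name="change[123]") so the pairing cannot drift.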

1

Check arp-scan -ln; it outputs something like this:

> arp-scan -ln
Interface: wls1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.628 seconds (157.25 hosts/sec). 7 responded

And you could simply parse the output. But I'm not sure if there is a version for Windows platforms. Some info here:
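Parsing that output as suggested, as an added example that is not part of the original answer: the function extracts ip / mac / vendor records from the arp-scan listing pasted above (embedded here as a constant), checks that the number of parsed hosts matches the "N responded" summary line, and flags any MAC address that is not in a constructed inventory, which is the usual defender use of such a scan (spotting devices that should not be on the segment).

```php
<?php
// The arp-scan output from the answer above, embedded as sample input.
const SAMPLE = <<<'TXT'
Interface: wls1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.628 seconds (157.25 hosts/sec). 7 responded
TXT;

// Returns a list of ['ip' => ..., 'mac' => ..., 'vendor' => ...] arrays.
// Only lines that start with an IPv4 address followed by a MAC are hosts;
// the banner and summary lines fall through the regex and are ignored.
function parseArpScan(string $output): array
{
    $re    = '/^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*(.*)$/i';
    $hosts = [];
    foreach (preg_split('/\R/', $output) as $line) {
        if (preg_match($re, trim($line), $m)) {
            $hosts[] = ['ip' => $m[1], 'mac' => strtolower($m[2]), 'vendor' => trim($m[3])];
        }
    }
    return $hosts;
}

// Cross-check against the tool's own "N responded" count so a truncated or
// reformatted listing is noticed instead of silently yielding fewer hosts.
function respondedCount(string $output): ?int
{
    return preg_match('/(\d+) responded\s*$/m', $output, $m) ? (int) $m[1] : null;
}

// Hosts whose MAC is not in the inventory; $known is a constructed list.
function unknownHosts(array $hosts, array $known): array
{
    $known = array_map('strtolower', $known);
    return array_values(array_filter($hosts, fn($h) => !in_array($h['mac'], $known, true)));
}

$hosts = parseArpScan(SAMPLE);
printf("parsed %d hosts, tool reported %d\n", count($hosts), respondedCount(SAMPLE)); // 7 / 7

// Constructed inventory: everything from the listing except the Juniper box.
$inventory = [
    '00:c0:9f:09:b8:db', '00:02:a5:90:c3:e6', '00:0b:db:b2:fa:60',
    '00:02:b3:06:d7:9b', '00:01:e6:57:8b:68', '00:30:c1:5e:58:7d',
];
foreach (unknownHosts($hosts, $inventory) as $h) {
    echo "unknown device: {$h['ip']} {$h['mac']} ({$h['vendor']})", PHP_EOL;
    // unknown device: 192.168.0.153 00:10:db:26:4d:52 (Juniper Networks, Inc.)
}
```

Note that arp-scan only sees hosts that answer ARP on the local segment, and a MAC address is trivially changed, so an inventory match is evidence that a device is expected, not proof of identity.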

0

In this very specific case, because $ID is expected to be an integer, you could use exec(), which returns the number of rows affected by the statement, or something that evaluates to boolean FALSE (if something goes wrong), but you have to properly sanitize the variable.

$ID = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT);

if(FALSE !== $ID && NULL !== $ID) // FALSE: not an integer, NULL: parameter missing
{
    $update = $db->exec("UPDATE table SET count = count + 1 WHERE id=".$ID);

    if(FALSE === $update)
    {
         // log the error, kill the script, etc.
    }

    else
    {
        // successful update
    }
}

else
{
    // $ID is not valid
}

In case of strings, instead, the filter function is not enough, because sending something like 0 OR 1=1 would be valid and expose your query to an SQL injection attack.

I prefer to have a few extra lines of code and go with prepared statements.

Besides, in PDO you can send the values as an array, in the execute() method:

$stmt->execute([':ID' => $ID]);
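The two answers above (the filter_input + prepared-statement advice about $edit_id, and the exec() versus prepared-statement discussion here) as one added example, not the answerers' own code: an integer ID validated with the filter extension, and a string value handled with a PDO prepared statement beside the concatenated query it replaces. The table, rows and request values are constructed, an in-memory SQLite database stands in for MySQL, and filter_var is used in place of filter_input so the script runs from the command line, where filter_input has no request to read.

```php
<?php
// Constructed table standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, hits INTEGER DEFAULT 0)');
$db->exec("INSERT INTO posts (id, title) VALUES (1, 'apples'), (2, 'oranges'), (3, 'cherries')");

// Returns an int for a valid ID, null otherwise. The filter functions return
// FALSE for an invalid value and NULL for an absent one; both cases are
// folded into null so callers only have one failure path to handle.
function validId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false || $id === null) ? null : $id;
}

// exec() with a concatenated integer, as in the answer: safe only because
// $id is a PHP integer by the time it reaches the query string.
function incrementHits(PDO $db, $rawId): int
{
    $id = validId($rawId);
    if ($id === null) {
        return 0; // invalid or missing ID: nothing is touched
    }
    return $db->exec('UPDATE posts SET hits = hits + 1 WHERE id = ' . $id);
}

// String input: the filter cannot help, so concatenation is exploitable...
function findByTitleUnsafe(PDO $db, string $title): array
{
    return $db->query("SELECT id FROM posts WHERE title = '$title'")->fetchAll(PDO::FETCH_COLUMN);
}

// ...while a bound parameter keeps the value as data whatever it contains.
function findByTitle(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id FROM posts WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(incrementHits($db, '2'));          // int(1): one row updated
var_dump(incrementHits($db, '0 OR 1=1'));   // int(0): rejected by FILTER_VALIDATE_INT
var_dump(incrementHits($db, null));         // int(0): missing parameter

$probe = "x' OR '1'='1";                    // constructed hostile title
var_dump(findByTitleUnsafe($db, $probe));   // ["1", "2", "3"]: the WHERE clause collapsed to true
var_dump(findByTitle($db, $probe));         // []: the quote is data, not syntax
```

The integer path is the one place where concatenation is defensible, and only after the value has become a real integer; for everything else the prepared statement costs two lines and removes the question entirely.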
1

I was supposing the $_POST['Net'] arrays to hold float values, not file names. Anyway you could write:

$files    = [];
$products = [];

while($rowProduct = mysql_fetch_array($productSQL))
{
    $products[] = $rowProduct['POProductNet'];
}

if(TRUE === isset($_POST['Net']) && TRUE === is_array($_POST['Net']))
{
    $files = array_map('basename', $_POST['Net']);
    $diff  = array_diff_assoc($products, $files);

    if(count($diff) > 0)
    {
        // write data to db
    }
}

Here I'm just using the array functions, instead of the loops, it's just a choice. You can go with loops.

But if $_POST['Net'] is supposed to always be an array, then I would check it in the sanitizing step, not after the query to the database. So it would look more like:

$net = filter_input(INPUT_POST, 'Net', FILTER_SANITIZE_STRING, FILTER_REQUIRE_ARRAY);

if(FALSE !== $net)
{
    $files    = array_map('basename', $net);
    $products = [];

    // select query the database
    // populate the $products array
    // compare with $files
}
1

You could use RecursiveDirectoryIterator(), something like in this comment:

More precisely like this:

<?php

$path = dirname(__DIR__);

$dir_iterator = new RecursiveDirectoryIterator($path
                     , FilesystemIterator::SKIP_DOTS);

$iterator     = new RecursiveIteratorIterator($dir_iterator
                    , RecursiveIteratorIterator::LEAVES_ONLY
                    , RecursiveIteratorIterator::CATCH_GET_CHILD);

foreach($iterator as $file)
    if(TRUE === $file->isReadable())
        echo $file . PHP_EOL;
0

Hi,

look, this hex dump suggests it could be C++:

0007e0a0  72 20 61 72 67 75 6d 65  6e 74 73 0d 0a 00 00 00  |r arguments.....|
0007e0b0  52 36 30 30 32 0d 0a 2d  20 66 6c 6f 61 74 69 6e  |R6002..- floatin|
0007e0c0  67 20 70 6f 69 6e 74 20  6e 6f 74 20 6c 6f 61 64  |g point not load|
0007e0d0  65 64 0d 0a 00 00 00 00  4d 69 63 72 6f 73 6f 66  |ed......Microsof|
0007e0e0  74 20 56 69 73 75 61 6c  20 43 2b 2b 20 52 75 6e  |t Visual C++ Run|
0007e0f0  74 69 6d 65 20 4c 69 62  72 61 72 79 00 00 00 00  |time Library....|
0007e100  0a 0a 00 00 52 75 6e 74  69 6d 65 20 45 72 72 6f  |....Runtime Erro|
0007e110  72 21 0a 0a 50 72 6f 67  72 61 6d 3a 20 00 00 00  |r!..Program: ...|
0007e120  2e 2e 2e 00 3c 70 72 6f  67 72 61 6d 20 6e 61 6d  |....<program nam|
0007e130  65 20 75 6e 6b 6e 6f 77  6e 3e 00 00 00 00 00 00  |e unknown>......|

And this:

0008ead0  46 53 4f 55 4e 44 20 50  72 69 6d 61 72 79 20 4d  |FSOUND Primary M|
0008eae0  69 78 42 75 66 66 65 72  00 00 00 00 43 3a 5c 64  |ixBuffer....C:\d|
0008eaf0  65 76 5c 66 6d 6f ...