Posts by cereal

No, the temporary table is visible only by the current connection, if you start a connection from another mysql client (PHPMyAdmin or just a shell) the id will be different. This means that you can have more then one temporary table Basket at the same time:

• http://dev.mysql.com/doc/refman/5.1/en/create-table.html#idm47525032009712

When using persistent connections, these will be cached and reused if using the same credentials.

With mysql_pconnect() you can create temporary tables, these will not be destroyed when the script ends, because the connection will stay open, unless you don't use mysql_close() or you drop the table:

• http://php.net/mysql_pconnect

Sorry, I didn't edit in time.

Edit 2

I'm probably wrong, because actually there are few conditions: capitalization matters, you cannot use characters of the name and if you choose more than one character from the username, then the password cannot be choosed. So it is much more complicated, but you still know that you can exclude all those combinations.

Going back to my corner to think è_é and sorry for the off-topic.

Interesting thread. In Yahoo mail when you set the password you are not allowed to use the characters included in the username, no matter if you're using only one of those characters and this check is case insensitive. But they still want at least an uppercase character. In my opinion this solution is self-defeating because an attacker will know what characters can omit from the bruteforce.

For example, if the username is deceptikon we can exclude 18 characters: decptikon and DECPTIKON, if the minimum password length is 8, then it translates to:

((44^8) * 100) / (62^8)

Where 62 is a-zA-Z0-9. It means that, by excluding the known characters, the combinations to check can be reduced to 6.43% of the total, which is a huge difference. Not only this, but increasing the lenght, the range will continue to drop: with a length of 12, the combinations to check will be only 1.63% of the total (62^12), it will be always a big number of combinations, but why they exclude those characters, I don't see the logic of this decision. Or my observations are wrong?

EDIT
Ok, I'm probably wrong, because actually there's a condition: if you choose more than one character equal to the username, then the password cannot be used. So is much more complicated, but you still know that you can exclude all those combinations that include at least 2 of the username characters, if you apply this to a dictionary you can limit a …

Can you explain better what you want to achieve?

I just want point relation between Word A, B, C to Z

Are you referring to the signifier or to the meaning?

The reason why we turn URLs into clickable links within code snippets is because sometimes snippets include comments with a link crediting the origin of the source code and that type of thing

Ok, thank you for your reply.

Please, mine is just an opinion, not a complaint. I'm paying attention to this just because the links are crossed out in the code blocks. To me it's not a problem if a link is clickable or not, I was only suggesting a solution.

If a link is going to be overlined because is broken, then it can become difficult to read, at least for me: many times in the threads we use example links, to request help with rewrites or just to show the structure of an url. That line does not help me to answer, it just make it difficult to read.

Bye :)

In my opinion in the code blocks this is distracting. The link should not be clickable by default, no matter if this is broken or not and mantain his readability.

:)

Ok, if you still want to create a temporary table, use my suggestion, change your code, then modify the insert query to:

$query_insertintotable = "INSERT INTO everything (ArtistName, NAMEoftheDVD) VALUES ('RIHANNA', 'SHAWSHANK')";
$result_insertintotable = mysql_query($query_insertintotable, $dbhandle) or die(mysql_error());

Where NAME of the DVD is NAMEoftheDVD or name_of_the_dvd as in my example.

Note that the temporary table will be deleted at the end of the script.

Also the name of a column cannot contain whitespace, use underscores instead, so Name of the DVD becomes name_of_the_dvd. That's probably why your temporary table does not work, you can change the first query to:

$query_createTemporaryTable = "CREATE TEMPORARY TABLE temp(temp_id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, ArtistName VARCHAR(20), name_of_the_dvd VARCHAR(30))"; 
$result_createtemptable = mysql_query($query_createTemporaryTable , $dbhandle) or die(mysql_error());

Yes, create the table with the columns you need and then post the result of the explain command here, or just post the create statement. After that we can fix your queries.

Yes, without the dot, just explain temp;

Without the semi-colon at the end of mysql_query():

$result_selecttemptable = mysql_query($query_selecttemptable, $dbhandle) or die(mysql_error());

And with die(mysql_error()) which is more useful because it will display the actual error or the query.

Yes, try the suggestions in my previous post and let us know the results.

Hmm looking better at your code, I doubt that this would work:

"SELECT ArtistName,NAME of the DVD FROM temp";

Can you show us the structure of this table? Run explain temp; from a MySQL table and paste here the result.

@Mohamed don't worry about her, she's a spammer.

Regarding your problem, try to change this:

$result_selecttemptable = mysql_query( $query_selecttemptable,$dbhandle);
$row_selecttemptable = mysql_fetch_array($result_selecttemptable, $dbhandle);
while($row_selecttemptable = mysql_fetch_array($result_selecttemptable, $dbhandle)){
      echo $row_selecttemptable
      or die mysql_error("Error");
  }

To:

$result_selecttemptable = mysql_query($query_selecttemptable,$dbhandle) or die(mysql_error());

while($row_selecttemptable = mysql_fetch_array($result_selecttemptable))
{
    echo $row_selecttemptable['ArtistName'];
}

Same here on:

• Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
• Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0

I've seen this in many threads in the last few days.

The big problem here is that cells_num, grid_num and cell_weight do not have a suffix, as the others, that would simplify a lot the game. Anyway, if these groups are of fixed length you can split them and then rearrange as you like. An example:

<?php

include 'array.php';

function ohoh($a, $needle)
{
    $result = array();
    $i = 0;
    foreach($a as $key => $value)
    {
        foreach($value as $kv => $vv)
        {
            preg_match("(.*title|.*content)", $kv, $res);
            if(count($res))
            {
                $result[$i][$res[0]] = $vv;
                if(strstr($res[0], 'content')) $i++;
            }

            preg_match('/(grid_num|cells_num|cell_weight)/', $kv, $rs);
            if(count($rs) > 0) $result[$kv] = $vv;
        }
    }

    return $result;
}

function fire($a, $keys)
{
    $length = count($a) / count($keys);
    $arrays = array_chunk($a, $length);
    $result = array();

    $i = 0;
    foreach($arrays as $array)
    {
        $result[]['tabs'] = ohoh($array, $keys[$i]);
        $i++;
    }

    return $result;
}

$keys = array('rEXMp', '3T2IV');

echo "<pre>";
print_r(fire($a, $keys));
echo "</pre>";

Will print:

Array
(
    [0] => Array
        (
            [tabs] => Array
                (
                    [0] => Array
                        (
                            [tab-title] => tab-1
                            [tab-content] => tab-1 content
                        )

                    [1] => Array
                        (
                            [tab-title] => tab-2
                            [tab-content] => tab-2 content
                        )

                    [2] => Array
                        (
                            [tab-title] => tab-3
                            [tab-content] => tab-3 content
                        )

                    [cells_num] => 1
                    [grid_num] => 0
                    [cell_weight] => 100%
                )

        )

    [1] => Array
        (
            [tabs] => Array
                (
                    [0] => Array
                        (
                            [tab-title] => tab-4
                            [tab-content] => tab-4 content
                        )

                    [1] => Array
                        (
                            [tab-title] => tab-5
                            [tab-content] => tab-5 content
                        )

                    [2] => Array
                        (
                            [tab-title] => tab-6
                            [tab-content] => tab-6 content
                        )

                    [cells_num] => 1
                    [grid_num] => 1
                    [cell_weight] => …

Hi,

I'm not sure if is this but: neither the From: header, nor the Reply-To: are correct email addresses. In the From header is missing the local part, i.e. the part that goes before @:

"From: Bright-Tutors <bright-tutors.com> \n";

In the Reply-To the missing part is the top level domain, it should be:

"Reply-To: enquiries@bright-tutors.com\n";

You can also try to change all the \n with \r\n. And consider the use of the SwiftMailer library: http://swiftmailer.org/

So, what have you done so far?

Ok. Maybe I'm missing something, but from what I see, I think your script should not work, because it needs some specific conditions. For example: register_globals is on? The documentation of session_register() says:

If your script uses session_register(), it will not work in environments where the PHP directive register_globals is disabled.

As of PHP 4.2.0, the default value for the PHP directive register_globals is off. The PHP community discourages developers from relying on this directive, and encourages the use of other means, such as the superglobals.

And:

Caution
If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered(), and session_unregister().

Reference: http://www.php.net/manual/en/function.session-register.php

Your intent is to make the first part (up to line 17) work with the second (after line 19)? If yes, remove session_register() and the others, as suggested by the documentation and use $_SESSION to make it work.

You should, also, get some errors because session_start() is declared only at line 23 while it should be in the first line of the script.

Use the $_SESSION array instead:

• http://www.php.net/manual/en/reserved.variables.session.php

At the top of the script place session_start(), then define the variables you want to save to session, for example:

<?php

    session_start();

    $_SESSION['username'] = 'Stefan';

    echo $_SESSION['username'];

Regarding the form, I cannot help much on the javascript side, but you have to be sure the logged user cannot submit to the login script, not only that the form is visible or not. This means you have to filter the requests to the script, you could place this in top:

<?php

    session_start();

    if(array_key_exists('username', $_SESSION))
    {
        $_SESSION['error_flashdata'] = 'Already logged';
        header('Location: /');
    }

Then if you want, you can apply a session variable to send and display error messages in the landing page, in this case as you see in the header(), the redirect points to the homepage:

<?php

    session_start();
    $error = false;

    if(array_key_exists('error_flashdata', $_SESSION))
    {
        $error = $_SESSION['error_flashdata'];
        unset($_SESSION['error_flashdata']);
    }

    echo $error;

The first argument of session_is_registered() must be a string, in your case myusername is not a constant, it's a string, so add the quotes:

if(session_is_registered('myusername'))

In addition these functions will be removed from PHP 5.4, their use is highly discouraged:

• http://www.php.net/manual/en/function.session-register.php
• http://www.php.net/manual/en/function.session-is-registered.php

The problem is given by the double quotes inside the date function, you're breaking the quotes of the echoed string, if you escape them then it will print the line without executing the code.

So, you can get the output by setting a variable and include it in the string:

$date = date("Y/m/d");
echo "<div class='date'>$date</div>";
echo '<div class=\'date\'>$date</div>';

Check the output of the above example. Do you see the differences between single and double quotes? Here's the documentation:

• http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing

An alternative syntax:

echo "<div class='date'>" . date("Y/m/d") . "</div>";

The variable values, in this case, must be strings, so surround them with quotes:

$dbhost = "sql.domain.tld";
$dbuser = "username";
$dbpass = "password";

The port value can be submitted as integer, so you can omit the quotes. Anyhow, by adding mysql_error() you should be able to see the error.

Since you're rewriting the code I suggest you to switch to PDO or MySQLi libraries, because the one you're currently using is going to be removed from PHP, so check:

• http://php.net/pdo
• http://www.php.net/mysqli

Yes, in the arrays you start to count from zero, you can see all the structure by using print_r():

print_r($file);

The second xml file is not correct, here's the fixed version:

<?xml version="1.0" ?>
<sys>
    <major>
        <id>1</id>
        <point>Tower</point>
    </major>
    <major>
        <id>2</id>
        <point>Castle</point>
    </major>
</sys>

Now, you basically get an object array, so:

echo $file->major[0]->id . ' ' . $file->major[0]->point;

And if you loop it:

foreach($file as $key => $value)
{
    if($value->id == 1) echo $value->point;
}

You get the same results.

Ok, I got it, it happens because you have to encode & in the query string, try with:

echo rawurlencode("http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]");

It should work fine.

I don't know if there is anything in PHP, but there is a tool written in Python:

• http://pythonhosted.org/querycsv/

Otherwise you can check the SQLite library, it's used with sqlite files:

• http://php.net/sqlite

But files and sqlite are, generally, good to save little data, if your application will be used by multiple users and deal with many MB of data then it's better to use a relational database. In alternative take a look at NoSQL solutions:

• http://nosql-database.org/

You're using an array, so you have to surround it with parentheses, otherwise you have to escape the single quotes:

mysqli_query($con,"UPDATE goodship SET brick=brick+1 WHERE id = {$_COOKIE['id']}");

In addition, use prepared statements, otherwise a user can push in arbitrary code:

• http://www.php.net/manual/en/mysqli.prepare.php

IF you're using Windows, the mail() function will not parse emails in format Name <email@domain.tld>.

Second use double quotes:

$email = "{$_REQUEST['email']},{$_REQUEST['email2']}";

Otherwise you have to escape the array keys quotes.

Third: avoid using $_REQUEST and filter the input, currently this makes your script attackable.

It seems your SSL domain is not well configured, if you browse to the root https://nadim.org/ you get the default page. The index.php page is missing, the new2 directory is missing as well.

By the way, even switching from HTTPS to HTTP it does not work, you need to complete the query string with &prodid=132&cat=1.

Use mysql_affected_rows() instead of mysql_num_rows($num_rows). Also use MySQLi or PDO libraries, since the MySQL library is going to be removed.

Docs: http://php.net/mysql_affected_rows

Good, if we are done, please mark the thread as solved. Bye! :)

It seems there's an extra space near the end of the filename, run the trim function against the $file variable: $file = trim($file); before populating the $sql variable.

You're welcome, I'm glad it works all fine.

can rename the phpmyadmin-4.0.4-all-languages without problem???

You can rename it without any problems.

in cpanel we have a option for protected directory to put user and password

Do it. Most scanners will try to find /phpmyadmin-* or strings like /pma, /mysql, /db or /database so if you can add an extra layer it won't hurt.

Ok, sorry for previous suggestions about the Authentication method, I was a bit asleep and I confused the options :D

So, if you don't use the config mode, do not fill username and password fields.

For now use cookie or http modes. In both cases, you do not need to fill anything else in those forms, there are some extra options, but you can skip them for now. With these modes you will get a form to insert the database credentials.

The signon method is used to unify the login, for example: you have a login script to access the admin pages, through this method you can start a session that gives you access also to PHPMyAdmin (PMA). Check examples/signon.php to see a demo script, this expects that your login credentials matches with the MySQL account, but you could encrypt them into a table and extract them when you start the session... anyway, this is a bit tricky and if you don't have special requirements go straight to the cookie or http methods.

Good! Click on New Server then as:

• Verbose name of this server: choose something of your choice, in my previous example, the name were local1 and local2, this is related only to PHPMyAdmin;
• Server hostname: is the same hostname you use in your scripts to connect to the database, so it can be something like an IP, it can be localhost or a domain name as db001.oneandone.com;
• Server port: the default listening port for MySQL servers is 3306, so you can leave it blank, if you have another setting then fill the field;
• Server socket: this is a file in the filesystem, it's used when the database is in the same box of the web server, in practice the socket overrides the network layer and gives much speed between the server and the web application, I don't know if you can use it with your current hosting plan, I don't have experience with 1and1;
• Use SSL: as the previous it depends on your configuration, if your plan provides SSL connection to the database then use it, otherwise leave it empty;
• Connection type: is used to switch between TCP (given by hostname:port) and socket connections, you'll probably need TCP;
• PHP extension to use: if your current version of PHP supports MySQLi then select it, the requirements are MySQL 4.3.1 and PHP 5.*, if you have doubts create a file with phpinfo() inside to check your PHP configuration;

After you've done with this form, go to the Authentication tab …

Ok, alternative solutions:

• install on local, and create the config file, then upload it to the server;
• manually create config.inc.php, I've created two generic connections.

Here's the template:

<?php
/*
 *  Generated configuration file
 *  Generated by: phpMyAdmin 4.1.0 setup script
 *  Date: Sat, 14 Dec 2013 22:12:01 +0100
 */

/* Servers configuration */
$i = 0;

/* Server: local1 [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'local1';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'root';

/* Server: local2 [2] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'local2';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'root';

/* End of servers configuration */

$cfg['blowfish_secret'] = 'place a very random string here'; # change this
$cfg['DefaultLang'] = 'en';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
?>

Set your connections, upload it to /phpMyAdmin-4.0.4-all-languages/ and then remove setup and config directories. For more options check the PHPMyAdmin documentation linked in one of the previous posts.

it folder when you say directory??? right???

Yes :) Folder is the name of the graphical representation (the icon) of the directory. You can try with 777, but this is not the best setting, so: check if with 777 the error message disappears, then setup PHPMyAdmin, check if it works fine and then try to set config permissions back to 644.

Hope it works, I don't have other ideas.

i contacted 1and1 support they told me it is not possible

Ok, it means the database server accepts connections only from allowed IP, as your server IP, so it won't work from your PC.

Regarding 755 and 644 these are system permissions, 644 equals to read + write for the user that runs Apache (usually named www-data) and ownes the files in the server, if this does not work try with 755 that equals to read + write + execute.

If you're using Filezilla or another FTP client, right click the config folder and choose File Permissions, from there you can set the correct setting. Otherwise check the help center, I've found this:

• http://faq.1and1.co.uk/web_space__access/webspace_explorer/4.html

It may be useful.

Also, you could try with insert ... select ... on duplicate key, an example query:

insert into table1 (user, score) values(1,2);

insert into table2 (user, total_score) select user, score from table1 where id = last_insert_id() on duplicate key update total_score = total_score + score;

The conditions are:

• you cannot use group by on the select segment
• you need an auto increment key in table1 to get the last_insert_id()

• you cannot perform multiple inserts into table1 like this:

  insert into table1 (user, score) values(1,7), (1,3), (1,4);

because last_insert_id() will refer only to the first of these and the second query will continue to add 7.

An example: http://sqlfiddle.com/#!2/7e6e58/1

Ref. http://dev.mysql.com/doc/refman/5.5/en/insert-select.html

Can you avoid running phpmyadmin from accessible docroot? It may be better to run from cPanel/Plesk only.

Chris in addition to diafol's suggestion, if you can connect to the database from your localhost installation (XAAMP or WAMP), then install PHPMyAdmin in your computer, so you can manage it without exposing your web space.

Follow these steps:

• delete config.inc.php file;
• under www.myadomainname.com/phpMyAdmin-4.0.4-all-languages/ create the directory config;
• change permissions of this new directory to 644 or, if it does not work, to 755;
• then reload the setup page, the red message will disappear, after that just click on Add new server to insert the credentials to your databases.

Once you have finished remove the setup directory, otherwise anyone can browse there and change the settings.

Show the code of this page if you want, we can suggest you what to fix.

In general the rule is: whenever the script receives data from $_POST, $_GET, $_REQUEST, $_COOKIE or any external source (as a file), then filter and validate it.

Additional documentation: http://php.net/filter

Also, browse to the setup directory, you can use the wizard:

www.myadomainname.com/phpMyAdmin-4.0.4-all-languages/setup/

Before doing this, I suggest to change the name of phpMyAdmin-4.0.4-all-languages to something less predictable and searchable by the web spiders. Other information here:

• http://docs.phpmyadmin.net/en/latest/setup.html

Standing at their Help Center, PHPMyAdmin is already available from your control panel:

• http://help.1and1.com/hosting-c37630/linux-c85098/mysql-database-c37730/access-phpmyadmin-a627818.html

In both cases it means that the application does not filter the data received from the clients, and so an attacher can enter additional statements to the query, for example, you receive a GET request on this link:

• http://localhost/article.php?id=17&action=delete

and the script does not filter:

$id = $_GET['id'];

$query = "delete from articles where id = $id";

now, imagine if the attacker enters something like this:

?id=17 and id between 1 and 1000&action=delete

It will delete 1000 articles. To mitigate these problems you should use prepared statements and sanitize all data received by the clients. If you're using the MySQL library consider to switch to PDO:

• http://php.net/manual/en/book.pdo.php

For more information about that kind of attack check this article:

• https://www.owasp.org/index.php/Blind_SQL_Injection

The search form should use the GET method, because it's a reading instance, the update form a POST method because it writes to the database. So you can do:

# read
if($_SERVER['REQUEST_METHOD'] == 'GET')
{
    # execute search
    if(isset($_GET['search']))
    {
        # code and populated form
    }

    else
    {
        # blank form
    }
}

# write
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    if(isset($_POST['update']))
    {
        # execute update query & redirect to referer page
    }
}

The redirect after a POST request is important, otherwise, by refreshing the page it will be submitted another time. Check header():

• http://php.net/manual/en/function.header.php

After:

if(isset($_POST['submit']))
{

Insert:

$_POST = array_map('trim', $_POST);

If, instead, you want to apply it only to one variable then write only this:

$billno = trim($_POST['billno']);

Ref: http://www.php.net/trim

Hi, have you tried to enable the module? You can try with a2enmod:

sudo a2enmod cgi

If you remove the last argument then you get a list of the available modules. Then reload the server:

sudo service apache2 reload

Regarding the warning check with:

apache2 -V

or with httpd -V the command will list some information about the Apache configuration, try also with -l to get the modules included when the server was compiled.

That page (kosnica.html) needs to be processable by the PHP engine, so you can:

• change the extension to .php
• otherwise modify Apache to process .html files as php scripts

As suggested you should use tables to save data, otherwise when the browser window is closed the data is lost, at the end of this post there's a link to the PDO library.

To simply send data from a page to another you can use session. In the page in which you calculate the total, start the session and save the data:

<?php

    session_start();

    # other code here
    # . . .


    # set the sessions
    $_SESSION['total_in_cart'] = array_sum($sum);
    $_SESSION['items_in_cart'] = count($sum);

When you go to kosnica.php, again start the session and retrieve what you have saved in the previous page:

<?php

    session_start();

    echo '<p>Items in cart('.$_SESSION['items_in_cart'].')</p>';
    echo '<p>The total is '.$_SESSION['total_in_cart'].'</p>';

This is a simple example, if you check the documentation I linked to you in my previous post you will find few examples about the session.

In addition, you should read:

• http://www.php.net/manual/en/function.session-start.php
• http://www.php.net/manual/en/book.pdo.php

Good work!