It happens because the query returns FALSE instead of returning a result set, there is an error in your query, try to add the quotes around $name:
... category = '$name' ...
But you should really switch to prepared statements:
What's your purpose? You cannot access the client path of an uploaded file, because the browser operates in a sandbox and will send only the file and the name.
If instead you simply want a link, then you cannot use the file input control, use text or if using HTML5, url:
<input type="text" name="link" />
<input type="url" name="link" />
The only difference between the two is the user experience, Google Chrome, for example, will require the user to type a URL provided by the protocol, for example: http://, ftp://, file://.
More information here: http://diveintohtml5.info/forms.html
The first error happens because the throwExceptionOnError() method is missing from your class. Regarding the second warning, as explained by the message: define the default timezone in your php.ini file or use:
date_default_timezone_set('UTC');
More information here:
By the way, the following class seems to match your constructor code, as you see, at the end of the file, there is also the missing method:
If you still don't solve then share your full class.
If referring to filter_input() this is not custom, it's part of PHP:
and it's ok, even submitting something like 10 OR 1=1 the filter will sanitize it to 1011. But keep in mind that it doesn't affect $_GET, $_POST and $_REQUEST, so never do:
$record = filter_input(INPUT_GET, 'recordID', FILTER_SANITIZE_NUMBER_INT);
if($record)
echo $_GET['recordID']; # <- not good
Because it will output the unsanitized data. In any case, if you're going to use this input in a query, then use prepared statements.
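Added example, not part of the original post: it compares FILTER_SANITIZE_NUMBER_INT with FILTER_VALIDATE_INT on the input mentioned above and passes only the filtered variable to a prepared statement. The records table, its rows, the helper names and the sample inputs are constructed, and an in-memory SQLite database through PDO is assumed so the script runs on its own.

```php
<?php
// Added example, not from the original post. Table, rows, helper names and
// sample inputs are constructed; pdo_sqlite is assumed to be available.

// Validate instead of sanitize: returns a positive int, or null when the raw
// value is not exactly an integer.
function parse_record_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function find_title(PDO $pdo, int $id): ?string
{
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT title FROM records WHERE id = ?');
    $stmt->execute([$id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO records (id, title) VALUES (10, 'public note'), (1011, 'unrelated record')");

// Constructed inputs standing in for $_GET['recordID']. In a request handler
// the same filter is applied with:
// filter_input(INPUT_GET, 'recordID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
foreach (['10', '10 OR 1=1', '-5', 'abc'] as $raw) {
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    $validated = parse_record_id($raw);

    // Sanitizing turns "10 OR 1=1" into "1011": harmless as SQL, but it now
    // points at a record the caller never asked for.
    $viaSanitize = ctype_digit($sanitized) ? find_title($pdo, (int) $sanitized) : null;

    // Validating rejects the request instead of guessing what was meant.
    $viaValidate = $validated === null ? null : find_title($pdo, $validated);

    printf(
        "%-10s sanitize: %-6s => %-19s validate: %-5s => %s\n",
        $raw,
        var_export($sanitized, true),
        var_export($viaSanitize, true),
        var_export($validated, true),
        var_export($viaValidate, true)
    );
}
```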
Hi,
try to understand how the infection was accomplished, if by using a compromised FTP account (check server logs, change passwords, secure client machines) or because of a code bug, in this last case there's a lot of documentation you can read:
Then if you have some doubts about specific procedures show us some example codes.
Ok, the GD library is available also in the PHP linux distribution, however if you still want to use Imagick: which distro are you using: debian, ubuntu, centos? Do you have access to a linux command line (shell/terminal)? Are you sure ImageMagick and the library for PHP are not already installed?
To check if ImageMagick is there type this in the command line:
identify -version
It should return something like:
Version: ImageMagick 6.7.7-10 2014-03-06 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2012 ImageMagick Studio LLC
Features: OpenMP
Regarding Imagick instead, you can check if the extension is enabled through phpinfo() or by using:
echo extension_loaded('imagick') ? 'true':'false';
If the extension is not enabled, you can check if it exists by typing this in the linux command line:
locate imagick.so
Or, if locate is missing or not updated, use:
find / -name imagick.so 2> /dev/null
Once you are sure about the existence of the file, just enable it by appending this to the php.ini file:
extension=imagick.so
Debian, Ubuntu and other derived distros from Debian use the apt interface to install software, so if you want to install the extension, type:
sudo apt-get install php5-imagick
As suggested in one of my previous posts. For other distros, like Centos you have to use the rpm interface:
rpm install php5-imagick
If ImageMagick is missing in both cases you should get a notice and a suggestion to continue the process by installing the missing …
@Simon your web server is a Windows system, correct? If yes, then the dll pack to download is dependent on the PHP version and the web server configuration, i.e. as Apache is operating. Look at this file name:
php_imagick-3.1.2-5.3-nts-vc9-x86.zip
php_imagick-3.1.2 stands for the Imagick version;
5.3 stands for PHP version;
nts stands for Non-Thread-Safe against ts for Thread-Safe, this is related to Apache multi-processing modules, if PHP works under Apache with mod_php then the package should match the same setup;
vc9 is related to Visual Studio version, it's easy: if using PHP 5.3 and 5.4 it will always be vc9, from PHP 5.5+ it's always vc11;
x86 is the platform, i.e. a 32bit CPU.
Now, in case you still want to use Imagick, the server must be provided with ImageMagick:
However if your server is not provided with Imagick or ImageMagick, rather than trying to install it by yourself, the easiest solution is to use the GD library which most of the times is embedded in PHP.
Hi, I suppose SimpleImage is this:
Or a similar version of the above, the error in your code is that you're overwriting the variable $final_image with the new instance of SimpleImage:
$final_image = '/path/to/file.jpg';
$final_image = new SimpleImage(); # <- value overwrite
$final_image->load($final_image); # <- error
So change the above to:
$image = '/path/to/file.jpg';
$final_image = new SimpleImage();
$final_image->load($image);
and it should work fine.
Hi,
check for GD or Imagick libraries, these are both part of PHP:
Also, when saving the images you should optimize them for the web, or at least reduce their quality, read about this topic here:
Anyway don't look only to the file size, but also to the total of the pixels, in particular read about getimagesize():
An uploader could serve an apparently small file and crash PHP, for example with the below command in ImageMagick you can create a 2.3MB file with 20000 pixels per side, which uncompressed becomes a 3GB file:
convert -size 20000x20000 xc:white -quality 1% test.jpg
If submitted to a PHP script, this will probably crash because of exhausted memory:
For more information, search Daniweb, there are several threads about image resizing with PHP.
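Added example, not part of the original post: one way to apply the getimagesize() advice above is to read the declared dimensions from the header and refuse the upload before GD or Imagick decodes any pixels. MAX_PIXELS, the allowed types, the helper names and the sample PNG header are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. MAX_PIXELS, the allowed types,
// the helper names and the sample header are assumptions for illustration.
const MAX_PIXELS = 25000000; // 5000 x 5000, tune to the memory_limit in use

// Returns [bool accepted, string reason]. getimagesize() parses only the
// image header, so this check costs almost no memory.
function check_image_dimensions(string $path): array
{
    $info = @getimagesize($path);
    if ($info === false) {
        return [false, 'not a recognised image'];
    }
    [$width, $height, $type] = $info;
    if (!in_array($type, [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return [false, 'image type not allowed'];
    }
    if ($width < 1 || $height < 1) {
        return [false, 'invalid dimensions'];
    }
    if ($width * $height > MAX_PIXELS) {
        return [false, "{$width}x{$height} exceeds the pixel limit"];
    }
    return [true, "{$width}x{$height} accepted"];
}

// Constructed sample: a PNG signature followed by an IHDR chunk that declares
// the given size. It carries no pixel data; the header is all the check reads.
function sample_png_header(int $width, int $height): string
{
    $ihdr = 'IHDR' . pack('NN', $width, $height) . "\x08\x02\x00\x00\x00";
    return "\x89PNG\r\n\x1a\n" . pack('N', 13) . $ihdr . pack('N', crc32($ihdr));
}

foreach ([[800, 600], [20000, 20000]] as [$w, $h]) {
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    file_put_contents($tmp, sample_png_header($w, $h));
    [$ok, $reason] = check_image_dimensions($tmp);
    printf("%-12s %s: %s\n", "{$w}x{$h}", $ok ? 'OK' : 'REJECTED', $reason);
    unlink($tmp);
}

// In an upload handler, run the check on $_FILES['image']['tmp_name'] before
// calling imagecreatefromjpeg(), imagecreatefrompng() or new Imagick($path).
```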
I've already written what is missing. From line 71 to 74, you wrote:
foreach($_POST['choice[]'] as $selected) {
echo "<p>".$selected ."</p>";
$qry="insert into diseases (Ans) values ($selected)";
}
Basically you have to repeat the same code you have already used between lines 33 and 38, i.e. you have to prepare and execute the query:
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO diseases (Ans) values(?)";
$q = $pdo->prepare($sql);
$q->execute(array($_POST['pain']));
Database::disconnect();
If you want to use a radio button to choose the value then you do not need an array to save the selected values, because with radio you can choose only one, so you don't even need a loop.
If instead you wanted to perform multiple inserts then the loop would go around $q->execute(array($selected)):
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO diseases (Ans) values(?)";
$q = $pdo->prepare($sql);
# inputs named choice[] are exposed by PHP as the array $_POST['choice']
foreach($_POST['choice'] as $selected)
{
$q->execute(array($selected));
}
Database::disconnect();
But at that point convert your radio buttons to checkboxes or a multi-select list.
Now it seems to work fine, at least for me. I tested the short reply box, new thread & the codemirror link. Thank you Dani!
Uh, I think a local server is required so the template can be processed by PHP.
If you're using PHP 5.4+ then you can start the built in server to load the pages. Open a command line and type:
php -S localhost:8000 -t /path/to/website
More information here:
Hi!
I've experienced this kind of issue in the past, it was due to a mismatch of mime-types and I fixed it by updating the application/config/mimes.php file. But I was trying to upload PDFs and images.
Set the environment constant in the main index.php file to the development stage, set the log_threshold to 4 in the application/config/config.php file and then create a new method in your controller to get a verbose output:
public function verbose_upload()
{
$config['upload_path'] = "./uploads";
$config['allowed_types'] = '*';
$this->load->library('upload', $config);
$this->upload->do_upload();
$data['errors'] = $this->upload->display_errors('<p>', '</p>');
$data['result'] = print_r($this->upload->data(), true);
$data['files'] = print_r($_FILES, true);
$data['post'] = print_r($_POST, true);
$this->load->view('result', $data);
}
And the view (result.php) will look like this:
<!DOCTYPE html>
<html>
<head>
<title>Verbose Upload</title>
</head>
<body>
<?php
if($errors)
{
echo "<h3>Errors</h3>";
echo $errors;
}
if($result)
{
echo "<h3>Result</h3>";
print_r("<pre>".$result."</pre>");
}
if($files)
{
echo "<h3>FILES array</h3>";
print_r("<pre>".$files."</pre>");
}
if($post)
{
echo "<h3>POST array</h3>";
print_r("<pre>".$post."</pre>");
}
?>
</body>
</html>
Now, no matter what happens you should see what is really sent from the browser. And check the CI logs to see if something is wrong.
If, for some reason, the Upload library is failing then you should get an output from the $_FILES array which is independent from CI, hopefully this output could help us to understand the issue.
You could implement this check directly in your PHP application. For example with rlanvin/php-ip library you can do:
# create() is a static factory, so it is called without the new keyword
$block = IPBlock::create('111.111.111.111/24');
if($block->contains($_SERVER['REMOTE_ADDR']))
{
header('HTTP/1.1 403 Forbidden');
include $_SERVER['DOCUMENT_ROOT'] . '/error403.html';
exit;
}
Assuming you're using a switch statement, when the case is mypage you run the IP check:
<?php
switch($_GET['page'])
{
case 'mypage':
# do check here
break;
# other code ...
}
The same, for rewritten links, can be applied through parse_url(). Apart from this I don't have other ideas, bye!
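Added example, not part of the original post and not code from rlanvin/php-ip: the CIDR test that mod_rewrite cannot express, written with PHP's inet_pton() so it covers IPv4 and IPv6. ip_in_cidr(), request_is_blocked() and the sample addresses are hypothetical names and constructed values.

```php
<?php
// Added example, not from the original post or from rlanvin/php-ip.
// ip_in_cidr(), request_is_blocked() and the sample data are constructed.

// True when $ip falls inside $cidr (e.g. "111.111.111.0/24" or "2001:db8::/32").
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$network, $bits] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($network);

    // Both must parse and belong to the same family (4 or 16 bytes).
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    if (!ctype_digit($bits) || (int) $bits > strlen($ipBin) * 8) {
        return false;
    }
    $bits = (int) $bits;

    // Compare the whole bytes of the prefix, then the remaining high bits.
    $fullBytes = intdiv($bits, 8);
    $remainder = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($remainder === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remainder)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function request_is_blocked(string $remoteAddr, array $blockedRanges): bool
{
    foreach ($blockedRanges as $range) {
        if (ip_in_cidr($remoteAddr, $range)) {
            return true;
        }
    }
    return false;
}

// Constructed block list and client addresses.
$blocked = ['111.111.111.0/24', '2001:db8::/32'];
foreach (['111.111.111.42', '111.111.112.1', '2001:db8::1', '10.0.0.1', 'not-an-ip'] as $addr) {
    printf("%-16s %s\n", $addr, request_is_blocked($addr, $blocked) ? 'blocked' : 'allowed');
}

// Inside the "mypage" case of the switch:
// if (request_is_blocked($_SERVER['REMOTE_ADDR'], $blocked)) {
//     header('HTTP/1.1 403 Forbidden');
//     exit;
// }
```

When the application sits behind a reverse proxy or load balancer, REMOTE_ADDR holds the proxy's address, so the check has to run on the client address that the trusted proxy reports.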
IF is part of the core since 2.4, while Require is part of mod_authz_core, which is loaded by default and available since version 2.3, at least in debian & co.
Do you think it would be safe to assume majority of Apache servers (shared hosting etc.) would be using Apache 2.4+ by now?
I don't know, I don't have the numbers but I hope so: 2.4 is stable, while 2.2 is in legacy status and updated only for bug fixes and security patches.
There are a lot of differences between 2.2 and 2.4 but, unless using a specific unsupported module, I would always expect to find the latest stable version.
If you're trying to create a safer approach then use IfModule and IfVersion:
<IfModule mod_version.c>
<IfVersion >= 2.4>
<IfModule mod_authz_core.c>
# execute code here
</IfModule>
</IfVersion>
</IfModule>
Or simply check if mod_authz_core is available.
what does [8-9] mean exactly?
This is used to define a range. The mod_rewrite module does not support the CIDR notation, in your case you could write:
RewriteCond %{REMOTE_ADDR} ^111\.111\.111\.
Or:
RewriteCond %{REMOTE_ADDR} ^111\.111\.111\.[0-9]{1,3}$
By using Apache 2.4 there is another alternative: you can use the IF directive with Require, the matching rule would look like this:
<If "%{REQUEST_URI} =~ m#^/mypage/$#">
<RequireAll>
Require all granted
Require not ip 111.111.111.0/24
</RequireAll>
</If>
Hi hi!
If considering only Apache you can try with the Location directive:
<Location /mypage/>
Order deny,allow
deny from 10.0.0.120
</Location>
The applicable context for this directive is server config or virtual host, it means you cannot apply it into the .htaccess file and after each change you need to reload the server:
If you cannot access Apache configuration files, the other solution is to apply a rule to the rewrite conditions, for example:
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
RewriteRule ^mypage/ - [F]
Check the documentation below, there are several examples:
Note: in the documentation you will read about Denying Hosts in a Blacklist, this is not a perfect solution because all requests are queued and managed by Apache main process, so if you have a lot of connections, it can become a bottleneck.
Whoops! There is a little bug in the previous code that prevents correct results when pushing googlemail.com accounts through parseMail() method, fixed by updating the _parts() method:
/**
* Parse mail, can return email or boolean.
*
* @param string $str
* @param boolean $bool
* @param boolean $strict
* @return mixed
*/
private function _parts($str, $bool = false, $strict = false)
{
$isgmail = false;
$data = sscanf($str, '%[^@]@%s');
$compose = array();
list($local_part, $domain_part) = $data;
if(in_array($domain_part, $this->domains))
{
$local_part = str_replace('.', '', $local_part);
$local_part = strstr($local_part, '+', true) ? : $local_part;
$pattern = '/^([a-zA-Z0-9.]{6,30}+)$/';
if(preg_match($pattern, $local_part, $match) == 1)
{
$isgmail = true;
$compose = [
$local_part, '@', $this->default
];
if($bool === true)
return true;
}
else
return false;
}
if($strict === false && $isgmail === false)
{
$compose = [
$local_part, '@', $domain_part
];
if($bool === true)
return false;
}
$compose = array_map('trim', $compose);
$compose = array_map('mb_strtolower', $compose);
return implode('', $compose);
}
Previous test:
Array
(
[0] => user.name@anemail.com
[1] => username@gmail.com
[2] => another@gmail.com
[3] => test@ymail.com
[4] => this032@googlemail.com <-- error
[5] => "valid@test"@email.com
[6] => awesome@yahoo.com
[7] => someone@gmail.com
[8] => anotheruser@gmail.com
[9] => simple@gmail.com
)
Now:
Array
(
[0] => user.name@anemail.com
[1] => username@gmail.com
[2] => another@gmail.com
[3] => test@ymail.com
[4] => this032@gmail.com <-- correct
[5] => "valid@test"@email.com
[6] => awesome@yahoo.com
[7] => someone@gmail.com
[8] => anotheruser@gmail.com
[9] => simple@gmail.com
)
Hello!
I'm having a few small issues when using Google Chrome on Ubuntu.
It does not seem to indent correctly code snippets, an example here:
Screenshots: Parsed & Plain-Text
It happens only with Google Chrome on Ubuntu, latest version:
Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
I don't have extensions enabled. I'm not sure this is related to your upgrade.
The second problem, instead, is recent for me and it is not related to code snippets, it is difficult to explain for me, so be patient please ^_^'
When I type in the editor and the cursor reaches the second line, if I try to go to the previous word (which is at the end of the previous line), the cursor jumps at the beginning of the previous line, but if I type something, the text is displayed where the cursor is supposed to be; if, instead, the cursor is at the end of the line and there is a white space, when I try to go back to the previous word, the cursor jumps at the beginning of the current line.
It does not happen, for example, if there is a markdown tag between the two lines.
o_o'
None of these problems occurs on Mozilla Firefox and Opera, latest versions.
When using emails as usernames you want them to be unique over your table, but this can be a problem if you consider a GMail account, because of their username policy. They allow:
+ sign, i.e. orange+juice@gmail.com
But when resolving the username they do not consider:
So, when you write to:
UserName@gmail.com
u.sername@gmail.com
user.name+forum@gmail.com
.u.s.e.r.n.a.m.e.@gmail.com
u.serName+doh@googlemail.com
You will always match the same account:
username@gmail.com
This class can help to define if the submitted email is a valid GMail address and to get the basic version: when using the parseMail() method it will just validate emails from other providers, so that you can submit an array of emails and get in return all the basic versions of GMail and all the other emails. By submitting an array to the isGmail() method, instead, you will get only an array of valid GMail accounts, in their basic version.
I'm applying lowercase to all the emails, the RFC 2821 allows case sensitive local-parts, but this is discouraged. Some examples:
<?php
$list = array(
'user.name@anemail.com',
'username+acme@gmail.com',
'email' => 'another@gmail.com',
array(
'test@ymail.com',
'will+fail@gmail.com',
'this032@googlemail.com',
'"valid@test"@email.com',
'Awesome@yahoo.com'
),
'someone+doh@gmail.com',
'AnotherUser+focus@gmail.com',
'simple@gmail.com'
);
$gm = new GMailParser;
# testing strings
var_dump($gm->isGmail('user.name@amail.com'));
var_dump($gm->isGMail('user.name@gmail.com'));
/*
bool(false)
bool(true)
*/
var_dump($gm->parseMail('user.name@amail.com'));
var_dump($gm->parseMail('user.name@gmail.com'));
/*
string(19) "user.name@amail.com"
string(18) "username@gmail.com"
*/
# testing arrays
print_r($gm->isGmail($list));
/*
Array
(
[0] …
If there are columns with the same name, for example id, when using the wildcard character the database will return error 1052:
Solution is to define each column:
SELECT property.id, personal.id, spouse.id FROM property JOIN personal ON personal.id = property.id JOIN spouse ON spouse.id = property.id;
As explained in the linked documentation above. Read also:
By the way do not use the MySQL API (mysql_query() & co.) switch to MySQLi or PDO:
Sorry for my last post, I think it doesn't help much: I'm seeing some weird results from BlueHost DNS server, whatever you search through dig is redirected to the same IP address 74.220.199.6 which is parking.bluehost.com, it doesn't match passhe.edu because they do not redirect any .edu domain, some information here:
So I'm not anymore sure this can be related with your issue. For now, please, do not consider it.
Going back to your script: last check you can do is to search directly their IP:
<?php
$url = "http://204.235.148.32:8042/cgi-bin/Pwebrecon.cgi";
print_r(get_headers($url));
With the IP it should work fine and temporarily fix your script, but if the problem is with your hosting DNS then it doesn't solve your issue in case you try to perform a request to another edu domain, for example:
<?php
$url = "https://search.library.cornell.edu/";
print_r(get_headers($url));
Anyway, I would still try the dig commands from a terminal in your remote server to evaluate the output and ask if it's possible to enable a forwarding DNS. If the correct IP is displayed then it's not BlueHost but something else like diafol's suggestion.
Ah, so as diafol suspected, then, there's something that prevents my server from accessing the Pilot one. (Right?)
Yes, the error of get_headers() helps a bit: failed to open stream: Connection timed out.
I suspect the problem is given by the DNS of Bluehost, which are:
By querying passhe.edu through the dig command we can see the domain is not resolved by their DNS servers and so it could not be reachable from your server:
dig @ns1.bluehost.com passhe.edu
; <<>> DiG 9.9.5-3-Ubuntu <<>> @ns1.bluehost.com passhe.edu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56885
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;passhe.edu. IN A
;; Query time: 242 msec
;; SERVER: 74.220.195.31#53(74.220.195.31)
;; WHEN: Tue Nov 25 20:40:23 CET 2014
;; MSG SIZE rcvd: 39
While by testing through Google DNS we can see it:
dig @8.8.8.8 passhe.edu
; <<>> DiG 9.9.5-3-Ubuntu <<>> @8.8.8.8 passhe.edu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20522
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;passhe.edu. IN A
;; ANSWER SECTION:
passhe.edu. 899 IN A 204.235.147.180
;; Query time: 247 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) …
Follow these instructions: http://dev.mysql.com/doc/refman/5.6/en/time-zone-support.html
But you should always save as UTC and then convert the datetime to the client local timezone.
Ok, here you can see the code and play the example:
Just click on run and then submit the form.
@Ryujin
In addition to diafol suggestion :)
There is no specific rule, you have to try the forms to understand the functionality. In the vufind case the first problem is given by the $url, you're targeting the form page, but the action of the form is pointing to another page:
<form method="get" action="/vufind/Search/Results" id="advSearchForm" name="searchForm" class="search">
so to get results $url must be:
https://vf-kutz.klnpa.org/vufind/Search/Results
The method must be GET, because they could verify the request method also, since this is an advanced search form, the receiving script is going to check for more variables, for example, by searching math & euler the minimum query string to send is this:
$data = array(
'join' => 'AND',
'bool0' => array(
'AND'
),
'lookfor0' => array(
'math',
'euler',
''
),
'type0' => array(
'AllFields',
'AllFields',
'AllFields'
),
'sort' => 'relevance',
'submit' => 'Find',
'illustration' => -1,
'daterange' => array(
'publishDate'
),
'publishDatefrom' => '',
'publishDateto' => ''
);
$body = http_build_query($data);
$url = "https://vf-kutz.klnpa.org/vufind/Search/Results?".$body;
$results_page = curl($url);
Note lookfor0[], bool0[], type0[], daterange[]: are all arrays, for example lookfor0[] can be declared multiple times, but there are some conditions: you have to match each with $type0[]. The above can be rewritten like this:
$data = array(
'join' => 'AND',
'bool0[]' => 'AND',
'lookfor0[0]' => 'math',
'lookfor0[1]' => 'euler',
'lookfor0[2]' => '',
'type0[0]' => 'AllFields',
'type0[1]' => 'AllFields',
'type0[2]' => 'AllFields',
'sort' => 'relevance',
'submit' => 'Find',
'illustration' => -1,
'daterange[]' => 'publishDate',
'publishDatefrom' => '', …
There are a few errors in the CSS, first at line 17 of the HTML page fix this:
header h1 { font-size: 48px;
} type="text/css">
By removing type="text/css">. Then inside the css file at line 79:
nav li:hover {
background: blue;
nav li:nth-child(even) a {
color: red;
}
You are not closing the brackets:
nav li:hover {
background: blue;
}
nav li:nth-child(even) a {
color: red;
}
At the end of the file it's missing another closing bracket:
@media only screen and (min-width : 320px) and (max-width: 767px) {
/* Styles */
When in doubt you can use the CSS validator:
Check if in your system there is the php_gmp.dll file, then edit php.ini and append:
extension=php_gmp.dll
Restart Apache and it should work. Check the comments for more information:
Otherwise, if you cannot find the dll file, you can use Math_BigInteger, you can install it by using pear or composer:
pear install Math_BigInteger
composer require pear/math_biginteger
In both cases you need to install the pear client or the composer client:
There's also BC Math which sometimes is shipped with the PHP core installation, but it depends a lot on the PHP version in use, I'm not sure about Windows situation. All these libraries treat the numbers as strings, which gives you the ability to not be limited by the CPU architecture. Math_BigInteger, when available, will use GMP or BC_Math to speed up the execution.
Example:
<?php
require_once '/path/vendor/autoload.php';
$a = new Math_BigInteger(rand(0,100), 10);
$b = new Math_BigInteger(md5('test'), 16);
echo $a->bitwise_xor($b);
By the way, I'm not sure this example is what you need, I'm just replicating my first example ^_^'
edit
I was forgetting, Math_BigInteger is also available on GitHub:
Just download the library and include it in your script. This does not require for you to install pear or composer... bye!
Assign height and width to the #banner-background:
#banner-background {
width:100%;
height:100px;
background: url('/images/banner.jpg') no-repeat top left scroll;
}
Then, if you want, you can assign the background directly to the parent div of the inputs:
<div id="banner-background">
<input type="text" class="form" name="email">
<input type="text" class="form" name="password">
</div>
Yup, use the Geocoding API, you can use cURL or simply file_get_contents(), an example:
<?php
# geocoding
$api = 'YOUR_SERVER_API_KEY';
$url = 'https://maps.googleapis.com/maps/api/geocode/';
$format = 'json';
$paramenters = array(
'address' => $_GET['address_line'],
'key' => $api
);
$submit = $url . $format . '?' . http_build_query($paramenters);
$response = json_decode(file_get_contents($submit), true);
print_r($response);
The format can be either json or xml. Note: the Geocoding API is meant for server side operations, not for direct client access, for that as suggested in the documentation there is another API.
For more information read this:
Hi! Define the namespace in Spotify.php:
<?php namespace Foo\Bar\Baz;
class Spotify
{
public function __construct()
{
echo "yes";
}
}
Then it should work fine.
The real_escape_string method is part of mysqli, so to use it append it to the database object: $conn->real_escape_string($uname).
But don't rely on this for security, you have to validate the input, then sanitize and use prepared statements:
$uname = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$pword = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_SPECIAL_CHARS);
$query = $mysqli->prepare("SELECT * FROM users WHERE name = ? AND email = ?");
$query->bind_param('ss', $uname, $pword);
$query->execute();
$query->store_result();
if($query->num_rows > 0)
{
# create session for valid user & redirect to profile
}
else
{
# error, not found
}
Docs about sanitization of the input:
Docs about prepared statements:
You can use a view, for example:
CREATE VIEW test_view AS SELECT fruit FROM t1 WHERE id IN(1,2) UNION SELECT fruit FROM t1 WHERE fruit = 'cherries';
Or you can use a temporary table:
CREATE TEMPORARY TABLE IF NOT EXISTS test_memory ENGINE = memory AS SELECT fruit FROM t1 WHERE id IN(1,2) UNION SELECT fruit FROM t1 WHERE fruit = 'cherries';
In the first case the union is performed each time you run the query, in the second the temporary table will survive until you close the session, so by querying:
select * from test_memory;
you will always get the cached data, nothing new unless you decide to insert new data over a new select. By removing the statement TEMPORARY the table structure will survive and the data will become accessible also to other connections, but if the engine remains memory it will lose the data when performing a reboot of the server.
To see the differences between test_view and test_memory use explain over the queries:
explain select * from test_view;
explain select * from test_memory;
Another method is to enclose the union in a subquery and perform the where statement in the primary query, for example:
SELECT sub.id, sub.fruit FROM (SELECT * FROM t1 WHERE id IN(1,2) UNION SELECT * FROM t1 WHERE fruit = 'coconut') AS sub WHERE sub.id = 5;
The execution plan of this last query is practically the same of the one produced by the …
Mysqli num_rows returns integers not booleans (true|false) so if you want to check how many rows you're returning change the if statement to:
if($result->num_rows > 0){
But, if the query fails for an error this statement will not prevent a PHP notice:
PHP Notice: Trying to get property of non-object ...
It happens because $result will be false, so a more complete check is to verify if $result is not false:
if($result && $result->num_rows > 0){
Note that mysqli_query on success can return an object or simply boolean true, the documentation explains the cases:
Returns FALSE on failure. For successful SELECT, SHOW, DESCRIBE or EXPLAIN queries mysqli_query() will return a mysqli_result object. For other successful queries mysqli_query() will return TRUE.
So for SELECT queries you can almost always rely on num_rows but if you perform an INSERT, DELETE or UPDATE then you cannot use num_rows, this for example:
$result = $mysqli->query("create temporary table mytest engine = memory as select 1+1 as 'sum' from dual");
Is a perfectly valid query, it's the equivalent of an INSERT ... SELECT, and it will create a temporary table, but it will not return an object, it will return only boolean, so this check:
if($result && $result->num_rows > 0)
Will fail generating the same PHP notice as above, in this case use only:
if($result)
Edit: adding info
I forgot to add an exception: a select query can return only boolean true if you use …
Ron, if you are performing an ajax request within the modal window then show us the javascript code you're using, that way we can suggest an appropriate solution.
But diafol suggested that the error is already there, it does not depend on the execution of the modal window, because the undefined index error happens in the server side.
This error should say something else, not only undefined index but also the index name, the script name and line error, for example:
<?php
$a = array();
echo $a['id'];
Will generate a notice:
PHP Notice: Undefined index: id in /tmp/test.php on line 4
By checking the html source received by the browser you should be able to see the entire error and understand if this is generated by the absence of $_GET['id'] or of a column requested from the query result set.
Hi Dani, this is used in Windows 8.1 with IE 11 to add tiles to the desktop:
From require documentation:
require is identical to include except upon failure it will also produce a fatal E_COMPILE_ERROR level error. In other words, it will halt the script whereas include only emits a warning (E_WARNING) which allows the script to continue.
Links:
Please, next time write a more appropriate title, it will help users to find their answers.
@vizz
hi, you should pay the license and respect their copyright: http://www.menucool.com/ otherwise switch to the free version.
Try with preg_match():
function validateScore($score)
{
$score = trim($score);
$pattern = '/^\d{1,2}[\s]?-[\s]?\d{1,2}$/';
return preg_match($pattern, $score) == 1 ? true : false;
}
Valid inputs are:
var_dump(validateScore('2-0'));
var_dump(validateScore('2- 0'));
var_dump(validateScore('2 -0'));
var_dump(validateScore('2 - 0'));
Spaces around the string are removed by trim(). To validate only those without spaces between the dash change the pattern to:
$pattern = '/^\d{1,2}-\d{1,2}$/';
preg_match() returns integers 1 for true, 0 for false, the above function, instead, will return booleans. The flag \d will search for digits, {1,2} limits the range to 0-99.
You could also try with Composer: create a private repository and use a php/batch script to run the install or update process for your application, the only requirement for the clients is to have the composer binary installed.
Read: https://getcomposer.org/doc/05-repositories.md#hosting-your-own
The same can be done with PEAR, but some of the management tools, such as Pirum, are not anymore maintained in favour of Composer. This can deal also with private repositories in Github or Bitbucket.
You can use mysqldump:
mysqldump -uUSER -pPASSWORD DATABASE > backup.sql
Change USER, PASSWORD and DATABASE to match yours, you can add --routines to backup user defined functions and procedures.
More information here:
Add the brackets to extend the statement, otherwise the IF condition will apply only to $IC2= $_SESSION['IC2']; because it finds the ; character, so:
if ( isset($_POST['BMK81A']) && isset($_POST['BMK81']) && isset($_POST['DL3']) && isset($_POST['DL2']) && isset($_POST['DL1']) && isset($_POST['S1']) && isset($_POST['S2']) && isset($_POST['S3']) && isset($_POST['S4']) && isset($_POST['S5']) && isset($_POST['S6']) && isset($_POST['S7']) && isset($_POST['D1']) && isset($_POST['A1']) && isset($_POST['RE1']) && isset($_POST['LU2']) && isset($_POST['NPT']) && isset($_POST['SRP']) && isset($_POST['KTDP']) && isset($_POST['KDP']) && isset($_POST['USPD']) )
{
    $IC2= $_SESSION['IC2'];
    $BMK81A = $_POST['BMK81A'];
    $BMK81 = $_POST['BMK81'];
    $DL3 = $_POST['DL3'];
    $DL2 = $_POST['DL2'];
    $DL1 = $_POST['DL1'];
    $S1 = $_POST['S1'];
    $S2 = $_POST['S2'];
    $S3 = $_POST['S3'];
    $S4 = $_POST['S4'];
    $S5 = $_POST['S5'];
    $S6 = $_POST['S6'];
    $S7 = $_POST['S7'];
    $D1 = $_POST['D1'];
    $A1 = $_POST['A1'];
    $RE1 = $_POST['RE1'];
    $LU2 = $_POST['LU2'];
    $NPT = $_POST['NPT'];
    $SRP = $_POST['SRP'];
    $KTDP = $_POST['KTDP'];
    $KDP = $_POST['KDP'];
    $USPD = $_POST['USPD'];
    # other code here
}
You have to initialize the variables: if $submit is not set then $sql is not initialized and the query will fail.
Also for the query you can use the column BETWEEN value AND value condition. So change your code to:
$submit = $_POST['submit'];
# all code under this condition
if($submit)
{
    $sql = "SELECT * FROM inventory WHERE createdate BETWEEN '$date_in' AND '$date_out'";
    $result = mysql_query($sql) or die(mysql_error());
    if(mysql_num_rows($result) > 0)
    {
        while($row = mysql_fetch_array($result))
        {
            echo "
            <tr>
                <td align='center' width='200'>
                    {$row['date_in']}
                </td>
                <td align='center' width='200'>
                    {$row['date_out']}
                </td>
                <td align='center' width='200'>
                    {$row['model']}
                </td>
            </tr>
            ";
        }
    }
}
echo "</table>";
For more information check:
You should use prepared statements. Take a look especially at the second link. Bye!
You can use DateTime::sub():
<?php
$dt = new DateTime('2014-08-31 23:06:00');
$dt->sub(new DateInterval('P30D'));
echo $dt->format('Y-m-d G:i:s');
Docs:
So, for example:
<table id="names">
    <tr>
        <td data-name="oranges">oranges</td>
        <td data-name="apples">apples</td>
        <td data-name="coconut">coconut</td>
        <td data-name="strawberries">strawberries</td>
    </tr>
</table>
<form>
    <input type="text" name="aaa" value="" />
    <input type="text" name="bbb" value="" />
    <input type="text" name="ccc" value="" />
    <input type="text" name="ddd" value="" />
    <input type="text" name="eee" value="" />
</form>
Then you can do:
$("#names td").click(function(){
    var name = $(this).data('name');
    $('input:text:visible').each(function(){
        if($(this).val().length === 0)
        {
            $(this).val(name);
            return false;
        }
    });
});
JSfiddle: http://jsfiddle.net/hmwv1hx7/
for each database I create a new username with all permissions except 'grant.' Is that the same thing?
No, it's not the same, I'm referring to the owner of the process, which is system related, i.e. it's outside of the database environment.
How do I know if the mysql runs as root
Run ps -ef | grep mysqld, the output should return:
mysql 1346 1129 0 09:39 ? 00:00:01 /usr/sbin/mysqld
--basedir=/usr
--datadir=/var/lib/mysql
--plugin-dir=/usr/lib/mysql/plugin
--user=mysql
--pid-file=/var/run/mysqld/mysqld.pid
--socket=/var/run/mysqld/mysqld.sock
--port=3306
As you see here the user is mysql. If you see root, instead:
make sure the mysql user exists and which groups are associated, so run: id -Gn mysql, it should return only mysql.
open /etc/mysql/my.cnf and find the [mysqld] section, there you can change the user from user=root to user=mysql
restart the database: sudo service mysql restart, a reload won't change the owner of the process, a restart yes, but if you have problems then stop and start the process again. An issue can happen here: if the logs in /var/log/mysql/ are owned by root then the server will fail to start, if this happens you have to change the ownership of the directory to the mysql user:
chown -R mysql /var/log/mysql/
then you can start the server daemon again. If in doubt check the syslog file:
tail -n30 /var/log/syslog
If the installation was assigned to the root account, then there could be some other permission issue to solve, for more information read here:
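An added example, not part of the original post: the two checks above (process owner from ps -ef, and user= under [mysqld] in my.cnf) as shell functions. The ps and my.cnf samples are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed `ps -ef` output (not captured from a real host).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1346  1129  0 09:39 ?        00:00:01 /usr/sbin/mysqld --basedir=/usr --user=root
www-data  1439  1437  0 09:40 ?        00:00:02 php-fpm: pool www
user      8989  5877  0 09:41 pts/1    00:00:00 grep --color=auto mysqld'

# Constructed my.cnf content.
SAMPLE_CNF='[client]
user = backup
[mysqld]
# account the server process switches to
user = root
datadir = /var/lib/mysql'

# Print the owner of each mysqld process in `ps -ef` text read from stdin.
# Matching on field 8 (the command) keeps the grep process out of the result.
mysqld_owners() {
    awk '$8 == "mysqld" || $8 ~ /\/mysqld$/ { print $1 }' | sort -u
}

# Print the user= value of the [mysqld] section of a my.cnf read from stdin.
mycnf_mysqld_user() {
    awk -F= '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sec && /^[ \t]*user[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# audit_mysqld PS_TEXT CNF_TEXT: print findings, return 1 if root shows up.
audit_mysqld() {
    rc=0
    for owner in $(printf '%s\n' "$1" | mysqld_owners); do
        if [ "$owner" = root ]; then
            echo "process: mysqld is running as root"; rc=1
        fi
    done
    if [ "$(printf '%s\n' "$2" | mycnf_mysqld_user)" = root ]; then
        echo "config: [mysqld] section sets user=root"; rc=1
    fi
    return "$rc"
}

# On a live host: audit_mysqld "$(ps -ef)" "$(cat /etc/mysql/my.cnf)"
audit_mysqld "$SAMPLE_PS" "$SAMPLE_CNF" || true
```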
…root 30952 30571 0 14:22 pts/0 00:00:00 grep php-fpm
No, that's the execution of grep, when in use you will see the master process and the workers, as here:
root 1437 1 0 set16 ? 00:00:01 php-fpm: master process (...)
www-data 1439 1437 0 set16 ? 00:00:02 php-fpm: pool www
www-data 1440 1437 0 set16 ? 00:00:01 php-fpm: pool www
user 8989 5877 0 00:49 pts/1 00:00:00 grep --color=auto php-fpm
The two domains that were sending out spam coincidentally have the same wordpress themes installed where a major vulnerability was discovered... using the revolution slider.
If you have this doubt then change the database password, because they used the database SELECT '<?php /*script*/ ?>' INTO OUTFILE 'config.php' to write to the filesystem, it happens if mysqld (the server process) runs as root, more information here:
Are you sure the spammer is using your PHP scripts to send spam and not accessing your SMTP server directly?
Usually the config.php file in CI does not execute code, it's a container for variables, can you verify if the file is genuine?
Also CI includes .htaccess files into the application and system directories with the Deny from all directive: it means the config files are not directly reachable by an HTTP request, the server will return status 403, but it can be opened through another script, for example a fake image file.
But why overwrite the config.php of CI?
I think it's another file, for example, if using PHP-FPM and this is not properly set up, an attacker can upload an image script with embedded code and make the server execute it by appending a fake script name, for example:
/images/smile.jpg
Then from remote the attacker calls:
http://domain.tld/images/smile.jpg/config.php
And the code embedded is executed.
Now, can you check the path of the script from the mail log? Can you scan the system in search of files? If you can open a shell with the server, try this command:
find / -name 'config.php' 2>/dev/null
It should return all the config.php files under the root of the server.
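An added example, not part of the original post: a log check for the request shape described above, where the path runs past a static file name into a .php name. The access-log lines are constructed (combined log format is assumed) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed access-log lines in combined log format (not from a real server).
SAMPLE_LOG='203.0.113.7 - - [17/Sep/2014:10:01:02 +0000] "GET /images/smile.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2014:10:01:09 +0000] "GET /images/smile.jpg/config.php HTTP/1.1" 200 312 "-" "curl/7.35.0"
198.51.100.4 - - [17/Sep/2014:10:02:30 +0000] "GET /index.php/news/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Sep/2014:10:03:11 +0000] "POST /uploads/a.PNG/x.php?c=1 HTTP/1.1" 404 162 "-" "-"'

# Read access-log lines on stdin and print "ip status path" for every request
# whose path continues past a static file name into a .php name.
# Ordinary path-info URLs such as /index.php/news/logo.png are not flagged.
flag_pathinfo_requests() {
    awk '
        BEGIN { re = "\\.(jpe?g|png|gif|ico|css|js|txt)/([^/]*/)*[^/]*\\.php$" }
        {
            path = $7                       # request path in combined format
            sub(/\?.*$/, "", path)          # ignore the query string
            if (tolower(path) ~ re)
                print $1, $9, path          # client, status code, path
        }'
}

# Count the flagged requests the server answered with 200, i.e. the ones
# that were served rather than rejected.
count_served() {
    flag_pathinfo_requests | awk '$2 == 200 { n++ } END { print n + 0 }'
}

# On a live host, feed the real access log instead of the sample.
printf '%s\n' "$SAMPLE_LOG" | flag_pathinfo_requests
```

A hit answered with 200 is a reason to inspect the uploaded file itself; with PHP-FPM, security.limit_extensions in the pool configuration and cgi.fix_pathinfo in php.ini are the settings that decide whether such a request is handed to PHP.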
So I was thinking why can't I just turn off sendmail and qmail, which appears to be what my server uses.
Yes, but if there's a backdoor, then they can reactivate it or connect …