ryantroop 177 Practically a Master Poster

It will come with practice...

I think you're doing it right... first, get it working the way you want. Then we can work on refactoring your code and making it "pretty." It's hard when you are plopped into advanced (heck, I'm not even that advanced) code, without knowing the basics of what it is doing.

Did you find the error in the place I said? Or is it somewhere else?

ryantroop 177 Practically a Master Poster

In all honesty, I would like to know how to simply begin with a project like this... I'm still rather new to Python and I read all over the place "Python is GREAT for prototyping!" and then it fails to expand on that... Perhaps it is my lack of experience with C or Java betraying me...

ryantroop 177 Practically a Master Poster

I still think you are using $_POST a bit...awkwardly...

I also think you're using MySQL very inefficiently... you can make combined queries, I feel, for much of what you are doing.

However, line 28 is the only query that matches your error. On lines 27 and 28, your comma is being placed improperly, I think... to double check, change line 31 to:

mysql_query($sql2a) or die("THIS IS MY ERROR!");

If you get that message, then you need to change your iteration, and make it happen one step earlier.

Ryan

ryantroop 177 Practically a Master Poster

I learned something new, that co.cc is a free domain holder... I guess I didn't understand the question.

Sorry.

ryantroop 177 Practically a Master Poster

Most (if not all) email systems will ignore PHP (it has no meaning to the mail protocol), and JavaScript, as far as I know, will not transfer over through email. You would have to click links and go to pages and interact with the malicious page. It sounds like you may have gotten phished (as above) and put your password in on a site that looked like a legitimate site. It's happened to the best of us.

ryantroop 177 Practically a Master Poster

Unless you're talking about country codes, in which case you need to register your domain with a country code (there are probably some limitations.. like.. you have to find a server in that country to host your data)

Like, in your example, co.nz would be New Zealand
http://www.godaddy.com/domains/searchresults.aspx?ci=54814
(assuming their links are persistent)

Otherwise, check out GoDaddy for more info.

ryantroop 177 Practically a Master Poster

Ugh.. let's try again.. just did a long explanation, hit delete, and I lost the page... fun fun...

I shall shorten it...

Iterate over your post instead of calling them directly...

mysql_connect('localhost', 'foo', 'bar');

$expected = array('check', 'lote', 'val' /* ... the rest of your field names */);
$inserts = array();
foreach ($_POST as $key => $value) {
    if (in_array($key, $expected)) {
        // you have a ton of choices here: check the data type
        // (is_numeric, is_string, ...) or check against a list of allowed
        // values; look here for more: http://php.net/manual/en/function.is-numeric.php
        // alternatively, you can run a preg_match()
        if (is_string($value)) {
            $inserts[$key] = mysql_real_escape_string($value);
        }
    }
}

$sql2a = "UPDATE entrada SET ";
$i = 0;
$count = count($inserts);
foreach ($inserts as $k => $v) {
    $i++;
    if ($i < $count) {
        $sql2a .= "$k = '$v', ";   // not the last column: trailing comma
    }
    else {
        $sql2a .= "$k = '$v' ";    // last column: no comma
    }
}

$sql2a .= "WHERE ......";   // your row condition goes here

$result = mysql_query($sql2a);

So... that's my suggestion... I think I got that right...

Keep in mind, that when you run your type check you can do multiple ifs, or if you are less caring about what type of data goes in just run if(is_foo() || is_bar() ) {} or something similar...

Ryan

ryantroop 177 Practically a Master Poster

Having a little trouble getting my "pre-loader" to show properly... I would assume, what this script would do is that once xmlhttp is invoked, JS would make a div with an ID called 'preload' and it will persist until we get a 400 response from the server, and then destroy the div.

As a note, I am using an animated .gif as a background for the div that is set in an external CSS. Do I need to define the background within the javascript?

Thanks!

Ryan

<script type="text/javascript">
 var xmlhttp;
 function showProducts(str)
 {
 if (str=="")
   {
   document.getElementById("products").innerHTML="";
   return;
   }
 if (window.XMLHttpRequest)
   {// code for IE7+, Firefox, Chrome, Opera, Safari
   xmlhttp=new XMLHttpRequest();
   }
 else
   {// code for IE6, IE5
   xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
   }
 // create the pre-loader div once, before the request goes out
 var body = document.getElementById('main');
 var ajaxLoader = document.createElement('div');
 ajaxLoader.setAttribute('id', 'preload');
 body.appendChild(ajaxLoader);
 xmlhttp.onreadystatechange=function()
   {
   if (xmlhttp.readyState==4 && xmlhttp.status==200)
     {
     // response arrived: destroy the pre-loader and show the result
     body.removeChild(ajaxLoader);
     document.getElementById("products").innerHTML=xmlhttp.responseText;
     }
   }
 xmlhttp.open("POST","return.php",true);
 xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
 xmlhttp.send("prod_list="+str);
 }
</script>
ryantroop 177 Practically a Master Poster

can't figure out how to edit my post... so...
I made a boo boo..

change 'i+1' to 'page+1' in both instances, assuming my script works in the first place...

and the more I look at it, I think pages would be an int... so the for line should read:

for page in range(pages):
    ....
ryantroop 177 Practically a Master Poster

If you want the field name directly, simply don't use an alias. By defining FIRST_NAME as NAME you are asking to return "NAME" with the contents (the alias is there to lessen the amount we have to type). If you don't want them, don't use them.

If that wasn't clear, try running it as "SELECT n.FIRST_NAME, a.STREET_1, .... " and see what you get.

Ryan

ryantroop 177 Practically a Master Poster

Since there really isn't a whole lot of documentation (at least that I could find) I will make an assumption --
PDF files are basically a collection of "pages" and it seems that you are simply running the create image function on the first "page"

I would encourage you to find a way to break apart the pages of the pdf, and run the image creation individually....

you can probably try...

from pyPdf import PdfFileReader
from PythonMagick import Image


# pyPdf reads from an open file object, not a filename
myfile = PdfFileReader(open('files.pdf', 'rb'))
pages = myfile.getNumPages()

# page indexes are 0-based; ImageMagick's "file.pdf[n]" syntax selects page n,
# which is how PythonMagick's Image is pointed at a single page
for page in range(pages):
    im = Image('files.pdf[{}]'.format(page))
    im.write('file_image{}.png'.format(page + 1))

Now.. I'm a bit of a newb with Python... so.. I would be interested to know if I figured that out right.. You may have to download the PyPdf package to make it work, though...

Ryan

ryantroop 177 Practically a Master Poster

k.. so first off, you are connecting to your database twice, for no reason

mysql_connect('localhost','root','root');
mysql_select_db('project');
$dbname="project";
require('fpdf.php');
//Connect to your database
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

all that could be simplified...

$usr = 'usrname';
$pw = 'pw';
$host = 'localhost';
$dbname = "project";

$db = mysql_connect($host, $usr, $pw);
mysql_select_db($dbname, $db) or die ('Could not connect to MySQL: '.mysql_error());

Most of that should be in an include file, that is above your root.

Then, include_once('fpdf.php'); is fine...

You create your pdf file as per the fpdf object...

After that... I'm having a little trouble following what your code is trying to accomplish...

you have

$filename = a non existent $file variable
and

you have a header that refers to a non existent variable $viewresults1.php... which... I'm not even quite sure what to make of....

A little more info would be helpful in order to help you...

ryantroop 177 Practically a Master Poster

So... I guess this raises an "ethical" question of - do I develop for as many browsers as possible (since HTML5 is not fully supported yet), or do I develop for the latest tech?

ryantroop 177 Practically a Master Poster

Is there anything in particular that is "broken" or out of place that you guys are pushing a template design, or is it simply because that's where most sites start?

ryantroop 177 Practically a Master Poster

yeah, sorry... it would need to be a string.

ryantroop 177 Practically a Master Poster

I did this in 3 days... we still need a lot of materials (images, etc..) and I have a lot of database work to flesh out (and some spelling errors as well)... while I do need to work with some frameworks/packages (Joomla, Drupal, jQuery, etc...) I want to make sure my basics are solid before I go making it easy (after all.. when you rely on tools without knowing what they do, when something goes wrong you get in trouble!)

I would like to complete it without templates. However, I do appreciate the idea.

ryantroop 177 Practically a Master Poster

Do you mean as an IP address? Need a little more specifics than that...

dicts require an identifier (usually a string), and the object(s) that the identifier refers to... so...

ip_addys = dict()
ip_addys['first_ip'] = '12.0.0.0'   # the address has to be a string, not a bare literal

should probably work... There are other ways to directly insert into a dict as a key=>value pair, but the simplest way is to use the above (in my opinion).

ryantroop 177 Practically a Master Poster

Hey all,

I'm hoping this isn't too out of line to ask - it is genuinely out of a desire to learn and improve, but sadly it is not necessarily code based.

I am working on getting "experience" so I can pursue a career in programming, either web, platform, or otherwise... and in an effort to practice, I have put together a website for someone's small business...

http://www.abbyrosecookies.com

I am looking for feedback on:

  • Layout
  • coding (if you wish to dig into it - though there is a bit of ajax/back end so that won't be seen very well)
  • user experience

What is not asked for by the individual -

  • eCommerce (so, while I know it's something I need to learn it is not going into this website)
  • at the moment, no Web 2.0 communications
  • pictures are coming
  • I will be eventually adding a session/login functionality so people may email orders.

Feel free to be brutal... but please remember I am just learning some of these technologies (mostly, the JavaScript and CSS)

Thanks!!!

Ryan

ryantroop 177 Practically a Master Poster

You could probably look into the unittest module, and make tests based on the various injection types you are trying to test against.

The user would input their database/table and username/password (or, check for their proper setup of a database/table user privilege by spoofing an anonymous query), and use various asserts against the expected result. If any failures occur, then you have a vulnerability.

In truth, you may just want to look into what assert does, and you may not even need unittest, but unittest gives a lot of built in tools to setup and remove all the actions you take.

Of course, if you're making a unittest, you will also need to write a script that will do the actual testing of the things you want to test (assuming you do things "right")... so basically, your first steps should be:

1) Know SQL and all its flavors (Oracle, MySQL, etc...), and their particular differences in structure.
2) Know the different injection practices and how to exploit them
3) Know the particular vulnerabilities that poor SQL admins will make
4) Know how to use unittest, mysql.connect within python
5) Know how to write injections using python.

And that will get you started.

ryantroop 177 Practically a Master Poster

If the database doesn't have an ID column then why are you referring to it?

Also, I'm pretty sure that you may want to identify something to delete (unless you want to delete the entire row).

You also have your POST names set up rather strangely...

99.             $checkbox = $_POST['checkbox']; //from name="checkbox[]"
100.            $countCheck = count($_POST['checkbox']);

In PHP, $_POST['checkbox'] is different than $_POST['checkbox[]']

So the code I had you change is working properly, $_POST['checkbox'] is currently empty because your form is not assigning it a value.

ryantroop 177 Practically a Master Poster

102.            for($i=0;$i<$countCheck;$i++)
103.            {
104.                $del_id  = $checkbox[$i];
105.                $sql = "delete FROM table WHERE id = $del_id";
106.                $result = mysql_query($sql, $con);
107.            }

You need to put single quotes around $del_id on line 105.

Change it to $sql= "delete FROM table WHERE id = '$del_id'";

However, I would seriously encourage you to reconsider letting this SQL line pass into your database. For one, for table accuracy, you should not really ever delete anything from a database unless space is a serious issue. Second, this line is ridiculously hackable and exploitable.

ryantroop 177 Practically a Master Poster

To start... if that is a direct copy, you shouldn't have spaces after the $

so.. change

function AppNotify($Uid, $Message, $Data)
{
    return;
}
function AppNotifyUnfriend($Uid, $Message, $Data)
{
    return;
}

and see if that makes any changes...

otherwise, personally I would need more info than that to help... something is missing.

ryantroop 177 Practically a Master Poster

If you open a file using "w" mode it truncates the file (thus making it 0 in length) so your code won't even execute. Try opening the file in "a" or "a+" mode. (a is writing, a+ is reading and writing)

ryantroop 177 Practically a Master Poster

Adding/improving on what is above...

Learn SQL and understand what an SQL injection attack is.... if you know the language, you will understand what you don't want users putting into your SQL table, and what they will be getting out of it. Once you know all of that, you can use PHP to remove those threats before they are ever passed into your SQL query.

Learning at minimum to use mysql_real_escape_string() on your user variables will help a lot. It seems that PHP is moving more towards mysqli prepared statements, or PDO.

So, in response to your question... preg_match, mysql_real_escape_string, str_replace and a few others that will prepare your queries to keep them clean are what you will be using.
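The unittest approach from the injection-testing post above, applied to the unquoted `delete FROM table WHERE id = $del_id` pattern from the checkbox-loop post and to the "keep your queries clean" advice here, as an added example that is not Ryan's code: it swaps MySQL for an in-memory sqlite3 table so it runs offline, the table rows and the payload strings are constructed for the test, and `delete_by_concat` / `delete_by_param` are hypothetical Python stand-ins for the PHP query (string concatenation versus a bound parameter).

```python
import sqlite3
import unittest

# Hostile values a form might submit where a plain row id is expected
# (constructed for this example).
PAYLOADS = ["1 OR 1=1", "1' OR '1'='1", "1; DROP TABLE items"]

def fresh_db():
    """In-memory table with three constructed rows, rebuilt for each test."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    return conn

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]

def delete_by_concat(conn, raw_id):
    """The risky pattern from the checkbox loop: the id is pasted into the SQL text."""
    return conn.execute("DELETE FROM items WHERE id = " + raw_id).rowcount

def delete_by_param(conn, raw_id):
    """The safe pattern: validate the id, then bind it as a query parameter."""
    if not raw_id.isdigit():
        raise ValueError("id must be an integer: %r" % raw_id)
    return conn.execute("DELETE FROM items WHERE id = ?", (int(raw_id),)).rowcount

def rejects(raw_id):
    """True when delete_by_param refuses raw_id and leaves every row in place."""
    conn = fresh_db()
    try:
        delete_by_param(conn, raw_id)
    except ValueError:
        return row_count(conn) == 3
    return False

class InjectionTests(unittest.TestCase):
    def test_concat_deletes_everything(self):
        # On the concat path the tautology removes all three rows instead of one.
        # Against real code you would assert 1 here, and its failure is the post's
        # "then you have a vulnerability"; this test pins the bad outcome instead.
        self.assertEqual(delete_by_concat(fresh_db(), PAYLOADS[0]), 3)

    def test_param_treats_payloads_as_bad_input(self):
        for payload in PAYLOADS:
            self.assertTrue(rejects(payload))
        conn = fresh_db()
        self.assertEqual(delete_by_param(conn, "2"), 1)  # a real id still works
        self.assertEqual(row_count(conn), 2)
```

Run it with `python -m unittest <filename>`; the same two tests can be pointed at a real data-access function once it is written.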

ryantroop 177 Practically a Master Poster

I know it sounds silly.. but it's happened to me before that I didn't put a semi-colon at the end of my sql query, and it failed since SQL was waiting for a new command...

Try:

$queryget = mysql_query("SELECT * FROM image WHERE user_id = '$user_id_s';");

If that doesn't work, change it to

  $queryget = mysql_query("SELECT * FROM image WHERE user_id = '$user_id_s';") or die (mysql_error());

and see where it is failing.

ryantroop 177 Practically a Master Poster

So.. sorry to rez a 10 month old post, especially as my first post... but here goes...

I don't think that using sessions the way you are is the best method... instead, you should declare in your SQL DB what security level, or what options, the user will have, based on their initial sign up/register.

So.. a table would be something like...
usrID, login, security_level

So, when the user logs in, you can store a session variable $_SESSION['sec_level']=$blah

using something as simple as numeric identifiers for their level of involvement.... if ('sec_level')==1 then basic commands.. if ==2 then more advanced, and so on and so forth...
Or you could even use language constructs - clearance1, clearance2.... this way, you can even offer scalability in the future, and you are not necessarily making 2 whole websites, just choosing which functions are available to which users...

If you want, you can even dedicate a full table to security...
userID, security_level

In this instance, you can assign multiple levels to the same individual, and check against what rank they have.. if they are a 1 and 2, they get both. If they are just a 1... or just a 2...

Then, include a file that will run a function based on what security level they have... it can be something as simple as changing the query allowed, but under two different function names...

Just my 2 cents...

ryan