1. Contributing User (Devshed Newbie, 0 - 499 posts; joined Feb 2013; 436 posts; rep power 8)
    I have found something regarding email injection and stuff like that, please look at this link:

    http://www.w3schools.com/php/php_secure_mail.asp

    What script is better for emails? The one we use now (from the site Jacques gave) or this one?
  2. -- (Devshed Expert, 3500 - 3999 posts; joined Jul 2012; 3,959 posts; rep power 1014)
    Hi,

    don't use stuff from w3schools. Despite their name, they're not affiliated with the W3C. And they're infamous for insecure code, bad practices, wrong and obsolete information and plain nonsense.

    So that's really the last place you wanna get your code from. This example proves that yet again. As far as I can tell, they do get the security right (which is pretty rare), but the overall quality and usability is crap, and they completely miss the bigger picture: Developers usually shouldn't fumble with low-level mailing functions like mail() at all. There are many excellent libraries taking care of the low-level stuff so we don't have to. For example, there's PHPMailer and Swift Mailer. Use them. Don't reinvent the wheel (or use code that does).
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
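    What "email injection" in the discussion above refers to, and the check a hand-rolled mail() wrapper has to make, as an added example (not code from the thread, from the w3schools page, or from PHPMailer/Swift Mailer, which perform this validation internally). The contact-form field names and the sample inputs are constructed for the illustration.

```php
<?php
// Added example, not from the thread or from any mail library. A user-supplied value
// placed into a mail header with an embedded CR/LF terminates that header and lets the
// sender append headers of their own; the checks below reject such values before they
// reach mail(). The libraries recommended above do this for you.

declare(strict_types=1);

// True when $value may sit on a single header line: no CR, LF or NUL bytes.
function isSingleHeaderLine(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Validate the user-controlled fields of a contact form. Returns the headers to
// pass to mail() as an array, or null when any field must be rejected.
function buildContactHeaders(string $replyTo, string $name): ?array
{
    $replyTo = trim($replyTo);
    $name    = trim($name);
    if (!isSingleHeaderLine($name) || !isSingleHeaderLine($replyTo)) {
        return null;   // embedded line break: header injection attempt
    }
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        return null;   // not a syntactically valid address
    }
    // Quote the display name so characters such as ',' cannot be read as a
    // second address by the receiving mail server.
    $display = '"' . addcslashes($name, '"\\') . '"';
    return [
        'Reply-To' => "$display <$replyTo>",
        'X-Mailer' => 'PHP/' . PHP_VERSION,
    ];
}

// Constructed sample submissions: one clean, two carrying an injected line break.
$samples = [
    ['bob@example.com', 'Bob Example'],
    ["bob@example.com\r\nX-Injected: yes", 'Bob Example'],
    ['bob@example.com', "Bob\nX-Injected: yes"],
];
foreach ($samples as [$replyTo, $name]) {
    $headers = buildContactHeaders($replyTo, $name);
    printf("%-50s => %s\n", json_encode([$replyTo, $name]),
        $headers === null ? 'rejected' : json_encode($headers));
}
```

    Note that FILTER_VALIDATE_EMAIL alone already rejects line breaks in the address; the separate line check matters for free-text fields such as the display name or subject, which have no such validator.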
  3. Contributing User (Devshed Newbie, 0 - 499 posts; joined Feb 2013; 436 posts; rep power 8)
    OK, but what website would you recommend then? w3.org?
  4. -- (Devshed Expert, 3500 - 3999 posts; joined Jul 2012; 3,959 posts; rep power 1014)
    Well, the W3C has nothing to do with PHP, so that won't help you in this case.

    Unfortunately, there doesn't seem to be a good PHP resource anywhere on the Internet. Pretty sad, right? Of course we have the manual, but you cannot really use it for learning.

    So instead I suggest searching in good forums like stackoverflow for a particular problem. Those people usually know what they're doing, so you can be pretty sure you get good solutions. Forums also have the benefit of being self-correcting: If somebody posts garbage, the other users will downvote it and explain why it's wrong.
  5. Contributing User (Devshed Newbie, 0 - 499 posts; joined Feb 2013; 436 posts; rep power 8)
    ok, thanks

    It is pretty sad yes...

    If you would make a tutorial it would be one of the rare ones hahaha
  6. Registered User (Devshed Newbie, 0 - 499 posts; joined Jun 2013; location America; 8 posts; rep power 0)
    One that I use is called betterPHP; just do a quick Google search. They have PHP tutorials and forums. They have helped me out a lot! Also go to YouTube and look up "phpacademy". Pretty good tutorials there too. While you are at it, look up "thenewboston"; he has a lot of videos on PHP.
  7. Registered User (Devshed Newbie, 0 - 499 posts; joined Sep 2009; 4 posts; rep power 0)
    I really liked the tutorial. Is the code purely aimed at learning PHP? Or would anyone be happy with it being used on a secure site with confidential information?
  8. Dazed&Confused (Devshed Novice, 500 - 999 posts; joined Jun 2002; location Tempe, AZ; 506 posts; rep power 128)
    Originally Posted by Jacques1
    For example, most systems show a huge time difference when processing a valid email address vs. processing an invalid one. That's because login attempts with an invalid address are usually rejected very early, whereas valid ones require hashing the password, which is an expensive operation. By measuring the exact time, an attacker can determine whether someone is registered on a website or not. If you don't take care of that, this will violate your users' privacy.
    You could mitigate this consistently by normalizing the amount of time it takes to perform the logic--whether it's a valid email/username or not, like so:

    PHP Code:
    <?php
    $cost = 1; // Minimum processing time, in seconds
    $start = microtime(true);

    // Lookup user, authenticate, etc.

    $end = microtime(true);
    // Sleep for whatever is left of the minimum, so fast rejections take as long as slow ones
    if ( ($wait = $cost - ($end - $start)) > 0 ) {
        usleep((int) ($wait * 1000000));
    }
    You could similarly use this in any "Forgot my password" logic that triggers an email, if the email address provided is on record. Instead of masking the hashing time you'd be masking any time it takes to send the email.

    This has the added benefit of remaining consistent even if you upgrade to superior hardware, which would normally lower the time cost of hashing algorithms.

    I'll probably employ this concept in my code when I get a hold of 5.5 and update to the new password functions.
    Last edited by dmittner; July 10th, 2013 at 03:32 PM.
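    The minimum-time floor from the post above, as an added example that is not the poster's code or the tutorial's. It pairs the floor with a dummy password_verify() for unknown addresses, so the hashing cost Jacques1 describes is paid on both paths (using the password_hash()/password_verify() functions mentioned for 5.5). The $users array, $dummyHash and checkLogin() are constructed stand-ins for the real database lookup and login routine.

```php
<?php
// Added example, not from the thread. Login check whose elapsed time does not depend
// on whether the e-mail address is registered: the expensive hash verification runs
// on both paths, and the total is then padded up to a fixed floor.

declare(strict_types=1);

const MIN_LOGIN_SECONDS = 0.25; // floor: must exceed the slowest legitimate path

// Constructed sample "database": e-mail => password hash (generated at startup).
$users = [
    'alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Hash of a throwaway value; verified against when the e-mail is unknown, so the
// unknown-user path costs the same hashing work as the known-user path.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function checkLogin(array $users, string $dummyHash, string $email, string $password): bool
{
    $start = microtime(true);

    $hash = $users[$email] ?? null;
    // Always call password_verify(); for an unknown user the result is discarded.
    $verified = password_verify($password, $hash ?? $dummyHash);
    $ok = ($hash !== null) && $verified;

    // Pad the remaining time up to the floor so fast rejections look like slow ones.
    $remaining = MIN_LOGIN_SECONDS - (microtime(true) - $start);
    if ($remaining > 0) {
        usleep((int) ($remaining * 1000000));
    }
    return $ok;
}

// Demonstration: a good login, a wrong password and an unknown address all take
// roughly MIN_LOGIN_SECONDS.
$attempts = [
    ['alice@example.com',  'correct horse'],
    ['alice@example.com',  'wrong'],
    ['nobody@example.com', 'wrong'],
];
foreach ($attempts as [$email, $password]) {
    $t = microtime(true);
    $result = checkLogin($users, $dummyHash, $email, $password) ? 'accepted' : 'rejected';
    printf("%-20s %-8s %.3fs\n", $email, $result, microtime(true) - $t);
}
```

    Measure the slowest legitimate path on the production hardware and keep the floor above it; once hashing takes longer than the floor, the padding no longer masks anything.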
  9. Lost in code (Devshed Supreme Being, 6500+ posts; joined Dec 2004; 8,317 posts; rep power 7170)
    I really liked the tutorial. Is the code purely aimed at learning PHP? Or would anyone be happy with it being used on a secure site with confidential information?
    The code as-provided is intended to teach someone how PHP and MySQL interact; it's not a library intended to be taken and used verbatim. Various pieces of it are simplified to facilitate teaching and are not something you would want to do on a production site (like dumping the exceptions to the screen).
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  10. Registered User (Devshed Newbie, 0 - 499 posts; joined Jul 2013; 7 posts; rep power 0)
    Hey guys, new to the forum and followed this nice guide to creating my login page and such. Thanks a lot, btw. However, my next goal is to use some kind of CSS to theme the login form. How would I go about doing this?
  11. Contributing User (Devshed Newbie, 0 - 499 posts; joined Feb 2013; 436 posts; rep power 8)
    Originally Posted by itzdustin
    Hey guys, new to the forum and followed this nice guide to creating my login page and such. Thanks a lot, btw. However, my next goal is to use some kind of CSS to theme the login form. How would I go about doing this?
    Hi,

    You can use php to make templates, like this:

    PHP Code:
    <html>
        <head>
            <link href="style.css" rel="stylesheet" type="text/css" />
        </head>
        <body>
            <div class="wrapper">
                <?php require('requires/header.php'); ?>
                <div class="content_wrapper">
                    <?php require('requires/nav_bar1.php'); ?>
                        <div class="content">
                            <div class="content_header">Confirm</div>
                            <form action="confirm_function_change.php" method="post">
                                <input type="hidden" name="action_token" value="<?php echo html_escape($_SESSION['action_token']); ?>">
                                <?php foreach($important_function_change as $user_id => $stand): ?>
                                    <!-- every value echoed into the HTML goes through html_escape(), like the token above -->
                                    <input type="hidden" name="important_function_change[<?php echo html_escape($user_id); ?>]" value="<?php echo html_escape($stand); ?>">
                                <?php endforeach; ?>
                                <input type="submit" name="action" value="Confirm">
                                <input type="submit" name="action" value="Cancel">
                            </form>
                        </div>
                    <?php require('requires/nav_bar2.php'); ?>
                </div>
            </div>
            <?php require('requires/footer.php'); ?>
        </body>
    </html>

    Dustin, you may have seen (a part of) this script; it's from the "Memberlist with functions" thread. I deleted some things like CSS to make the HTML part easier to read.

    You can even use PHP for styling a progress bar, for polls for example. I have done that. It's not hard to do; you just do something like this:

    PHP Code:
    /* cast to a number so only a numeric width can end up in the stylesheet */
    .percent_for {width:<?php echo (float) $percent_for; ?>%;}
    .percent_against {width:<?php echo (float) $percent_against; ?>%;}
    Last edited by derplumo; July 20th, 2013 at 09:42 AM.
  12. Contributing User (Devshed Newbie, 0 - 499 posts; joined Feb 2013; 436 posts; rep power 8)
    Oh, and Jacques, I think we didn't edit the edit_account.php ... What should we change? I wish I'd seen that earlier -_-
  13. Registered User (Devshed Newbie, 0 - 499 posts; joined Jul 2013; 7 posts; rep power 0)
    Well, I got the login page itself to look like the rest of the page as far as HTML and such; I just put my login code in the body of the page and made it a PHP file. But I want to actually change the look of the form boxes instead of a plain input box.
  14. Contributing User (Devshed Newbie, 0 - 499 posts; joined Feb 2013; 436 posts; rep power 8)
    Originally Posted by itzdustin
    Well, I got the login page itself to look like the rest of the page as far as HTML and such; I just put my login code in the body of the page and made it a PHP file. But I want to actually change the look of the form boxes instead of a plain input box.
    This is a CSS problem, but did you put the PHP code inside the <html></html> or not? Because in the tutorial all the processing is done before the HTML...

    regarding the css problem, you could try:

    Code:
    <input type="text" name="the_name" class="your_class">
    and in the css file:
    Code:
    .your_class {
    css lines;
    }
  15. Registered User (Devshed Newbie, 0 - 499 posts; joined Jul 2013; 7 posts; rep power 0)
    Originally Posted by derplumo
    This is a CSS problem, but did you put the PHP code inside the <html></html> or not? Because in the tutorial all the processing is done before the HTML...

    regarding the css problem, you could try:

    Code:
    <input type="text" name="the_name" class="your_class">
    and in the css file:
    Code:
    .your_class {
    css lines;
    }
    It seems to work fine, everything functions; I just don't like the look of the plain square input boxes, I want them more fancy.
