| Coding Forum Problems with your code? Let's hear about it. |
04-12-2007, 02:40 PM
|
#21 (permalink)
|
|
Contributing Member
Join Date: 01-02-07
Location: PA, USA
Posts: 194
Latest Blog: None
|
I pull the username and blog_num each time to prevent the possibility of someone accessing any of the misplaced posts or anything like that, blog_num 0 doesn't exist and is meant to trash spam. It's of course a multi-user blogging system, which is why more than one blog_num, and I try to keep a little more hacker free with using weird words and names as my variables, such as mfa, and I never use $query or $result, I've seen the results of that at a hacker's hands. My code is meant to be somewhat unreadable, those people who I use the for() loop as a marking with are all fellow hackers from a computer summer school, if they can't read my database then they can't hack it. I've only ever used one primary key, and never actually understood how to use the other types of indexes (and my teacher didn't ever use them either, so he forgot about them). And this is just the all index page, you can flip through my site see how it is now, I'm just working on an upload script for images and files now. Oh and I MD5 anything that I don't SHA1 which I don't need to read or have read. I normally would have SHA1'd the username actually. I'm not sure why I didn't this time. And my host for some reason refuses to think that at $1/G hard drive, 10G bandwidth, and a mysql db of unlimited size that we deserve to have the MD5 php function. ^_^ I can live with that truly.
__________________
Need a page made? Draw a diagram, I suggest using Paint, show the picture with your post, it'll help a lot more than you think. Other questions? Draw a diagram for that too!
|
|
|
04-12-2007, 02:59 PM
|
#22 (permalink)
|
|
Contributing Member
Join Date: 04-20-06
Posts: 310
Latest Blog: None
|
Quote:
Originally Posted by Arenlor
I pull the username and blog_num each time to prevent the possibility of someone accessing any of the misplaced posts or anything like that
|
Hmmmm, my code does the same thing but avoids the inner join, reducing CPU cycle usage on the MySQL server.
Quote:
Originally Posted by Arenlor
It's of course a multi-user blogging system, which is why more than one blog_num, and I try to keep a little more hacker free with using weird words and names as my variables, such as mfa, and I never use $query or $result, I've seen the results of that at a hacker's hands. My code is meant to be somewhat unreadable, those people who I use the for() loop as a marking with are all fellow hackers from a computer summer school, if they can't read my database then they can't hack it.
|
Sounds like you don't know a lot about hacking. When I was talking about code readability, I was referring to your own ability to read the code and maintain it. If you're concerned about hacking, the least of your worries are the names of your variables.
Quote:
Originally Posted by Arenlor
I've only ever used one primary key, and never actually understood how to use the other types of indexes
|
Indices make it "quicker" for the database to find a row. You should generally use an index on any column that you're using for a lookup. Use with caution, as indices make writes more expensive.
Quote:
Originally Posted by Arenlor
(and my teacher didn't ever use them either, so he forgot about them)
|
Maybe you should look for a new teacher.
Quote:
Originally Posted by Arenlor
And this is just the all index page, you can flip through my site see how it is now, I'm just working on an upload script for images and files now. Oh and I MD5 anything that I don't SHA1 which I don't need to read or have read. I normally would have SHA1'd the username actually. I'm not sure why I didn't this time. And my host for some reason refuses to think that at $1/G hard drive, 10G bandwidth, and a mysql db of unlimited size that we deserve to have the MD5 php function. ^_^ I can live with that truly.
|
I didn't quite get all of that, but if I were you, I'd go to my local bookstore and read a couple of books on SQL, and then enroll in a few more coding courses.
Best of luck mate. 
|
|
|
04-12-2007, 04:40 PM
|
#23 (permalink)
|
|
Contributing Member
Join Date: 01-02-07
Location: PA, USA
Posts: 194
Latest Blog: None
|
The course I had was free, sadly... I was one of the people chosen out of my state as the top of 11th graders who were interested in computers. And I had a mysql database hacked because I used assoc. Thing is though I code for usability, not readability, if I can use it, then that's all I need. I also have short term memory loss and would have to look at my db structure to get the name for assoc anyway.
PHP Code:
    // The condition that opens this block is not shown in the post.
    {
        $loc = "images/";
        $loc = $loc . basename($_FILES['upimg']['name']);
        // The file is moved into images/ under the name the client sent.
        if(move_uploaded_file($_FILES['upimg']['tmp_name'], $loc)) {
            echo "<p>The image ".basename( $_FILES['upimg']['name'])." has been uploaded!</p>";
        }
        else{
            echo "<p>There was an error uploading the file, please try again.</p>";
        }
    }
    // Upload form; the accept attribute lists the intended image types.
    echo "<form enctype=\"multipart/form-data\" action=\"$PHP_SELF\" method=\"post\">
    <fieldset><input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"102400\" />
    <label for=\"pass\">Password: <input type=\"password\" value=\"password\" id=\"pass\" name=\"pass\" /></label><input name=\"upimg\" type=\"file\" accept=\"image/bmp,image/gif,image/jpeg,image/tiff,image/png\" /></fieldset>
    <p><input type=\"submit\" value=\"Upload\" /></p>
    </form>";
Any idea why that's allowing me to upload any file type?
|
|
|
04-13-2007, 10:33 AM
|
#24 (permalink)
|
|
Contributing Member
Join Date: 04-20-06
Posts: 310
Latest Blog: None
|
You need to check filetype on the server side after the file has been uploaded.
$_FILES['userfile']['type']
|
|
|
04-14-2007, 06:59 PM
|
#25 (permalink)
|
|
Contributing Member
Join Date: 01-02-07
Location: PA, USA
Posts: 194
Latest Blog: None
|
So like, if($_FILES['upimg']['type'] == blah)
|
|
|
04-14-2007, 07:49 PM
|
#26 (permalink)
|
|
Inactive
Join Date: 09-22-06
Location: Los Angeles
Posts: 678
Latest Blog: None
|
I like, if(!in_array($_FILES['upimg']['type'],$acceptable_types)) better.
Last edited by StupidScript : 04-14-2007 at 07:54 PM.
|
|
|
04-14-2007, 08:00 PM
|
#27 (permalink)
|
|
Contributing Member
Join Date: 01-02-07
Location: PA, USA
Posts: 194
Latest Blog: None
|
That looks better lol, was just seeing what he meant when he suggested using it. What the heck is accept for then btw?
|
|
|
04-14-2007, 09:24 PM
|
#28 (permalink)
|
|
Contributing Member
Join Date: 01-02-07
Location: PA, USA
Posts: 194
Latest Blog: None
|
Still wondering what accept is meant for, but this is my new coding and it works.
PHP Code:
    $loc = "images/".basename($_FILES['upimg']['name']);
    // $_FILES['upimg']['type'] is the MIME type reported by the browser.
    if(!ereg("^image/(bmp|gif|jpeg|tiff|png)$",$_FILES['upimg']['type'])){
        echo "<p>You may only upload bitmap, gif, jpeg, tiff, and png file formats, if you want a different file allowed send an email to <a href=\"mailto:***@arenblogs.com\">***@arenblogs.com</a></p>";
    }
    else if(move_uploaded_file($_FILES['upimg']['tmp_name'], $loc)) {
        echo "<p>The image ".basename( $_FILES['upimg']['name'])." has been uploaded!</p>";
    }
    else{
        echo "<p>There was an error uploading the file, please try again.</p>";
    }
Any simpler ways? Ereg seemed the most correct for what I was doing.
|
|
|
04-14-2007, 10:08 PM
|
#29 (permalink)
|
|
Contributing Member
Join Date: 04-20-06
Posts: 310
Latest Blog: None
|
ereg works, but is a more costly operation than calling in_array, as SmartScript suggested. In a practical sense, it doesn't matter for your script, but if you needed to make the comparison 5000 times, say, then ereg will take maybe 1/10 of a second and the in_array version would take maybe 1/100 of a second.
Also, you might want to accept 'image/jpg' as well.
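
Both the form's accept attribute and $_FILES['upimg']['type'] are supplied by the browser, so the type check discussed in this thread still rests on what the client claims. As an added example (not code from any poster here), the following decides from the file's bytes and picks the stored name and extension on the server; the function names, the three-type allow-list and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.
// Allow-list keyed by the MIME type detected from the file's bytes.
// The value is the extension the server assigns to the stored file.
const ALLOWED_IMAGES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Return the server-chosen extension if the content is an allowed image, else null.
function detect_image_ext(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path); // sniffed from content
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGES)) {
        return null;
    }
    // Second check: the file must also parse as an image.
    return @getimagesize($path) === false ? null : ALLOWED_IMAGES[$mime];
}

// Validate one $_FILES entry and store it under a name the client did not choose.
function store_image(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = detect_image_ext($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed samples for a command-line run: a script and a 1x1 GIF.
if (PHP_SAPI === 'cli') {
    $samples = [
        'script sent as image/png' => "<?php echo 'not an image';",
        '1x1 GIF' => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        echo $label, ': ', detect_image_ext($tmp) ?? 'rejected', PHP_EOL;
        unlink($tmp);
    }
}
```

In a web request store_image() would be called with $_FILES['upimg']; configuring the target directory so that scripts in it are not executed covers files that pass as images but carry other content.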
|
|
|
04-15-2007, 12:41 AM
|
#30 (permalink)
|
|
Contributing Member
Join Date: 01-02-07
Location: PA, USA
Posts: 194
Latest Blog: None
|
image/jpeg allows .jpg; tiff allows tiff and tif also. That's their official names; we only have the TLA (Three Letter Acronym) because of how the old machines only allowed three letter extensions. Why did you think .html and .htm were the same thing but .htm was somehow accepted? .html didn't exist, .txt also. /history less
|
|
|
04-15-2007, 02:34 PM
|
#31 (permalink)
|
|
Empress™
Join Date: 08-19-04
Location: York, UK
Posts: 17,965
|
Just a note that (while I don't understand all of it) this thread makes me smile. People helping people. (AWWW!)
Greenies all around! (Except for Exam, who I've given too much to lately.. ha!)
|
|
|
|
All times are GMT -7.