Account Registration + Login

 

Sonastylol
20 Jul, 2008 - 03:19 PM
Post #1

I apologize for asking this, but I don't know if this belongs in the PHP section or in the MySQL section.

If you were going to create a website, let's say blank for example, but with a box and a field for Registration Username and Password, and a Login Username and Password, how would you go about creating the code behind it?

I'm on Sourceforge looking now but not entirely sure on how to do it, or what to look for.. and we all have to start somewhere, we didn't all know this when we started.

Do I want to look for something MySQL based with a database for storing accounts, or some little PHP script that saves accounts to a file (which is what I assume it's going to do)?


My website host, IPowerweb.com says I have:

# 1500 GB of file storage
# 15000 GB of transfer (bandwidth)
# Host Unlimited Domains
# 2500 e-mail accounts
# Flexible site- and store- builders
# FTP, FrontPage extensions, CGI, PHP, MySQL and more.

I know it's a big deal to ask for someone to do things here, so I won't. What I'm hoping you can provide for me is a link to a website where I can learn how to set this up myself. I already have the Username and Password boxes created. Yes, the password field is set to display ****.


Thank you so very much.

Trogdor
RE: Account Registration + Login
21 Jul, 2008 - 01:02 AM
Post #2

Make a table that holds the accounts, use PHP scripts to create them and check the logging in.
To prevent SQL injection and all kinds of other dubious problems, *ALWAYS* pay attention to the following: do not trust user input.

There are several functions that can make strings 'safe' to use in sql, although not all of those work equally well.
Instead of trying to throw away bad input, you can also only admit good input.
So instead of replacing or escaping quotes (they will give you a headache when checking username-password), you can also extract only the valid characters (for example a-zA-Z0-9.,!@#$%^&*()=-+_}{][;:? )

Alternatively, you could use one of those "Flexible site- and store- builders" that your hoster apparently offers.

A third option is to hire someone that knows what he is doing, but that depends mostly on what this effort is for...
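The accounts table, registration and login check described in the post above, as an added example that is not code from the thread. It goes a little beyond the post by using prepared statements and password hashing alongside the allowlist. Assumptions: PDO with an in-memory SQLite database stands in for the host's MySQL, and the table, column and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with in-memory
// SQLite standing in for MySQL; table and function names are hypothetical.
declare(strict_types=1);

function open_accounts_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (
        username  TEXT PRIMARY KEY,
        pass_hash TEXT NOT NULL,
        level     INTEGER NOT NULL DEFAULT 1)');
    return $db;
}

// Admit only good input: 3 to 20 characters from a fixed allowlist.
function valid_username(string $name): bool {
    return preg_match('/\A[A-Za-z0-9_.-]{3,20}\z/', $name) === 1;
}

function register(PDO $db, string $name, string $password): bool {
    if (!valid_username($name) || strlen($password) < 8) {
        return false;
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO accounts (username, pass_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false; // e.g. the username is already taken
    }
}

// Returns the account level on success, null on any failure.
function login(PDO $db, string $name, string $password): ?int {
    if (!valid_username($name)) {
        return null;
    }
    $stmt = $db->prepare('SELECT pass_hash, level FROM accounts WHERE username = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return (int) $row['level'];
}

// Constructed sample input: one valid account, one wrong password and one
// login name containing quote characters, which the allowlist rejects.
$db = open_accounts_db();
var_dump(register($db, 'alice_01', 'correct horse battery'));
var_dump(login($db, 'alice_01', 'correct horse battery'));
var_dump(login($db, 'alice_01', 'wrong password'));
var_dump(login($db, "alice_01' OR '1'='1", 'anything'));
```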

Sonastylol
RE: Account Registration + Login
21 Jul, 2008 - 12:34 PM
Post #3

Hey guys!

We got the database account registration and login working, even set something called "level" which determines whether or not the person is a user, administrator, or any other kind of ranking we determine.

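CODE
<?php // Show this panel only to accounts whose level is 1 (regular user). ?>
<?php if ( $_SESSION['level'] == "1" ) { ?>
        <td bgcolor="#FFFFFF" valign="top">
          <div style="margin: 5px 0px 0px 5px">
          <?php // The original had no echo, so the name never printed; escape it for HTML. ?>
          Welcome <?php echo htmlspecialchars($_SESSION['username']); ?>!<br>
          User Rank: <font color="#FF0000">User</font>
          Links to pages for users go here.
        </div></td>
<?php } ?>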



A question for you all though, and a pretty technically demanding one too...

We want to create 2 buttons that 1) allow users to browse for an image on their desktops, and 2) upload it to the database, effectively creating a thumbnail for it on the first page.


This seems like pretty sophisticated technology, and very difficult. Is this possible ( it must be, sites like imageshack.us use it ) - how do WE implement it?

Trogdor
RE: Account Registration + Login
22 Jul, 2008 - 04:49 AM
Post #4

Look for file upload on php.net and use image processing software to convert all the garbage the users will upload to put it in a uniform format.

I warn you: it will be hard to get it to work, and very very hard to avoid all the security issues that you can have when handling user uploads.
My advice: hire someone that knows what he is doing, or stay away from it.
Unless it's a hobby project. In that case, have fun (but don't be surprised when one user screws up your server).

Sonastylol
RE: Account Registration + Login
22 Jul, 2008 - 06:22 AM
Post #5

Hey Trogdor, thanks for the comments.


This is business related, and very important. Should I hire someone? Can you recommend someone or a particular website or service? This is the life-blood of my new company, we'll pay but hopefully it's not THAT expensive a job.



mocker
RE: Account Registration + Login
22 Jul, 2008 - 10:12 AM
Post #6

File uploading is very common and fairly simple. Trogdor is greatly exaggerating.

The way uploads work is, you put an upload button on your form (it is a simple HTML element), which gives the user a dialog to select a file.
When the user submits the form, the file gets transferred to a temporary location on your server (usually /tmp for Linux servers, but can be set by the server, or individually per account).
Your script will see that the user submitted a file, and copy the temporary file over to wherever you want to store it. If you want a thumbnail, use PHP's GD library to resize it to the correct dimensions. After you copy it to the new location, store the filename or path in a table in the database.

For security, the main issue is you don't want people to upload programs and then run them. If your server has an older setup, it may need to give world write access in order to let the webserver copy the uploaded file to the upload directory, which is a permission that you want to avoid. Wherever you make your upload directory, make sure no one is able to execute files from it, or even better, no one is able to access it directly (except from your scripts). You can also limit uploads by size and file type.

Sonastylol
RE: Account Registration + Login
22 Jul, 2008 - 11:32 AM
Post #7

Great reply mocker.

Do you know PHP and SQL(my)? I'm having some extremely frustrating issues with a simple line of code. If you have AIM or something, I would love to speak with you. My AIM is sonastylol


Trogdor
RE: Account Registration + Login
22 Jul, 2008 - 01:22 PM
Post #8

I have seen website where people uploaded images containing virus code.
Yes, a virus, inside an image. It is possible, due to a bug in a certain library.
If this is a professional project, you just don't want things like this.
Some people apparently fail to see the risk involved in raw user input, like Mocker above. Pity the ignorant.
Also, you will need to have someone behind the buttons that knows how to properly tune your webserver/php.ini so that the uploads not only work, but also work on slow computers with a slow connection, or when your clients want to upload an 8 MB bmp file... etc.
The list of things that can go wrong is long.
I seriously suggest you
1: make a very detailed list of needed functionality.
2: think about the risks that certain aspects of a site like this can bring around.
3: rent a professional to code everything. (not just the hard parts. If you fubar the foundation you can just as well pack up and go home)
There are enough pros hovering around here that would jump at a nice project.


Sonastylol
RE: Account Registration + Login
22 Jul, 2008 - 02:49 PM
Post #9

Trogdor - your posts are always impressive, thank you for always being patient and informative.

This is a professional project. The only thing that leaves me a bit weary is the price per hour of programming professionals. I can't stomach hiring someone for $70-80/hr like I've seen. I WOULD, however, gladly hire someone at $25-40 /hr for about 5-7 hours of work, praying that this type of controlled user uploading only takes about 5 hours to implement. Going over $300 makes us a bit uneasy, because we are a small 'indie' company, not a corporate giant.


If there are people willing to assist with a project like this, and wouldn't mind cleaning up the database code (and implementing what we need in the database as well) then I would be MORE than happy to hire someone on a purely contracted basis.


Thanks again Trogdor, and the rest of you at Dream.In.Code




mocker
RE: Account Registration + Login
22 Jul, 2008 - 03:58 PM
Post #10

QUOTE(Trogdor @ 22 Jul, 2008 - 02:22 PM) *

I have seen website where people uploaded images containing virus code.
Yes, a virus, inside an image. It is possible, due to a bug in a certain library.
If this is a professional project, you just don't want things like this.
Some people apparently fail to see the risk involved in raw user input, like Mocker above. Pity the ignorant.
Also, you will need to have someone behind the buttons that knows how to properly tune your webserver/php.ini so that the uploads not only work, but also work on slow computers with a slow connection, or when your clients want to upload an 8 MB bmp file... etc.
The list of things that can go wrong is long.
I seriously suggest you
1: make a very detailed list of needed functionality.
2: think about the risks that certain aspects of a site like this can bring around.
3: rent a professional to code everything. (not just the hard parts. If you fubar the foundation you can just as well pack up and go home)
There are enough pros hovering around here that would jump at a nice project.



I don't want to hijack this thread, but you have not said anything with any technical merit. This is a programming forum.. most of the people, including myself, have a lot of experience with this and your exaggerations without any technical backing are a bit much. I already mentioned protecting against letting people upload code instead of images, and making sure they cannot execute those files. Your 'expert' tuning of php.ini involves changing about 4 values, which takes maybe 5 minutes if you are a slow typer.

If you do hire someone, and they take more than a couple hours for a simple upload script? Then they aren't experts anyways. Pity the ignorant indeed.

Sonastylol
RE: Account Registration + Login
22 Jul, 2008 - 04:09 PM
Post #11

Mocker, if this is really that easy, I would love to paypal pay YOU to help me do it.

I messaged you on AIM but you did not respond. Let's get in touch!

AIM: Sonastylol
Email: jad63@njit.edu

Trogdor
RE: Account Registration + Login
23 Jul, 2008 - 02:17 AM
Post #12

Let me just say that I have seen the results of some 'slight omissions' in an image upload script for an affiliate of ours.
Customers blaming the site for hosting virus infected images, their computers infected, the payments they were doing monthly to use the site canceled.
After this incident I had to do a review of the entire codebase, and that was a shitty job.

Making an image upload is not hard, but securing it well is non-trivial.
You can use the following guideline as a minimum:
- use all the checks that are available directly after the upload
- always recode and resize, not only thumbnails. You can use GD for this, or for example ImageMagick (handles more source formats).
- determine a new filename, do not use the original filename.
- if you want to prevent people from using your webserver as image dump: use a script to display the image itself and place the image files outside of the webroot.
- make sure you know what you are doing when tuning your webserver. There are too many people that have no idea what most settings really do.
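The upload flow from post #6 combined with the minimum guideline in post #12, as an added example that is not code from the thread: check the upload, re-encode and resize with GD, and store it under a server-chosen name. Assumptions: the GD extension is loaded, the form field is named "image", and `UPLOAD_DIR` plus the function names and size limits are hypothetical; the script that serves the stored files is left out.

```php
<?php
// Added example, not code from the thread. Assumptions: GD is loaded, the
// form field is named "image", and UPLOAD_DIR (hypothetical) lies outside
// the web root so nothing in it can be requested or executed directly.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/uploads'; // hypothetical path
const MAX_BYTES  = 2097152;                 // 2 MB upload limit
const MAX_PIXELS = 25000000;                // refuse huge images before decoding
const MAX_SIDE   = 1024;                    // longest side after resizing

// Decode with GD, scale down, write a fresh JPEG under a random name.
// Returns the new file name, or null when the file is not a usable image.
function reencode_image(string $src, string $destDir): ?string {
    $info = @getimagesize($src);
    if ($info === false
        || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)
        || $info[0] * $info[1] > MAX_PIXELS) {
        return null;
    }
    $in = @imagecreatefromstring((string) file_get_contents($src));
    if ($in === false) {
        return null;
    }
    [$w, $h] = [imagesx($in), imagesy($in)];
    $scale = min(1.0, MAX_SIDE / max($w, $h));
    [$nw, $nh] = [max(1, (int) round($w * $scale)), max(1, (int) round($h * $scale))];
    $out = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($out, $in, 0, 0, 0, 0, $nw, $nh, $w, $h);
    // The server picks the name; the client's file name is never used.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    return imagejpeg($out, "$destDir/$name", 85) ? $name : null;
}

// Run the checks available right after the upload, then re-encode.
function handle_upload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || $file['size'] > MAX_BYTES
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    return reencode_image($file['tmp_name'], UPLOAD_DIR);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: a 2000x1000 PNG made with GD, then this
    // script itself as a non-image; output goes to the system temp directory.
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    imagepng(imagecreatetruecolor(2000, 1000), $tmp);
    var_dump(reencode_image($tmp, sys_get_temp_dir()));
    var_dump(reencode_image(__FILE__, sys_get_temp_dir()));
    unlink($tmp);
} elseif (isset($_FILES['image'])) {
    $name = handle_upload($_FILES['image']);
    echo $name === null ? 'Upload rejected.' : 'Stored as ' . $name;
}
```

The returned name is what would go into the database table; the upload size limits in php.ini still need to be set to match `MAX_BYTES`.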
