So, here is the question. I have a small flash application that sends some variables to a php script (via POST), and that php script sends them to a mySQL database.
This works fine when I'm testing my flash offline, I go to phpmyadmin, and the registry is done. When I upload the swf to a online html, this stops working. It no longer creates another registry in the database. I have no ideia why this happens.
I read a bit about it and found out about cross domain policy, and thought it might be the problem. Thus I made a small .xml file and uploaded it to both servers (the one the swf is on, and the one that has the database), and its still not working.
Here is my crossdomain.xml file (named that way):
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
And the php (named insert.php), that is on the same server as the database:
<?php
//connect to the local MySQL
$connect=mysql_connect("localhost", "DBName", "DBPass");
//select your database
mysql_select_db("DBTable");
//query the database
$query="INSERT INTO results(Nome,Email,Idade,Profissao,Pais)
VALUES
('$_POST[nome]','$_POST[email]','$_POST[idade]','$_POST[profissao]','$_POST[pais]')";
//$result=mysql_query($query);
if (!mysql_query($query,$connect))
{
die('Error: ' . mysql_error());
echo "InsertOk=NotOk";
}else{
echo "InsertOk=Ok";
}
mysql_close($connect)
?>
Thank you!
Marco Roberto
Apart from obvious security flaws, try to
"INSERT INTO results(Nome,Email,Idade,Profissao,Pais)
VALUES
('{$_POST['nome']}','{$_POST['email']}','{$_POST['idade']}','{$_POST['profissao']}','{$_POST['pais']}')";
Basicly add {} and ''.
EDIT:
Nevermind that part. Noticed it's not relevant.
I believe you have to do the call to your own site, and use CURL to pass $_POST-values to the other domain.
Try this answer
Even though this is for javascript, I belive the same rules apply for your swf file.
Related
I have a client that uses a website builder that does not offer the ability to edit the code or access the database but hey want to track the downloads of a file.
I setup a system in which I host the file elsewhere, and their website has an <a> link to a page on the host site with a very simple script to insert a record to track the download, as well as download the file.
This is the php script in the page on my site, download-agreement.php:
<?php
$db = new mysqli('localhost', 'username', 'password', 'database');
if ($db->connect_error) {
die("Connection failed: " . $db->connect_error);
}
$file_path = 'agreement.pdf';
$stmt = $db->prepare("INSERT INTO `download_log` (`date`) VALUES (CURRENT_TIMESTAMP())");
if ($stmt===false) {
error_log($db->error);
}
$result = $stmt->execute();
if ($result===false) {
error_log($stmt->error);
}
$stmt->close();
$db->close();
error_log("Downloaded: " . date("Y-m-d H:i:s"));
header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename=agreement.pdf');
readfile($file_path);
?>
And the link I have placed on their site:
https://www.host.com/theirdirectory/download-agreement.php
If link is visited directly, it works properly - the error_log() executes and the record is inserted.
If the link is visited after being clicked on their website, only the file downloads. The error_log() is not executed and the record is not inserted.
I am at a bit of a loss as I cannot even get an error. And thoughts or ideas would be appreciated.
EDIT
This seems to be an issue with Chrome for Desktop (which doesn't really make any sense). This works properly on all browsers except for Chrome for Desktop (it works on chrome for mobile), tested on all with caching disabled on multiple computers.
Thanks to everyone for all of the help, the issue turned out to be the elements in the "GoDaddy Website Builder" on the client's website where the link was stored.
I am still not sure what exactly the issue was but my solution was to make this work I had to use an HTML Section that allowed me to write in the link manually as an html code block - which happens to render as an iframe in their builder, differently from other pre-built elements such as buttons with links etc. It seems that there may be some caching happening on their end (as esqew mentioned there may be) or something going on behind the scenes with those elements that is behaving differently in different browsers.
I am using Birt 4.5 and PHP/MYSQL.
I am able to run birt reports with php. I have enabled tomcat and copied 'birt-runtime-4_5_0/WebViewerExample' to tomcat/webapps and renamed it to birt.
So I can run birt viewer with php;
<?php
$fname = "report/test.rptdesign&__showtitle=false";
$dest = "http://localhost:8081/birt/frameset?__report=";
$dest .= $fname;
header("Location: $dest" );
?>
Above code is working fine. But report connectstring already saved in test.rptdesign file.
I want to remove DB login credentials from test.rptdesign file and assign it while report open with PHP.
I have tried with report parameters. But all the parameters will display on browser address-bar.
Is there any secure way to do this? This is very important when we need to change the database location. It is very hard to change the data source of each and every .rptdesign file.
Thank You,
Supun
I don't believe using report parameters to handle a database connection is the right way. In addition to the address-bar problem you mentionned, it will cause unexpected issues: for example you won't be able to use this database to feed the dataset of another report parameter.
With Tomcat the best approach is to externalize the database connection in a connection pool: easy, robust, and reports might run significantly faster.
Alternatively the datasource can be externalized in a BIRT library (.rptlibrary) and shared across all report-designs: thus only the library needs to be updated when the database location is changing.
I agree with Dominique that sending the database parameters via the query is most likely an inappropriate solution - and you've not given any explanation of whether this is a requirement of the system.
But it is quite trivial to proxy the request via PHP and decorate the URL with the required parameters, something like...
<?php
$_GET['__showtitle']=$_GET['__showtitle'] ? $_GET['__showtitle'] : 'false';
$_GET['__report']=$fname; // NB this should be NULL in your code!
$_GET['dbuser']='a_db_user';
$_GET['passwd']='s3cr3t';
$qry=http_build_query($_GET);
$url="http://localhost:8081/birt/frameset?" . $qry;
// if its simply returning HTML, then just....
$fin=fopen($url, 'r');
while ($l=fgets($fin)) {
print $l;
}
exit;
If the returned content contains relative links the you'll need to rewrite the output stream. If the content type is unusual or you want to project other headers (e.g. for caching) to the browser, then you'll need to use Curl, capture the headers and relay them.
I have created a login_activity for my android app. I've gone through quite a few tutorials on how to fetch data from an external MySQL database. I have access to this external MySQL database. I've followed one of them to write the following PHP code which will fetch my data from the server for my login_Activity:
<?php
error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
$dbhost="localhost";
$dbuser="";
$dbpass=""
$connect=mysql_connect($dbhost,$dbsuer,$dbpass) or die("database selection error");
$username=$_POST['username'];
$password=$_POST['password'];
$query=mysql_query("SELECT * FROM app_users_parent where Email='$username' AND Password='$password');
$num=mysql_num_rows($query);
if($num==1) {
while($list=mysql_fetch_assoc($query)) {
$output=$list;
echo json_encode('$output');
}
mysql_close();
}
?>
I understand I've got to place this php file onto the same server. But I don't really understand how to do that? Should I use something like FileZilla for FTP or what?
I could not find any tutorial on the net which shows how and where to save this php file.
If you need my Java code where I'm connecting to this file,I could give it to you.
(P.S.- I just started with android so not really a pro out here. Please respect that )
How to connect Android with PHP, MySQL tutorial definitely help you. Good luck.
Yes, you have to upload your .php file onto your server (wich contain the MySQL database).
Then, in you android class, create an asynctask class. That aynsctask class have to request your phpfile an get the json.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to secure database passwords in PHP?
Recently I was given a website project which was supposed to be done in PHP but I don't have much experience in PHP. Anyway, it is up and running but there is a big room to improve. The one thing that I am not feeling well is the way I am dealing with database: I put the database connection information in a separate db.php file and include it where needed. But I remember seeing PHP source files returned by the server many a time.
So now my question is: what is a better or the best way / place to put database sensitive data?
By the way, how NOT to let PHP show error messages on web pages when things are gone wrong? A custom error page or settings somewhere in php.ini? Thanks!
Note: I am using PHP in it's old flavor not object-oriented way. But I am open to object-oriented or MVC way if there are better approaches that way to prepare for future projects
I don't know if this is what you are looking for:
You can put your sensitive data in your db.php, but outside the web root directory (public_html or www).
For example, you could have a directory called config which is a sibling of your web root directory, and store your db.php file there.
You can include your db.php file like this:
require_once('../config/db.php');
I hope this helps.
Its fine to put it in a db.php file, just use require_once() just after the opening <?php tag of each document.
If basedir restriction is not in effect, move db.php file outside of your web/ftp root that way its definitely not accessible via http/ftp. Make sure permissions are set properly on this file though.
Since you aren't using OOP or an MVC structure for your code this is the best route to go.
I would personally create a file called db.php and place this above the public_html folder on your server
for example
<?php
error_reporting(0);
$link = FALSE;
$link = mysql_connect('hostname', 'username', 'password');
if ( ! $link)
{
die("Couldn't connect to mysql server!");
} else {
mysql_select_db('databasename');
}
?>
This turns off error reporting at the same time as connecting to your database, from your index.php you would include the file like so:
<?php require('../db.php'); ?>
I am using CodeCharge Studio to finish a large PHP application. This question isn't really CCS related, but a bit more general. I have a web form that is supposed to allow CRUD capabilities with a certain SQL Server table, but the Inserts keep failing without throwing any errors. What would be the best way to debug this?
When I'm having trouble with dynamically generated SQL queries, I typically echo out the query and try running that query on the console for the DB. Or alternatively, you could write a simple PHP function that writes out strings to a file, and that way you don't have to display the query directly on your page, but instead in a log file.
See what the actually query is and then try doing that query directly on the DB. Then you know whether it's a PHP issue or a DB issue.
Then go from there, depending on the outcome.
If the query looks OK, double check that the user running the query has insert rights to the database.
I've been caught out by that before.
You can monitor all sql queries in mysql as shown in this site, once you enable logging, run the query manually and see why its failing..this should be good starting point.
In addition to what's mentioned before, I can add my recent discovery:
trigger_error(print_r($your_var,1),E_USER_ERROR);
So you can output and debug your variable, even if it's a complex script with redirects, where simple echo would not help.
Dmitri.
You should try using FirePHP and log all the SQL to your Firebug:
An Example would be:
$sql = "SELECT * FROM table"
if (!mysql_query($sql)) {
// In un successfull log to FireBug
FB::error($data, "SQL error: ".mysql_error());
}
You can also implement the FB::error call from your own function, so you can later deactivate this behaviour modifying your function:
function log_error($data, $msg){
//dont forget to deactivate in case the application goes live!
FB::error($data, $msg);
}
if (!mysql_query($sql)) {
// In un successfull log to FireBug
log_error($data, "SQL error: ".mysql_error());
}
Most of the database connection classes in CodeCharge have a 'debug' flag which will automatically write all the page's database commands at the top of the page.
For example, in an old PHP project of mine, 'Common Files' the file 'db_mysql.php' (line 27):
public $Debug = 0; ## Set to 1 for debugging messages.
Change to '1' and publish that file. Load the web page. Change back and re-publish when done.
I've used this in CCS for PHP and ASP projects, and is likely in the other languages (not sure if or where to find in .NET projects).