surefire
Everything posted by surefire

  1. I recently started collecting email addresses just for this purpose... but I know that lots of folks at TCH use the script and grabbed their code before I collected emails. This info is important and I have no way of contacting you other than to post it here. What will soon follow is a post in my support forums. I also want to let you know that some major changes have gone on and we're now on version 2.4 with lots of bells and whistles, upgrades to error reporting and stability. But another major change is that the code is now no longer transparent as I encode the main engine. If that's not to your liking, stick with the version you have. But I think you should still make the change outlined in this post below. Here it is:

     //////////////////////////

     In the past, some users have reported that the extra security precaution,

     > $set['referer_check'] = '1';

     was preventing them from completing the form, even though they were coming from the same site. In other words, it was giving a false negative. Initially, I thought that the problem was with different versions of PHP, server installations, or possibly the operating system of the server. I did some thorough research and found out that the server variable $_SERVER['HTTP_REFERER'] is not reliable. It's not a fault in the PHP language but rather a variable that is set by the browser, and therefore can be missing, or faked. Some settings on firewalls can mess with it too.

     What this means for you

     In order to make sure that all users can access and use your form, you should immediately turn the referer check to the off position by changing

     > $set['referer_check'] = '1';

     to

     > $set['referer_check'] = '0';

     "But is this unsafe?"

     Short answer: no

     Long answer: Spammers want only one of two things,
     1- to harvest emails automatically through easy means
     2- to hijack your form and send out spam through your website so you get blamed
     (Number two is the holy grail of spammers.)

     Your email address is hardcoded into the php script and so a spam harvesting 'bot' can't find it. If you have a catchall email address set up then it's easy to send you a spam email, but that's totally unrelated to the script. That's just how you choose to set up your hosting account. The more important issue is the spammer's goal of hijacking your form and sending spam through your site. When you break the script down to its simplest component, it basically does this when triggered:

     See, since the recipient isn't defined in the posted data but rather is hardcoded into the php script, there is no danger of hijacking (that I know of).

     What's the worst that could happen without the referer check?

     To the best of my knowledge, the worst that could happen is that someone writes a script to send a flood of emails to your account and the emails go to you. In order for this to happen, someone would have to:
     • know how to write such a script
     • choose you out of all the sites on the web
     • be content with sending all those emails to just you... not a list of spam recipients
     In other words, have time on their hands to annoy you.

     What if I'm still concerned about this?

     Well, I've created a solution. Two actually. The free solution is in the form of a time sensitive code that is generated at runtime on your site. You have the flexibility to determine how long you want to give visitors who are filling out your form. Could someone still write a script, go to your site, grab the latest key, and send the info to your form, before the time limit expired? Yes. But it makes them jump through another hoop. And all that work for no other payoff than to send YOU an email???? I don't see it happening. .... (excess deleted)
  2. These are CSS questions that you are posting in a thread on using php to make headers and footers on your page... a rudimentary templating system. The templating system written in php (which you appear to be using correctly) is just outputting html. So the php has zip to do with positioning. If you already know this, my apologies. But it would be best to repost this in a new thread in a category where CSS is discussed. I think that's why you didn't get any attention.
  3. I believe it would be more efficient, but by HOW MUCH... only a test could tell. There are timing scripts you can plug into your pages to give you a rough estimate of how long they take to execute. from php.net
  4. I thought you were trying to reinvent the web based contact form. But it sounds like you could actually borrow from the private message posts from Invision Board or phpBB Good luck.
  5. I can't tell you 100% that this is the answer... but it's a change you should definitely make. You shouldn't program with the assumption that globals are configured 'on' (which they are). The start of your code should initialize your posted data in a manner close to this:

     > $sendto = $_POST['sendto'];
     > $message = $_POST['message'];

     now, to debug your script, I would add this to the top of page.php

     > $var = $_POST;
     > print_r($var);
     > exit;

     That should show you all the posted data and give you an idea of what is missing and maybe some ideas as to why. One last thing... although it's good to know how to write your own code and this is a wonderful way to learn php, it appears that the code you are writing already exists. You seem to be creating a checkbox of email recipients and a manner to email them. Why reinvent the wheel?
  6. I didn't make it. I don't even believe it... but still funny.
  7. There's another alternative... I've recently done some server side coding with the GD library that comes with PHP (and is installed on servers at TCH) Rock Sign What this does, is takes a snippet of text and converts it into an image based on any true type font you desire. So, it has the advantage of being an image, but with all the flexibility of being generated by text.... so it can be updated VERY quickly. Even on the fly. I don't think this is a solution for ALL the text on a site... and it doesn't really address the original question but it's a nifty little trick.
  8. It's a code that programmers (and really, non programmers too) can use to build 'dynamic' pages such as shopping carts, guestbooks, message boards (like this one), and all sorts of database related applications. All of the 'magic' goes on at the server and then regular html is sent to the browser. This is different from javascript... js is client side. So if I turn off javascript in my browser or I have an extremely old browser, I won't see the same thing as the next person. With php (or cgi, python, etc.) the wizardry happens before the first byte is sent to your visitor... so it's much more user friendly. There are some things js can do that server side code can't so I'm not saying one is better. Just different. If you are using a database, you'll most likely be employing server side code. Hope that helps.
  9. If you're on dsl or cable, you should check this out. Regardless of how you feel about Mac vs PC... this clip is a hoot. Enjoy Mac Rant Edit: TCH-Lianna says, "Contains adult language that may be offensive to some. Don't view if you don't want to hear it." Thank you.
  10. If you mean to hardcode the email address into a php, cgi, or other server side language, then I disagree. If you mean to put the email address into the html that makes your form, then I agree, that's insecure. Raul said: That's one way... another is an authentication check to prevent posted data coming from a site other than yours. The image generation idea is a good one, so long as you realize you are raising the 'pain in the butt' factor and might turn away the lazy. If you're okay with that, then the image generation idea is a sound one. Actually, for most sites it wouldn't have to be as complex as an image... just a random alphanumeric string that the user copies into the form. It can be read by other scripts, but a spammer would have to write one just for your site... not worth the effort. But here's a link to a php class you might use for that image generation ht*p://www.phpclasses.org/browse.html/package/1329.html
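The two defences surefire describes in posts 1 and 10 (a hardcoded recipient so nothing in the posted data can redirect the mail, a time-limited key generated on the server in place of the unreliable HTTP_REFERER check, and a random alphanumeric string the visitor retypes) put together in one form handler. This is an added example, not Ultimate Form Mail Script or any code from the thread; the field names, the `FORM_SECRET` constant, the `$set`-style options and the 10-minute lifetime are assumptions, and `hash_equals`/`random_int` assume PHP 7 or later.

```php
<?php
// Added example (not the original script). Contact-form handler with three checks
// discussed in the thread: recipient hardcoded, a signed time-limited form token,
// and a session-stored challenge string the visitor must retype.
// FORM_SECRET, the field names and TOKEN_TTL are assumptions for this example.
declare(strict_types=1);

const RECIPIENT   = 'you@example.com';                  // never read from $_POST
const FORM_SECRET = 'replace-with-a-long-random-secret'; // assumption: from config
const TOKEN_TTL   = 600;                                 // seconds a rendered form stays valid

// Token carried in a hidden field: issue time plus an HMAC over it, so a visitor
// cannot extend the lifetime by editing the timestamp.
function issue_token(int $now, string $secret = FORM_SECRET): string {
    return $now . ':' . hash_hmac('sha256', (string)$now, $secret);
}

// Valid only if well-formed, the signature matches, and it is no older than $ttl.
function token_is_valid(string $token, int $now, string $secret = FORM_SECRET, int $ttl = TOKEN_TTL): bool {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d{1,12}$/', $parts[0])) {
        return false;
    }
    [$issued, $sig] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, $secret), $sig)) {
        return false;
    }
    $age = $now - (int)$issued;
    return $age >= 0 && $age <= $ttl;
}

// Challenge string generated when the form is rendered and kept in the session.
function issue_challenge(int $length = 6): string {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I to avoid confusion
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

function challenge_matches(?string $stored, ?string $typed): bool {
    return $stored !== null && $typed !== null
        && hash_equals($stored, strtoupper(trim($typed)));
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = token_is_valid((string)($_POST['form_token'] ?? ''), time())
       && challenge_matches($_SESSION['challenge'] ?? null, $_POST['challenge'] ?? null);
    unset($_SESSION['challenge']);   // single use, whether or not it matched

    if (!$ok) {
        http_response_code(400);
        exit('Form expired or the verification code did not match. Please try again.');
    }
    $message = trim((string)($_POST['message'] ?? ''));
    // Recipient and headers come from constants only, so posted data can neither
    // change who receives the mail nor inject extra headers.
    mail(RECIPIENT, 'Contact form submission', $message, 'From: ' . RECIPIENT);
    exit('Thanks, your message was sent.');
}

// GET: render the form with a fresh token and challenge.
$_SESSION['challenge'] = issue_challenge();
$token = issue_token(time());
?>
<form method="post">
  <textarea name="message"></textarea>
  <p>Type this code: <strong><?= htmlspecialchars($_SESSION['challenge']) ?></strong></p>
  <input name="challenge">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token) ?>">
  <button>Send</button>
</form>
```

The token check replaces the referer check rather than adding to it: it depends only on the server's own secret and clock, so it cannot give the false negatives the post describes for browsers or firewalls that strip the Referer header. The challenge string is deliberately invalidated after one submission so a captured form cannot be replayed within the token's lifetime.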
  11. I'm sad, and surprised, to see you go. Best of luck to you.
  12. You want to avoid putting your email in your html of the form if you can avoid it. Otherwise, spam software will pull it out of your code (which is visible in your html) and start sending you spam. My script is a code which enables you to add your email to the php code in a way that others can't see the exact email address. You can specify multiple addresses, upload several files, or even have a drop down list of recipients in your form. What you do is download the files, then upload them to your server (in binary form). You might want to change the name of the main directory... but other than that, you only have to change your email address in one of the files you upload. It might seem a bit overwhelming at first, but it's actually really easy. And if you get stuck, I have a help forum where I answer questions and provide assistance. But don't feel compelled to use my code. There are lots out there.
  13. I'm not familiar with Fusion v.7 but I know quite a bit about programmer, scripts, and forms. I wrote Ultimate Form Mail Script... but even if you don't use it, I want you to understand what has to happen in order for you to accomplish your task. It's not always as easy as just providing you with an 'extension' to plug into your form. If Fusion v.7 works with Frontpage extensions, then you might be able to get what you are looking for. I'm not familiar with Frontpage either since I don't use it... so maybe someone else can chime in on that topic. Otherwise, you're going to have to tell your form to post to a page that uses some sort of server side code to parse the data, validate, and then send you the email. This could be php, cgi, asp (only on select servers), cold fusion (not avail), or some other server side code. There are a bazillion server side scripts at Hotscripts.com or you can use my Ultimate Form Mail Script
  14. I would use a session that dies when the browser is closed or a certain amount of time passes. If you want the session to die if they leave your site for even a second then you'll have to incorporate a client side mechanism (javascript) to kill the session. If you're going to write your own code, I'd consider checking out PatUser in order to get you moving in the right direction. I haven't used it personally but plan to. I've written my own code and it's a lot easier to go with someone else's work. Best of luck to you. Hope these ideas help.
  15. Are you saying you want to force users to type a login rather than getting straight through on subsequent visits? I'm not sure I understand what you're trying to accomplish.
  16. When all is said in done... it's just html. If your html has frames, you get frames. If it only has tables and divs, the page loads just like any html page with tables and divs. It seems to me that elements from page to page that are exactly the same seem to load very quickly from the browser cache, and it often appears that the only thing changing is the content... but that's not exactly what's happening.
  17. Sorry I didn't reply sooner... What you are trying to do I have done as a custom script on one of my own sites. I strongly recommend you look at session info at php.net. I learned a LOT from that site even though I already knew the basics of sessions. My login code uses sessions unless they click 'Remember Me' and then it uses a cookie. As I recall, a session is going to be destroyed when the browser closes. So I think any sort of 'remember me' function will either have to use a cookie, or will be most easily done with a cookie.
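Posts 14, 17 and 22 describe the same design: a session that ends when the browser closes or after a period of inactivity, and a separate cookie only when the visitor ticks 'Remember Me'. The following is an added example, not surefire's login code; the timeout values, the `$store` array standing in for a database table, and the cookie name are assumptions, and `session_set_cookie_params` with an options array assumes PHP 7.3 or later.

```php
<?php
// Added example (not the poster's own code). A browser-lifetime session with an
// idle timeout, plus a persistent "Remember Me" cookie built as a selector/verifier
// pair so that a leaked token table cannot be replayed. IDLE_TIMEOUT, REMEMBER_DAYS
// and the in-memory $store (a stand-in for a database table) are assumptions.
declare(strict_types=1);

const IDLE_TIMEOUT  = 900;   // seconds of inactivity after which the session ends
const REMEMBER_DAYS = 30;

// Session cookie with lifetime 0 is discarded when the browser closes.
function start_browser_session(): void {
    session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// True if the session has a user and was active within the timeout; refreshes
// the activity stamp. An idle session is emptied so stale data cannot linger.
function session_is_live(array &$session, int $now, int $timeout = IDLE_TIMEOUT): bool {
    if (!isset($session['user'], $session['last_seen'])) {
        return false;
    }
    if ($now - $session['last_seen'] > $timeout) {
        $session = [];
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Remember-me token: the selector finds the record, the verifier proves possession.
// Only a hash of the verifier is stored, so the table alone is not enough to log in.
function issue_remember_token(array &$store, string $user, int $now): string {
    $selector = bin2hex(random_bytes(8));
    $verifier = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $verifier),
        'expires' => $now + REMEMBER_DAYS * 86400,
    ];
    return $selector . ':' . $verifier;
}

// Returns the user name for a valid, unexpired cookie value, otherwise null.
function user_from_remember_token(array $store, string $cookie, int $now): ?string {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $verifier] = $parts;
    $rec = $store[$selector];
    if ($now > $rec['expires'] || !hash_equals($rec['hash'], hash('sha256', $verifier))) {
        return null;
    }
    return $rec['user'];
}

if (PHP_SAPI === 'cli') {
    // Stand-alone walk-through with constructed data (no web server needed).
    $store = [];
    $now = time();
    $cookie = issue_remember_token($store, 'alice', $now);
    var_dump(user_from_remember_token($store, $cookie, $now));                        // "alice"
    var_dump(user_from_remember_token($store, $cookie, $now + REMEMBER_DAYS * 86400 + 1)); // NULL (expired)
    var_dump(user_from_remember_token($store, 'bogus:value', $now));                  // NULL

    $session = ['user' => 'alice', 'last_seen' => $now - IDLE_TIMEOUT - 1];
    var_dump(session_is_live($session, $now));                                        // false (idle too long)
} else {
    start_browser_session();
    if (!session_is_live($_SESSION, time())) {
        // Here a real site would load $store from its database and, on a valid
        // cookie, call session_regenerate_id(true) before setting $_SESSION['user'].
    }
}
```

When a remember-me cookie does re-establish a login, regenerate the session id before writing the user into `$_SESSION`, so a session id fixed before authentication cannot be reused; that is the spoofing concern the session_start() notes on php.net discuss.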
  18. What is it you're trying to do that other, existing authentication scripts aren't giving you?
  19. The script to do it should be available but I didn't find it in my search.
  20. No. Jim's htaccess code tells the server to parse files with .htm extension as php. If you name your files as php then the server gets the idea.
  21. Do you want to learn to do it, or get one that is secure. If the latter, Ultimate Form Mail Script If the former, you create a class that hard codes the email addresses into the script so that none of the recipient information is in the html form. That's a very general overview of how to do it.
  22. Look at php.net for session_start() and other related comments and you'll see a goldmine of info on do's and don'ts of sessions and some ideas on how to prevent spoofing... if that's a concern of yours.
  23. As you said And that's my feeling too. It takes more upfront investment in setting up your database tables and setting up more complex queries. But the end result is much better. Take apart open source scripts like Invision Board, phpBB, OSCommerce, and so on, and you'll see multiple tables. With complex queries and relationships tying them together. Plus, I've heard that a computer can search for an integer more quickly than a string... but don't quote me on that. The real reason to do it is to make it easier in the long term to manage your site. Now, I will switch gears and tell you that there are situations I've run into in the past where I will serialize() the data into a string and save the variables in a text field instead of multiple rows of the same table. I think the reason I did it is because I hadn't yet set up a good admin page and so I was going to have to be editing the table directly in phpMyAdmin. And for me, if the table has several hundred rows, it's just easier to edit the data if I only have to edit one row... It's really just a matter of preference.
  24. yep. I would prefer to answer your request over there... only because it makes it easier for others to learn from the feedback. Lots of folks using the script aren't at TCH (fools) and so I try to answer everything over there. Thanks.
  25. Yep, you're thinking in the right way. You should do a separate table for ingredients. And possibly a table for type of measurement (but that's a little complex) Then, in your recipe table, you have a column for quantity. So it might look like:

      Item_ID: 1
      Recipe_ID: 21
      Ingredient: 4
      Quantity: 2
      Unit: 'Tablespoons' (or you could put an integer for unit_ID)

      And then the next line might look the same except for ingredient and quantity

      Item_ID: 1
      Recipe_ID: 21
      Ingredient: 10
      Quantity: 3
      Unit: 'Ounces' (or you could put an integer for unit_ID)

      So if you set your query up, and Ingredient 4 was 'Butter' and Ingredient 10 was 'Sugar' you'd get

      Mom's Apple Pie
      2 Tablespoons of Butter
      3 Ounces of Sugar
      etc...

      Good luck.
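The multi-table layout from post 25 (with the integer unit_ID variant) carried through to the query that produces the "Mom's Apple Pie / 2 Tablespoons of Butter" listing, which is also the normalised alternative to the serialize()-into-one-field approach mentioned in post 23. This is an added example and not code from the thread; the table and column names are my own choice, the rows are constructed sample data, and it assumes the pdo_sqlite extension so it runs without a MySQL server.

```php
<?php
// Added example (not from the thread). Normalised recipe schema: recipes,
// ingredients and units tables, joined through recipe_items. Table names and the
// sample rows are constructed for this example; it assumes pdo_sqlite is available.
declare(strict_types=1);

function build_sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE recipes     (recipe_id     INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec('CREATE TABLE ingredients (ingredient_id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec('CREATE TABLE units       (unit_id       INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // One row per ingredient line; the integer ids are the page's Ingredient/unit_ID columns.
    $db->exec('CREATE TABLE recipe_items (
        item_id       INTEGER PRIMARY KEY,
        recipe_id     INTEGER NOT NULL REFERENCES recipes(recipe_id),
        ingredient_id INTEGER NOT NULL REFERENCES ingredients(ingredient_id),
        quantity      REAL    NOT NULL,
        unit_id       INTEGER NOT NULL REFERENCES units(unit_id))');

    // Constructed sample data matching the post: recipe 21, ingredients 4 and 10.
    $db->exec("INSERT INTO recipes     VALUES (21, 'Mom''s Apple Pie')");
    $db->exec("INSERT INTO ingredients VALUES (4, 'Butter'), (10, 'Sugar')");
    $db->exec("INSERT INTO units       VALUES (1, 'Tablespoons'), (2, 'Ounces')");
    $ins = $db->prepare('INSERT INTO recipe_items (recipe_id, ingredient_id, quantity, unit_id) VALUES (?, ?, ?, ?)');
    $ins->execute([21, 4, 2, 1]);
    $ins->execute([21, 10, 3, 2]);
    return $db;
}

// Returns the recipe name followed by one "qty unit of ingredient" line per item.
// The recipe id is bound as a parameter, never interpolated into the SQL string.
function recipe_lines(PDO $db, int $recipeId): array {
    $stmt = $db->prepare(
        'SELECT r.name AS recipe, i.quantity, u.name AS unit, g.name AS ingredient
           FROM recipe_items i
           JOIN recipes     r ON r.recipe_id     = i.recipe_id
           JOIN ingredients g ON g.ingredient_id = i.ingredient_id
           JOIN units       u ON u.unit_id       = i.unit_id
          WHERE r.recipe_id = :id
          ORDER BY i.item_id'
    );
    $stmt->execute([':id' => $recipeId]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if ($rows === []) {
        return [];
    }
    $lines = [$rows[0]['recipe']];
    foreach ($rows as $row) {
        $q = (float)$row['quantity'];
        $qty = ($q == floor($q)) ? (string)(int)$q : (string)$q;   // 2.0 -> "2", 1.5 -> "1.5"
        $lines[] = sprintf('%s %s of %s', $qty, $row['unit'], $row['ingredient']);
    }
    return $lines;
}

if (PHP_SAPI === 'cli') {
    $db = build_sample_db();
    foreach (recipe_lines($db, 21) as $line) {
        echo $line, PHP_EOL;   // Mom's Apple Pie / 2 Tablespoons of Butter / 3 Ounces of Sugar
    }
}
```

Renaming an ingredient or a unit is then a single-row update that every recipe picks up on the next query, which is the long-term manageability the post is after, and because the lookup key is an integer the join is a direct comparison rather than a string match.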