when i want to update my profile user photo { there is no inserted photo before }
nothing will happen
and only the name will change in the database
and nothing gets added to my photos folder
and when i try this
it will make a new table with empty stuff and only with the photo
how can i add a photo when i'm updating it and not inserting
use
upload_file_move()
after validating it is an actual image
it will work for updating?
and add to photos folder?
no, it will move the file to the folder
let me test and see what will happen
you have to validate the file first
try to read it
try to resize it
try to save that copy to the folder you want, with a random name
i cut all the parts
because first it should work and then i add them again
alright
and you should use prepared statements
nice
it works
if (move_uploaded_file($tempname, $folder)) { // $folder must be the full destination path, including the file name
    echo 'file uplode fix';
} else {
    echo 'file not fix !!!!!!!';
}
thanks for the help, i was stuck on this part for a long time
you're welcome
but this is extremely unsafe and you can kill the server easily
i didn't add it to the website yet
and now it's working, i need to add the limits and prepared statements ...
which server do you use?
apache? nginx? something else?
don't know?
linux
:linux:
no, the server software
hmm
BISTON
i think
biston?
i think yes
i bought it from parshost
Pars Host
i tried to read that, but chrome translated it to a butchered portuguese-like mess :/
do you have an .htaccess file in your host?
i don't think so
i have cpanel
i know, you showed it the other day
and you have any files?
yes
no htaccess file
if you create one and type gibberish, does the site stop working?
ha ?
i can't understand
i make a file named htaccess ?
.htaccess
and type something inside
any nonsense
i can't create it
that's fine
what is that?
what will it do?
.htaccess files are used by apache, to configure it
the idea is to set the folder with images to only allow images to be served, and anything that might end up there will be sent as text
ohh
is it only in apache?
yes
it's a nice option
yeah, if it worked
this is an important security option, as it prevents that an image.jpeg.php is executed
is it good now for safety?
not really, no
😳
you have a mix of snake oil with an almost ok attempt at validating a file
if($row["user_ip"] == $user_ip){
<-- this is horrible
No
yes, very
i mean
in terms of safety, it does absolutely nothing at all, and just causes problems for the users
i do this so whoever creates a profile can only edit it from the same ip
here's how to change my ip in 3 seconds:
- have a phone
- turn off wifi
ye ye i know that
but
because i didn't add login and register
i just added this for testing
so other people don't remove other people's posts
i didn't make it for total security
why aren't you developing locally?
what do u mean
develop locally, not on a hosted server online
for now, yes, i don't put it on the host
because i'm updating it
after it's finished i'll put it on my host
ok, but that's still just a case of cheeto security
what does that mean
the security is bad for the ip thing?
🤣
it looks safe, but it does nothing
u mean the ip part or the upload part
yes
that does absolutely nothing
ye but other people can't remove each other's posts
but if their ip changes they can't get access to their page either
people can't remove their own post
in this case, image
which makes it pretty horrible in terms of usability
the blue background means this matches ur ip and u can edit or delete it
also, what if you need to delete or edit someone else's image?
u can't, only me, i can from the database
or the user with his ip [ the ip when he created his user ]
for example, someone puts raunchy images as the profile image
as a platform provider, by the european law, you're required to moderate it
i will delete it very fast
from the database
i really can't do anything about it until i change it to a login and register system
or i make a report button for it, if 5 people with different ips report the photo it gets deleted
and only the photo gets deleted, not the user
this is the only thing i can do for now with the ip system
that's why it's absolutely horrible
you, as the owner, should have the possibility to do anything you need to do
ye even if the user's ip gets changed he can't access his page anymore ...
a user, a lowly one, should be allowed to only edit the profile of that user
regardless of the ip
do u think it's good to put the report button?
why? you made it so you can't edit anything
u can edit ur own profile but people can't
like other social apps
like instagram and ...
the owner of page can but other people cant
that is how it should work
forget ip verification and bs
you can use it to check the country
and for logs, that's very important
ye that's why no one uses this ip system
yes, because it sucks
it's not safe, it's not user friendly, it's just ... a cheeto
ye
i built this project for testing because i never did any other project with php
i noticed you aren't using any session variables
i only use POST
how do you know the user is allowed to upload?
how do you know the user exists at all?
how do you know the user is logged in?
i didn't put any of this
which is what you should have done
if someone deletes the page it's gone forever
and deleted from the table and all stuff
that's not what i'm saying
i put a search button, u can search the id of the page, if it's not loading anything it means it's deleted or wrong
i'm saying you're not validating if the user is logged in and which user uploaded the image
and there is no login
if u come to my page with the ip u created the user with, u can see ur profile with a blue background
you're not listening to me
point me to the line where you update the image of the user that is logged in
if the ip matches and he clicks the edit button he comes to this page
so, the script is just for you, and not for the user itself?
it is
if user ip = the old ip at the first creation of the account = u can enter this page to update ONLY ur account
then this is missing code
i will finish the part and put it on the website
no, at the top
there's code missing
YES
it's long
i think i can't send it here
let me try
you can split it into multiple messages
ok
or send the file
that's a mess and a security nightmare because you're receiving the user id from POST
🤣 i put very IF
i need to use sessions right?
yes, you do
i totally forgot about it
can people change the value and put sql injection code in my code rn?
because it's getting it from input
probably
i think that's the only part where i need to put sessions
because for the other parts the user needs to send it
the first query has security issues
you don't use prepared statements
ohhh
even SELECT needs prepared statements?
EVERYTHING
i only use them for INSERT
i will change all of them to prepared statements
you know what i can do?
'"; drop table user;
this
this is enough to ruin your website😭
in all inputs?
in the id
or only the query with no prepared statements
any and every single query you didn't use protected statements
ohhh the id will be connected to the database
anything you put into the query, is a possible hole
ye i just understood it
if i put sessions and protected statements will it be good for now?
no, not even close
what other things can u recommend to fix
fix this, then we talk
Alright
thanks for helping
you're welcome
by the way, why did you do ... this:
hmm
so i can use them
🤦
you can use them already
you also misspelled telegram and twitter
it will be easier
also, why do you have separated fields for each social network?
there is an eye button
it will direct people at this page
and they can see more stuff
about the user
that's not what i mean
oh
why isn't it in a different table?
some people don't have any
some people have 1 or 2
some people have others
they can put it empty
that's not the point
i put all the stuff only in 1 table
the point is ... in 5 years, you will have 5000 columns for every single social network
and that doesn't work
normalize the table, and create 2 tables: social_networks and user_social_networks
i'm thinking about removing all and adding more photos of each social network
so people can select each one they want
inside social_network, you put all the information about the networks: logo, name, label, something else
inside user_social_networks, you put the user id, the social network id and the url
and that is how you do a proper normalization of the social networks for users
ye i should do that because there is so much stuff in only 1 table rn
you're putting too much because you're not following the normalization rules for the database
at first it was only 4 rows and then i added more and i didn't add more tables, only put all in 1
do you need to store the ip there?
the ip should be in a log, not there
in a log?
image, job, country, phone, age and name can be in a separate table
ye i will fix all after i fix the prepared statements
alright
i store the first ip [ the ip the user created the first page with ]
and the ip won't be updated
that is even worse, and doesn't belong there
if i put the $user_id in the session i won't need prepared statements anymore? because it won't get anything from input anymore
yes, you do
let me explain this straight
prepared statements are NOT optional
:agree:
if you don't send any inputs, or manually enter the input, then you may skip prepared statements
by the way, you really should use pdo