building a page for lazy people (me and my friends)

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
the page will be local restaurants with address and phone number. and a picture of the menus that i want to add. the thing i can not do is that. add the upload section for the menu. (the current images of my progress are attached, it is an open source MySQL form that i edited into its current shape.) if you would be willing to add the parts so i can upload an image and have it be clickable to show, that would be cool.

 

modi123

Supreme [H]ardness
Joined
Sep 6, 2006
Messages
5,946
What's the page written in? I am not sure what you mean by 'open source mysql form'.
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
it is all PHP, CSS, and MySQL.
it is well documented and well formatted. i have managed to add some fields and change some names for things, and i have not done anything in PHP. my last website was designed for IE3.
 

modi123

Supreme [H]ardness
Joined
Sep 6, 2006
Messages
5,946
If you've been tinkering with it then that's a plus.

You would want to follow the w3schools tutorial. Start with making a secondary form to jack with, and then see what you need to splice in.

The only tricky thing will be to update your database data with the file name for the right restaurant.

https://www.w3schools.com/php/php_file_upload.asp
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
yeah this part is waay outside of my ability, there is a separate folder for CSS, PHP, and configs. There are about 5 different files with code in them. like i said it is all really well done, and probably a 30 minute project for a web developer. but impossible for me and my near zero coding prowess.
 

modi123

Supreme [H]ardness
Joined
Sep 6, 2006
Messages
5,946
I mean sure.. fifty bucks and ship the files over and I can see about wedging it in. ;)
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
will etc or eth work?
i will just give you an account on my webserver temporarily and you can work on it there if you don't mind.

are you comfortable in linux?
 

modi123

Supreme [H]ardness
Joined
Sep 6, 2006
Messages
5,946
Naw, it's cool man.

Someone will, most likely, pop fairly quick and help you out.
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
here's what i made, it does not work.
i have a database field called 'menus' the database is 'restaurants'
Code:
###################
function edit_rec() {
###################

    if (isset ($_GET['id'])) $in_id = $_GET['id'];   # used unescaped in the SELECT below

    # edit or new?
    if ($_GET['mte_a'] == 'edit') $edit=1;
    else $edit = 0;

    $count_required = 0;
    $rows = '';

    $result = mysqli_query($this->mysqli,"SHOW COLUMNS FROM `$this->table`");

    # get field types
    while ($rij = mysqli_fetch_assoc($result)) {
        extract($rij);
        $field_type[$Field] = $Type;
    }

    if (!$edit) {
        $rij = $field_type;
    }
    else {
        if ($edit) $where_edit = "WHERE `$this->primary_key` = $in_id";
        $result = mysqli_query($this->mysqli,"SELECT * FROM `$this->table` $where_edit LIMIT 1 ;");
        $rij = mysqli_fetch_assoc($result);
    }

    foreach ($rij AS $key => $value) {
        if ($this->edit_all) $this->fields_to_edit[] = $key;
        if (!$edit) $value = '';
        $field = '';
        $options = '';
        $style = '';

        $field_id = '';
        $readonly = '';
        $value_htmlentities = '';

        if (in_array($key, $this->fields_required,true)) {
            $count_required++;
            $style = "class='mte_req'";
            $field_id = "id='id_" . $count_required . "'";
        }
        else {
            $field_id = "id='$key'";
        }

        $field_kind = $field_type[$key];

        # different fields
        # textarea
        if (preg_match("/text/", $field_kind)) {
            $field = "<textarea name='$key' $style $field_id>$value</textarea>";
        }
        # select/options
        elseif (preg_match("/enum\((.*)\)/", $field_kind, $matches)) {
            $all_options = substr($matches[1],1,-1);
            $options_array = explode("','",$all_options);
            foreach ($options_array AS $option) {
                if ($option == $value) {
                    $options .= "<option selected>$option</option>";
                }
                else {
                    $options .= "<option>$option</option>";
                }
            }
            $field = "<select name='$key' $style $field_id>$options</select>";
        }
        # input
        elseif (!preg_match("/blob/", $field_kind)) {
            if (preg_match("/\(*(.*)\)*/", $field_kind, $matches)) {
                if ($key == $this->primary_key) {
                    $style = "style='background:#ccc'";
                    $readonly = 'readonly';
                }
                $value_htmlentities = htmlentities($value, ENT_QUOTES, "UTF-8");
                if (!$edit && $key == $this->primary_key) {

                    $field = "<input type='hidden' name='$key' value=''>[auto increment]";

                    // if you want to change the value of the primary_key,
                    // remove the <input hidden> and use these 4 lines:
                    /* *** START ***
                    $result = mysqli_query ($this->mysqli, "SELECT $this->primary_key FROM $this->table ORDER BY $this->primary_key DESC LIMIT $
                    $row = mysqli_fetch_array ($result, MYSQLI_NUM);
                    $new_last_id = $row[0]+1;
                    $field = "<input type='text' name='$key' value='$new_last_id'>[auto increment]";
                    *** END ***
                    Thanks Jules Rommens! */
                }
                else {

                    if (isset($this->lookup_table[$key])) {
                        if (is_array($this->lookup_table[$key])) {
                            $result = mysqli_query($this->mysqli,$this->lookup_table[$key]['query']);
                            if (mysqli_num_rows($result) > 0) {
                                while ($menu_items = mysqli_fetch_assoc($result)) {
                                    $option_value = $menu_items[$this->lookup_table[$key]['option_value']];
                                    $option_text = $menu_items[$this->lookup_table[$key]['option_text']];
                                    $option_value = str_replace('"',"&quot;",$option_value);
                                    if (str_replace("&quot;",'"',$option_value) == $value) {
                                        $options .= "<option selected value=\"$option_value\">$option_text</option>";
                                    }
                                    else {
                                        $options .= "<option value=\"$option_value\">$option_text</option>";
                                    }
                                }
                                $field = "<select name='$key' $style $field_id>$options</select>";
                            }
                            $field = "<select name='$key' $style $field_id>$options</select>";

                        }
                    }
                    else {
                        $field = "<input type='text' name='$key' value='$value_htmlentities' maxlength='{$matches[1]}' $style $readonly $field_id>";
                    }
#               }   <- these two closing braces were commented out, so the pasted
#           }       upload block below sits inside the else branch above

                    if(isset($_POST['but_upload'])){

                        # $_FILES is indexed by the input's name: for <input name="menus">
                        # that is $_FILES['menus']['name']. $_FILES['file']['menus'] is never
                        # set, so $menus stays empty and nothing is saved; no error appears
                        # because no result is checked.
                        $menus = $_FILES['file']['menus'];
                        $target_dir = "upload/";   # the folder on the server is named "menus"
                        $target_file = $target_dir . basename($_FILES["file"]["menus"]);

                        // Select file type
                        $imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));

                        // Valid file extensions
                        $extensions_arr = array("jpg","jpeg","png","gif");

                        // Check extension (only the client-supplied name is checked, not the content)
                        if( in_array($imageFileType,$extensions_arr) ){

                            // Insert record: $con is not defined in this class (the connection is
                            // $this->mysqli), an INSERT adds a new row instead of attaching the menu
                            // to the restaurant being edited, and $menus is concatenated unescaped
                            $query = "insert into restaurants(menus) values('".$menus."')";
                            mysqli_query($con,$query);

                            // Upload file
                            move_uploaded_file($_FILES['file']['tmp_name'],$target_dir.$menus);

                        }

                    }
                }   // closes the else of "if (!$edit && $key == $this->primary_key)"
            }       // closes "if (preg_match(...))"; the foreach and the function continue in the file
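Below is an added example (mine, not code from the thread or from the form the OP is editing) of the upload handler written so that the file actually arrives and the holes raised later in the thread are closed: the image type is decided from the file contents, the stored name is generated server side, and the name is attached to the restaurant being edited with a bound UPDATE rather than an INSERT. It assumes a file input named `menus`, a posted `id` field, a mysqli connection in `$mysqli`, a `restaurants` table with integer `id` and text `menus` columns, and a writable `menus/` directory that the web server serves as static files only.

```php
<?php
// Added example, not the thread's code. Assumes: <input type="file" name="menus">
// plus a field "id" on the edit form, a mysqli connection in $mysqli, table
// `restaurants` with integer `id` and text `menus`, and a writable menus/ directory
// that the web server serves as plain static files (no PHP execution there).

function save_menu_upload(mysqli $mysqli, array $post, array $files, string $upload_dir): string
{
    // PHP indexes $_FILES by the input's name: $_FILES['menus']['name'], ['tmp_name'], ...
    $f = $files['menus'] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {
        return 'no file received (error code ' . ($f['error'] ?? 'none') . ')';
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'missing or non-numeric restaurant id';
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'not a file uploaded through this request';
    }
    // Type is decided from the bytes, not from the client-chosen name or extension.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($f['tmp_name']) === false) {
        return 'only JPEG, PNG or GIF images are accepted';
    }
    // The stored name is generated server side, so the client never chooses a path.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return 'could not write to ' . $upload_dir;
    }
    chmod($dest, 0644);
    // UPDATE the restaurant being edited; an INSERT would create a row holding only a menu.
    $stmt = $mysqli->prepare('UPDATE `restaurants` SET `menus` = ? WHERE `id` = ?');
    if ($stmt === false) {
        unlink($dest);
        return 'prepare failed: ' . $mysqli->error;
    }
    $stmt->bind_param('si', $name, $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    if (!$ok) {
        unlink($dest); // keep disk and database in step
        return 'no restaurant row with id ' . $id;
    }
    return 'saved ' . $name . ' for restaurant ' . $id;
}

// Clickable thumbnail for the listing page; the stored name is escaped before output.
function menu_link(string $menus): string
{
    $safe = htmlspecialchars($menus, ENT_QUOTES, 'UTF-8');
    return "<a href='menus/$safe'><img src='menus/$safe' alt='menu' width='120'></a>";
}
```

Call it from the POST handler as `echo save_menu_upload($mysqli, $_POST, $_FILES, __DIR__ . '/menus');` so a failure is reported instead of silent. The HTML form must carry `enctype="multipart/form-data"`, otherwise `$_FILES` stays empty no matter what the PHP does.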
 

modi123

Supreme [H]ardness
Joined
Sep 6, 2006
Messages
5,946
In what way is it not working? Is there an error message? Copy/paste that here.

Is the data not showing up in the database table?
Is the page rendering weird?
Are the uploaded images not showing up in the folder?
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
the data is not in the folder. (i have a folder called "menus" )
there is no error.
the blob of code i found has its own save button, i have tried filling out the form and using both save buttons. neither saves data from the Menus file upload field.
i tried moving the blob of code around a little, i do not know if PHP is location orientated. it had no effect.
also maybe of note, the HTML blob that has the browse and save button location stuff in it is in a different file.
 

marshac

American Hero
Joined
Mar 25, 2003
Messages
2,473
It has been awhile since I've done any PHP, but this looks wide open to injection attacks. You may not care depending on the scope of your app, although it's not a great idea to take in a variable and directly concatenate this into the SQL string.

From your code, it's ultimately constructing this query

SELECT * FROM `$this->table` WHERE `$this->primary_key` = $in_id LIMIT 1

I'll save you any rant about the fact that querying a table based on a primary key shouldn't return more than one value (assuming it's not a concatenated primary key, etc), but it's possible for someone to do this to your URL

index.php?id=1; DROP TABLE MENUS;

which would then turn the SQL into this

SELECT * FROM `$this->table` WHERE `$this->primary_key` = 1; DROP TABLE MENUS; LIMIT 1

Which could be a problem when it executes. Or not. I really don't like mySQL and haven't bothered to keep up on what has changed. You can also use injections to try and select from other data and glean compromised data out through the errors generated depending on how verbose the responses are. Check out bind_param and use it to construct your variables which are then passed into the query which may save yourself some grief down the line.
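As an added example (not from the thread), here is the lookup quoted above rewritten so the id is bound with bind_param rather than interpolated; the table and column names, which cannot be bound, are checked against what the server reports before they are quoted. It assumes a mysqli connection in `$mysqli`, `$table` and `$pk` carrying the class's `$this->table` and `$this->primary_key`, and an integer primary key as the posted form's [auto increment] field implies.

```php
<?php
// Added example, not the thread's code. Assumes a mysqli connection in $mysqli,
// $table/$pk holding $this->table/$this->primary_key, and an integer primary key.

function rows(mysqli $mysqli, string $sql): array
{
    $res = $mysqli->query($sql);
    if ($res === false) {
        throw new RuntimeException('query failed: ' . $mysqli->error);
    }
    return $res->fetch_all(MYSQLI_ASSOC);
}

function fetch_record(mysqli $mysqli, string $table, string $pk, $raw_id): ?array
{
    // Identifiers cannot be bound as parameters, so they are checked against the
    // names MySQL itself reports rather than trusted from configuration.
    $tables = array_map('current', rows($mysqli, 'SHOW TABLES'));
    if (!in_array($table, $tables, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    $quoted_table = '`' . str_replace('`', '``', $table) . '`';
    $cols = array_column(rows($mysqli, 'SHOW COLUMNS FROM ' . $quoted_table), 'Field');
    if (!in_array($pk, $cols, true)) {
        throw new InvalidArgumentException('unknown primary key column');
    }
    $quoted_pk = '`' . str_replace('`', '``', $pk) . '`';

    // The id from the URL is validated as an integer and bound as one, so a value
    // like "1; DROP TABLE MENUS;" is rejected here and never reaches the SQL parser.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }

    $stmt = $mysqli->prepare("SELECT * FROM $quoted_table WHERE $quoted_pk = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// In edit_rec() this replaces the interpolated SELECT:
// $rij = fetch_record($this->mysqli, $this->table, $this->primary_key, $_GET['id'] ?? '');
```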
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
i couldn't do anything about it, i only barely understand what you said. this is entirely multiple chunks of code i copied and pasted off the interwible. i only barely dabble in any code, if you need your SAN, ZFS, virtual environment, or entire network built from scratch, I'm your guy. if you need something coded beyond 'hello world' please seek someone that knows what the heck they are doing.
 

OpenLooper

n00b
Joined
Oct 22, 2020
Messages
29
// Insert record
$query = "insert into restaurants(menus) values('".$menus."')";
mysqli_query($con,$query);

print your ".$menus." to make sure that is a value. That value should just be the file name. It looks like that line is breaking if you are not getting anything in your menus db after upload. Try to wrap code that you think could be breaking in try/catch. Also just try hard coding the ".$menus." value to make sure it's even going in the db.
 

Uncle Humjaba

Limp Gawd
Joined
May 6, 2006
Messages
427
Is there a reason you don't just use one of the many available CMS options out there? Set up a free wordpress site with a form plugin and you will be both secure and lazy.
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
Is there a reason you don't just use one of the many available CMS options out there? Set up a free wordpress site with a form plugin and you will be both secure and lazy.
why do things the easy way when you can not?

you did make me recall an article i read a while back about self hosting a CMS platform... at the time i thought it was not relevant. would it be idiotic and wasteful to build out an entire self hosted CMS to deploy 1 nearly useless website? very... am i going to do that? all signs point to yes.
 

modi123

Supreme [H]ardness
Joined
Sep 6, 2006
Messages
5,946
Installing a CMS like wordpress or drupal's about a five minute side quest for most any hosting. Just need a DB and space.
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
i was reading up on the wordpress site network feature. i don't think it is exactly what i want, i have apache2 set up in multisite enabled form and i think i need to use wordpress single site config inside of an apache2 site container. i will give it a shot and see what i can pork up.
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
well that was easy.... now i just have to build what i want, in wordpress....
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
oh that's neat, it's like PHPMyAdmin in a plugin for wordpress. i really am more into this than i wanted to be. guess i can't quit now.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,607
marshac as my first thought, someone writing a website in PHP with a MySQL backend and likely very little to no thought put into securing the code and the front end webserver, here Internet, here is another webserver you can use to spam the world and install malware from :D

You note you are self hosting this, as in from home on your own network? I hope you have this on its own VLAN with no access to your regular network..
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
I do security on my firewall. If you can't get to it, my garbage code is less relevant.
 

blackmomba

Limp Gawd
Joined
Dec 5, 2018
Messages
428
It's not garbage, you're just learning. Try not to expose any of this onto the internet as has been mentioned.

Next time around try using more modern technologies to build a webapp
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,607
Zedicus How? Limiting port forwards? Do you have the IPs of all your friends to only allow them in when you let it go live on the internet? Are you doing packet inspection? Are you dropping fragmented packets that come in to your NAT rule? If you have port 80/443 open on TCP to a webserver, someone will eventually get in, with custom code or if you're using wordpress with 3rd-party add-ons. A firewall can only do so much.
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
Zedicus How? Limiting port forwards? Do you have the IPs of all your friends to only allow them in when you let it go live on the internet? Are you doing packet inspection? Are you dropping fragmented packets that come in to your NAT rule? If you have port 80/443 open on TCP to a webserver, someone will eventually get in, with custom code or if you're using wordpress with 3rd-party add-ons. A firewall can only do so much.
i was going to just whitelist the local block of IPs that the ISP here uses but that is a tad extreme really. what i am doing is the webserver is in a DMZ, port forward limits, country IP range blocks for the main list of sus countries. Also the firewall inspects for exploits, broken frames, and injections. nothing is unhackable, but i have done a fair amount to be so difficult they move on. plus the webserver has a minuscule amount of traffic, it's not like i am even in the top 10 million webservers.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,607
All good, just checking. Traffic won't matter, it is the bots scanning your IP and looking for an easy way in is all. I get thousands of hits a day at home in my pfSense logs. Make sure your webserver is not advertising what type of server it is. You may want to consider using an NGINX reverse proxy / cache server in front of your webserver, you can add even more security. No web server back in my poker days ever saw the light of day, everything was locked down behind NGINX. Now too bad I can not find those config files i used!

If you wanted to go one step further, you host the NGINX reverse proxy / cache system on say OVH host for like $5 a month, and route all traffic there, then you lock down your own network and NAT rules to the OVH IP. This way if someone compromised the NGINX, they would not be on your own network at home.
 

Zedicus

Gawd
Joined
Nov 2, 2010
Messages
694
Yeah i see the bots hammer away, actually a lot less since i blacklisted some complete country ranges. I've never done the NGINX thing, but mine is all a local vm environment, vlans and separate routers for the dmz. There's a lot of local businesses that don't have half the security i have. It should dissuade the majority at least.
 

Logan115

n00b
Joined
Jul 14, 2019
Messages
17
It's not garbage, you're just learning. Try not to expose any of this onto the internet as has been mentioned.
Next time around try using more modern technologies to build a webapp

A well-built web application is also pretty important for those webpages and websites which should be promoted to a higher position in the search engine's result lists.
 