When the CEO becomes a developer II
-
To activate his account the user has to enter a key which is stored in the database in his account-record. How do we find this record? Well, we search the table:
$loginname = $_POST['loginname'];
$keyEntered = $_POST['key'];
$query = "SELECT * FROM user";$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
if ($keyEntered == $row["activator"]){
$sql="UPDATE user SET activator = '', status='activated' WHERE username = '$loginname'";
mysql_query($sql);$time=time()+ 365\*24\*60\*60; setcookie("check", "1",$time);}
}if ($keyEntered != $row["activator"])
{
$msg2="Invalid key";
}So: - No escaping of the entered POST-parameters. - First query fetches ALL datasets! - WHERE-clause in second query takes the loginname given by the user, not the id of the dataset found Can this be worse?
Clippy: I see that you entered the wrong password. The correct password is "apple"; shall I enter it for you?
-
To activate his account the user has to enter a key which is stored in the database in his account-record. How do we find this record? Well, we search the table:
$loginname = $_POST['loginname'];
$keyEntered = $_POST['key'];
$query = "SELECT * FROM user";$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
if ($keyEntered == $row["activator"]){
$sql="UPDATE user SET activator = '', status='activated' WHERE username = '$loginname'";
mysql_query($sql);$time=time()+ 365\*24\*60\*60; setcookie("check", "1",$time);}
}if ($keyEntered != $row["activator"])
{
$msg2="Invalid key";
}So: - No escaping of the entered POST-parameters. - First query fetches ALL datasets! - WHERE-clause in second query takes the loginname given by the user, not the id of the dataset found Can this be worse?
imagiro wrote:
$time=time()+ 365*24*60*60;
Does nobody know that there are 86,400 seconds ina day? [I can't prove this but I have thios ingrained in my long-term memory.]
Panic, Chaos, Destruction. My work here is done. or "Drink. Get drunk. Fall over." - P O'H
-
imagiro wrote:
$time=time()+ 365*24*60*60;
Does nobody know that there are 86,400 seconds ina day? [I can't prove this but I have thios ingrained in my long-term memory.]
Panic, Chaos, Destruction. My work here is done. or "Drink. Get drunk. Fall over." - P O'H
Distant memories of childhood wonderment:
Eight six four two zero(es).And yes, it has been useful these last 60-odd years. Cheers, Peter ps No idea why you got downvoted. Have my 5 in at least partial compensation.Software rusts. Simon Stephenson, ca 1994.
-
imagiro wrote:
$time=time()+ 365*24*60*60;
Does nobody know that there are 86,400 seconds ina day? [I can't prove this but I have thios ingrained in my long-term memory.]
Panic, Chaos, Destruction. My work here is done. or "Drink. Get drunk. Fall over." - P O'H
Nagy Vilmos wrote:
Does nobody know that there are 86,400 seconds ina day? [I can't prove this but I have thios ingrained in my long-term memory.]
Just last week I wrote a formula that included "numdays * 86400" and then I replaced it with "numdays * 24 * 60 * 60" because that adds clarity for the people who don't know how many seconds are in a day. If other people are going to read your code, it's easier to do 24*60*60 than to add a comment explaining why you're multiplying by 86400.
-
Nagy Vilmos wrote:
Does nobody know that there are 86,400 seconds ina day? [I can't prove this but I have thios ingrained in my long-term memory.]
Just last week I wrote a formula that included "numdays * 86400" and then I replaced it with "numdays * 24 * 60 * 60" because that adds clarity for the people who don't know how many seconds are in a day. If other people are going to read your code, it's easier to do 24*60*60 than to add a comment explaining why you're multiplying by 86400.
Indeed. Your compiler should do that multiplication as part of the optimization stage anyway, so feel free to leave arithmetic on constants like that in your code as long as it improves the situation. Even if it didn't optimize that out, if you're waiting on the SQL server to retrieve your results like that, the last thing you'll notice is 2 extra integer multiplication operations.
-
imagiro wrote:
$time=time()+ 365*24*60*60;
Does nobody know that there are 86,400 seconds ina day? [I can't prove this but I have thios ingrained in my long-term memory.]
Panic, Chaos, Destruction. My work here is done. or "Drink. Get drunk. Fall over." - P O'H
I didn't, but for some reason I know there are 525,600 minutes in a year. :rolleyes:
-
I didn't, but for some reason I know there are 525,600 minutes in a year. :rolleyes:
A workable "slide rule" approximation: 1 year = 10^7.5 seconds. [A leap year is even closer! ;P ]
Software rusts. Simon Stephenson, ca 1994.
-
A workable "slide rule" approximation: 1 year = 10^7.5 seconds. [A leap year is even closer! ;P ]
Software rusts. Simon Stephenson, ca 1994.
I guess now we know how you measure a year. :)
-
I guess now we know how you measure a year. :)
All is revealed! From the "Eight Days a Week" school of mathematical chronology. :laugh: :laugh:
Software rusts. Simon Stephenson, ca 1994.
-
Nagy Vilmos wrote:
Does nobody know that there are 86,400 seconds ina day? [I can't prove this but I have thios ingrained in my long-term memory.]
Just last week I wrote a formula that included "numdays * 86400" and then I replaced it with "numdays * 24 * 60 * 60" because that adds clarity for the people who don't know how many seconds are in a day. If other people are going to read your code, it's easier to do 24*60*60 than to add a comment explaining why you're multiplying by 86400.
Wow. So you replaced a "magic number" with a set of "magic numbers" for clarity? Replace the thing with a constant and you'd be doing far, far better.
A guide to posting questions on CodeProject[^]
Dave Kreskowiak -
Wow. So you replaced a "magic number" with a set of "magic numbers" for clarity? Replace the thing with a constant and you'd be doing far, far better.
A guide to posting questions on CodeProject[^]
Dave Kreskowiak#define SECONDS_IN_A_DAY 86400 is clearer and slightly educational to the reader, so definitely a better solution You trivialize my approach as using "magic numbers", but in the real world probably 90% of the population can tell what you're doing if you do 24 * 60 * 60 whilst maybe 15% of people know what 86400 is. So, I'd still say 24 * 60 * 60 is clearer than 86400 despite it being 3 "magic numbers" instead of 1. Astonishingly, if you add a fourth magic number, nearly every literate human on the Western calendar understands it with no explanation: "365 * 24 * 60 * 60".
-
#define SECONDS_IN_A_DAY 86400 is clearer and slightly educational to the reader, so definitely a better solution You trivialize my approach as using "magic numbers", but in the real world probably 90% of the population can tell what you're doing if you do 24 * 60 * 60 whilst maybe 15% of people know what 86400 is. So, I'd still say 24 * 60 * 60 is clearer than 86400 despite it being 3 "magic numbers" instead of 1. Astonishingly, if you add a fourth magic number, nearly every literate human on the Western calendar understands it with no explanation: "365 * 24 * 60 * 60".
Charvak Karpe wrote:
but in the real world probably 90% of the population can tell what you're doing if you do 24 * 60 * 60
You haven't worked with some of the developers I work with now. No, they couldn't tell you what that code was doing... seriously.
A guide to posting questions on CodeProject[^]
Dave Kreskowiak