How to take data from database and save it in session PHP

I want to make a TOEFL test. When a user wants to start the test, the user must first input an email. So, when the user clicks start, the user has an id. I want to take the id from table ‘id’ and save it in the session, so when I want to take the score from the ‘listening’, ‘structure’ and ‘reading’ tables, I use that id.

But the problem is: when I do the test, the listening, reading and structure scores will be ‘0’, but I am sure I have answered the questions correctly. Maybe it is because the id is not saved in the session correctly. Please help me.

index.php

<form method="POST" action="add_id.php">
         <input type="text" name="email" placeholder="Email">
         <input name="btn" type="submit" value="Start"/>
         </form>

add_id.php

<?php 
    include "connection.php";
    $email = $_POST['email'];

    $query = "INSERT INTO id(email) VALUES ('$email')";
        if(mysql_query($query)){
         $q = "SELECT * FROM id";
         $ex=mysql_query($q);
         $id = $ex['id'];
         session_start();
         $_SESSION['id'] = $id;

        header("location:test_structure.php");
        }

        else {
        echo mysql_error();
    }
?>

calculate.php

<?
include "connection.php";
$id   =$_SESSION['id'];

              $query ="SELECT * FROM Reading WHERE Reading.id='$id'";
              $ex=mysql_query($query);
              $data=mysql_fetch_array($ex);
              $right_structure = $data['rightanswer_read'];
              $Reading = $data['score_read'];

              $query ="SELECT * FROM Structure WHERE Structure.id='$id'";
              $ex=mysql_query($query);
              $data=mysql_fetch_array($ex);
              $right_structure = $data['rightanswer_struct'];
              $Structure = $data['score_struct'];

              $q ="SELECT * FROM Listening WHERE Listening.id='$id'";
              $e=mysql_query($q);
              $d=mysql_fetch_array($e);
              $right_listening = $d['rightanswer_list'];
              $Listening = $d['score_list'];

              $final_score = (($Listening + $Structure + $Reading)/3) * 10; 

              $NA = "INSERT INTO final_score VALUES ('$email', '$final_score', '$Listening', '$Structure', '$Reading', '$right_listening', '$right_structure', '$right_reading')";
              if(mysql_query($NA)){
                   header("location:index.php");
              }else {
                    echo mysql_error();
              }

              }
              ?>

this is id table structure:

CREATE TABLE IF NOT EXISTS `id` (
`id` int(100) NOT NULL,
  `email` varchar(30) NOT NULL
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

There are tons of problems with your 2 snippets.

  • add_id.php will throw you an undefined index error since you are requesting a post value, and what happens if someone accesses that file directly? You will indeed get the undefined index because you aren’t checking for submissions. While I’m at it, don’t use if(isset($_POST)), if(isset($_POST['submit'])) or anything that has to do with if(isset($_POST....)). This is normally written by noobies and is always in nooby tutorials. Don’t let anyone tell you otherwise because if they do, they support legacy code. The proper way is by using if($_SERVER['REQUEST_METHOD'] == 'POST').

  • Don’t stuff the actual value into the SQL string, this will most likely cause SQL Injections. SQL Injections don’t come from PHP nor the clients, they come from bad coding. If you use prepared statements and stop using the old deprecated mysql_* functions, you can avoid SQL Injections. Prepared statements will separate what is code and what is actual data. Strings will be nothing but strings. They won’t be interpreted as part of the SQL string or PHP.

  • Don’t display MySQL errors as you have done here

      echo mysql_error();
    

This will just give the hacker an easy pass. Rather, you should be logging errors to the error log and not displaying these kinds of errors at all.

  • As per your OP, you aren’t setting the session and that is probably why you aren’t seeing any answers being answered when they really are.
1 Like
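
The points in the answer above (check the request method, bind the value instead of building the SQL string, log errors rather than echoing them, and actually set the session id), put together as an added example that is not code from the thread. It assumes PDO with the SQLite driver, using an in-memory database as a stand-in for MySQL so it runs offline; `open_db()` and `add_test_taker()` are hypothetical names.

```php
<?php
// add_id.php reworked as an added example; not the original poster's code.
// Assumption: SQLite in memory stands in for MySQL so the file runs offline.
// With MySQL, swap the DSN for 'mysql:host=...;dbname=...' plus credentials.
declare(strict_types=1);

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE id (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL)');
    return $pdo;
}

// Insert the e-mail through a bound parameter and return the id of the new row.
function add_test_taker(PDO $pdo, string $email): int
{
    if (strlen($email) > 30 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail');
    }
    $stmt = $pdo->prepare('INSERT INTO id (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
    return (int) $pdo->lastInsertId(); // id of this row, not of "SELECT * FROM id"
}

if (PHP_SAPI === 'cli') {
    // Constructed demo input: the apostrophe is data here, not SQL.
    $pdo = open_db();
    printf("new id: %d\n", add_test_taker($pdo, "o'brien@example.com"));
    printf("new id: %d\n", add_test_taker($pdo, 'second@example.com'));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();                       // must run before $_SESSION is used
    $email = is_string($_POST['email'] ?? null) ? trim($_POST['email']) : '';
    try {
        $_SESSION['id'] = add_test_taker(open_db(), $email);
        header('Location: test_structure.php');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Please enter a valid e-mail address.';
    } catch (PDOException $e) {
        error_log('add_id.php: ' . $e->getMessage()); // log, do not echo
        http_response_code(500);
        echo 'Sorry, something went wrong.';
    }
    exit;
}
```

calculate.php needs its own `session_start()` call before it reads `$_SESSION['id']`, and its three SELECT queries can bind the id the same way.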

Those functions ceased to be deprecated in December last year when they were removed from PHP completely and so no longer exist at all in current PHP.

Hello. When I first started with databases I struggled. Here are some useful links:

You need to look at session_start() if you want to use session variables.

Right, but only if someone was using PHP 5.4 - 5.5.

That login system isn’t actually safe. It’s using hash instead of password_hash. Why recreate the wheel when there’s already the default password_hash? Using just hash with sha256 alone to hash the password isn’t safe. I’m not saying I’m an encryption expert, but that person who made that system should leave it to the encryption experts because they have now just made the password even weaker than before.

Also, don’t use W3 School’s website. They are known to be using legacy code. They teach you simple code, but don’t back up that code with security measures. They teach you how to do things in a simple manner, in the simplest way possible, but leave out anything to do with security.

I’m sorry, the part where you said “I am not an encryption expert” got me. You’re telling me what you think is wrong with it but then telling me you aren’t an expert yourself.

You don’t need to be an encryption expert to know that. It’s just that the entry level for PHP is so low that people tend not to know basic things. Like every day on this forum when obsolete mysql functions are used. Very basic thing but it seems like every other question lately someone is using those functions. Honestly, I just stop caring. It’s not my problem if you get hacked. I’ve just stopped helping people who don’t know the bare minimum. That and people using WordPress – yuck.

Encryption isn’t supposed to be reversible. Hash and encryption are two different things. Hashes are reversible while encryptions shouldn’t be. I am not an encryption expert because I don’t know how many bytes are needed for a secure encryption and how many salts are needed for one, but I know that creating your own encryption is not as safe as one that is already built in.

1 Like

Encryption IS supposed to be reversible. It is hashes that are not reversible as they have a many to one mapping. The important aspect of hashes is that a small change in the input results in a totally different hash.

So are they reversed?

Seems like your descriptions are reversed.

Symmetric encryption means that the same key that was used to encrypt something can be used to decrypt it.

Asymmetric encryption means that the key to decrypt is different from the key to encrypt. One example use of this is public/private key encryption where the public key can be used to encrypt and only the person with the private key can decrypt, or a person uses their private key to encrypt as an effective digital signature as only what they encrypted can be decrypted using their public key.

The primary purpose of hashing is for change detection. For example, by providing a hash created from the executable of a program, it is possible to confirm that no one has tampered with the program, as if they have, regenerating the hash would produce a totally different value. For this purpose no salt is needed.

When hashes started to be ‘misused’ for concealing passwords from everyone except their true owner the concept of a salt was introduced as a way to make the simpler hashing algorithms harder to reverse engineer (you can’t find a password that will produce a given hash as easily if part of the value to be hashed is also specified).

To ensure that the most appropriate hashing algorithm is used for passwords (as greater computing power makes it easier to reverse engineer simpler hashes) the password_hash and associated functions were introduced to PHP - these ensure that the salt used on a given password is changed every so often by verifying the password using the old salt and then rehashing it with a new one and also ensures that if the current level of hashing is starting to become insecure that the new hashes will also use a better hashing algorithm.

2 Likes
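
The contrast drawn in this thread between a bare `hash('sha256', ...)` and `password_hash`, as an added example that is not code from the thread or from the login system mentioned above. It verifies a login against either format and moves unsalted SHA-256 values over to `password_hash` on the next successful login; the user record array and `verify_and_upgrade()` are hypothetical.

```php
<?php
// Added example: moving unsalted SHA-256 password hashes to password_hash().
// The in-memory user record and the function name are hypothetical.
declare(strict_types=1);

// Returns true when the password is correct. On success, $user['hash'] is
// replaced if it is a legacy value or was made with outdated settings.
function verify_and_upgrade(array &$user, string $password): bool
{
    $stored = $user['hash'];
    // Legacy format assumed here: 64 lowercase hex characters, no salt.
    $legacy = preg_match('/^[0-9a-f]{64}$/', $stored) === 1;

    if ($legacy) {
        // hash_equals() compares in constant time.
        $ok = hash_equals($stored, hash('sha256', $password));
    } else {
        // The algorithm, cost and salt are read from the stored string itself.
        $ok = password_verify($password, $stored);
    }

    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // password_hash() generates a fresh random salt on every call.
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample record holding a legacy hash.
$user = ['email' => 'a@example.com', 'hash' => hash('sha256', 'correct horse')];

var_dump(verify_and_upgrade($user, 'wrong guess'));   // rejected, hash untouched
var_dump(verify_and_upgrade($user, 'correct horse')); // accepted, hash upgraded
var_dump(verify_and_upgrade($user, 'correct horse')); // accepted via password_verify()
echo $user['hash'], "\n";                             // now a password_hash() string
```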
