Filtering and verification of PHP data.


I'm creating a simple list in PHP where users can add names, dates, email lists, etc. I also added the visibility parameter, but I want to add a confirmation message when the user presses the “View” button.

I tried Google, but know nothing about jQuery and JavaScript solutions.

What's the best way to make money with PHP?

Delete.php


If you want to make a lot of money in PHP, you will need to add the following steps to your script, for example: step 1 (show form) -> step 2 (ask for confirmation) -> step 3 (validate). For this purpose you can use sessions to save the state instead of passing GET parameters around.

Otherwise, use the JavaScript solution:

    <?php
    // use double quotes for the JS inside PHP!
    echo "<table>";
    while ($query2 = mysql_fetch_array($query1)) {   // mysql_* functions are removed in PHP 7; shown as posted
        echo "<tr>";
        echo "<td>" . $query2["name"] . "</td>";
        echo "<td>" . $query2["age"] . "</td>";
        // the link target is not visible in the post; delete.php?id=... is assumed here
        echo "<td><a href=\"delete.php?id=" . $query2["id"] . "\" onclick=\"javascript:confirmationDelete($(this));return false;\">Edit</a></td>";
        echo "</tr>";
    }
    echo "</table>";

Create a JavaScript function:

    // needs jQuery, since anchor.attr("href") is a jQuery call
    function confirmationDelete(anchor) {
        var conf = confirm("Are you sure want to delete this record?");
        if (conf)
            window.location = anchor.attr("href");
    }

tell me, you're a robot 🙂

Add an onClick handler to the button to show the dialog box: onclick="javascript:return confirm('are you sure you want to delete this?');"

    function deletetconfig() {
        var del = confirm("Are you sure you want to delete this record?");
        if (del == true) {
            alert("record deleted");
        }
        return del;
    }
    // add the onclick event: onclick="return deletetconfig()"

Try this, or change this:

    onclick="javascript:confirmationDelete($(this));return false;"

to:

    onclick="confirmationDelete(this);return false;"

Below is a better option that shows a confirmation dialog and passes the value from PHP to JavaScript and back to PHP. I needed to let the user delete a file from a list of files.

The div's onClick launches a function.

From PHP I pass $fileName into JavaScript, which asks for confirmation of the file name, and if confirmed, redirects to an href carrying the value in $_GET.

Here I will try to describe some of the important points of filtering data in PHP scripts and, along the way, answer the question of how to properly filter data.

There are already plenty of articles about data filtering, but they rarely show it correctly in the context of real applications.

Typical mistakes. Filtering.

Mistake No. 1. For numeric variables the following check is performed:

    $number = $_GET["input_number"];
    if (intval($number)) {
        ... SQL query built from $number ...
    }

Why does this lead to SQL injection? Because the user can enter the following value for the variable input_number:

    1"+UNION+SELECT

The check will pass successfully, because the intval function reads the leading digits of the value, i.e. 1, but nothing has changed in $number itself, so the whole malicious string is passed into the SQL query.

Correct filtering:

    $number = intval($_GET["input_number"]);

    if ($number) { ... finished SQL query ... }

Of course, the check may differ; for example, if you need to restrict the value to a particular range:
    if ($number >= 32 AND $number <= $max) { ... }   // $max stands for the upper bound, which did not survive extraction

Another case: a value taken from a cookie is used to build a path:

    $dir = MAIN_DIR . "/template/" . $config["skin"];   // $config["skin"] is taken from $_COOKIE["skin"]

In this variant the user can change the value of $_COOKIE["skin"] and, as a result, obtain the absolute path to the site folder.

If you save the value of a cookie to the database, use one of the described filtering options; the same applies to the values of $_SERVER.
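An added example (not from the original article) of the filtering the text recommends for the $_COOKIE["skin"] case: the skin name is checked against a strict pattern and a whitelist, and the resolved path is confirmed to lie inside the template folder. MAIN_DIR, the list of allowed skins and the function name resolveSkinDir are assumptions.

```php
<?php
// Added example, not from the original article: safely resolving a template
// directory chosen through $_COOKIE["skin"]. MAIN_DIR, the list of allowed
// skins and the function name are assumptions for illustration.
declare(strict_types=1);

const MAIN_DIR = __DIR__;   // assumed site root

/**
 * Returns the absolute template directory for $skin, or null when the value
 * is not an allowed skin name or does not resolve inside MAIN_DIR/template.
 */
function resolveSkinDir(string $skin, array $allowedSkins): ?string
{
    // 1. Syntactic whitelist: letters, digits, '_' and '-' only, so no
    //    slashes, dots or NUL bytes can reach the path built below.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $skin)) {
        return null;
    }
    // 2. Semantic whitelist: only the skins the site actually ships.
    if (!in_array($skin, $allowedSkins, true)) {
        return null;
    }
    // 3. Belt and braces: the resolved path must still lie inside the
    //    template folder (catches symlinks pointing elsewhere).
    $base = realpath(MAIN_DIR . '/template');
    $dir  = realpath(MAIN_DIR . '/template/' . $skin);
    if ($base === false || $dir === false
        || strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

// Usage: a missing or rejected cookie falls back to the default skin
// instead of being concatenated into the path as the vulnerable code does.
$allowed = ['default', 'dark', 'print'];   // constructed list
$skin    = (string)($_COOKIE['skin'] ?? 'default');
$dir     = resolveSkinDir($skin, $allowed) ?? resolveSkinDir('default', $allowed);
if ($dir === null) {
    exit('No usable template directory');
}
```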
Mistake No. 5. The register_globals directive is enabled.

Disable it without fail if it is enabled. Otherwise a request can create a record in the database, which is not at all what we want.

Verification. Mistake No. 2. When you perform various actions (adding, editing, deleting) on data, do not forget to check the user's rights to access this function and its additional capabilities (allowed HTML tags or the ability to publish material without moderation). I once fixed a similar flaw in one forum module, where anyone could post messages on behalf of the administration.

Verification. Mistake No. 3. If you include several PHP files, perform a simple check. In the index.php file (or any other main file), write the following line before including the other PHP files:

    define("READFILE", true);

In the other PHP files write:

    if (!defined("READFILE")) { exit("Error, wrong way to file. Go to main"); }

This way you will restrict direct access to the files.

Verification. Mistake No. 4. Use hashes for users. This will help you protect these and other functions from being triggered via XSS.

Example of building a hash for a user:

    $secret_key = md5(strtolower("http://site.ru/" . $member["name"] . sha1($password) . date("Ymd")));

    // $secret_key is our hash

In other words, think ahead about what is required of you.

If someone has an online store selling hamsters with about a hundred orders a month, or fewer, this is not for them. But if you plan to run a business serving hundreds of thousands or millions of customers, with a large volume of payments, operating on valuable data, where every business transaction must be guaranteed, you need a system that processes this data in parallel. The financial sector, large online stores with hundreds of thousands of items, online auctions, hotel and air ticket booking systems, new "dark" or social services with the ambition to win a million-user base the day after the start of an advertising campaign: these are the potential customers of a high-load system for their web services.

Who is this material addressed to?

1. Developers of large web projects who are focused on building high-load and reliable computing services.

2. Owners of new or expanding businesses who expect "explosive" growth of their user base and place high demands on the computing part.

3. Technical leads and managers of large web projects who are not satisfied with the current state of production and are thinking about a fundamental reorganization.

Why so much talk about "computing"? Because the near future of large web projects lies in the area of "Big data".

The laws of natural competition dictate that if you want to deliver more value to your customers than your competitors, you will need more data and more computation.

And the sooner you realize this in your project, the better: without the right approaches you can drown in it, just as projects everywhere are drowning, either in the complexity of support, or in simply rotten code, or in the high coupling of modules, or in the unreliability of components. Those who start a web project with big ambitions today gain an advantage over their rivals if from the beginning they treat the project not only as program code but as a computing core, a system with its own laws and development. The more attention you pay to managing computation at the start, the better your chance of overtaking your closest competitors.

The author of this series of reflections believes that the "classic" current approach to building high-load web services has a number of serious shortcomings.

Let's find out why.

Let's first look at the typical current scheme:

The classic approach to building a high-load web service

1. There are many servers, divided by roles.

2. Some of the servers (the Frontend role) serve static resources (images, CSS, JS files) and "distribute" the incoming front of traffic to the lower nodes.

The main software here is usually Nginx.

3. The lower nodes (the Backend role) do the dynamic computation.

1. The main trend is growing complexity.

As the project develops, the "classic" scheme becomes ever more complex. If you add a new server, it has to be entered into the traffic distribution scheme. Admittedly, in large projects adding a server is a "one-button" action, but it is still growth of infrastructure that has to be supported.

Moreover, when the database no longer copes with the current load, it has to be moved or sharded "live" (without interrupting the service) onto new servers. But the main problem is that expanding the cluster to spread the traffic does not reduce the complexity of the program code.

You can build out the cluster endlessly, but the code will stay just as it was.

2. Deployment is not atomic. Speaking in plain words, new versions

4. Script initialization on every request.

This is the legacy of using HTTP and PHP-based script engines, which, following a long-standing tradition, are launched anew on every request.

So in response to 1000 requests per second, the PHP script is started anew each time: all variables are initialized again and the database connection is established again.

In practice it happens that processing the request takes 0.005 seconds while initializing the script takes about 0.05 seconds, ten times longer!

In other words, 90% of the time your servers are busy not with processing client requests but with initializing scripts. Try converting that into money. That is why so many workarounds have been invented (opcode caching, persistent database connections, local caches in Memcache or Redis), all designed to mitigate this unpleasant effect.

5. Monolithic application. Even if you split the application into modules, even if you spread the code across an elaborate directory structure, and even if you use lazy autoloading, there is only one criterion: if to make one change you have to deploy the application as a whole, you have a monolithic application. There is no other way.

7. The political side of the divide.

The system administration department is responsible for making sure the incoming front of traffic is "smeared" across a bunch of servers on which the PHP code runs.

The programming department is responsible for the PHP code.

When the PHP code fails to process some specific request, it is not at all obvious whether it was the administrator who "let" too much traffic onto the server and did not redirect it, or the programmer who wrote a suboptimal script.

When the database starts to stall, it is likewise unclear who is to blame: the administrator who did not shard it in time, or the programmer who could have been more economical.

If you think this is exaggerated and "not from real life", consider that the author worked on a project hosted on 200 servers, 60 of which were used for the database.

How many people worked on that project is scary to guess.

The main shortcoming

Let me repeat my point: the main shortcoming of the classic scheme, in the author's opinion, is that the technical specialists optimize the wrong thing.

They optimize the incoming front of requests, literally "smearing" it across a large group of machines, instead of optimizing the essence: the computing part. And the latter is much simpler, as it turns out.

Theoretical ideal

Oh, how we would like to:

1. Stop buying expensive servers and use one or two small groups of them.

2. Abandon the Nginx->Apache->PHP scheme with its wild "overhead" in resources, which costs money.

3. Eliminate the huge cost of initializing PHP scripts, for the same reason.

4. Get rid of the need to "render" pages on the backend.

It would be wonderful if the web service could work over an unstable or intermittent Internet connection (for example, over a mobile network on the road).

5. Drop the HTTP "loop" with its timeout and deliver the response to the client only when the response is ready, and with a delivery guarantee.

1. Design the entire system as SOA (Service Oriented Architecture) with an ESB (Enterprise Exchange Bus), abandoning the monolithic approach, so that each independent part of the business logic is a separate "service" and the services communicate with each other over an independent exchange bus.

2. Abandon synchronicity.

For example, the synchronous "request-process-respond" scheme is a single HTTP loop, which has no strict control of completion and can easily break.

In the asynchronous one there are three processes: input (sent and confirmed), processing (repeated on failure), and delivery of the result (with a guarantee).

3. Divide the project into two programs, Frontend and Backend.

In the case of a web service, the front end is (as a rule) a JavaScript application.

The point is that the two programs should run asynchronously and be decoupled from each other, exchanging information over a bidirectional communication protocol.

4. Replace HTTP with WebSocket. The WebSocket protocol has fantastic speed compared to HTTP, has no "loops with timeouts", and allows any kind of data (including binary data) to be transferred to the other side.

5. Ensure that your requests are persisted.

SOA, service-oriented architecture, is not a new trend.

This modular approach to software development was introduced by IBM back in the last century and is currently supported and promoted by industry leaders, mainly in enterprise-level products such as .NET and JAVA. In the classic approach to programming web services in PHP and similar languages, design begins with models, their properties, and the operations on them.

Models represent real-world objects, and operations are performed on the objects.

However, as practice shows, the real world is much richer and more complex, and it is described more effectively by events and reactions to them (see the author's dedicated post with a description and examples).

The real world is made up of events that occur simultaneously (in programming terms, "in parallel") and, most importantly, without our participation, and to which various reactions occur or do not occur.

Reactions, in turn, can give rise to new events. The SOA architecture is ideal for "programming the real world", because it is most convenient to operate with the concepts of events, the connections between them, and the reactions to them.

I will note in passing that such a node can also be written over pure HTTP: if you need to write gateways to other people's services, for simplicity you can write a "pure-HTTP" node.

The entry point is a secure bidirectional channel connected to the front-end application (simply put, the browser), which receives a new request from it and returns the result.

3. Organize the flow of events in the system.

The most suitable option for this is the popular AMQP server, which provides message queues and routing between them. As soon as a request arrives from the client, place it in the "input" queue. From there the message is picked up by a daemon that analyses the request and sends it along the "routing" of the system (which in practice means handing one or more events to the subsequent algorithms).

Each daemon deals with its own part of the business logic: it takes the message from "its" input queue, processes it, and places the result in the "output" queue.

I note that in the terminology of the popular broker RabbitMQ there is no concept of output queues.

These (in the author's opinion, outdated) approaches to building modular applications are based on the principle of RPC (Remote Procedure Call), which assumes a direct call of specific methods and procedures on a remote component of the project.

This approach essentially cancels all the advantages of SOA, because it means a direct and tight coupling between the sending and receiving nodes.

The design and implementation of a complex product should adhere as much as possible to the principle of loose coupling of components, because the very complexity of the architecture and of the code determines the considerable variability of the product (corrections and changes are made to the product after its launch).

The event-oriented approach of SOA assumes that components (services) communicate with each other by sending asynchronous messages ("events", from the word Event). Such a message is (for example, in AMQP terminology) a name and a set of parameters. It is intended to inform the system that something has happened, or to "ask" the system for something.

In this case the message is sent "to the system" (more precisely, to the ESB bus) without an address, without specific instructions for delivery to specific nodes or handlers.

In short, you need to look at your code not as classes with functions (methods), but as events and the actions that arise as a reaction to these events.

Moreover, the results are events too.

Based on the architecture discussed above, we can say that local events are those created inside a particular PHP script, and remote events are those that came into this script via AMQP (or will leave it the same way).

If you look at all your code this way, it leads to a surprising and even important effect: local and remote events are the same, and local and remote handlers are the same! Why is this important? Because your team's programmers will continue to write ordinary PHP code without worrying about whether a given event will be handled right here, in some PHP script, or at the other end of the system, in another daemon, in another programming language. If you are working on a project with a public API, any third party can "subscribe" their code to your events (and publish them), or, ultimately, make you subscribe to their events (and charge you for them). In other words, if you follow a SaaS business model where you pay for resources, you can do it the way Amazon does.

Recall what we called the main shortcoming of large classic web projects:

growing continuously

Here you simply stop the service that needs to be updated.

You update its code and database structure (as needed), then start it again.

Meanwhile the messages addressed to this service accumulate in AMQP, so the service will not lose them.

Yes, the services are small (a small amount of code is needed to implement a small part of the business logic), but this is much easier than deploying an entire monolithic application.

And whatever happens, nothing will be lost.

Problems with the web interface

A fast, smart web interface is essential for a high-load project.

Let's figure out why the web interface can be "slow" with the classic approach to implementation:

1. The interface is rendered on the backend, which has to be re-rendered and reloaded completely. Moving between pages is slow. Even if AJAX is used, blocks still have to be re-rendered.

2. The output code of the interface (HTML, CSS, JS) is redundant and is transmitted over the communication channels again and again, on every transition while the user navigates the interface.

3. The interface contains a large amount of unoptimized JavaScript logic, which tends to run slowly on weak devices (especially mobile ones).

Let's try to solve these problems:

How to build a fast and smart web interface

1. First and foremost, the output code

Thus, you only need an Internet connection to load the application for the first time (a few seconds).

You can also use the service over an intermittent connection (for example, from a mobile device in the metro, outside the city, in an overcrowded hotel abroad, etc.): the entered data is recorded locally and sent as soon as Internet access returns, and the views are refreshed in the same way.

Of course, this does not free the developer from the need to optimize and minimize the code.

However, as practice shows (for example, the Trello service), this is not a big deal.

Note for developers of web services for mobile devices who have doubts: according to the author's practice, in 2013 single-page JavaScript applications over websocket transport run successfully on the iPad.

Working with multiple devices

When you work, you access your service from your desktop computer, take your iPhone on the way home, and turn on your tablet at home.

When the user sends a command to the service from the interface, he waits for the result of processing. It is easy to understand that if the processing took a short time, the result itself should be sent to the device the user is currently using (pardon the pun), and delivery should not take a moment longer than necessary. The problem is that it is impossible to say unambiguously whether the user is (still) using this or that specific device.

Perhaps he has closed the browser. Possibly the battery has died.

4. Ensure that each event is duplicated along every channel (web interface, mobile device, mail).

The standard AMQP functionality will help you here with timeouts, so that messages do not lie there for more than an hour and do not clog the system.

When the client appears "online" via some specific channel, the fresh messages corresponding to that channel will be delivered to him. The author can add that on the basis of such a system it is possible to build deferred notifications (to be sent no earlier than a due date), and even to send real paper correspondence (invoices, payments, etc.), but that is a topic for a separate article. Let me add one thing: do not think of the notifications delivered as notifications like the ones Facebook or Vkontakte send you.

The notifications delivered are nothing but the results of the user's own queries!

All messages in the interface that may be requested from the backend are presented in the same form, as "notification of what is being delivered", over a single unified communication channel.

Here is an example: suppose a customer wants to add some additional service, such as turning on an extra paid option for his tariff plan.

The number of options is limited.
If the option is activated successfully, we need to send a notification to the client in the browser, send a duplicate letter by email, write off the money from his account in billing, and notify the client in his personal account.
Drawing the chain:
1. The system receives a request to turn on the option.
2. The customer is authorized and his tariff plan is determined.
3. We check whether this option can be enabled at all for the customer's tariff plan.
4. We check whether the customer has enough money in his account.
5. We check that this option does not conflict with any other settings.
6. If everything is OK, we enable the option.
7. The browser notification is sent.

8. The notification by mail is sent.

9. We write off the money in billing.

10. We post a notice in the client's personal account.

Dear reader, you can continue the sequence of actions, but the author thinks this example is close to reality.

What do we see?

Note that there is no reason to perform all the actions sequentially. It would be much more correct to "parallelize" 3, 4, 5 into three streams, and at the end 7, 8, 9, 10 into four streams. Thinking about threads and forks?

Of course not, you have SOA!

How to do parallel computation in SOA

Of course, if our daemon "hangs and waits", wasting resources (so-called "idle running"), there will be no high-load service.

The point is that the daemon should be running other tasks and serving other requests from other clients while the three parallel branches (3, 4, 5) are busy with their subtasks.

Problems are added by the fact that the results may arrive in arbitrary order.

However, everything turns out to be easy and simple:

As far as the author knows, the current implementations of AMQP "out of the box" do not allow you to wait for and "glue" several results into one in order to get a single result.

So you will have to take care of this yourself, for example:

1. Before sending the events to AMQP, record the names of the result fields that the service expects, as well as the name of the handler (call it "R") that must be applied to the sum of the results.

2. After that the service completes its processing cycle and moves on to the next task.

3. As soon as a result arrives for a list we have saved in memory, the service "unpacks" it and saves it in its place, under the field name.

Periodically you need to check what is still on the list for which no result has arrived.

Since in SOA messages "walk" through the ESB as equals, you need a sign indicating that "this result" belongs "to this request".

There is no need to reinvent the wheel here: in the specification of any popular protocol you will find a parameter called correlation_id.

As a rule, it is a sequence number.

You must pass this parameter through all events of each business process, from input to output, in order to identify the events belonging to that business process.

Looking from the web interface side, the web application keeps its active (sent) queries and, by correlation_id, "understands" which query a given response belongs to.
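An added example (not the author's code) of steps 1 to 3 above: a non-blocking registry keyed by correlation_id that collects the result fields of the three parallel checks (3, 4, 5 in the chain) and applies the handler R when the last one arrives, plus the periodic sweep for requests whose results never come back. The ResultCollector class, the message shape and the field names are assumptions.

```php
<?php
// Added example, not from the original article: gathering the results of
// parallel checks inside a service that never blocks on them. The class,
// the message format and the handler "R" are assumptions for illustration.
declare(strict_types=1);

final class ResultCollector
{
    /** @var array<string, array{fields: array<string, mixed>, handler: callable, deadline: int}> */
    private array $pending = [];

    /** Step 1: before publishing the sub-requests, remember which result fields we
     *  expect under this correlation_id and which handler R to apply to their sum. */
    public function expect(string $correlationId, array $fields, callable $handler, int $ttlSeconds): void
    {
        $this->pending[$correlationId] = [
            'fields'   => array_fill_keys($fields, null),   // null = not received yet
            'handler'  => $handler,
            'deadline' => time() + $ttlSeconds,
        ];
    }

    /** Step 3: called for every incoming AMQP message; between calls the daemon serves
     *  other work. Returns the value of R once all fields are in, otherwise null. */
    public function receive(array $message)
    {
        $cid   = $message['correlation_id'] ?? null;
        $field = $message['field'] ?? null;
        if ($cid === null || $field === null || !isset($this->pending[$cid])
            || !array_key_exists($field, $this->pending[$cid]['fields'])) {
            return null;   // unknown, late or foreign result: ignore it
        }
        $this->pending[$cid]['fields'][$field] = $message['result'];
        foreach ($this->pending[$cid]['fields'] as $value) {
            if ($value === null) {
                return null;   // still waiting for at least one field
            }
        }
        $entry = $this->pending[$cid];
        unset($this->pending[$cid]);               // done: free the slot
        return ($entry['handler'])($entry['fields']);
    }

    /** Periodic sweep: drop requests whose results never came back so the in-memory
     *  list cannot grow without bound. Returns the expired correlation ids. */
    public function expire(int $now): array
    {
        $expired = [];
        foreach ($this->pending as $cid => $entry) {
            if ($entry['deadline'] <= $now) {
                $expired[] = $cid;
                unset($this->pending[$cid]);
            }
        }
        return $expired;
    }
}

// Constructed sample: one option-activation request, three checks in parallel.
$collector = new ResultCollector();
$cid = bin2hex(random_bytes(8));                    // correlation_id of this business process
$collector->expect(
    $cid,
    ['plan_allows', 'enough_money', 'no_conflict'],
    fn(array $r) => in_array(false, $r, true) ? 'reject_option' : 'enable_option',   // handler R
    30
);

// Results arrive in arbitrary order; only the last one triggers R.
$messages = [
    ['correlation_id' => $cid,     'field' => 'no_conflict',  'result' => true],
    ['correlation_id' => $cid,     'field' => 'plan_allows',  'result' => true],
    ['correlation_id' => 'stale',  'field' => 'enough_money', 'result' => true],   // unknown id, ignored
    ['correlation_id' => $cid,     'field' => 'enough_money', 'result' => false],
];
foreach ($messages as $m) {
    $decision = $collector->receive($m);
    if ($decision !== null) {
        echo "decision for $cid: $decision\n";      // reject_option
    }
}
```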

Let's look at the terminology: transactionality is the ability of a system to perform several actions as one atomic operation that can either succeed or fail completely.

It is physically impossible to complete a single operation atomically across branches of the system running in parallel; instead, the system provides fail scripts and rollbacks.

Any system will require scaling sooner or later.

In the context of SOA this is easy and painless:

1. Duplicating the entry point.

This means the same WebSocket gateway we looked at at the beginning of the article.

It can be duplicated any number of times, because the connections between it and the client are unified and independent of the internals of the system, and the connections between it and the system do not depend on the connection with the client.

2. Duplicating instances of services.

Services can be duplicated without any problem as long as they do not modify the database or only "read" from it.

And the standard functionality of RabbitMQ allows you to subscribe N instances to the same queue; each message will arrive at one of the instances.

When duplicating services that work with external programs (databases, third-party software), you need to make sure that these programs ensure the transactional nature of requests from many parallel clients.

3. Duplicating data stores.

The author deliberately omits the topic of "low-level" protection, i.e. SYN flooding and flooding channels with hundreds of gigabits, since hundreds of books of specialized literature have been written about this.

Let's talk about how to protect the system from the inside, at the logical level, if an attacker has managed to flood your system (SOA + ESB) with thousands of requests.

1. First rule: do not process anything until its validity has been confirmed.

If you expect a small JSON text at the input, packed in BASE64, then a string that arrives larger than a megabyte must clearly be thrown out; do not even try to unpack it.

The procedure for "non-Latin" characters is similar.

Once you have unpacked the string, do not try to run json_decode immediately, but first check the number and pairing of brackets.

And so on.

It looks like paranoia, but otherwise you can easily be "memory-bombed", so that the service tries to take up all the RAM available to it.
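An added example (not from the original article) of rule 1: the checks run in order of cost, so an oversized, non-base64 or unbalanced frame is rejected before base64_decode or json_decode gets to allocate anything. The size limit, depth limit and function names are assumptions.

```php
<?php
// Added example, not from the original article: cheap checks a gateway runs on an
// incoming frame before it spends memory on base64_decode/json_decode. The size
// limit, the depth limit and the message shape are assumptions for illustration.
declare(strict_types=1);

const MAX_ENCODED_LEN = 64 * 1024;   // assumed cap for a "small JSON packed in BASE64"
const MAX_JSON_DEPTH  = 16;

/**
 * Returns the decoded array, or a short rejection reason (string). An invalid
 * frame is rejected without ever allocating more than the raw input size.
 */
function acceptFrame(string $raw)
{
    // 1. Length first: strlen() is O(1), so a multi-megabyte frame is thrown out
    //    before anything is copied or decoded.
    if (strlen($raw) > MAX_ENCODED_LEN) {
        return 'too_large';
    }
    // 2. Character set: base64 is only A-Z a-z 0-9 + / plus trailing '='. Anything
    //    else (including "non-Latin" bytes) is rejected before decoding.
    if (!preg_match('#\A[A-Za-z0-9+/]*={0,2}\z#', $raw) || strlen($raw) % 4 !== 0) {
        return 'bad_charset';
    }
    $json = base64_decode($raw, true);
    if ($json === false) {
        return 'bad_base64';
    }
    // 3. Structural sanity before json_decode: every '{' and '[' must be closed in
    //    order and the nesting must stay shallow. String contents are skipped so
    //    that brackets inside strings do not confuse the count.
    if (!bracketsBalanced($json, MAX_JSON_DEPTH)) {
        return 'unbalanced';
    }
    $data = json_decode($json, true, MAX_JSON_DEPTH);
    if (!is_array($data)) {
        return 'bad_json';
    }
    return $data;
}

/** Single pass over the text: a stack of open brackets, honouring JSON strings and escapes. */
function bracketsBalanced(string $s, int $maxDepth): bool
{
    $stack = [];
    $inString = false;
    $len = strlen($s);
    for ($i = 0; $i < $len; $i++) {
        $c = $s[$i];
        if ($inString) {
            if ($c === '\\') {
                $i++;                      // skip the escaped character
            } elseif ($c === '"') {
                $inString = false;
            }
            continue;
        }
        if ($c === '"') {
            $inString = true;
            continue;
        }
        if ($c === '{' || $c === '[') {
            $stack[] = $c;
            if (count($stack) > $maxDepth) {
                return false;              // too deeply nested
            }
        } elseif ($c === '}' || $c === ']') {
            $open = array_pop($stack);
            if (($c === '}' && $open !== '{') || ($c === ']' && $open !== '[')) {
                return false;              // mismatched or unopened bracket
            }
        }
    }
    return !$inString && $stack === [];
}

// Constructed inputs: a valid frame, a truncated one, and an oversized one.
$good = base64_encode('{"event":"enable_option","params":{"option":"sms","qty":[1,2]}}');
$cut  = base64_encode('{"event":"enable_option","params":{"option":"sms"');   // closing braces missing
$huge = str_repeat('A', MAX_ENCODED_LEN + 4);

var_dump(acceptFrame($good)['event']);   // "enable_option"
var_dump(acceptFrame($cut));             // "unbalanced"
var_dump(acceptFrame($huge));            // "too_large"
```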

2. Start a service with rules by which "suspicious" senders can be identified.

For example, such senders send too many similar messages within an hour, or repeat messages, or send messages on behalf of one customer from different IP addresses... There are many options, use your imagination.

In this case it does not matter how fast such a service is (within reasonable limits, of course); it does not affect the throughput of the whole system.

3. As soon as the service has gathered information that a given sender is suspicious, it dispatches an event into the system and continues with its own business.

4. Place at the input a very simple, fast daemon, a filtering service, whose task is simply to "dumbly" block suspicious senders.

No analysis, no logic, no heavy investment.