PHP project help

[jameshumphries47]

okay so im making a small PHP project, an admin panel for where they login(doing now with a SHA-512 hash and a 128 character salt) so it's pretty secure. And change text and add photos. so one thing i cannot think how to do is add to photos. For example i have a page with 25 photos on i need the admin of the site to add some information to the picture. then that photo will get displayed on the site. now the only way i can think of doing this is by having code which the paramters get entered into. the code gets uploaded to a mysqli database, then on the required page this code is taken from the database and ran. 

now my question is how do i run php code which will be a string in  a variable? is this possible and if not how can i go about doing this? 

Many thanks 

~James

[colonel_mortis]

Please use the PHP password_hash and password_verify functions rather than handling passwords manually - SHA512 is not designed for hashing passwords, and is faster to brute force than dedicated functions such as bcryt.

 

Regarding your original question, are you talking about adding something like a description to the image?

It is possible to execute PHP code from a script using eval(), but it isn't recommended where it can be avoided.

[jameshumphries47]

Please use the PHP password_hash and password_verify functions rather than handling passwords manually - SHA512 is not designed for hashing passwords, and is faster to brute force than dedicated functions such as bcryt.

 

Regarding your original question, are you talking about adding something like a description to the image?

It is possible to execute PHP code from a script using eval(), but it isn't recommended where it can be avoided.

ill look into that thanks. basically its for an animal webpage, and there is some HTML with some parameters like what sort of animal it is, this is nessecary because there is a link on the page to only display a certain type of animal. now i want the admin of this site to be able to add photos. is there another alternative to eval() which is more recomended. is there a better way to do this?

[jameshumphries47]

Please use the PHP password_hash and password_verify functions rather than handling passwords manually - SHA512 is not designed for hashing passwords, and is faster to brute force than dedicated functions such as bcryt.

 

Regarding your original question, are you talking about adding something like a description to the image?

It is possible to execute PHP code from a script using eval(), but it isn't recommended where it can be avoided.

using password_hash now thank you seems much harder to crack im using a custom 128 bit salt. 

[Brenz]

Use a form to upload the images, store the images in a folder and create an entry in the DB with the animal it links to, the image filename and the alt. Then you can just use image tags to display the images from the DB.

[colonel_mortis]

ill look into that thanks. basically its for an animal webpage, and there is some HTML with some parameters like what sort of animal it is, this is nessecary because there is a link on the page to only display a certain type of animal. now i want the admin of this site to be able to add photos. is there another alternative to eval() which is more recomended. is there a better way to do this?

If the admin is able to set arbitrary data that should be displayed with the image, you could store it as HTML in the database, then just output that HTML when the page is requested. If instead the admin sets structured data, you should store that data in the database, then when the page is requested, you load that data from the db, and you can process it to display it on the page and to decide whether you need another link to be displayed (or whatever).

 

 

using password_hash now thank you seems much harder to crack im using a custom 128 bit salt. 

Using a custom salt has been deprecated in PHP 7 - it offers almost no security benefit, and can actually be a security issue if you aren't generating the salt securely. PHP will generate a secure salt for you automatically if you don't supply it.

[jameshumphries47]

If the admin is able to set arbitrary data that should be displayed with the image, you could store it as HTML in the database, then just output that HTML when the page is requested. If instead the admin sets structured data, you should store that data in the database, then when the page is requested, you load that data from the db, and you can process it to display it on the page and to decide whether you need another link to be displayed (or whatever).

 

 

Using a custom salt has been deprecated in PHP 7 - it offers almost no security benefit, and can actually be a security issue if you aren't generating the salt securely. PHP will generate a secure salt for you automatically if you don't supply it.

how can i run the html code from the database? 

and okay i run a custom salt, but is this a secure way to do it? $salt = base64_encode(openssl_random_pseudo_bytes(128, $secure));

i decided i wanted to take on this as more of a learning curve more than anything so thank you for your help

[jameshumphries47]

Use a form to upload the images, store the images in a folder and create an entry in the DB with the animal it links to, the image filename and the alt. Then you can just use image tags to display the images from the DB.

the problem with this is how do i input all the data such as the animal and how do i change this for every photo that needs to be displayed.. if that makes sence

this might help

 <li class="span3 gallery-item" data-id="id-2-" data-type="animal-here">      <img src="img/gallery/pics/pic 3.jpg" alt="Gallery"></a>       <span class="project-details"><a href="gallery-single.htm"></a></span></li>

thats how im doing it i need to use that as a template as such and import the data which is the file path and the data type. which is where im insure, 

[colonel_mortis]

how can i run the html code from the database? 

and okay i run a custom salt, but is this a secure way to do it? $salt = base64_encode(openssl_random_pseudo_bytes(128, $secure));

i decided i wanted to take on this as more of a learning curve more than anything so thank you for your help

When you've loaded it from the DB, just echo it.

$response = your_database_query();echo $response['column_with_html'];

When generating the html, be careful that you don't allow admins to accidentally break things by running

$data_you_can_store = htmlspecialchars($original_data, ENT_QUOTES|ENT_HTML5);

If you are handing untrusted data, is is absolutely critical that you run this to prevent people from injecting script tags into your data.

 

Your method for generating a salt is secure, but 128 characters is unnecessary - 6 characters is plenty. A long salt doesn't increase the security any more than a short one, so you might as well just let it generate the salt itself.

 

 

the problem with this is how do i input all the data such as the animal and how do i change this for every photo that needs to be displayed.. if that makes sence

this might help

 <li class="span3 gallery-item" data-id="id-2-" data-type="animal-here">      <img src="img/gallery/pics/pic 3.jpg" alt="Gallery"></a>       <span class="project-details"><a href="gallery-single.htm"></a></span></li>

thats how im doing it i need to use that as a template as such and import the data which is the file path and the data type. which is where im insure, 

In that case, it would make more sense if you stored the image URL and the type in the database, then run

$response = your_database_query();echo "<li class='span3 gallery-item' data-id='id-{$response['id']}' data-type='{$response['type']'>";echo "<img src='{$response['image_src']}' alt='Gallery'>";

etc (note that you have invalid HTML in the sample that you posted because there are extra </a> tags.

[jameshumphries47]

When you've loaded it from the DB, just echo it.

$response = your_database_query();echo $response['column_with_html'];

When generating the html, be careful that you don't allow admins to accidentally break things by running

$data_you_can_store = htmlspecialchars($original_data, ENT_QUOTES|ENT_HTML5);

If you are handing untrusted data, is is absolutely critical that you run this to prevent people from injecting script tags into your data.

 

Your method for generating a salt is secure, but 128 characters is unnecessary - 6 characters is plenty. A long salt doesn't increase the security any more than a short one, so you might as well just let it generate the salt itself.

 

 

In that case, it would make more sense if you stored the image URL and the type in the database, then run

$response = your_database_query();echo "<li class='span3 gallery-item' data-id='id-{$response['id']}' data-type='{$response['type']'>";echo "<img src='{$response['image_src']}' alt='Gallery'>";

etc (note that you have invalid HTML in the sample that you posted because there are extra </a> tags.

thanks thats really helped me, ill try get all this coded before 11pm my time its now 6 so ill keep you informed. Thankyou and yeah... i was rebuilding the gallery and i forgot to remove them ahaha