PHP MySQL: create an entry into a field (INSERT INTO) while logged in as the current user/session

I did the PHP registration system and it works: https://www.tutorialrepublic.com/php-tutorial/php-mysql-login-system.php

But I created extra fields in the DB so the user can add some data to the database.

All search results only show how to add to the database from scratch, not from the CURRENT SESSION USER, or they are just how to make PHP user registration systems with no further PHP CURRENT SESSION user interaction with the DB.

DB structure is just like on that site I posted above, but I created a URL field so a user can save their favorite URL. DB = **users > username > URL**. Once I get that working I'm going to figure out how a user can append to the field and keep adding URLs.

I came up with this:

    if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
        // single quotes outside so the double quotes of the href do not end the string
        echo '<a href="file.php?save=yes">Add to Favorites</a>';
    }

    if (isset($_GET['save'])) {
        echo "got a save";
        $userID = $_SESSION["username"]; // the leading $ was missing
        echo $userID; // it does give the current username, meaning I'm logged in; session_start() is in the header.
        $URL = $_GET['URLforbookmark'];

        // Bind the values instead of pasting them into the SQL string, and update the
        // logged-in user's own row (users has no UserID column; the row is found by username).
        // The empty value in the error message came from using $UserID where $userID was set.
        // $link is assumed to be the mysqli connection opened in config.php.
        $sql = "UPDATE users SET URL = ? WHERE username = ?";
        $stmt = mysqli_prepare($link, $sql);
        mysqli_stmt_bind_param($stmt, "ss", $URL, $userID);
        if (mysqli_stmt_execute($stmt)) {
            echo "New record created successfully !";
        } else {
            // mysqli_error() takes the connection, not the SQL string
            echo "Error: " . mysqli_error($link);
        }
        mysqli_stmt_close($stmt);
        mysqli_close($link); // likewise, the connection is closed, not the query string
    }

Feedback error reads: Error: INSERT INTO users (test, UserID) VALUES ('theusersfavorurl', '')

Thank you!
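An added example, not from the question or from the tutorial it links, showing the safer shape of the same feature: a separate bookmarks table so one user can keep many URLs (the follow-up the question mentions), prepared statements so the URL and username are bound values rather than SQL text, and a scheme check on the submitted URL. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table layout, the `URLforbookmark` field name carried over from the question, and the user `alice` are constructed sample data. On the real site the PDO DSN would point at the MySQL database from config.php and the session check would gate the call.

```php
<?php
// Added example (not the asker's code, not the linked tutorial's): per-user bookmarks
// stored with prepared statements. In-memory SQLite keeps it runnable anywhere;
// swap the DSN for the site's MySQL connection in production.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // A second table keyed by the user's id lets one user keep many URLs,
    // instead of overwriting a single URL column on the users row.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');
    $db->exec('CREATE TABLE bookmarks (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL REFERENCES users(id),
        url TEXT NOT NULL,
        created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)');
    return $db;
}

// Only absolute http(s) URLs with a host are accepted; javascript: and
// other schemes are rejected before anything touches the database.
function is_valid_bookmark_url(string $url): bool {
    if ($url === '' || strlen($url) > 2048) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Saves a URL for the logged-in username. Both values are bound parameters,
// so the database never interprets them as SQL.
function add_bookmark(PDO $db, string $username, string $url): bool {
    if (!is_valid_bookmark_url($url)) {
        return false;
    }
    $find = $db->prepare('SELECT id FROM users WHERE username = ?');
    $find->execute([$username]);
    $userId = $find->fetchColumn();
    if ($userId === false) {
        return false; // unknown user: nothing is inserted
    }
    $insert = $db->prepare('INSERT INTO bookmarks (user_id, url) VALUES (?, ?)');
    return $insert->execute([(int) $userId, $url]);
}

/** @return string[] the user's URLs, newest first */
function list_bookmarks(PDO $db, string $username): array {
    $stmt = $db->prepare(
        'SELECT b.url FROM bookmarks b JOIN users u ON u.id = b.user_id
          WHERE u.username = ? ORDER BY b.id DESC');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample run standing in for the request handler.
$db = open_db();
$db->prepare('INSERT INTO users (username) VALUES (?)')->execute(['alice']);

$_SESSION = ['loggedin' => true, 'username' => 'alice'];  // stand-in for the real session
$_POST    = ['URLforbookmark' => 'https://example.com/docs']; // POST, not GET, for a state change

if (!empty($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    add_bookmark($db, $_SESSION['username'], $_POST['URLforbookmark']);
}
// A quote in the input is stored as plain text, never executed as SQL.
add_bookmark($db, 'alice', "https://example.com/?q='OR+1=1--");
// Rejected by the scheme check: nothing reaches the database.
var_dump(add_bookmark($db, 'alice', 'javascript:alert(1)')); // bool(false)

print_r(list_bookmarks($db, 'alice'));
```

The save is done from `$_POST` rather than the `?save=yes` link because a GET request that changes data can be triggered by any page the user happens to load; the session check and the bound parameters are the two pieces the original snippet was missing.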

Get all Gravity Form entry IDs for current user and display the highest value

I have a Gravity Form with a user registration plugin installed, so every time someone completes the form, they are added as a user and the submitted form is assigned an entry ID which is linked to that user. But whenever a user re-submits the form a new entry ID is created – there is a column in the "wp_gf_entry" table called "created_by" which contains the user ID for who submitted the form. So I figured I need to find currently logged in user ID, match it against the "created_by" column then find the highest value entry ID for that user, which I will then need to display in a shortcode.

I have figured out how to find the initial entry ID which is linked to the users meta details and display that inside the shortcode, see below.

    $user_id = get_current_user_id();
    $key = 'entry_id';
    $single = true;
    $gform = get_user_meta( $user_id, $key, $single );

    echo do_shortcode('[gravitypdf id="5ffc7508269e7" entry="' . $gform . '" text="Download"]');

This would work great if the entry ID got updated every time the user re-submits the form, as the entry ID would always stay the same, but a new entry ID gets created for every form submission.

So…

That led me to searching for another solution which would update the same entry every time the user re-submitted the form, but I was at a loss and could only find the following, gform_entry_id_pre_save_lead, which after testing wouldn’t work for me and a new entry was created each time.

Ideally I would prefer the first solution, just in case the user needs to access an older entry. Although it’s not essential, so all suggestions and possible solutions are welcome.

I’m relatively new to PHP, but feel like the solution is not far away and feel like the use of the foreach loop and the max() function will help with looping through the array of entry IDs for the current user and finding the max value in that array… I just can’t figure out how to get there with code!

Any help would be appreciated.
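An added example (not the asker's code, and not part of Gravity Forms or WordPress) of the foreach-plus-max selection the question describes, run over a constructed set of rows shaped like wp_gf_entry. In WordPress the rows would come from GFAPI::get_entries(), a real Gravity Forms function; the sample rows, user id 7 and the esc_attr_shim helper are assumptions. Filtering on created_by before taking the maximum also guarantees the entry handed to the shortcode belongs to the current user and not to someone else.

```php
<?php
// Added example: newest entry created by the logged-in user, fed into the
// gravitypdf shortcode from the question. Rows are constructed sample data.
declare(strict_types=1);

/**
 * @param array<int, array{id:int|string, created_by:int|string}> $entries rows shaped like wp_gf_entry
 * @return int|null the highest entry id created by $user_id, or null if the user has none
 */
function highest_entry_id_for_user(array $entries, int $user_id): ?int {
    $ids = [];
    foreach ($entries as $entry) {
        // Compare as ints: the column comes back from the database as a string.
        if ((int) $entry['created_by'] === $user_id) {
            $ids[] = (int) $entry['id'];
        }
    }
    return $ids === [] ? null : max($ids);
}

// Builds the shortcode string; an empty string when the user never submitted.
function gravitypdf_shortcode_for(?int $entry_id, string $pdf_id): string {
    if ($entry_id === null) {
        return '';
    }
    // %d forces the entry id to be numeric; the PDF id is attribute-escaped
    // so nothing in it can break out of the shortcode syntax.
    return sprintf('[gravitypdf id="%s" entry="%d" text="Download"]',
                   esc_attr_shim($pdf_id), $entry_id);
}

// esc_attr() belongs to WordPress; this stand-in keeps the file runnable outside WP.
function esc_attr_shim(string $s): string {
    return function_exists('esc_attr') ? esc_attr($s) : htmlspecialchars($s, ENT_QUOTES);
}

// Constructed sample rows: user 7 submitted three times, user 9 once.
$entries = [
    ['id' => '41', 'created_by' => '7'],
    ['id' => '58', 'created_by' => '9'],
    ['id' => '63', 'created_by' => '7'],
    ['id' => '62', 'created_by' => '7'],
];
$user_id = 7; // in WordPress: get_current_user_id()

$latest = highest_entry_id_for_user($entries, $user_id); // 63, the newest of user 7's entries
echo gravitypdf_shortcode_for($latest, '5ffc7508269e7'), PHP_EOL;
// In WordPress: echo do_shortcode(gravitypdf_shortcode_for($latest, '5ffc7508269e7'));
```

GFAPI::get_entries() also accepts sorting and paging arguments, so asking it for a single row sorted by id descending with the created_by filter returns just the newest entry without loading every row; the loop above is the same selection done in plain PHP once the rows are in hand.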

What does the entry 3/day mean if several spell-like/psi-like abilities are listed?

I am preparing an encounter involving a psionic Yuan-Ti Abomination. The entry in the XPH lists under the section psi-like abilities:

3/day—body purification (6 points*), psionic charm (all targets, 1 day/level, DC 19*), concealing amorpha, deeper darkness, mind thrust (ML 7th, 7d10, DC 18*), psionic suggestion (four targets, DC 16*); (XPH, p. 218)

Does that mean the Yuan-Ti can manifest

a) each psi-like ability listed here 3/day,

b) a total of three manifestations of abilities in this list, including the possibility of using one ability three times,

c) three abilities out of this list once each?

A similar issue arises with the spell-like abilities in the gnome entry in PHB, where it says:

1/day—dancing lights, ghost sound, prestidigitation.

Does this mean gnomes can use each of these abilities once, or only one of these?

What are the spells that have a target other than self (and a target entry) that deals damage?

I asked the question Does Ocular spell make every eligible damage spells have a critical chance since it becomes a ranged touch attack (ray)? and I realized it was a bit hard to find spells that were eligible for Ocular spell that weren’t already touch spells or rays.

@Hey I Can Chan told me about Finger of Death (when the save is successful)

@Erik made me realize Chain lightning was indeed in my requirements.

What other spells meet those requirements?

Sidenote:

- Spells that do damage, ability drain or level loss, since only those can benefit from criticals.

- I’m not sure if healing spells that hurt creatures like undead would work, because I think they normally don’t score a critical even on a natural 20. Correct me if I’m wrong. But would they if they were cast as a ray?

Password entry: are “paste from password manager” and “eyeball to view passwords” mutually-exclusive features?


Context

NIST SP 800-63b gives the following guidance for password forms (aka login pages):

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered. This allows the claimant to verify their entry if they are in a location where their screen is unlikely to be observed. The verifier MAY also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry. This is particularly applicable on mobile devices.

I had the argument made to me that these two features should not be implemented together because they would allow a user to circumvent a password manager’s protection and view the auto-populated password. I suspect this argument won’t hold water, but I’m curious about community opinions.

Does this registry entry for implementing custom protocol handlers in Windows present a security risk?

Background

Some features are not yet available on the web platform and thus require cooperation with a native application in order to provide them. One method for a web application and a native application to communicate with each other is a custom protocol handler.

For instance, the web application can call "mycustomproto://some/params", where "mycustomproto" must first be registered with the operating system as a valid URI protocol. On Windows, this is done in the registry. There are a few keys/subkeys/values etc. that must be added to the registry, but only one actually deals with specifying the executable and its parameter(s).

Note that once the protocol handler is registered with the operating system, it can be launched by any website that knows of its existence, subjecting it to potential abuse.


Example Windows registry value for this purpose

All of the examples that I’ve found documenting this show the following:

C:\myapp.exe "%1"


Primary Question

Assuming that the registered handler (e.g. "myapp.exe") has zero possible security flaws, is the above example registry value sufficient for ensuring that malicious websites are unable to piggyback additional commands and/or arguments?


Clarifications

  • For the purpose of this question, please assume that the protocol handler (e.g. "myapp.exe") is incapable of exposing vulnerabilities of its own – it’s idle – it launches, does nothing, and quits. This question is specifically related to the browser and/or OS and the "execution" of this registry value.
  • Can malicious actors somehow escape out of the "%1" double quotes and cause the browser and/or OS to run additional commands (e.g. && C:\Win32\do-something-malicious.example.exe)?
  • Similarly, can malicious actors somehow send additional arguments to the protocol handler? Or does the "%1" ensure that the handler will only ever receive a single argument?
  • If this registry value is insufficient to only ever call the protocol handler (and nothing more) with a single argument, is there a better way?

Is there a security vulnerability in setting a public DNS entry to a private IP Address?

I recently set up a wireguard server-network configuration with a home server and client devices. I have one main domain that I hope to route everything through via subdomains (in this example, abc.domain.com, def.domain.com, etc.). I hope to use nginx to do this routing.

Is it possible/secure/recommended to register a private IP address (specifically of my home server within the wireguard network, i.e. 10.27.0.1/24) in a public DNS (e.g. Google DNS), so that if you run ping abc.domain.com you would get back 10.27.0.1? I found a few questions that are close to this one (this one covers private IP for public DNS for MX records, this one talks about having A records without much mention of VPN), and the overall picture I get from these links is that it is possible, but not technically perfect since a hacker gets a small piece of info about your local network (the wireguard network is 10.27.0.1/24). Isn’t this relatively a moot point given it’s behind wireguard, assuming I have all of the usual safety checks in place (no remote ssh (root or otherwise) unless on the wireguard network, fail2ban, no password authentication for ssh, etc.)?

This IP (10.27.0.1) would be only accessible through the wireguard network, so I don’t think it would expose the services to the internet. I want to do this so that I don’t have to set up local DNS entries on each device, as I don’t believe this is possible on a phone, and it would be ideal to make one change [i.e. set the DNS entry to 10.27.0.1] and then have each device just run a simple DNS query for abc.domain.com. This would also have the added benefit of only opening the wireguard port, and keeping the firewall closed for 80 + 443.

A corollary of this question is how best do you manage certs/SSL if this is possible? I managed to get certbot working by temporarily exposing port 80 on my server to acquire the certs for abc.domain.com, and then closing 80 to only access the webserver via wireguard through the wireguard port + nginx. I can already see one downside to this method – having to manually open port 80 every time certbot wants to get new certificates (I believe by default this is every 60 days). I understand that wireguard is approximately as secure as SSL/HTTPS, but for my personal OCD I would prefer to have the connection secured through https on top of wireguard. I’m somewhat iffy on the details of managing certs for wildcards, but could I do it with my main domain.com (that is pointing to an internet-facing site) and have it propagate to the subdomains, allowing it to be renewed through that? (this question seems to indicate so)

My goal long term is to expand this into a network that includes family/close friends as a type of ‘intranet’ for sharing photos and using other self-hosted services.

My nginx config file (abc.conf) looks something like this:

    server {
        server_name abc.domain.com;
        # DNS entry of abc.domain.com is 10.27.0.1, which is the local IP for the wireguard network
        # SHOULD NOT be accessible outside of wireguard network

        location / {
            proxy_pass http://127.0.0.1:8000; # proxies to the local service on port 8000
        }

        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot

        # SSL certs provided by certbot [removed manually]
        # (nginx comments use #; // is not recognised and would be a config error)
        # .
        # .
        # .
    }