RMorrison

Ok weird.. I got it to stay on by logging out of all my other accounts then changing it. works now

I'm getting the following error when using imap_open for my gmail account: I'm not getting any suspicious login emails on the account, and the one time I did I was asked to turn on access for less secure apps, which I did but it seems to keep defaulting back to being off. Anyone ele managed to get this working? Code below: <?php /* connect to gmail */ $hostname = '{imap.gmail.com:993/imap/ssl}INBOX'; $username = 'myemail@gmail.com'; $password = 'mypassword'; /* try to connect */ $inbox = imap_open($hostname,$username,$password) or die('Cannot connect to Gmail: ' . imap_last_error()); /* grab emails */ $emails = imap_search($inbox,'ALL'); /* if emails are returned, cycle through each... */ if($emails) { /* begin output var */ $output = ''; /* put the newest emails on top */ rsort($emails); /* for every email... */ foreach($emails as $email_number) { /* get information specific to this email */ $overview = imap_fetch_overview($inbox,$email_number,0); $message = imap_fetchbody($inbox,$email_number,2); /* output the email header information */ $output.= '<div class="toggler '.($overview[0]->seen ? 'read' : 'unread').'">'; $output.= '<span class="subject">'.$overview[0]->subject.'</span> '; $output.= '<span class="from">'.$overview[0]->from.'</span>'; $output.= '<span class="date">on '.$overview[0]->date.'</span>'; $output.= '</div>'; /* output the email body */ $output.= '<div class="body">'.$message.'</div>'; } echo $output; } imap_close($inbox);

You'll have to escape the double quotes in your div style as such: <div style=\"height: 100%; width:100%\"> You're using the same quotes to open the string in PHP so essentially you're telling it to close after = and reopen before the > but since the semi-colon ends a line of php coding, the width partis actually a new php command.

If this is such a big security issue, why do other packages such as phpbb write their config file in a php file after the installation? Fair enough the file already exists and it's empty but they still write it.

I know this can be done seeing as I've used many php packages over time. Basically, I'm trying to run an install.php which will take the mysql connection info, then write to another config.php file for the user. Here is the code I have (at this point, I have verified the database connection is fine) //Connection success, let's create config.php $file = "some/path/to/config.php"; $lines = array( '<?php\n', 'class config\n', '{\n', ' var $mysql_server = \''.$mysql_host.'\';\n', ' var $mysql_port = \''.$mysql_port.'\';\n', ' var $mysql_user = \''.$mysql_user.'\';\n', ' var $mysql_pass = \''.$mysql_pass.'\';\n', ' var $mysql_db = \''.$mysql_db.'\';\n', ' var $table_prefix = \''.$table_prefix.'\';\n', ' var $template_dir = \'styles\';\n', ' var $mysql_server = array();\n', '}\n' ); $writing = fopen($file, 'w+'); foreach ($lines as $line) { fwrite($writing, $line); } chmod($file, 600); The first error in my error log: failed to open stream: Permission denied in public_html/install.php on line 77, referer: ./install.php The rest of the errors are all the fwrite returning I used a boolean instead of resource which makes sense if the file didn't open. I'm gathering it's a permission thing for the directory i'm trying to get the config to write but I have the same setup i've always used and never had this issue with other systems.

The first line was actually the problem. Should have been $sess_id here. The code supplied was part of a switch statement in this case which is why I had break in there. I also modified the check in common.php not to do the check if the user is mid-login in this case.

I made a login for my site, and when testing it, I found that either the cookie is not setting or it is unsetting right after. Code which handles login: if (isset($_POST['login'])) { $submitted_username = request_var('username', false); $submitted_password = request_var('password', false); if (!$submitted_username || !$submitted_password) { $template_file = "user_login.html"; $template->assign_var('ERROR', 1); $template->assign_var('MESSAGE', 'Error: Username or Password not supplied.'); break; } $user_info = $user->user_login($submitted_username, $submitted_password); if ($user_info) { $sess_id = unique_id(); setcookie('hs_user_sess', $sess_id, time()+(86400*30)); //Set cookie for 30 days to auto login. $session_info = array( 'user_id' => $user_info['user_id'], 'uniq_id' => $sess_id ); $query = $db->build_query('insert', SESSION_TABLE, $session_info); if ($db->query($query)) { $template_file = "user_message.html"; $template->assign_var('ERROR', 0); $template->assign_var('MESSAGE', 'Success. User Logged in'); } else { $template_file = "user_message.html"; $template->assign_var('ERROR', 1); $template->assign_var('MESSAGE', 'Error: Unable to save session information'); setcookie('hs_user_sess', '', time()-3600); break; } $userinfo = $user->get_user('session', $sess_id); if ($userinfo) { //Valid session so lets renew cookie and get info from database setcookie('hs_user_sess', $session, time() + (86400*30)); $permissions = $user->get_permissions($userinfo['user_id']); $userinfo['permissions'] = $permissions; $userinfo['logged_in'] = 1; $user->user_info = $userinfo; } } else { $template_file = "user_login.html"; $template->assign_var('ERROR', 1); $template->assign_var('MESSAGE', 'Error: Incorrect Username/Password combination'); } } Code which grabs info from database at start if the cookie exists: if (isset($_COOKIE['hs_user_sess'])){ $session = $db->clean($_COOKIE['hs_user_sess']); $userinfo = $user->get_user('session', $session); if ($userinfo) { //Valid session so lets renew cookie and get info from database setcookie('hs_user_sess', $session, time()+(86400*30)); $permissions = $user->get_permissions($userinfo['user_id']); $userinfo['permissions'] = $permissions; $userinfo['logged_in'] = true; $user->user_info = $userinfo; } else { //Not valid session so lets remove cookie setcookie('hs_user_sess', '', time() - 3600); }} I wholly expect this to be some silly error on my part as I wrote this while at work earlier today and i'm tired and can't for the life of me work it out now. Thanks in advance.

Update Managed to parse the file with this code: $file = './modules/test_mod/test_mod.mod'; $contents = explode("<br />", str_replace("\n","",nl2br(file_get_contents($file))));$some_array = array(); foreach ($contents as $line){ $a = explode('=', $line); $some_array[$a[0]] = $a[1];} This does what I need it to do for getting the information, but is this the best most efficient way to do it?

Okay so trying this out and my brain feels like it's been pickled atm. I have a file test_mod.mod in the folder modules/test_mod/ This file contains: name=test_mod description=A test module to be installed version=1.1.0.1 author=RMorrison

Wouldn't local file inclusion vulnerability only exist if the user is inserting filenames in the url? The way I've been doing it, the files are checking if a file exists before deciding what to do. Going your way, I would need as follows? ./modules/module_name/mod_info.php ./modules/module_name/module.php ./modules/module_name/admin_module.php And then save the enabled modules in a database after they are activated in the admin cp?

I'm trying to make things as simple as possible for a friend. The idea is a CMS system where to install new features they simply have to upload the new files and voila. So far i've managed fine, but there's 1 part I need a little help with. Layout is as follows Main Directory ./includes ...various things here... ./modules ....where the new features will get uploaded to Now lets say there are admin parts to each module, each will consist of a prefix of admin_ in the name (ie, admin_blog.php) where the actual module itself will be blog.php The admin part of the site has it's administrative navigation on the left hand side. How would I go about searching through all files in the modules directory for those beginning with admin_ and then saving the part after to say an array? For example, if i have blog.php, admin_blog.php, forum.php, admin_forum.php I would look through the directory, and put forum.php and blog.php in an array where I can use the information later. Thanks in advance

Thanks I never thought of that. For reference for future people the function is pow()

I've written a small ELO class for calculating a players rating for a game league, and for the life of me I don't know why these calculations are coming up wrong. The Class: <?php class elo { function get_rating($current_rating, $expected, $win = true) { if ($win === true) { $r = $current_rating; $add = 32; $multiplier = 1 - $expected; $add = $add*$multiplier; $r = $current_rating + $add; return round($r,0); } else { $r = $current_rating; $add = 32; $multiplier = 0 - $expected; $add = $add*$multiplier; $r = $current_rating + $add; return round($r,0); } } function get_expected($player1_rating, $player2_rating) { $e = 1; $divider = 1; $power_of = $player2_rating - $player1_rating; $power_of = $power_of / 400; $power_of = 10^($power_of); $divider = $divider + $power_of; $e = $e/$divider; return round($e,2); } } Code for testing: $elo = new elo(); $a = 1000; $b = 1000; $chance['a'] = $elo->get_expected($a,$b); $chance['b'] = $elo->get_expected($b,$a); $chance['%a'] = $chance['a'] * 100; $chance['%b'] = $chance['b'] * 100; echo "Player A ({$a}) has a " . $chance['%a'] . "% Chance of winning.<br/>"; //should be 50% (0.5) echo "Player B ({$b}) has a " . $chance['%b'] . "% chance of winning.<br/>"; //should be 50% (0.5) $winpoints['a'] = $elo->get_rating($a, $chance['a']); //should return 1016 $winpoints['b'] = $elo->get_rating($b, $chance['b']); //should return 1016 echo "Player A's new rating will be {$winpoints['a']} if they win.<br/>"; echo "Player B's new rating will be {$winpoints['b']} if they win.<br/>"; $losspoints['a'] = $elo->get_rating($a, $chance['a'], false); //should return 984 $losspoints['b'] = $elo->get_rating($b, $chance['b'], false); //should return 984 echo "Player A's new rating will be {$losspoints['a']} if they lose.<br/>"; echo "Player B's new rating will be {$losspoints['b']} if they lose.<br/>"; The output i'm getting is as follows, when they should match what i've stated above (as done on paper with a calculator) I've tried re-writing the calculation over and over but just can't get it. I used the Wikipedia page to get my calculations. I've not added K Factor yet but I will be at some point.

I don't see any error. all the links under services work fine for me, no matter where I am on the site. I managed to click on "Proxy Advisory and Solicitation" then in the same category "Telecommunications and Technology" without any issues.

I think the best way to do this would be put the filenames in an array and check each file individually rather than trying to check 2 at a time.