requinix (Administrators)
Everything posted by requinix

  1. What does var_dump() show and what is the bin2hex of it?
  2. You need to define things before you try to use them. You try to use $i without giving it a value anywhere, and you do $arrFeeds[$i]->title without first setting $arrFeeds[$i] to anything. Set $i = 0, I assume, before you try to use it, and initialize the values in $arrFeeds with $arrFeeds[$i] = new stdClass();
  3. Any particular reason for that? Not really possible: the only thing available to you is the HTTP_REFERER and that can be spoofed very easily.
  4. Just to be sure, check the actual Apache configuration. If not then you can simply install it.
  5. Not the "secret question/secret answer" things. Those could have been good but everybody uses stupid ones like "What's the name of your pet?" and "Where did you grow up?" that even the most amateur stalker can find out pretty easily, so yes they're frowned upon now. I mean ask them about information about their account. Maybe they sent a PM to somebody recently. Maybe they were doing some shopping for a type of product. Maybe they were reading something on your site earlier. The point is it's information that you can't just find through Google.
  6. That URL is the one where the player is getting the video from. No, you can't break it and make it incorrect because then the player wouldn't be able to load it either. [edit] For the record, YouTube and porn sites have the same problem. If there was a way, they'd be using it.
  7. The thing I quoted, so those steps from the blog. Admittedly I was answering the question in my head and not quite the one you asked, so it should be more of a "here's how I would probably do it":

     1. The link to go reset their password takes them to a page where they enter their whatever identifier (e.g., username or email address).
     2. Form stores a unique code with the account but doesn't reset the password yet.
     3a. Send an email to the account with a link (including that code) to the next page.
     3b. SMS would be a better alternative as it's much less likely an attacker also has the user's phone. Then the code, a short string of course, is required to continue to the next step.
     4. Page asks questions that supposedly only the user knows the answers to. Possibly multiple pages.
     5. After confirming all that information, allow them to change the password.

     You could actually skip the email step and go straight from 1 to 4, but I like requiring the email as it means an attacker also has to have control over the email account - which could already be the case, of course, so you don't rely on just that. Ditto for SMS except the phone is a real, physical device and not something on the internet. Usual other "gotchas" apply: don't reveal information like whether an account exists, don't let people brute-force this, etc.
  8. Depends mostly on step 3, but let's just say "no": I try the system myself and get some random-looking hash value. I see that's MD5 and Google it, where I discover that's the hash of the number 115982. I look around on my account and don't see anywhere that number is used. I try requesting that page with the hash of 115983, 115984, and so on. They all take me to a page to reset someone else's password. I notice that I'm hitting the reset page for the users immediately after me. Using 115981 uses the one before me. My user ID is 112112, and 115982 - 112112 = 3870. I find the admin account, user ID 2, and try the page with MD5(2+3870). It works. I reset the admin password and I'm in. Now it does depend on what you do with the "display a form" part, but at least this entire encrypt=hash nonsense is useless.
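A worked contrast of the two schemes in posts 7 and 8, added here as an example and not requinix's own code: the guessable md5(user id + offset) token the reply above walks through, next to a random, hashed, expiring, single-use token for step 2 of the reset flow. The offset 3870 and the ids 112112 and 2 come from the post; the in-memory array standing in for a password_resets table, the user id 42 and the 15-minute lifetime are constructed for the demo.

```php
<?php
// Added example (not requinix's code). An in-memory array stands in for a
// password_resets table; a real site would also rate-limit and log attempts.

const WEAK_OFFSET = 3870; // the offset the post's attacker derives

// --- Weak scheme from post 8: the "encrypted" user id ---
function weakToken(int $userId): string
{
    return md5((string)($userId + WEAK_OFFSET));
}

// The attacker only knows their own id and token. Brute-forcing the offset
// then lets them mint the token for any other id, here the admin (id 2).
function forgeWeakToken(int $myId, string $myToken, int $targetId, int $maxOffset = 1000000): ?string
{
    for ($offset = 0; $offset <= $maxOffset; $offset++) {
        if (hash_equals($myToken, md5((string)($myId + $offset)))) {
            return md5((string)($targetId + $offset));
        }
    }
    return null;
}

// --- Stronger scheme for step 2 of post 7 ---
// Only a hash of the token is stored, so a leaked table cannot be replayed.
function issueResetToken(array &$store, int $userId, int $ttlSeconds = 900): string
{
    $token = bin2hex(random_bytes(32));       // 256 random bits, derived from nothing the attacker knows
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + $ttlSeconds,
    ];
    return $token; // goes into the emailed/SMSed link only, never onto the page
}

// Returns the user id the token belongs to, or null for unknown, expired or
// already-used tokens. The caller should answer identically in all three
// cases so the response doesn't reveal whether an account or token exists.
function consumeResetToken(array &$store, string $token): ?int
{
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    unset($store[$key]);          // single use, whether or not it was still valid
    if ($row['expires'] < time()) {
        return null;
    }
    return $row['user_id'];
}

// --- Demo ---
$myId = 112112;                                   // ids from the post
$forged = forgeWeakToken($myId, weakToken($myId), 2);
echo "forged admin token valid: ", $forged === weakToken(2) ? "yes" : "no", "\n";

$resetRequests = [];                              // constructed stand-in for the DB table
$token = issueResetToken($resetRequests, 42);
echo "first use: ", var_export(consumeResetToken($resetRequests, $token), true), "\n";
echo "second use: ", var_export(consumeResetToken($resetRequests, $token), true), "\n";
echo "random guess: ", var_export(consumeResetToken($resetRequests, bin2hex(random_bytes(32))), true), "\n";
```

Run it from the command line with php. The point of the second half is that nothing about the token can be computed from the account: it is random, it is looked up by its hash, it dies after one use or fifteen minutes, and the "display a form" step only runs once consumeResetToken() has returned a user id.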
  9. Like with a print_r() or var_dump() of an array, you have to navigate down through the layers to get the data you want. You're starting at the top. First (and only) thing you can use is ICProductAvailByWhseResult. Your next choice is between errorMessage and arrayAvailability, of which you want the latter. Then "ICProductAvailByWhse.output.Availability" is next, but mere -> syntax isn't enough to access that. Then you'll get an array, and then you can do [0]->warehouse.

     foreach ($xml->ICProductAvailByWhseResult->arrayAvailability->{"ICProductAvailByWhse.output.Availability"} as $availability) {
         echo (string)$availability->warehouse;
     }

     Note the (string) because pretty much everything you get from a SimpleXMLElement object will be another SimpleXMLElement object - cast to string to get the plain value. Technically it's unnecessary here because echo will do it automatically for you, but do it anyway so you get in the habit.
  10. Yup. That's exactly the case. error_log('Hello') has PHP telling Apache what to log, so Apache is the one doing the logging. Using error_log() to write to a specific file has PHP doing the logging.
  11. Is the

      root 17936 0.0 0.1 404344 14592 ? Ss 13:20 0:00 /usr/sbin/httpd

      from earlier still there? Apache can switch from root to another user, but not the other way.
  12. Literally just

      nowcast:

      is invalid. There must be something after the colon. How about this. It looks like the value will be a string. Maybe an empty string. Or maybe even null. But probably not an array or object. You already have the fully-decoded JSON as $parsed_json, and you have nowcast as the variable $nowcast. The easiest way to check for something "being empty" is

      if (empty($nowcast)) {

      empty() would also consider the string "0" to be empty, but I doubt that the "nowcast" thing would ever be just the number 0. What's more, even if it was, that's not a very useful value so you might as well pretend it was empty. All my questions up until now were because I wanted to find out - no, to have you tell me - what kind of values nowcast could be. And the answer was just what I said: about how it "will be a string". That's all. I didn't expect it to be so difficult...
  13. How can you tell if it's empty without knowing what its value is? Does empty mean null? Array with no items? Object with no properties? You only have to check the value once for yourself. When you know exactly what "empty" means then you can make sure your code checks for that. The reason they used that is because sometimes SimpleXML and json_decode() will produce objects with invalid property names. Like a node named "the-node-name": naturally you can't do $xml->the-node-name. PHP has a way where you can bend the rules a bit: the {} syntax you had.

      $xml->{"the-node-name"}

      While it works for valid property names too, like "current_observation", there really isn't any reason to use it then. And as you said, it sure looks cleaner without.
  14. If you say so... What matters is the HTML source of the page. What is it?
  15. ...That error message comes from Outlook. What are you doing with this code?
  16. Now the "json != null" and "json.getString" are completely wrong. You've already decoded the JSON. Up at the top. You don't have to do any more decoding. Use var_dump($nowcast) to see the value(s) you have to work with. Then you can decide what you should check for in your code. While I'm here,

      $Updated = $parsed_json->{'current_observation'}->{'observation_time'};
      $location = $parsed_json->{'location'}->{'city'};
      $nowcast = $parsed_json->{'current_observation'}->{'nowcast'};

      Please don't use the {} syntax when it's not needed. Regular property access will work just fine.

      $Updated = $parsed_json->current_observation->observation_time;
      $location = $parsed_json->location->city;
      $nowcast = $parsed_json->current_observation->nowcast;
  17. Unless $nowcast (which is distressingly close to $nowCast) is, itself, JSON data - thus an array encoded into JSON twice - you should only be looking at $nowcast by itself. No json_decode(). Or you could dump the value of $nowcast and see what you're actually working with.
  18. Jacques will be around shortly. He loves these threads. Until then...

      - Always use mysql(i)_real_escape_string() on everything coming from outside your own PHP code, including anything in $_GET, $_POST, $_REQUEST, and $_COOKIE.
      - Also use it when dealing with string values in SQL. Yes, you would use it on $s['username'] because it is a string and you don't know that it's safe to use. "Safeness" is about whether the value can mess up your SQL query because it has quotes or something that you're also using, not about where the data came from.
      - Nowadays don't use stripslashes(). There are legitimate uses for it but none of them involve sanitizing form data or running SQL queries.
      - Use htmlspecialchars() for outputting data into HTML and XML. You should use ENT_QUOTES in the second argument and you should always make sure it uses the correct encoding (such as by using the third argument).

      Even better than wondering when to use mysql(i)_real_escape_string() is to use prepared statements instead. They're a tiny bit slower but you don't have to think about SQL injection. mysqli and PDO only - not available with the mysql extension and mysql_* functions. You make a query with placeholders for where the data should go, like INSERT INTO table (username) VALUES (?), prepare it, then when you execute it you say what that data should be.
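Added example (not requinix's code) of what the post means by a value that "can mess up your SQL query": a constructed quote-breakout payload run against a string-concatenated query and then against the placeholder version, plus the htmlspecialchars() call with ENT_QUOTES and an explicit charset for output. It uses PDO with an in-memory SQLite database so it runs offline; the same PDO calls apply to MySQL. The users table, its rows and the payload are constructed for the demo.

```php
<?php
// Added example (not requinix's code). PDO + in-memory SQLite so it runs
// without a server; swap the DSN for mysql:... and the rest is unchanged.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('admin')");

// Constructed "form input": the quote closes the string literal early
$input = "nobody' OR '1'='1";

// Vulnerable: the value becomes part of the SQL text, so its quote ends the
// literal and the rest is parsed as SQL (the OR applies to every row).
function lookupConcatenated(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: ? is a placeholder; the bound value is compared as data and is
// never parsed as SQL, quotes included.
function lookupPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The INSERT with a placeholder that the post describes
function addUser(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare("INSERT INTO users (username) VALUES (?)");
    $stmt->execute([$username]);
}

// Output encoding: ENT_QUOTES escapes both ' and " (so the value is safe
// inside either kind of attribute quote); the charset is stated explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "concatenated query with the payload:\n";
print_r(lookupConcatenated($pdo, $input));

echo "prepared query with the same payload:\n";
print_r(lookupPrepared($pdo, $input));

addUser($pdo, $input);                     // the quote is stored as an ordinary character
echo "prepared query after storing the payload as a username:\n";
print_r(lookupPrepared($pdo, $input));

echo "encoded for an HTML attribute:\n";
echo '<input value="' . h($input) . '">', "\n";
```

Run it with php from the command line. The first print_r() lists every user because the WHERE clause was rewritten by the input; the second lists none, and the third lists exactly the stored payload, which is the behaviour you want: the database treats the string as a string and the HTML encoder treats it as text.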
  19. Short answer is you can't. Long answer is that you can make it harder but ultimately the "user" has to know the URL for them to be able to go retrieve and play the video. The "Copy video URL" is because you're using HTML 5 stuff to show the video and you can't hide that; if you used a Flash player then you'd have full control over the right-click menu - but you still wouldn't be able to completely hide the URL.
  20. Not sure what distro you're using but somewhere is configuration that tells what user/group Apache should switch to after launching.
  21. So only root can access /var/log/httpd - that's why you're having problems. And yes, definitely don't run as root.
  22. Okay, easy question: What are the permissions on /var/log/httpd and /var/log/httpd/test?
  23. You can't. It's writable only by root and I'm sure you're not running as root.
  24. PHP needs not just write permission on the file itself but also execute permission on all the parent directories.
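Added diagnostic (not requinix's code) for the permission problem in the last few posts: starting from / it checks the execute (search) bit on every parent directory, then write permission on the file or, if the file doesn't exist yet, on the directory that would hold it, and reports the first thing that fails together with the mode and owner. /var/log/httpd/test is the path from the thread; the path is assumed to be absolute and the system POSIX.

```php
<?php
// Added example (not requinix's code). Explains why a PHP process can't
// write a file: the first parent directory it can't traverse, or the file
// or directory that lacks write permission. Assumes an absolute path.

function describeMode(string $path, int $uid): string
{
    return sprintf('mode %04o, owner uid %d, running as uid %d',
        fileperms($path) & 07777, fileowner($path), $uid);
}

function explainWriteAccess(string $path): string
{
    $uid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();

    // Every directory above the target needs the x (search) bit for us;
    // without it the kernel refuses to look up the next path component.
    $parents = [];
    for ($dir = dirname($path); ; $dir = dirname($dir)) {
        $parents[] = $dir;
        if ($dir === dirname($dir)) {   // reached "/"
            break;
        }
    }
    foreach (array_reverse($parents) as $dir) {   // top-down, so stat() on each entry is permitted
        if (!is_dir($dir)) {
            return "$dir does not exist or is not a directory";
        }
        if (!is_executable($dir)) {
            return "cannot traverse $dir (" . describeMode($dir, $uid) . ")";
        }
    }

    if (file_exists($path)) {
        return is_writable($path)
            ? "$path is writable"
            : "$path exists but is not writable (" . describeMode($path, $uid) . ")";
    }
    // A new file needs write permission on the directory that will hold it
    $dir = dirname($path);
    return is_writable($dir)
        ? "$path does not exist but can be created in $dir"
        : "$path does not exist and $dir is not writable (" . describeMode($dir, $uid) . ")";
}

// Demo: the log file from the thread, plus a location that normally works
foreach (['/var/log/httpd/test', sys_get_temp_dir() . '/phpfreaks-test.log'] as $target) {
    echo $target, ': ', explainWriteAccess($target), "\n";
}
```

Drop it in the web root and request it once so it runs as the Apache user, not as you; on the setup described in the thread the first line names /var/log/httpd as the directory that can't be traversed, which is the problem the posts above are pointing at. Delete the script afterwards: it leaks uids and modes to anyone who can fetch it.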
  25. Why you're going to /sites/login is straightforward: you gave the browser the relative location "login" so if you're trying to go to /sites/123 then it will take you to /sites/login. If you went to /sites/123/, with the trailing slash, then you'd be redirected to /sites/123/login. You need an absolute URL in there so you don't have to worry about paths.