requinix

Everything posted by requinix

  1. I'm saying it's not an attack. Look at what's in the query.

         href=httpindianautoobservercomfemale url=httpindianautoobservercomyang httpksign-mallcom trading

     That's HTML and BBCode and straight up URLs and spam terms. For spam. They're spamming. SQL injection will have keywords like "SELECT" or pieces like "1=1".
  2. Looks like you strip out non-alphanumeric characters? Someone's botting your search page with spam, thinking it might be a kind of comment form or something. Is it causing a problem? Something you can just ignore? They'll leave once they realize they're not accomplishing anything.
  3. That is correct. There are two stages to dealing with data: getting it and displaying it.

     When you get the data from the user you should only try to correct for "errors" with the input. Such as there being leading or trailing space - not so much an error per se but very likely undesirable. You may trim() in that stage.

     Then when you're displaying the data you might need to do some special things to it:

     * Unless told otherwise HTML will collapse whitespace down into a single space character: if I type blank lines in a textarea (which will show up as blank lines to me, such as the one before this paragraph) and then you display it in regular HTML, all those blank lines will disappear. If you don't want that then you can use nl2br() to "fix" it. To be clear, that fixes how the text is being displayed.

     * Meanwhile if that text contains HTML and you simply output it, the browser will very happily treat it like real HTML. You very likely don't want that either and that's what htmlentities() can help with: it will make sure the text that I entered is literally what I will see on the page. If I type "<b>old</b>" then I will see exactly "<b>old</b>" again - not a bolded word. If you do want people to use HTML then you should use BBCode instead: it's too difficult to provide a way to allow people to use HTML safely. (You can make the BBCode tags look like HTML though...) Again, this is a matter of how the input was being displayed which is why you also don't use this function until the last possible moment.

     Of course between getting and displaying the data you have to store it somewhere. Since you can't use mysqli/PDO (for now) then you need to make sure the data goes into the database safely. That's the only purpose for mysql_real_escape_string() and thus the only time you should use it.

     So,
     - trim() for the input
     - mysql_real_escape_string() when you put unknown/unsafe strings into SQL queries
     - htmlentities() and nl2br() (in that order if you need both) for the output
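The three stages from the post above, as an added PHP example that is not requinix's code. It assumes a live mysqli connection $db for the storage stage (the mysql_* functions no longer exist in PHP 7+, so mysqli's real_escape_string() stands in for mysql_real_escape_string()) and uses a constructed comment as the input.

```php
<?php
// Added example: one function per stage so the three concerns stay separate.

// Stage 1, input: only correct things like stray whitespace. Nothing else.
function clean_input(string $raw): string
{
    return trim($raw);
}

// Stage 2, storage: escape only at the moment the string goes into SQL,
// and only with the escaper that belongs to the connection in use.
// Assumes a mysqli connection $db; never reuse this function for output.
function insert_comment_sql(mysqli $db, string $text): string
{
    return "INSERT INTO comments (body) VALUES ('" . $db->real_escape_string($text) . "')";
}

// Stage 3, output: escape the HTML first, then turn newlines into <br />.
// Doing it in this order keeps the user's "<b>" as literal text while the
// <br /> tags added by nl2br() stay real markup.
function render_comment(string $stored): string
{
    return nl2br(htmlentities($stored, ENT_QUOTES, 'UTF-8'));
}

// Wrong order, kept here only to show the difference: nl2br() runs first, so
// htmlentities() then escapes the <br /> it inserted and the browser shows
// "<br />" as text instead of a line break.
function render_comment_wrong_order(string $stored): string
{
    return htmlentities(nl2br($stored), ENT_QUOTES, 'UTF-8');
}

// Constructed input: a user typed bold tags, a blank line and padding spaces.
$raw    = "  <b>old</b>\n\nsecond paragraph  ";
$stored = clean_input($raw);          // what would go to the database

echo render_comment($stored), "\n";             // tags shown literally, lines kept
echo render_comment_wrong_order($stored), "\n"; // "<br />" leaks into the text
```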
  4. Use [code] tags when posting code.

         if (isset($_POST['submit']))

     If that's not true then neither $SongToAdd nor $ExistingSongs will exist. You probably need to move the in_array() stuff up into that if block.
  5. Have you checked the value of $lines? Is it correct? How are you calculating it?
  6. sleep() does not count towards execution time so your script will not terminate after five minutes. However both of them will eventually die: the first script has more code and so will die sooner, but your test script will die too if you wait long enough. However you look at it, you told PHP to stop after some amount of time so why are you surprised that PHP is stopping after some amount of time?
  7. requinix

    XSS

    Not allow arbitrary HTML. BBCode et al. are there specifically for that kind of situation.
  8. Yep.
  9. Potentially, depending what you're doing with it. Why are you editing a .php file with code?
  10. Ah, typo.

          $filenoext = substr($file, 0, -strlen($extension) - 1);

      Negative number. If the extension is "ogg" then it should act like substr($file, 0, -4) (-1 for the period).
  11. Scan a file? You mean directory. Really confusing otherwise.

      Build an array beforehand of the names of files and their various extensions. Like

          $rawvideos = glob('videos/*.*');
          natcasesort($rawvideos);
          $videos = array();
          foreach ($rawvideos as $file) {
              $extension = substr($file, strrpos($file, '.') + 1);
              // negative length: drop the extension and the period from the end
              $filenoext = substr($file, 0, -strlen($extension) - 1);
              if (!isset($videos[$filenoext])) {
                  $videos[$filenoext] = array();
              }
              $videos[$filenoext][] = $extension;
          }

      Then do your normal loop over $videos but you can check for extensions. Or go fancy and use another loop.

          $types = array(
              'mp4' => 'video/mp4',
              'ogg' => 'video/ogg'
          );
          foreach ($videos as $filenoext => $extensions) {
              echo '<video controls tabindex="0">';
              foreach ($extensions as $extension) {
                  // only emit a <source> for extensions we know the MIME type of
                  if (isset($types[$extension])) {
                      echo '<source src="' . $filenoext . "." . $extension . '" type="' . $types[$extension] . '" />';
                  }
              }
              echo '</video>';
          }
  12. But if you're writing a "short manual for storing passwords in the DB" then you really should include salting.
  13. Unlikely since the thread is ALMOST FIVE YEARS OLD.
  14. I must be misunderstanding you because it sounds like you said "there are no records, then it inserts one, and then there's a record".
  15. cURL can do multiple connections at once. See curl_multi_init for an example.
  16. I don't see how it's at all possible to get that "You are now enrolled! 1" message with the code you've given. Is it your actual code or did you paraphrase it for the post?
  17. No, it's not. When you decide to install computer monitoring software, be sure to let them know that you don't trust them. Goes a long way towards showing them how you feel.
  18. A little too overzealous with the pluses.

          /[a-z0-9-]+/checkout/[a-z0-9-]+/thank-you

      You might not need to escape the slashes (they'd probably tell you to if you did) and you might need ^ and $ anchors (if they say anything about it matching parts of the URL and not the entire thing).
  19. Well, the individual letters in each segment would be [a-z0-9-] (add a A-Z if the regex isn't already case-insensitive), and to have more than one use a + quantifier. The rest is basically just a literal copy of the URL you're matching.
  20. Change where? Where are the new phone numbers coming from? How will the PHP script know what to use?
  21. And what's the code for buyupgrade()? Because now that I see this it's probably a Javascript question.
  22. That's a URL, not a query. What is "?skill=web-design" supposed to do? What does the $skills array have to do with it?
  23. You can't base64_encode() an array. Given the code you've shown, what are you trying to get out of it?
  24. Probably. If you would be oh so kind as to explain what you're talking about I'm sure you could get a better answer.
  25. That's what the $fname is for.