FalseProphet

That did it! Thank you so much, this freakin' thing has been bugging me for two days straight now.

var_dump doesn't print anything, but it's strange. If I comment the header out of apnetwork_login.php I can see that everything post correctly, and I can view cookie data there. [edit] Here is some debug data... Okay, so cookies are NOT getting set. But why? My apnetwork_login.php script shouldn't contain any errors with the cookie headers? The debug data below was taken directly from apnetwork_login.php

I don't get any errors at all and apnetwork_login.php is in the right directory. When I try to log in, the browser just refreshes and I am still presented with the login form, which should not occur. In my temporary directory it worked fine, I would see "Welcome to the site, name" whenever I logged into the test account.

I wrote a simple login system to try out new things with. It works super great until I pull it out of my temporary testing directory and onto the real site. My website structure: [+] mywebsite.com - index.php [+] system [+] scripts - apnetwork_login.php [+] mydatabase [+] database - admin.log index.php <?PHP if ($_COOKIE['apn_clientname'] != "") { $apnetLogin = $_COOKIE['apn_clientname']; $apnetPassword = $_COOKIE['apn_clientpass']; } function LoginFunction($apnetLogin,$apnetPassword) { // TODO: ereg express apnetpassword & apnetlogin $filePath = "../mydatabase/database/"; $fileFullPath = $filePath . $apnetLogin . ".log"; if (file_exists($fileFullPath) == TRUE) { $file = file($fileFullPath); if ($file[0] == $apnetPassword."\n") { // Login successful $clientLoggedIn = TRUE; } else { // Login unsuccessful - incorrect password echo "Unable to log you in, $apnetLogin"; $clientLoggedIn = FALSE; } } if ($clientLoggedIn == TRUE) { // Logged in successfully echo "<font color=#ff0000>Welcome to the site,</font> <font color=#dd1111>$apnetLogin!</font>"; } else { // Not logged in echo '<form method="post" action="system/scripts/apnetwork_login.php">'; echo '<input type="submit" class="csubmit" value="Login"/>'; echo '<input type="password" name="apn_password" class="pinput" value="Password"/>'; echo '<input type="text" name="apn_name" class="linput" value="Username"/>'; echo '</form>'; } } ?> <html> <head> </head> <body> <div> <?PHP LoginFunction($apnetLogin,$apnetPassword); ?> </div> </body> </html> APNetwork_Login.php <?PHP $apnetLogin = $_POST['apn_name']; $apnetPassword = $_POST['apn_password']; if (setcookie("apn_clientname",$apnetLogin)) { if (setcookie("apn_clientpass",$apnetPassword)) { header('location:http://mywebsite.com/index.php'); } } else { echo "Error logging in."; } ?> Any idea's? I am stumped. Like I said, it works perfectly if I have it in the original folder that I tested the code on. But anywhere else it just don't work.

i need solution not suggestion about using any browser. I didn't mean to strike a nerve, sorry. From my limited knowledge, IE6 does not support the mouse over effect. The website I linked to was an official Microsoft page.

You should stop supporting Internet Explorer 6. It's time to let it go. IE6 doesn't support CSS very well. http://ie6countdown.com/

Hi Ken, Here is my include() code. $pageID = $_GET['id']; $charIllegal = array(); $charIllegal[0] = "/\.\.\//"; $charIllegal[1] = "/\//"; $charIllegal[2] = "/\%/"; if ($pageID != "") { $fileExt = substr(strrchr($pageID, '.'), 1); if ($fileExt == "php") { if (file_exists("scripts/" . preg_replace($charIllegal,"",$pageID)) == TRUE) { include("scripts/" . preg_replace($charIllegal,"",$pageID)); } } else { if (file_exists("pages/" . preg_replace($charIllegal,"",$pageID)) == TRUE) { include("pages/". preg_replace($charIllegal,"",$pageID)); } } } else { // todo }

I was using Include() with an ereg expression to strip all harmful characters out of the $_GET['id'];. However, a few people have stated to me that no matter what I do this function is not safe to use and is easily exploitable even after removing illegal characters from $_GET['id']; Now I am looking for a way to include a web page that uses html and php. file() does not work as it includes my php code within the output so anyone can read it. File_get_contents() did not display any of the page whatsoever.

I fixed the issue, it was caused by using float:left; in the wrong place. I am using float to create a horizontal unordered list. Are there better ways?

I have a styled Unordered List that appears all over the place in these three browsers. In Chrome, the list looks just fine, in Internet Explorer, it's borked. I set up a new style just for IE(using conditional comments) and that fixed it for the most part. Now, FireFox just doesn't seem to want to fall into line. I was expecting the page to look exactly like it does in Chrome however, it doesn't. It resembles Internet Explorer's version before I introduced it's own stylesheet. Doctype: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"> CSS in question: div.navbar-content { position:absolute; left: 60px; top: 20px; } ul { list-style:none; } li { float:right; padding:0px 15px 5px; } Why is this broken so? I can't see any reason it wouldn't work properly in FireFox. Are there any tricks I can use in detecting if the users browser is FireFox? I've tried using PHP's get_browser() function but that always reports browser => default browser no matter what browser I use.

I managed to "hack" my own site through exploiting the download script. So no, its not secure at all.

Use CSS and HTML for this.

Bring up my post!

anyone?

I lost the ability to edit my post..? Anyway, here is my Upload script and my download script. Upload.php <?PHP $fileName = $_FILES['fileupload']['name']; $pathUploads = "../../../uploads/" . $_FILES['fileupload']['name']; if (strstr($_FILES['fileupload']['name'],"../") || strstr($_FILES['fileupload']['name'],"%") != TRUE) { if(move_uploaded_file($_FILES["fileupload"]["tmp_name"], $pathUploads)) { echo "File uploaded successfully.<br>Download link: <font color=#0055ff>http://mywebsite.com/system/temp/download.php?file=$fileName</font>"; echo "<br> This link is CASE SENSITIVE!"; } else { echo "File size exceeded. Maximum size: 2MB"; } } else { echo "File contains illegal characters."; } ?> Download.php <?PHP $getID = $_GET['file']; $fileID = "../../../uploads/" . $getID; if (strstr($getID,"\\") || strstr($getID,"/") || strstr($getID,"../") || strstr($getID,"%") != TRUE) { // header code below taken from php.net if (file_exists($fileID)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename=' . basename($fileID)); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Pragma: public'); header('Content-Length: ' . filesize($fileID)); ob_clean(); flush(); readfile($fileID); } // header code above taken from php.net else { echo "File does not exist on the server!"; } } else { echo "Illegal string not allowed."; } ?>

This is my download script: <?PHP $getID = strtolower($_GET['file']); $fileID = "../../../uploads/" . $getID; if (strstr($getID,"\\") || strstr($getID,"/") || strstr($getID,"../") || strstr($getID,"%") != TRUE) { // header code below taken from php.net if (file_exists($fileID)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename=' . basename($fileID)); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Pragma: public'); header('Content-Length: ' . filesize($fileID)); ob_clean(); flush(); readfile($fileID); } // header code above taken from php.net else { echo "File does not exist on the server!"; } } else { echo "Illegal string not allowed."; } ?>

Anyone?

I'm allowing users to upload a file into a directory that is inside of my ftp's root directory(what is the proper term for this area anyway?) Anyway, I am uploading to this folder: + www.mywebsite.com/ + files/ + images/ - welcome.jpg + system/ - text.txt - index.php + upload/ <-- here, this one right here - an_uploaded_file.zip If I have a php script that downloads from this folder would I need to worry about someone doing something that is not intended? I don't want someone overwriting my index.php with their own.

I tried the tizag code and it worked just fine. The code I was using was near identical except I wasn't using basename(). I think my problem was CHMOD in the folder not being set by filezilla(it seems to take several attempts to get it to set..).

It's good that you refuse to believe this since I never said any such thing. I simply said that it produced nothing that would work for me(out of my own stupidity, probably as I am still very new to web development). I receive this warning whenever I use move_uploaded_file: Warning: move_uploaded_file() [function.move-uploaded-file]: URL file-access is disabled in the server configuration Which is why I added allow_url_fopen in my topic. I thought the two were correlated together.

I wrote a rather simple email script that I used when I was stuck to an old cell phone. Excuse the terrible table set up in send.htm. send_message.php <?PHP // PHP Mail Script $sendname = "From: [email protected]"; $recvemail = $_POST["recvemail"]; $mailsub = $_POST["mailsub"]; $message =$_POST["message"] . "\n\n\n\n\n\nsent from mywebsite.com, you can not reply to this message"; $Home = "<a href=http://website.com>Home</a>"; if (mail($recvemail,$mailsub,$message,$sendname) == TRUE) { echo "Sent message.\n" . $Home; } else { echo "Failed to send message!\n" . $Home; } ?> send.htm <html> <body> <form method="post" action="Send_Message.php"> <table frame="box"> <tr> <td> <input type="text" name="recvemail" size="40" value="[email protected]"/> </td> </tr> <tr> <td> <input type="text" name="mailsub" size="40" value="Subject"/> </td> </tr> </table> <table frame="box"> <tr> <td> <input type="text" name="message" size="40" value="Message"/> </td> </tr> <tr> <input type="submit" value="Send"/></form> <form action="index.php"><input type="submit" value="Cancel"/></form> </tr> </table> </body> </html>

I need a way a user can upload a file onto my website(it's a shared site, I believe, but I own the domain), I've tried using the cURL library but it seems a bit over my head at the moment. And everything I tried with it would not result in a file being uploaded into any folder. What can I do what I need? I've searched around and never found anything that worked for me.