Drongo_III
Members, 579 posts

Everything posted by Drongo_III

  1. Thanks for the reply. So if I did wish to do it all in one line what is the correct syntax? Also, are you sure that request_uri contains the query string data? It's just on the apache website they state for request_uri: The real reason I'm exploring this is a long story but it has to do with trying to sniff out dodgy URL-encoded data to stop reflected XSS attacks - i.e. through scripts appended to the URL. I've seen fixes for this that all target the query string parameters but the XSS attack I'm trying to fix doesn't use a query string. So I figured it would be prudent to run a condition on both the query string and the URL. Incidentally this is for a flat PHP website so there isn't much I can do to protect the URL besides htaccess.
  2. Hi Guys This may be a silly question. Apologies in advance. Let's say I wanted to write a rewrite condition where I need to test both the query_string and the request_uri against the same regex. Is it possible to almost parametrise these in one line? e.g.

     RewriteCond %{REQUEST_URI, QUERY_STRING} SOME-PATTERN etc.

     Or would I have to always split these across two lines using the [OR] flag:

     RewriteCond %{REQUEST_URI} SOME-PATTERN etc. [OR]
     RewriteCond %{QUERY_STRING} SOME-PATTERN etc.

     Thanks, Drongo
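A worked configuration added here as an example (it is not from the thread): mod_rewrite has no comma-separated multi-variable form, so the two-line [OR] version is the supported way to apply one expression to both the path and the query string. THE_REQUEST is shown as the one-condition alternative. The pattern itself is an illustrative assumption, as is the choice to answer with 403.

```apache
RewriteEngine On

# Same expression applied to the decoded path and, via [OR], to the raw query string.
# The pattern is illustrative: a literal or %-encoded "<script" or "onerror=".
RewriteCond %{REQUEST_URI}  (<|%3C)script|onerror(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script|onerror(=|%3D) [NC]
RewriteRule ^ - [F,L]

# Alternative: THE_REQUEST is the raw request line ("GET /path?query HTTP/1.1"),
# so path and query string can be tested in one condition. It is still URL-encoded,
# which is why the %XX forms are in the pattern as well.
RewriteCond %{THE_REQUEST} (<|%3C)script|onerror(=|%3D) [NC]
RewriteRule ^ - [F,L]
```

Either form is a blocklist: it only stops the shapes it names, and a 403 in the access log is mainly useful as a detection signal. The fix for the reflected XSS described further down this page is output encoding of whatever the page echoes, with a rule like this as defence in depth.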
  3. Hello It was brought to my attention that my website is susceptible to reflected XSS attacks. I should say that all pages on my site are static PHP. The attack was demonstrated to me by adding the following to the end of a page's URL:

     %22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e?sub=t

     For the sake of brevity this adds an image to my page with the onerror event firing the alert. Presumably this can be adapted to incorporate an external script. I've trawled around trying to find a concise checklist of what needs to be done to thwart this type of attack. The only solution I've come upon so far is to use

     Header set X-Content-Security-Policy "allow 'self'"

     in the htaccess file and white list all legitimate scripts. My questions: 1) Is using the X-Content-Security-Policy header actually a solid solution for guarding against reflected XSS? 2) What else should be on my checklist of things to do to guard against this specific attack? Any help would be very much appreciated!
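An added example, not the poster's code, showing where this kind of reflection usually comes from on "static" PHP pages and what the fix looks like. The assumption is that the page builds a form action (or canonical link, breadcrumb, etc.) from a request-derived value such as $_SERVER['PHP_SELF'] or PATH_INFO, which is what lets a payload in the URL path rather than the query string reach the markup. The function names and the sample path are constructed for the example.

```php
<?php
// Added example (not from the thread). Same input, vulnerable and fixed output side by side,
// plus the standard Content-Security-Policy header as a second layer.

// Vulnerable: the current URL goes into an attribute with no encoding.
function formActionVulnerable(string $requestUri): string
{
    return '<form action="' . $requestUri . '" method="post">';
}

// Fixed: encode for the HTML-attribute context. ENT_QUOTES covers both quote characters,
// so the value cannot close the attribute or the tag.
function formActionSafe(string $requestUri): string
{
    $encoded = htmlspecialchars($requestUri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $encoded . '" method="post">';
}

// Defence in depth, sent from PHP rather than .htaccess. The standard header name is
// Content-Security-Policy; X-Content-Security-Policy with its "allow" syntax is the
// obsolete experimental form. With script-src 'self' and no 'unsafe-inline', inline
// handlers such as onerror="..." are not executed even if they reach the page.
function cspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample: the path from the post as PHP_SELF/PATH_INFO would deliver it (decoded).
$path = '/page.php/' . rawurldecode('%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e');

if (PHP_SAPI !== 'cli') {
    header('Content-Security-Policy: ' . cspHeaderValue());
}
echo formActionVulnerable($path), PHP_EOL; // the quote closes the attribute; <img ...> becomes live markup
echo formActionSafe($path), PHP_EOL;       // &quot;&gt;&lt;img ... stays inert text inside the attribute
```

The checklist answer is therefore: encode every reflected value for the context it lands in (attribute, element text, URL, JavaScript string), set a real Content-Security-Policy header as a backstop, and treat the header alone as insufficient, since older browsers ignore it and a policy that allows inline scripts would not help.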
  4. I never cease to be impressed by regex and the people who get it Thank you!
  5. Hi Guys I have a regex conundrum that at first I thought would be very easy but then appears to be quite hard :/ I want to match a string with a regex where the regex can only pass if it contains letters and numbers (nothing else) and it has to contain at least one of each. I've been trying out lookaheads but just can't get it right. Any help is appreciated. Drongo
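An added example, not from the thread, of the lookahead approach the post is reaching for: one lookahead per required character class, followed by a character class that restricts the whole string. The constant name and the sample inputs are constructed for this example.

```php
<?php
// Added example (not the poster's code).
// (?=.*[a-z]) asserts at least one letter somewhere, (?=.*[0-9]) at least one digit,
// both from the start of the string; [a-z0-9]+ then requires the entire string to be
// letters and digits only. \z rather than $ so a trailing newline cannot slip past.
const ALNUM_MIXED = '/^(?=.*[a-z])(?=.*[0-9])[a-z0-9]+\z/i';

function isLettersAndDigits(string $s): bool
{
    return preg_match(ALNUM_MIXED, $s) === 1;
}

// Constructed inputs with the expected verdicts.
$cases = [
    'abc123'  => true,
    'a1'      => true,
    'abc'     => false,  // no digit
    '123'     => false,  // no letter
    'abc-123' => false,  // hyphen is not allowed
    ''        => false,
    "abc1\n"  => false,  // trailing newline rejected by \z
];
foreach ($cases as $input => $expected) {
    $input = (string) $input;   // PHP turns the key '123' into an int
    $ok = isLettersAndDigits($input) === $expected;
    printf("%-10s %s\n", var_export($input, true), $ok ? 'ok' : 'MISMATCH');
}
```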
  6. Hi Guys I have a question about maintaining scope in OOP. I may just be going about it in completely the wrong way but I'm here to learn. Let's say I have a base class called 'first' set out as per the code below. In the first class there is a method that instantiates another class - called second. This second class extends the first class and I want it to be able to set errors on the first class. The only way I can maintain its scope is to pass $this into the constructor of the second class. My questions are: 1) Is this the right way to maintain scope? 2) Would this be bad practice and I should explore a different model for setting out these classes? 3) Would it be considered better practice to make $errors a static property? Keen to do things the right way so any advice is very welcome

     class first {
         public $errors = array();
         public function __construct(){
             $this->callSecondClass();
             $this->render();
         }
         public function callSecondClass(){
             $t = new second($this);
         }
         public function render(){
             echo "I am rendering errors:";
             print_r($this->errors);
         }
     }
     class second extends first {
         public function __construct($obj){
             $obj->errors[] = 'ERROR FROM SECOND CLASS';
         }
     }
     // run the example
     new first();
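An added example, not the poster's code, of the usual alternative to passing $this into a subclass: composition with a shared error collector. Both classes receive the same ErrorBag instance, so neither needs a reference to its "parent", `second` no longer has to extend `first` just to reach $errors, and no static property is required. The class names and the validation rule are assumptions; it needs PHP 8.0 or later for constructor property promotion.

```php
<?php
// Added example (not from the thread): dependency injection of one error collector.

final class ErrorBag
{
    private array $errors = [];

    public function add(string $message): void { $this->errors[] = $message; }
    public function all(): array { return $this->errors; }
    public function hasErrors(): bool { return $this->errors !== []; }
}

// Plays the role "second" had in the post: it records errors, but owns no page state.
final class Validator
{
    public function __construct(private ErrorBag $errors) {}

    public function check(array $input): void
    {
        if (!isset($input['name']) || trim($input['name']) === '') {
            $this->errors->add('name is required');
        }
    }
}

// Plays the role "first" had in the post: it renders whatever the shared bag collected.
final class Page
{
    public function __construct(private ErrorBag $errors, private Validator $validator) {}

    public function run(array $input): string
    {
        $this->validator->check($input);
        return $this->errors->hasErrors()
            ? 'Errors: ' . implode('; ', $this->errors->all())
            : 'No errors';
    }
}

$bag  = new ErrorBag();
$page = new Page($bag, new Validator($bag));   // same instance handed to both collaborators
echo $page->run(['name' => '']), PHP_EOL;      // Errors: name is required
echo $page->run(['name' => 'Drongo']), PHP_EOL; // still reports the earlier error: the bag is per request
```

Because the bag is an ordinary object created per request, separate requests never see each other's errors, which is the problem a static $errors property would introduce.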
  7. Thanks for the response hopeless. I think maybe I was looking at it incorrectly... So would something like this be correct?

     /^www.mysite.com[\/]?[a-z\-\_]*(?!php|html|htm)[\?\=\&a-z0-9]*$/

     So match the literal url, an optional forward slash, then match anything that might be a file name (but this is optional), then negative match any of those file extensions and if they aren't present match something representing a query string (optionally). Does that make sense?
  8. Thanks Kicken that worked perfectly. I need to go away and dissect this now to understand what's going on.
  9. Hi Guys Bit stuck on a negative lookahead and not sure that what I want to achieve is possible. Let's say I have a domain: www.mysite.com I want to have a regex that will match www.mysite.com?q=123&g=34 but I don't want to match any file extensions like .php or .html So the first part of matching the query string and the literal url is fairly straightforward (below) which matches any query string that may be applied

     /^www.mysite.com[\/]?[\?\=\&a-z0-9]*$/

     But then I want to use a negative lookahead to avoid matching a file extension, e.g.

     /^www.mysite.com[\/]?[\?\=\&a-z0-9](?!php|html|htm)$/

     But this doesn't work - presumably because the negative lookahead is following a character class. So my questions: can you use a negative lookahead in this way? If not, how can I achieve what I'm trying to? Any help appreciated! Drongo
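An added example for this question and the follow-up in post 7 above (it is not the poster's or the responder's code). A lookahead is zero-width, so placed after a character class it inspects the position after the class has already consumed its characters; placed right after the host name it can scan the rest of the path before anything is consumed, which is what the post wants. The constant name, the accepted URL characters and the sample URLs are assumptions.

```php
<?php
// Added example (not from the thread): host, optional path, optional query string,
// rejecting any path whose file name ends in .php/.htm/.html.
const NO_SCRIPT_EXT = '/^www\.mysite\.com\/?'
    . '(?![^?]*\.(?:php|html?)(?:\?|$))'   // lookahead over the path part only ([^?] stops at the query)
    . '[a-z0-9\/._-]*'                      // optional path
    . '(?:\?[a-z0-9=&]*)?$/i';              // optional query string

function matchesSite(string $url): bool
{
    return preg_match(NO_SCRIPT_EXT, $url) === 1;
}

// Constructed cases with the expected results.
$cases = [
    'www.mysite.com?q=123&g=34'    => true,
    'www.mysite.com/?q=1'          => true,
    'www.mysite.com/blog/post-1'   => true,
    'www.mysite.com/index.php?q=1' => false,
    'www.mysite.com/about.html'    => false,
    'www.mysite.com/about.htm'     => false,
    'www.mysite.com/style.css'     => true,   // only the listed extensions are excluded
];
foreach ($cases as $url => $expected) {
    printf("%-32s %s\n", $url, matchesSite($url) === $expected ? 'ok' : 'MISMATCH');
}
```

The dots in the host are escaped, which the patterns in the thread omit; an unescaped dot would also accept wwwXmysiteXcom.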
  10. Hi Guys I'm a bit stuck on a query and hoping someone can help. I'm sure this has a really simple solution. Below is a simplified representation of a table and I'm trying to select all of the data but where there are instances of the same postID I want to only select the row with the highest version number. So for instance in a select all on the table below I would expect to get IDs of 2, 3 and 4.

     id | postID | version
     1  | 2      | 1
     2  | 2      | 2
     3  | 1      | 1
     4  | 3      | 1

     Any help is much appreciated.
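An added example, not from the thread, that loads the post's four rows into an in-memory SQLite database and runs the "highest version per postID" query; the SQL is plain enough to run unchanged on MySQL. The table name `posts` and the use of PDO with the pdo_sqlite extension are assumptions.

```php
<?php
// Added example (not the poster's code).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, postID INTEGER NOT NULL, version INTEGER NOT NULL)');

// Constructed rows, exactly as in the post.
$ins = $db->prepare('INSERT INTO posts (id, postID, version) VALUES (?, ?, ?)');
foreach ([[1, 2, 1], [2, 2, 2], [3, 1, 1], [4, 3, 1]] as $row) {
    $ins->execute($row);
}

// Derived table of (postID, highest version), joined back to fetch the matching row.
function latestVersions(PDO $db): array
{
    $sql = 'SELECT p.id, p.postID, p.version
            FROM posts p
            JOIN (SELECT postID, MAX(version) AS maxVersion
                  FROM posts
                  GROUP BY postID) m
              ON m.postID = p.postID AND m.maxVersion = p.version
            ORDER BY p.id';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

foreach (latestVersions($db) as $r) {
    printf("id=%d postID=%d version=%d\n", $r['id'], $r['postID'], $r['version']);
}
// Returns the rows with id 2, 3 and 4.
```

If two rows could share the same postID and version, both would come back; a unique index on (postID, version) is the usual way to rule that out.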
  11. Hi Guys Thanks for sticking with me whilst I try to grasp what is probably an overwhelmingly simple concept...however... This is what has me confused. Excerpt from the google page I referenced: So what I don't understand is what's the value that "uniquely identifies a resource..." when you place the following in your htaccess? How does the ETag get its unique identifier? Is it set automatically somehow?

     <Files somefile.css>
         FileETag MTime Size
     </Files>
  12. I would suggest two possibilities: 1) check your include path - get_include_path() 2) could it be that you are returning a relative path?
  13. Thanks jacques. I'm still confused as to how etags are implemented on a per resource basis. I realise it can be implemented through htaccess but how would you define it for a particular resource? Sorry if I am being slow on this but nothing I read on google leaves me very enlightened.
  14. Hi Guys I have recently been looking into implementing browser caching after reading this: https://developers.google.com/speed/docs/best-practices/caching There are a few things in that google article that don't make much sense to me so I'm hoping someone can clarify. Firstly Question The document says: "we recommend that you configure your web server to explicitly set caching headers and apply them to all cacheable static resources" This implies you can set caching headers for just some resources. How would you do this? Lets assume I only wanted to set caching headers for a file styles.css - would I need to output headers within the CSS file and then change the extension to .php? e.g.

     <link rel="stylesheet" href="styles.php"/>

     Second question Etags have me very confused. How would you set etag headers for specific files and then generally? And if you set the etag in the header of the main php page does that mean everything gets cached? Any help someone can provide would be very, very welcome! Drongo
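An added configuration example for the three ETag/caching posts above (11, 13 and 14); it is not from the thread. It shows how caching headers are applied to some resources only, from .htaccess, so styles.css stays a plain static file and does not need to become styles.php, and how the ETag value comes to exist. The lifetimes and file patterns are assumptions; mod_expires must be enabled.

```apache
# Added example (not from the thread).

<IfModule mod_expires.c>
    ExpiresActive On
    # Per-type lifetimes: static assets get a long lifetime, HTML is left alone.
    # mod_expires emits both an Expires header and Cache-Control: max-age=N.
    ExpiresByType text/css        "access plus 1 week"
    ExpiresByType text/javascript "access plus 1 week"
    ExpiresByType image/png       "access plus 1 month"
    ExpiresByType image/jpeg      "access plus 1 month"
</IfModule>

# The ETag is generated by Apache for each static file served; you never write the
# value yourself. FileETag only chooses which file attributes go into it. With MTime
# and Size the tag changes whenever the file is rewritten or its size changes, and,
# unlike INode, does not differ between servers holding the same copy of the file.
<FilesMatch "\.(css|js)$">
    FileETag MTime Size
</FilesMatch>
```

Headers set by a PHP page apply to that response only; a stylesheet is a separate request, so nothing in the main page's headers caches it. Scoping the directives to file names or MIME types, as above, is what "apply them to all cacheable static resources" means in practice.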
  15. Hello It sounds like you want to remove an event handler? If so here are some options: 1) If registering events with jquery .on() then you can use jquery .off() to remove the event temporarily 2) If you simply wish to stop the event bubbling then you can use the e.stopPropagation() method which will stop the bubbling of a child element executing parent element click handlers. Hope that helps - possibly with more clarity I could help more.
  16. The example code below returns the values of the photoFiles array:

     var json = {"status":1,"recId":"PL-17534","collectionDate":"08-04-2014","collectorsName":"asdf","donorsName":"","sciName":"asdf","family":"asdf","comName":"asdf","variety":"","area":"asdf","photoFiles":["1.jpg","internet.jpg"]};
     $.each(json.photoFiles, function(key, val){
         //return '<img src="'+val+'"><br>';
         console.log('<img src="'+val+'"><br>');
     });

     I'm not sure I fully understand what you are trying to achieve by returning in an anonymous function but that code works to give you access to each of the values.
  17. Little more research has uncovered the answer. Apparently function declarations are loaded into the execution context before anything else. Whereas a function expression is evaluated only when the parser reaches it. Hope that helps anyone else confused by this quandary.
  18. Hi Guys I wonder if someone can explain something that is probably quite basic. When I try to add an event listener and target a normal function this works fine - e.g. 'window.addEventListener('load',test)'. However, if I try to target a function that is a property of an object this fails - e.g. 'window.addEventListener('load',initialiser.init)'. Further in this latter case I also get a console log saying it's undefined. The code for this example is below. So my question is why does it fail onload when I use a function in an object as opposed to a straight function? Presumably it's something to do with the way the document and the code are loaded or initialised but what is it that makes them behave differently. Thanks, Drongo

     <script>
     //this function call works fine
     //window.addEventListener('load',test);

     //this function call fails and is undefined in console
     window.addEventListener('load',initialiser.init);

     //example object holding a method
     var initialiser = {
         init:function(){
             alert('Init called!');
         }
     };

     //some random function
     function test(){
         alert('test called!');
     }
     </script>
  19. Hi Ben Firstly you would be best to have a setter method on your first calculator class e.g.:

     public function setNumbers($propName, $propValue){
         // cast the value passed in and store it under the given property name
         $this->{$propName} = (int)$propValue;
     }

     You then call that method like this to set a new property without being constrained to particular methods:

     $WhateverYourObjectIsCalled->setNumbers('number1', 50);

     Extends vs include The point of extending a class is that you inherit all of the properties from the parent class and these can be overridden with new versions of the property or methods from the extending/child class. When you extend a class you do not need to implicitly instantiate the parent class and you can access all of its methods using $this-> - i.e. as if those properties and methods were part of the extending class. However, if you simply included the new class and instantiated you would have to access the base class' properties via an instance of that object. This is best illustrated in code:

     //############ Preferred inheritance route ##########
     class a {
         public $somePropFromA = 'Prop from A!';
     }
     class b extends a {
         public function getProp(){
             echo $this->somePropFromA; // Can access any property or method from 'a' using $this->
         }
     }
     $b = new b;
     $b->getProp();

     //############ include route - not preferred ##############
     // lets imagine you have included class 'c' file here
     class c {
         public $somePropFromC = 'Prop from C!';
     }
     // note we are not extending c in this instance
     class d {
         public $c;
         public function __construct(){
             // because the class is now included and not extended the properties aren't inherited and can only be accessed
             // from an object instance - in this case $this->c = new c;
             $this->c = new c;
         }
         public function getProp(){
             // echo $this->somePropFromC; CANNOT NOW ACCESS c's properties using $this-> because we aren't inheriting them
             echo $this->c->somePropFromC; // this is how we must now access properties
         }
     }
     $d = new d;
     $d->getProp();

     So hopefully from the code above you can see by not extending the class you lose the ability to inherit its properties and methods - though they can still be accessed via a much more verbose syntax. It's hard to see the significance in the simplistic calculator class but once the complexity of the base class increases you then begin to see the power and flexibility afforded by inheritance via extending parent classes. I am sure that someone else will propose additional benefits but this is one of the main ones that springs to my mind.
  20. Hello all I am implementing TinyMCE in a small CMS system. I have enabled the 'image insert/edit plugin' (as per code below/attached screenshot) but it's very limited. I therefore would like to edit the popup for this plugin to include a custom button which will pop an additional overlay displaying all available images from the server (rather than just the text list that the plugin by default allows). The problem is that the plugin is minified in the production version of tinyMCE, so it's hard to work directly on that, and when I download the development version of tinyMCE I cannot see the corresponding image plugin that exists in the production version. So, can anyone advise on: a) Should I be using the development package to edit this plugin? b) Is the plugin simply not available in the development package? Or is it under some other name? c) is there actually a much simpler way to add a button to this popup that doesn't require changing the plugin at all? Any help would be massively appreciated! Drongo

     <script type="text/javascript">
     tinymce.init({
         selector: "textarea",
         plugins: "image",
         image_advtab: true
     });
     </script>
  21. Ok so my first post didn't garner much of a response but hopefully now I have more of an idea of what I need to achieve one of you bright sparks can nudge me on course. I'm using php/mysql to create a search engine for a site I am working on. I've resorted to using MATCH/AGAINST in Boolean mode (code snippet below) but I really am quite stuck on how I might go about ordering the results based on relevancy. If someone could point me in the right direction on this it would be very helpful :/

     SELECT * FROM articles WHERE MATCH (title,body) AGAINST ('database' IN BOOLEAN MODE);
  22. Hello I soon need to build a php/mysql search feature for a website and I am hoping someone can nudge my research in the right direction. The search functionality is essentially an index of pages. The database table will likely never hold more than 1000 rows max. I read on the MYSQL website that using natural language full text searches are the way to go. However, it also states that where a table contains limited rows, and therefore where occurrences of a search term appear more than 50% of the time, this can return no results. So here are my questions: Is it correct to use natural language full text searches for a table with no more rows than around 1000? If not, can anyone propose another method. For instance should I simply stick to using LIKE searches? Any tips for ensuring efficiency? Any help you can provide is much appreciated as I've not tried to build a search function before so this is all a bit new! Drongo
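An added example for the two search posts above (21 and 22); it is not the poster's code. MySQL returns the relevance score when the same MATCH ... AGAINST expression appears in the select list, so the rows can be ordered on it, and the search term is bound as a parameter rather than spliced into the SQL. Boolean mode, as in the post, is not subject to the natural-language 50% threshold that drops common terms on small tables. The DSN, credentials, table and column names are placeholders; it needs a MySQL table with a FULLTEXT index on (title, body).

```php
<?php
// Added example (not from the thread): relevance-ordered full-text search with a prepared statement.
function searchArticles(PDO $db, string $term, int $limit = 20): array
{
    // Two placeholders for the same value: with native prepares MySQL does not allow
    // one named parameter to be reused. The term is bound, never interpolated.
    $sql = 'SELECT id, title,
                   MATCH (title, body) AGAINST (:q1 IN BOOLEAN MODE) AS relevance
            FROM articles
            WHERE MATCH (title, body) AGAINST (:q2 IN BOOLEAN MODE)
            ORDER BY relevance DESC, id ASC
            LIMIT :lim';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':q1', $term, PDO::PARAM_STR);
    $stmt->bindValue(':q2', $term, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details.
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares; LIMIT then needs PARAM_INT binding
]);

foreach (searchArticles($db, 'database') as $row) {
    printf("%.3f  %s\n", $row['relevance'], $row['title']);
}
```

Binding the term prevents SQL injection but does not neutralise boolean-mode operators (+, -, *, quotes) typed by the user; they only change which rows match, so either strip them or document them as a feature. At around a thousand rows a LIKE query would also be fast enough, but it gives no relevance score, which is the reason to stay with MATCH.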
  23. Have you checked the source html of the email to ensure that is free from some unexpected addition? Email clients are obviously renowned for rendering issues. Possible idea at least.
  24. Hi Guys I am after a little advice. I'm working on a fairly large volume site - 2-3 million hits a month for a large company. The reason this is significant will become clear. I'm creating a multistage signup form (though it is very specific and volumes are likely to be quite low) and part of it requires image uploads - around 2-6 images with max total file size of around 10mb. However, I am a little concerned as to whether this image upload represents a vulnerability. Images get uploaded halfway through the registration process irrespective of whether the user completes because we use the uploaded images to display as thumbnails in the page as they upload each one. I have a cron script set to run each day that cleans down images of more than 1 day old that don't have a corresponding database record. But my concern is if someone wanted to attack the form they could probably automate an upload to the site over and over and potentially cause big problems. I was wondering if anyone else had ever encountered the same issue or concern and how you recommend getting around it. Possible ways I can think of are:

     - log IPs and deny multiple submissions from the same IP
     - run the cron more frequently to clean up

     I have also considered some sort of unload ajax event that would call a cleanup script but I wasn't sure that would really fix this issue since a seasoned attacker would likely circumvent that quite easily. Any advice is very welcome. Drongo
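An added example, not the poster's code, of the server-side checks that belong in front of a temporary upload like the one described: a per-session file count and byte quota (so an unfinished registration cannot keep adding files), a size limit per file, a content check on the bytes rather than the client-supplied name or type, and a server-chosen file name. The limits, the session keys, the upload directory and the accepted types are assumptions; it is meant to be called from a request handler after session_start().

```php
<?php
// Added example (not from the thread).
const MAX_FILES_PER_SESSION = 6;
const MAX_BYTES_PER_FILE    = 2 * 1024 * 1024;
const MAX_BYTES_PER_SESSION = 10 * 1024 * 1024;
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Validates one entry of $_FILES and moves it into $uploadDir under a random name.
 * Returns the stored file name, or a string starting with "error:".
 */
function acceptImageUpload(array $file, string $uploadDir, array &$session): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if ($file['size'] > MAX_BYTES_PER_FILE) {
        return 'error: file too large';
    }

    // Per-session quota, checked before any work is done on the file.
    $count = $session['upload_count'] ?? 0;
    $bytes = $session['upload_bytes'] ?? 0;
    if ($count >= MAX_FILES_PER_SESSION || $bytes + $file['size'] > MAX_BYTES_PER_SESSION) {
        return 'error: upload quota reached';
    }

    // Decide on the bytes, not on $file['name'] or $file['type'], which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime]) || getimagesize($file['tmp_name']) === false) {
        return 'error: not an accepted image';
    }

    // Random name with a server-chosen extension: no traversal, no user-chosen .php suffix.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        return 'error: could not store file';
    }

    $session['upload_count'] = $count + 1;
    $session['upload_bytes'] = $bytes + $file['size'];
    return $name;
}

// Usage from the handler (assumes the form's CSRF token has already been verified):
// $result = acceptImageUpload($_FILES['photo'], __DIR__ . '/tmp_uploads', $_SESSION);
```

The session quota bounds what one client can store between cron runs without relying on IP addresses, which many legitimate users share behind NAT; an IP-based rate limit at the web server is still a reasonable second layer. Keep the temporary directory outside the document root, or serve it with PHP execution disabled, and keep the daily cron: the quota limits the rate, the cron limits the total.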
  25. Thanks guys - that's a very definitive answer. I realise it's just an OR statement but I've never tried to return one of two values - I would ordinarily evaluate the statement and return one or the other via a conditional, which seems to be the consensus. But I suppose there might be handy instances where it's worth using. Thanks all.