r0b

Everything posted by r0b

  1. It's exactly what my script posted above does. It refreshes the page every minute and checks if the value is a match yet. One refresh per minute equals a page refreshed 1440 times per day, which would equal 1440 visitors per day. I hope Apache wouldn't need to be restarted for that small amount of hits. (I made it refresh every 50 seconds, so that would make it refresh 1200 times, which is even less than 1440.)
  2. Yes, but that method will only work if your page is visited every day... and especially at midnight. Sorry for the double post. Correct, the page has to be opened by at least one user; in my case I had this page opened at all times on at least one computer.
  3. NOTE: In this code I used a 24-hour system while you probably need a 12-hour one. If that's the case, replace the capital H with a small h.
  4. I've actually made this happen in plain PHP and HTML (the code for it is below). It basically checks the current time against the wanted one. So let's say we have a variable named $currentTime, which is whatever the time it is. The next variable is $wantedTime, which is, in your case, 00:00. I ran a check if $currentTime equals $wantedTime every time the page refreshes. (I used a meta content refresh every 59 seconds, which isn't good, but in my case, it did the justice.) When the times equaled one another, it redirected to another page. EDIT: (here's the code) - Save this as index.php and change anotherPage.php to your wanted page with execution. Or you can execute it in the first if statement.

     <?php
     $wantedTime = "00:00";
     $currentTime = date("H:i");
     echo "The time is: $currentTime<br />";
     echo "Script will execute at $wantedTime<br />";
     if($currentTime == $wantedTime) {
         echo '<meta http-equiv="refresh" content="0; url=anotherPage.php">';
     } else {
         echo '<meta http-equiv="refresh" content="50;url=index.php">';
     }
     $to = strtotime($wantedTime);
     $from = strtotime($currentTime);
     $calculation = round(abs($to - $from) / 60, 2);
     echo "<br />The code will execute in $calculation minutes";
     ?>
  5. I think I'm getting closer to the problem, or at least an idea on how to solve this:

     $ill = "<";
     $ill .= "?";
     $url = basename($_SERVER['PHP_SELF']).$_SERVER['QUERY_STRING'];
     if(strpos($url, $ill) !== FALSE) // found
         echo die("error");

     What I'm trying to do here is, if the URL contains both < and ?, show an error, but still no luck. Still trying to make the original idea work, to show an error if < is used in a URL, even if it has a ? in front of it. (Works perfectly if there's no ? in front of it.)
  6. I also know this would work (note I replaced < with ? this time):

     if(strpos($url, "?") !== FALSE) // found
         echo die("error");

     But I don't want to block the "?", I just want < to be blocked no matter what (even if it has the question mark in front of it).
  7. I'm facing a problem with a simple script I wrote. It has to write out an error if there's a "<" character in the URL.

     $url = basename($_SERVER['PHP_SELF']).$_SERVER['QUERY_STRING'];
     if(strpos($url, "<") !== FALSE) // found
         echo die("error");

     Which does the right thing, for example: example.com/< will output an error, while example.com/?< doesn't output the error. Does anyone have any idea how to make "<" display the error even if the ? (question mark) is in front of it?
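An added example, not r0b's code, showing why the check in item 7 misses example.com/?<: a browser percent-encodes "<" when it appears in a query string, so $_SERVER['QUERY_STRING'] holds "%3C" and strpos($url, "<") has nothing to find. Decoding the two parts before comparing closes that gap. The sample inputs are constructed in the shape Apache hands to PHP; the function name and the last, already-decoded sample are assumptions.

```php
<?php
// Added example, not r0b's code. Decode the path and query string once (the
// same decoding PHP applies when it fills $_GET) before looking for "<".

/** True when the decoded script name or query string contains "<" or ">". */
function urlHasAngleBracket(string $phpSelf, string $queryString): bool {
    // rawurldecode() handles upper- and lower-case hex ("%3C" and "%3c") alike.
    $decoded = rawurldecode(basename($phpSelf)) . '?' . rawurldecode($queryString);
    return strpbrk($decoded, '<>') !== false;
}

/** Constructed samples: [PHP_SELF, QUERY_STRING, should it be blocked?]. */
function checkCases(): array {
    $cases = [
        ['/index.php', '',             false],
        ['/index.php', '%3C',          true],   // example.com/?<  as the browser sends it
        ['/index.php', 'page=%3cb%3e', true],   // example.com/?page=<b>
        ['/index.php', 'page=Home',    false],
        ['/index.php', 'page=<',       true],   // assumed: a query string that already holds a literal "<"
    ];
    $results = [];
    foreach ($cases as [$self, $qs, $expected]) {
        $got = urlHasAngleBracket($self, $qs);
        $results["$self?$qs"] = ($got === $expected) ? 'as expected' : 'MISMATCH';
    }
    return $results;
}

// At the top of a page: refuse the request before anything else is echoed.
if (PHP_SAPI !== 'cli'
    && urlHasAngleBracket($_SERVER['PHP_SELF'], $_SERVER['QUERY_STRING'] ?? '')) {
    http_response_code(400);
    exit('error');
}
print_r(checkCases());
```

Treat this as a tripwire rather than the defence: a character blocklist on the URL says nothing about what arrives in a POST body or a cookie, whereas htmlspecialchars() applied wherever the value is echoed handles "<" regardless of where it came from.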
  8. You realize embedding and iframing could be used so maliciously it's not even funny? I mean, an iframe is literally a window TO ANOTHER WEBPAGE. lmao. Sorry, just had to point that out. First off, I recommend modifying that loop; using all of REQUEST is not necessary. I mean, that means you're even running $_GET through this, when really the data you want to sanitize is most likely $_POST data. For $_GET, a great deal can be handled through whitelisting and typecasting. I'm sure a lot of your stuff is whatever.php?action=post&id=1, so the actions or whatever your $_GET key is can be whitelisted into an array and checked to be in there, and you can typecast the $_GET[id] to integer, forcing it to be an integer. As for $_POST, just make sure you're following the FIEO rule: filter input, escape output. Pretty much the standards are: only allow the input you can allow, which means using prepared statements/mysql_real_escape_string. Escaping output is all about displaying the information to the browser; to that extent you would generally want to translate ALL html into its entities, however you want to allow certain tags. I would allow the most basic of tags, p, b, i, etc. And have your own code for embedding things; notice in open source projects, when you want to embed a video, you don't just throw an embed tag in there, you do something like [embed=url] and their software processes it and I'm sure validates it in some way to make sure it isn't malicious and then converts that to the html code to embed on output. As for looping through $_POST and doing it that way, I'm sure if you want some sort of flexibility this will fail; there are going to be times when you do want html to go through, and you may end up having to html_entity_decode, but that's for a later discussion.

     foreach ($_POST as $postKey => $postVal) {
         $_POST[$postKey] = strip_tags($postVal, "<p><b><i>");
         // encode what strip_tags() left, not the original $postVal (that would throw the stripping away)
         $_POST[$postKey] = htmlentities($_POST[$postKey], ENT_QUOTES, "UTF-8");
     }

     Thank you very much for replying with such an explanation. I might have found a simpler way of solving it, which won't increase the size of the CMS, where every kB counts. Marking this as solved. Thanks again Zurev, you saved me a couple of days' worth of programming.
  9. Solved this with three lines on the index.php:

     $hostname = $_SERVER['PHP_SELF'];
     $hostname = str_replace('index.php', '', $hostname);
     $hostname = str_replace($page, '', $hostname);

     Cheers
  10. The code works just fine, but it's causing one problem: when logging into the admin panel from a page, for example example.com/Home, trying to log in to the administration panel at example.com/?login, the link becomes example.com/Home?login. This problem doesn't occur if I log in directly to the admin panel from example.com.
  11. Seconds later I think I just figured it out. This works; is the code okay?

      Options +FollowSymLinks
      Options +Indexes
      RewriteEngine on
      RewriteCond %{SCRIPT_FILENAME} !-d
      RewriteRule ^([^\.]+)$ ?page=$1 [NC,L]

      And is this a valid-looking htaccess file? (posting the whole htaccess)

      # more password protection
      <Files password>
      order allow,deny
      deny from all
      </Files>
      Options +FollowSymLinks
      Options +Indexes
      RewriteEngine on
      RewriteCond %{SCRIPT_FILENAME} !-d
      RewriteRule ^([^\.]+)$ ?page=$1 [NC,L]
  12. I'm currently using

      Options +FollowSymLinks
      Options +Indexes
      RewriteEngine on
      RewriteCond %{SCRIPT_FILENAME} !-d
      RewriteRule ^([^\.]+)$ $1.php [NC,L]

      for changing URLs from example.com/pagename.php to example.com/pagename. I recently finished a CMS which uses URLs like example.com/?page=Pagename. Could anyone help me with the htaccess code for changing example.com/?page=Pagename to just example.com/pagename? Would something like this work?

      Options +FollowSymLinks
      Options +Indexes
      RewriteEngine on
      RewriteCond %{SCRIPT_FILENAME} !-d
      RewriteRule ^([^\.]+)$ ?page=$1.php [NC,L]
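The PHP side of the rewrite in item 12, as an added example that is not the CMS's own index.php: once example.com/About reaches PHP as ?page=About, $_GET['page'] is request text that ends up naming a file, so it is resolved against an allow-list of the content files that actually exist (the whitelisting Zurev recommends for $_GET in item 8) rather than used in a path directly. The slug rule reuses the character class of getSlug() from item 16; the files/<Slug>.txt layout, the "Home" default and the loginUrl() helper for item 10's example.com/Home?login problem are assumptions.

```php
<?php
// Added example, not r0b's CMS code. Assumed layout: one file per page at
// files/<Slug>.txt, with "Home" as the default page.

const CONTENT_DIR = __DIR__ . '/files';

/** Slug the request the way the CMS's getSlug() does: keep only runs of [a-zA-Z0-9_-]. */
function toSlug(string $page): string {
    preg_match_all("/([a-z0-9A-Z-_]+)/", strip_tags($page), $m);
    return implode('-', array_map('ucfirst', $m[0]));
}

/** The allow-list is whatever is on disk, so a request can only name a file that is already there. */
function knownPages(): array {
    $pages = [];
    foreach (glob(CONTENT_DIR . '/*.txt') ?: [] as $f) {
        $pages[] = basename($f, '.txt');
    }
    return $pages;
}

/** Slug to serve, or null when the request names no known page. */
function resolvePage(?string $requested, array $known): ?string {
    $slug = toSlug($requested ?? 'Home');
    if ($slug === '') {
        $slug = 'Home';
    }
    return in_array($slug, $known, true) ? $slug : null;
}

/** Login link built from the script's directory, not the rewritten path: /Home?login becomes /?login. */
function loginUrl(string $scriptName): string {
    return rtrim(dirname($scriptName), '/') . '/?login';
}

// index.php: a ?page[]=x request is not a string, so treat it as "no page".
$requested = $_GET['page'] ?? null;
$slug = resolvePage(is_string($requested) ? $requested : null, knownPages());
if ($slug === null) {
    http_response_code(404);
    echo 'No such page.';
} else {
    echo file_get_contents(CONTENT_DIR . "/$slug.txt");   // content saved by editText.php
}
echo '<a href="' . htmlspecialchars(loginUrl($_SERVER['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8') . '">Login</a>';
```

Because knownPages() is rebuilt from the directory on each request, adding a page is still just dropping a file into files/; what changes is that a request can no longer steer the open() towards anything else.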
  13. I've been trying this but no success (yet). This code:

      htmlentities(strip_tags($content), ENT_QUOTES);

      isn't doing the job.
  14. I want to allow people to use those, yeah: iframe (one reported using it) and embedding (YouTube videos, of course). Okay, so if I get it right, the code should look something like:

      strip_tags($content, htmlentities($key));

      I hope I'm heading in the right direction, as I've dealt with combining strip_tags and htmlentities together. I really appreciate the help Zurev, thanks for bearing with me.
  15. If you check the code you can see I already strip the content for the added tags:

      if($fieldname=="title")
          $content = strip_tags($content);
      else
          $content = strip_tags($content,"<audio><source><embed><iframe><p><h1><h2><h3><h4><h5><h6><a><img><u><i><em><strong><b><strike><center><pre>");

      How would I connect htmlentities and this?
  16. I opened a thread yesterday about an XSS vulnerability when the user is logged in. I'll summarize it in a short quote: xyph solved my problem with this:

      foreach( $_REQUEST as $key => $val )
          $_REQUEST[$key] = htmlentities($val);

      He warned me it was risky but I didn't take him that seriously. Well, guess he was right. The foreach loop he gave me does protect me from the XSS attack, but it also prevents the users from using any kind of code in the pages. Next time xyph warns me it's risky, I'll know he means it. Now to my problem: how do I use this foreach loop without preventing the user from using simple HTML tags? Here's the file (editText.php) where the foreach loop was used:

      <?php
      session_start();

      // THE LOOP WAS USED HERE BUT I REMOVED IT DUE TO THE USERS PROBLEM.

      function getSlug( $page ) {
          $page = strip_tags( $page );
          preg_match_all( "/([a-z0-9A-Z-_]+)/", $page, $matches );
          $matches = array_map( "ucfirst", $matches[0] );
          $slug = implode( "-", $matches );
          return $slug;
      }

      $fieldname = $_REQUEST['fieldname'];
      $encrypt_pass = @file_get_contents("files/password");
      if ($_COOKIE['wondercms']!=$encrypt_pass) {
          echo "You must login before using this function!";
          exit;
      }

      $content = rtrim(stripslashes($_REQUEST['content']));

      // if to only allow specified tags
      if($fieldname=="title")
          $content = strip_tags($content);
      else
          $content = strip_tags($content,"<audio><source><embed><iframe><p><h1><h2><h3><h4><h5><h6><a><img><u><i><em><strong><b><strike><center><pre>");

      $content = trim($content);
      $content = nl2br($content);
      if(!$content)
          $content = "Please be sure to enter some content before saving. Just type anything in here.";

      // this line originally used preg_replace() with the /e modifier, which PHP 7 removed;
      // preg_replace_callback() does the same thing
      $content = preg_replace_callback("/%u(....)/", function ($m) { return conv($m[1]); }, $content);

      if($fieldname>0 && $fieldname<4)
          $fname = "attachment$fieldname";
      else
          $fname = $fieldname;

      $file = @fopen("files/$fname.txt", "w");
      if(!$file) {
          echo "<h2 style='color:red'>*** ERROR *** unable to open content_$fieldname</h2><h3>But don't panic!</h3>".
               "Please set the correct read/write permissions to the files folder.<br/> Find the /files/ folder and CHMOD it to 751.<br /><br /> If this still gives you problems, open up the /files/ folder, select all files and CHMOD them to 640.<br /><br /> If this doesn't work, contact me <a href='http://krneky.com/en/contact'>right here</a>.";
          exit;
      }
      fwrite($file, $content);
      fclose($file);
      echo $content;

      // convert utf-8 hexadecimal to decimal
      function conv($hex) {
          $dec = hexdec($hex);
          return "&#$dec;";
      }
      ?>
  17. Xyph, exactly what I was looking for. I have one question about this, though. If I understand correctly, if someone updated the file 2 seconds ago with some content, testing the demo of this CMS, wouldn't refreshing the content just reset the demo? On another note, this is just perfect; all I would have to do is change the time to 30 minutes and it would just reset when someone accessed the page at that time. I would double mark this as solved. Thanks for another great simple solution Xyph. If anyone uses this, don't worry about the $age displaying like this: "File is older than $age. Updated file." If you echo $age you'll see it works either way. Cheers and a sincere Thank You.
  18. New idea: combine them into one file for convenience. This will delete the files and create a new one at the same time.

      <?php
      $path = dirname(__FILE__).'/files';
      if ($handle = opendir($path)) {
          while (false !== ($file = readdir($handle))) {
              if ((time()-filectime($path.'/'.$file)) < 86400) { // 86400 = 60*60*24
                  if (strripos($file, '.txt') !== false) {
                      unlink($path.'/'.$file);
                  }
              }
          }
          closedir($handle); // release the directory handle
      }
      ?>
      <?php
      $filename = 'files/home.txt';
      if (file_exists($filename)) {
          echo "The file $filename exists.";
      } else {
          echo "The file $filename was deleted.<br /> Your file named $filename was created.";
          echo "<br /><br />This will happen every time you refresh.";
      }
      $mydata = "This is my content.";
      $myFile = "files/home.txt";
      $fh = fopen($myFile, 'w') or die("can't open file");
      fwrite($fh, $mydata);
      fclose($fh);
      ?>

      If you want to create multiple files at once, duplicate this code with different names. (Example shown below.)

      $mydata = "This is my content."; // change this to $mydata2
      $myFile = "files/home.txt"; // change this to $myFile2 and change the name of the text file.
      $fh = fopen($myFile, 'w') or die("can't open file"); // change $myFile to $myFile2
      fwrite($fh, $mydata); // change this to $mydata2
      fclose($fh);

      Still no idea how to make this do it automatically.
  19. Ok, I think this is pretty much achieved. There are two files: delete.php deletes all the text files in the specified folder and update.php re-creates the fresh ones I wanted to have. There's NO actual auto delete or create; hoping someone will find a way. Here's delete.php (deletes all text files from the folder).

      <?php
      $path = dirname(__FILE__).'/files';
      if ($handle = opendir($path)) {
          while (false !== ($file = readdir($handle))) {
              if ((time()-filectime($path.'/'.$file)) < 86400) { // 86400 = 60*60*24
                  if (strripos($file, '.txt') !== false) {
                      unlink($path.'/'.$file);
                  }
              }
          }
          closedir($handle); // release the directory handle
      }
      ?>

      And here's update.php (creates one text file):

      <?php
      $filename = 'files/home.txt';
      if (file_exists($filename)) {
          echo "The file $filename exists.";
      } else {
          echo "The file $filename doesn't exist. Your file named $filename is now being created.";
      }
      $mydata = "This is my content.";
      $myFile = "files/home.txt";
      $fh = fopen($myFile, 'w') or die("can't open file");
      fwrite($fh, $mydata);
      fclose($fh);
      ?>
  20. I've found a better solution for deleting the files. This works for deleting text files; if you want it to work for different types of files, please change .txt to something you need.

      <?php
      $path = dirname(__FILE__).'/files'; // directory where you want to delete your text files.
      if ($handle = opendir($path)) {
          while (false !== ($file = readdir($handle))) {
              if ((time()-filectime($path.'/'.$file)) < 86400) { // 86400 = 60*60*24
                  if (strripos($file, '.txt') !== false) {
                      unlink($path.'/'.$file);
                  }
              }
          }
          closedir($handle); // release the directory handle
      }
      ?>

      All I need now is some kind of an auto upload to place the fresh files.
  21. Just to make it more clear, the top code I pasted will delete files based on their last edited age. If the file hasn't been modified for more than XY minutes, it will be deleted. In my case, if someone edited Home 5 minutes ago, it won't delete it. Is there any way of making it delete the files no matter what the last edit time was? (delete every 60 minutes, no matter what)
  22. I've created a demo page for my CMS, and I want it to delete itself and make a fresh content install. I got the delete part figured out, but what about uploading fresh content files? (only a few text files). Here's the delete part:

      <?php
      $expiretime=720; // minutes (in how many minutes it deletes the files)
      $tmpFolder="tmp/"; // where to delete the files - be careful with this.
      $fileTypes="*.*";
      foreach (glob($tmpFolder . $fileTypes) as $Filename) {
          $FileCreationTime = filectime($Filename);
          $FileAge = time() - $FileCreationTime;
          if ($FileAge > ($expiretime * 60)){
              //deleting files:
              unlink($Filename);
          }
      }
      ?>
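An added example, not r0b's code, covering the two things the demo-reset thread (items 17 to 22) and the "execute at midnight" thread (items 1 to 4) ask for without cron and without a browser tab left open: (a) put the pristine content back every 60 minutes regardless of when any file was last edited, and (b) run a job once on the first request after midnight. Both keep their "last run" clock in the mtime of a small marker file rather than in the content files, which is what makes the reset independent of edits, and a flock() stops two simultaneous visitors from running the job twice. The files/ and files/defaults/ layout, the marker names and the placeholder daily job are assumptions.

```php
<?php
// Added example, not r0b's code. Assumed layout: live content in files/*.txt,
// pristine copies in files/defaults/*.txt, markers files/.last_reset and
// files/.last_daily. Include this from index.php on every request.

const CONTENT_DIR  = __DIR__ . '/files';
const DEFAULTS_DIR = __DIR__ . '/files/defaults';
const RESET_MARKER = __DIR__ . '/files/.last_reset';
const DAILY_MARKER = __DIR__ . '/files/.last_daily';
const RESET_EVERY  = 60 * 60;   // seconds between demo resets

/** mtime of a marker file, or null when it has never been written. */
function markerTime(string $marker): ?int {
    clearstatcache(true, $marker);
    $t = @filemtime($marker);
    return $t === false ? null : $t;
}

/** Policy (a): due when the marker is missing or older than RESET_EVERY, whatever the content files' edit times. */
function resetIsDue(int $now): bool {
    $last = markerTime(RESET_MARKER);
    return $last === null || ($now - $last) >= RESET_EVERY;
}

/** Policy (b): due on the first request of a new calendar day (server time zone). */
function dailyIsDue(int $now): bool {
    $last = markerTime(DAILY_MARKER);
    return $last === null || date('Y-m-d', $last) !== date('Y-m-d', $now);
}

/** The reset itself: remove every live .txt and copy the pristine set back. Returns files restored. */
function resetDemoFiles(): int {
    $live = realpath(CONTENT_DIR);
    foreach (glob(CONTENT_DIR . '/*.txt') ?: [] as $f) {
        if (realpath(dirname($f)) === $live) {   // only ever unlink inside files/
            unlink($f);
        }
    }
    $restored = 0;
    foreach (glob(DEFAULTS_DIR . '/*.txt') ?: [] as $src) {
        if (copy($src, CONTENT_DIR . '/' . basename($src))) {
            $restored++;
        }
    }
    return $restored;
}

/**
 * Run $task once when $isDue says so. Returns the task's result, 0 when nothing
 * was due, -1 when another request holds the lock at this moment.
 */
function runOnce(string $marker, callable $isDue, callable $task, int $now): int {
    if (!$isDue($now)) {
        return 0;
    }
    $lock = fopen($marker . '.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX | LOCK_NB)) {
        return -1;
    }
    try {
        if (!$isDue($now)) {          // lost the race: the other request already ran it
            return 0;
        }
        $result = $task();
        touch($marker, $now);         // the marker's mtime becomes the new "last run"
        return $result;
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

// index.php, on every request:
runOnce(RESET_MARKER, 'resetIsDue', 'resetDemoFiles', time());
runOnce(DAILY_MARKER, 'dailyIsDue', function (): int {
    // whatever had to happen at 00:00 goes here (assumed placeholder job)
    return 1;
}, time());
```

The first visitor after the deadline pays for the job and everyone else sees the result, which is the same trade-off as the refreshing tab in item 1 but without depending on a page being open at the right second. The re-check inside the lock matters: without it, two requests that both passed the first isDue() test would run the task back to back.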
  23. Xyph, thank you, the first solution solved the problem perfectly. That was a fast, simple and effective solution. Thanks again and cheers.
  24. Now, a couple of hours later, I still haven't found a way with that website without making this CMS actually bigger (trying to keep it under 10 kB). Is there a short and simple solution, something like I mentioned earlier (with htmlentities)?
  25. I have a problem which I've been trying to fix for a while now with htmlentities. I've written my own small CMS which is available to the public, and recently I received a report that it's vulnerable to an XSS attack: http://host/editText.php?fieldname=slogan&content=slogan<img src=x onerror=alert("XSS")> This vulnerability only works if the user is logged in. I want to secure it anyway to give the security companies contacting me about this a break. I've been rolling around the internet trying to find a simple answer on how to prevent this XSS attack with HTMLENTITIES. I've even tried writing my own solutions with htmlentities and it doesn't seem to solve the problem/stop the attack. I'm thinking something like htmlEntities($content); // but again, this won't do the job. Here's the editText.php:

      <?php
      session_start();

      function getSlug( $page ) {
          $page = strip_tags( $page );
          preg_match_all( "/([a-z0-9A-Z-_]+)/", $page, $matches );
          $matches = array_map( "ucfirst", $matches[0] );
          $slug = implode( "-", $matches );
          return $slug;
      }

      $fieldname = $_REQUEST['fieldname'];
      $encrypt_pass = @file_get_contents("files/password");
      if ($_COOKIE['wondercms']!=$encrypt_pass) {
          echo "You must login before using this function!";
          exit;
      }

      $content = rtrim(stripslashes($_REQUEST['content']));

      // if to only allow specified tags
      if($fieldname=="title")
          $content = strip_tags($content);
      else
          $content = strip_tags($content,"<audio><source><embed><iframe><p><h1><h2><h3><h4><h5><h6><a><img><u><i><em><strong><b><strike><center><pre>");

      $content = trim($content);
      $content = nl2br($content);
      if(!$content)
          $content = "Please be sure to enter some content before saving. Just type anything in here.";

      // this line originally used preg_replace() with the /e modifier, which PHP 7 removed;
      // preg_replace_callback() does the same thing
      $content = preg_replace_callback("/%u(....)/", function ($m) { return conv($m[1]); }, $content);

      if($fieldname>0 && $fieldname<4)
          $fname = "attachment$fieldname";
      else
          $fname = $fieldname;

      $file = @fopen("files/$fname.txt", "w");
      if(!$file) {
          echo "<h2 style='color:red'>*** ERROR *** unable to open content_$fieldname</h2><h3>But don't panic!</h3>".
               "Please set the correct read/write permissions to the files folder.<br/> Find the /files/ folder and CHMOD it to 751.<br /><br /> If this still gives you problems, open up the /files/ folder, select all files and CHMOD them to 640.<br /><br /> If this doesn't work, contact me <a href='http://krneky.com/en/contact'>right here</a>."; 
          exit;
      }
      fwrite($file, $content);
      fclose($file);
      echo $content;

      // convert utf-8 hexadecimal to decimal
      function conv($hex) {
          $dec = hexdec($hex);
          return "&#$dec;";
      }
      ?>

      There are only 3 files altogether; if someone needs index I'll post that too.
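An added example, not code from r0b's CMS, addressing the question that runs through items 13 to 16 and 25: why htmlentities() and strip_tags() with an allowed-tag list do not combine well, and what to do instead. strip_tags() keeps every attribute of an allowed tag, so an allowed <img> keeps its onerror= handler (the reported payload goes through precisely because <img> is on the list), while htmlentities() over the whole string stops the payload but also every tag (item 16's complaint). For a field that must allow some markup, the workable rule is to allow-list both tags and attributes and to reject dangerous URL schemes; text nodes then come out encoded by the serialiser, so no separate htmlentities() pass is needed. The tag/attribute policy, the function names and the sample input below are assumptions.

```php
<?php
// Added example, not r0b's CMS code. Allow-list sanitizer built on DOMDocument
// (bundled with PHP); the policy below is assumed and can be extended.

// tag => attributes that may survive on it
const ALLOWED_TAGS = [
    'p' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'pre' => [],
    'a' => ['href'], 'img' => ['src', 'alt'],
];

/** For fields such as "title" that allow no markup at all: encode at output time. */
function escapePlain(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Only relative, http: or https: URLs may stay in href/src. */
function safeUrl(string $url): bool {
    $url = trim($url);
    if ($url === '' || preg_match('/[\x00-\x20]/', $url)) {
        return false;                        // control characters or whitespace inside a URL: reject
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return false;                        // unparseable: reject rather than guess
    }
    return $scheme === null || in_array(strtolower($scheme), ['http', 'https'], true);
}

/** Walk the tree, dropping disallowed elements (with their content) and disallowed attributes. */
function cleanNode(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes) as $child) {    // snapshot: the list is mutated below
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_TAGS[$tag])) {
                $node->removeChild($child);                          // e.g. <script>, body included
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                     && (!in_array($name, ['href', 'src'], true) || safeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);            // e.g. onerror=, javascript: href
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                              // comments, processing instructions
        }
    }
}

/** Parse untrusted HTML, apply the allow-list, serialise the result. */
function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                                // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8" ?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);              // our wrapper element
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                              // text nodes come out with < and & encoded
    }
    return $out;
}

// Constructed sample in the shape of the reported request's content parameter:
$untrusted = '<p>Hello <b>world</b>, 1 < 2</p><img src=x onerror=alert("XSS")>'
           . '<script>alert(1)</script><a href="javascript:alert(1)">link</a>';

echo escapePlain($untrusted), "\n";    // title field: no markup survives at all
echo sanitizeHtml($untrusted), "\n";   // content field: <p>, <b>, <img src="x"> and <a>link</a> survive; the handler, the script and the javascript: URL do not
```

Run sanitizeHtml() where editText.php currently calls strip_tags() with the allowed-tag list, and escapePlain() at output time for fields that need no markup. The approach generalises beyond the <img onerror> case: any event-handler attribute, any script element and any javascript: URL on the allow-listed tags is removed by the same two rules. If size is less of a constraint than item 24 suggests, HTML Purifier is the established PHP library that implements this same allow-list model with a much more complete policy.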