SparK_BR

Members
  • Posts: 41
  • Joined
  • Last visited: Never

Everything posted by SparK_BR

  1. The $connection object there is a class that holds the DB link resource as a private attribute, and the escape method does mysql_real_escape_string, so I'm using both addslashes and mysql_real_escape_string... though I might create some asserts for primitive types and type-cast when needed. Thanks for the help, I will just mark the thread as solved for now.
  2. I found an entry point: arquivo.php, which is responsible for getting the uploaded files from the folder to the browser, uses a query to fetch file information. That PHP was not using addslashes for that, because fetching file information was a secondary task in it, and the file's author didn't pay much attention. He was using extract($_GET) and then passing the parameters directly to the function. Now I added $connection->escape($string); and $get = array_map("addslashes", $_GET); I hope that's enough. Sorry for bothering. (PS: geolocation on the IP showed me the hacker's house on Google Maps, and nmap told me which services he is running on his machine and what modem he is using... unfortunately, I can't do anything with that info :/ )
  3. I attached the two files there. What they do:

        if (!$_SESSION["logged_in"]) {
            include("control/login.view.php");
            return;
        }
        include("control/index.view.php");
  4. The problem is that I only use the index.php and the load.php; the index verifies that and redirects to login, then it loads the panel, and the middle part is called with Ajax and only changes the middle part of the panel, calling load.php. OK, I admit that checking a session var is fragile... but is there a way to manipulate the session from the client side? [attachment deleted by admin]
  5. I use OOP and MVC, so each beam/ folder class has its own static table property, implements its getters and setters (modifying a stdClass object), and they all extend from the Beam class that assembles the queries. And I don't know how that query went empty, because even when the user changes something the whole query goes to the log. The 3 single quotes (''') in the log are what worries me. The code is in Portuguese; if you know a little Spanish, French or Latin you may understand a thing or two. Attached is the control class that logs into the system; the code is old, so I haven't refactored it in a long time. [attachment deleted by admin]
  6. Hi. Here at work we developed a system through which the user can change the website contents. The thing is, the day before yesterday somebody from either 209.73.132.242 or 187.35.48.26 has been messing around with the 'welcome screen' and managed to log in and upload a c99 PHP shell file (that Russian file and database management tool). We are using addslashes (which I heard recently can be bypassed with high Unicode chars), and we also encrypt the password before comparing it with the database results (our query looks for the user, then we get the password and compare), so not even the SysAdmin knows the passwords. Any recommendation as to how to stop these attacks? Here is a piece of the log (won't do much, but...): and then he managed to get into a login loop: any information is welcome.
  7. I made a typo there: $this->subject instead of $subject when inside methods... sorry (editing time limit? :-\)
  8. OK, let's say you have a class Car. You have a unit test for that car:

        // Minimal Car so the test below runs stand-alone (not part of the original post).
        class Car {
            private $speed = 0;
            public function getSpeed() { return $this->speed; }
            public function accelerate() { $this->speed += 10; }
        }

        class TestCar {
            private $subject;
            // PHP 4-style "function TestCar()" constructors are gone; use __construct.
            public function __construct() {
                $this->subject = new Car();
            }
            public function testAccelerator() {
                $oldValue = $this->subject->getSpeed();
                $this->subject->accelerate();
                if ($this->subject->getSpeed() <= $oldValue)
                    throw new Exception("Accelerator Failed");
            }
        }

        $unitTest = new TestCar();
        $result = "It Passed";
        try {
            $unitTest->testAccelerator();
        } catch (Exception $e) {   // the caught variable needs its $ sigil
            $result = "It Failed";
        }
        echo $result;

     That's how you make a unit test.
  9. Hehehe, you broke your project horizontally; you actually have to break it vertically. The layer thing called MVC may be a good line to follow. Well... first you gotta connect to the database (create a class that manages connections and executes queries, so that when you change your database you have to modify only a single file); then you have to either use the connection class directly on the page to fetch and display data on your screen, or create a Beam class that will navigate the registries and have gets and sets.
  10. OOP in PHP is now somewhat doable; I wonder when AOP will be available. I was working on an Aspect.class thing and a replacement for require_once to load the proxies and stuff, but my boss is really close-minded.

        public function anyway($you) { $this->see($you); }
        public function __construct() { $world->addEventListener("Later", array($this, "anyway")); }
        // Anyway, see you later!
  11. Thank you! @the first note: new String(false) is "": it will concat false to the empty value and return empty, which you can eval as false. @the second note: now it's fixed. I remember trying to use my List class there (the same as using array, but as class methods and not language functions), but then I wanted the classes not to depend on each other and forgot to write the 2 missing lines. *attached new file* PS: for some reason I can't modify the first post to upload the new file there too. [attachment deleted by admin]
  12. So uhh... what do you think of the class? Useful, not useful? Something I forgot to do? Feedback is what keeps me working. And don't worry, I don't like to use code people give me; I need to read, understand and then adapt a solution to my problem.
  13. Hi, I'm new here. My father (and co-worker) told me to interact with a few communities, that it would be good for my professional career. However, I can't just come here and take whatever I want, so I offer you guys this piece of code. *attached* Sorry for the autodoc comments in Portuguese, I'm from Brazil. [attachment deleted by admin]
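Added example, not SparK_BR's code and not from any file in the thread: the pattern posts 1, 2 and 6 describe (extract($_GET), a value spliced into the query, addslashes as the only defence) reconstructed as a hypothetical arquivo.php, next to a parameterized rewrite. The table and column names (arquivos, id, nome, caminho), the DSN and the credentials are assumptions. The point it makes is that escaping only helps where the value lands inside quotes and the escaper agrees with the server about the character set, while a bound parameter is never parsed as SQL at all.

```php
<?php
// Added example (not the poster's code). Table/column names, DSN and
// credentials are assumptions made for illustration.
declare(strict_types=1);

// --- Pattern described in the thread (do not use) ---------------------------
// extract($get) turns every query-string key into a local variable, overwriting
// any local of the same name, so the caller controls $id (and anything else the
// function reads afterwards). addslashes() only escapes ' " \ and NUL, and only
// matters while the value sits inside quotes; it knows nothing about the
// connection charset, which is where multibyte bypasses come from.
function fetchFileLegacy(mysqli $db, array $get): ?array
{
    extract($get);                                  // $id now comes from the URL
    $sql = "SELECT nome, caminho FROM arquivos WHERE id = '" . addslashes($id) . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version -------------------------------------------------------
// No extract(): read exactly the key you need, validate its type, and let the
// driver bind the value. With emulation off the SQL text and the parameter
// travel separately, so quoting tricks never reach the parser.
function fetchFile(PDO $db, array $get): ?array
{
    // The file id is an integer; reject anything else before touching the DB.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT nome, caminho FROM arquivos WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function openDb(): PDO
{
    // Real server-side prepares and an explicit charset: the server, not a
    // client-side escaper, decides where the parameter ends.
    return new PDO(
        'mysql:host=localhost;dbname=site;charset=utf8mb4',   // assumed DSN
        'app', 'secret',                                        // assumed credentials
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Usage in arquivo.php:
//   $row = fetchFile(openDb(), $_GET);
//   if ($row === null) { http_response_code(404); exit; }
```

The same rule applies to every other query the Beam class assembles: build the SQL text from trusted identifiers only, and pass every user-supplied value as a bound parameter rather than through $connection->escape() or array_map("addslashes", ...).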
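Added example answering the question in post 4, not the poster's code: one authentication guard that both entry points (index.php and the Ajax endpoint load.php) require. The client never holds the session data itself, only the session id cookie, so what it can do is present a stolen or guessed id or keep using an id it chose before login; the defences are strict cookie settings, a fresh id at login, and the same check on every request. The file name auth.php, the $_SESSION keys and the idle timeout are assumptions.

```php
<?php
// Added example (not the poster's code). auth.php is an assumed file name;
// the $_SESSION keys and the 30-minute idle limit are assumptions.
declare(strict_types=1);

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept ?PHPSESSID=... in the URL
    session_set_cookie_params([
        'httponly' => true,                    // cookie not readable from JavaScript
        'secure'   => true,                    // assumes the panel is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the password check has succeeded.
function loginUser(int $userId): void
{
    session_regenerate_id(true);               // drop any id the client chose before login
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// True when the session is authenticated and not idle too long. Both index.php
// and load.php call this; the Ajax endpoint must not assume index.php checked.
function isAuthenticated(int $maxIdle = 1800): bool
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['auth_time'])) {
        return false;
    }
    if (time() - (int) $_SESSION['auth_time'] > $maxIdle) {
        return false;
    }
    $_SESSION['auth_time'] = time();           // sliding idle timeout
    return true;
}

// index.php:
//   require 'auth.php'; startSecureSession();
//   if (!isAuthenticated()) { include 'control/login.view.php'; return; }
//   include 'control/index.view.php';
//
// load.php (called by Ajax): same guard, but reply with a status code instead
// of the login page so the JavaScript side can redirect to login itself.
//   require 'auth.php'; startSecureSession();
//   if (!isAuthenticated()) { http_response_code(401); exit; }
```

A session variable checked this way is not fragile in itself; what makes it fragile is an entry point that skips the check, or a session id that survives from before the login.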