jazzman1

You shoud get some error messages without them I am affraid we cannot help you.Try to add the following error_reporting functions on the top of the file you call. ini_set('display_startup_errors',1); ini_set('display_errors',1); error_reporting(-1);

A lot of security technics you could apply in the dedicated server from MAC/DAC/SeLinux until chroot, LXC so forth if you're running the project on a linux server. About SSL, this is a method of encripting all TCP/IP transmissions stack (including web pages and data entered into web forms) in case some malicious user tries to sniff and catch the data trafic and tying to read or re-write the same data pretending that he is the owner of the file, most often that happened in a local environment. So HTTP over SSL is a good thing you should use it. I'm still stay behind the scenario to use the database as an upload files storage engine since the files contain a sensitive data and not to be publish at all.

I got it sorted out and going to set the topic to "solved". The glibc-headers library were be reinstalled again with selinux set to permissive mode in the "hosting" machine. I'm not sure what happens here, but when the "host" machine is set to selinux enforcing mode a lot of things are failed to the "guest" machine (container). For instance, I'm able to create a new user but I'm failed giving him a new password. I followed The Dan Walsh's Blog and CentOS Guide as well to create a new selinux policy and everything looks nice but at the end I got the same shit ....anyways....it's a different story..

Did you create an ftp account to this domain? If so, all you need to do is to connect to the server via some GUI or console ftp program ( FileZilla Client version is a good choice) and to download files into your local flash drive.

Have you had an opened ftp or ssh connection to the remote machine?

Well, in this case instead of build a new layer of security based on the web server (most likely a shared hosting) for multiple users, I'd be consider to use the database as an upload storage.

I think he renames the uploaded file using a hash algorithm as a file name, then just compare if this name exists in the db table and belongs to the uploader (user) with this ID. Well, this would work good, but could cause a lot of server's resources

Yes, we can help you on this in case you help us by providing some code.

Is it only one uploaded/downloaded directory for all users?

Sounds like you need to find a simple file manager written in php/js/html. Neil is already described the basic skeleton, but dealing with users/dirs/files/permmissions and so forth on the web server ( where the users not belong to the file server) is not an easy job as you think.

You should get an error message if you're trying to post a huge script. If so, you need to post only that piece(s) of code that relevant to your actual problem.

Hey guys, I'm facing an issue compiling the above stack from a source code inside lxc using centos 6.5 as a domain OS. This problem has been detected by me when I replaced my desktop machine with new one and installed a centOS again. This such a problem never happened before using my old machine with the same version of OS and libvirt. Just to be clear, a new selinux policy into a "domain machine" has been created to be able to use the "dbus daemon" to all containers and if I try to complile this stack from source using the "domain os" this problem never happens at all. All "Development tools" is installed to this particular container, in case someone asks me why I get the following error message - "configure: error: cannot run C compiled programs" Any ideas?

Sorry, i forgot to put an ampersand (&) in front of every html form field name in array data. When I run the login test I got a html error page. Next script works for me: $data = array( 'username'=>'email%40gmail.com', '&password'=>'pass', '&redirect'=>'', '&source_flow'=>'', '&__source_node__'=>'start', '&__context__'=>'dG7hxHue89rxYi1En6avVefzAKAQDAVFfmXJ0fbZP8OrIAoW22b9ImZz6j_j5B-7KAUc7ijL7dwkY-tsC9U1aUpQfCATLtAvxcSsb6FPTFwZkB2_ATGv7uZO6s5l8QF-KrnFfkcX3qB5OvsjnbhMlA%3D%3D', '&__form__'=>'login', '&redirect'=>'', '&button'=>'Log%20In'); $curl_cookie = "cookies.txt"; //$fp = fopen("example_homepage.txt", "w"); // create a new cURL resource $ch = curl_init(); // set URL and other appropriate options curl_setopt($ch, CURLOPT_URL, 'https://www.23andme.com/user/signin/'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, FALSE); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_COOKIEFILE, $curl_cookie); // Read cookie file curl_setopt($ch, CURLOPT_COOKIEJAR, $curl_cookie); // Write cookie file curl_setopt($ch, CURLOPT_POSTFIELDS, $data); //curl_setopt($ch, CURLOPT_FILE, $fp); // grab URL and pass it to the browser $output = curl_exec($ch); $info = curl_getinfo($ch); curl_close($ch); //fclose($fp);

Please, use the forum's code tags when providing code next time! Did you test it? Try my script it would be something like this, $data = array('username'=>'user', 'password'=>'pass', 'redirect'=>'', 'source_flow'=>'', '__source_node__'=>'start', '__context__'=>'IhEcX2ivtGzK30cuk0eODNsNcX7FHNZJWPaEIYtdQT12OIx41EALfWWl4eTEIKDMJ-tQ9LhFIui8U0dpV0sBIipLq5jLnCJmworArmgt_QkbbfLczY_T8_6WR7-B4QxZRn8zxfTWKKvZI8nyQaVHmA%3D%3D', '__form__'=>'login', 'redirect'=>'', 'button'=>'Log%20In'); $curl_cookie = "cookies.txt"; $fp = fopen("example_homepage.txt", "w"); // create a new cURL resource $ch = curl_init(); // set URL and other appropriate options curl_setopt($ch, CURLOPT_URL, 'https://www.23andme.com/user/signin/'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, FALSE); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_COOKIEFILE, $curl_cookie); // Read cookie file curl_setopt($ch, CURLOPT_COOKIEJAR, $curl_cookie); // Write cookie file curl_setopt($ch, CURLOPT_POSTFIELDS, $data); curl_setopt($ch, CURLOPT_FILE, $fp); // grab URL and pass it to the browser $output = curl_exec($ch); $info = curl_getinfo($ch); curl_close($ch); fclose($fp); Double check the login credentials. If everything is fine with the server permissions, you would be able to find the content of the requested, then redirected form page inside example_homepage.txt file.

Post all relevant code here using forum's code tags and don't attach files when providing code, some users like me do not like the idea to download files into their own macines.

There is a wonderful ad-ons for firefox, it's called - Life HTTP Headers, which, you can use to get a form login credential. So, I made a fake request to this site and this is what I get: The first line is the action of the login form, the last one is the login credentials and you need to send this data in exactly same way as the browser does.

You also need to send the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. Can you show us your current curl script?

The script works for me with some little corrections. if (isset($_GET['page'])) { $path = urlencode($_GET['page']); } else { $path = ''; } Example1 (whitout get parameter) URL:10.10.1.5:90/pdo/freaks.php Example2 URL:10.10.1.5:90/pdo/freaks.php?page=6.Years.in.Love.2008

Absolutely true!

@Jacques1, would you be so kind to crack my account to phpfreaks.com, please? IP board uses by default md5() algorithm and the salt, it's a string of 5 random characters including letters, numbers and symbols. I would not be able to crack credentials in 2 days after I started the brute force attack against my account, so what I want to say is that the hash algorithm is important but it's not everything to stop attacking. There are lots of security mechanisms which prevent of it.

I always use this wiki mozilla's overview and recommend you to read up on it when you're dealing with images - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Uploads

Prior to html5 all types of control for the html input fields that I know are those - http://www.w3.org/TR/html401/interact/forms.html#edef-INPUT If you re running into html5 you could use a number type, but yours is "int" type.

@rocky48, there is nothing wrong to use PRG pattern as shown in my example. The whole point of using it, is to prevent the same data to be sent to the server multiple times by reloading the form page. For more information - http://web.archive.org/web/20061211082049/http://www.theserverside.com/patterns/thread.tss?thread_id=20936 I prefer to use javascript because this increases the speed of the application if the validation somehow failed, however you don't have to trust it because javascript could be easily disabled from some malicious user. You must be sure that the user input fields validation exists on the server side as well. For a newbie in javascript i recommend you of using jquery validation plugin - http://jqueryvalidation.org/documentation/

Well, personally I am using javascript to do this and return only true or false in the server side if the test passed...I don't like to waste the server resources with stupid things

Use the header() php function with some get parameter to it if you wat to redirect the validated script to the basic form in case it failed. Without going into details about validation of client's email. Qstore.php if (empty($mail)) { header('Location: form.php?action=error'); exit; } form.php <?php if(isset($_GET['action']) && $_GET['action'] == 'error') echo '<p style=color:red>your email is either 0, empty, or not set at all</p>';?> <form NAME=feedback action="Qstore.php" method="post"> <strong>Your email address:</strong> <input type="email" size="20" name="email"/><br/><br/> Please rate the Verse Utility</br> <input type="radio" name="rate" value="1"> 1 <input type="radio" name="rate" value="2"> 2 <input type="radio" name="rate" value="3"> 3 <input type="radio" name="rate" value="4"> 4 <input type="radio" name="rate" value="5"> 5 <br/><br/> <strong>Are there any ways we can improve the utility?:</strong> <br/><textarea name="Vimp" rows="5" cols="30"></textarea><br/><br/> <strong>What do you think of the site as a whole?:</strong> <br/><textarea name="site" rows="5" cols="30"></textarea><br/><br/> <strong>How do you think we can improve the site?:</strong> <br/><textarea name="Simp" rows="5" cols="30"></textarea><br/><br/> <strong>Any other comments?:</strong> <br/><textarea name="Simp" rows="5" cols="30"></textarea><br/><br/> <input type="submit" value="Submit"/> </form> You should go to the source (php.net) to learn how to validate user's email address.