phppup

RE-POSTED for clarity and errors ** Ignore the TWO previous similar postings ** It originates from in the beginning of a FOR loop and I then rename it to use within the same loop. At it's inception And I expected dee to work as described. What exactly is a "proper variable"? What would make it improper? Note: when posting code that contained [ ] and lowercase i the code showed incorrectly and altered text to ITALIC. Mgmt may want to address this.

My problem amounts to tryong to get element using a variable's value instead of a hardcoded name. This works But this has been problematic I've tried an exhaustive array of variations with single quotes, double quotes, and + sign combinations, but seem to be missing the bullseye. How can I insert the variable so that var chosen is viable?

I stayed surfing the web again (someone should unplug that thing) and went down the rabbit hole, again. The code above displays lines of character text. Uncommenting the two header lines created a black screen with a black outlined square. How can I get a the image to display? Can I use this method to display multiple images? Will this provide a layer of security by eliminating a visible url to the image?

Either the code or it's creator needs to take a nap. I get cranky when I'm hungry. Empathetically, I accessed some code this afternoon that had worked fine 2 months ago. But this afternoon it was obstinate about running. It took 3 hours before I discovered that TWO conditional statements had been removed with comment tags. That darn code must've gotten active after I tucked it in and turned out the light. There's no other rational explanation. Pleasant dreams.

You need to understand what your code is saying. The first version says: attempt this, attemp that, try to send mail, try going to the Thank You page. There are no indications or notifications of which success and which fail. The alternate version directs the process to EITHER go to the Thank You on success, or indicate failure. It's safe to safe the email is FAILING in all attempts. You just don't restrict it from going to the Thank You page on the first version. I would hardcode and see where that takes me. Also don't forget my initial statements about spam filters. I'm not familiar with PHPmailer, but it could be beneficial.

@kicken Using file_get_contents($image) gave me a page with characters and LOTS of black diamond-question marks. That's what got me into this mess, and lead me down a path that had suggestions on the WWW to use everything from decode_base64/encode_base64 to bin2hex etc. I think all my images are now inverted, upside-down, and mixed between Latin, Arabic, and Japanese characters. LOL It seemed like a good idea at the start. Maybe I'll just back away from the path verrrry slowly.

Take a break and get back to basics. Did you try @gw1500se suggestion? Add $state= "Test state"; one line above the culprit code line if the email is successfully processed with that text value, then you can resolve the issue with a comparison condition afterward.

In your HTML, the drop-down for states which provides the value for $state is DISABLED. Why?????

I would hardcode the troublesome header and see what happens. Maybe the code doesn't like something in $headers = "From: $email_from" . "\r\n"; PS: I did notice the command sending the user to the "Thank you" page. You could expand it and do something like Gotta go get a COVID shot. Good luck.

Then we did it? Hurray!! Glad we could help. (Don't forget to remove or comment hide the error reporting)

If you put the first few words of a notification into a search engine, you can generally begin to find an understanding (and hopefully a solution). The last item of the message that provides "line #" is referencing the line in your CODE where the error occurred. (Taking into account that sometimes the error existed but didn't cause a problem until this point, the line number is accurate.) Depending on your code editor, the line numbers are available, although counting to line 21 isn't nearly as difficult as finding line 642. LOL. (an empty line is still a counted line) Make sure to eliminate the error initiation code BEFORE going live. It gives too much information to a user if displayed at an inopportune time. I'll take another look at your code, but beyond this point, there are other people here that would be more capable than myself.

Do you want this?? print_r($array_name);

As previously mentioned, YES, place some functional validation to determine IF the system sent the email. Something like This will not only help you during development, but also benefit the user when operational. And, as often recommended, turn on ERROR REPORTING by placing this immediately after your opening PHP tag <? (if you haven't used this, just do something blatantly wrong and then run the page to see the result) ** Remove it BEFORE production ** Aside from your CODE, other variables can be in-play with email. Spam filters are notorious for creating issues. If you're sending and receiving identical messages repeatedly, the safety net may outsmart itself and cause you an issue. I've personally had emails take hours until being released by the server. Or tested soooo many times that a failure/spam designation stopped everything. My suggestion: if the code is good, send an email to an outside address and confirm it to another (with a subject line that does NOT contain "test" or "sample" etc). - EVERYTHING has to 'appear' to be "real/valid" communication. Once you've established that messages are being sent and received adequately, then you can gingerly tweak the settings (with a degree of confidence).

@kicken Thanks for clarifying that for me. Thankfully, my understanding wasn't/isn't that far off, although my terminology may have been a little murky. So how can I display an image as just 1s and 0s in a browser? And to my REAL question, what is the preferred/default method of interpretation for PHP? (Am I correct that images are essentially meaningless to PHP for display purposes? ECHO $img; is worthless [until HTML intervenes to help translate with an <img> tag] It's like a memo being passed thru the United Nations assembly. It is written in plain English, but the note needs to be interpreted depending on the recipient. And for some, the message will never be clear. [No political innuendo intended. LOL]) So what is being displayed from the file_get_contents($image) result?

Unfortunately not a single search result had offered a sentence that elaborates to say "...displays the contents in language XYZ." Nor does any site elaborate on that manner regarding "creating an image", "image code", et al. I assume it all begins with binary, but references to hex, base, etc. seem almost arbitrary without a foundational resource. Ya got that right. But i think I've been understanding and learning more, thanks to the help I've gotten here. At this point "the forest" will probably take care of "the trees" since I'm hopefully disarming ill-intended code with other measures already. This "last thought" seemed like a reasonable idea, if for no other purpose, than to alert me of a potential attack (rather than actually prevent it).

But might it be a start? Stopping even a single 'bad actor' seeems worthwhile. Still, if I echo file_get_contents($image_path); what am I seeing? ASCII? Hex? Other? How do I clean it up to view it properly (in its entirety)? Is it the same for jpg , png, bmp, etc?

Does someone like this seem like a practical and effective effort? Limitations? Potential problems? Sensible?

@requinix THANK YOU. Very enlightening. I think I have most precautionary measures covered adequately, but the more I read, the higher my stress level climbs. Granted there are some articles/blogs that are just inaccurate, misleading, or completely wrong; and I thank you for helping me sort them out from the valid resources and information. I've seen recommendations to encode images to base64. Or decode to hex. Or transform into a string. All suggesting that analyzing the file in this way could facilitate in detecting hidden scripting: Are any of these ideas worth considering? Effective? And then I stumbled across blobs, but thankfully, I don't see that as my preferred pathway.

id = "uploaad" ???? Did you want TWO letter AAs? Easier to fix it now before problems (if it was a typo).

I've been surfing the web and reading various articles, and probably have more questions than answers, so any guidance or direction to resources will (hopefully) be useful. I'm trying to connect the dots to more adequately understand the security issues within uploading image files. From its inception, light hits a camera sensor and an image is created. Is it in binary form? ASCII? Other? Now suppose additional code is added to the image. (For this example, let's say it's a simple script that says Hello - which I suppose would STILL be considered malicious). If it's simply placed into the image code, how can I open the image (as the recipient) to see the code in its TEXT form? (I'm assuming that the code would need to be activated either by clicking the script or calling the code in order to actual function) And if the code is hidden or camouflaged by using an alternate character set, how would it be translated from the unnoticeable character set into something more meaningful in order to perform?

I guess it depends on what is being examined (and retained) by imagecreatefromjpeg(). Surely it's examining more than just the file extension to determine whether true or false. And if an image does PASS (as true) but contains malicious code, is it nullified? Suppose I take a 10 kb jpeg and incorporate 1 MB of evil scripting. The uploaded file is now the size of that sum, right? What size will it be after running through imagecreatefromjpeg? Does the process evaluate the file and eliminate/erase/void pieces that are not color/image related?? (Maybe I should learn to hack so I can test it myself, LoL)

I've got this working thanks to everybody that's assisted. Now I've got a more academic question: what exactly is $im = imagecreatefromjpeg($file); doing when it runs? More directly, suppose a malicious actor places evil code into a jpeg file that passes thru this function. Will the file always fail? Or is it more prudent to continue with: $file = $im; //overwrite with $im Because $im will somehow be 'cleansed' of the evil code that had been inserted. Is continuing with $file safe if it passed this examination? I'm trying to understand the inner workings, especially since I'm using this more as a security measures than a file reproduction method.

@kicken Thanks for the insight. I think/hope that I've got that figured out already, but I'll re-examine again. I've been trying to cover that case too. Perhaps I'll need a new thread, but I found it quite revealing while working on "file sanitization" when I discovered that Lil Bobby Tables could access my data. I've run tests where I added ?file=../../etc/passwd To the end of a php URL, but gotten nothing unexpected. Am I just lucky? Already secure? Or a bad hacker? How can I trigger a negative result to help me implement a more positive security protocol?

@gizmola Good information So essentially, if hosting a fun friendly site, the SESSION can remain active to greet the user every time they visit the website? But what if more security is desired, like a page with banking information? What's the best way to handle a log out and elimination of the session? Will this also eliminate the cookie?

What is it that I (might not) be seeing? What potential problems am I inviting? Or is this just a macho induced control issue? If a sub-folder named userDirs is designated for users to create folders with names that they want, where is the harm? If a user creates folder "puppy" and instead I initiated the new folder 345 (but I equate 345 to puppy), they will still see a URL path /blah/blah/userDirs/345, right? So a hacker will not have been stalled, will they? If the folder is not allowed to contain any . $?<>/ shouldn't that protect me? Or perhaps limiting name size and allowing only alphanumerics is better? I still feel like I'm missing a valuable piece to the puzzle. Insight, please.