About Cobra23

  1. Cobra23

    PHP Login Form by using PDO connection

    Do you mean PDO connection? DNS connection is completely different. We can't tell you if your PDO connection works at all if you don't provide any error messages you received when you submit the form. As for your Connection.php file, the code in there should be something similar to:

    <?php
    $host = 'localhost';
    $db = 'my database name';
    $user = 'my database username';
    $pass = 'my database password';
    $charset = 'utf8mb4';
    $dsn = "mysql:host=$host;dbname=$db;charset=$charset";
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        PDO::ATTR_EMULATE_PREPARES => false,
    ];
    try {
        $conn = new PDO($dsn, $user, $pass, $options);
    } catch (\PDOException $e) {
        throw new \PDOException($e->getMessage(), (int)$e->getCode());
    }
    ?>
  2. Cobra23

    Proxy Prevention

    I did a good bit of research on that. The remote port was the wrong solution with this case. The more ports one adds to the list the longer it will take to finish. I have 0.1s set which is the same as 100ms, this means that it takes 100ms per port. If it takes the RTT (round-trip time) 0.3ms seconds per port and 44ms for TCP sync to all ports (65,536 of them) with a total of 44.3ms, then the 100ms set in my connection is well over that time per port which surely should be enough time. Am I going in the wrong direction in my thinking of this?
  3. Cobra23

    Proxy Prevention

    I understand that I can't block them all. What I'm trying to do is block those that are most common, if not most of them. I'm avoiding the blacklist services with APIs for the moment. Isn't the following code a better solution to getting the port from the user, and quicker without continually doing a scan:

    <?php $_SERVER['REMOTE_PORT'] ?>

    Which in turn can be placed as:

    <?php
    $ports = array(80, 81, 553, 554, 1080, 3128, 4480, 6588, 8000, 8080);
    $port = $_SERVER['REMOTE_PORT'];
    if (in_array($port, $ports)) {
        header("Location: /proxy-not-allowed/");
        die;
    }
    ?>

    As for the services, even if it's developers with WAMP, LAMP etc., gamers and so on using different ports, I'm not interested in these users as customers.
  4. Cobra23

    Proxy Prevention

    Hi, I'm trying to understand how I can block all users trying to view my website through proxies. With the following code, what I have done is a quick version through PHP (with headers and ports) and not the firewall, which isn't exactly the best way but still stops a lot of them.

    <?php
    $user_ip = $_SERVER['REMOTE_ADDR'];
    $headers = array('CLIENT_IP', 'FORWARDED', 'FORWARDED_FOR', 'FORWARDED_FOR_IP', 'VIA', 'X_FORWARDED', 'X_FORWARDED_FOR',
        'HTTP_CLIENT_IP', 'HTTP_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED_FOR_IP', 'HTTP_PROXY_CONNECTION',
        'HTTP_VIA', 'HTTP_X_FORWARDED', 'HTTP_X_FORWARDED_FOR');
    foreach ($headers as $header) {
        if (isset($_SERVER[$header])) {
            header("Location: /proxy-not-allowed/");
            die;
        }
    }
    $queryIP = "SELECT `user_ip_address` FROM `my_table` WHERE `user_ip_address` = :user_ip_address AND `user_blocked` = :user_blocked LIMIT 1";
    $queryIP1 = $pdo->prepare($queryIP);
    $queryIP1->execute(array(':user_ip_address' => $user_ip, ':user_blocked' => 'No'));
    $queryIP2 = $queryIP1->rowCount();
    if ($queryIP2 === 0) {
        $ports = array(80, 81, 553, 554, 1080, 3128, 4480, 6588, 8000, 8080);
        foreach ($ports as $port) {
            $connection = @fsockopen($user_ip, $port, $errno, $errstr, 0.1);
            if (is_resource($connection)) {
                header("Location: /proxy-not-allowed/");
                die;
            }
        }
    }
    ?>

    The headers script blocks any proxy sending those headers, while the ports script blocks those using any assigned ports I add. I have tested this, which seems to be good, though it won't block all proxies due to the assigned ones I have. Is this the best way to go about blocking scripts if I don't have access to the firewall? What I am trying to do is allow users to view my HTTPS website normally and block all proxies. Even if I have some users blocked, I do not want them to be cheeky and use a proxy or even register on my website through a proxy. I was thinking of just using the 443 port as my website is HTTPS (is that wise?). Any advice would be great.
  5. Cobra23

    PDO select query with unique LIMIT. Secure?

    I wasn't expecting this reply. But I will answer them anyway: the $items_on_each_page is the default number I set (e.g. 50) for how many items are allowed on each page. Before we get the $started_page, we need the $page_number, which is coming from the $_GET variable in the browser's link and will either be 1 or greater. Never 0 or a non-number. As for SQL injections, that's the user injecting malicious code into the user inputs, which in turn can exploit the database. But with PDO done right, filtering, sanitising and validating user input, the system can be safe from SQL injection. From what I know and how you went about your reply, it seems like the LIMIT is safe to use the way I have it. I just wasn't sure if that's the case with PDO as the LIMIT was outside the query. Thanks requinix
  6. I have searched for a solution to a code that I wrote, with unique numbers in the SQL statement of LIMIT at the end and using execute(). I have also set PDO::ATTR_EMULATE_PREPARES, false. I know that there are ways to use bindValue() or bindParam() instead of execute() for this. However, the way I have it set up works, but is there a security flaw with the way I am using LIMIT and should I be using bindParam() instead of execute()?

    <?php
    if ($numbered_row == 0) {
        $limitation = '';
    } else {
        $started_page = ($page_number - 1) * $items_on_each_page;
        $limitation = ' LIMIT ' . $started_page . ',' . $items_on_each_page;
    }
    $sql_query = "SELECT * FROM `myTable` WHERE `id` = :id AND `group` = :group AND `name` LIKE :name AND `country` = :country ORDER BY `date` DESC" . $limitation;
    $query_result = $pdo_connecting->prepare($sql_query);
    $query_result->execute(array(':id' => '73', ':group' => 'Furniture', ':name' => '%' . $name . '%', ':country' => $country));
    ?>
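    A safer way to build the paged query from this thread, as an added example (not the poster's or the replies' code): validate the page number as an integer and bind LIMIT and OFFSET with PDO::PARAM_INT rather than concatenating them into the SQL. It assumes PHP with the pdo_sqlite driver so it runs stand-alone; the in-memory table, column names and rows are constructed for the demo.

```php
<?php
// Added example, not the poster's code: LIMIT/OFFSET bound as integers instead
// of concatenating $page_number into the SQL. Uses an in-memory SQLite database
// so it runs stand-alone; table, columns and rows are constructed for the demo.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$pdo->exec('CREATE TABLE `myTable` (`id` INTEGER PRIMARY KEY, `name` TEXT, `date` TEXT)');
$ins = $pdo->prepare('INSERT INTO `myTable` (`name`, `date`) VALUES (:name, :date)');
for ($i = 1; $i <= 120; $i++) {
    $ins->execute([':name' => "item $i", ':date' => sprintf('2020-01-%03d', $i)]);
}

// The page number from $_GET must be an integer >= 1; anything else
// ("", "0", "-5", "1 OR 1=1") is rejected and page 1 is used instead.
function pageNumber(array $get): int
{
    $page = filter_var($get['page'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $page === false ? 1 : $page;
}

// LIMIT and OFFSET are placeholders bound with PDO::PARAM_INT. With emulated
// prepares off the values reach the driver as integers and never touch the SQL text.
function fetchPage(PDO $pdo, int $page, int $itemsOnEachPage = 50): array
{
    $stmt = $pdo->prepare('SELECT `id`, `name` FROM `myTable` ORDER BY `date` DESC LIMIT :limit OFFSET :offset');
    $stmt->bindValue(':limit',  $itemsOnEachPage,              PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * $itemsOnEachPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Constructed inputs: a normal page, then a hostile value that must never reach the SQL.
foreach (['2', '1 OR 1=1'] as $raw) {
    $page = pageNumber(['page' => $raw]);
    $rows = fetchPage($pdo, $page);
    printf("page=%-9s -> validated page %d, %d rows, first id %d\n",
        $raw, $page, count($rows), $rows[0]['id']);
}
```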
  7. Cobra23

    Help on Regex's to avoid ReDOS attack

    Thank you for the very clear explanation. I can understand how preg_match will be repeated by continuing to look for matches in long textareas, especially those used for messages or with content editors used for a summary section or bio. I don't seem to know of a quicker solution than using preg_match for validation, as I am filtering, sanitizing and using preg_replace before it. As for lengths similar to or even much bigger than the {2,100}+, I am also using strlen before it, so I thought that having its min/max length also in the preg_match would help performance (but I believe it's not required if I'm using strlen before it). Is there a solution to using something better than preg_match for long textareas like messages or content editors, as I wouldn't want it to become slow or stall?
  8. Cobra23

    Help on Regex's to avoid ReDOS attack

    Thank you very much. I think I used double backslashes because of it crashing or not working due to some of the special characters, and got carried away on the others using the same thing. I can see that you have the single backslash before the 3 below: /,- apart from the above 3 and: \s \r \n \d. Are there any other special characters that require the backslash without crashing? Or an online reference to this?
  9. Hello, can you please help with 3 regex codes I have, as I am inexperienced with this but they do seem to work fine. What I do not understand is if they do avoid a ReDOS attack, as I do not know how to test them.

    <?php
    preg_match("/^[A-Za-z0-9.\-\,\!\'\s\r?\n]{2,100}+$/", $mycontent);
    preg_match("/^[A-Za-z0-9\\!\\@\\)\\-\\_\\#]{8,10}$/D", $mycontent);
    preg_replace("/[^A-Za-z0-9\\<\\>\\.\\/\\,\\'\\;\\:\\&\\!\\%\\s]/", "", $mycontent);
    ?>

    Are the two backslashes acceptable in this? Or is it designed wrong?
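    One way to test the three patterns for runaway backtracking, as an added example (not the poster's or the replies' code): run each over long constructed inputs with a lowered pcre.backtrack_limit and report the elapsed time and preg_last_error_msg(). It assumes PHP 8+ with the pcre extension; the inputs are constructed for the demo.

```php
<?php
// Added example, not the poster's code: a self-test that runs the three patterns
// from the question over long constructed inputs and reports the elapsed time and
// whether PCRE hit its backtrack limit. Assumes PHP 8+ (preg_last_error_msg).
// The limit is lowered so a runaway match fails fast instead of stalling a request.
ini_set('pcre.backtrack_limit', '100000');

$patterns = [
    'content'  => "/^[A-Za-z0-9.\-\,\!\'\s\r?\n]{2,100}+$/",
    'password' => "/^[A-Za-z0-9\\!\\@\\)\\-\\_\\#]{8,10}$/D",
    'cleanup'  => "/[^A-Za-z0-9\\<\\>\\.\\/\\,\\'\\;\\:\\&\\!\\%\\s]/",
];

// Constructed inputs: a ~100 KB body of allowed characters, and the same body
// with a disallowed byte appended, which is where a backtracking regex would stall.
$long   = str_repeat('Hello world, ', 8000);
$inputs = ['long' => $long, 'long_then_bad' => $long . "\x00"];

// Run one pattern over one input; returns [matched, seconds, pcre error text].
// The cleanup pattern is exercised with preg_replace, as in the original post.
function probe(string $name, string $pattern, string $input): array
{
    $start = hrtime(true);
    if ($name === 'cleanup') {
        $ok = preg_replace($pattern, '', $input) !== null;
    } else {
        $ok = preg_match($pattern, $input) === 1;
    }
    return [$ok, (hrtime(true) - $start) / 1e9, preg_last_error_msg()];
}

foreach ($patterns as $name => $pattern) {
    foreach ($inputs as $label => $input) {
        [$ok, $seconds, $err] = probe($name, $pattern, $input);
        printf("%-8s %-13s matched=%-3s %.4fs  pcre=%s\n",
            $name, $label, $ok ? 'yes' : 'no', $seconds, $err);
    }
}
```

    A pattern that reports "Backtrack limit exhausted" or a time that grows sharply with input length is the one to rewrite; a pattern that fails fast on the bad input is not backtracking.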
  10. Cobra23

    sending email from form

    Just saw your last message. Try and change that form action to mailForm.php ;-). The reason you got that error is because you have thankYou.php in the form's action while $email is not even defined on the thankYou.php page.
  11. Cobra23

    sending email from form

    The first error message: the mail() function expects 3 parameters.

    $message = 'My message';
    mail($admin, $subject, $message);

    I've no idea why you got rid of $message previously. I asked where it was defined. 2nd error: I notice from the error address that mailForm.php is in fact THAT PAGE. If you delete header('mailForm.php'); you'll solve that error. Also, what I'm trying to figure out is why you have "thankYou.php" in the form's action when you want to submit this page to mailForm.php (which is the same page you are submitting it from). I think I understand what you did with the form action there. With the code you showed us, you merged the two pages together into one ... just to show us.
  12. That's why I'm here. I know it's going to be implementing bits of different programming languages bit by bit, and I was hoping to see if there is a quick solution for each of those parts that will help me on my way to what I want to do. As I have said, I'm new to APIs and JSON. I was really hoping to be guided on how I can go about this, with any quick solution to generate the code if possible (which would be a bonus but unlikely). I also want to see what the best options are for each one, especially the kind of APIs to use, as well as if JSON is the right secure solution for this project or if there are other choices that would be recommended. Just to note that my main skills are HTML, PHP, CSS, JavaScript, SQL.
  13. Cobra23

    sending email from form

    My mistake. Cheers for correcting it, Barand.
  14. Cobra23

    sending email from form

    I understand you don't have much knowledge of PHP programming. When you get an error in PHP it always means that the error has happened anywhere ahead of that line number ... never below it. I would recommend you delete the following code:

    }
    if($_POST['submit']){

    Normally if(isset($_POST['submit'])) is the correct code, but you don't need to do it twice in your case. Also:

    } else {
        echo "<h4>Error - Recovery Error</h4>
        <p>There was an error sending a recovery password. If the problem persists, please contact us directly.</p>";
    }
    header(Location: 'mailForm.php'); //change to contactUs.php when testing is done
    }

    is the correct order, due to that mailForm.php being redirected after the validation is done. But I'm getting the feeling that the mailForm.php code is something else and shouldn't be there at all. Maybe it's supposed to be an include file, but I can't say. Can you post the mailForm.php code?
  15. Cobra23

    sending email from form

    Always Google the error message if you don't know what it means. That error usually means that you forgot a closing brace }. Also, get rid of the following code: $error_message = and replace it with echo. You should also have your header(Location: ....) below all the code and inside the if($_POST['submit']){ } so everything else works before you are redirected.
