Jump to content


  • Content Count

  • Joined

  • Last visited

Everything posted by Cobra23

  1. Yes, not to allow multiple zeros in one input box without another positive digit. It is a case of the client validation notifying the user of their input being wrong eg bootstraps red highlighted input boxes that notifies the user of the input being wrong and needs to be sorted. Inputs of two or more 0's only should not be allowed in this case. Anyways, I got this sorted with the following regex. /^([0]|[1-9]|[1-9][0-9]+)$/
  2. Hi, Is there a jQuery validator way to block two or more 0's input and allow one 0. Or even trim the inputs like 00 or 000 or 0000 or 00000 etc and replace it with 0. But I also, want to allow all 0's after a positive number. I can do it on server side no problem but in the jQuery validator i am struggling to do this. Thanks
  3. Thank you Barand. I will make a test with it and compare on my preference
  4. Are you using Wordpress by any chance? I asked because you mentioned a blog
  5. Very very similar Barand. One query is always best. How does one do the SVG part? I've never used SVG. I do have a few different colors and meanings for all the different graphs produced in the same table and their percentages. Anyways, I did get this to work perfectly for what i'm doing and stopped users getting kicked out. I'm still curious to know about the other option in SVG output instead of dynamically adding php variables automatically to the css and produce the classes.
  6. Gas = Laughable The whole idea of doing it this way is so the css classes can be created as soon as there's a change in the database, and then those classes are used in the html's div or span tags automatically. But this is too advanced for you by the way you have commented. Explaining it would be useless to you and will get more ridiculous questions. If you don't understand what headers are, how can you understand anything about generating css classes or even how sessions work (in regards to previous thread).
  7. Again, gas! Second post to me and you leave a gas comment, again 😂 I don't see why you have the need to comment on things you have no clue about? Especially not knowing about a header of "text/css" or the creation of css classes.
  8. This is a problem I had long ago with the same error. Include files allow the php closing tag of ?> but for closing brace } to not be closed in the include files, you will get that error. To make it work, you will need to move all that code with the opening and closing braces into the code you showed above or close it with a closing brace inside the include file.
  9. I was absolutely shattered when I wrote that. It needed to be more clearer. What I am trying to do is have the website automatically create css classes in a css file (mainly with a .php extension) but also have php, sql, and sessions data in that file so I can create unique classes that would change based on each users car_id and progress column names in the database (car_id is an example and not my real column name). I hope that helps. I forgot an include("/database-connection.php"); in the first line which contains a connection for the database. But If I use the above code and refresh or click the link, the following session $_SESSION['identity']; will sometimes become undeclared, and will kick me out of the website.
  10. Hi, I thought it was easier to open a new thread on a different topic. I have a css file that works fine with PHP, SQL and Sessions but this file affects my users by logging them out after a few clicks when a session is in the file due to it sometimes not recognizing the $_SESSION['identity'] where it gets undelcared. The session is the only way I can get it working from all my tests. <?php header("Content-type: text/css; charset: UTF-8"); header('Cache-control: must-revalidate'); mySessionFunction(); $identity = $_SESSION['identity']; $startquery = "SELECT `id` FROM `user_table` WHERE `identity` = :identity LIMIT 1"; $start1 = $connecting->prepare($startquery); $start1->execute(array(':identity' => $identity)); while ($start_row = $start1->fetch(PDO::FETCH_ASSOC)) { $id = $start_row['id']; $querySelect = "SELECT `car_id`, `progress` FROM `cars` WHERE `member_id` = :id LIMIT 1"; $query = $connecting->prepare($querySelect); $query->execute(array(':id' => $id)); $num = $query->rowCount(); if ($num !== 0) { while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $car_id = $row['car_id']; $progress = $row['progress']; echo '.progressed'.$car_id.'{width: '.$progress.'%;}'; if ($progress === 0) { $hidden_progress = '100'; } else { $progress1 = $progress; $hidden_progress = 100 - $progress1; } echo '.hiddenprogressed'.$car_id.'{width: '.$hidden_progress.'%;}'; } } } ?> What I am looking for is how can I get this to work in a different way but to accept the id and progress into the css file. Each user will have different data, so this is why I am doing it this way. Maybe there is a better way outside of css but inline css is not allowed.
  11. I pin pointed the problem 🙄 It was due to the creation of css files with php which in turn had another session in the css that confused the system. It was the only way I could generate them with the exact results. By disabling that, no more kicking out. Onto creating one a new way now. Cheers for helping
  12. Sorry kicken, I didn't see your comment. I was just silly with the session.cache_limiter set to as private. That just saves a cache of the whole page without getting any new updates from the database when logged in. Although, the cache would stop kicking me out of safari, it's not what I need as I need updated content that changes any time. My problem is with safari browser and not really with the sessions as the session file is still active in my tests. So I think the cookies are deleted on the client side with safari even though browser settings are set to not delete them. This happens mostly on some links (sometimes) and repeatedly clicking its link. I did have this problem on Google Chrome but sorted that with jQuery "on" events via the click to not allow a second click until page is loaded. This may be caused by bootstrap 3. I tried adding cookie expiry to 3600 instead of 0 in php.ini which added the expiry date but had no affect on sorting the problem. Also, safari doesn't detect the SameSite settings in htaccess while the other browsers do. It might have to be a case of going to php 7.3 for this to work. SameSite=Strict
  13. Gas! I think I may have sorted it with the php.ini of session.cache_limiter = private I'm not sure of it's restrictions or vulnerabilities, so i'll have to find out on that. and activated: session.gc_divisor = 100
  14. I just want mine to be very secure and private as possible without the use of cookies like PHPSESSID or keeping sessions in the original assigned folder. But having some problems keeping users logged in. That's why i'm asking the question for some advice and help on this.
  15. What do you mean exactly?
  16. Hi, I have sessions and cookies for my website with PHP 7.2 version. But now and again, it logs me out quickly. Sometimes after 10 minutes inactivity, other times it doesn't, or even sometimes on clicking a link on the site. I can't tell if it is the browsers settings which I changed, but made no difference. Can anybody see a problem with my sessions, if that is set up wrong and if it is the reason as to why I am getting logged out of my site a lot without logging out? htaccess Header always edit Set-Cookie (.*) "$1; SameSite=Strict" php.ini session.name = __MySession session.save_path = /path-to-sessions session.hash_function = sha512 session.gc_maxlifetime = 3600 session.gc_probability = 1 ; session.gc_divisor = 100 session.cookie_lifetime = 0 session.use_only_cookies = 1 session.use_trans_sid = 0 session.cookie_secure = 1 session.use_strict_mode = 1 session.cookie_httponly = 1 session.use_cookies = 1 session.referer_check = http://www.my-domain.com/ session.cache_limiter = nocache sessions function <?php function mySiteSession() { $session_name = '__MySession'; $cookie_domain = "www.my-domain.com"; if (strpos($_SERVER['REQUEST_URI'], 'secured-area')) { $cookie_path = "/secured-area/"; $saved_path_location = '/path-to-sessions'; ini_set('session.save_path', $saved_path_location); } else { if (strpos($_SERVER['REQUEST_URI'], 'contact-us-now') && !strpos($_SERVER['REQUEST_URI'], 'secured-area')) { $cookie_path = "/contact-us-now/"; $saved_path_location = '/path-to-sessions'; ini_set('session.save_path', $saved_path_location); $max_life_time_seconds = 3600; $_SESSION['created'] = time(); $session_life_time_seconds = time() - $_SESSION['created']; if ($session_life_time_seconds > $max_life_time_seconds) { session_destroy(); session_unset(); } } else { $cookie_path = "/secured-area/"; $saved_path_location = '/path-to-sessions'; ini_set('session.save_path', $saved_path_location); } } $cookie_secure = false; // website is not live and no https yet $cookie_httponly = true; $cookieParams = session_get_cookie_params(); session_set_cookie_params($cookieParams["lifetime"], $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly); session_name($session_name); secureSession(); session_write_close(); $cleanSession = @secureSession(); if (!$cleanSession) { session_regenerate_id(true); secureSession(); } session_regenerate_id(true); } function secureSession() { if (isset($_COOKIE[session_name()]) && preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[session_name()])) { session_start(); } else if (isset($_COOKIE[session_name()])) { unset($_COOKIE[session_name()]); session_start(); } else { session_start(); } } ?> Web Page Layout <?php ob_start(); // some pages have this but not all mySiteSession(); // my sites code and html ob_flush(); // some pages have this but not all ?> I hope that this is enough information, as I am not sure how to get to the bottom of this.
  17. Do you mean PDO connection? DNS connection is completely different. We can't tell you if your PDO connection works at all if you don't provide any error messages you received when you submit the form. As with your Connection.php file, the code in there should be something similar to: <?php $host = 'localhost'; $db = 'my database name'; $user = 'my database username'; $pass = 'my database password'; $charset = 'utf8mb4'; $dsn = "mysql:host=$host;dbname=$db;charset=$charset"; $options = [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, PDO::ATTR_EMULATE_PREPARES => false, ]; try { $conn = new PDO($dsn, $user, $pass, $options); } catch (\PDOException $e) { throw new \PDOException($e->getMessage(), (int)$e->getCode()); } ?>
  18. I did a good bit of research on that. The remote port was the wrong solution with this case. The more ports one adds to the list the longer it will take to finish. I have 0.1s set which is the same as 100ms, this means that it takes 100ms per port. If it takes the RTT (round-trip time) 0.3ms seconds per port and 44ms for TCP sync to all ports (65,536 of them) with a total of 44.3ms, then the 100ms set in my connection is well over that time per port which surely should be enough time. Am I going in the wrong direction in my thinking of this?
  19. I understand that I can't block them all. What i'm trying to do is block those that are most common if not most of them. I'm avoiding the blacklist services with api's for the moment. Isn't the following code a better solution to getting the port from the user and quicker without continually doing a scan: <?php $_SERVER['REMOTE_PORT'] ?> Which in turn can be placed as: <?php $ports = array(80, 81, 553, 554, 1080, 3128, 4480, 6588, 8000, 8080); $port = $_SERVER['REMOTE_PORT']; if (in_array($port, $ports)) { header("Location: /proxy-not-allowed/"); die; } ?> As for the services, even if its developers with wamp, lamp etc, gamers and so on using different ports. I'm not interested in these users as customers.
  20. Hi, I'm trying to understand any how I can block all users trying to view my website through proxies. With the following code, what I have done is a quick version through php (with headers and ports) and not the firewall which isn't exactly the best way but still stops a lot of them. <?php $user_ip = $_SERVER['REMOTE_ADDR']; $headers = array('CLIENT_IP','FORWARDED','FORWARDED_FOR','FORWARDED_FOR_IP','VIA','X_FORWARDED','X_FORWARDED_FOR','HTTP_CLIENT_IP','HTTP_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED_FOR_IP','HTTP_PROXY_CONNECTION','HTTP_VIA','HTTP_X_FORWARDED','HTTP_X_FORWARDED_FOR'); foreach ($headers as $header) { if (isset($_SERVER[$header])) { header("Location: /proxy-not-allowed/"); die; } } $queryIP = "SELECT `user_ip_address` FROM `my_table` WHERE `user_ip_address` = :user_ip_address AND `user_blocked` = :user_blocked LIMIT 1"; $queryIP1 = $pdo->prepare($queryIP); $queryIP1->execute(array(':user_ip_address' => $user_ip, ':user_blocked' => 'No')); $queryIP2 = $queryIP1->rowCount(); if ($queryIP2 === 0) { $ports = array(80, 81, 553, 554, 1080, 3128, 4480, 6588, 8000, 8080); foreach ($ports as $port) { $connection = @fsockopen($user_ip, $port, $errno, $errstr, 0.1); if (is_resource($connection)) { header("Location: /proxy-not-allowed/"); die; } } } ?> The headers script blocks any proxy sending those headers while the ports script blocks those using any assigned ports I add. I have tested this which seems to be good, though it won't block all proxies due to the assigned one I have. Is this the best way to go about blocking scripts if I don't have access to the firewall? What I am trying to do is allow users to view my HTTPS website normally and block all proxies. Even if I have some users blocked, I do not want them to be cheeky and use a proxy or even register on my website through a proxy. I was thinking of just using the 443 port as my website is https (is that wise?). Any advice would be great.
  21. I wasn't expecting this reply. But I will answer them anyways, the $items_on_each_page is the default number I set (eg. 50) as of how many items are allowed on each page. Before we get the $started_page, we need the $page_number which is coming from the $_GET variable in the browsers link which will either be 1 or greater. Never 0 or a non number. As for SQL injections, thats the user injecting malicious code into the user inputs which in turn can exploit the database. But with PDO done right, filtering, sanitising and validating user input, the system can be safe from SQL injection. From what I know and how you went about your reply, it seems like the LIMIT is safe to use the way I have it. I just wasn't sure if thats the case with PDO as the LIMIT was outside the query. Thanks requinix
  22. I have searched for a solution to a code that I wrote, with unique numbers in the SQL statement of LIMIT at the end and using execute(). I have also set PDO::ATTR_EMULATE_PREPARES, false I know that there is ways to use bindValue() or bindParam() instead of execute() for this. However, the way I have it set up works, but is there a security flaw with the way I am using LIMIT and should I be using bindParam() instead of execute()? <?php if ($numbered_row == 0) { $limitation = ''; } else { $started_page = ($page_number - 1) * $items_on_each_page; $limitation = ' LIMIT '. $started_page . ',' . $items_on_each_page; } $sql_query = "SELECT * FROM `myTable` WHERE `id` = :id AND `group` = :group AND `name` LIKE :name AND `country` = :country ORDER BY `date` DESC" . $limitation; $query_result = $pdo_connecting->prepare($sql_query); $query_result->execute(array(':id' => '73', ':group' => 'Furniture', ':name' => '%'.$name.'%', ':country' => $country)); ?>
  23. Thank you for the very clear explanation. I can understand how preg_match will be repeated by keep looking for matches in long textareas especially for those used for messages or with content editors used for a summary section or bio. I don't seem to know of a quicker solution than using preg_match for validation as i am filtering, sanitizing and using preg_replace before it. As with lengths similar or even much bigger than the {2,100}+, I am also using strlen before it so I thought that having it's min/max length also in the preg_match will help performance (but believe it's not required if i'm using strlen before it). Is there a solution to using something better than preg_match for long textareas like messages or content editors as I wouldn't want it to become slow or stall?
  24. Thank you very much. I think I used double backslashes because of it crashing or not working due to some of the special characters and got carried away on the others using the same thing. I can see that you have the single backslash before the 3 below: /,- apart from the above 3 and: \s \r \n \d Is there any other special characters that requires the backslash without crashing? Or an online reference to this?
  25. Hello, Can you please help with 3 regex codes I have as I am in experienced with this but they do seem to work fine. What I do not understand is if they do avoid a ReDOS attack as I do not know how to test them. <?php preg_match("/^[A-Za-z0-9.\-\,\!\'\s\r?\n]{2,100}+$/", $mycontent) preg_match("/^[A-Za-z0-9\\!\\@\\)\\-\\_\\#]{8,10}$/D", $mycontent) preg_replace("/[^A-Za-z0-9\\<\\>\\.\\/\\,\\'\\;\\:\\&\\!\\%\\s]/", "", $mycontent) ?> Are the two backslashes acceptable in this? Or is it designed wrong?
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.