Swarfega

Members
  • Posts: 38
Everything posted by Swarfega

  1. Hello. I am unsure if this is even possible, but I was wondering if there's any way to pass a parameter from a PHP file when running a .SQL file using shell_exec? Something like

         $PassParameter = "Test";
         $cmd = "mysql -uName -pHidden -h hostIP -D dBName $PassParameter < script/path/here";
         $out = shell_exec($cmd . '/file.sql');

     And let's say the SQL file is something like

         INSERT INTO test VALUES('1', '2', '@PASSED-PARAMETER@');

     The reason I need to pass a parameter to an .SQL file before running it is because using PHP to insert into a table that's using a Blob column (I have the Blobs saved) does not work. It only inserts part of the Blob, and therefore I cannot use that method, but running an .SQL file inserts the entirety of the Blob, and can therefore be used, if I can pass a parameter. Any ideas?
  2. Hey. Making a simple while loop with an Array to bring me the required MSSQL queries, but it's resulting in Unexpected T_Variable and I can't find the problem as the same script worked in the past. Here's the code

         <?php
         $array = array (32, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240, 256, 272, 288, 464, 480, 496, 512, 2608, 2640, 2736, 3360, 3424, 3488, 3504, 3520, 3584, 3648, 3680, 3712, 3760, 3792, 4000, 4032, 4096, 4128, 4176, 4192, 4208, 4288, 304, 320, 336, 352, 368, 384, 400, 416, 432, 448, 528, 554, 560, 576, 592, 608, 624, 640, 656, 672, 688, 704, 720, 736, 752, 768, 784, 816, 832, 848, 864, 880, 896, 912, 928, 944, 960, 976, 992, 1008, 1024, 1040, 1056, 1072, 1088, 1104, 1120, 1136, 1168, 1184, 1200, 1216, 1232, 1248, 1264, 1280, 1312, 1328, 1344, 1360, 1376, 1392, 1408, 1424, 1440, 1456, 1472, 1504, 1520, 1536, 1552, 1568, 1584, 1600, 1696, 1712, 1744, 1760, 1792, 1808, 1824, 1840, 1856, 1872, 188, 1904, 1920, 1936, 1952, 1984, 2000, 2016, 2032, 2048, 2064, 2080, 2096, 2112, 2128, 2144, 2160, 2192, 2208, 2224, 2256, 2272, 2304, 2320, 2336, 2352, 2368, 2384, 2400, 2416, 2432, 2448, 2464, 2480, 2496, 2512, 2528, 2544, 2560, 2576, 2592, 2624, 2656, 2672, 2688, 2704, 2720, 2752, 2768, 2784, 2800, 2816, 2832, 2848, 2880, 2912, 2928, 2944, 2960, 2976, 2992, 3008, 3024, 3040, 3056, 3072, 3088, 3104, 3120, 3136, 3152, 3168, 3184, 3200, 3216, 3232, 3280, 3296, 3312, 3328, 4320, 3268, 4400, 4416, 4608, 4640, 4672, 4688, 4720, 4768);
         $i = 31;
         $x = 5000;
         while($i < $x) {
             if(in_array($i, $array)) {
                 echo "Exec dbo.hiddenprocedure '".$i ."', 350000 <br/>";
             }
             $i = $i + 1;
         }
         ?>

     This is the error code

         Parse error: syntax error, unexpected T_VARIABLE

     Now the really stupid part is that I'm getting the same problem even if I use something like this

         <?php echo 'hi'; ?>

     So my first thought was the PHP tag, but that seems fine as well. Any ideas?
  3. Thanks, I got it working after doing what you said. Was more or less concerned about someone injecting in order to release all the database data publicly on some random forum. Going to spend my night implementing this into a site of 357 PHP files, woo, fun times!
  4. Yes, I read up a little bit on intval and I get what you mean. It's working on most of the site, but when it comes to the individual-user Albums displaying enlarged-pictures, it does not.

         &targetid=x&albumid=x&imageid=18
         ^^^^^^ Displays Image properly

         &targetid=x&albumid=x&imageid='18
         ^^^^^^ Does not display any image and instead gives this

         Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in public_html/user/album/visa.php on line 561
         Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in public_html/user/album/visa.php on line 566
         Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in public_html/user/album/visa.php on line 637

     Using $imid = intval($_GET['imageid']) before the query and using $imid in the query.
  5. I have never heard of intval Method before, I'll look it up! Also, I had the same issue with Profile.php?uid=XX (Total Reg Count over 1000 so 1000 possible SQL Injections) but on this one I went with an experiment:

         $_GET['uid'] = str_replace("'", "", $_GET['uid']);

     So it replaces all ' with nothing-ness, and it's working. Is that an OK way to treat the Profile in this matter? I'm going to do some reading on the intval now!
  6.     $l = 0;
         switch($_GET['id']) {
             case 1: $l = 1; break;
             case 2: $l = 2; break;
             case 3: $l = 3; break;
             case 4: $l = 4; break;
             case 5: $l = 5; break;
             case 6: $l = 6; break;
             case 7: $l = 7; break;
             case 8: $l = 8; break;
             case 9: $l = 9; break;
             case 10: $l = 10; break;
             case 11: $l = 11; break;
             case 12: $l = 12; break;
         }
         $sql = "SELECT * FROM games WHERE id=$l";
         $query = mysql_query($sql);
         $rowcount = mysql_num_rows($query);

     Doing this stops the injection possibility but isn't a very smooth way to go by it I'm guessing.
  7. Hey so I've got this small "Game-Corner" part of my website, loading the Games through $_GET id=number, and it's currently a possible spot to do an SQL injection, and I want to stop this, but I can't. I've personally tried to inject it to see how I would stop it myself, but no matter how hard I try, I can't manage to use the vulnerability properly.

         http://domainname.nu/game.php?id=8 <<< Results in loading game
         http://domainname.nu...e.php?id=8' <<< Results with:

         Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /public_html/user/game.php on line 246
         Invalid Game ID. Click Here to continue.

     Query + Line 246:

         $sql = "SELECT * FROM games WHERE id='".$_GET['id']."'";
         $query = mysql_query($sql);
         $rowcount = mysql_num_rows($query); // <<<< Line 246

     I know using PDO is much more efficient, but I'm still learning PDO and I'd like a temporary fix for the injection issue until I'm more comfortable with PDO. Any ideas?
  8. Thanks for the quick reply! My host seems to have event schedules disabled & only allowing 'Super' privileges to enable/disable and/or add-new/modify events, but I'll contact them about that. Thanks again!
  9. Hey. I've only been using MySQL/PHPMyAdmin for about a week now, so I'm still kind of fragile on all of the features they provide, but I wanted to ask if there's a way to create a Query which is run every day at a specific time, like let's say Midnight (00:00:00)? IE:

         "DELETE * FROM tablename"; <<-- Every day at Midnight

     I've been looking around but found no real answers to my question. Thanks!
  10. Well I decided to simply add another Column for the Current Date Year-Month-Day, and add that to the While loop of logout-timer, so it selects only where the date=current date.
  11. Hey. Recently did this to my site:

      1 - Added a new Column to the Users Database using Hour-Minute-Second
      2 - New PHP which runs every time a user loads a page = Updates the last_activity column
      3 - New PHP which runs every time a user loads a page = Checks for Offline users and marks them as offline

      This works, to some degree. I'm having an issue tho. If a user doesn't log on for, let's say, 12 hours or a whole day, the system does not recognize them as having been offline that long, because their last saved Activity would still be something like "15:03:52" and because of this the System randomly puts them online when they're not really online. I was wondering if anyone has a decent fix for this? These are the two PHPs I'm using

      update_timer.php

          <?php
          session_start();
          require_once('config.php');
          $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
          if(!$link) {
              die('Failed to connect to server: ' . mysql_error());
          }
          //Select database
          $db = mysql_select_db(DB_DATABASE);
          if(!$db) {
              die("Unable to select database");
          }
          $getdate = date('H:i:s');
          $SQL = "UPDATE potatis SET last_activity='".$getdate."' WHERE uid='".$_SESSION['SESS_MEMBER_ID']."'";
          mysql_query($SQL) or die(mysql_error());
          ?>

      logout_timer.php

          <?php
          require_once('config.php');
          $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
          if(!$link) {
              die('Failed to connect to server: ' . mysql_error());
          }
          //Select database
          $db = mysql_select_db(DB_DATABASE);
          if(!$db) {
              die("Unable to select database");
          }
          $getdate = date("H:i:s");
          $date = explode(":", $getdate);
          $date[0] = $date[0] * 60 * 60;
          $date[1] = $date[1] * 60;
          $totalsecondsnow = $date[0] + $date[1] + $date[2];
          $SQL = "SELECT uid, last_activity FROM potatis";
          $RESULT = mysql_query($SQL);
          while($row = mysql_fetch_assoc($RESULT)) {
              $thendate = explode(":", $row['last_activity']);
              $thendate[0] = $thendate[0] * 60 * 60;
              $thendate[1] = $thendate[1] * 60;
              $totalsecondsthen = $thendate[0] + $thendate[1] + $thendate[2];
              $totalsecondsallowed = $totalsecondsthen + 900;
              if($totalsecondsnow > $totalsecondsallowed) {
                  $qry = "UPDATE potatis SET connected='offline' WHERE uid='". $row['uid'] . "'";
                  mysql_query($qry) or die(mysql_error());
              }
          }
          ?>
  12. Wow, can't believe I missed that... But yeah it seems to be working properly now, hope it stays that way.. Thanks!
  13. Hey. I've made a script that would auto-logout users if they have not been active for 15min, but it seems to not be working properly.. I've included these two files in ALL my PHPs that display data, so that each and every single user contributes to the Currently-Online-Members script whenever they click one of the links.

      update_timer.php

          <?php
          session_start();
          require_once('config.php');
          $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
          if(!$link) {
              die('Failed to connect to server: ' . mysql_error());
          }
          //Select database
          $db = mysql_select_db(DB_DATABASE);
          if(!$db) {
              die("Unable to select database");
          }
          $getdate = date('H:i:s');
          $SQL = "UPDATE potatis SET last_activity='".$getdate."' WHERE uid='".$_SESSION['SESS_MEMBER_ID']."'";
          mysql_query($SQL) or die(mysql_error());
          ?>

      logout_timer.php

          <?php
          require_once('config.php');
          $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
          if(!$link) {
              die('Failed to connect to server: ' . mysql_error());
          }
          //Select database
          $db = mysql_select_db(DB_DATABASE);
          if(!$db) {
              die("Unable to select database");
          }
          $getdate = date("H:i:s");
          $date = explode(":", $getdate);
          $date[0] = $date[0] * 60 * 60;
          $date[1] = $date[1] * 60;
          $totalsecondsnow = $date[0] + $date[1] + $date[2];
          $SQL = "SELECT uid, last_activity FROM potatis";
          $RESULT = mysql_query($SQL);
          while($row = mysql_fetch_assoc($RESULT)) {
              $thendate = explode(":", $row['last_activity']);
              $thendate[0] = $thendate[0] * 60 * 60;
              $thendate[1] = $thendate[1] * 60;
              $totalsecondsthen = $thendate[0] + $thendate[1] + $thendate[2];
              $totalsecondsallowed = $totalsecondsthen + 900;
              if($totalsecondsnow > $totalsecondsthen) {
                  $qry = "UPDATE potatis SET connected='offline' WHERE uid='". $row['uid'] . "'";
                  mysql_query($qry) or die(mysql_error());
              } else {
                  $qry = "UPDATE potatis SET connected='online' WHERE uid='". $row['uid'] . "'";
                  mysql_query($qry) or die(mysql_error());
              }
          }
          ?>

      But it does not seem to work properly.. One person signed on at 13:53 my time, the time when I checked the database, her last_activity was 13:53:43 or something, and the current time was 13:55:23, yet it still showed her being offline, is that not just very wrong? Where did I go wrong in the script to make that happen?

      Edit: It does however not put MY user as Offline when I click on a link, my last_activity was 14:01
  14. Yes, but even if I do that, it wouldn't really work out would it? Unless I convert literally everything to Seconds I guess..

          $getdate = date("H:m:s");
          $date = explode(":", $getdate);
          $date[0] = $date[0] * 60 * 60;
          $date[1] = $date[1] * 60;
          $totalsecondsnow = $date[0] + $date[1] + $date[2];
          $thendate = explode(":", $row['last_activity']);
          $thendate[0] = $thendate[0] * 60 * 60;
          $thendate[1] = $thendate[1] * 60;
          $totalsecondsthen = $thendate[0] + $thendate[1] + $thendate[2];
          $totalsecondsallowed = $totalsecondsthen + 900;
          if($totalsecondsnow > $totalsecondsthen) {
              //SQLDataUpdate
              //LogoutUser
              //KillSession
          }

      Is this what you mean?
  15. Yes, I've diverted over to a point where I decided to use a whole new PHP and use the require_once function where it's needed, to check if the user is active or not. I do have a problem tho. By doing this I am unsure how to proceed. I have:

      1. Created a new check_activity.php
      2. Created a new Column called last_minute
      3. Able to insert the data of each user when they enter a page (using date('m')) which updates their last activity by Minutes by including check_activity.php
      4. Conclusion that I want to set a max 15 min timeout.
      5. I do NOT understand how the Math is meant to be for auto_logout.

          $now = date('m');
          $then = $row['last_minute'] + 15;
          if($then < $now) {
          }

      That would only work if it is between xx:01-xx:59, but if it turns into xx:59-xx:03 it won't. All I need is to understand the math, which I don't.
  16. Hi. Now I've stumbled across another issue, I'm trying to make a timed Auto-Logout script by checking if Sessions using SESS_MEMBER_ID = MySQLTableUserID is active or alive. Here's what I tried (Yes I know it's probably very wrong)

          <?php
          require_once('config.php');
          $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
          if(!$link) {
              die('Failed to connect to server: ' . mysql_error());
          }
          //Select database
          $db = mysql_select_db(DB_DATABASE);
          if(!$db) {
              die("Unable to select database");
          }
          $sql = "SELECT id FROM potatis";
          $query = mysql_query($sql);
          $rowcount = mysql_num_rows($query);
          $i = 1;
          while($row = mysql_fetch_assoc) {
              if(isset($_COOKIE['SESS_MEMBER_ID']) != $i )
              $qry = "UPDATE potatis SET connected='offline' WHERE uid='".$i . "'";
              mysql_query($qry) or die(mysql_error());
              $i = $i + 1;
          }
          ?>

      Currently, that piece of code sets EVERY user offline, regardless of them already being online. So my questions are the following:

      1. How would I fix this to ONLY update the MySQL Database Connected='offline' IF the SESSION of userID X is not active?
      2. How would I time this script properly?

      Currently only the logout.php resets a user's session and updates the database, but I wanted it to auto-log them out and auto-update the database when they close the web browser window, but that seemed a bit difficult so I wanted to try this approach, but if someone knows a neat way to do that as well, I'm game.
  17. I figured it out. Quite a silly mistake on my part, actually. But I'm new to Arrays, so meh. Basically $i was being calculated as amount of entries added to the array, while an array starts at 0 not 1, one has to include a $i = $i -1; below the while loop.
  18. Hey. I'm trying to make a simple <a href> tag to Randomly take the user to a Random image from a Random user's album. It works, in a way, but sometimes the values from the array returns as absolutely nothing, as in a NULL value, not even a '0'. Here's the code

          <?php
          $getimagecountsql = "SELECT id FROM images";
          $getimagecountquery = mysql_query($getimagecountsql);
          $getimagecountrows = mysql_num_rows($getimagecountquery);
          $getminimumsql = "SELECT MIN(id) FROM images";
          $getminimumquery = mysql_query($getminimumsql);
          $getminimumdata = mysql_fetch_assoc($getminimumquery);
          $minimum = $getminimumdata['id'];
          $randomimagearray = array();
          $i = 0;
          while($hehe = mysql_fetch_assoc($getimagecountquery)) {
              array_push($randomimagearray, $hehe['id']);
              $i = $i + 1;
          }
          $randomimage = $randomimagearray[rand(0, $i)];
          echo "RIMAGE: ".$randomimage;
          $getusersql = "SELECT albumid, uid FROM images WHERE id='".$randomimage."'";
          $getuserquery = mysql_query($getusersql) or die(mysql_error());
          $getuserdata = mysql_fetch_assoc($getuserquery);
          $uid = $getuserdata['uid'];
          $albumid = $getuserdata['albumid'];
          echo'<br>>> <a href="album/visa.php?targetid='.$getuserdata['uid'].'&albumid='.$getuserdata['albumid'].'&image='.$randomimage.'">Slumpa Bild</a>';
          echo "Användarid: " .$getuserdata['uid'];
          echo "Albumid: ". $getuserdata['albumid'];
          ?>

      Even after assigning the randomimage to take a random value between 0 and $i ($i being amount of records the array holds) it sometimes results in a null value. (So it would be value of $randomimagearray[0] or $randomimagearray[$i]) Where did I go wrong?
  19. Hi. I've established a possible SQL Injection on my site, and I'm curious as to what the best type of fix would be for it. Here's the SQL Error on the Page:

          You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.$_SESSION['SESS_MEMBER_ID'].'', 'Klotterplanket')' at line 1

      And here's the query

          $deletedmessage = $getdata['message'];
          $sql = "DELETE FROM klotterplanket WHERE id='".$_GET['id']."'";
          mysql_query($sql) or die(mysql_error());
          $sql = "INSERT INTO adminlogs(uid, name, message, vart) VALUES('".$_SESSION['SESS_MEMBER_ID']."', '$fullname', '".$deletedmessage."', 'Klotterplanket')";
          $query = mysql_query($sql) or die(mysql_error());
          if($query) {
              header("Location: klotterplank.php");
              echo '<script>alert("Meddelande Borttaget!")</script>';
          } else {
              echo '<script>alert("Något gick snett!") </script>';
              header("Location: klotterplank.php");
          }

      The Deletion part works flawlessly, since that does not include the textarea of the Form. $getdata['message'] = form textarea value. My first thought was to use str_replace on the textarea if the string contains '.$ or '. $ or ' . $ or ' .$ but I was wondering if anyone knows some better ideas?
  20. Cheers Jessica, I had forgotten to declare the $data = NULL; , silly mistake. :/
  21. Hey. I've just set up the Comment-Part of my custom-scripted Foto Album system, and it's working properly, apart from one issue which I simply cannot find in the while loop. Either it's something easy and I'm missing it or there's something hidden that I can't find. When I mean "Random 'Array' Echo" I don't mean an actual Array Printing data, what I mean is that the word 'Array' itself is printed.

      Here's what happens without a comment: http://i.imgur.com/NNbFy.png
      Here's what happens with a comment: http://i.imgur.com/16mbM.png

      And here's the code processing the Data:

          $sql = "SELECT * FROM imagecomments WHERE imageid='".$_GET['imageid']."' AND targetid='".$_GET['targetid']."' ORDER BY UNIX_TIMESTAMP(timehappen) DESC LIMIT ".$min.", ".$limit;
          $query = mysql_query( $sql );
          $rows = mysql_num_rows( $query );
          while($row = mysql_fetch_array($query)) {
              $data .= "<tr>";
              if($durp == 0) {
                  $data .= "<td class='cellone'><img src='".$row['profilepic']."' ></td>";
              } else {
                  $data .= "<td class='celltwo'><img src='".$row['profilepic']."' ></td>";
              }
              if($row['connected'] == "online") {
                  if($durp == 0) {
                      $data .= "<td class='cellone' style='max-width: 600px; overflow:auto; word-wrap:break-word;'><img src='online.png' width='5' height='5'> <a href='profile.php?uid=".$row['uid']."'>" . ucfirst($row['sender']) . "</a> - <font color='green'>". $row['timehappen'] . "</font> <br/> ".$row['message']."</td>";
                      $durp = 1;
                  } else {
                      $data .= "<td class='celltwo' style='max-width: 600px; overflow:auto; word-wrap:break-word;'><img src='online.png' width='5' height='5'> <a href='profile.php?uid=".$row['uid']."'>" . ucfirst($row['sender']) . "</a> - <font color='green'>". $row['timehappen'] . "</font> <br/> ".$row['message']."</td>";
                      $durp = 0;
                  }
              } else {
                  if($durp == 0) {
                      $data .= "<td class='cellone' style='max-width: 600px; overflow:auto; word-wrap:break-word;'><img src='offline.png' width='5' height='5'> <a href='profile.php?uid=".$row['uid']."'>" . ucfirst($row['sender']) . "</a> - <font color='red'>". $row['timehappen'] . "</font> <br/> ".$row['message']."</td>";
                      $durp = 1;
                  } else {
                      $data .= "<td class='celltwo' style='max-width: 600px; overflow:auto; word-wrap:break-word;'><img src='offline.png' width='5' height='5'> <a href='profile.php?uid=".$row['uid']."'>" . ucfirst($row['sender']) . "</a> - <font color='red'>". $row['timehappen'] . "</font> <br/> ".$row['message']."</td>";
                      $durp = 0;
                  }
              }
              $data .= "</tr>";
          }
          echo $table1_start . $table_start . $data . $table_end . $table1_end;

      I know the code itself is very sloppy, but I tend to fix that after everything's already working properly, which currently it is not. I have spent a hell of a lot of time trying to find out why it's printing the 'Array' Text/String, but I can't find it. It's evidently in the $data value but I can't find where.

      Edit: I'm also using the same Data-Printing system for the User-Individual Guestbooks & the Chat System, and they all work properly, apart from this 'Array' echoing.
  22. Issue Resolved It's simple. Don't be an idiot and try to use a Quality setting of '100' on an already high-quality format such as .PNG. No wonder the engine couldn't write the new image! Marked as Solved.
  23. It seems the issue is not resolved. If the format is .PNG the issue still keeps happening..
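
The `game.php?id=` lookup from the injection posts above, handled with strict integer validation plus a PDO prepared statement. This is an added example, not code from the forum posts; it assumes the pdo_sqlite extension and uses an in-memory SQLite table as a constructed stand-in for the MySQL `games` table, and `parse_game_id()` and `find_game()` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

/**
 * Strictly parse an ID taken from the query string (hypothetical helper).
 * Returns the integer, or null when the value is not a plain positive integer.
 * Unlike intval(), this rejects "8'" instead of silently truncating it to 8.
 */
function parse_game_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Look up one game with a prepared statement (hypothetical helper): the ID
 * travels as a bound parameter and is never concatenated into the SQL text.
 */
function find_game(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM games WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL "games" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE games (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO games (id, name) VALUES (:id, :name)');
foreach ([8 => 'Game eight', 12 => 'Game twelve'] as $gameId => $name) {
    $insert->execute([':id' => $gameId, ':name' => $name]);
}

// Constructed inputs: the two malformed values quoted in the posts plus ordinary ones.
foreach (['8', "8'", "'18", '12', '99', ''] as $raw) {
    $id = parse_game_id($raw);
    if ($id === null) {
        // Malformed input never reaches the database layer.
        $result = 'rejected (Invalid Game ID)';
    } else {
        $game = find_game($pdo, $id);
        $result = $game === null ? 'valid ID, no such game' : 'found: ' . $game['name'];
    }
    // intval() is printed alongside to show how it coerces the same input.
    printf("%-7s intval=%-3d -> %s\n", var_export($raw, true), intval($raw), $result);
}
```

With MySQL the same two functions work unchanged over a `mysql:` DSN; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.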