tryingtolearn

Everything posted by tryingtolearn

  1. Add names to your form fields, not id (otherwise they will be blank), also to the submit button:

     <input type="text" class="form-control" name="name" placeholder="Name">
     <label for="Email">Your Email</label>
     <input type="Email" class="form-control" name="email" placeholder="Email">
     <label for="Message">Message</label>
     <textarea class="form-control" name="message" placeholder="Message"></textarea>
     <button type="submit" name="submit" value="Send">Send</button>
  2. Interesting. So something prevents the index from working automatically the way it should. I had to actually add USE INDEX and set a WHERE clause to get it to go through. (Assuming the id index is named PRIMARY.)

     mysqli_report(MYSQLI_REPORT_ALL);
     try {
         $res = $db->query("SELECT id, name FROM tablea USE INDEX(PRIMARY) WHERE id > 0");
         if ($res) {
             while (list($i, $n) = $res->fetch_row()) {
                 echo "$i, $n<br>";
             }
         }
     } catch (Exception $e) {
         echo "Error: " . $e->getMessage();
     }
  3. Good if that works. Setting it to all - I wouldn't call that a problem though. If used, it could be beneficial. Catch those exceptions and set up some custom error handling and you can be notified of potential problems; it can really help in the long run. Just my 2 cents...
  4. It could be. Since mysql throws tons of warnings, setting the report to report all but not catching those warnings changes them to fatal errors. Put it in a try/catch block and it should no longer throw a fatal error. Just a thought.
  5. Thanks JackTheRipper. Yes, all the "standard" checks are being done. I was mainly concerned with code being inserted in an image and then being executed, not a script loaded as an image. Poor choice of a title on my part. I appreciate the input.
  6. The function works when I test it, so the only thing we don't see is how you are calling the function. Are you getting anything with //var_dump($kataloski_broj); uncommented? At least array(0) {} or something like that?
  7. Good to know and thanks for the test. (That's what I was trying to do but couldn't seem to make it work - shameful!!) I appreciate it.
  8. Thanks scootstah. I was under the impression that the executable files could be placed in the image while leaving a valid mime type. I'll look into that but not sure how that will tell me if something is present. Yes, I will disable script execution. I was just wondering if there was a way to eliminate the file altogether if present by recreating the image. Don't know enough about it to build a legitimate defense to it so just trying to get more informed. Thanks again.
  9. Which message is getting echoed out? Invalid cookie?

     if (filter_var($_COOKIE["person"], FILTER_VALIDATE_INT)) {

     I don't think that is going to work for you, cookies will return string data type.
  10. Hi all, I am building a tinymce image management plugin for a group. I'm trying to minimize the risks as much as possible with their current setup - no database, no access outside their folder, etc... But reading through the different topics I read a few posts about scripts being added inside the images that can be executed once the image is called. Now, my "hacking skills" must not be up to par because I tried doing this on my own just to test and I can't seem to make it work... so my question is: will uploading and resizing the image with imagecopyresampled or something reduce/remove the threat? Not exactly sure how the "malicious" scripts are carried and then executed. Thanks for any info you may be able to provide. (I have read a lot of threads in the forum on upload security and there seem to be a few different thoughts that differ - so I'm not trying to start a debate on that! Just curious about the "Hidden File" issue.)
  11. OK, I'm curious - what is it supposed to do? I see it resulting in this:

     Array ( [foo1] => bar1 [foo2] => bar2 )
  12. Good point, it is a bit more with the string functions.

     <?php
     //$string = 'My dogcat is cool'; //(becomes My animal is cool)
     //$string = 'Wonderfuldogcatandappleappleapplecatcatcat'; //(becomes Wonderfulanimal)
     //$string = 'dog cat'; //(becomes animal)
     //$string = 'dogcatdogcatdogcatdogcatdogcatdog'; //(becomes animaldog)
     //$string = 'catdogcatdogcatdogcatdogcatdogcatdog'; //(becomes animaldog)
     //$string = 'cat cat cat';
     $string = 'cat dog dog cat dog';
     $start = "dog";
     $stop = "cat";
     $replace = "animal";
     //get Start Position (first "dog")
     $startPos = stripos($string, $start);
     //get Stop Position (last "cat")
     $stopPos = strripos($string, $stop);
     if ($stopPos === false || $startPos === false || $stopPos < $startPos) {
         echo "Sorry, we couldn't find a string to replace!<br /> $string";
     } else {
         //length of the span to replace: from the first "dog" through the end of the last "cat"
         echo substr_replace($string, $replace, $startPos, ($stopPos + strlen($stop)) - $startPos) . "<br />\n";
     }
     ?>

     If it can be done w/ string functions I tend to lean that way. Guess it's the intimidation factor.
  13. Didn't even think of using regular expressions for the example posted. Seemed a straightforward use for the functions I listed.
  14. Guess you are right, missed that in the title...
  15. Yes I can see that. Lots of factors will play in your mail getting sent to a junk folder, most of which are out of your control. Just wanted to see if you got the same result with a basic mail() setup. You know - sort of like a place to start trying to track down a problem.
     Maybe your server is blacklisted
     Maybe your IP is blacklisted
     Maybe it's a dynamic IP address
     Could be a problem with the DNS record
     etc...
     You can read about SPF records in cPanel under email authentication.
  16. Did you try the example I posted in #3 above? What was the result from that? Did it get delivered or sent to junk mail?
  17. Your goal actually spells it all out for you!
     beginning with the first instance of "dog" = stripos [Find the position of the first occurrence of a case-insensitive substring in a string]
     the last instance of "cat" = strripos [Find the position of the last occurrence of a case-insensitive substring in a string]
     replace anything ... with the word "animal." = substr_replace [Replace text within a portion of a string]
     I would also look into strlen when you get to strripos.
  18. It won't be easy for anyone without seeing all the code. Is the field_3 value supposed to be the abbreviation? What is getting passed for the value now? Probably need to see the phpfmg_hsc() function and the form processing part of your code. When you post it, put the code in the code tags (<> symbol in the editor toolbar).
  19. If you try using mail() does it give the same result? Here is a basic example from the manual. (Just change the $to and header addresses.)

     <?php
     $to = '[email protected]';
     $subject = 'the subject';
     $message = 'hello';
     $headers = 'From: [email protected]' . "\r\n" .
         'Reply-To: [email protected]' . "\r\n" .
         'X-Mailer: PHP/' . phpversion();
     mail($to, $subject, $message, $headers);
     ?>
  20. Check the headers on the message and take a look at Return-Path: and From: - are they the same domain names or different? Also, what does it say by Received-SPF?
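The header check described in posts #15 and #20 can be automated. The following is an added example, not code from tryingtolearn or from this thread: it unfolds a raw header block, extracts the domain from Return-Path and From, and reads the result token from Received-SPF. The function names (parse_headers, address_domain, check_sender_alignment) and the sample header block are constructed for this example.

```php
<?php
// Added example (not from the thread): compare Return-Path and From domains
// and read the Received-SPF verdict from a raw header block.

function parse_headers(string $raw): array
{
    $headers = [];
    // Unfold continuation lines (a line starting with whitespace belongs to the previous header).
    $raw = preg_replace("/\r?\n[ \t]+/", ' ', $raw);
    foreach (preg_split("/\r?\n/", trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

function address_domain(string $value): ?string
{
    // Accept "Name <user@host>", "<user@host>" or a bare user@host.
    if (preg_match('/<([^>]+)>/', $value, $m)) {
        $value = $m[1];
    }
    $at = strrpos($value, '@');
    return $at === false ? null : strtolower(substr($value, $at + 1));
}

function check_sender_alignment(string $rawHeaders): array
{
    $h = parse_headers($rawHeaders);
    $fromDomain   = isset($h['from']) ? address_domain($h['from']) : null;
    $returnDomain = isset($h['return-path']) ? address_domain($h['return-path']) : null;

    // Received-SPF starts with the result token: pass, fail, softfail, neutral, none, ...
    $spf = 'none';
    if (isset($h['received-spf']) && preg_match('/^(\w+)/', $h['received-spf'], $m)) {
        $spf = strtolower($m[1]);
    }

    return [
        'from_domain'   => $fromDomain,
        'return_domain' => $returnDomain,
        'aligned'       => $fromDomain !== null && $fromDomain === $returnDomain,
        'spf'           => $spf,
    ];
}

// Constructed sample: the envelope sender is the hosting server, not the From domain,
// and the SPF check softfails. A mailbox provider will often treat this as junk.
$sample = "Return-Path: <bounce@shared-host.example>\r\n"
        . "Received-SPF: softfail (domain of shared-host.example does not designate\r\n"
        . " 192.0.2.10 as permitted sender)\r\n"
        . "From: Web Form <forms@example.org>\r\n"
        . "Subject: test\r\n";

print_r(check_sender_alignment($sample));
// from_domain => example.org, return_domain => shared-host.example, aligned => false, spf => softfail
```

If aligned comes back false, the fix is on the sending side: set the envelope sender (the fifth mail() parameter, -f, or your MTA's configuration) to an address in the From domain, and publish an SPF record for that domain that lists the sending server.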
  21. Yes, it would work. It will simply display the blank page in the viewer's browser instead of the file directory of that folder.
  22. Are you looking for a way to prevent the folder list from appearing in the browser if someone types in a direct url to a plugin folder or include folder? Yes, you can just add a blank file called index.php and it will load instead of the folder list. The //silence is golden part is not needed. There may be more sophisticated ways of doing it but a blank file will work if it's called index.
  23. Are they files created on your site? like a .csv or .txt and there are extra lines inside the file?
  24. Your img tag also is missing the opening ' and closing ':

     <?php echo images/advisory/'.$row["ad_img"].'; ?>

     Maybe try:

     <?php echo '/images/advisory/'.$row['ad_img']; ?>

     View the output source and see what you are getting as the image path. Might be a good place to start tracking the problem.
  25. It is, and yes, you have to make it functional. I would do something like this: create an array to hold error messages (since you could possibly have two - 1 for a wrong extension and 1 for a file that's too large), then check to make sure the file meets the criteria.

     $errors = array(); //make an array to hold error messages
     $maxsize = 100000; //set your max upload size
     $allowedExts = array('jpg', 'jpeg', 'png', 'gif'); //extensions you accept (defined here so the snippet runs)
     $extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
     if ($_FILES['file']['size'] > $maxsize) {
         $errors[] = 'Error - File must be less than xx megabytes.';
     }
     if (!in_array($extension, $allowedExts)) {
         $errors[] = 'Error - Invalid File Name';
     }
     if (count($errors) === 0) {
         //process your file upload here
     } else {
         foreach ($errors as $error) {
             echo ''.$error.'<br />';
         }
     }
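Posts #8, #10 and #25 together describe the defensive approach for image uploads: check size and type, disable script execution in the upload folder, and rebuild the image so that anything that is not pixel data is discarded. The following is an added example, not code from tryingtolearn or from this thread, that puts those pieces in one function. It assumes the GD and fileinfo extensions are loaded; the function name validate_and_reencode_image and the error strings are constructed for this example.

```php
<?php
// Added example (not from the thread). Validates an upload from a $_FILES entry and
// re-encodes it through GD. Because only the decoded pixels are copied into a fresh
// canvas, data appended after the image, or hidden in EXIF/comment fields, does not
// survive into the stored file. Assumes ext/gd and ext/fileinfo are available.

function validate_and_reencode_image(array $file, string $destDir, int $maxBytes = 1000000): array
{
    $errors  = [];
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return [['Error - Upload failed.'], null];
    }
    if ($file['size'] > $maxBytes) {
        $errors[] = 'Error - File is too large.';
    }

    // Never trust the client-supplied name, extension or Content-Type: sniff the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        $errors[] = 'Error - Invalid file type.';
    }
    if (count($errors) > 0) {
        return [$errors, null];
    }

    // Decode the pixel data. Anything GD cannot parse as an image is rejected here.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        return [['Error - Not a valid image.'], null];
    }

    // Copy into a new canvas of the same size. Only pixels survive this step;
    // imagecopyresampled at the same dimensions is the "resize" the question asks about.
    $w   = imagesx($src);
    $h   = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    if ($mime !== 'image/jpeg') {
        // Preserve transparency for PNG and GIF.
        imagealphablending($dst, false);
        imagesavealpha($dst, true);
    }
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, $w, $h);
    imagedestroy($src);

    // Server-chosen filename and extension, never derived from the upload's own name.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $path = rtrim($destDir, '/') . '/' . $name;

    switch ($mime) {
        case 'image/jpeg': $ok = imagejpeg($dst, $path, 85); break;
        case 'image/png':  $ok = imagepng($dst, $path);      break;
        default:           $ok = imagegif($dst, $path);      break;
    }
    imagedestroy($dst);

    if (!$ok) {
        return [['Error - Could not write image.'], null];
    }
    return [[], $path];
}

// Usage (hypothetical upload directory):
// [$errors, $savedPath] = validate_and_reencode_image($_FILES['file'], __DIR__ . '/uploads');
// if ($errors) {
//     foreach ($errors as $error) { echo htmlspecialchars($error) . '<br />'; }
// } else {
//     echo 'Stored as ' . htmlspecialchars(basename($savedPath));
// }
```

Re-encoding complements, rather than replaces, the step from post #8: the upload directory should still have script execution disabled on the web server, so that a file which somehow keeps a .php extension or is re-interpreted by a misconfigured handler is served as static content only. Note that the GD round trip drops GIF animation and all metadata, which is the intended effect here.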