moosey_man1988

Well i have done a lot of reading since my first post apparently this is a bug in chrome which basically now ignores autcomplete=off, The fields aren't the same one is email and password the other is username and password. Its a really annoying bug, apparently according to google the user requirement for ignoring auto complete is a higher requirement than what developers want on their own pages. This is now working fine in all other browsers other than chrome

bump?

These guys are right that is very out of date, I would suggest trying to use PDO rather than mysql connect, for getting a users IP address you can use the $_SERVER['REMOTE_ADDR'] although i don't think this will stop someone who proxies? if ($_POST['submit'] == ' Login ')){ $usersIP = $_SERVER['REMOTE_ADDR']; //now we have the users IP we want to log this in the database $timestamp = date('Y-m-d H:i:s'); $logUserQuery = "INSERT INTO loginIP ('ip','userName','TimeStamp') VALUES(:userIP,:userName,:timestamp)"; $UserResult = $pdo_connection->prepare($logUserQuery); $UserResult->execute(array(':userIP'=>$usersIP, ':userNAme'=>$_POST['username'], ':timestamp'=>$timestamp)); }//end of if statement

Hi everyone I am building a CRM system/invoicing system in my spare time and on this system I have 2 login pages (there is a reason but its long). one for the CRM system and one for the invoicing section. They bother work perfectly well but I have a really annoying issue, If I were to store the login information to chrome passwords for example to the CRM system It would auto suggest to the other login and vice versa. This wouldn't be a problem but the CRM login is username based, the invoicing section is login by email for additional security. they're both called login.php the two files are /htdocs/login.php and /htdocs/invoicing/login.php I added a remember me cookie to the CRM system in hope that this would get around the issue but unfortunately the chrome saved information over rides this, I also tried autocomplete="off" as I am using bootstrap as a framework. How can I get around this?

Solved it by putting some javascript If statements on button click.

Hi everyone Im having a nightmare with javascript again grrrr, I'm just not great with javascript / jquery so basically I have a table with inputs to create an invoice, the reason im using javascript to post the form is because i have to allow for infinite items to be added into the database using json stringify as an array, the problem I have is im trying to force that atleast 1 item be added to the table before posting the data. I am using bootstrap and this hasn't been a problem for all of my other forms because i can just add required to the input but because i have to do this one differently using an a href button This form just wont validate (but it will post the data to the php script) so here is my code: Table with inputs: <tbody style="" class="item ui-sortable-handle"> <tr> <td rowspan="2" class="td-icon"> <i class="glyphicon glyphicon-resize-vertical cursor-move"></i> </td> <td class="td-text"> <input type="hidden" name="invoice_id" value="<?php echo $invoiceNo;?>"> <input type="hidden" name="item_id" value> <div class="input-group"> <span class="input-group-addon">Item</span> <input type="text" name="item_name" class="input-sm form-control" required> </div> </td> <td class="td-amount td-quantity"> <div class="input-group"> <span class="input-group-addon">Quantity</span> <input type="text" name="item_quantity" class="input-sm form-control amount"> </div> </td> <td class="td-amount"> <div class="input-group"> <span class="input-group-addon">Price</span> <input type="text" name="item_price" class="input-sm form-control amount"> </div> </td> <td class="td-amount"> <div class="input-group"> <span class="input-group-addon">Item Discount</span> <input type="text" name="item_discount_amount" class="input-sm form-control amount" data-toggle="tooltip" data-placement="bottom" title data-original-title="£ Per Item"> </div> </td> <td class="td-amount"> <div class="input-group"> <span class="input-group-addon">Tax Rate</span> <select name="item_tax_rate_id" class="form-control input-sm"> <?php //this section may update based upon selections but for now We have none echo "<option value='0'>None</option>"; ?> </select> </div> </td> <td class="td-icon text-right td-vert-middle"></td> </tr> <tr> <td class="td-textarea"> <div class="input-group"> <span class="input-group-addon">Description</span> <textarea name="item_description" class="input-sm form-control"></textarea> </div> </td> <td colspan="2" class="td-admount td-vert-middle"> <span>Subtotal</span> <br> <span name="subtotal" class="amount"></span> </td> <td class="td-amount td-vert-middle"> <span>Discount</span> <br> <span name="item_discount_total" class="amount"></span> </td> <td class="td-amount td-vert-middle"> <span>Tax</span> <br> <span name="item_tax_total" class="amount"></span> </td> <td class="td-amount td-vert-middle"> <span>Total</span> <br> <span name="item_total" class="amount"></span> </td> </tr> </tbody> </table> </form> </div> </div> <!-- End of items Tables--> The Save button at the top of the page before the table: <a href="#" class="btn btn-success ajax-loader" id="btn_save_invoice"> And lastly my attempt at the javascript / jquery / ajax: <script type="text/javascript"> $('#btn_save_invoice').click(function () { $('#item_form').validate({ rules: { item_name:{ required: true, message: 'This is required' } }, }); var items = []; var item_order = 1; $('table tbody.item').each(function () { var row = {}; $(this).find('input,select,textarea').each(function () { if ($(this).is(':checkbox')) { row[$(this).attr('name')] = $(this).is(':checked'); } else { row[$(this).attr('name')] = $(this).val(); } }); row['item_order'] = item_order; item_order++; items.push(row); }); $.post("<?php echo url()."Clients/invoice_ajax.php"; ?>", { invoice_id: <?php echo $invoice_id; ?>, invoice_number: $('#invoice_number').val(), invoice_date_created: $('#invoice_date_created').val(), invoice_date_due: $('#invoice_date_due').val(), invoice_status_id: $('#invoice_status_id').val(), invoice_password: $('#invoice_password').val(), items: JSON.stringify(items), invoice_discount_amount: $('#invoice_discount_amount').val(), invoice_discount_percent: $('#invoice_discount_percent').val(), invoice_terms: $('#invoice_terms').val(), custom: $('input[name^=custom]').serializeArray(), payment_method: $('#payment_method').val() }, function (data) { var response = JSON.parse(data); if (response.success == '1') { window.location = "<?php echo url()."Clients/invoice_ajax.php"; ?>/" + <?php echo $invoice_id; ?>; } else { $('#fullpage-loader').hide(); $('.control-group').removeClass('has-error'); $('div.alert[class*="alert-"]').remove(); var resp_errors = response.validation_errors, all_resp_errors = ''; for (var key in resp_errors) { $('#' + key).parent().addClass('has-error'); all_resp_errors += resp_errors[key]; } $('#invoice_form').prepend('<div class="alert alert-danger">' + all_resp_errors + '</div>'); } }); }); </script> Please bare in mind the actual posting section of the form Works perfectly! the only issue is the inputs will not validate before post. here is what the page looks like (i have highlighted the parts that I am referring to in the post: I really am thankful for all the help i get, a huge thank you in advance to anyone who helps with this.

perfect! so i can just use PHP for the command and use this javascript to keep the 2nd tab open that was simpler than i previous thought thanks guys

there is no code yet, I first need to know whether im correct in saying this needs to be jquery / ajax for it not to affect the tab on update, and I also need pointing in the right direction for something like this :± ajax and jquery are a weakness to me.

Hi Peeps So basically im creating a "customer page" i have 2 tabs, 1 is customer info which is the primary and the invoicing tab I have a date picker in the invoicing tab which im hoping will populate a table below. I tried having the form post to php but this resets the page which then goes to the customer info tab so im guessing this will have to be done with jquery and ajax. could someone please point me in the right direction to do this? here is the current page for better explanation: All help is greatly appreciated in advance Mooseh

Wow I cant believe how simple that is! haha I even wrote this a work around function usercheck($userlevel){ if ($userlevel > 3){ echo "you are authorised to be here!"; } else { $url = url(). "/dashboard.php"; die('<script type="text/javascript">window.location.href="' . $url . '?error=you are not Authorised to be here";</script>'); } } and then just called that function but i think it would be a wiser option to put the command before the header Thanks guys, sometimes it just takes a different pair of eyes to look at something differently or properly in this case

Okay which is a bit of a problem as multiple funtionc are used by the javascript in the header :| so maybe I will have to make a redirect function instead as a work around?

Hi Guys I've across an issue With my project im working on and I cannot solve it When accessing my reports page I get this: Warning: Cannot modify header information - headers already sent by (output started at /var/www/virtual/crmtech.co.uk/minicrm/htdocs/header.php:104) in I have eliminated the issues down to my javascript scripts in the header :| but I just cannot work out why it would be causing the issue. here is the header.php <?php require ('secure/session.php'); require ('Functions/functions.php'); error_reporting(E_ALL); ini_set('display_errors', 1); ?> <!DOCTYPE html> <html> <head> <!--favicon--> <link rel="icon" href="<?php echo url();?>Images/favicon.ico" type="image/x-icon" /> <!--Style Sheets--> <link rel="stylesheet" type="text/css" href="<?php echo url();?>bootstrap/css/style.css"> <link rel="stylesheet" type="text/css" href="<?php echo url();?>bootstrap/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" href="<?php echo url();?>bootstrap/css/custom.css"> <!--Script Links--> <script src="<?php echo url();?>bootstrap/js/jquery/jquery.js"></script> <script src="<?php echo url();?>bootstrap/js/bootstrap.min.js"></script> <script src="<?php echo url();?>bootstrap/js/typeahead/typeahead.js"></script> <script src="<?php echo url();?>bootstrap/js/bootstrap-datepicker/bootstrap-datepicker.js"></script> <!-- For Displaying Modals--> <script type="text/javascript"> $(".btn-group").find(':input:checked').parent('.btn').addClass('active'); </script> <!--This is the datepicker --> <script type="text/javascript"> $('.datepicker').datepicker({ format: 'mm/dd/yyyy', startDate: '-3d' }) </script> <!--lets use the better to typeahead for search forms --> <script type="text/javascript"> $(function (){ $("#typeaheadCust").typeahead({ source: function(customer, process) { $.ajax({ url: '<?php echo url();?>Functions/Getter.php', type: 'POST', data: 'customer=' + customer, dataType: 'JSON', async: true, success: function(data) { process(data); } }); } }); }); </script> and here is the my reporting/main.php page <?php //this is going to be the main section for reporting include('../header.php'); //lets check the user is authorised to be here! if ($userLevel > 3){ echo "you are authorised to be here!"; } else { echo "you are not allowed here naughty!"; //sleep(10); echo "lets send you here ". SERVER_PATH; header('Location: ../index.php'); } ?> here is the page result, sorry i had to delete the server path Any help would be massively appreciated Thanks!

Hi guys, thanks for an excellent answer I will work on a new process as it all makes complete sense p.s there is a I forgot my password procedure

Resolved it... Face palming right now Used the $bantime variable twice which was screwing things up changed the first query to have the row as $currentBantime which worked...

Hi Everyone So I've been recently working on a script which will store login IP's and ban them on failed attempts Although I have a little problem, for some reason it doesnt redirect to the banned page when they should be, unless there is a successful login or if they come off of the login page so they can keep bruteforcing as much as they like all the time they stay on that page. Have i got something wrong? please bear in mind I haven't put in place when login successful remove the warnings count. here is the login.php <!DOCTYPE html> <?php require ('../Functions/functions.php'); require('../database/pdo_connection.php'); //first lets get the IP that logged in $login_ip = $_SERVER['REMOTE_ADDR']; securityBanCheck($login_ip); if (isset($_POST['Login'])) { //Set session timeout to 2 weeks session_set_cookie_params(1*7*24*60*60); session_start(); $error=''; // Currently A Blank Error Message $username=$_POST['userName']; //Grab the hash $selectPasswordHash = "SELECT username,secret FROM MC_users WHERE email=email=:username OR username=:username"; $hashresult= $pdo->prepare($selectPasswordHash); $hashresult->bindParam(':username', $username); $hashresult->execute(); $row = $hashresult->fetch(PDO::FETCH_ASSOC); $hash = $row['secret']; //got the hash //lets verify it if (password_verify($_POST['password'],$hash) === true){ //login correct $login_user = $row['username']; //Set the Session $_SESSION['login_user']=$login_user; // Redirect to dashboard.php header ("Location: ../dashboard.php"); } else { $error = 'Username or Password in invalid'; $error2 = 'Try Logging in with your email instead'; //Bruteforce Detection //lets check if there is already warnings $checkWarnings = "SELECT Warning_count FROM MC_login_security WHERE Warning_count > 0 AND Login_IP=:loginIP ORDER BY Timestamp DESC"; $warningsResult = $pdo->prepare($checkWarnings); $warningsResult->bindParam(':loginIP',$login_ip); $warningsResult->execute(); $warningAmount = 1; $banTime = 0; if ($warningsResult->rowCount() > 0){ $warningRow = $warningsResult->fetch(PDO::FETCH_ASSOC); $warningRowCount = $warningRow['Warning_count']; $warningAmount = $warningRowCount + 1; securityBanCheck($login_ip); } //Lets log this in the DB $insertWarning = "INSERT INTO MC_login_security (Login_user_name,Login_IP,Warning_count,timestamp) VALUES (:loginUser,:Login_ip,:warningAmount,:dateToday)"; $insertResult = $pdo->prepare($insertWarning); $insertResult->execute(array(':loginUser'=>$username, ':Login_ip'=>$login_ip, ':warningAmount'=>$warningAmount, ':dateToday'=>date('Y-m-d H:i:s'))); } } //Lastly if the user is logged in, point them back to the Dashboard if(isset($_SESSION['login_user'])){ header("location: ../dashboard.php");} ?> the security check function which is called at the start of the login page AND if the password is entered incorrectly function securityBanCheck($login_ip){ //call the url function for redirects url(); $todaysDate = date('Y-m-d H:i:s'); require (PHP_PATH .'/database/pdo_connection.php'); $checkBan = "SELECT Warning_count,Timestamp,Ban_time FROM MC_login_security WHERE Warning_count > 4 AND Login_IP=:loginIP ORDER BY Timestamp DESC"; $checkResult = $pdo->prepare($checkBan); $checkResult->bindParam(':loginIP',$login_ip); $checkResult->execute(); if ($checkResult->rowCount() > 0){ $banRow = $checkResult->fetch(PDO::FETCH_ASSOC); $warningCount = $banRow['Warning_count']; $timeStamp = $banRow['Timestamp']; $bantime = $banRow['Ban_time']; echo "did we get here?"; //if theyre banned direct them to the banned page and stop this script from going any further if ($bantime > $todaysDate){ header('Location: '. SERVER_PATH .'banned.php'); die(); } //if theyre currently not banned check their warnings and if needed add a ban. if ($warningCount == 4){ $bantime = date('Y-m-d H:i:s', strtotime($timeStamp . '+1 hour')); echo $bantime; }elseif ($warningCount == 9){ $bantime = date('Y-m-d H:i:s', strtotime($timeStamp . '+1 day')); }elseif ($warningCount == 14){ $bantime = date('Y-m-d H:i:s', strtotime($timeStamp . '+1 month')); } //ultimately if we got to this stage we would be adding a ban $insertBanTime = "UPDATE MC_login_security SET Ban_time = :banTime WHERE Login_IP = :loginIP ORDER BY Timestamp DESC"; $banResult = $pdo->prepare($insertBanTime); $banResult->execute(array(':banTime'=>$bantime, ':loginIP'=>$login_ip));; } } Any help given is greatly appreciated and i thank everyone in advance for all the support I get form this amazing forum. thanks Mooseh

Hi Muddy thanks for that, but i do need some of the data so maybe i will limit it down, each user that logs in have a "loginLevel" which is in the session restricting or allowing them to certain area's. Thank you everyone for your help I will like all the answers and mark then best on who was straight to the point Thank you

Ah! I see! thanks guys i'll fix that up right away

Hi Psycho yep don't worry that's already been done in my connection php file okay because of the security issue with MD5 I've re written a couple of pages how does this look? <?php //This section is for adding a new user if (isset($_POST['NewUserSubmit'])){ //lets get the POST information $firstname = $_POST['FName']; $LastName = $_POST['LName']; $email = $_POST['EmailAddress']; $password = $_POST['Password']; $ContactNo = $_POST['ContactNumber']; $userLevel = $_POST['userLevel']; $userName = $firstname.".".$LastName; //change the password to MD5 $password = password_hash($password,PASSWORD_DEFAULT); // okay lets see if the user exists $selectUserName = "SELECT * FROM MC_users WHERE username=:userName"; $selectResult = $pdo->prepare($selectUserName); $selectResult->bindParam(':userName',$userName); $selectResult->execute(); //is this username already exists tell them! if ($selectResult->rowCount() > 0){ echo "<div class='alert alert-danger fade in'><strong> This user Already Exists please try a different user First and Last Name</strong><button class='close' data-dismiss='alert' aria-label='dismiss'</button>dismiss</div>"; } else {//else create the user // This worked so lets place the variables into the database/mysqli_connection $insertUserQuery = "INSERT INTO MC_users (firstname,lastname,username,secret,userLevel,email,contact) VALUES (:firstname,:LastName,:userName,:password,:userLevel,:email,:ContactNo)"; $Result = $pdo->prepare($insertUserQuery); if ($Result->execute(array(':firstname'=>$firstname, ':LastName'=>$LastName, ':userName'=>$userName, ':password'=>$password, ':userLevel'=>$userLevel, ':email'=>$email, ':ContactNo'=>$ContactNo ))){ echo "<div class='alert alert-success fade in'><strong>User ".$userName." has been created</strong><button class='close' data-dismiss='alert' aria-label='dismiss'</button>dismiss</div>"; } } } ?> And the new login page to support this, it is all functional But I'd prefer to know its secure <?php require ('../Functions/functions.php'); require('../database/pdo_connection.php'); if (isset($_POST['Login'])) { //Set session timeout to 2 weeks session_set_cookie_params(1*7*24*60*60); session_start(); $error=''; // Currently A Blank Error Message $username=$_POST['userName']; //Grab the hash $selectPasswordHash = "SELECT username,secret FROM MC_users WHERE email=email=:username OR username=:username"; $hashresult= $pdo->prepare($selectPasswordHash); $hashresult->bindParam(':username', $username); $hashresult->execute(); $row = $hashresult->fetch(PDO::FETCH_ASSOC); $hash = $row['secret']; //got the hash //lets verify it if (password_verify($_POST['password'],$hash) === true){ //login correct $login_user = $row['username']; //Set the Session $_SESSION['login_user']=$login_user; // Redirect to dashboard.php header ("Location: ../dashboard.php"); } else { $error = 'Username or Password in invalid'; $error2 = 'Try Logging in with your email instead'; } } //Lastly if the user is logged in, point them back to the Dashboard if(isset($_SESSION['login_user'])){ header("location: ../dashboard.php");} ?> Thanks everyone, I really am very grateful for all of the help given

Firstly I'd like to say thank you for all your comments, I know there is a lot to be improved in this code I'll try break this down a bit Jacques:- The database has a unique key on the username, so if it fails it will tell you due to the database query failure. I've done pretty much exactly what you just said Jacques thankfully my sql understanding is better than my php, Ch0cu3r / maxxd: - Thank you for the comment on the first bit, I am facepalming as to why i didnt bind the username to a placeholder aswell... Muddy :- For md5 i'll explain below, . Also This "Needs" to have a unique username in order for me to do that I must select whats already there surely not, if not show me some magic . Just to explain I am quite newbie to php, In order for me to provide "secure" code, I must understand it before hence why this is a dev project sitting in a little box unknown to the world lol . The functionality of the query itself is not a problem, I understand MD5 is pretty much obsolete, Im looking to swap this login at some point to "salt?". But one thing at a time, Learning in my books is done in small steps, once each step is complete, I hope to end up with completely Accurate code from beginning to end of a script I just want to say again thank you to everyone for your quick responses and accurate answers, I love this forum and its community which has provided me with so much help from day one.

Hi guys I've been working on a project for a while now, after getting everything functional so far, i decided its time to start locking the system down, and my first task is SQL injection prevention I really am having a hard time understand the whole sql injection thing, im pretty sure it where someone can manipulate the query so they can steal information from the Database? I followed a guide but i want to be sure for my first query, Is this SQL injection proof? <?php //This section is for adding a new user if (isset($_POST['NewUserSubmit'])){ //lets get the POST information $firstname = $_POST['FName']; $LastName = $_POST['LName']; $email = $_POST['EmailAddress']; $password = $_POST['Password']; $ContactNo = $_POST['ContactNumber']; $userLevel = $_POST['userLevel']; $userName = $firstname.".".$LastName; //change the password to MD5 $password = md5($password); // okay lets see if the user exists $selectUserName = "SELECT * FROM MC_users WHERE username='".$userName."'"; $selectResult = $pdo->prepare($selectUserName); $selectResult->execute(); //is this username already exists tell them! if ($selectResult->rowCount() > 0){ echo "<div class='alert alert-danger fade in'><strong> This user Already Exists please try a different user First and Last Name</strong><button class='close' data-dismiss='alert' aria-label='dismiss'</button>dismiss</div>"; } else {//else create the user // This worked so lets place the variables into the pdo query using an array $insertUserQuery = "INSERT INTO MC_users (firstname,lastname,username,secret,userLevel,email,contact) VALUES (:firstname,:LastName,:userName,:password,:userLevel,:email,:ContactNo)"; $Result = $pdo->prepare($insertUserQuery); if ($Result->execute(array(':firstname'=>$firstname, ':LastName'=>$LastName, ':userName'=>$userName, ':password'=>$password, ':userLevel'=>$userLevel, ':email'=>$email, ':ContactNo'=>$ContactNo ))){ echo "<div class='alert alert-success fade in'><strong>User ".$userName." has been created</strong><button class='close' data-dismiss='alert' aria-label='dismiss'</button>dismiss</div>"; } } } ?> any help is greatly appreciated And i thank everyone in advance for your help. Mooseh Man

Hi Everyone I'm currently working on a project and im wondering on the costs of security testing my system? This will probably be a combination of brute force logging in and SQL injections, its only a small system at the moment but in the very near future i am going to need someone to do this for me. and probably with each update i make to the system. Thanks in advance

Hi QuickOldCar thanks for the response, I am using this function function url(){ return sprintf( "%s://%s/", isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ? 'https' : 'http', $_SERVER['SERVER_ADDR'] //$_SERVER['SERVER_ADDR'] ); } But i have to call the functions php before i can use it lol

okay thats great! you have confirmed my little lightbulb i had in the pub this evening lol. could you give me an example for the scenario i displayed above? some things i hav a bit of a mental block on :|

Hi Everyone i know this is a bit basic, but I have been working on a project and to tidy things up i have been placing them in directories. my problem is I need to know how to plan this so i dont need to call an "include" or "require" in every page. as it gets difficult when you are going back a directory and then into another directory for example: in the html folder I have index.php sessions/login.php functions/functions.php index.php can all the functions via "include ('functions/functions.php'); but if we need the login.php to require functions it needs to be ('../functions/functions.php'); this can sometimes having something like a header.php in every page as it would call the script wrong directory. would some be able to help so that i either don't need to include a script on every page, or maybe i can define functions that are a constant? please let me now if this makes no sense! as ts a little difficult to explain. Thanks in advance for any help given <3

Hi There 0x00, thanks for the reply it was perfect,Although im using bootstrap so i got away with using typeahead so some of the work was already done for me