secweb

Posts posted by secweb

  1. It's on my list of things to do...

     

    But from a quick search, everybody else seems to always pass 7 arguments whereas you have 6; I dunno if that's the issue or not though.

     

    http://stackoverflow.com/questions/13407085/how-do-you-make-a-table-like-this-with-fpdf-using-php

    http://www.fpdf.org/en/script/

     

    Then again, in the docs this line is commented:

     

    // Move to 8 cm to the right
    $pdf->Cell(80);
    

    http://www.fpdf.org/en/doc/cell.htm

     

     

    But then again, your header has different widths than the following cells?

  2. You're still using the session stuff; the IPN backend process will have a separate session, so all this will be in error.

     

    So at the top of your code it looks like this:

     

    $account = $_SESSION["acc"];
    if ($_SERVER['REQUEST_METHOD'] == "POST")
    {
        if ($account == "111111" || $account == "1")
            { $error='Dla bezpieczeństwa ten numer jest zablokowany!';    }
        elseif (empty($account))
            { $error='Podaj Numer Konta!'; }
        elseif (!is_numeric($account))
            { $error='Numer konta może składać się wyłącznie z cyfr!'; }
        if (empty($error))
            {$query=mysql_query('SELECT * FROM accounts WHERE (id = '.$account.')');
                if (mysql_num_rows($query) == 0)
                    {$error= "Numer nie istnieje";}
            }

        $query2 = mysql_query("SELECT `bonus` FROM `accounts` WHERE (`id` = '$account') ") or die(mysql_error());

        ...
    

     

    On my test server here if I try to access a non-existent $_SESSION variable I get an error printed to screen; in your case that'll break the whole process because it's sending output back to PayPal that it isn't expecting, so they won't then confirm it.

     

    $account = $_SESSION["acc"];
    

     

     

    When I did this I made a new database table that I dumped feedback to, or in the PayPal example I believe they log to a file.

  3. For my purposes hidden files are fine and allowed, also dot n double dot are handled elsewhere (and in my file manager are actually used).

     

    I like your name list, I will really look into that, but other checks are made as parsing the potential list which filter out empties and such.

     

     

    I'm hearing you on the passwords and will change it.

     

     

    All the tests are in a single function because this is part of a larger chain (form class, custom $_REQUEST wrapper), so in many cases the logic of deciding which test would be replicated elsewhere. I do however have the intent to change the strings to some form of enum, either via a class with constants or using defines (messy).

     

     

    Thank you

  4. mysqli_result Object ( [current_field] => 0 [field_count] => 1 [lengths] => [num_rows] => 0 [type] => 0 )

     

    To me this is saying it's finding no results for the query...

     

    I'm of the type who doesn't like using PHP objects in strings... so the following looks odd to me:

     

    $sql2 = "SELECT O_ID FROM owners WHERE name = '$_POST[name]'";
    

    The string 'name' is a string to me and should be quoted as such... but I will yield to wiser users. Try instead:

    $sql2 = "SELECT O_ID FROM owners WHERE name = '".$_POST['name']."'";
    

     

    If still no joy, try echoing out $_POST['name'] to check if it's what is expected...

  5. Try changing it to how you do it above...?

     

     

    $sql2 = "SELECT O_ID FROM owners WHERE name = '$_POST[name]'";
    $result1 = mysqli_query($conn , $sql2);
    if ($result1==false) {
        die("failed".$conn->error);
    }
    $row = mysqli_fetch_array($result1);
    $own = $row['O_ID'];
    
  6. The results returned from the following aren't single variables but a mysql result:

    $sql2 = "SELECT Owner_ID FROM owners WHERE name = $_POST[آName]";
    $sql3 = "SELECT Pr_ID FROM property WHERE PR_num = $_POST[PR_num]";
    $own = mysqli_query($conn , $sql2);
    $pro= mysqli_query($conn , $sql3);
    

    Here's the manual: http://php.net/manual/en/mysqli.query.php

     

    First you need to get the result array:

    $result = mysqli_query($conn , $sql2);
    $row = $result->fetch_object();
    

    And then you can access the variable(s):

    $own=$row->Owner_ID;
    

    Or something like that lol, so long since I've not used my wrapper class
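    Added example, not code from this thread or from the person asking: the owner and property lookups discussed in the posts above done with mysqli prepared statements, so the submitted form value is bound as data and never spliced into the SQL text. Table and column names are the ones quoted in the posts; host, credentials and database name are placeholders, and fetch_id() is a hypothetical helper.

```php
<?php
// Added example, not code from the thread: the owner / property lookups above done
// with mysqli prepared statements. Table and column names are the ones quoted in the
// posts; host, credentials and database name are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // failures throw mysqli_sql_exception
$conn = new mysqli('db-host', 'db-user', 'db-password', 'db-name');
$conn->set_charset('utf8mb4');

// Run a one-column, one-row lookup with a single bound string parameter.
// Returns the integer value, or null when the query matches no row
// (the "[num_rows] => 0" result object shown above).
function fetch_id(mysqli $conn, string $sql, string $param): ?int {
    $stmt = $conn->prepare($sql);       // SQL text is fixed; the value never becomes part of it
    $stmt->bind_param('s', $param);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();            // true when a row was read, null when there is none
    $stmt->close();
    return $found === true ? (int) $id : null;
}

// The two lookups from the thread, with the form fields read explicitly.
$name  = $_POST['name']   ?? '';
$prNum = $_POST['PR_num'] ?? '';

$own = fetch_id($conn, 'SELECT O_ID FROM owners WHERE name = ?', $name);
$pro = fetch_id($conn, 'SELECT Pr_ID FROM property WHERE PR_num = ?', $prNum);

if ($own === null || $pro === null) {
    // A missing owner or property is an input problem, not a database error,
    // so report it without echoing the SQL or the submitted value back.
    http_response_code(404);
    exit('owner or property not found');
}
echo 'O_ID: ', $own, ' Pr_ID: ', $pro;
```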

  7. Just put into practice and I got issues, mainly because I don't use a schema on my links (http / https). So after rawurlencode did its thing, it then treats the link as relative rather than absolute.

     

     

    return htmlspecialchars($link."?".http_build_query($args), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    
  8. Oh and here's how I called that:

     

    function cron_e($mins,$hours,$days,$months,$weekday,$path){
        return array('mins'=>$mins,'hours'=>$hours,'days'=>$days,'months'=>$months,'weekday'=>$weekday,'path'=>$path);
    }
    
    $a=array();
    $a[]=cron_e("*","*","*","*","*","/usr/bin/php /var/www/html/tuts/php/cron/handler.php");
    //echo $a[0]['mins']."<br />";
    cron_manage($a);
    

     

    From looking you'll want to change the "/usr/bin/php /var/www/html/tuts/php/cron/handler.php" to, well whatever / however you want to call your script (i.e. it doesn't need to be on a server, or even PHP)

  9. Since it's a local server you could set the cron job manually once and then that'll just use (say) wget to call a page on the server which would do its job.

     

    As for crontab details it all depends on what OS you're using.

     

     

     

    Incorporating crontab into your website, when I last looked I gave up and wrote my own I think. It went something like using exec() to call crontab without arguments, grabbing the output, then passing it back again with my stuff appended within some special comments that I could grep next time.

     

    My lunch is over so here's what I can see as the main test function I did... and it appears I wrote the data to a tempfile and passed that to crontab:

     

    function cron_manage($a){
        //    READ EXISTING CONTENTS
        $orig=shell_exec('crontab -l');
        
        //    CHECK FOR OUR TAG & STRIP OUT
        $orig=preg_replace('/#RXCMS_START(.*)#RXCMS_END\n/is', "",$orig);
        
        //    PREPARE OUR STATEMENTS
        $s="#RXCMS_START".PHP_EOL;
        foreach($a as $e){
            $s.="".$e['mins']." ".$e['hours']." ".$e['days']." ".$e['months']." ".$e['weekday']." ".$e['path']." ".PHP_EOL;
        }
        $s.="#RXCMS_END";
        
        //    APPEND
        $s=$orig.$s;
        
        //    WRITE TO TEMP & EXECUTE CRONTAB
        $fn='/tmp/crontab.txt';
        if(file_put_contents($fn, $s.PHP_EOL)===false){
            echo "write failed<br />";
        }else{
            echo exec('crontab '.$fn);
        }
    }
    
  10. Thank you

     

     

    So here's my new wrapper function and tests:

     

    if(count($_GET)>0){
        foreach($_GET as $k=>$v){
            echo "GET['".$k."']: ".$v."<br />";
            //echo "GET['".$k."']: ".urldecode($v)."<br />";
        }
    }
    
    $link="test3.php";
    
    echo "<br /><br />";
    echo "<a href='".rx_url("")."'>test 1</a><br />";
    echo "<a href='".rx_url($link)."'>test 2</a><br />";
    echo "<a href='".rx_url($link,array("one","two"))."'>test 3</a><br />";
    echo "<a href='".rx_url($link,array("one"=>"a's","two"=>"b"))."'>test 4</a><br />";
    echo "<a href='".rx_url("",array("one"=>"a's","two"=>"b"))."'>test 5</a><br />";
    echo "<a href='".rx_url("",array("one"=>"a's","two"=>null))."'>test 6</a><br />";
    echo "<a href='".rx_url("",array("one"=>"a's","two"=>array(1,2,3)))."'>test 7</a><br />";
    
    echo "<br /><br />";
    
    
    function rx_url($link,$args=array()){
        return htmlspecialchars(rawurlencode($link)."?".http_build_query($args), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
    

     

    Not that it matters to me really but test 7 fails even though there is an example on the manual page of a similar nature. I did also try with a prefix too.

     

     

     

     

    Oh, again, it appears you don't have to use urldecode() and that it's handled automatically, is that true for all instances or just my install?

  11. How are new files uploaded? If via PHP then update as and when...

     

    If not then you may want to set up a "cron" (crontab) to call a page script which checks the directory.

     

    Or, as an RSS request is made do the check? (If the request to update ratio leans towards the request rather than upload then this may waste resources, but if the directory doesn't contain much then it's not much of an issue.)

  12. Thank you... no-one even lists "none" as an option! But it works for whatever reason.

     

     

    I'll look into further tonight, however this works from within PHP in my quick test:

     

    header("Content-Security-Policy: frame-ancestors 'none'");
    

     

    Some of the better links with examples I found:

     

    https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet

    http://content-security-policy.com/

    http://www.html5rocks.com/en/tutorials/security/content-security-policy/

     

     

    Again, many thanks

  13. More hardening...

     

     

    Should you always use urlencode / rawurlencode for links and GET requests?

    Is one better than the other?

     

    It appears you don't have to decode, is that true?

     

     

     

    Test Play:

     

    if(isset($_GET['cmd'])){
        if($_GET['cmd']=="harp's"){
        //if(rawurldecode($_GET['cmd'])=="harp's"){
            echo "true<br />";
        }
        else{
            echo "false<br />";
        }
    }
    
    $s1="harp's";
    
    echo "<br /><br />";
    echo "s1: ".$s1."<br />";
    
    echo "<br /><br />";
    echo "<a href='?cmd=".$s1."'>Test 1</a><br />\n";
    echo "<a href='?cmd=".rawurlencode($s1)."'>Test 2</a><br />\n";
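    Added example, not the author's rx_url() or any code from this thread: it separates the three encodings the posts above mix together (path segments with rawurlencode, query string with http_build_query, HTML attribute with htmlspecialchars) and shows why encoding the whole path makes a scheme-less link relative. rx_link(), encode_path(), href_attr() and the sample values are hypothetical; the link is a scheme-less path, as in the thread.

```php
<?php
// Added example, not code from the thread. Builds a link in three layers: path
// segments (rawurlencode), query string (http_build_query) and the HTML attribute
// (htmlspecialchars). rx_link() and the sample values are hypothetical; the link is
// a scheme-less path, as in the thread.

// Encode path segments one at a time so the "/" separators survive and a leading "/"
// keeps the link absolute; rawurlencode() over the whole path would turn "/a/b.php"
// into "%2Fa%2Fb.php", which the browser then resolves relative to the current page.
function encode_path(string $path): string {
    return implode('/', array_map('rawurlencode', explode('/', $path)));
}

// Path + query array -> URL text. PHP_QUERY_RFC3986 encodes a space as %20 (like
// rawurlencode) instead of the "+" that the default urlencode() style produces.
function rx_link(string $path, array $args = []): string {
    $url = encode_path($path);
    if ($args !== []) {
        $url .= '?' . http_build_query($args, '', '&', PHP_QUERY_RFC3986);
    }
    return $url;
}

// Attribute layer: applied only when the URL is dropped into href="...", never to
// the stored URL itself, so the "&" separators become "&amp;" exactly once.
function href_attr(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values covering the thread's tests: an apostrophe, a nested
// array (test 7) and a value containing a space.
$url = rx_link('/tuts/php/test3.php', ['one' => "a's", 'two' => [1, 2, 3], 'cmd' => 'harp s']);
echo $url, "\n";
echo '<a href="', href_attr($url), '">test</a>', "\n";

// Receiving side: PHP already percent-decodes the query into $_GET, so urldecode()
// is not needed there. parse_str() applies the same decoding and the same
// "two[0]" => array rule, so a nested argument arrives as an array, not a string,
// and echoing it as text prints "Array".
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump($params);
```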
  14. I'm using the following function to test for initial variable sanity, how does it fare?:

    function rx_valid_data($data,$type){
        //    type:    email,pass,name,names,filename,words,text,title,digits,int,dec,hex
        //    The special regular expression characters are: . \ + * ? [ ^ ] $ ( ) { } = ! < > | : -
        //    D modifier on the anchored patterns: a bare "$" also matches before a trailing "\n", so "name\n" would otherwise pass

        if($type=="email"){
            //if(eregi("[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}",$email)){    return true;    }else{    return false;    }
            if(filter_var($data, FILTER_VALIDATE_EMAIL)) {    return true;    }else{    return false;    }
        }elseif($type=="pass"){
            //if(preg_match('/^[:# !£$\._a-z\d]+$/i', $data)){            // has only chars & digits and #: !£$._
            if(preg_match('/^[:# !£$\.\w]+$/iD', $data)){            // has only chars & digits and #: !£$._
                return true;
            }
            //if(preg_match('/[a-z]/i', $string))){}            // has at least one char
            //if(preg_match('/\d/', $string))){}                // has at least one digit
            return false;
        }elseif($type=="name"){
            //if(preg_match('/^[_a-z\d]+$/i', $data)){            // has only chars & digits and underscores
            if(preg_match('/^[\w]+$/iD', $data)){            // has only chars & digits and underscores
                return true;
            }
        }elseif($type=="names"){    //    NAME LIST
            //if(preg_match('/^[, \t_a-z\d]+$/i', $data)){            // has only chars & digits, underscores, comma, space, tab
            if(preg_match('/^[, \t\w]+$/iD', $data)){            // has only chars & digits, underscores, comma, space, tab
                return true;
            }
        }elseif($type=="filename"){
            //if(preg_match('/^[-0-9A-Z_\.]+$/i', $data)){            // has only chars & digits, underscores and periods
            if(preg_match('/^[-\w\.]+$/iD', $data)){            // has only chars & digits, underscores and periods
                return true;
            }
        }elseif($type=="words"){
            if(preg_match('/^[\._ \'\"\!£\$%&\*\(\)\+\-\<\>\|\:;\?\=\[\]\{\}\^\\/\s\tA-Za-z\d]+$/im', $data)){            //
                return true;
            }
        }elseif($type=="text"){    //    ALLOWS EVERYTHING THROUGH AT THE MOMENT
            //if(preg_match('/^[_ \'\"\!£\$%&\*\(\)\+\-\<\>\|\:;\?\=\[\]\{\}\^\\/\s\tA-Za-z\d]+$/im', $data)){            //
                return true;
            //}
        }elseif($type=="title"){
            if(preg_match('/^[\._ \!£\$%&\*\(\)\+\-\<\>\|\:;\?\=\[\]\{\}\^\\/\'\"a-z\d]+$/iD', $data)){            //
                return true;
            }
        }elseif($type=="digits"){
            if(is_int($data)||ctype_digit($data)){    return true;    }        // is only digits, 0, 123, etc... (logical or, not the bitwise "|")
        }elseif($type=="int"){
            //if(is_numeric($data)){    return true;    }        //
            if(filter_var($data, FILTER_VALIDATE_INT)!==false){    return true;    }        // compare with false: a valid "0" comes back as int 0, which is falsy
        }elseif($type=="dec"){
            //if(is_numeric($data)&&strpos($data,'.')===false){    return true;    }        //
            if(is_numeric($data)){    return true;    }        //
        }elseif($type=="hex"){
            if(ctype_xdigit($data)){    return true;    }        // is hex
        }
        return false;
    }
    

    Here's a sort of unit test. The int one fails with leading zeros, the email tests are from the filter_var() php.net page, are they ok to ignore?:

    defined('BL') or define('BL', "<br />");    // assumed: BL is the line-break constant used throughout, defined elsewhere in the author's code

    echo "Initialised".BL;
    $err_tot=0;

    unit_test_funcs_01();

    echo "FUNCS TOTAL ERRORS: ".$err_tot.BL;


    function unit_test_funcs_01(){
        echo "TESTING: rx_valid_data".BL;
        //rx_valid_data($data,$type)
        //    type:    email,pass,name,names,filename,words,text,title,digits,int,dec,hex

        /*
        'localpart.ending.with.dot.@example.com',
            '(comment)localpart@example.com',
            '"this is v@lid!"@example.com',
            '"much.more unusual"@example.com',
            'postbox@com',
            'admin@mailserver1',
            '"()<>[]:,;@\\"\\\\!#$%&\'*+-/=?^_`{}| ~.a"@example.org',
            '" "@example.org'
        */
        //    PASS TEST: email
        $a_pass=array("a@b.com","a@b.cow","уникум@из.рф",'localpart.ending.with.dot.@example.com','postbox@com','admin@mailserver1','"()<>[]:,;@\\"\\\\!#$%&\'*+-/=?^_`{}| ~.a"@example.org','" "@example.org');
        //    ,'(comment)localpart@example.com','"this is v@lid!"@example.com','"much.more unusual"@example.com'
        $a_fail=array("ab.com","a^@b.com");
        do_test("email",$a_pass,$a_fail);

        //    TEST: pass
        // has only chars & digits and #: !£$._
        $a_pass=array("password","123","abc_def","#: !£\$a0");
        $a_fail=array("pass*word","","hkjhkl%jh","hkjh^");
        do_test("pass",$a_pass,$a_fail);

        //    TEST: name
        // has only chars & digits and underscores
        $a_pass=array("name","name_0","abc_def");
        $a_fail=array("my*name","","hkjhkl%jh","hkjh^");
        do_test("name",$a_pass,$a_fail);

        //    TEST: names
        // has only chars & digits, underscores, comma, space, tab
        $a_pass=array("name","name_0, name_1","name name","name,name","name        name");
        $a_fail=array("my*name","","hkjhkl%jh","hkjh^");
        do_test("names",$a_pass,$a_fail);

        //    TEST: filename
        // has only chars & digits, underscores and periods
        $a_pass=array("name.xyz","name_0","test0.jpg");
        $a_fail=array("my*name","","hkjhkl%jh","hkjh^");
        do_test("filename",$a_pass,$a_fail);

        //    TEST: words
        //
        $a_pass=array("name.xyz","name_0","test0.jpg");
        $a_fail=array("my\nname","");
        do_test("words",$a_pass,$a_fail);

        /*
        //    TEST: text
        //
        $a_pass=array("name.xyz","name_0","test0.jpg");
        $a_fail=array("my\nname","");
        do_test("text",$a_pass,$a_fail);
        */

        //    TEST: title
        //
        $a_pass=array("name.xyz","cow's","test0.jpg");
        $a_fail=array("my\nname","");
        do_test("title",$a_pass,$a_fail);

        //    TEST: digits
        $a_pass=array("1","0000002");
        $a_fail=array("name","","0.1");
        do_test("digits",$a_pass,$a_fail);

        //    TEST: int
        $a_pass=array("1","0000002","-33");
        $a_fail=array("name","","0..1","0.1");
        do_test("int",$a_pass,$a_fail);

        //    TEST: dec
        $a_pass=array("1","000000.2","-33");
        $a_fail=array("name","","0..1");
        do_test("dec",$a_pass,$a_fail);

        //    TEST: hex
        $a_pass=array("abc","ff00ff","A2E");
        $a_fail=array("my_name","","g0");
        do_test("hex",$a_pass,$a_fail);
    }

    function do_test($type,$a_pass,$a_fail){
        //    PASS TEST: every value in $a_pass must be accepted
        $n=0;
        foreach($a_pass as $e){
            if(!rx_valid_data($e,$type)){
                err_report("rx_valid_data() PASS TEST",$type.":".$n.": ".$e);
            }
            $n++;
        }

        //    FAIL TEST: every value in $a_fail must be rejected
        $n=0;
        foreach($a_fail as $e){
            if(rx_valid_data($e,$type)){
                err_report("rx_valid_data() FAIL TEST",$type.":".$n.": ".$e);
            }
            $n++;
        }
    }

    function err_report($s,$ref){
        global $err_tot;
        $err_tot++;
        echo "FUNCS error(".$ref."): ".$s.BL;
    }
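    Added example, not the author's code: a few edge inputs a review of rx_valid_data() should exercise, each run through the loose check the post's branch uses and through a tightened variant, so the difference is visible in the output rather than argued. rx_valid_strict() and the probe values are hypothetical; it covers only the name, int and dec types, and keeps hidden-file names out of scope since the author allows those.

```php
<?php
// Added example, not code from the thread: edge inputs for three of the
// rx_valid_data() types beside a tightened variant. rx_valid_strict() and the
// probe values are hypothetical.

function rx_valid_strict(string $data, string $type): bool {
    switch ($type) {
        case 'name':
            // \A..\z instead of ^..$: "$" also matches just before a trailing "\n",
            // so "name\n" satisfies '/^[\w]+$/' while still carrying a newline.
            return preg_match('/\A\w+\z/', $data) === 1;
        case 'int':
            // filter_var() returns the integer 0 for "0", which is falsy, so a bare
            // if(filter_var(...)) rejects a legitimate zero; compare with false.
            return filter_var($data, FILTER_VALIDATE_INT) !== false;
        case 'dec':
            // is_numeric() also accepts exponents ("1e5"), leading whitespace and a
            // bare ".5"; a fixed-point pattern states exactly what a decimal may be.
            return preg_match('/\A-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?\z/', $data) === 1;
    }
    return false;   // unknown type: reject, matching rx_valid_data()'s default
}

// Constructed probes: [input, type, result of the loose check, result of the strict one].
$probes = [
    ["name\n", 'name', preg_match('/^[\w]+$/i', "name\n") === 1,  rx_valid_strict("name\n", 'name')],
    ['0',      'int',  (bool) filter_var('0', FILTER_VALIDATE_INT), rx_valid_strict('0', 'int')],
    ['1e5',    'dec',  is_numeric('1e5'),                           rx_valid_strict('1e5', 'dec')],
    [' 7',     'dec',  is_numeric(' 7'),                            rx_valid_strict(' 7', 'dec')],
];

foreach ($probes as [$in, $type, $loose, $strict]) {
    printf("%-9s %-5s loose=%-5s strict=%s\n",
        json_encode($in), $type, var_export($loose, true), var_export($strict, true));
}
```

    The first probe is the one to watch: a trailing newline passes the `^...$` pattern, and the `D` modifier or `\A...\z` anchoring closes that gap without changing which characters are allowed.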
    