kmaid

Everything posted by kmaid

  1. Hi guys, I am trying to improve my sanitising function to allow me to send single elements and arrays to be sanitised; however, I am running into issues. The stripslashes function does not appear to be working, as when I put in a string like "Test\" it comes out as "Test\\".

    [code]
    <?php
    // Sanitise a single value or an array of values.
    function libSanitise($Data)
    {
        // Wrap a single element so the same loop handles both cases.
        if (!is_array($Data)) {
            $Data = array($Data);
        }
        foreach ($Data as $key => $value) {
            $value = stripslashes($value);             // remove magic_quotes backslashes
            $value = htmlentities($value);             // encode HTML metacharacters
            $value = mysql_real_escape_string($value); // escape for a MySQL string literal
            $Data[$key] = $value;
        }
        return $Data;
    }
    [/code]
  2. I know about session hijacking, but how can you edit session variables? Surely being able to do this makes the entire thing pointless, as I would have to put their username and password into the session, which can then be edited. I hope you do not mind, Andy-H; I have attempted to add you on MSN in the hope I could talk to you about this further to gain a better understanding.
  3. Because I don't query the database. I use the following code just to check that they have had a session made and that they have the correct user level to use the page. From what I have read it is safe to do this, because the user can't touch these variables, unless I am greatly mistaken.

    [code]
    <?php
    function libSecurity($RequiredUserLevel)
    {
        session_start();
        // Logged in and at least the required level: let the page run.
        if (isset($_SESSION["UserName"])) {
            if ($_SESSION["Level"] >= $RequiredUserLevel) {
                return true;
            }
        }
        // Otherwise remember the requested page and send them to the login form.
        if (isset($_SERVER['HTTP_X_REWRITE_URL'])) {
            $_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_REWRITE_URL'];
        }
        $_SESSION['RequestedURL'] = $_SERVER['REQUEST_URI'];
        header("Location: Login.php");
        exit(0);
    }
    [/code]
  4. I understand that; however, I was looking to avoid querying the database for user information every time they load a new page, for something that won't happen that often. I guess I will have to query the DB every time, or set a session variable and check every 10 mins or something. Thanks for the help guys. I am not going to mark the post as solved, as I am still hopeful for some reason ^^.
  5. Hmmmm, I was under the impression that the user gets the ID of their session in a cookie and the data of the session is stored server side. What I want to do is unset the data server side so the session becomes invalid and they have to log in; however, their account being suspended, they will not be able to.
  6. Yo Jaret, guess who! Just load all the user IDs into an array and then use the implode function.

    [code]
    <?php
    $UserIDs = array();
    while ($getusersonline3 = mysql_fetch_array($getusersonline2)) {
        $UserIDs[] = $getusersonline3['user']; // append each ID to the list
    }
    echo implode(',', $UserIDs);
    [/code]

    edit: Haha, I was beaten twice and missed the []s off UserIDs ^^;
  7. Hi all, I am making a user system where I can suspend users. I suspend a user by preventing their login; however, it does not terminate their current session. Rather than checking that the user is still allowed to be logged in each time a page is loaded, I was wondering if I could store the session ID and then just delete/unregister it server side. Thanks, Kmaid
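The approach discussed across posts 3 to 7 (keep the cheap session check, but make a suspension take effect server side without a database query on every page load), written out as an added example. This is not kmaid's code; it assumes PDO, PHP 5.4 or later, and a `Users` table with `UserID`, `Level` and `Suspended` columns, none of which appear in the posts.

```php
<?php
// Added example, not kmaid's code. Keeps the session-only check from the
// post but re-validates the account against the database every few minutes,
// so suspending a user takes effect within that window without a query on
// every page load. Table and column names (Users, UserID, Level, Suspended)
// are assumptions.

const RECHECK_INTERVAL = 600; // seconds between database re-checks (assumed)

function libSecurity(PDO $db, $RequiredUserLevel)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (isset($_SESSION['UserID'], $_SESSION['Level'])) {
        $lastCheck = isset($_SESSION['LastCheck']) ? $_SESSION['LastCheck'] : 0;

        if (time() - $lastCheck > RECHECK_INTERVAL) {
            // Fetch only what the decision needs, by primary key.
            $stmt = $db->prepare('SELECT `Level`, `Suspended` FROM `Users` WHERE `UserID` = ?');
            $stmt->execute(array($_SESSION['UserID']));
            $row = $stmt->fetch(PDO::FETCH_ASSOC);

            if ($row === false || $row['Suspended']) {
                // Account deleted or suspended: drop the login server side.
                unset($_SESSION['UserID'], $_SESSION['Level'], $_SESSION['LastCheck']);
                session_regenerate_id(true); // new ID; the old session data is deleted
                redirectToLogin();
            }
            // Pick up level changes made by an admin since the last check.
            $_SESSION['Level'] = (int) $row['Level'];
            $_SESSION['LastCheck'] = time();
        }

        if ($_SESSION['Level'] >= $RequiredUserLevel) {
            return true;
        }
    }
    redirectToLogin();
}

function redirectToLogin()
{
    if (isset($_SERVER['HTTP_X_REWRITE_URL'])) {
        $_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_REWRITE_URL'];
    }
    $_SESSION['RequestedURL'] = $_SERVER['REQUEST_URI'];
    header('Location: Login.php');
    exit(0);
}
```

The re-check window is the trade-off: a suspended user keeps access for at most `RECHECK_INTERVAL` seconds. Setting it to 0 gives the query-on-every-page behaviour; a suspension that must bite instantly needs the session store itself to be searchable by user (for example a `sessions` table keyed by user ID), which is the "store the session ID" idea from the question.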
  8. Well, it worked perfectly right up until I realised that I needed to take their account status into account with the login script, so I needed the user data, which isn't returned in an update :<! Oh well, it was a nice idea; teach me to optimise before it's done lol!
  9. Hi guys, My login system has a database field called "LastActivity" which I use to clear out old accounts. At current, when a user logs on I run the MySQL query

    [code]
    SELECT * FROM `Users` WHERE `UserName` = '$UserName' AND `Password` = '$Password' LIMIT 1
    [/code]

    and then I run an update query to set last activity to the current date time.

    [code]
    UPDATE `Users` SET `LastActivity` = NOW() WHERE `UserName` = '$UserName' AND `Password` = '$Password' LIMIT 1
    [/code]

    It occurred to me today that I could get away with using just the update query and checking the number of rows affected to see if they were found. In my mind it should work nicely; however, as it's a login system, I decided I should check ^^; Kmaid
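The two-step login from posts 8 and 9 (find the user, then stamp `LastActivity`), as an added example that is not kmaid's code. It swaps the interpolated SQL strings for bound parameters and the plaintext password comparison for a stored hash checked with `password_verify()` (PHP 5.5 or later, assumed); `UserID`, `Level` and `Suspended` are assumed column names.

```php
<?php
// Added example, not kmaid's code: the two-step login from the post with
// bound parameters instead of interpolated strings, and a password hash
// checked by password_verify() instead of a plaintext comparison in SQL.
// Columns other than UserName, Password and LastActivity are assumptions.

function loginUser(PDO $db, $userName, $password)
{
    $stmt = $db->prepare(
        'SELECT `UserID`, `Password`, `Level`, `Suspended` FROM `Users` WHERE `UserName` = ? LIMIT 1'
    );
    $stmt->execute(array($userName));
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['Password'])) {
        return null; // unknown user or wrong password
    }
    if ($user['Suspended']) {
        return null; // found, but suspended: login refused
    }

    // Stamp the activity time by primary key. rowCount() is not used as the
    // "was the user found" test: MySQL reports 0 affected rows when the row
    // already holds the same value (two logins within the same second).
    $upd = $db->prepare('UPDATE `Users` SET `LastActivity` = NOW() WHERE `UserID` = ?');
    $upd->execute(array($user['UserID']));

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session ID once authenticated
    $_SESSION['UserID'] = $user['UserID'];
    $_SESSION['Level']  = (int) $user['Level'];
    return $user['UserID'];
}

// Storing a new password: hash it once, never keep the plaintext.
function storePassword(PDO $db, $userId, $plaintext)
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE `Users` SET `Password` = ? WHERE `UserID` = ?');
    return $stmt->execute(array($hash, $userId));
}
```

The affected-rows shortcut from the question has a second problem besides the missing user data: MySQL's default affected-rows count is rows *changed*, not rows *matched*, so an `UPDATE` that sets `LastActivity` to the value it already has reports 0 and the login would be refused. With PDO the matched count can be requested with the `PDO::MYSQL_ATTR_FOUND_ROWS` connection option, but the `SELECT` is still needed to read the account status.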
  10. [Sessions] Sorry, I don't understand why it would be a bad idea. My intention was to just make their IP address a session variable, so should someone attempt to hijack the session, when it compared the IP addresses it would expire the session and make them log in. The only time it would be a problem is if the user changed IP address every time they requested the site. How often does that happen?
  11. [Sessions] Hello all, I am currently creating a login system and have been trying to understand exactly how sessions work so I can make the script secure. So far I have understood that session data is always stored on the server and the client is given a cookie with the unique ID relating to the data stored on the server. How long is this information kept for, and how can you alter it on a per-session basis like phpfreaks does? Should I write a check to make sure that the IP address is the same as the original session starter's, and are there any drawbacks to doing so? Thanks, Kmaid
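The questions in posts 10 and 11 (how long session data is kept, how to change that for one session, and whether to bind a session to the client IP) answered in code, as an added example that is not kmaid's code. It assumes PHP 5.6 or later and a 30-minute idle limit; the User-Agent fingerprint stands in for the IP check, because a client's IP legitimately changes behind proxies and on mobile networks while the browser string does not.

```php
<?php
// Added example, not kmaid's code. Shows the settings that decide how long
// session data is kept, how to change them for one session, and a binding
// check that does not depend on the client IP address. The 30-minute idle
// limit is an assumption.

function startHardenedSession($idleSeconds = 1800)
{
    // Server-side data becomes eligible for garbage collection after this long idle.
    ini_set('session.gc_maxlifetime', (string) $idleSeconds);
    // Reject session IDs that PHP did not issue itself (fixation with a chosen ID).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Cookie lifetime 0 = until the browser closes; Secure on HTTPS; HttpOnly.
    $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();

    // Enforce the idle timeout in the application; gc only runs probabilistically.
    if (isset($_SESSION['LastSeen']) && time() - $_SESSION['LastSeen'] > $idleSeconds) {
        resetSession();
    }
    $_SESSION['LastSeen'] = time();

    // Bind the session to the User-Agent string rather than the IP address.
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $fingerprint = hash('sha256', $agent);
    if (!isset($_SESSION['Fingerprint'])) {
        $_SESSION['Fingerprint'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['Fingerprint'], $fingerprint)) {
        resetSession();
        $_SESSION['Fingerprint'] = $fingerprint;
    }
}

// Throw away everything in this session and issue a new ID; the old
// server-side data is deleted, so a copied cookie value stops working.
function resetSession()
{
    $_SESSION = array();
    session_regenerate_id(true);
}

// Per-session override: a "remember me" login can ask for a longer cookie.
function extendSessionCookie($seconds)
{
    $params = session_get_cookie_params();
    setcookie(session_name(), session_id(), time() + $seconds,
              $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
```

Two things the numbers hide: `session.gc_maxlifetime` is a lower bound, since the data is only removed when garbage collection happens to run, so the application-level `LastSeen` check is what actually ends an idle session; and a longer cookie (`extendSessionCookie`) is only useful if `gc_maxlifetime` is raised to match, otherwise the server-side data expires first.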
  12. Thank you both, my question is answered and is no longer an issue!
  13. Ah, I think you have missed when I said the data is not put into the database, rather just flagged as wrong and returned to the user as the values of the edit boxes to allow the user to change the data to be valid. Thank you for your concern though.
  14. Quoting Orio: "How could it be a security risk? If one receives his own input, and no one else is exposed to whatever he had entered, I can't see what harm could be done." This was my understanding as well; however, I felt I should check. The only one who could be affected by the injected code would be the one injecting it, which seems rather pointless. All the GET fields are validated in a different way and would not be outputted.
  15. I am probably over careful (or wasteful, depending on your view) in the way that I validate everything to make sure it's the "correct" input and then run the following function just in case.

    [code]
    <?php
    function libStripInputSlashes()
    {
        foreach ($_REQUEST as $key => $value) {
            // Chain the two steps: the original code assigned each result to
            // $_REQUEST[$key] from the raw value, so the second line threw the
            // htmlentities() result away and only the quotes came out escaped.
            $value = htmlentities($value);
            $_REQUEST[$key] = mysql_real_escape_string($value);
        }
    }
    [/code]

    However, it doesn't appear to be working, as the problem is still present, although 's are escaped.
  16. Hello, I am a little worried by some possible XSS on my site. When a user edits their account details and includes invalid characters, my script lists the errors they made and puts whatever they posted back into the submit fields to allow them to change the data they submitted to be valid. I have since noticed that if you put in '"<B>' it changes the rest of the page to bold. Does this pose any security risks, as no data is placed into the database and it will only occur if the user submits the data in the first place? How do you deal with this? Thanks, Kmaid
  17. I need help filtering out XSS and SQL injection. Currently I validate all my user input using regular expressions, but I am worried it may still leave some room for JavaScript or possibly MySQL special characters. Currently, to make sure, I use

    [code]
    <?php
    function libStripInputSlashes()
    {
        foreach ($_REQUEST as $key => $value) {
            // Chain the two steps; assigning both results from the raw $value
            // would discard the htmlspecialchars() output.
            $value = htmlspecialchars($value);
            $_REQUEST[$key] = mysql_real_escape_string($value);
        }
    }
    [/code]

    Are there any better solutions than using this? Thanks, Kmaid
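The alternative to rewriting `$_REQUEST` once for every destination (posts 13 to 17): keep the raw value, validate its shape, and encode it for the context it is about to enter, `htmlspecialchars()` when it goes into HTML and a bound parameter when it goes to MySQL. Added example, not kmaid's code; the `Users`/`DisplayName` column and the `h()` helper name are assumptions.

```php
<?php
// Added example, not kmaid's code. The raw value is kept as submitted;
// each output context gets its own encoding. Table and column names are
// assumptions.

// Encode for an HTML attribute or text node. ENT_QUOTES covers both ' and ".
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Validate first: reject anything outside the expected shape.
function isValidDisplayName($name)
{
    return preg_match('/\A[A-Za-z0-9 _.-]{1,32}\z/', $name) === 1;
}

function saveDisplayName(PDO $db, $userId, $name)
{
    if (!isValidDisplayName($name)) {
        return false;
    }
    // The value travels as a parameter, so quotes never reach the SQL parser.
    $stmt = $db->prepare('UPDATE `Users` SET `DisplayName` = ? WHERE `UserID` = ?');
    return $stmt->execute(array($name, $userId));
}

// Re-display the submitted value in the form after a validation error (the
// case from post 16): encoding at output is what stops '"<B>' from rendering.
function renderNameField($submitted)
{
    return '<input type="text" name="DisplayName" value="' . h($submitted) . '">';
}

// Constructed input of the kind from the post: the markup comes back as text.
$submitted = '\'"<B>';
echo renderNameField($submitted), "\n";
// <input type="text" name="DisplayName" value="&#039;&quot;&lt;B&gt;">
```

The reason a single sanitising pass keeps misbehaving is that the two encodings serve different parsers: `mysql_real_escape_string()` protects the SQL string literal and does nothing for `<B>`, while `htmlentities()` protects the HTML page but turns `O'Brien` into `O&#039;Brien` before it is stored. Validation on input plus encoding at the point of output removes the conflict, and once the database path uses prepared statements the SQL escaping function is not needed at all.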
  18. ThebadBad, good spot, I have adjusted accordingly :3 Thank you both
  19. Looks perfect and is working for all the test data I can come up with. Thank you ProjectFear!
  20. Hello, I could use some help with regex validating a string. The string is hexadecimal (uses the 0-9 a-f character set) and 36 characters long, broken up with dashes into 5 sections, e.g. xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Here are some examples of valid keys:

    a822ff2b-ff02-461d-b45d-dcd10a2de0c2
    f63f298d-0989-49ff-8aa3-5897e259e767
    8e589107-5f97-4e60-8194-11fcda76c194
    c428132b-fd96-4b34-9bbe-9e627a5a50e4
    2ceb9b3e-cf25-446b-b04a-dccae9d0a77a

    A regex expression that can validate the correct character set, format and number of characters would be very helpful and be interesting to compare against what I am playing with. Thanks, Kmaid
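A validator for the 8-4-4-4-12 lowercase hex format from the post, as an added example that is not kmaid's or ProjectFear's code. It anchors with `\A` and `\z` rather than `^` and `$`, because in PCRE `$` also matches just before a trailing newline and would let `"...e0c2\n"` through; the rejected samples are constructed.

```php
<?php
// Added example, not kmaid's code: validates the 8-4-4-4-12 hex key format
// from the post. \A and \z anchor to the absolute start and end of the
// string, so a trailing newline does not slip through as it can with $.
function isValidKey($key)
{
    return preg_match('/\A[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/', $key) === 1;
}

$samples = array(
    'a822ff2b-ff02-461d-b45d-dcd10a2de0c2'   => true,  // from the post
    'f63f298d-0989-49ff-8aa3-5897e259e767'   => true,  // from the post
    'A822FF2B-FF02-461D-B45D-DCD10A2DE0C2'   => false, // upper case is outside the stated set (constructed)
    "a822ff2b-ff02-461d-b45d-dcd10a2de0c2\n" => false, // trailing newline (constructed)
    'a822ff2bff02461db45ddcd10a2de0c2'       => false, // dashes missing (constructed)
    'a822ff2b-ff02-461d-b45d-dcd10a2de0c'    => false, // one character short (constructed)
);

foreach ($samples as $key => $expected) {
    $result = isValidKey($key);
    printf("%-40s %s\n", str_replace("\n", '\n', $key), $result === $expected ? 'ok' : 'MISMATCH');
}
```

If upper-case keys should also be accepted, add the `i` modifier (`/.../i`) rather than widening the character class, so the intent stays visible in one place.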
  21. Heh ^^; Dowdy is my colleague; I hadn't realised he had already posted on the subject here. I am currently googling what you suggested and was wondering if you knew of any good simple examples of these systems for me to have a look at. Thanks, Kmaid
  22. Hello, I could use some help. I am currently trying to code a decision tree into PHP whereby the user answers a question and the next set of questions is given to them based on their previous answer(s). Currently I am storing all the user's answers in a database and running it all through case statements each time; however, in all honesty I would like to do it another way, as I think it is a pretty poor approach. So far I have read about "Expert Systems", which are borderline AI and very complicated for this situation. The other thing I was thinking *could* work is using a parent/child method to build the menus and store all the answers, and upon running out of questions simply "if" through every possible outcome, which is only marginally better. Thanks for reading, Kmaid
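The parent/child idea from post 22 carried through, as an added example that is not kmaid's code: the tree is data (each node holds its question and the child node for each answer), and one loop replays the stored answers instead of a chain of case statements. The nodes and questions are constructed for the example; in practice the same rows would come from a table with `id`, `question` and a parent/answer link.

```php
<?php
// Added example, not kmaid's code: a decision tree kept as a table of nodes
// instead of case statements. Node IDs, questions and outcomes are constructed.
$tree = array(
    1 => array('question' => 'Is the device powered on?',
               'answers'  => array('yes' => 2, 'no' => 3)),
    2 => array('question' => 'Does it connect to the network?',
               'answers'  => array('yes' => 4, 'no' => 5)),
    3 => array('outcome'  => 'Check the power supply.'),
    4 => array('outcome'  => 'No fault found.'),
    5 => array('outcome'  => 'Check the network cable.'),
);

// Replay the answers given so far from the root; returns the node reached
// (a question still to ask, or a final outcome), or null if an answer is
// not one of the choices offered at that point.
function walkTree(array $tree, array $answers, $root = 1)
{
    $nodeId = $root;
    foreach ($answers as $answer) {
        $node = $tree[$nodeId];
        if (!isset($node['answers'][$answer])) {
            return null; // not a valid choice here: reject rather than guess
        }
        $nodeId = $node['answers'][$answer];
    }
    return $tree[$nodeId];
}

// Adding a question means adding a row, not editing a switch statement.
$node = walkTree($tree, array('yes', 'no'));
echo isset($node['outcome']) ? $node['outcome'] : $node['question'], "\n";
// Check the network cable.

var_dump(walkTree($tree, array('maybe'))); // NULL: answer not offered at node 1
```

Because the answers are validated against the tree on every replay, a stored answer that no longer matches the tree (after an admin edits a question) is caught as `null` instead of silently taking a wrong branch.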
  23. I just opened up the direct link to the QuickTime file in VLC and it didn't stream as perfectly as it should; however, I then used the direct link in the official QuickTime player and it was fine. I then tried using the PHP file in VLC, which wouldn't work at all. Using QuickTime it buffered and was at the slow 30ish kB/s rate. The movie is about 4 mins 30 and only 18.4 MB, so streaming it at normal broadband speeds shouldn't be an issue; I can promise this is down to something in my script or web server configuration x.X! I am going to try installing XAMPP on one of my other dedis and see if a different PHP configuration makes a difference.
  24. Nah, I'm afraid it's one of the first things I tried. Would the memory limit of the PHP script make a big difference? I am just using a default Plesk configuration on the server hosting the video; are there any limits which slow the scripts down?
  25. I tried fsockopen and it didn't appear to make much difference. I see other sites offering normal speeds, and when I download the "Trailer.mov" I max out my connection. There just has to be some setting or something, as I see other sites providing normal speeds through PHP scripts. Has anyone else had this issue, or is this something strange? Thanks again for the help so far -Kmaid
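A file-serving script of the kind posts 23 to 25 describe, as an added example that is not kmaid's code. It streams the file in fixed-size chunks and flushes each one, so neither `memory_limit` nor PHP's output buffering holds the whole file back, and it only serves files that resolve inside one directory. The media directory path and the `Content-Type` are assumptions.

```php
<?php
// Added example, not kmaid's code: serves a large file through PHP in
// chunks so it is neither read into memory whole (memory_limit) nor buffered
// before sending. The media directory and content type are assumptions.

function streamFile($requested, $chunkSize = 65536)
{
    $base = realpath('/var/www/media'); // assumed directory holding the videos
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);

    // Serve only files that resolve inside the media directory.
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }

    set_time_limit(0); // a slow client must not trip max_execution_time mid-file
    while (ob_get_level() > 0) {
        ob_end_clean(); // drop every output buffer so chunks leave immediately
    }

    header('Content-Type: video/quicktime');
    header('Content-Length: ' . filesize($real));

    $fh = fopen($real, 'rb');
    if ($fh === false) {
        header('HTTP/1.1 500 Internal Server Error');
        return false;
    }
    while (!feof($fh)) {
        echo fread($fh, $chunkSize);
        flush(); // push this chunk to the web server and on to the client
    }
    fclose($fh);
    return true;
}

// Usage: the file name comes from the query string, e.g. stream.php?f=Trailer.mov
// (the parameter name is an assumption).
if (isset($_GET['f'])) {
    streamFile(basename($_GET['f']));
}
```

Two server-side settings commonly sit between a script like this and full speed even when the code is right: `zlib.output_compression` (PHP compresses and buffers the output) and `output_buffering` in php.ini; both show up in `phpinfo()` and are worth checking alongside the web server's own buffering before changing the script further.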