NotionCommotion

Everything posted by NotionCommotion

  1. Execute the following script.
     <?php
     $json='{ "high":"8650.00", "last":"8500.00", "timestamp":"1410341807", "bid":"8310.00", "vwap":"8414.15", "volume":"107.05882350", "low":"8480.00", "ask":"8500.00" }';
     $array=json_decode($json);
     echo('<pre>'.print_r($array,1).'</pre>');
     ?>
  2. Ginerjm, I don't think the OP is asking for total access, only access to files/directories in a given directory. I expect the server code will define a base directory such as /some/directory/to/locate/user/files/ Then you are given a user input such as some/specific/directory. Would just removing all periods do the trick? This would prevent a directory named bla.bla, so maybe just two periods or a period next to a forward slash?
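The check this post is asking about, as an added example that is not code from the thread: rather than removing periods from the input, resolve the user path against the base directory with realpath() and verify the canonical result still lies under the base, so a name like bla.bla stays usable. The directory layout, file names and the function name are constructed for the demo.

```php
<?php
// Added example (not from the post): confine a user-supplied relative path to
// a fixed base directory by canonicalising it with realpath() and checking
// the prefix, instead of stripping periods from the input.
declare(strict_types=1);

/** Canonical path of $userPath inside $baseDir, or null if missing or outside. */
function resolveInside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;                   // base must exist; NUL would truncate the path
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;                   // nonexistent (or dangling symlink)
    }
    // realpath() has collapsed "..", "." and symlinks, so a prefix check on the
    // canonical form is enough. The trailing separator stops a base of
    // "/srv/files" from matching "/srv/files2".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout under the temp directory (hypothetical names):
//   $root/files/sub/bla.bla   inside the base
//   $root/secret.txt          outside the base
$root = sys_get_temp_dir() . '/resolve_demo_' . bin2hex(random_bytes(4));
$base = $root . '/files';
mkdir($base . '/sub', 0700, true);
file_put_contents($base . '/sub/bla.bla', "inside\n");
file_put_contents($root . '/secret.txt', "outside\n");

var_dump(resolveInside($base, 'sub/bla.bla'));         // dotted name inside the base: accepted
var_dump(resolveInside($base, 'sub/../sub/bla.bla'));  // ".." that stays inside: accepted
var_dump(resolveInside($base, '../secret.txt'));       // exists, but outside the base: null
var_dump(resolveInside($base, 'sub/missing.txt'));     // does not exist: null

// Remove the constructed files again.
unlink($base . '/sub/bla.bla'); unlink($root . '/secret.txt');
rmdir($base . '/sub'); rmdir($base); rmdir($root);
```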
  3. WHAT PART DOESN'T WORK?
  4. Looks like JSON to me. Look into http://php.net/manual/en/function.json-decode.php
  5. I like mac_gyver's solutions.
  6. Do what makes most sense to you, and what gives you the most flexibility.
  7. You could have your server generate two different error variables, and add <span class="error"><?php echo $captchaErr;?></span> wherever you want.
  8. You have it correct. Your narrative stated to use the "inc" extension such as links.inc, however, either php or inc will work (I originally used inc, but now just use php). I would also use require instead of include unless you want it to work if the file doesn't exist (can't see why you would ever want this). Most often, I recommend absolute paths (use include '/var/www/my_include_files/links.php'). You could also include PHP in the include file (just put tags around it). You might want to use a loop to create your list.
  9. I agree one doesn't need to use them, but then again, I am NotionCommotion
  10. Thanks again for the help regarding http://forums.phpfreaks.com/topic/294335-why-is-firefox-hitting-my-server-twice/. Some of my issues are fixed. I still get some mystery hits to my server, and this time it has nothing to do with FireFox and images without src attributes. I think I have a theory, and would like confirmation. I have a virtualhost /var/www/main/html which is used for IDE development only. In it, I change $_SERVER['HTTP_HOST'] from 192.168.1.200 to something like test.sites.example.com and have a require statement which changes control to another file served by another virtualhost. This is what confused me as I would browse through the second virtual host, and see these mystery server hits. So, it appears that the script I was utilizing had nothing to do with the mysterious hits, but that the IDE would periodically send some request to the server maybe to ensure it was up and running. You know, through the process of writing this post, I am sure that is what was happening. I thought about not even posting it, however, it was mostly written and maybe it will keep someone from thinking they are going crazy.
      Mystery $_SERVER array
      Array
      (
          [HTTP_HOST] => 192.168.1.200
          [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
          [SERVER_SIGNATURE] => <address>Apache/2.2.15 (CentOS) Server at 192.168.1.200 Port 80</address>
          [SERVER_SOFTWARE] => Apache/2.2.15 (CentOS)
          [SERVER_NAME] => 192.168.1.200
          [SERVER_ADDR] => 192.168.1.200
          [SERVER_PORT] => 80
          [REMOTE_ADDR] => 192.168.1.1
          [DOCUMENT_ROOT] => /var/www/main/html
          [SERVER_ADMIN] => root@localhost
          [SCRIPT_FILENAME] => /var/www/main/html/index.php
          [REMOTE_PORT] => 48417
          [GATEWAY_INTERFACE] => CGI/1.1
          [SERVER_PROTOCOL] => HTTP/1.1
          [REQUEST_METHOD] => GET
          [QUERY_STRING] =>
          [REQUEST_URI] => /
          [SCRIPT_NAME] => /index.php
          [PHP_SELF] => /index.php
          [REQUEST_TIME_FLOAT] => 1423058984.084
          [REQUEST_TIME] => 1423058984
      )
      Normal $_SERVER array
      Array
      (
          [REDIRECT_HTTPS] => on
          [REDIRECT_SSL_TLS_SNI] => test.sites.example.com
          [REDIRECT_STATUS] => 200
          [HTTPS] => on
          [SSL_TLS_SNI] => test.sites.example.com
          [HTTP_HOST] => test.sites.example.com
          [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
          [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
          [HTTP_ACCEPT_ENCODING] => gzip, deflate
          [HTTP_REFERER] => https://test.sites.example.com/administrator/index.php?cid=3
          [HTTP_COOKIE] => BACKSESSID=n6fgecgcd58aqujjtukf9gah86; PREVSESSID=9pnbb1eiighi1aantuqf2j3ei4
          [HTTP_CONNECTION] => keep-alive
          [HTTP_CACHE_CONTROL] => max-age=0
          [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
          [SERVER_SIGNATURE] => Apache/2.2.15 (CentOS) Server at test.sites.example.com Port 443
          [SERVER_SOFTWARE] => Apache/2.2.15 (CentOS)
          [SERVER_NAME] => test.sites.example.com
          [SERVER_ADDR] => 192.168.1.200
          [SERVER_PORT] => 443
          [REMOTE_ADDR] => 192.168.1.1
          [DOCUMENT_ROOT] => /var/www/main/html_sites
          [SERVER_ADMIN] => root@localhost
          [SCRIPT_FILENAME] => /var/www/main/html_sites/index.php
          [REMOTE_PORT] => 58408
          [REDIRECT_QUERY_STRING] => admin=administrator/index.php&cid=4&controller=list
          [REDIRECT_URL] => /administrator/index.php
          [GATEWAY_INTERFACE] => CGI/1.1
          [SERVER_PROTOCOL] => HTTP/1.1
          [REQUEST_METHOD] => GET
          [QUERY_STRING] => admin=administrator/index.php&cid=4&controller=list
          [REQUEST_URI] => /administrator/index.php?cid=4&controller=list
          [SCRIPT_NAME] => /index.php
          [PHP_SELF] => /index.php
          [REQUEST_TIME_FLOAT] => 1423057852.769
          [REQUEST_TIME] => 1423057852
      )
  11. It's hard to believe you couldn't just use the appropriate SELECT query without needing the UPDATE queries.
  12. Might wish to consider http://php.net/manual/en/function.password-hash.php instead.
  13. I am not sure using stored procedures is silly if you have someone else creating those stored procedures for the application programmer. And your second and third comment appear to contradict, but I think we both agree and I am misreading it. Escape inputs for SQL injections, and escape outputs for XSS.
  14. Mostly, you should be concerned about user inputs. And while there are many more, some of the most notorious are: SQL injection. You could use stored procedures, but if you are a one man shop, don't bother but be religious with PDO prepared statements. Similarly, when passing arguments to shell commands, use the appropriate escaping functions. A template engine such as Twig could make things easier. When presenting content to your users, make sure everything is properly escaped to prevent XSS. Typically, I don't remove/escape this from being in the DB, but only when presenting. Validate your incoming data always serverside, and sometimes also client side if you want to improve the UX. Again, there are more and it could sometimes be rather daunting. While many will disagree with me, I think a risk assessment approach should be used to determine how far you should go (but always do the three I listed and surely several others as well).
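The three controls this post lists, shown together in an added example (not code from the thread): a PDO prepared statement on the way in, htmlspecialchars() at output time for the HTML context, and escapeshellarg() for a value that reaches a shell command. It uses an in-memory SQLite database and constructed input; the table, column and function names are assumptions.

```php
<?php
// Added example (not from the post): input bound with a prepared statement,
// stored unescaped, escaped only when rendered or passed to a shell.
declare(strict_types=1);

// Constructed in-memory SQLite database so the example runs stand-alone.
// (On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the
// placeholders are handled server-side.)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');

/** Store user input as-is; the placeholders keep it out of the SQL grammar. */
function addUser(PDO $pdo, string $name, string $bio): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $name, ':bio' => $bio]);
    return (int) $pdo->lastInsertId();
}

/** Look a user up by name; the value is bound, never concatenated. */
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape for an HTML text or attribute context, with the document charset. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input containing characters that matter in SQL, HTML and a shell.
$name = "o'brien";
$bio  = '<b>hi</b> & "bye"; $(echo x)';
addUser($pdo, $name, $bio);

$user = findUser($pdo, "o'brien");   // the quote is data, not SQL syntax
echo '<p>' . h($user['name']) . ': ' . h($user['bio']) . "</p>\n";

// When the value must be handed to a shell, quote the whole argument.
$cmd = 'printf %s ' . escapeshellarg($user['bio']);
echo shell_exec($cmd), "\n";          // the bio comes back verbatim, unexecuted
```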
  15. Thanks scootstah, Does Varnish seem to do a good job knowing which files should be cached?
  16. Thanks Kicken!!!!! src attribute was to be provided via ajax. Any reason I shouldn't use src="some-file-that-does-not-exist.png"?
  17. With only FireFox, I am getting some strange extra hit to my server soon after the first one. It seems similar to when the browser is looking for favicon.ico, but I have an empty file in my public root. For troubleshooting, I added the following to my script, and have posted the results. The culprit appears to be: [HTTP_ACCEPT] => image/png,image/*;q=0.8,*/*;q=0.5 What could be causing this? Even if you don't have an exact answer, any suggestions on what to look for would be appreciated.
      session_start(); // $_SESSION is only available after the session is started
      $old_server=isset($_SESSION['server'])?$_SESSION['server']:$_SERVER;
      $difference = array_diff_assoc($_SERVER, $old_server);   // keys changed since the previous request
      $difference2 = array_diff_assoc($old_server,$_SERVER);   // the previous request's values for those keys
      $_SESSION['server']=$_SERVER;
      echo('$_SERVER<pre>'.print_r($_SERVER,1).'</pre>');
      echo('$old_server<pre>'.print_r($old_server,1).'</pre>');
      echo('$difference<pre>'.print_r($difference,1).'</pre>');
      echo('$difference2<pre>'.print_r($difference2,1).'</pre>');
      syslog(LOG_INFO,print_r($difference,1));
      $_SERVER
      Array
      (
          [REDIRECT_HTTPS] => on
          [REDIRECT_SSL_TLS_SNI] => test.sites.example.com
          [REDIRECT_STATUS] => 200
          [HTTPS] => on
          [SSL_TLS_SNI] => test.sites.example.com
          [HTTP_HOST] => test.sites.example.com
          [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
          [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
          [HTTP_ACCEPT_ENCODING] => gzip, deflate
          [HTTP_REFERER] => https://test.sites.example.com/administrator/index.php?cid=2&controller=sell&id=643341356
          [HTTP_COOKIE] => BACKSESSID=5il7gj9p1f3etu37l8vk8tvur1
          [HTTP_CONNECTION] => keep-alive
          [HTTP_CACHE_CONTROL] => max-age=0
          [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
          [SERVER_SIGNATURE] => Apache/2.2.15 (CentOS) Server at test.sites.example.com Port 443
          [SERVER_SOFTWARE] => Apache/2.2.15 (CentOS)
          [SERVER_NAME] => test.sites.example.com
          [SERVER_ADDR] => 192.168.1.200
          [SERVER_PORT] => 443
          [REMOTE_ADDR] => 192.168.1.1
          [DOCUMENT_ROOT] => /var/www/example/html_sites
          [SERVER_ADMIN] => root@localhost
          [SCRIPT_FILENAME] => /var/www/example/html_sites/index.php
          [REMOTE_PORT] => 63989
          [REDIRECT_QUERY_STRING] => admin=administrator/index.php&cid=2&controller=sell&id=643341356
          [REDIRECT_URL] => /administrator/index.php
          [GATEWAY_INTERFACE] => CGI/1.1
          [SERVER_PROTOCOL] => HTTP/1.1
          [REQUEST_METHOD] => GET
          [QUERY_STRING] => admin=administrator/index.php&cid=2&controller=sell&id=643341356
          [REQUEST_URI] => /administrator/index.php?cid=2&controller=sell&id=643341356
          [SCRIPT_NAME] => /index.php
          [PHP_SELF] => /index.php
          [REQUEST_TIME_FLOAT] => 1422985053.698
          [REQUEST_TIME] => 1422985053
      )
      $old_server
      Array
      (
          [REDIRECT_HTTPS] => on
          [REDIRECT_SSL_TLS_SNI] => test.sites.example.com
          [REDIRECT_STATUS] => 200
          [HTTPS] => on
          [SSL_TLS_SNI] => test.sites.example.com
          [HTTP_HOST] => test.sites.example.com
          [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
          [HTTP_ACCEPT] => image/png,image/*;q=0.8,*/*;q=0.5
          [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
          [HTTP_ACCEPT_ENCODING] => gzip, deflate
          [HTTP_REFERER] => https://test.sites.example.com/administrator/index.php?cid=2&controller=sell&id=643341356
          [HTTP_COOKIE] => BACKSESSID=5il7gj9p1f3etu37l8vk8tvur1
          [HTTP_CONNECTION] => keep-alive
          [PATH] => /sbin:/usr/sbin:/bin:/usr/bin
          [SERVER_SIGNATURE] => Apache/2.2.15 (CentOS) Server at test.sites.example.com Port 443
          [SERVER_SOFTWARE] => Apache/2.2.15 (CentOS)
          [SERVER_NAME] => test.sites.example.com
          [SERVER_ADDR] => 192.168.1.200
          [SERVER_PORT] => 443
          [REMOTE_ADDR] => 192.168.1.1
          [DOCUMENT_ROOT] => /var/www/example/html_sites
          [SERVER_ADMIN] => root@localhost
          [SCRIPT_FILENAME] => /var/www/example/html_sites/index.php
          [REMOTE_PORT] => 63970
          [REDIRECT_QUERY_STRING] => admin=administrator/
          [REDIRECT_URL] => /administrator/
          [GATEWAY_INTERFACE] => CGI/1.1
          [SERVER_PROTOCOL] => HTTP/1.1
          [REQUEST_METHOD] => GET
          [QUERY_STRING] => admin=administrator/
          [REQUEST_URI] => /administrator/
          [SCRIPT_NAME] => /index.php
          [PHP_SELF] => /index.php
          [REQUEST_TIME_FLOAT] => 1422985038.5
          [REQUEST_TIME] => 1422985038
      )
      $difference
      Array
      (
          [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          [HTTP_CACHE_CONTROL] => max-age=0
          [REMOTE_PORT] => 63989
          [REDIRECT_QUERY_STRING] => admin=administrator/index.php&cid=2&controller=sell&id=643341356
          [REDIRECT_URL] => /administrator/index.php
          [QUERY_STRING] => admin=administrator/index.php&cid=2&controller=sell&id=643341356
          [REQUEST_URI] => /administrator/index.php?cid=2&controller=sell&id=643341356
          [REQUEST_TIME_FLOAT] => 1422985053.698
          [REQUEST_TIME] => 1422985053
      )
      $difference2
      Array
      (
          [HTTP_ACCEPT] => image/png,image/*;q=0.8,*/*;q=0.5
          [REMOTE_PORT] => 63970
          [REDIRECT_QUERY_STRING] => admin=administrator/
          [REDIRECT_URL] => /administrator/
          [QUERY_STRING] => admin=administrator/
          [REQUEST_URI] => /administrator/
          [REQUEST_TIME_FLOAT] => 1422985038.5
          [REQUEST_TIME] => 1422985038
      )
  18. Doing some troubleshooting, and I see that the value of $_SERVER['REMOTE_PORT'] changes on every request. Per http://php.net/manual/en/reserved.variables.server.php: Is this normal?
  19. EDIT. When starting this post, I thought it was causing the browser to make an extra request to the server. I've since found this wasn't the case, however, didn't change the title of this post, and can't seem to change it to something like "Critique of file caching script" I am trying to cache a file, and put together the following script. I put the following in the browser: https://test.sites.example.com/administrator/index.php?cid=2&controller=sell&id=643341356 ... and Apache will rewrite as: https://test.sites.example.com/index.php?admin=administrator&cid=2&controller=sell&id=643341356 index.php includes the following line: <script src="/lib/js/clientConstants.php?b=1" type="text/javascript"> I know I am asking a lot, but would appreciate if someone could review the below code and give me opinions or constructive criticism. One thing I noticed is the check to see if the client should use its local cached file never gets executed by the server. Maybe modern browsers just "know" when they don't need to request a copy from the server? Thank you
      /lib/js/clientConstants.php
      <?php
      require_once(dirname(dirname(dirname(__DIR__))).'/application/classes/cache.php');
      $cache=new cache(__FILE__);
      $cache->content_type="text/javascript";
      $cache->callback=function($root) {
          echo('some text from the database');
      };
      $cache->invoke();
      ?>
      /application/classes/cache.php
      <?php
      class cache {
          public $cacheDir='/var/www/cache/'; //Where to cache
          /**
           * Default content type
           * @var string
           */
          public $content_type="text/html";
          /**
           * Default time to cache equal to 60*60*24*12
           * @var int
           */
          public $cachetime=1036800;
          /**
           * $callback
           * @var callable
           */
          public $callback;
          /**
           * File to cache
           * @var string
           */
          private $originalfile;
          /**
           * $cachefile
           * @var string|null
           */
          private $cachefile;
          /**
           * __construct to store in $this
           */
          public function __construct($file) {
              $this->originalfile=$file;
          }
          /**
           * If file doesn't exist, create file. Download the file
           */
          public function invoke() {
              date_default_timezone_set('UTC');
              //Be sure info from client is okay. Note that basename() keeps any
              //query string, so "clientConstants.php?b=1" becomes the cache file name.
              $name=basename($_SERVER['REQUEST_URI']);
              $this->cachefile = (strpbrk($name, "\\/%*:|\"<>") === FALSE)?$this->cacheDir.$name:null;
              if ($this->cachefile===null) {
                  //Rejected name: fopen(null) below would fail, so stop here
                  http_response_code(400);
                  return;
              }
              $fileExists=file_exists($this->cachefile);
              $filetime=filemtime($fileExists?$this->cachefile:$this->originalfile);
              if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && (@strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $filetime)) {
                  //Use file on client. A browser only sends If-Modified-Since once its
                  //copy has expired (or on a reload), so this branch is not reached
                  //while the Expires/max-age sent below is still in the future.
                  syslog(LOG_DEBUG,'Use cached file on client');
                  header('Last-Modified: '.gmdate('D, d M Y H:i:s', $filetime).' GMT', true, 304);
              } else {
                  //Not yet cached on client
                  header('Content-type: '.$this->content_type);
                  header('Pragma: public');
                  header('Cache-Control: public, max-age='.$this->cachetime); //was "maxage", which browsers ignore
                  header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$this->cachetime) . ' GMT');
                  //Send the same timestamp the If-Modified-Since check above compares
                  //against; with filemtime($this->originalfile) here the two never matched
                  header('Last-Modified: '.gmdate('D, d M Y H:i:s', $filetime).' GMT', true, 200);
                  if ($fileExists && (time() - $this->cachetime < filemtime($this->cachefile))) {
                      // Serve from the cache if it exists and is younger than $cachetime.
                      // The file holds rendered output, so send it with readfile();
                      // include() would execute any "<?php" that ended up in it.
                      syslog(LOG_DEBUG,'Use cached file on server');
                      readfile($this->cachefile);
                      switch($this->content_type) {
                          case 'text/html': echo "<!-- Cached ".date('jS F Y H:i', filemtime($this->cachefile))." -->";break;
                          case 'text/javascript': echo "/* Cached ".date('jS F Y H:i', filemtime($this->cachefile))." */";break;
                          //No comments for other file types
                      }
                  } else {
                      //create new file
                      ob_start();
                      //Pass web directory to call back if it needs it
                      call_user_func($this->callback,dirname(dirname(__DIR__)));
                      syslog(LOG_DEBUG,"create new cache file");
                      $fp = fopen($this->cachefile, 'w'); // open the cache file for writing
                      fwrite($fp, ob_get_contents()); // save the contents of output buffer to the file
                      fclose($fp);
                      ob_end_flush(); // Send the output to the browser
                  }
              }
          }
      }
      ?>
  20. Before calling godaddy, see what phpinfo() says.
  21. I would start looking in $_SERVER to see if there is anything which indicates the browser so that you could determine the appropriate number of rows to display. If not, then use JavaScript to send a request to provide this information, store it in a session, and use this value to determine the course of action.
  22. I didn't look at the script, but he did say it works under /session/ but not the homepage (/).
  23. Likely, the cookie associated with your cookie is only available to /session/ and other children directories. Try using something like session_set_cookie_path() or session_save_path().
  24. Have you talked to stramline.net?
  25. Thank you Jacques, I understand that the concern is not my cookies but about others maliciously setting them, however, I must admit I don’t know fully how to deal with it. For my specific circumstances, I believe, try as I might to make them, both frontend and backend users will not always utilize strong passwords. I also don’t think the site will be a target for sophisticated international hackers, but local amateurs might attempt to gain inappropriate access by guessing common passwords. Furthermore, frontend users are not able to post content to the frontend, reducing the threat of XSS attacks. Lastly, I believe HTTPS is required for the microsites from a security as well as marketing perspective. A crutch for weak backend user passwords is making the admin section site specific. For instance, if public access is bobs-site.public.mysite.com, I don’t want every admin section to use the same keyword (for instance “admin”) such as bobs-site.admin.mysite.com. However, it appears that CA SSL certificates like *.*.sites.mysite.com are not available or are cost prohibitive. Putting the admin area behind a path like /admin or /blabla allows me to do so, however, results in possible XSS vulnerability. So it appears that I am damned if I do and damned if I don’t, and have to choose the path of least evil.