Everything posted by Ninjakreborn

  1. Ok, I got the ideas, I got the opinions. Now I will implement everything you have said. I couldn't move the domain, but for some reason the owner thinks it's funny anyway. He was actually laughing about it, so I will go ahead and get organized. I will start up a function to take care of JavaScript script tags, HTML, and any possible PHP programming. I will take care of that. I will make sure my files are secure, and I will put some programming in there to screen cusswords out and block people from posting them. I will make sure I learn from it and take care of it. I will learn from my mistakes here and make functions that will help me for every project, not just this one. I know the power of hackers, so now I have to learn how to fight it. I will post back here in a couple of days, on Monday, and see how it went. I know people will still post rude shit, but then he can just ban them as he wants; that's the nature and destiny of this type of site, with a lot of spammers as well. He thinks it's funny, so it's fine with me. As for making people register, that would be a good idea, but he wanted to avoid that if he could. He said no about that, so that's all I know. Thanks for all the advice.
  2. So I should go ahead and pull it off the internet for now, test it out under a different URL, make sure everything works right and that there are no security issues, then put it live again. What can I do to make it more secure while it's off on another URL? Like, what should I check for? I know: JavaScript, check for PHP and HTML, but what about people putting on bad comments, or are there limits to what you can do?
  3. erm - shut the site down before they REALLY go to town? How can I shut it down? It's for a client; if I don't get a way to fix this, I could lose the project. I know I have so far done a bit more with the files; now it's the SQL injection. Is there something I can do to stop them, or is your suggestion just to shut down the website completely and drop the project?
  4. It never happened before until this one site; it means they will start hitting my other sites. Red, whoever else, what can I do to lock everything down and guarantee this won't happen again? With file downloads, I saw your advice, I will study over that Monday, but what about SQL injection? I thought I had everything covered. Everything.
  5. Ok, what do you suggest? Now I have someone trying to pop in JavaScript redirects, PHP redirects, and HTML header redirects to porn sites, and posting messages all over the page saying stuff like "stop logging what you think is our IP" and all this other stuff. This is going to make me permanently lose this client. I guess on Monday I am going to go through and lock down security on the site; I will check for, and block, anything with JavaScript, HTML, or PHP. I didn't know I had to bring out the bomb squad for every variable passed through the database. If this is true, then it's probably best for me to go ahead and create a massive function Monday that strips out all HTML, checks for script tags or anything related to JavaScript starting tags, and checks for PHP tags or anything that could start PHP tags. Will that take care of at least them doing things to the design and doing things like redirecting me?
  6. Well, I fixed the file problem; now they hit it with SQL injections: JavaScript redirects, XHTML header redirects to porn sites, plus they messed up the whole layout first. I need some advice. I thought mysql_real_escape_string would stop that; now what?
  7. Ah, I didn't realize that. I will do some more research on it. I am on the phone with the legal department for his internet (and luckily) cellphone service provider; they are putting me through to their legal department.
  8. [code]<?php
if (!empty($_FILES['file1']['name'])) {
    // extension whitelist; compared case-insensitively so .JPG is treated like .jpg
    $_accepted_extensions = array('.jpg', '.bmp', '.gif');
    $tmp = pathinfo($_FILES['file1']['name']);
    $ext = isset($tmp['extension']) ? '.' . strtolower($tmp['extension']) : '';
    if (!in_array($ext, $_accepted_extensions)) {
        exit("Improper File Types. accepted: jpg, bmp, and gif");
    }
    $file1 = $_FILES['file1'];
    $name = basename($_FILES['file1']['name']); // drop any directory part from the client-supplied name
    $tmp_name1 = $file1['tmp_name'];
    $target = $docroot . "/userfiles/"; // prepare target path ($docroot comes from config.php)
    $target1 = $target . $name;
    if (file_exists($target1)) {
        $no = "no"; // a file with this name already exists; nothing is moved
    } else {
        if (move_uploaded_file($tmp_name1, $target1)) {
            $name = basename($_FILES['file1']['name']);
        } else {
            $name = "none";
        }
    }
}
?>[/code] This is what I changed the programming to; it seemed to work alright.
  9. I beefed up security; it only accepts bmp, gif, and jpg. Got his IP, traced it and got this. What can I do to mess this person up for hacking me? Can someone make sense of this information, so I can track down his ISP and report him?
[quote]
Search results for: 75.210.43.78
OrgName:    Cellco Partnership DBA Verizon Wireless
OrgID:      CLLC
Address:    180 Washington Valley Road
City:       Bedminster
StateProv:  NJ
PostalCode: 07039
Country:    US
NetRange:   75.192.0.0 - 75.247.255.255
CIDR:       75.192.0.0/11, 75.224.0.0/12, 75.240.0.0/13
NetName:    WIRELESSDATANEWORK
NetHandle:  NET-75-192-0-0-1
Parent:     NET-75-0-0-0-0
NetType:    Direct Allocation
NameServer: CARKDNS.VZWDOMAIN.COM
NameServer: NJBRDNS.VZWDOMAIN.COM
Comment:
RegDate:    2006-01-18
Updated:    2006-10-30
OrgAbuseHandle: ABUSE716-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-908-306-7000
OrgAbuseEmail:  abuse@verizonwireless.com
OrgTechHandle: MGE16-ARIN
OrgTechName:   George, Matt
OrgTechPhone:  +1-908-306-7000
OrgTechEmail:  abuse@verizonwireless.com
# ARIN WHOIS database, last updated 2006-12-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[/quote]
  10. Ok, so it was probably someone on the forums. I have an IP banning system I had built into it in about 15 minutes, just about 5 minutes before it happened, so they got banned. Now I trace the IP, find out what host it's with and what network it's on, and try to get an address so I can press charges :D In the meantime I guess I need to beef up security for the downloads.
  11. [code]<?php
echo "da";
$myFile = "/homepages/14/d186083260/htdocs/client/secretefeedback/index.php";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = "Here's a secret...";
fwrite($fh, $stringData);
$stringData = "...your silly stupid fucking site was HACKED!";
fwrite($fh, $stringData);
fclose($fh);
?>[/code] Someone inserted a file into the system of a site I was building; the first time, they deleted the index file. What can I do to prevent this stuff? Here is my processing code; I didn't think I would need to go any further for a site this small? :S [code]<?php require_once("./master/config/config.php"); ?>
<?php
if (isset($_POST['submit'])) {
    $errorhandler = "";
    if ($_POST['secret'] == "") {
        $errorhandler .= "Secret was left blank.<br />";
    }
    if ($errorhandler != "") {
        echo "<span style=\"color:red\">";
        echo $errorhandler;
        echo "</span>";
    }
    if ($errorhandler == "") {
        $secret = mysql_real_escape_string($_POST['secret']);
        $date = date("m/d/y");
        $name = "none"; // default when nothing was uploaded
        // $_FILES['file1'] is present even when the field was left empty (error = UPLOAD_ERR_NO_FILE),
        // so test the error code rather than !empty($_FILES['file1'])
        if (isset($_FILES['file1']) && $_FILES['file1']['error'] === UPLOAD_ERR_OK) {
            $file1 = $_FILES['file1'];
            $name = basename($_FILES['file1']['name']); // drop any directory part from the client-supplied name
            $tmp_name1 = $file1['tmp_name'];
            $target = $docroot . "/userfiles/"; // prepare target path ($docroot comes from config.php)
            $target1 = $target . $name;
            if (file_exists($target1)) {
                $no = "no"; // a file with this name already exists; nothing is moved
            } else {
                if (!move_uploaded_file($tmp_name1, $target1)) {
                    $name = "none";
                }
            }
        }
        $ip = $_SERVER["REMOTE_ADDR"];
        // the file name is user-controlled too, so it must be escaped like the secret before it goes into the query
        $name = mysql_real_escape_string($name);
        $insert = "INSERT INTO secrets (secret, entrydate, imagename, ip) VALUES ('$secret', '$date', '$name', '$ip');";
        if (mysql_query($insert)) {
            header("Location: index.php"); // example, I redirect here
            exit;
        } else {
            echo "There was a problem entering the secret.<br />";
            echo "<a href=\"index.php\" title=\"Return\">Return Home</a>";
        }
    }
}
?>[/code]
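A hardened version of the secret-submission handler in the post above, added here as an example and not the thread's or the site's code. It validates the upload by its sniffed MIME type instead of the client-supplied file name, stores it under a server-chosen random name, inserts the row through a PDO prepared statement so no part of the input is ever parsed as SQL, and escapes on output, which is what stops an injected script tag or redirect from running when a secret is displayed. It assumes PHP 7 or later and that config.php defines a PDO connection $pdo (ERRMODE_EXCEPTION) and $docroot; the table and column names are the thread's.

```php
<?php
// Added example, not the thread's code. Assumes config.php defines $pdo (PDO,
// ERRMODE_EXCEPTION) and $docroot; table `secrets`(secret, entrydate, imagename, ip).
require_once "./master/config/config.php";

// Returns the stored file name, "none" if nothing was uploaded; throws on a bad file.
function store_image(array $file, string $dir): string {
    if ($file['error'] === UPLOAD_ERR_NO_FILE) {
        return "none";
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException("Upload failed.");
    }
    // Whitelist by sniffed content, not by the client-supplied name or extension.
    $allowed = ['image/jpeg' => 'jpg', 'image/gif' => 'gif',
                'image/bmp' => 'bmp', 'image/x-ms-bmp' => 'bmp'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Improper file type. Accepted: jpg, bmp, and gif.");
    }
    // Server-chosen name: no path traversal, no .php, no clobbering of existing files.
    $name = bin2hex(random_bytes(8)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $name)) {
        throw new RuntimeException("Could not save file.");
    }
    return $name;
}

// Escape on output (for the display page): a stored <script> or meta redirect stays inert text.
function show_secret(string $s): string {
    return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

if (isset($_POST['submit'])) {
    $secret = trim($_POST['secret'] ?? '');
    if ($secret === '') {
        echo '<span style="color:red">Secret was left blank.</span>';
    } else {
        try {
            $name = store_image($_FILES['file1'] ?? ['error' => UPLOAD_ERR_NO_FILE], $docroot . "/userfiles");
            // Bound parameters: quotes or comment markers in the input stay data, never SQL.
            $stmt = $pdo->prepare("INSERT INTO secrets (secret, entrydate, imagename, ip) VALUES (?, ?, ?, ?)");
            $stmt->execute([$secret, date("m/d/y"), $name, $_SERVER['REMOTE_ADDR']]);
            header("Location: index.php");
            exit;
        } catch (PDOException $e) {
            echo "There was a problem entering the secret.<br />"; // never echo the DB error text to users
        } catch (RuntimeException $e) {
            echo '<span style="color:red">' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</span>';
        }
    }
}
```

show_secret() is meant for the page that lists secrets: echo show_secret($row['secret']) rather than the raw column.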
  12. I am even impressed Red was able to create that; that is amazing. I have spent my whole time thinking it was impossible. So I don't know how to help; I didn't even know that could be done.
  13. That didn't work either; I had to just test for "" instead when I display the pictures. For some reason that wasn't working; I tried that a few times, what you just showed.
  14. [code]<?php
while ($data = mysql_fetch_assoc($query2)) {
    // quote the array key: an unquoted id inside the braces is read as an undefined constant
    $id = (int) $data['id']; // the id is numeric, so cast it before it goes into the link
    echo "<a href=\"page.php?id={$id}\" title=\"Page\">Page</a>";
}
?>[/code]
  15. Yes, they can help you. I worked up this on my site, www.freelancebusinessman.com, under tutorials; there is a tutorial for this. It's a little outdated compared to my current knowledge and is probably due for another rewrite in a few months. I will probably rewrite the whole thing and triple the information in it, but it will give you a basic idea of how everything works. Come back here afterwards if you have any more questions.
  16. Below I have the following code. It was seeming to work fine; what I need is 2 things. 1. If the file was an attempted upload, it goes ahead and validates, uploads, and moves the file to the proper folder (all of that works). 2. If the file was not an attempted upload, I need the if (move_uploaded_file($tmp_name1, $target1)) { $name = $_FILES['file1']['name']; }else { $name = "none"; } here; I need the $name variable to be changed to none. But it seems whether they try to upload a file or not, it's not putting none in the database, or at least not all the time. Is there something wrong with the logic flow of my code below? [code]<?php
// $_FILES['file1'] is present even when the field was left empty (error = UPLOAD_ERR_NO_FILE),
// so !empty($_FILES['file1']) was true either way and $name never got "none"; test the error code instead
$name = "none"; // default when nothing was uploaded
if (isset($_FILES['file1']) && $_FILES['file1']['error'] === UPLOAD_ERR_OK) {
    $file1 = $_FILES['file1'];
    $name = basename($_FILES['file1']['name']); // drop any directory part from the client-supplied name
    $tmp_name1 = $file1['tmp_name'];
    $target = $docroot . "/userfiles/"; // prepare target path
    $target1 = $target . $name;
    if (file_exists($target1)) {
        $no = "no"; // a file with this name already exists; nothing is moved
    } else {
        if (!move_uploaded_file($tmp_name1, $target1)) {
            $name = "none";
        }
    }
} // end file working
?>[/code]
  17. Hmm, thanks, that solves a problem I have run into MANY times. There were so many times I came up with an elaborate workaround type system, as opposed to the way I wanted. This will help a lot later; thanks, Red.
  18. Ok, it worked, thanks. I will keep that in mind for later. Thanks again.
  19. Yes, that is how I do it, for example. At the top of the page of the same form, if it's a single page, I have something like this (indenting off some because it's in the forum though): [code]<?php
if (isset($_POST['submit'])) {
    $errorhandler = "";
    if ($_POST['firstname'] == "") {
        $errorhandler .= "First name was left blank.<br />";
    }
    if ($_POST['lastname'] == "") {
        $errorhandler .= "Last name was left blank.<br />";
    }
    validate_email($_POST['email'], 1); // my own helper, defined elsewhere
    if ($_POST['field1'] == "") {
        $errorhandler .= "Field 1 was left blank.<br />";
    }
    // more validation of whatever type or kind is needed like above
    errorhandler($errorhandler, $url); // this is the function I use to display my error messages, if the
    // error handler is set, it displays it, as well as a url (if it's on a different page), to go back and fix
    // errors
    if ($errorhandler == "") {
        // here I do my mysql_real_escape_string or whatever other preparation before database entry
        // db variables (insert, query etcetera)
        if (mysql_query($insert)) {
            header("Location: redirect"); // example, I redirect here
            exit;
        } else {
            echo "Problem inserting into database";
        }
    }
}
?>[/code] Probably a few errors there; just an example. That is how I needed it to resurrect at that point, if it was successful and if there were no errors.
  20. Yes, Firefox is perfect too, and I just checked Opera; it's perfect there too. But in IE, let me double check: in IE version 6 (which is what he is using) it shows the 2 content boxes (only) both floated left, the same spacing in between the left and right column, and the same spacing between the header and the 2 boxes, but they are aligned to the right in IE instead of the center, like the other browsers.
  21. Ah, now I understand. Thanks, that will make some things easier. Wait, ok, from now on it opens up new doors; thanks again.
  22. Ok, good point. Based on what I had read throughout PHP Freaks and on other sites, I was under the impression that scrollbars for anything was a bad solution, so I have avoided them thus far, like the plague. Why do I see so many bad things about that? In website critique, every time someone uses a scrollbar, someone tells them that they should take that out.