kaliok

  1. kaliok

    file download

    Thanks for your quick response. I know zipping the file would solve the problem, but would prefer not to do that. Could you point me in the right direction for using php to give the user the ability to download the files. Thanks again.
  2. kaliok

    file download

    Hi, hopefully someone can help answer this. I would like to give people the ability to download wmv and mp3 files from my site. They are already embedded and play fine through various players but I ALSO want to have a plain text link that users can click to download the files to their own computer. Having the file open in a new window obviously doesn't work since it just plays the file in that new window. I want it to directly download the file, without the need to right click or do anything but click a link. I also don't want to have to zip the file. Is this possible? If so, how do I do it? Thanks for any help in advance.
  3. I am trying to come up with a solution that would work like substr_replace but only replace certain characters in the string. Having trouble getting my head around it though. Say I have a string (including the quotes):

        "brown fox" +jumped over the +"lazy dog"

    and I want to replace the spaces between the words with underscores ONLY if they are between the quotes. I have already got the positions of all the quotes into an array and I can therefore work out the number of characters, but what I am stumped on is how to use substr_replace or str_replace to do this. Was looking for help creating a function that could do this. The string doesn't always follow the same format, the quotes could appear anywhere in the text. The above example should end up looking like this:

        "brown_fox" +jumped over the +"lazy_dog"

    Perhaps what I want to do cannot be done with these two functions, in which case perhaps someone could suggest an alternative. Any help is greatly appreciated...
  4. Thanks for your help. I am not quite sure I want to do this. How is this done normally? When someone logs in to their favorite website and their username stays at the top of the site when they move between http and https, what system is generally being used? If I don't want to use cookies, do I therefore have to use post variables instead of session variables? If so, what would I change the following code to:

        if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) )

    Thanks for your help again.
  5. Hi, I hope someone can help. I guess I am not putting the right search criteria in to find this topic if this type of question has been answered before. Hopefully someone can suggest what the best practice is to fix this. Thanks for any help in advance.

    I am using an SSL certificate on the server. I have some session variables I want to pass between http and https: Username, Email, Level, etc. It is my understanding that session variables are deliberately set up so they won't pass to each other like this. The following is the code I use, but when a user is logged in it is fine when I move between http pages, but when I try and move to the https page(s) it loses the session variables. I use the function below on every page. If I log in using the https and then try and move into the http pages it does the opposite and loses the session variable data when I move to the non-secure pages. An example of the urls I am using is: http://www.mywebsite.com and https://secure.mywebsite.com

        session_start();

        function auth_frontend($role = '')
        {
            global $custname;
            $_SESSION['name'] = "BOB";
            $ok = true;
            if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT']))) {
                $ok = false;
            }
            if ($ok) {
                if (isset($_SESSION['user_id'])) {
                    $custname = $_SESSION['user_id'];
                    if ($custname == "") {
                        $_SESSION = array();
                        $custname = "Guest";
                        return $custname;
                    }
                    //the session is valid
                    else {
                        return $custname;
                    }
                } else {
                    $custname = "Guest";
                    return $custname;
                }
            } else {
                $custname = "Guest";
                return $custname;
            }
            exit();
        }
  6. Actually it appears I do need to use both stripslashes and mysql_real_escape_string to allow me to use quotes (as in the example in the original question). From what I can see in the examples given on the php.net site this shouldn't be a problem. At any rate I am still confused as to whether the code I have used is sufficient to stop an attack.
  7. Ok. Thanks. So I'll remove one or tother of those. Is the code still and/or now vulnerable?

        ....
        $thesearch=trim(mysql_real_escape_string(@$_POST['ud_mysearch']));
        $thesearch=strtr($thesearch,',/&()$%^@~`?;','');
        $queryGC="SELECT *,MATCH(keywords) AGAINST ('$thesearch' IN BOOLEAN MODE) AS score FROM images WHERE MATCH(keywords) AGAINST ('$search' IN BOOLEAN MODE)";
        ....
  8. Hi All, I just wanted to get some feedback on some code I am planning on using to stop SQL injection (if it is at all possible with the following code). The scenario would be the user would input some search criteria. The search criteria would be somewhat Google-esque in nature, for example:

        pet* +dog -cat -"golden retriever"

    So I need to allow backslashes, stars, and plus signs so that the user can use some of the capabilities of the boolean mode search. Is the following secure enough to stop a SQL injection? I have done some tests but perhaps someone could have a look and point out any flaws and fixes please.

        ....
        $thesearch=trim(stripslashes(strip_tags(mysql_real_escape_string(@$_POST['ud_mysearch']))));
        $thesearch=strtr($thesearch,',/&()$%^@~`?;','');
        $queryGC="SELECT *,MATCH(keywords) AGAINST ('$thesearch' IN BOOLEAN MODE) AS score FROM images WHERE MATCH(keywords) AGAINST ('$search' IN BOOLEAN MODE)";
        ....

    Thanks.
  9. Ahh. OK DES... that's what I was looking for...didn't know what it was called. Thanks.. I think I may have got it working.
  10. I am having some trouble protecting a folder of movie files. I am using htaccess and htpasswd to do this. I need to have the ability to add additional users to the list, but I need to give the admin person the ability to do this. The method I thought I could use was to have a php script that would take the new username and password that are entered and then write that to the htpasswd file. I have not been able to locate a php script that generates a 13 character password. There are several places I have found that have a form to generate these types of passwords but I would like the php to do this for me.

        $pwFile = "../private/.htpasswd";
        $fh = fopen($pwFile, 'a') or die("can't open file");
        $rawpassword = ($enteredpassword);
        $password = crypt($rawpassword);
        $myNewCombo = "$UserName:$password";
        fwrite($fh, $myNewCombo);
        fclose($fh);

    The above code generates a password that is too long. I am guessing it is something I am doing wrong with crypt, perhaps it is the wrong function to use. Any help or advice is much appreciated.
  11. Thanks for your help... Ok... So I think that is finding the file data but it might not be processing it right. The following is the code I am using. I am suffering from two errors. The first is a problem with getting the file to embed in an html page. It is downloading the entire php file with the embedded code in it, I think that is because of the php header function, but I believe I still need it for the fopen and fpassthru commands:

        <?
        $fp = fopen("/private/privateimage.jpg", "r");
        header("Content-type: application/jpg");
        fpassthru($fp);
        fclose($fp);
        ?>

    I get the following error when I go and look at the code - it actually downloads the php file!

        Warning: fopen(/private/newwebsite.jpg) [<a href='function.fopen'>function.fopen</a>]: failed to open stream: No such file or directory in /home/linux/myurl.com/user/htdocs/myphpfile.php on line 33

    Now that I am looking at the file that was downloading I notice that if I do leave the ../private in there I get a lot of mess (lots of characters and ascii code) being put into the file as if it were not passing the file correctly. I could see Adobe Photoshop in amongst the mess of characters so I guess it got to the file and was reading it. Perhaps I am not using fpassthru correctly.

    Ultimately I am trying to get this to work for movie files, so perhaps before we go any further with this and the data has to be fixed in some way I thought I would add that into the pot. Perhaps too, I am going about this the wrong way. I really just want to stop people from accessing files in multiple folders without having the right password (I can make the login system and check to see if someone is logged in using php) but if people work out the full url to the folder and file, they will not have to go through the login procedure. I didn't go down the htaccess route because I would have had to rewrite the file every time a user is added, deleted or edited.

    So I came to the conclusion that placing the files in a folder above the webdir would be the best solution. Thanks again for help.
  12. Sorry. The script is sitting in a file directly in the webdir. So it would be

        webdir/myphpscript.php

    The image would be here:

        privateimagesfolder/myimage.jpg

    I have found what is referred to as "path for scripting" in the hosts control panel area - it looks something like this:

        /home/linux/thenameofmyurl.com/user/

    (user has not been changed - it is the word the hosts have in the path - and it is NOT me hiding my real username) fopen is allowed by the host, and I assumed the path would be something like this:

        fopen("/home/linux/thenameofmyurl.com/user/private/newwebsite.jpg", "r");

    OR

        fopen("../home/linux/thenameofmyurl.com/user/private/newwebsite.jpg", "r");

    Thanks again for any help.
  13. Thanks for your responses... I am afraid I am still somewhat at a loss here, my directory structure looks something like this: webdir somefolder someotherfolder privateimagesfolder I have placed the image in the privateimages folder, I can't use ../privateimagesfolder/myimage.jpg in an html img tag to step up a level because of course it keeps the structure of the domain in front of the url. So perhaps there is a way to do this with a php function that grabs the file using the absolute path etc. I have tried using fopen and fpassthru but have not been able to get the hang of them nor am I sure that they are the right functions to use. Any further help is much appreciated....
  14. Hi, I am having trouble locating an answer to the exact question but I am trying to do the following: Place video/image files in a folder outside the web directory so that there is no direct access to the files in that folder. I believe that this would be the case if I place it outside the web directory. If I am wrong, please feel free to correct me on that too. However, I would like to create a php script that can access the files. Is this possible? If so, how would I achieve this and what functions would I use to access them? I would prefer to not have to use the htaccess file. Thanks in advance for any advice...
  15. Hi Guys. That's a tad annoying. I just tested it with a few more real emails that were real and it failed them. Although the real hotmail addresses I tried all passed! I think that there needs to be some kind of gauge or ranking that the email gets. I have seen this on an ASP function. I found this on http://centralops.net/co/EmailDossier.vbs.asp - it seems to do a more comprehensive check and passed or almost passed more emails than the one on howtocreate. Not good at translating asp to php though...
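
For the boolean-mode search asked about in posts 6 to 8 above, a prepared statement keeps the user's text out of the SQL string entirely, and a separate allowlist controls which search operators survive. This is an added example, not the poster's code: it assumes a PDO MySQL connection and the `images` table with a FULLTEXT index on `keywords` named in the post, and the function names are hypothetical. The `mysql_*` functions used in the posts were removed in PHP 7.

```php
<?php
// Added example, not the poster's code. Assumes a PDO MySQL connection and
// the `images` table / `keywords` FULLTEXT column named in the post.

/**
 * Keep only what is meaningful in a boolean-mode search: letters, digits,
 * spaces, the operators + - * and double quotes for phrases.
 * This controls search syntax; it is NOT what prevents SQL injection.
 */
function clean_boolean_search(string $raw): string
{
    // preg_replace returns null on invalid UTF-8; treat that as empty input.
    $s = preg_replace('/[^\p{L}\p{N}\s+\-*"]/u', ' ', $raw) ?? '';
    // An odd number of quotes leaves an open phrase; drop the quotes.
    if (substr_count($s, '"') % 2 !== 0) {
        $s = str_replace('"', ' ', $s);
    }
    return trim(preg_replace('/\s+/', ' ', $s));
}

/** Run the search with the term bound as data (hypothetical helper). */
function search_images(PDO $pdo, string $raw): array
{
    $term = clean_boolean_search($raw);
    if ($term === '') {
        return [];
    }
    // Two placeholders: native prepares do not allow reusing one name.
    $sql = 'SELECT *, MATCH(keywords) AGAINST (:t1 IN BOOLEAN MODE) AS score
            FROM images
            WHERE MATCH(keywords) AGAINST (:t2 IN BOOLEAN MODE)
            ORDER BY score DESC';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':t1' => $term, ':t2' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the post's sample search, and one with a stray
// apostrophe and an unbalanced quote.
foreach (['pet* +dog -cat -"golden retriever"', 'o\'reilly "golden'] as $in) {
    echo clean_boolean_search($in), PHP_EOL;
}
```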
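
For the questions about forcing a download (posts 1 and 2) and serving files kept outside the web directory (posts 11 to 14), one script can do both: check the login, confine the requested name to the private folder, then stream the file with the right headers. This is an added example, not the poster's code: `PRIVATE_DIR` reuses the path from post 12, and the `file` query parameter, the `$_SESSION['user_id']` login check and the allowed-type list are assumptions.

```php
<?php
// Added example, not the poster's code. PRIVATE_DIR, the `file` parameter,
// the login check and ALLOWED_TYPES are assumptions for illustration.
session_start();

const PRIVATE_DIR = '/home/linux/thenameofmyurl.com/user/private';
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',
    'mp3' => 'audio/mpeg',
    'wmv' => 'video/x-ms-wmv',
];

/** Return the real path of $name inside $baseDir, or null if not allowed. */
function resolve_private_file(string $baseDir, string $name): ?string
{
    // Plain file names only: no slashes, quotes or control characters.
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // After symlinks are resolved the file must still be under the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
$name = $_GET['file'] ?? '';
$path = resolve_private_file(PRIVATE_DIR, is_string($name) ? $name : '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
// "attachment" makes the browser save the file instead of playing it inline.
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($path);
```

The headers must be sent before any other output, so the script cannot also contain the surrounding HTML page; link to it from the page instead.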