Jump to content

PFMaBiSmAd

Staff Alumni
  • Posts

    16,734
  • Joined

  • Last visited

  • Days Won

    9

Everything posted by PFMaBiSmAd

  1. @White_Lily, I hope that isn't the code you are using, because it is not secure. Without an exit; statement after the header() redirect, the rest of the code on the page runs while the browser is performing the redirect and a hacker or bot script simply needs to ignore the redirect and he/it can access the page the same as if that code wasn't even present.
  2. If your files don't contain any UTF-8 encoded characters, you would want to use/try ASCII encoding.
  3. You need to have php's error_reporting set to E_ALL and display_errors set to ON in your master php.ini on your development system so that php will help you by reporting and displaying all the errors it detects. You would be getting a php error message where the problem is at that would help you fix it yourself. Hint: look at the other literal strings in your code and compare them with the $logo assignment statement.
  4. The code you have is not validating the submitted request/data. There's even an error in one of the variable names in the validation you do have, so it would never pass anyway. Here's some minimum validation logic you should use before you even make a database connection or touch any of the submitted data - <?php $log_file = 'some_file_name.txt'; // where to log your own errors/messages if($_SERVER['REQUEST_METHOD'] != 'POST'){ // not a post method request $message = date('Y-m-d H:i:s') . " - non-post request, from: {$_SERVER['REMOTE_ADDR']}\n"; error_log($message ,3,$log_file); die; // stop processing the request } // expected fields $fields = array("to_address","amount","btc_amount","confirmations","txhash","block","signature"); $errors = array(); // validation errors foreach($fields as $field){ if(!isset($_POST[$field])){ // an expected field is not set $errors[] = "$field is not set"; } else { // is set, check for empty if(trim($_POST[$field]) == ''){ // an expected field is empty $errors[] = "$field is empty"; } else { // field is set and not empty, depending on how important the data is, perform additional filtering/validation tests here } } } if(!empty($errors)){ // validation failed $message = date('Y-m-d H:i:s') . " - validation failed, from: {$_SERVER['REMOTE_ADDR']}, errors: [".implode('],[',$errors)."]\n"; error_log($message ,3,$log_file); die(); // stop processing the request } // if you are at this point an expected post request has been received, test/use the submitted data $to_address = trim($_POST["to_address"]); $amount = trim($_POST["amount"]); $btc = trim($_POST["btc_amount"]); $confirmations = trim($_POST["confirmations"]); $txhash = trim($_POST["txhash"]); $block = trim($_POST["block"]); $sig = trim($_POST["signature"]); $mysig = sha1( $to_address . $amount . $confirmations . $txhash . $block . "abcdefg...." ); if ($mysig !== $sig){ // data signature doesn't match $message = date('Y-m-d H:i:s') . " - data signature failed, from: {$_SERVER['REMOTE_ADDR']}, data: [".implode('],[',$_POST)."]\n"; error_log($message ,3,$log_file); die(); // stop processing the request } // your actual processing code starts here...
  5. Since any echo statements or php error display won't be seen when your script is requested by the actual event service (I'm assuming you have a html form for testing and that is how you are submitting the test event data), how do you know if or what your code is doing? You need to use one of the following methods to log errors and informational messages - 1) Php's error_reporting needs to be E_ALL and log_errors needs to be ON. This will log php detected errors to the server's error log file. You would also need to use trigger_error statements, instead of echo/print statements to send your application error and informational messages to the error log too. By using trigger_error you can easily switch from logging your application errors/messages to displaying them simply by setting php's log_errors/display_errors settings. 2) Use error_log to log information to your own log file. 3) As a last resort, you could use output buffering in your code to capture all the existing output and write that to a log file using error_log You also need to add error checking logic to every query and database connection so you know if any of them fail due to an error.
  6. @cyberRobot, at the top of the page, means before you output anything to the browser - Your code worked, because php has a setting, mentioned by kicken in this thread, that hides incorrectly coded pages, but results in code that is not portable between different server configurations and should be avoided.
  7. If you don't want the query/pagination logic to run unless the search form has been submitted with a non-empty search term, just enclose all the relevant logic inside the test for the search term by moving the closing } down to the end of the logic - if($search != ''){ // form a simple LIKE '%serach term%' comparison $where_clause = sprintf("WHERE your_column LIKE '%%%s%%'",mysql_real_escape_string($search)); } <------ move this to after the end of the posted logic
  8. The only thing in this thread that requires any specific php knowledge would be the actual syntax for the echo statement - echo mysql_error();
  9. The ones matching the file and line numbers listed in the error messages.
  10. The next step would be - By copy/pasting the function definition into the files where it is called, is only fixing a symptom, the one error message. The actual problem remains. The other things in that file are needed by the application, otherwise they wouldn't have been present in that file along with the themeheader() function definition. Is that file present on the server? Is the file on the server identical to the file in the backup? Where and how is that file being included by the main/other files making up the application?
  11. By finding out why the parameter you are passing into the mysql_num_rows function is a boolean instead of a resource. A SELECT query that runs without any errors will return a result resource. The error you are getting is typical of a SELECT query that failed due to an error and you don't have any error checking logic in your code to test if the query worked before using the result in following statements. You can echo mysql_error() after the point where you execute your query to find out why the query is failing.
  12. The step after finding the file where the function is defined, would be to find out why that particular file is not being included by the rest of the code or why the code in that file is not being seen as being php code. In the file where you found the function definition, were all the opening php tags full ones <?php or where they short ones <?
  13. You need to download (FTP) a copy of all the current files so that you can perform searches and/or get the site running on a local development system. Edit: Actually, since you have a previous backup copy of the files, you should be searching the backup files to find where the function is defined at. Edit2: A programming editor, like notepad++, will have a "search all files within folder" function that you can use to find where the function is defined, assuming the name in the function call has not be altered.
  14. filter_var returns the filtered data, or FALSE if the filter fails. The returned url isn't exactly a bool true type, so the === fails. It is a true using the == comparison.
  15. In your form processing code, add the following line to display the actual data being submitted - echo '<pre>',print_r($_POST, true),'</pre>';
  16. And, the name=',,,' attribute for each radio button in a set must be the same name. You can currently click on both radio buttons in a set and both will remain set (no pun intended there.)
  17. The form you posted already had values. It would probably help if you posted your current code.
  18. In programming, automatic means that someone wrote code to do it. You need to write your query statement so that it joins the information you want ON/USING the corresponding columns in the tables.
  19. To use a multi-value INSERT or REPLACE query, you would typically form a query with 5k-10k rows at a time (the limit is the mysql max_allowed_packet setting, default is 1MB, which can be changed if needed.)
  20. What exactly doesn't the first one do? Is it missing entirely from the form? Is the hidden field in the form incorrect? It doesn't update? It produces an error when the update query runs? BTW - you should not execute one query, then loop over the result from that query and execute another query in the loop to just get data the first query should have already selected.
  21. That's not shown in the code you posted and we only see the information that you post.
  22. Nope. By injection sql with something like ' OR id=1, a hacker can make your query match any row in your table. Your query would become - SELECT * FROM users WHERE token='' OR id=1
  23. ^^^ That would imply that you are trying to put the posted code onto a web page. You cannot output anything on a web page besides the html/css/javascript. Any force-download/dynamic image must be output as a completely separate response by putting a link to the force-download .php code into your html markup on a web page. What's the actual code on the page that doesn't work? Also, how exactly did you turn on error_reporting/display_errors and did you confirm that they actually got changed by intentionally producing an error?
  24. The general fix for your logic would be to put the form processing code into a specific section of code that - tests if the form has been submitted, validates the inputs, then saves the submitted post data to session variables. Empty post data would be saved as an empty string to the corresponding session variable. In the form code for the value='...' attributes, if the corresponding session variable isset, meaning that the form has been submitted one or more times, you would use it's value, which could be an empty string, else use an empty value.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.