PFMaBiSmAd

We have a question - what operating system, web server and version, and php version was exploited?

As you can probably imagine the word database (the start of the part of the query that was printed in the error message) probably has special meaning to a database query language. Ref: http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html You either need to use a different name for your table or you need to enclose database in back-ticks ` everywhere it gets used in a query.

The most enjoyable exchange I ever had on a programming help forum was when a guy was writing a golf scorecard record system. He was either a golfer picking up programming as he was trying to develop this for real or it was a programming course assignment. He knew what he wanted the end result to be (planning, defining, and designing before you write any code is always the most efficient method), he had actually tried to find out why his code was not working but was stuck with one problem. Without anyone needing to tell him, he posted just the relevant code (and labeled what each piece was), posted the data from his database, posted the link he was using that contained the values he was trying that did not give the correct results, posted the results he was getting, posted at what point in the code he was getting the expected results and at what point he was not, and what the expected results should have been. It was a joy to actually look through his code, which was more than just a few lines, in order to help him. I actually posted a thank you to him for how he had presented his problem. The key here is that even though he was not an experienced programmer HE did all of that and only needed some HELP in solving a programming related problem. Once I wrote what was causing the problem, he did not need to ask where or how to "put that into my code." He took the direction given and because he knew what his code was meant, he was able to change the relevant lines of code himself. [rant] Was this guy an exception? Perhaps, but we are not trying to potty train three year olds here either. Everyone having access to this forum should be a young-adult or older. Defining, writing, testing, and debugging code is really all just problem solving but is done in a different language (and before you do any defining, writing, testing, and debugging of code you have got to learn enough of the language so that you can at least follow along with what you are looking at or understand a reply or be willing to go and research something that you did not understand.) Basic programming is not that hard if you actually think about what you are doing and what you see in front of you when you try something (no it is not magic), but it is one of the most detail orientated activities there is. So, if you are not detail oriented or you are sloppy or go into programming thinking you will take short-cuts and do the minimum necessary to accomplish any task, you won't succeed at it. [/rant]

The error message indicates that there are probably two blank lines before the opening <?php tag.

And for the example code you posted, here is a basic framework you could start with - <?php // basic code to do the confirmation and deletion when the 'delete' button for any item is selected $url_action = isset($_GET['action']) ? strtolower($_GET['action']) : ''; $url_id = isset($_GET['id']) ? strtolower($_GET['id']) : ''; // process any get action= switch ($url_action){ case 'confirm': $content = <<< EOT Delete Record with id: {$url_id} ? <form action="?action=delete&id={$url_id}" method="post"> <input type="Submit" name="delete" value="Yes"><input type="Submit" name="delete" value="No"> </form> EOT; break; case 'delete': if($_POST['delete'] == 'Yes'){ // your code to actually delete the record $content = "You have deleted the record with id = {$url_id}<br />"; } else { $content = "You picked No<br />"; } break; default: } echo $content; // display the edit/delete links/forms - $arr['id'] = 123; // dummy id for demo echo <<< EOT What do you want to do with the record with id: {$arr['id']} <form action="?action=confirm&id={$arr['id']}" method="post"> <input type="Submit" name="submit" value="Delete"> </form> EOT; $arr['id'] = 124; // dummy id for demo echo <<< EOT What do you want to do with the record with id: {$arr['id']} <form action="?action=confirm&id={$arr['id']}" method="post"> <input type="Submit" name="submit" value="Delete"> </form> EOT; ?>

In your previous thread on this, someone already mentioned how you could use a unique key -

The first step to achieve that is to make the form and the form processing code be part of the same page. The second step is to incorporate the form/form processing code as a 'unit' into any page that needs to use it. See the example code posted at this link - http://www.phpfreaks.com/forums/index.php/topic,269340.msg1271304.html#msg1271304 for how you might do this (you don't need to use functions/OOP, but it helps.) Basically, by using an ?action= parameter on the end of the URL that gets changed depending on which 'step' you are at, you can modify the code posted at that link to let you do anything in the order that you want it.

For that short bit of code, finding and eliminating the output that is causing the header error would be simple, except that it would take seeing the actual error message as that states where the output is occurring at. xxxxx out any sensitive information in the error message, but you have got to supply all the relevant information if you want someone else to help find the cause of the problem.

No, that does not make 'computer' sense. After you have a few thousand lines of data, you should migrate it to a database and let the database engine do the work for you.

A header() redirect must come before any other output is sent to the browser. If you could actually send output to the browser, then redirect, it would waste your hosting bandwidth every time it did it, so, you are actually lucky that you cannot send output before a header. The specific error message that you get tells you where the output is being started at that is preventing the header() from working. You must find and either eliminate the output (some times it is due to an incorrectly saved file format) or move the output so that it occurs after the header() or move the header() so that it is before any output.

The \ escape characters in - name=\"reply\" cause the POST index name to literally contain the double-quote characters. Why are those \ escape characters in there? You don't have them on any of the other name="..." attributes that do work.

I'll bet that the OP is using *nix and that is it is an Apache issue.

I just tested this using Apache 2.2.x under Windows. When Apache is configured to parse .php files, a file such as Defacer.PHP.FLV will be parsed as php. Apparently the web server only looks at the file name up to the first extension it finds. This certainly does explain the great number of web sites that are being easily taken over. Another reason to only store uploaded files in a folder that is not accessible through a http request.

The code: if (!$_POST['submit']) causes the the post variable to be evaluated. However, when the variable does not exist (your form has not been submitted yet) that generates an error. You need to use isset() to prevent that specific error for a variable that optionally might not exist - if (!isset($_POST['submit']))

The limits that hosting companies use normally apply to the total of all the databases, not to each database, because what matters to them is the total amount of storage you are paying for. It is likely that splitting data between multiple databases won't accomplish anything relative to your web hosting restriction and it will make the queries take x times longer, where x is the number of different databases that are being queried to find any piece of information.

The previous example that someone gave you that contained - WHERE DATE(sqtime) BETWEEN 'some_start_date' AND 'some_end_date' GROUP BY DATE(sqtime) was a generic example to get the values over a range of dates, group the posts by each day, and get a count of the posts made on each day in the range. Which is what you basically asked. What you are doing - WHERE DATE(sqtime) BETWEEN '2009-07-12 00:00:01' AND '2009-07-12 23:59:59' makes no logically sense because '2009-07-12 00:00:01' is not a date and won't compare with DATE(sqtime), which is a date.

Is the following your actual code or code you think would work - And, no the above code would not have stopped a file named Defacer.PHP.FLV from being uploaded. It would actually be best if you - A) Found exactly where and how the script got placed onto the server and how it got executed, and B) Posted your existing upload code as that would let someone find exactly how it was bypassed.

The C99 shell script is a php script. It would normally be uploaded as a .php file and then it gets browsed to in order to execute it. It would only be possible to execute it on your server if the file extension that it was uploaded as was one that the server has been configured to parse as php code. Has your server been configured to parse .flv files as php or has any other extension besides .php been configured to be parsed as php? I rather suspect that the .flv file you found was just one of the files containing the script and it may in fact not be the actual one what was used. Have you examined (searched) all the .php files for the c99 shell code?

Edit in response to your edit adding the php errors messages - the undefined constant messages are because one of the posted alternatives did not include necessary quotes around the index names. As to the actual undefined index errors, see my previous post.

mod is a reserved keyword and should not be used for a table or column name. Either rename your table to something else or put back-ticks ` around the table name. Just changing the syntax of the post variables between the three equivalent methods won't solve the fact that the index names don't exist. The first syntax, while not the best, was technically correct. The undefined index errors are because at the time your script was executed, those post variables did not exist.

http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_from-unixtime

Using a DATETIME data type would simplify and greatly speed up every query involving dates - SELECT *,count(*) FROM your_table WHERE DATE(your_DATETIME_column) BETWEEN 'some_start_date' AND 'some_end_date' GROUP BY DATE(your_DATETIME_column) Doing the above with a Unix Timestamp would involve a costly conversion just to find and group the data sharing the same date.

It's likely that the application is not using current recommend php.ini settings. However, without any specific information from you what so ever about what you saw in front of you that leads you to believe "i cant seem to run my app..", no one can offer any specific suggestions. You need to provide symptoms and the relevant code causing those symptoms for anyone else to be able to help troubleshoot what is going on. Also, are you developing and debugging this php code on a system with error_reporting set to E_ALL and display_errors set to ON in your php.ini so that php would help you by displaying all the errors it detects? Stop and start your web server to get any change made to php.ini to take effect and use a phpinfo() statement to confirm that the settings were actually changed in case the php.ini that you are changing is not the one that php is using.

Which two do you want? The first two alphabetically? The two with the lowest city_id? Two random ones? You have got to be specific when you ask a question involving programming and data.