s0c0

Everything posted by s0c0

  1. I am pen testing a client's system (I did not write the original code) and I am able to login as a customer using a SQL injection hack due to some poorly written SQL and other issues. My question is if it's possible to execute multiple queries using PHP's mysql_query and/or mysqli_query functions, for instance: The query written by developer A looks like this:

     $sql = " SELECT * FROM clients WHERE username='$user' AND key='$password' ";
     $result = mysql_query($sql);

     My hack turns the query into this:

     $sql = " SELECT * FROM clients WHERE username='$user' AND key='' OR ''='' ";
     $result = mysql_query($sql);

     My question is if it's possible to pass in 2 queries and have it properly execute and return a result set. For instance the end query would look something like this after the injection:

     $sql = " SELECT * FROM clients WHERE user='$user'; SELECT * FROM customers; "
  2. Eh, I'll give it a month or two before taking any action and see if the problem corrects itself. Most of my business is word of mouth or from other sources anyway; I was only getting about 1 lead per month from the site. I'm not hurting for business. Thanks for your responses, especially your colorful one, 448191.
  3. I only check Google. Aside from the directory submissions I've been occasionally replying (not spamming) to blogs in an effort to obtain back links. This is the first time I've used a directory submission service. Prior to that I had submitted my site by hand to maybe 10-20 directories. The only other changes made have been very minor changes to text, very nominal changes.
  4. Yeah, I use an include. I advised him to go with an iframe instead since Google will not look at an iframe. Yes, it's pretty severe; the form appears on over 50,000 pages.
  5. I was ranking on the 2nd page for Utah Web Development and Salt Lake Web Development on Google. Now my site cnizz.com is nowhere to be found? The only thing I've done is submit my site to about 200 paid-for directories that, yes, do look like SPAM directories. Could this have caused me to lose my rankings? Any ideas? What am I doing wrong? Please advise.
  6. I read an article on this in PHP Architect and the author of the article made it sound pretty sweet. My question would be is this more glitz and glamor or will it reduce the amount of work I have to do and speed up development? Has anyone used it, what are your thoughts?
  7. I have a client requesting that I change all his forms from an HTML based submit input type to a JavaScript based submit button. Here is the difference in case you are confused:

     <form name="frm" method="post" action="somepage.php">
         <input type="submit" value="submit" name="submit" />
     </form>

     <form name="frm">
         <input type="button" value="submit" name="submit" onclick="document.form.frm.submit()" />
     </form>

     He says there is an SEO benefit to this because the form looks like duplicate content the way it is currently set up (the form is included on virtually every single page on the site). I told him I don't see how this will make a difference. Am I incorrect? If so, why?
  8. I would be talking about the first version that appeared, being the arcade version in 1972 I think. We were debating this at work (yes, I know, geeks) and 2 of us settled on assembly, but I can't find the answer using Google. Do you know?
  9. JavaScript would not be an option, and JavaScript triggers do not exist. Do you want to log when a database user connects to the database or when a user defined in one of your tables (like the user of your application) logs in?
  10. Why is it not secure? It sends an email, there is no risk of SQL injection. Thank you for making me aware of the filter_var function though, I had no idea it existed.
  11. I assume you're Tim. In any case thanks. I figured it worked, just need to work on SEO and marketing when I get some down time. No need to send any more tests folks, thanks!
  12. Since I implemented a spam stopper I have not been receiving any emails via my contact form. Now, I usually only received about 1 per month, but it was picking up in both legitimate and non-legitimate (spam) submissions recently until I implemented a simple security question ("is the sun hot or cold") to stop spammers. http://www.cnizz.com/ Please go to this page, then click the contact link, and send an email. I'll reply to this post when I'd like you folks to stop testing it. Thanks in advance.
  13. Yes it checks first to see if the file exists and if it does, it then forces a download....
  14. Here:

      function download($file) {
          // Only send the file if it actually exists on disk; $file is expected to be a path the application trusts
          if(file_exists($file)) {
              header('Content-Description: File Transfer');
              header('Content-Type: application/octet-stream');
              // basename() keeps only the file name for the browser's save dialog
              header('Content-Disposition: attachment; filename='.basename($file));
              header('Content-Transfer-Encoding: binary');
              header('Expires: 0');
              header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
              header('Pragma: public');
              header('Content-Length: ' . filesize($file));
              // Discard any buffered output so the file bytes are not corrupted
              ob_clean();
              flush();
              readfile($file);
          }
      }
  15. I want to design a relatively simple CMS to deploy for clients. This will facilitate the basic content management side, and since I will know the code it will be easy to customize for each client. I am using the Mocha UI and MooTools framework with PHP and MySQL. For editing the website's actual content I was thinking about using FTP and parsing the file based on meta tags, title tags, and special DIV IDs to determine a given section. Title and meta info would be plugged into some text fields allowing the user to have unique meta tags for each page (or they could stick with defaults). I would have a special div id that my text parser would read into something like the FCK or TinyMCE editor. The thing I like about this model is there is far less database overhead with this approach. I am wondering if this is a good approach or is it more on the novel to horrible side of things?
  16. Really you should be using PHP 5's built in support of XML and RSS stuff. It will drastically reduce the lines of code you use, plus cure any headaches and gray hair you may get from the way you are doing it now. I dug up this from back-in-the-day; it's way basic, but it will give you a good starting point. php.net is your friend.

      application: http://cnizz.com/code/php/simplexml-file-load.php
      code: http://cnizz.com/code/php/simplexml-file-load.phps
  17. Now that we've improved some of your coding practices, how about an update on the original problem, lol? Once you get that fixed I'd advise you to read up on object oriented programming in PHP 5. That is definitely a coding practice I see drastically lacking in the PHP community. You can find examples of OOP on phpclasses.org
  18. Strike Iron costs $200 and that allows you to perform 200,000 operations on the API, I believe. Ameritrade is the best as you get the API free with your Ameritrade account, which is only $9.99. Not sure how Strike Iron intends on making money. The one caveat with Ameritrade is that they require you to sign an NDA for some reason. Well, you can thank me for all my hard work by showing some love on my blog. Good luck, friends.
  19. Okay, here is what I dug up:

      http://www.strikeiron.com/
      Specifically with them I am interested in the following: http://www.strikeiron.com/ProductDetail.aspx?p=427

      http://www.ameritrade.com/
      I am interested in this one: http://www.tdameritrade.com/tradingtools/partnertools/api_dev.html

      http://www.xignite.com
      I am interested in this one: http://preview.xignite.com/xGlobalQuotes.asmx

      An interesting site as well is http://www.programmableweb.com/apis/directory/1?apicat=Financial&sort=name which is just a list of financial APIs.

      If you guys get contacted by any of those companies let me know as I really need to come through on this. I sent emails to all of them and will call them directly if I don't hear anything back by Friday.
  20. Start echoing out data from the beginning of receiving the upload to the end point where you insert the data. That's how I debug these nasty little glitches. FYI, you don't need to set $_FILES or $_POST or $_GET or any global variables like that to your own variable. You can access this just fine without that. For instance there is no need for this:

      $fileName = $_FILES['userfile']['name'];
      $fileSize = $_FILES['userfile']['size'];

      You can access this just fine by referencing:

      $_FILES['userfile']['name'];
      $_FILES['userfile']['size'];

      Not sure where folks get the idea that it's somehow bad to directly reference global variables. Just trying to save you some lines, friend. Also, another thing that will save you time is doing this:

      INSERT INTO user SET user='$firstName',last='$lastName',email='$Email';

      Instead of this:

      INSERT INTO user (first,last,email) VALUES ('$firstName','$lastName','$Email')

      Both work the same, one is just less key strokes and I feel it is easier to read, especially when dealing with large tables.
  21. I believe you will need to use javascript for scrolling or dare I say a marquee tag.
  22. First off, I know how people jump to conclusions. NO, I am not asking for any of you to write this for me. I am not even sure if RFP is even the right term. Basically I have a potential client that is looking to have their website redesigned, SEO'd, and have a simple application built for their customers. My business is growing and I feel it's time that I start getting more official about the way I approach clients. Can anyone point me to some good resources? Mainly I just want a nice real world example that someone has presented a client themselves. So can you either point me to a link or maybe private message me a link to an RFP you yourself have written or received that you feel is well written. Thanks in advance, freaks.
  23. Sounds like there is a market out there for a stock quote API. Hmmm.... Anyways, no one from sales ever got back to me from any of those companies. I guess they either don't offer it, don't care about me, or don't want my business, as my client was willing to pay GOOD money for access to an API like that. Well, back to the drawing board.
  24. I am looking for a stock quote API that can be accessed with PHP, POST, etc... I am willing to pay for a service that is very close to or is real-time. I know I can use Yahoo and Google but they are delayed up to 15 minutes. I have already emailed Bloomberg and Reuters hoping they provide some sort of service like this. Any ideas? And yes, I have been googling for the last 30 minutes, so don't JFGI me, okay folks.
  25. Okay I figured out the easier way: http://blog.cnizz.com/2008/11/11/moving-innodb-tables-database-to-a-new-server/
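An added example, not from any post on this page, that puts the concatenated login query from post 1 beside a prepared-statement version and runs both against an in-memory SQLite table through PDO so it works offline; it assumes the pdo_sqlite extension and a constructed row `alice` / `correct-horse`. On the stacked-query question in the same post, the PHP manual states that mysql_query() sends a single statement and does not support multiple queries, whereas mysqli_multi_query() exists for that purpose; binding the values as parameters, as below, removes the question either way because the SQL text is fixed before any user input is seen.

```php
<?php
// Added example (not the poster's code): vulnerable vs. parameterised login lookup.
// Assumes PHP with the pdo_sqlite extension; the table and row are constructed here.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE clients (username TEXT, key TEXT)');
    $db->exec("INSERT INTO clients VALUES ('alice', 'correct-horse')"); // constructed sample row
    return $db;
}

// The shape of the query in post 1: user input is spliced into the SQL text,
// so a quote character in the input becomes part of the query's grammar.
function loginConcat(PDO $db, string $user, string $password): bool {
    $sql = "SELECT * FROM clients WHERE username='$user' AND key='$password'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened form: the statement text never changes; the values are bound
// separately, so the database treats them as data, never as SQL.
function loginPrepared(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT * FROM clients WHERE username = ? AND key = ?');
    $stmt->execute([$user, $password]);
    return $stmt->fetch() !== false;
}

$db = setupDb();
$payload = "' OR ''='";  // the input that turns the query into the one shown in post 1

var_dump(loginConcat($db, 'alice', 'correct-horse'));  // legitimate credentials
var_dump(loginConcat($db, 'alice', $payload));         // the concatenated query accepts the payload
var_dump(loginPrepared($db, 'alice', $payload));       // bound as a parameter it is merely a wrong key
```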
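A second added example, not from any post on this page, showing the check the download() helper in post 14 leaves to its caller: that the requested name resolves to a file inside one fixed download directory, so that "../" segments, absolute paths and symlinks pointing elsewhere are rejected before anything is read. It assumes a placeholder directory /var/www/downloads and a hypothetical query parameter f.

```php
<?php
// Added example (not the poster's code): download() from post 14 with path containment.
// DOWNLOAD_DIR is a placeholder; set it to the directory that actually holds the files.

const DOWNLOAD_DIR = '/var/www/downloads';

// Returns the canonical path of $name inside DOWNLOAD_DIR, or null when the name
// does not exist or escapes the directory (via ../, an absolute path, or a symlink).
function resolveDownload(string $name): ?string {
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has already collapsed ../ and followed symlinks, so a prefix
    // comparison against the canonical base directory is now meaningful.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Same response headers as the original helper, sent only for a contained file.
function download(string $name): bool {
    $file = resolveDownload($name);
    if ($file === null) {
        http_response_code(404);  // do not reveal whether the path existed
        return false;
    }
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    return true;
}

// Hypothetical entry point: the file name comes from a request parameter.
download($_GET['f'] ?? '');
```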