leesiulung
Members
Posts: 83
Joined: -
Last visited: Never

Everything posted by leesiulung
Need book recommendation for programmer familiar with PHP
leesiulung posted a topic in Miscellaneous
I'm starting a project that I want to be highly thought out and scalable. PHP is not my first choice, but seems to be the one with the most resources available. Unfortunately, PHP is also one of the languages that has the most security vulnerabilities due to bad coding. As an effort to balance this, I would need a good book on:
- PHP security (I anticipate enough users that I will get attempted hacks from script kiddies, etc.)
- Enterprise-type implementations
- Good code design (design patterns)
- A focus on potential performance issues/bottlenecks
I consider myself a good programmer with enough knowledge of PHP to create smaller web sites (meaning not enterprise or large scale a la Facebook or YouTube), and have a Computer Science degree. Can anyone suggest a book or two?
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
Barand's clean() function for Access worked like a charm. Tested it on GoDaddy's servers. Thanks Barand!!! I very much appreciate your help.
Challenge! Sending GET request in PHP code?
leesiulung replied to leesiulung's topic in PHP Coding Help
To those struggling with the same issue on GoDaddy hosting, my solution ended up being to use an ASP page and post the information to this page. On errors, I would send a GET message back to the original PHP script. As far as I know, PHP at GoDaddy is running in Safe Mode and is not officially supported on the Windows platform. It also does not display errors in PHP scripts, even when you try to enable them in code.
[SOLVED] ODBC and committing a transaction? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
This worked. Thanks! For those wondering, this was with GoDaddy's Windows Deluxe hosting. I highly recommend AVOIDING GoDaddy if you need PHP on Windows hosting. They do not officially support PHP on Windows. While testing the code I found a bug, and indeed the transaction was rolled back. Thanks!
Challenge! Sending GET request in PHP code?
leesiulung replied to leesiulung's topic in PHP Coding Help
That would work, but that means the client "can" know what I'm sending in the GET/POST, since the GET/POST data would have to be sent to the client and then from the client back to the server. I might have to just use a different scripting language... It seems like this is an impossible challenge....
Challenge! Sending GET request in PHP code?
leesiulung replied to leesiulung's topic in PHP Coding Help
I do not see fopen in the list of disabled functions. Do you mind posting a little code to save me a few hours of reading the help file and trying it out? I'm stuck with GoDaddy. I just did not realize that their Windows hosting was that limited.... A dedicated or even virtual dedicated server would be best.
Challenge! Sending GET request in PHP code?
leesiulung replied to leesiulung's topic in PHP Coding Help
curl does not seem to work with the server. Every time I try to run curl_init() it returns nothing (printed out on screen). I think this is equivalent to false. Since I do not see error messages (turned off and unable to turn on), I have no idea what is wrong. Any other suggestions?
Challenge! Sending GET request in PHP code?
leesiulung replied to leesiulung's topic in PHP Coding Help
Unfortunately, that does not work because it would redirect the browser to a different page too. I need it to silently make the GET or POST in the background.
Challenge! Sending GET request in PHP code?
leesiulung replied to leesiulung's topic in PHP Coding Help
I'm not sure what socket function you are talking about? I do not see this socket function as part of the disabled list I provided. I grabbed this list from phpinfo();. Unfortunately, PHP hosting with Windows at GoDaddy leaves a lot to be desired. PHP on Linux does not support MS Access. MS Access support and PHP was a requirement....
Is there a way to send a GET request via PHP code? I need to send it to a URL as follows:
    http://www.mydomain.com/index.asp?email=emailaddress
The following functions are disabled: getmyinode, getopt, getrusage, extension_loaded, dl, mysql_pconnect, crack_check, crack_closedict, crack_getlastmessage, crack_opendict, fsockopen, pfsockopen, mysql_list_dbs, mysql_stat, ini_get, ini_get_all, ini_alter, ini_set, get_current_user, get_defined_constants, get_include_path, php_ini_scanned_files, php_uname, phpcredits, restore_include_path, set_include_path, set_time_limit, version_compare, zend_version, getmypid, getmyuid, getmygid, assert_options, assert, fopen, fwrite, fread, file, fpassthru, file, mail, opendir, readdir, closedir
I'm on PHP4 on Windows. I cannot use curl with the following code:
    <?php
    $ch = curl_init('http://www.mysite.com/index.php?option=com_content&task=blogcategory&id=24&Itemid=55');
    curl_exec($ch);
    curl_close($ch);
    ?>
This suggests that I cannot use curl and that it is a limitation of my hosting company, GoDaddy.... Any programmers want to take me on the challenge and help me out?
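The request described in the post above, as an added example that is not code from the thread or from the poster: a GET sent from PHP with the query string built by http_build_query() (so the email value is percent-encoded rather than pasted into the URL) and every failure reported explicitly, which is what the poster could not see with error display turned off. It assumes PHP 7+ with the curl extension, not the poster's PHP4 host; the endpoint URL and the `email` parameter are placeholders modelled on the post.

```php
<?php
// Added example, not from the original thread. Sends a GET request and
// surfaces every failure instead of relying on error display being enabled.
// Assumes PHP 7+ with the curl extension. URL and parameter are placeholders.

function sendGetRequest(string $baseUrl, array $params, int $timeoutSeconds = 10): array
{
    // http_build_query() percent-encodes values such as "a+b@example.com",
    // so user-supplied data cannot add or alter query parameters.
    $url = $baseUrl . '?' . http_build_query($params);

    if (!function_exists('curl_init')) {
        return ['ok' => false, 'error' => 'curl extension not available'];
    }

    $ch = curl_init($url);
    if ($ch === false) {
        // This is the case the poster hit: curl_init() returning a falsy value.
        return ['ok' => false, 'error' => 'curl_init() failed'];
    }

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,   // hand the body back instead of echoing it
        CURLOPT_FOLLOWLOCATION => false,  // do not silently follow redirects elsewhere
        CURLOPT_CONNECTTIMEOUT => $timeoutSeconds,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate checks on for https URLs
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch) ?: ('curl error #' . curl_errno($ch));
        curl_close($ch);
        return ['ok' => false, 'error' => $error];
    }

    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    return ['ok' => $status >= 200 && $status < 300, 'status' => $status, 'body' => $body];
}

// Usage: endpoint and address are placeholders standing in for the post's index.asp?email=...
$result = sendGetRequest('http://www.mydomain.com/index.asp', ['email' => 'user@example.com']);
if (!$result['ok']) {
    error_log('GET failed: ' . ($result['error'] ?? ('HTTP ' . $result['status'])));
}
```

Logging through error_log() rather than echoing means the result reaches the server log even on a host that suppresses display_errors, which is the first thing to check when curl_init() appears to "return nothing".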
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
Thanks!
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
Barand, I'm not sure I understand. When pulling the data from the database, what should I do? Do I need to revert what was done when inserting the data into the database? Please elaborate.
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
Barand, I am assuming that there is no need to reverse the process? For Access it is indeed double quotes to escape a single quote.
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
Barand, Unfortunately, I'm not as familiar with stored procedures and could not get it to work. I read on a web page that Access does not support stored procedures, but who knows.... What things should I escape or disallow other than single quotes?
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
Barand, I'm getting pretty frustrated with PHP. It is the bane of my existence as I cannot stand the language. It is a love hate relationship. I love the fact that there is so much support for it, unfortunately the language in my personal opinion is terrible. Anyhow, I have been unsuccessful in figuring out how to use stored procedures in MS Access using PHP. Can you or anyone help me out on how to sanitize the input for Access? It should have been as easy as applying a function to the argument... here I am spending hours digging up information. I would really appreciate it if anyone could help me. #!@$!@$@#%#@Q%#@TW$%^%&^%*$^#$#@%%@$!@
To make the code more robust, I would strip anything out that isn't a digit even if your number is guaranteed to be of that format. People do dumb things sometimes. Might take a small performance penalty, but how often do you do inserts? Hopefully not as often as selects....
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
To be honest, the reason I summarized those was that none of them seemed the correct way to handle it. In practice, one should not rely on a function intended for one purpose being used for another purpose simply because it has the correct effect. Thus, I think if I can get stored procedures to work it would solve all these issues in one go. I believe this is the proper way of handling SQL injections in general. It is just that PHP is a complete hack as a language and it isn't clear when and where you can use functions because they frequently have caveats. Simply put, even after extensive testing I do not feel confident about my code.
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
So to summarize:
1. Remove all characters of the type: * @ ! = & (){};'"`~/-+ or, more accurately, only allow certain characters, but make sure those are not in the set of allowable characters
2. Use htmlentities() and html_entity_decode()
3. Use urlencoding() and urldecoding()
I'm not sure I understand why 2) and 3) above prevent SQL injection attacks? Why does PHP not have something like mysql_real_escape_string() for Access? Certainly would be easier....
[SOLVED] ODBC and committing a transaction? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
What is the best way to test this? Test it with a sequence of inserts, but have one of them fail and check the tables?
[SOLVED] Prevent SQL injection in ODBC and MS Access? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
Are there not different vulnerabilities depending on the database and how it interprets certain characters though? Anyhow, after using addslashes() to insert data into the database, do you use stripslashes() to return to the normal state?
I'm on GoDaddy Windows hosting using PHP and MS Access. It is well documented how to prevent SQL injection with MySQL, but how does one prevent SQL injection with ODBC and MS Access? Any suggestions would be much appreciated. Seems like Access with PHP is fairly rare and not much information on the net is written about it.
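The two defences this thread settles on, as an added example that is not Barand's clean() function (which is not reproduced on this page) and not the poster's code: strict digits-only validation of numeric input, as the "strip anything that isn't a digit" reply recommends, and doubling single quotes inside string literals, which the poster confirms is how Access escapes a quote. Table and column names are placeholders; it assumes PHP 7+.

```php
<?php
// Added example, not code from the thread. Two layers for MS Access over ODBC:
//   1. numeric fields are accepted only as a run of digits, never "cleaned";
//   2. string fields become quoted literals with every ' doubled to '' (Jet SQL
//      has no backslash escapes, so addslashes() is the wrong tool here).
// Table/column names are placeholders. Assumes PHP 7+.

// Reject anything that is not an unsigned integer so text can never reach a
// numeric slot in the statement. Returns the value as a PHP int.
function accessInt($value): int
{
    if (!is_int($value) && !is_string($value)) {
        throw new InvalidArgumentException('numeric field expected');
    }
    $s = (string) $value;
    // ctype_digit() is false for "", "-1", "1.5" and "1 OR 1=1"; the length cap
    // keeps the value inside a 64-bit integer.
    if (!ctype_digit($s) || strlen($s) > 18) {
        throw new InvalidArgumentException('numeric field must be digits only');
    }
    return (int) $s;
}

// Produce a quoted Access string literal. Doubling the quote keeps any quote
// in the input inside the literal instead of terminating it.
function accessQuote(string $value): string
{
    if (strpos($value, "\0") !== false) {
        // A NUL cannot be expressed inside a Jet literal; refuse rather than truncate.
        throw new InvalidArgumentException('NUL byte in string field');
    }
    return "'" . str_replace("'", "''", $value) . "'";
}

// The INSERT the thread is building, with both defences applied. $userId is
// left untyped because it arrives from the request as a string.
function buildInsert($userId, string $email): string
{
    return 'INSERT INTO users (userid, email) VALUES ('
        . accessInt($userId) . ', ' . accessQuote($email) . ')';
}

// Constructed inputs: a legitimate address containing a quote, and a numeric
// field that is not purely digits (rejected with an exception).
echo buildInsert('42', "o'brien@example.com"), PHP_EOL;
try {
    buildInsert('42 OR 1=1', 'user@example.com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where the ODBC driver supports it, odbc_prepare() with ? placeholders and odbc_execute() keep the data out of the SQL text entirely, which is closer to the stored-procedure approach the poster was after. One documented quirk of PHP's odbc_execute() is that a parameter whose value both starts and ends with a single quote is treated as the name of a file to read and send to the database, so values should be checked for that shape before being passed.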
[SOLVED] ODBC and committing a transaction? Help!
leesiulung replied to leesiulung's topic in PHP Coding Help
It will work most of the time, but it could potentially mix up people's accounts. Thus, it is a good idea to fix it. Basically, I need to insert a new account and keep track of the primary key, which is numeric. Since I do not want autoincrement on in Access, I do the following:
1. start commit
2. find a new unused primary key (userid) by number of records + 1
3. insert new record with userid
4. commit
5. insert additional records into other tables using the primary key as a foreign key
Any other suggestions?
I'm on a Windows hosting environment with GoDaddy. I normally prefer MySQL, but am stuck with MS Access. Anyhow, how does one start and commit a transaction? I use odbc_connect and odbc_exec to run my queries, but do not understand the documentation for odbc_commit. Anyone have any clues? Kind of lost here....
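The five-step account creation from the reply above, wrapped in the odbc_commit() handling the question asks about, as an added example that is not code from the thread: autocommit is switched off, every statement is checked, and any failure rolls back the partial account so the foreign-key rows in step 5 can never exist without the user row from step 3. DSN, credentials and table names are placeholders; it assumes PHP 7+ with the odbc extension and a driver that supports transactions. The row-count key in step 2 is kept as the post describes it, but it is only safe when nothing else can insert concurrently.

```php
<?php
// Added example, not code from the thread: the post's procedure inside an
// explicit ODBC transaction. Placeholders for DSN, credentials, table names.
// Assumes PHP 7+ with the odbc extension and a transaction-capable driver.

// PHP's odbc_execute() treats a parameter that both starts and ends with a
// single quote as the name of a file to read, so such values are refused.
function assertNotFileParam(string $v): void
{
    if (strlen($v) >= 2 && $v[0] === "'" && $v[strlen($v) - 1] === "'") {
        throw new InvalidArgumentException('value would be read as a file name by odbc_execute()');
    }
}

function createAccount($conn, string $email): int
{
    assertNotFileParam($email);

    // Step 1: leave autocommit mode; nothing is durable until odbc_commit().
    if (!odbc_autocommit($conn, false)) {
        throw new RuntimeException('could not start transaction: ' . odbc_errormsg($conn));
    }

    try {
        // Step 2 as posted: next userid from the row count. Only safe if no
        // other process can insert at the same time.
        $rs = odbc_exec($conn, 'SELECT COUNT(*) AS n FROM users');
        if ($rs === false || !odbc_fetch_row($rs)) {
            throw new RuntimeException('count failed: ' . odbc_errormsg($conn));
        }
        $userId = (int) odbc_result($rs, 'n') + 1;

        // Step 3: parameterized insert, so the email never becomes SQL text.
        $stmt = odbc_prepare($conn, 'INSERT INTO users (userid, email) VALUES (?, ?)');
        if ($stmt === false || !odbc_execute($stmt, [$userId, $email])) {
            throw new RuntimeException('insert users failed: ' . odbc_errormsg($conn));
        }

        // Step 5: dependent row keyed by the new userid.
        $stmt = odbc_prepare($conn, 'INSERT INTO profiles (userid, status) VALUES (?, ?)');
        if ($stmt === false || !odbc_execute($stmt, [$userId, 'new'])) {
            throw new RuntimeException('insert profiles failed: ' . odbc_errormsg($conn));
        }

        // Step 4: both rows become visible together, or not at all.
        if (!odbc_commit($conn)) {
            throw new RuntimeException('commit failed: ' . odbc_errormsg($conn));
        }
        return $userId;
    } catch (Throwable $e) {
        odbc_rollback($conn);          // discard whatever part of the account was written
        throw $e;
    } finally {
        odbc_autocommit($conn, true);  // restore the connection's default mode
    }
}

// Usage with placeholder connection details:
// $conn = odbc_connect('DSN=placeholder_dsn', 'placeholder_user', 'placeholder_pass');
// $id = createAccount($conn, 'user@example.com');
```

The test the poster asks about (a sequence of inserts with one forced to fail) maps directly onto this: make the second insert fail, for example with a wrong table name, and confirm that the users table has no new row afterwards. An AutoNumber column or a locked counter table removes the race in step 2 entirely.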
header() does not seem to work correctly (read the sticky)
leesiulung replied to leesiulung's topic in PHP Coding Help
Yeah, it is installed as a CGI. However, in my case the header returned is:
    header("HTTP/1.0 301 Moved Permanently"); -> "HTTP/1.0 301"
Incomplete header... Is that the same problem as the '404 ok' error header you suggested?
I think it is, however, only 2 slashes though. I still wonder if there is any reason to use server side includes (SSI) instead of include() or require(). Anyone?