leesiulung

Members
Posts: 83
Joined
Last visited: Never

Everything posted by leesiulung

  1. I'm starting a project that I want to be highly thought out and scalable. PHP is not my first choice, but it seems to be the one with the most resources available. Unfortunately, PHP is also one of the languages that has the most security vulnerabilities due to bad coding. In an effort to balance this, I would need a good book on:
     - PHP security (I anticipate enough users that I will get attempted hacks from script kiddies etc.)
     - Enterprise-type implementations
     - Good code design (design patterns)
     - Potential performance issues/bottlenecks
     I consider myself a good programmer with enough knowledge of PHP to create smaller web sites (meaning not enterprise or large scale à la Facebook or YouTube), and have a Computer Science degree. Can anyone suggest a book or two?
  2. Barand's clean() function for Access worked like a charm. Tested it on GoDaddy's servers. Thanks Barand!!! I very much appreciate your help.
  3. To those struggling with the same issue on GoDaddy hosting, my solution ended up being to use an ASP page and post the information to that page. On errors, I would send a GET message back to the original PHP script. As far as I know, PHP at GoDaddy is running in Safe Mode and is not officially supported on the Windows platform. It also does not display errors in PHP scripts, even when you try to enable them in code.
  4. This worked. Thanks! For those wondering, this was with GoDaddy's Windows Deluxe hosting. I highly recommend AVOIDING GoDaddy if you need PHP on Windows hosting. They do not officially support PHP on Windows. While testing the code I found a bug, and indeed the transaction was rolled back. Thanks!
  5. That would work, but that means the client "can" know what I'm sending in the GET/POST, since the GET/POST data would have to be sent to the client and then from the client back to the server. I might have to just use a different scripting language... It seems like this is an impossible challenge....
  6. I do not see fopen in the list of disabled functions. Do you mind posting a little code to save me a few hours of reading the help file and trying it out? I'm stuck with GoDaddy. I just did not realize that their Windows hosting was that limited.... A dedicated or even virtual dedicated server would be best.
  7. cURL does not seem to work with the server. Every time I try to run curl_init() it returns nothing (printed out on screen). I think this is the equivalent of false. Since I do not see error messages (turned off and unable to turn on), I have no idea what is wrong. Any other suggestions?
  8. Unfortunately, that does not work because it would redirect the browser to a different page too. I need it to silently make the GET or POST in the background.
  9. I'm not sure what socket function you are talking about. I do not see this socket function in the disabled list I provided. I grabbed this list from phpinfo(). Unfortunately, PHP hosting with Windows at GoDaddy leaves a lot to be desired. PHP on Linux does not support MS Access. MS Access support with PHP was a requirement....
  10. Is there a way to send a GET request via PHP code? I need to send it to a URL as follows:

      http://www.mydomain.com/index.asp?email=emailaddress

      The following functions are disabled:

      getmyinode, getopt, getrusage, extension_loaded, dl, mysql_pconnect, crack_check, crack_closedict, crack_getlastmessage, crack_opendict, fsockopen, pfsockopen, mysql_list_dbs, mysql_stat, ini_get, ini_get_all, ini_alter, ini_set, get_current_user, get_defined_constants, get_include_path, php_ini_scanned_files, php_uname, phpcredits, restore_include_path, set_include_path, set_time_limit, version_compare, zend_version, getmypid, getmyuid, getmygid, assert_options, assert, fopen, fwrite, fread, file, fpassthru, file, mail, opendir, readdir, closedir

      I'm on PHP 4 on Windows. I cannot use cURL with the following code:

      ```php
      <?php
      $ch = curl_init('http://www.mysite.com/index.php?option=com_content&task=blogcategory&id=24&Itemid=55');
      if ($ch !== false) {   // curl_init() returns false when no handle could be created
          curl_exec($ch);
          curl_close($ch);
      }
      ?>
      ```

      This suggests that I cannot use cURL and that it is a limitation of my hosting company, GoDaddy.... Any programmers want to take me on the challenge and help me out?
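One way to make the background GET the thread is after, as an added example that is not code from the original thread: the ext/sockets functions (socket_create, socket_connect, socket_write, socket_read) are not on the disabled list above, so the request can be written by hand. This assumes ext/sockets is loaded on the host; the hostname, path and e-mail address are placeholders. The query string is built with urlencode() so that an address containing "&" or "=" cannot smuggle extra parameters into the request to the ASP page.

```php
<?php
// Added example (not from the original thread): send an HTTP GET from PHP
// without fsockopen()/fopen()/cURL, using ext/sockets, which was not on the
// posted disabled-function list. Assumes ext/sockets is available.
// Host, path and e-mail address are placeholders.

function http_get($host, $path, $params, $timeout = 5)
{
    // urlencode() every key and value: an address such as "a&b=c@example.com"
    // must travel as data, not as additional query parameters.
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = urlencode($k) . '=' . urlencode($v);
    }
    $query = implode('&', $pairs);

    $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($sock === false) {
        return false;
    }
    // Do not let a stalled remote host hang the PHP script indefinitely.
    socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $timeout, 'usec' => 0));
    socket_set_option($sock, SOL_SOCKET, SO_SNDTIMEO, array('sec' => $timeout, 'usec' => 0));
    if (!@socket_connect($sock, gethostbyname($host), 80)) {
        socket_close($sock);
        return false;
    }

    // Minimal HTTP/1.0 request; "Connection: close" makes the server end the
    // stream so the read loop below terminates on EOF.
    $request = "GET $path?$query HTTP/1.0\r\n"
             . "Host: $host\r\n"
             . "Connection: close\r\n\r\n";
    socket_write($sock, $request, strlen($request));

    $response = '';
    while (($chunk = socket_read($sock, 4096)) !== false && $chunk !== '') {
        $response .= $chunk;
    }
    socket_close($sock);

    // Separate status line + headers from the body and pull out the status
    // code; the caller usually only needs to know whether it got a 200.
    list($head, $body) = explode("\r\n\r\n", $response, 2) + array('', '');
    $status = 0;
    if (preg_match('#^HTTP/\d\.\d (\d{3})#', $head, $m)) {
        $status = (int) $m[1];
    }
    return array('status' => $status, 'body' => $body);
}

// Placeholder call: the ASP page from the thread, with a constructed address.
$result = http_get('www.mydomain.com', '/index.asp', array('email' => 'user@example.com'));
if ($result === false || $result['status'] !== 200) {
    // The ASP page was not reached or rejected the request; handle it here.
}
```

The browser never sees this request: it is made server-to-server while the PHP script runs, which is the difference from the header("Location: ...") approach discussed in the thread. If the host also disables the socket_* functions, file_get_contents() with an http:// URL (when allow_url_fopen is on) is the remaining built-in option.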
  11. Barand, I'm not sure I understand. When pulling the date from the database, what should I do? Do I need to revert what was done when inserting the data into the database? Please elaborate.
  12. Barand, I am assuming that there is no need to reverse the process? For Access it is indeed double quotes to escape a single quote.
  13. Barand, Unfortunately, I'm not as familiar with stored procedures and could not get it to work. I read on a web page that Access does not support stored procedures, but who knows.... What things should I escape or disallow other than single quotes?
  14. Barand, I'm getting pretty frustrated with PHP. It is the bane of my existence, as I cannot stand the language. It is a love-hate relationship. I love the fact that there is so much support for it; unfortunately the language, in my personal opinion, is terrible. Anyhow, I have been unsuccessful in figuring out how to use stored procedures in MS Access using PHP. Can you or anyone help me out on how to sanitize the input for Access? It should have been as easy as applying a function to the argument... here I am spending hours digging up information. I would really appreciate it if anyone could help me. #!@$!@$@#%#@Q%#@TW$%^%&^%*$^#$#@%%@$!@
  15. To make the code more robust, I would strip out anything that isn't a digit, even if your number is guaranteed to be of that format. People do dumb things sometimes. It might take a small performance penalty, but how often do you do inserts? Hopefully not as often as selects....
  16. To be honest, the reason I summarized those was that none of them seemed the correct way to handle it. In practice, one should not rely on a function intended for one purpose being used for another simply because it has the correct effect. Thus, I think if I can get stored procedures to work it would solve all these issues in one go. I believe this is the proper way of handling SQL injections in general. It is just that PHP is a complete hack as a language, and it isn't clear when and where you can use functions because they frequently have caveats. Simply put, even after extensive testing I do not feel confident about my code.
  17. So to summarize:
      1. Remove all characters of the type: * @ ! = & (){};'"`~/-+ or, more accurately, only allow certain characters, but make sure those are not in the set of allowable characters
      2. use htmlentities() and html_entity_decode()
      3. use urlencode() and urldecode()
      I'm not sure I understand why 2) and 3) above prevent SQL injection attacks? Why does PHP not have something like mysql_real_escape_string() for Access? It certainly would be easier....
  18. What is the best way to test this? Test it with a sequence of inserts, but have one of them fail and check the tables?
  19. Are there not different vulnerabilities depending on the database and how it interprets certain characters, though? Anyhow, after using addslashes() to insert data into the database, do you use stripslashes() to return it to its normal state?
  20. I'm on GoDaddy Windows hosting using PHP and MS Access. It is well documented how to prevent SQL injection with MySQL, but how does one prevent SQL injection with ODBC and MS Access? Any suggestions would be much appreciated. It seems like Access with PHP is fairly rare and not much information on the net is written about it.
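An added example, not code from the thread, covering the question above and the follow-ups about escaping and "reversing the process": the robust answer is to keep the value out of the statement text altogether with odbc_prepare()/odbc_execute() parameter markers (both present since PHP 4), and to fall back on Jet's own quoting rule (double the single quote) only when the driver will not take parameters. The DSN, table and column names are placeholders, and it is an assumption that the Access ODBC driver on the host accepts "?" markers. One real caveat is built in: PHP's odbc_execute() treats a parameter that both starts and ends with a single quote as the name of a file to read and send as a BLOB, so such values are rejected before they reach the driver.

```php
<?php
// Added example, not code from the thread: keeping user input out of the SQL
// grammar when talking to MS Access over ODBC. DSN, table and column names
// are placeholders. Assumes the Access ODBC driver accepts "?" parameter
// markers for odbc_prepare()/odbc_execute().

$conn = odbc_connect('DSN=mydb', '', '');   // placeholder DSN

// VULNERABLE: the value is pasted into the statement, so an e-mail of
//   x' OR '1'='1
// rewrites the WHERE clause and matches every row.
function find_user_unsafe($conn, $email)
{
    $sql = "SELECT userid FROM users WHERE email = '" . $email . "'";
    return odbc_exec($conn, $sql);
}

// PREFERRED: parameter markers. The value is handed to the driver separately
// from the statement, so quotes inside it are data, never syntax.
function find_user_prepared($conn, $email)
{
    // odbc_execute() quirk (PHP manual): a parameter that starts AND ends
    // with a single quote is read as a FILENAME and its contents sent as a
    // BLOB. No e-mail address looks like that, so refuse such input outright.
    $len = strlen($email);
    if ($len > 2 && $email[0] === "'" && $email[$len - 1] === "'") {
        return false;
    }
    $stmt = odbc_prepare($conn, "SELECT userid FROM users WHERE email = ?");
    if ($stmt === false || !odbc_execute($stmt, array($email))) {
        return false;
    }
    return $stmt;   // read with odbc_fetch_row() / odbc_result()
}

// FALLBACK for drivers without parameter support: quote the literal in Jet
// SQL syntax. Inside a single-quoted Jet string the only special character
// is the single quote, escaped by doubling it. Nothing needs undoing when
// the value is read back: the doubled quote exists only in the statement,
// the stored value is the original text.
function access_quote($value)
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Numeric columns get no quotes; force the type instead of escaping.
function access_int($value)
{
    return (int) $value;   // "12 OR 1=1" becomes 12
}

function find_user_escaped($conn, $email)
{
    $sql = "SELECT userid FROM users WHERE email = " . access_quote($email);
    return odbc_exec($conn, $sql);
}

// Constructed hostile value, shown as the statement each approach would send:
$hostile = "x' OR '1'='1";
echo "unsafe:  SELECT userid FROM users WHERE email = '" . $hostile . "'\n";
echo "escaped: SELECT userid FROM users WHERE email = " . access_quote($hostile) . "\n";
// unsafe  -> ... WHERE email = 'x' OR '1'='1'       (true for every row)
// escaped -> ... WHERE email = 'x'' OR ''1''=''1'   (one literal, matches nothing)
```

The htmlentities()/urlencode() ideas from the thread do not address this: they change how the text is displayed or transported, not how the database parser tokenises it, and a value that happens to survive them can still contain a quote once decoded.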
  21. It will work most of the time, but it could potentially mix up people's accounts. Thus, it is a good idea to fix it. Basically, I need to insert a new account and keep track of the primary key, which is numeric. Since I do not want autoincrement on in Access, I do the following:
      1. start commit
      2. find a new unused primary key (userid) by number of records + 1
      3. insert new record with userid
      4. commit
      5. insert additional records into other tables using the primary key as a foreign key
      Any other suggestions?
  22. I'm on a Windows hosting environment with GoDaddy. I normally prefer MySQL, but am stuck with MS Access. Anyhow, how does one start and commit a transaction? I use odbc_connect and odbc_exec to run my queries, but do not understand the documentation for odbc_commit. Anyone have any clues? Kind of lost here....
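The transaction calls the two posts above ask about, as an added example that is not code from the thread: odbc_autocommit($conn, false) opens the transaction, odbc_commit() makes all of it visible, odbc_rollback() undoes all of it. It also addresses the count+1 key-allocation step: count+1 (or MAX+1) chosen by one request can collide with the number another concurrent request picked, and after a delete count+1 may already be in use, so the example relies on userid being the table's primary key (an assumption about the schema) to turn a collision into a failed insert that is rolled back and retried. The DSN and table/column names are placeholders.

```php
<?php
// Added example, not code from the thread: allocate a numeric userid and
// create the account inside one ODBC transaction, rolling back on any
// failure. DSN and table/column names are placeholders. Assumes userid is
// the PRIMARY KEY (or has a unique index) on the users table, so that two
// requests choosing the same number cannot both succeed.

$conn = odbc_connect('DSN=mydb', '', '');   // placeholder DSN

function create_account($conn, $email, $attempts = 3)
{
    // Autocommit off: nothing below is visible to other connections until
    // odbc_commit(), and odbc_rollback() discards every statement since then.
    if (!odbc_autocommit($conn, false)) {
        return false;
    }

    for ($try = 0; $try < $attempts; $try++) {
        // MAX+1 (like count+1) is only a guess at a free number: a second
        // request running at the same moment can compute the same value.
        $rs = odbc_exec($conn, "SELECT MAX(userid) AS m FROM users");
        $userid = ($rs && odbc_fetch_row($rs)) ? (int) odbc_result($rs, 'm') + 1 : 1;

        // The primary key makes the race detectable: the loser's INSERT
        // fails instead of two people silently sharing one account.
        // (Single quotes doubled for Jet; see the escaping example above.)
        $ok = @odbc_exec($conn, "INSERT INTO users (userid, email) VALUES ("
                   . (int) $userid . ", '" . str_replace("'", "''", $email) . "')");
        if ($ok) {
            // Dependent rows go in the same transaction, so a failure here
            // also removes the users row.
            $ok = odbc_exec($conn, "INSERT INTO profiles (userid) VALUES (" . (int) $userid . ")");
        }

        if ($ok && odbc_commit($conn)) {
            odbc_autocommit($conn, true);
            return $userid;
        }

        // Duplicate key, failed dependent insert, ...: undo the partial work
        // and try again with a freshly computed number.
        odbc_rollback($conn);
    }

    odbc_autocommit($conn, true);
    return false;
}

// Placeholder call with a constructed address.
$newid = create_account($conn, 'user@example.com');
if ($newid === false) {
    // No account was created and no partial rows remain.
}
```

To test it the way the thread suggests, run a sequence of calls and force one of the inserts to fail (for instance by violating a required column on the profiles table) and then check that neither table holds a half-created account; with the rollback in place the users row from the failed attempt must be gone.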
  23. Yeah, it is installed as a CGI. However, in my case the header returned is: header("HTTP/1.0 301 Moved Permanently"); -> "HTTP/1.0 301" Incomplete header... Is that the same problem as the '404 ok' error header you suggested?
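An added example for the CGI header problem above, not code from the thread: under the CGI interface the web server builds the status line itself from a "Status:" response header (RFC 3875 §6.3.3), so a script running as CGI should emit that instead of an "HTTP/1.0 ..." line; under mod_php the "HTTP/..." form is the usual one. Since the redirect target often comes from a query parameter, the example also refuses off-site targets (open redirect) and targets containing CR/LF (header injection, which PHP 4 did not filter for you). ALLOWED_HOST and the "next" parameter are placeholders.

```php
<?php
// Added example, not from the thread: a 301 redirect for PHP running as a
// CGI binary. The "Status:" header is the CGI convention (RFC 3875); the
// server turns it into the real status line. ALLOWED_HOST is a placeholder.

define('ALLOWED_HOST', 'www.mydomain.com');

function safe_redirect_301($target)
{
    // Header injection guard: a CR or LF inside the target would let the
    // caller append arbitrary headers to the response.
    if (preg_match('/[\r\n]/', $target)) {
        return false;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    // Open-redirect guard: accept an absolute URL only for our own host, and
    // otherwise only a site-relative path ("/page", never "//evil.example").
    if (isset($parts['host'])) {
        if (strtolower($parts['host']) !== ALLOWED_HOST) {
            return false;
        }
    } elseif (substr($target, 0, 1) !== '/' || substr($target, 0, 2) === '//') {
        return false;
    }

    header('Status: 301 Moved Permanently');   // CGI/FastCGI form of the status line
    header('Location: ' . $target);
    return true;
}

// Placeholder usage: redirect target taken from a query parameter.
$next = isset($_GET['next']) ? $_GET['next'] : '/';
if (!safe_redirect_301($next)) {
    header('Status: 400 Bad Request');
    echo 'Invalid redirect target';
}
```

The same "Status:" header also applies to the "404 ok" case mentioned above: sending header("Status: 404 Not Found") under CGI yields a proper 404 status line where header("HTTP/1.0 404 Not Found") may be passed through incompletely.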
  24. I think it is; however, only 2 slashes though. I still wonder if there is any reason to use server-side includes (SSI) instead of include() or require(). Anyone?