Koobazaur

Bumpalooie

My index.php wouldn't really tell you much as all it does is include a file and call it's function. Hence, all my website is visible through that one index file in my public_html Essentailly, my problem is that I am embedding a flash file not in the current directoy (my src may be something like "somedir/flash/myfile.swf") and my flash file wants to stream an mp3 located in the current directory. However, this means having to put every mp3 for every flash that does that in my public_html, which I don't really want to do. Hence why I am wonder if there's any way to make the flash file think we are in the "somedir/flash/" instead of root dir.

Greetings. On my website I use PHP to generate pages from a single index.php. This means that the directory base directory is wherever the index file is. The problem arises when I embed flash files from different directories - some of theme need to use a streaming audio file that is placed in the same directory as the flash file. Problem is, since I am embeding them from index, the flash looks for the streaming audio from the base directory, not the directory where it is placed. Is there any way I can somehow change my executing directory or where the flash looks for the files? Otherwise I'll have to flood my public_html with all sorts of audio files... Thanks!

I realize this is a weird place to ask this, but figured what the heck. Basically I am working on my school's newsletter website, posting up articles and whatnot. I wanted to automate the system to allow the departments to post articles directly themselves instead of having to go through me. So something like Wordpress works perfect! Problem is... my school does not support PHP, but only ASP.NET... hence I am wondering if there is anything similar for ASP. Thanks for any suggestions.

Greetings, I am working on some online interactive content which main feature is tracking progress of my users. That is, I may have some 10 input textfields into which a user puts some data and clicks "save" to store it in a database. These interactive bits will be scattered all over my pages, so I wanted to implement an easy and universal method of doing it. I already got my model down, but I just wanted to get some opinions on if it has any security issues I am missing on... Basically, each bit will have a set of input fields where each field's id will be a name of a column in my database (MySQL). Then I will also have a hidden input field called "tablename" or something that would give the name of the table. Thus, when a user clicks save, I would take all the data and build my query such as UPDATE tablename SET textfield1 = value1, textfield2 = value2, textfield3 = value3 etc... Now I am not worried about the input (I already check it for injections), what I am worried about is someone editing my page code and actually changing the tablename and textfield ids to inject code. Obviously I would also run those through my injection checker which would basically limit these values to only alphanumeric characters (meaning you couldn't put spaces or ; to inject a new command). However, I am still not sure if this would be safe enough. I could make it safe by checking the actual names in my php code with some pre-built array to ensure they weren't tempereded with, but I want to make this whole system as simple and easy to use implement as possible. Thanks

You misunderstood, I AM storing its reference. Here's how it basically works: class a { private $rB; function __construct(&$rObjectB) { $this->SetB($rObjectB); } function SetB(&$rObjectB); { $this->$rB = &$rObjectB; } function __destruct() { $this->$rB->DoSomething(); } } $ObjectA = new a($ObjectB); (note: I know using SetB() seems redundant, but I do it this way since my class inherits from another, and its the parent that sets that reference, so I need to call the parents function to set the variable)

Thanks for the tips. I don't want my user to have to manually download a key / browser plugin as that's just a lot of hassle. As for Javascript encoding, wouldn't it be true that someone who simply looks up the page source code could figure out all the details of how the encryption works and, thus, easily crack it?

Objects that depend on each other get their reference passed to them in the constructor (I also ensure they are created in a proper order). So for instance: $MyDatabase = new cDatabase(Username, Password ...); $MyObject = new cObject($MyDatabase, Other settings...); When I set $MyDatabase to connect itself in a constructor, and disconnects itself in the destructor, then my $MyObject, which uses it in its own destructor, throws an error.

Hey, I have several classes in my program that do various thing in their destructors. Problem is, some depend on each other, so if the destructors are not called in a proper order, then I get errors since one object is trying to do something (in its destructor) with an object that was already destroyed. An example of this is my Database which a lot of objects rely on; I wanted to have it connect in constructor and disconnect in destructor (instead of connecting/reconnecting several times through the script), but due to the above mentioned issue, this solution produces errors. Is there any way to control when destructors get called? Or do I need to use a workaround? One solution I thought of was to make my objects members of another object and have that object call the constructors/destructors manually in proper order in its own construct/destruct functions. This solution is a pain, however, as it means I need to practically re write large portions of my code ><

Greetings, Just as in many other web applications, I am faced with creating a secure login applet for my users. Naturally, the first thing that comes to mind is SSL. However, implementing that on my webhost is somewhat of a nuisance, so I was wondering about other protection methods I could implement. I have noticed that a lot of websites (facebook, this forum etc.) don't use SSL. I am curious as to how that is achieved, as implementing secure login without SSL whatsoever would make the whole process much easier (and cheaper). Any suggestions on how to achieve that / how all these other sites manage to be secure without SSL ? Scooping up the page source code, I noticed that one webforum dynamically encoded the passwords with md5 via javascript and sent the encoded stuff via POST. Sounds like a great choice, but still easily hackable, if I understand. I mean, the biggest reason behind using SSL is to prevent someone reading the network traffic from getting the username/password. So if someone sees an encrypted password being transfered, it's useless to him since it's encrypted, right? Well, wrong. He could simply take the encrypted password and send it directly via POST (with the username) and he would, likewise, get access to the site. He wouldn't even need to know what the decrypted password is. Of course, I could also check to make sure the referer came from my own site to ensure someone can't do that, but then they could simply plug in the encrypted password in the login box and disable javascript in their browser (to prevent double-encryption) and would get in like that. Any suggestions?

Hi, I have several PHP files that create global objects and refers to some global objects. I wanted to create a function that would allow me to dynamically include those files at any point in the code. However, the problem is that the created objects are then created within the scope of the function (hence essentailly useless since they're not available outside) and I can't even initialize some of the objects because they require other global objects which, since the file is included via a fuctnion, are no longer in scope. I was wondering if there was any easy way to change the scope of a function to global or change the scope of the included file to global without having to define every single variable as global in the function or the included files. Thanks!

Why exactly is my solution "sloppy," assuming that multiple file accessing is allowed...?

Greetings, I have created an error logger that logs all errors to a text file on my server. Basically, when I include it, the constructor opens the file (with the "a" attribute) and when the deconstructor closes it. Hence I can write errors easily throughout my whole script. Now, something rather obvious occured to me lately. What if two users open a page at the same time and the error logger is executed simultaneously? While the file is open by one logger, wouldn't that block the second one from opening? Meaning, whatever errors the second logger would want to write, it would fail and, thus, I would end up missing some errors? I am not sure how exactly PHP deals with opening already open files, could someone please clarify. If my concerns are correct, I guess the best solution would be to open/close the file on every error log (not in contruct/destruct) and if it fails, then keep retrying for a few seconds in hopes the file gets freed. Or is there a better solution?

Buyocat, thanks for the reply. Your idea is interesting, but I can see one flaw. You say that "If the ip, session id changed you would delete the row thus logging out the user." However, this means that if someone else tried to log into that account it would then erase this information, thus logged the original person out of his account - not a desirable outcome. And the IP changing frequently is a concern since my website will be targeting college students which will most likely have dynamic IPs. Also, wouldn't your solution require me to access the database each pageload in order to verify that the log in is still correct and not expired? Currently all this is done via session variables without any database access (aside from logging in and out) and I would like to keep it that way so to minimize the database traffic. Or am I simply being too careful and should allow database access to verify session info each pageload without any serious slowdown? (I use MySQL) 448191 - I didn't think of that, I suppose that could also be a viable solutions. Does it have any drawbacks / security issues though (I can't think of anything that would make storing a session id permantently any less secure than my login key idea)? It's the important group that is really... well, important. And what published solutions are you speaking of? Any links?

Hello, I searched for this topic but did not get too many results. Basically I have a system that allows users to register an account and log in. I want to give them the option of rembering thier login so they don't need to re-type it every time. One solution I found was to simply store login/username in a cookie and retrieve that when login page loads. That, however, seems like a huge security risk, so I am looking for a better solution. One idea I had was to, when a user logs in (and chooses "Remember me" checkbox), he is then sent a cookie with a randomly generated "Login Key." This key is also stored in the database. When a user comes back and enters the login page, the code tries to find the login key in the database and if a match is found, it then logs the user accordingly. Of course, on logout, such cookie would be destroyed. Is this a good way to go about it or does anyone have better ideas? ------------------------ Another thing I need to implement is to allow only one logged user per username. That is, if someone logs into his username, I do not want to allow anyone else to log in from another computer into the same username. Naturally, I cannot simply set some flag in my DB when user logs in and unset it when he logs out because there is no guarantee my user will actually log out every time (he may simply close the browser window, thus losing the Session Cookie, losing access to his account but unable to re-login due to the set flag). Thus a more complex system is needed. I thought I could set an entry in my database to mark the user has logged in and additionally assign some random key to go with that, which would be also sent as a cookie to the user. If the user attempts to log in and the database already marked him as logged, then he will be allowed to log in only if he has the cookie with appropriate key. Of course, when he logs out, the logged flag, key and cookie would all be erased to allow a fresh login from any place. The only flaw of this system is if the user accidentally deletes his cookie with the key and shuts down the browser, losing his session information. In such case, he would need to wait for the session to expire before he can log in again (a fixed amount of time which I haven't decided upon, but may be something like 24 hours). This would create a wait period which the user would have to wait out before he can log in again. I cannot shorten this priod via idling-out mechanism as the way my session handling is implemented it does not require database access once the user is logged in, in order to minimize used traffic and database time. Any suggestions are much welcome!