
darkfreaks

Everything posted by darkfreaks

  1. Have you tried using the MySQL COALESCE function? It returns non-null values, and it will return null if it hits a NULL value. http://blog.sqlauthority.com/2008/06/04/sql-server-create-a-comma-delimited-list-using-select-clause-from-table-column/
  2. Are you sure you have your server configured correctly? http://www.docstoc.com/docs/9037451/Apache-HTTP-Server-223-and-PHP-530-and-MySQL-50-Configuration-guide
  3. Here is an updated version I found, in PHP custom function format.

      function flood($name, $time) {
          $name = 'tmptmptmp' . $name;
          if (!isset($_SESSION[$name])) {
              // first request in this session: record the time and allow it
              $_SESSION[$name] = time();
              return true;
          } else {
              if (time() - $time > $_SESSION[$name]) {
                  // more than $time seconds since the last allowed request
                  $_SESSION[$name] = time();
                  return true;
              } else {
                  return false;
              }
          }
      }

     And to use it like so:

      if (flood('last_session_request', 60)) {
          // do something
      } else {
          // you are posting too fast
      }

  4. First off, reading in other forums, other people have pointed out that if (!isset($_SESSION)) { session_start(); } is a bit pointless, because session_start has to always be called; otherwise the $_SESSION superglobal array will not exist. Personally I think you should invest in some free-source anti-DDOS software instead of a buggy PHP solution. http://lmgtfy.com/?q...ource anti ddos
  5. Better Alternatives: I won't go into too many details, but if you are serious about protecting your site from the likes of an actual DDOS or multi-service attack, it would be best to look into other tools such as iptables (Linux) or pf (packet filter for BSD) on the software side, or a hardware firewall if your host provides one. The limit request module above will only work for floods against your site over the HTTP protocol; it will not protect you from ping floods or various other exploits.
  6. I think this is more what the OP is looking for, to use PDO to create tables: http://php.net/manua...transaction.php
  7. @TURD is correct: you cannot run PHP code inside of an HTML file; you need to change it to .php
  8. Getting the absolute URL if it exists in the install file under any other folder, as long as it is in the install folder:

      // getting absolute URL if it exists in the install file under any other folder as long as it is in install folder
      if (file_exists($domain . '../install/index.php')) die('test');

  9. 
      if (file_exists($domain . $_SERVER['REQUEST_URI'])) die('test');

  10. I would like to add that I am not too fond of the new syntax highlighting. I know, as mentioned, other routes are being explored. Could we add something like the GeSHi syntax highlighter? I think it would work better than the one that came with IPB. GeSHi Generic syntax highlighter
  11. https://www.owasp.org/index.php/Unrestricted_File_Upload Just read that; apparently using whitelists and blacklists is a piss-poor method and both can be bypassed, according to OWASP standards. Not sure where to go from here.
  12. Let me know when it is implemented and my IP removed, and I will see if this is any better.
  13. It is a better way to check for images versus preg_match. So if you only intend to allow JPEG and GIF, take png out of the array so it only allows gif, jpeg and jpg files, and if it doesn't match, error out.

      $allowedexts = array('gif', 'jpeg', 'jpg');
      // end() needs a variable, not the return value of explode()
      $parts = explode('.', $_FILES['image']['name']);
      $extension = end($parts);
      // note: $_FILES['image']['type'] is the MIME type sent by the browser
      if (($_FILES['image']['type'] == 'image/jpeg' || $_FILES['image']['type'] == 'image/gif')
          && in_array($extension, $allowedexts)) {
          // if match JPEG/JPG or GIF run code
      } else {
          // print error here
      }

  14. Could try image MIME types for extensions and a whitelist array of allowed extensions.

      $allowedexts = array('gif', 'jpeg', 'jpg', 'png');
      // end() needs a variable, not the return value of explode()
      $parts = explode('.', $_FILES['image']['name']);
      $extension = end($parts);
      // note: $_FILES['image']['type'] is the MIME type sent by the browser
      if (($_FILES['image']['type'] == 'image/jpeg'
           || $_FILES['image']['type'] == 'image/gif'
           || $_FILES['image']['type'] == 'image/png')
          && in_array($extension, $allowedexts)) {
          // allowed image: handle the upload here
      }
  15. @Jesi it's better than endlessly scrolling left to right *headache*. I reformatted the code again; much, much better.

      <?php
      if (!defined('SYS_STARTED')) die('Security activated');

      if (isset($_POST['server_information'])) {
          save_input_values($_POST);
          $post_data = do_request($_POST, true, '');
          if (!$post_data)
              set_msg('Būtina užpildyti visus laukelius', 'error', $config['home_url'] . '/go/control#response');
          if (strlen($post_data['title']) > 40)
              set_msg('Serverio pavadinimas negali būti ilgesnis, nei 40 simbolių', 'error', $config['home_url'] . '/go/control#response');
          if (!preg_match("/^[A-Za-z0-9.,-_* ]+$/", $post_data['title']))
              set_msg('Blogai sudarytas serverio pavadinimas', 'error', $config['home_url'] . '/go/control#response');
          if (!preg_match('|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $post_data['web_url']))
              set_msg('Blogai sudarytas serverio puslapio adresas (turi prasidėti http://)', 'error', $config['home_url'] . '/go/control#response');

          // login server IP: must not already be used by another user
          $query = $db->prepare("SELECT login_server_ip FROM servers WHERE user_id = '" . read_session('user_id') . "'");
          $query->execute();
          if ($query->rowCount() > 0) {
              $server_data = $query->fetch();
              if ($server_data['login_server_ip'] != $post_data['login_server_ip']) {
                  $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND login_server_ip = '{$post_data['login_server_ip']} '");
                  $query->execute();
                  if ($query->rowCount() > 0)
                      set_msg('Toks serverio login IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
              }
          } else {
              $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND login_server_ip = '{$post_data['login_server_ip']} '");
              $query->execute();
              if ($query->rowCount() > 0)
                  set_msg('Toks serverio login IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
          }

          // game server IP: same check
          $query = $db->prepare("SELECT game_server_ip FROM servers WHERE user_id = '" . read_session('user_id') . "'");
          $query->execute();
          if ($query->rowCount() > 0) {
              $server_data = $query->fetch();
              if ($server_data['game_server_ip'] != $post_data['game_server_ip']) {
                  $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND game_server_ip = '{$post_data['game_server_ip']} '");
                  $query->execute();
                  if ($query->rowCount() > 0)
                      set_msg('Toks serverio game IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
              }
          } else {
              $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND game_server_ip = '{$post_data['game_server_ip']} '");
              $query->execute();
              if ($query->rowCount() > 0)
                  set_msg('Toks serverio game IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
          }

          if (!is_numeric($post_data['login_server_port']) || $post_data['login_server_port'] == 21 || $post_data['login_server_port'] == 80)
              set_msg('Blogai sudarytas login serverio PORT adresas', 'error', $config['home_url'] . '/go/control#response');
          if (!is_numeric($post_data['game_server_port']) || $post_data['game_server_port'] == 21 || $post_data['game_server_port'] == 80)
              set_msg('Blogai sudarytas game serverio PORT adresas', 'error', $config['home_url'] . '/go/control#response');
          if (!is_numeric($post_data['xp']))
              set_msg('Blogai sudaryti serverio daugikliai (rate)', 'server_information_msg', 'error medium_plus', base64_decode($_POST['back_path']));
          if (strlen($post_data['description']) > 600)
              set_msg('Serverio aprašymas per ilgas, max. 600 simbolių', 'error', $config['home_url'] . '/go/control#response');

          remove_input_values($_POST);

          // insert a new row for this user, or update the existing one
          $query = $db->prepare("SELECT id FROM servers WHERE user_id = '" . read_session('user_id') . "'");
          $query->execute();
          if ($query->rowCount() == 0) {
              if (check_server_status($post_data['login_server_ip'], $post_data['login_server_port']))
                  $login_server_status = 1;
              else
                  $login_server_status = 0;
              if (check_server_status($post_data['game_server_ip'], $post_data['game_server_port']))
                  $game_server_status = 1;
              else
                  $game_server_status = 0;

              $query = $db->prepare("INSERT INTO servers SET user_id = '" . read_session('user_id') . "', title = '{$post_data['title']}', web_url = '{$post_data['web_url']}', chronicle = '{$post_data['chronicle']}', xp = '{$post_data['xp']}', description = '{$post_data['description']}', game_server_status = '{$game_server_status}', login_server_status = '{$login_server_status}', login_server_ip = '{$post_data['login_server_ip']}', game_server_ip = '{$post_data['game_server_ip']}', login_server_port = '{$post_data['login_server_port']}', game_server_port = '{$post_data['game_server_port']}', votes = '0', last_vote_date = '0'");
              $query->execute();
              set_msg('Serverio informacija išsaugota', 'success', $config['home_url'] . '/go/control#response');
          } else {
              $query = $db->prepare("UPDATE servers SET title = '{$post_data['title']}', web_url = '{$post_data['web_url']}', chronicle = '{$post_data['chronicle']}', xp = '{$post_data['xp']}', description = '{$post_data['description']}', login_server_ip = '{$post_data['login_server_ip']}', game_server_ip = '{$post_data['game_server_ip']}', login_server_port = '{$post_data['login_server_port']}', game_server_port = '{$post_data['game_server_port']}' WHERE user_id = '" . read_session('user_id') . "'");
              $query->execute();
              set_msg('Serverio informacija išsaugota', 'success', $config['home_url'] . '/go/control#response');
          }
      }
      ?>
  16. @OP: next time run it through a PHP formatter before posting. Formatted code with 'phpif' corrected:

      <?php
      if (!defined('SYS_STARTED')) die('Security activated');

      if (isset($_POST['server_information'])) {
          save_input_values($_POST);
          $post_data = do_request($_POST, true, '');
          if (!$post_data)
              set_msg('Būtina užpildyti visus laukelius', 'error', $config['home_url'] . '/go/control#response');
          if (strlen($post_data['title']) > 40)
              set_msg('Serverio pavadinimas negali būti ilgesnis, nei 40 simbolių', 'error', $config['home_url'] . '/go/control#response');
          if (!preg_match("/^[A-Za-z0-9.,-_* ]+$/", $post_data['title']))
              set_msg('Blogai sudarytas serverio pavadinimas', 'error', $config['home_url'] . '/go/control#response');
          if (!preg_match('|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $post_data['web_url']))
              set_msg('Blogai sudarytas serverio puslapio adresas (turi prasidėti http://)', 'error', $config['home_url'] . '/go/control#response');

          // login server IP: must not already be used by another user
          $query = $db->prepare("SELECT login_server_ip FROM servers WHERE user_id = '" . read_session('user_id') . "'");
          $query->execute();
          if ($query->rowCount() > 0) {
              $server_data = $query->fetch();
              if ($server_data['login_server_ip'] != $post_data['login_server_ip']) {
                  $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND login_server_ip = '{$post_data['login_server_ip']}'");
                  $query->execute();
                  if ($query->rowCount() > 0)
                      set_msg('Toks serverio login IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
              }
          } else {
              $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND login_server_ip = '{$post_data['login_server_ip']}'");
              $query->execute();
              if ($query->rowCount() > 0)
                  set_msg('Toks serverio login IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
          }

          // game server IP: same check
          $query = $db->prepare("SELECT game_server_ip FROM servers WHERE user_id = '" . read_session('user_id') . "'");
          $query->execute();
          if ($query->rowCount() > 0) {
              $server_data = $query->fetch();
              if ($server_data['game_server_ip'] != $post_data['game_server_ip']) {
                  $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND game_server_ip = '{$post_data['game_server_ip']}'");
                  $query->execute();
                  if ($query->rowCount() > 0)
                      set_msg('Toks serverio game IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
              }
          } else {
              $query = $db->prepare("SELECT id FROM servers WHERE user_id != '" . read_session('user_id') . "' AND game_server_ip = '{$post_data['game_server_ip']}'");
              $query->execute();
              if ($query->rowCount() > 0)
                  set_msg('Toks serverio game IP jau naudojamas', 'error', $config['home_url'] . '/go/control#response');
          }

          if (!is_numeric($post_data['login_server_port']) || $post_data['login_server_port'] == 21 || $post_data['login_server_port'] == 80)
              set_msg('Blogai sudarytas login serverio PORT adresas', 'error', $config['home_url'] . '/go/control#response');
          if (!is_numeric($post_data['game_server_port']) || $post_data['game_server_port'] == 21 || $post_data['game_server_port'] == 80)
              set_msg('Blogai sudarytas game serverio PORT adresas', 'error', $config['home_url'] . '/go/control#response');
          if (!is_numeric($post_data['xp']))
              set_msg('Blogai sudaryti serverio daugikliai (rate)', 'server_information_msg', 'error medium_plus', base64_decode($_POST['back_path']));
          if (strlen($post_data['description']) > 600)
              set_msg('Serverio aprašymas per ilgas, max. 600 simbolių', 'error', $config['home_url'] . '/go/control#response');

          remove_input_values($_POST);

          // insert a new row for this user, or update the existing one
          $query = $db->prepare("SELECT id FROM servers WHERE user_id = '" . read_session('user_id') . "'");
          $query->execute();
          if ($query->rowCount() == 0) {
              if (check_server_status($post_data['login_server_ip'], $post_data['login_server_port']))
                  $login_server_status = 1;
              else
                  $login_server_status = 0;
              if (check_server_status($post_data['game_server_ip'], $post_data['game_server_port']))
                  $game_server_status = 1;
              else
                  $game_server_status = 0;

              $query = $db->prepare("INSERT INTO servers SET user_id = '" . read_session('user_id') . "', title = '{$post_data['title']}', web_url = '{$post_data['web_url']}', chronicle = '{$post_data['chronicle']}', xp = '{$post_data['xp']}', description = '{$post_data['description']}', game_server_status = '{$game_server_status}', login_server_status = '{$login_server_status}', login_server_ip = '{$post_data['login_server_ip']}', game_server_ip = '{$post_data['game_server_ip']}', login_server_port = '{$post_data['login_server_port']}', game_server_port = '{$post_data['game_server_port']}', votes = '0', last_vote_date = '0'");
              $query->execute();
              set_msg('Serverio informacija išsaugota', 'success', $config['home_url'] . '/go/control#response');
          } else {
              $query = $db->prepare("UPDATE servers SET title = '{$post_data['title']}', web_url = '{$post_data['web_url']}', chronicle = '{$post_data['chronicle']}', xp = '{$post_data['xp']}', description = '{$post_data['description']}', login_server_ip = '{$post_data['login_server_ip']}', game_server_ip = '{$post_data['game_server_ip']}', login_server_port = '{$post_data['login_server_port']}', game_server_port = '{$post_data['game_server_port']}' WHERE user_id = '" . read_session('user_id') . "'");
              $query->execute();
              set_msg('Serverio informacija išsaugota', 'success', $config['home_url'] . '/go/control#response');
          }
      }
      ?>
  17. While the CGI code stops script execution, it does not stop file uploads. [+1 layer of security] Nowhere in your code does it have an array of what extension types are disallowed (blacklist). [+1 layer of security] And instead of checking images using preg_match, you would be better suited using getimagesize. [+1 layer of security] Securing your image upload form
  18. Don't forget to click "topic solved".
  19. Either your server is down or I am IP banned; can you check?
  20. I suggest reading up on the link below; it explains why to use PDO versus mysql_real_escape_string and get_magic_quotes_gpc. why use pdo vs mysql_real_escape_string????
  21. Might have a look at This Thread.
  22. copy(), from what I have read, takes too long to execute. You are better off using move_uploaded_file, but I hear the fastest way is by using cURL. Using CURL to upload images
  23. I got another question: does it check if magic_quotes_gpc is on, and if it isn't, use stripslashes instead? Also, when you insert into the database something like user_id, you are using the typecast (int) to make sure it is an integer.

      $sql = "INSERT INTO table * WHERE user_id='" . (int)$_POST['user_id'] . "'";

     This also works for SELECT queries as well. Just a reminder: the integer typecast only works on integers and numeric fields.
  24. Sorry, I misspelled it, but I can assure you, sir, that I did scan the right site.
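Added example (not code from the thread or from any poster): an upload check that combines the extension whitelist of posts 13 and 14 with the getimagesize() content check from post 17, and stores the file under a server-chosen name. It assumes PHP 7+, a form field named "image", a writable upload directory, and a 2 MiB size cap; the browser-supplied $_FILES['image']['type'] value is deliberately not consulted.

```php
<?php
// Added example, not from the thread. Validates an uploaded image by its
// extension whitelist and by its actual bytes (getimagesize), not by the
// browser-supplied MIME type. Assumes PHP 7+, field name "image",
// a writable $uploadDir and a 2 MiB size cap (all assumptions).

function validate_image_upload(array $file, string $uploadDir): array
{
    $allowedExts  = ['gif', 'jpg', 'jpeg', 'png'];          // extension whitelist
    $allowedTypes = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload failed'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    if ($file['size'] > 2 * 1024 * 1024) {                  // assumed cap
        return ['ok' => false, 'reason' => 'file too large'];
    }

    // 1. Extension whitelist (lower-cased so "JPG" and "jpg" match alike).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExts, true)) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }

    // 2. Content check: getimagesize() reads the bytes and returns false
    //    for anything that is not a real image; [2] is the IMAGETYPE_* code.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], $allowedTypes, true)) {
        return ['ok' => false, 'reason' => 'not a gif/jpeg/png image'];
    }

    // 3. Store under a random name whose extension comes from the detected
    //    type, so the user-controlled filename never reaches the disk.
    $newName = bin2hex(random_bytes(16)) . image_type_to_extension($info[2], true);
    $dest    = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'could not store file'];
    }
    return ['ok' => true, 'path' => $dest, 'mime' => $info['mime']];
}

// usage:
// $result = validate_image_upload($_FILES['image'], __DIR__ . '/uploads');
// if (!$result['ok']) { echo 'Error: ' . htmlspecialchars($result['reason']); }
```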
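Added example (not from the thread): the "login IP already in use" query from the reformatted code in posts 15 and 16, rewritten with PDO bound parameters, plus a port check that is stricter than is_numeric(). Binding with PDO::PARAM_INT is the PDO counterpart of the (int) cast in post 23. It assumes a PDO connection in $db and the thread's read_session(), set_msg() and $config names.

```php
<?php
// Added example, not from the thread. prepare() only protects values that are
// bound as parameters; values interpolated into the SQL string (as in the
// posted code) get no protection. Assumes $db is a PDO connection and that
// read_session(), set_msg() and $config exist as used in the thread.

function login_ip_in_use(PDO $db, int $userId, string $loginIp): bool
{
    // Placeholders replace the '{$post_data['login_server_ip']}' interpolation.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM servers WHERE user_id <> :uid AND login_server_ip = :ip'
    );
    // Typed binds: the id can only ever be an integer, the IP only a string.
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':ip', $loginIp, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

function port_is_valid($port): bool
{
    // is_numeric() accepts "1e3" and " 80"; a ranged integer filter does not.
    $p = filter_var($port, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    // the posted code also rejects 21 and 80; keep that rule
    return $p !== false && $p !== 21 && $p !== 80;
}

// usage, with the connection set to throw on errors and use real prepares:
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// $userId = (int) read_session('user_id');
// $ip = filter_var($_POST['login_server_ip'] ?? '', FILTER_VALIDATE_IP);
// if ($ip !== false && login_ip_in_use($db, $userId, $ip)) {
//     set_msg('Toks serverio login IP jau naudojamas', 'error',
//             $config['home_url'] . '/go/control#response');
// }
```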