CMC

Hi, Right so tonight I was working on my installer script, and I've run into a problem. Part of my installer script takes data inputted through a form and writes it to a config file. Since the config file already has data in it, I set fwrite to r+. The problem is, the written data from the install form overwrites some of the existing data in the config file. Ideal Here is what the finished copy of the config file should look like (after being written too) <?php $db_host = 'localhost'; $db_user = 'data'; $db_passwrd = 'data'; $db_name = 'data'; $vb_prefix = 'vb'; $vb_dir = '/data/vb/'; $ga_dir = '/data/ga/'; $html_title = 'Gangsta Giveaways'; $site_name = 'MAXGames'; $connect = mysql_connect($db_host,$db_user,$db_passwrd); if(!$connect){ $gen_message = 'An error was encountered while accessing the database. The connection to the database failed. Please try again later.'; $email_message = $gen_message."\n".mysql_error(); #ReportAdmin($admin_email,$email_message); die($gen_message); } blah blah blah... rest isn't important as it shows up fine ?> Initial config (before data is written) $connect = mysql_connect($db_host,$db_user,$db_passwrd); if(!$connect){ $gen_message = 'An error was encountered while accessing the database. The connection to the database failed. Please try again later.'; $email_message = $gen_message."\n".mysql_error(); #ReportAdmin($admin_email,$email_message); die($gen_message); } ?> Reality: Final config: Here is the problem. the fwrite cuts of part of the data already in the config file. $db_host = 'localhost'; $db_user = ''; $db_passwrd = ''; $db_name = ''; $vb_prefix = 'vb'; $vb_dir = '6'; $ga_dir = '/ho'; $html_title = 'Gangsta Giveaways'; $site_name = 'MAXGames'; ge = $gen_message."\n".mysql_error(); #ReportAdmin($admin_email,$email_message); die($gen_message); } See the [icode]ge = $gen_message."\n".mysql_error();[/icode]. It should start with [icode]$connect = mysql_connect...[/icode]. Not sure what's going on. install.php with fwrite $config_data = "<?php\n\$db_host = '{$clean['host']}';\n\$db_user = '{$clean['user']}';\n\$db_passwrd = '{$clean['passwd']}';\n\$db_name = '{$clean['name']}';\n\n\$vb_prefix = '{$clean['vbpre']}';\n\$vb_dir = '{$clean['vbdir']}';\n\$ga_dir = '{$clean['gadir']}';\n\n\$html_title = '{$clean['title']}';\n\$site_name = '{$clean['sname']}';\n\n\n"; $fwrite = fwrite($fh,$config_data,strlen($config_data)) or die('Config file was opened but not be written to.'); I've used this method before with installers and I'vee never encountered this problem. Anyone have any ideas? Thanks -CMC

Hello everyone, I'm working on a site that will have user input which will then be outputted back (as most sites do) and all data will be stored in a database. I'd just like to hear your thoughts on the following question: should I filter data on input or output, or both? Just like to clarify exactly what I mean by filtering (to me filtering is different than securing data). Filtering = converting input to various types (BBCode to HTML, newlines to HTML, htmlentities(), word matching etc.) Securing data = type checking (int when it is supposed to be int) and blanks, mysql_real_escape_string. I've always been filtering it on input, and storing it in the DB ready for immediate output. However, I have read a few posts around here about security and I've seen a few recommendations to filter on data output. Of course, SQL injection filtering would need to be done on input, but is there any advantage to doing the rest on data output (say converting BBCode, caps, etc.). The only advantage I can think of would be perhaps a smaller database size overall. Thoughts?

Why don't you just delete all the records from the database and make a script that will go through the directory, automatically adding each file to the database? That way you know for sure that all the files will be in the database. Probably the easiest method too.

Here, download this PDF tutorial. I couldn't find the link (site is www.scanit.be) I originally downloaded it from so I just re-uploaded onto one of mine. When I created my first upload script I followed the security measures shown in the tutorial. Basically, the size, file headers, file extensions are checked. Here's the download http://www.flawclan.com/dc/?cat_id=misc&file_id=32

Ah thanks, I was just actually thinking of trying exactly that

Hi, Is there a built-in function to add 1 to a row without having to query the db, return a value, add 1 to it, and update the row? I've been looking all over but I haven't been able to efficiently phrase my question so I get optimal results on a search engine :/ Thanks for any input

Thank you very much! The answer is so much simpler than I thought it would be. Thanks foxtrowhiskey

Hi, I've made an image upload/view script that works nicely but now I'm trying to have the view script generate nice URL's. i.e: instead of view.php?id=some_id have something like /images/some_id.file_extension (/images/23.gif). The files are stored in a database. Does anyone know if this is possible? I've been looking around and doing a lot of reading but I haven't found anything suggesting if it's possible. I haven't tried either because I am unsure of how to approach the coding aspect. I have basic mod_rewrite knowlede but what is stumping me is how to pass the .gif part. The .gif part will not be used in retrieving the actual image, it's just there to make the URL look nice Also, everything is dynamic; so if the image was a PNG then it would be /images/24.png. Am I making sense?

Post the code you have so far.

Here is the documentation for exactly that. I've integrated my site with SMF and it was very easy. http://docs.simplemachines.org/index.php?topic=789

mysql_query("UPDATE Ysers SET Comments='$CF $Commy' WHERE email='$Friend'"); That's because you're updating the columns instead of adding new ones. Is that what you mean?

echo "onclick=\"location.href='http://www.ezarttrader.com/sellart.php'\"";

You could create a script that would dump your database, and then have that script run by a cron job at timed intervals. The system function mysqldump() can dump the DB info into a file for you and save it to a directory of your choosing (preferably out of access) That's what I do to backup my databases. http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html

as Barand helpfully pointed out: Maybe you want repeated values. $array = array("apple" => "green", "apple" => "red", "strawberry" => "red" ); Are you trying to see how many times apple is in the array, or red? apple = key red = value

You've got part of it right. Store the URL's in the DB, then call the previous and next URL from the DB to create previous/next links. You'll have to order the articles somehow and figure out how to number them.

Try clicking the old host first, than the new host. I bet everyone is clicking new host first, and then when they go to old host, some of the images are already cached, thus enabling faster load time. Try using 2 sets of completely different images, I think you'll get more accurate results.

Ok, checking empty values is easy enough. Just use the empty() function. ex: if(empty($title)){ $errors[] = 'Please input a title'; } Then you can check $errors using: if(!empty($errors)){ foreach($errors as $msg){ echo $msg.'<br />'; } die(); }else{ run rest of script... } For the thumbnails, look into the GD Image Libary: http://www.php.net/gd http://www.phpgd.com/ Also, here's a tutorial that instructs you through creating thumbnails and resizing images. http://www.phpit.net/article/image-manipulation-php-gd-part1/ http://www.phpit.net/article/image-manipulation-php-gd-part2/

It is doing that because you are selecting ALL the users $sql = "SELECT * FROM Login ORDER BY id"; and displaying all of the users (including hidden id's) in the table. You can either limit the users returned (LIMIT #) or re-arrange your script. I would add a checkbox beside each username and have the checkbox's value as the id. Then you set the script up that it will only delete the users that have been checked. Make sense?

Try this: <?phpif(isset($_POST['submit'])) { echo "asdfadsf"; $findpw = "SELECT * FROM school WHERE id = '1'"; $run = mysql_query($findpw) or die(mysql_error()); while($data2 = mysql_fetch_array($run)) { echo $data2['password']; } } Will check for errors and display to you if found and also removed a semi-colon ( at the end of your while line.

Use sessions. That will do the trick. Ex: <?php session_start(); $_SESSION['variable'] = 'data here'; ?>

Post more code and elaborate on the problem please. What's given is hardly helpful.

Hi, I'm writing a return to previous page type function like phpBB, SMF, VB and the likes implement. Someone wants me to implement it into their PM system so it would work like so: When the user first visits the site and logs in, if they have a new/unread PM, they will be redirected to a page that says 'You have a new PM | Read | Return'. They have the option to click read, which brings them to the PM, or the option to 'Return', which returns them to the page they were previously viewing or trying to view. This is the part I'm having trouble with, I don't know how to effectively capture the previous page. I've thought up a couple methods, but none are terribly efficient nor effective. 1) Use Javascript history.go(-1) Problem: If they enter from another site (ex: google.com), they will be returned to Google. I don't want to kick them off my site... 2) Use HTTP_REFERRER Problem: May not be stored or again could be another site, not part of my own. I could fix this by checking if their is a HTTP_REFERRER, and then preg_match or search it for my host name and if not found, set a 'static' page to go to. ex: if(empty(REFERRER)){ $url = 'mysite.com/members.php'; }else{ $find = '^mysite.com'; if(!preg_match($find,REFERRER)){ $url = 'mysite.com/members.php'; } } header("Location: $url"); Anyone have any better suggestions or how-to's? Thanks -fl00d

if I understand you correctly (somehow I doubt I do), you need to separate the data? the explode function. explode it using ',' (i.e: explode(",",$text) and then you could use in_array to see if it is there. ex: <?php $item1 = 'CCC'; $inCart = $_SESSION['cart']; $individualItems = explode(",",$inCart); if(in_array($item1,$inCart)){ echo "in cart"; }else{ echo "not in cart"; } ?>

thanks I'll fix the CHMOD ASAP.

Hi, Well, I've been working on my site on and off for about 6-7 months now (maybe one 2-3 days of work a month ) and it's been really progessing. In fact, it's almost complete. I've only got a few more scripts to write and integrate plus a couple more features. I decided it's time to have it audited. Myself, I have tried the basic stuff, some XSS, path disclosures etc but I haven't been able to get any results. However, I'm no expert in vulnerability exploitation, so I was hoping some of you crazy folk () would kindly help me out and see if any bugs can be found. (and reported) I'd appreciate if the actual domain and name of the site were kept hidden (Google seems to index posts here pertty fast) and if any huge risks are exposed, they won't be taken advantage of (too badly, i.e: taking over my server ). Right, so down to the nitty gritty. Here's my URL: http://tinyurl.com/yrjmvr Thanks for any help! -CMC Also visual bug notification would be greatly appreciated.(I'm aware of alignment issues between IE and FX)