tinker

Members
Posts: 328
Joined:
Last visited: Never

Everything posted by tinker

  1. Okay dokey, better example time... There's a little bloat for managing the db. Whilst looking through the strip_tags docs I came across the strip_tags_content() function, as seen being used when outputting.

```php
<html><head></head><body>
<?php
$host = 'localhost';
$user = 'user';
$pass = 'pass';
$db   = 'db';
$conn = mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($db, $conn) or die(mysql_error());

// INSTALL: (re)create the test table and seed it with a row that already contains script tags
$install = 1;
if ($install) {
    $s = "DROP TABLE test_store";
    mysql_query($s, $conn);
    $s = "CREATE TABLE test_store (id int not null primary key auto_increment, title varchar(128), blog text )";
    if (mysql_query($s, $conn)) {
        print "creation success<br /><br />";
    } else {
        print "creation failed<br /><br />";
    }
    $s = "INSERT INTO test_store VALUES('1', '<b>myTitle <script>alert(\'tit<>led\');</script></b>','<b>Blog <script>alert(\'blogged\');</script> blog blog</b>')";
    if (mysql_query($s, $conn)) {
        print "insert success<br /><br />";
    } else {
        print "insert failed<br /><br />";
    }
}

$title = "";
$blog  = "";

// applied to submitted input before it is stored
function scheck_code($s) {
    //$s = strip_tags($s);
    return htmlspecialchars($s);
}

// applied to stored data before it is printed
function scheck_code_d($s) {
    $s = strip_tags($s);
    return htmlspecialchars_decode($s, ENT_QUOTES);
}

// php.net functions
// see... http://uk3.php.net/manual/en/function.strip-tags.php
function strip_only($str, $tags) {
    if (!is_array($tags)) {
        $tags = (strpos($str, '>') !== false ? explode('>', str_replace('<', '', $tags)) : array($tags));
        if (end($tags) == '') array_pop($tags);
    }
    foreach ($tags as $tag) $str = preg_replace('#</?'.$tag.'[^>]*>#is', '', $str);
    return $str;
}

function strip_tags_content($text, $tags = '', $invert = FALSE) {
    preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
    $tags = array_unique($tags[1]);
    if (is_array($tags) AND count($tags) > 0) {
        if ($invert == FALSE) {
            return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
        } else {
            return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
        }
    } elseif ($invert == FALSE) {
        return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
    }
    return $text;
}
// end php.net functions

// UPDATE DATA
if (isset($_POST['submit'])) {
    $title = $_POST['title'];
    $blog  = $_POST['blog'];
    $title = mysql_real_escape_string($title);
    $blog  = mysql_real_escape_string($blog);
    $title = scheck_code($title);
    $blog  = scheck_code($blog);
    $s = "UPDATE test_store SET title = '".$title."', blog='".$blog."' WHERE id = 1";
    if (mysql_query($s, $conn)) {
        print "update success<br>";
    } else {
        print "update failed<br>";
    }
}

// RETRIEVE DATA
$s = "SELECT * FROM test_store WHERE id = 1";
$res = mysql_query($s, $conn) or die(mysql_error());
if (mysql_num_rows($res) == 1) {
    while ($a = mysql_fetch_array($res)) {
        $title = $a['title'];
        $blog  = $a['blog'];
    }
}

print "<br />\n";
print "<b>TITLE:</b> ".scheck_code_d($title)."<br />\n";
print "<b>TITLE:</b> ".strip_only($title, array('script'))."<br />\n";
print "<b>TITLE:</b> ".strip_tags_content($title, '<script>', true)."<br />\n";
print "<b>BLOG:</b> ".scheck_code_d($blog)."<br />\n";
print "<br /><br />\n";
print "<br />\n <form method='POST' action=''><table>
<tr valign='top'><td align='right'>Title</td><td><input type='text' name='title' size='32' value='".htmlentities($title, ENT_QUOTES)."'></td></tr>
<tr valign='top'><td align='right'>Blog</td><td><textarea name='blog' rows='7' cols='32'>".$blog."</textarea></td></tr>
<tr valign='top'><td align='right'></td><td><input type='submit' name='submit' value=''></td></tr>
</table></form><br />";
?>
</body></html>
```

Is this function up to scratch? What else should be checked for, for instance:

```php
function strip_cdata($string) {
    preg_match_all('/<!\[cdata\[(.*?)\]\]>/is', $string, $matches);
    return str_replace($matches[0], $matches[1], $string);
}
```
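Added example, not code from the post above or from its author: the seeded title from the INSTALL block is run through the post's scheck_code()/scheck_code_d() pair (encode before storing, strip_tags and decode before printing), next to a path that stores the raw text with a prepared statement and encodes once, at output, for the HTML context. It assumes the pdo_sqlite extension so the store/fetch round trip runs offline; the mysql_real_escape_string step is left out because the parameterised query takes its place, and html_text(), render_like_post(), round_trip_encoded() and contains_script_tag() are this example's own names.

```php
<?php
// Added example (not from the original post). Assumes pdo_sqlite is available.

// Constructed sample input, the same shape as the row the post's INSTALL block inserts.
const SAMPLE_TITLE = "<b>myTitle <script>alert('tit<>led');</script></b>";

// What the post's scheck_code() / scheck_code_d() pair does end to end.
// ENT_COMPAT is the pre-8.1 htmlspecialchars() default that code relied on.
function render_like_post(string $raw): string {
    $stored = htmlspecialchars($raw, ENT_COMPAT, 'UTF-8');   // scheck_code(): encode before storing
    $out    = strip_tags($stored);                          // scheck_code_d(), step 1: nothing left to strip
    return htmlspecialchars_decode($out, ENT_QUOTES);       // scheck_code_d(), step 2: undoes the encoding
}

// Encode once, at output time, for element content or a quoted attribute value.
function html_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store the raw text untouched (the prepared statement does the SQL escaping),
// read it back, and encode it only when building the page.
function round_trip_encoded(string $raw): array {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE test_store (id INTEGER PRIMARY KEY, title TEXT, blog TEXT)');

    $ins = $db->prepare('INSERT INTO test_store (id, title, blog) VALUES (1, :title, :blog)');
    $ins->execute([':title' => $raw, ':blog' => '']);

    $row = $db->query('SELECT title FROM test_store WHERE id = 1')->fetch(PDO::FETCH_ASSOC);

    return [
        'stored'    => $row['title'],                              // exactly what the user typed
        'body'      => html_text($row['title']),                   // safe as element content
        'attribute' => "value='" . html_text($row['title']) . "'", // safe inside a quoted attribute
    ];
}

// Does a rendered string still carry a live <script> start tag?
function contains_script_tag(string $html): bool {
    return (bool) preg_match('#<script\b#i', $html);
}

$viaPost = render_like_post(SAMPLE_TITLE);
$encoded = round_trip_encoded(SAMPLE_TITLE);
printf("post's path    : %s  (script tag present: %s)\n", $viaPost, contains_script_tag($viaPost) ? 'yes' : 'no');
printf("encoded output : %s  (script tag present: %s)\n", $encoded['body'], contains_script_tag($encoded['body']) ? 'yes' : 'no');
```

Run it with `php example.php`; the two printed lines show what each path hands to the browser for the same stored title. The design point is that the database only needs SQL escaping (which the placeholder provides) and the page only needs HTML encoding, applied once in the place the value is printed, so there is no decode step that can hand the original markup back.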
  2. Last night I noticed that I could pass scripts to a field and they didn't get sanitised. I do take certain measures generally, but they weren't working for some reason. Here's a bit of a demo...

```php
<html><head></head><body>
<?php
function scheck_code($s) {
    $s = strip_tags($s);
    return htmlspecialchars($s);
}
$s = "<script>alert('test 1');</script>";
print $s."<br />\n";              // the raw string
print scheck_code($s)."<br />\n"; // after strip_tags + htmlspecialchars
?>
</body></html>
```

I'll post another shortly because my example involves text and textarea form elements and is stored in MySQL. Tbh I don't generally use strip_tags; I convert to htmlentities and then apply bbcode parsing, I think..
  3. Check your server logs for agent and referer.
  4. When you view or save a page, it may have the '.php' extension or the like, but that page should have been parsed by the server and contain no PHP; if it does, it's either because the server is set up incorrectly or the code is buggy. A web browser simply downloads a page, then scans it for any resource links it may contain (images, frame links, RSS feed, adverts, etc.) and also downloads them, then it renders it.
  5. I was reading a PDF from some blackhat conference about the security issues of AJAX. It referred numerous times to how much easier it is to hack an AJAX site that uses GET instead of POST. Any reasoning as to why?
  6. If you're worried about snooping peeps in the middle and your boss won't fork out for an SSL cert, then here's something I posted a while ago that may be of interest...
  7. He's already stated that there is a login system. If you're using GET or POST then the link in the bookmark will still take you to the right place, just not show the relevant info, but that should only be a single click away. To complicate things even more, you could use a lookup system of refs, where on each generation of the page a list of refs is added to a table which also refs the page with an id. These entries are then nullified or deleted once one has been used. I can see issues, but hey, if you want security... This is similar to the proper implementation of the CAPTCHA protocol.
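Added example, not code from the post above or from its author: the refs table the post sketches, with one unguessable ref minted per generated link, tied to the logged-in user, and consumed on first use so it cannot be replayed. It assumes the pdo_sqlite extension for an offline run; the table and column names (page_refs, ref, page_id, user_id, issued) and the function names are this example's own.

```php
<?php
// Added example (not from the original post). Assumes pdo_sqlite is available.

function open_ref_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE page_refs (
        ref     TEXT PRIMARY KEY,
        page_id INTEGER NOT NULL,
        user_id INTEGER NOT NULL,
        issued  INTEGER NOT NULL
    )');
    return $db;
}

// Called while rendering a page: mint a ref for a link to $pageId, bound to the
// user the page was generated for, so a copied link is useless to anyone else.
function issue_ref(PDO $db, int $pageId, int $userId): string {
    $ref = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG; not derived from time or ids
    $st = $db->prepare('INSERT INTO page_refs (ref, page_id, user_id, issued) VALUES (?, ?, ?, ?)');
    $st->execute([$ref, $pageId, $userId, time()]);
    return $ref;
}

// Called when a ref comes back in a request. Returns the page id it pointed at, or
// null if it is unknown, already used, older than $maxAge seconds, or someone else's.
function consume_ref(PDO $db, string $ref, int $userId, int $maxAge = 600): ?int {
    $sel = $db->prepare('SELECT page_id FROM page_refs WHERE ref = ? AND user_id = ?');
    $sel->execute([$ref, $userId]);
    $pageId = $sel->fetchColumn();
    if ($pageId === false) {
        return null;
    }
    // The DELETE is the decision: it re-checks owner and age and removes the row in
    // one statement, so two requests racing with the same ref cannot both succeed.
    $del = $db->prepare('DELETE FROM page_refs WHERE ref = ? AND user_id = ? AND issued >= ?');
    $del->execute([$ref, $userId, time() - $maxAge]);
    return $del->rowCount() === 1 ? (int) $pageId : null;
}

// Constructed walk-through: user 7 is shown a link to page 42.
$db  = open_ref_store();
$ref = issue_ref($db, 42, 7);
var_dump(consume_ref($db, $ref, 7));   // first use by the user it was issued to
var_dump(consume_ref($db, $ref, 7));   // the same ref presented a second time
var_dump(consume_ref($db, $ref, 8));   // the same ref presented by a different user
```

A cron job that deletes rows with `issued` older than the window keeps the table small; the age check in consume_ref() means a row that the cron has not yet removed still cannot be used late.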
  8. Mmm, your issue sounds more like CSS/HTML, even though it's to incorporate AJAX chat (JS). As XoSilenceoX states, you should be looking at layers (<div>)...
  9. No, I wasn't using any uniques, but I've just had an idea which does: if I combine the two keys into a single one, then that will be unique, e.g. tn (id, user_n_room, last) with $user_n_room = $u_id.":".$room; This solves my abuse of SQL networks but not my understanding of SQL logic... sigh! merci
  10. What I'm trying to prevent is: if there are multiple groups and you are only allowed to see the details of your group members, then changing the id in the request would let you trawl the db, whereas using the name would restrict you to users whose login usernames you know (many more variations). However they can still trawl (albeit limited), therefore md5 the name with a salt of the hour/day. For escaping see this. Yes, GET and POST are equally abusable; there are many ways to generate POST packets. I tend to use telnet to test my security in this area...
  11. [NOT IN ORDER?] a) All PHP files served by a server should get processed by the PHP interpreter and will only display any HTML (etc.) that the PHP code outputs. So technically, no, people can't just download your PHP pages. b) Once you have some kind of system to log in, then you use some logic like this:

```php
if ($logged_in == 1) {
    print "Hi user";
} else {
    print "Who the f are you?";
}
```
  12. I thought I understood your issue, yet reading through I'm less sure. However, concerning this, I considered this the other day, thinking that I should use usernames instead so they can't just increment the number to trawl the db. I liked the idea of md5'ing the identifier, but if you take an id, hash it, send it, retrieve it, compare it... it doesn't appear to be any different except there's a process being thrown in for 'good' measure. If you were to do such a thing, I might suggest salting it with the id/name of the requesting user (supposing that they are logged in).
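Added example, serving posts 10 and 12 above and not code from either post or their author: the two server-side checks against trawling member records by changing the id in a request. The first is the authorisation check itself (the requester must share a group with the record); the second is an opaque per-user reference computed with hash_hmac and a server-side secret, used here in place of md5 with an hour/day salt. The member table, the group numbers, the secret and all function names are constructed for this example.

```php
<?php
// Added example (not from the original posts). Everything below is constructed.

// Constructed data: who belongs to which group.
const MEMBERS = [
    1 => ['name' => 'alice', 'group' => 10],
    2 => ['name' => 'bob',   'group' => 10],
    3 => ['name' => 'carol', 'group' => 20],
];

// Check 1: authorisation on the server. Whatever identifier arrives in the request,
// the record is only returned when the requester shares a group with it. This is
// the check that stops trawling regardless of how the identifier is encoded.
function fetch_member(int $requesterId, int $targetId): ?array {
    if (!isset(MEMBERS[$requesterId], MEMBERS[$targetId])) {
        return null;
    }
    if (MEMBERS[$requesterId]['group'] !== MEMBERS[$targetId]['group']) {
        return null;   // outside the requester's group: same answer as "no such user"
    }
    return MEMBERS[$targetId];
}

// Check 2, on top of check 1: references a user was never shown cannot be forged.
// The id stays visible inside the ref, but altering it invalidates the MAC, and the
// MAC is bound to the requesting user and the day it was issued.
const SERVER_KEY = 'constructed-secret: in real use load 32 bytes from random_bytes() out of config';

function make_ref(int $requesterId, int $targetId, string $day): string {
    $mac = hash_hmac('sha256', "{$requesterId}:{$targetId}:{$day}", SERVER_KEY);
    return $targetId . '.' . substr($mac, 0, 32);
}

function resolve_ref(int $requesterId, string $ref, string $day): ?int {
    if (!preg_match('/^(\d+)\.([0-9a-f]{32})$/', $ref, $m)) {
        return null;
    }
    $expected = substr(hash_hmac('sha256', "{$requesterId}:{$m[1]}:{$day}", SERVER_KEY), 0, 32);
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null;   // constant-time comparison
}

// Constructed walk-through
$today = date('Y-m-d');
$ref   = make_ref(1, 2, $today);                        // alice is shown a link to bob
$id    = resolve_ref(1, $ref, $today);                  // alice presents it back
var_dump($id !== null ? fetch_member(1, $id) : null);
var_dump(resolve_ref(3, $ref, $today));                 // carol presents alice's ref
var_dump(fetch_member(1, 3));                           // alice asks for carol by raw id
```

Check 2 never replaces check 1: a valid ref only tells the server which record was asked for, and fetch_member() still decides whether the requester may see it.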
  13. Update if two fields match values, otherwise insert a new record. I don't believe I can use the duplicates catch because it depends upon two fields? Basically it's a bit of a log thing for a chat room, however you may be present in multiple chat rooms at once. The table looks a bit like this: tn (id, u_id, room_id, last_time). If u_id and room_id match then update time, else insert new. Every now and again everyone in a room within x amount of time will be harvested and sent back as a buddy list. Also set up in cron is a function which clears any out over a certain age... I've got a solution that I'm currently using, but it makes a SQL call, then depending upon the result it decides upon 1 of 2 other SQL calls; it just seems a bit wasteful and I like learning something new (to me anyway). Cheers for any consideration...
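Added example, serving posts 9 and 13 above and not code from either post or their author: the "update if (u_id, room_id) already exists, else insert" done in a single statement by declaring the pair a UNIQUE key, together with the buddy-list query and the cron-style expiry the post describes. It runs on SQLite through pdo_sqlite (3.24 or newer for ON CONFLICT ... DO UPDATE); the MySQL spelling of the same statement, ON DUPLICATE KEY UPDATE, is given in a comment. Table name tn and the column names are taken from the post; the function names and sample timestamps are this example's own.

```php
<?php
// Added example (not from the original posts). Assumes pdo_sqlite, SQLite >= 3.24.

function open_presence(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tn (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        u_id      INTEGER NOT NULL,
        room_id   INTEGER NOT NULL,
        last_time INTEGER NOT NULL,
        UNIQUE (u_id, room_id)          -- the two fields together are the duplicate key
    )');
    return $db;
}

// One round trip instead of SELECT followed by INSERT or UPDATE.
// MySQL equivalent:
//   INSERT INTO tn (u_id, room_id, last_time) VALUES (?, ?, ?)
//   ON DUPLICATE KEY UPDATE last_time = VALUES(last_time)
function touch_presence(PDO $db, int $uId, int $roomId, int $now): void {
    $st = $db->prepare('INSERT INTO tn (u_id, room_id, last_time) VALUES (?, ?, ?)
        ON CONFLICT (u_id, room_id) DO UPDATE SET last_time = excluded.last_time');
    $st->execute([$uId, $roomId, $now]);
}

// The buddy list: everyone seen in $roomId within the last $window seconds.
function present(PDO $db, int $roomId, int $now, int $window): array {
    $st = $db->prepare('SELECT u_id FROM tn WHERE room_id = ? AND last_time >= ? ORDER BY u_id');
    $st->execute([$roomId, $now - $window]);
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// The cron side: drop rows older than $maxAge seconds; returns how many went.
function expire(PDO $db, int $now, int $maxAge): int {
    $st = $db->prepare('DELETE FROM tn WHERE last_time < ?');
    $st->execute([$now - $maxAge]);
    return $st->rowCount();
}

// Constructed walk-through: user 1 sits in rooms 5 and 6, user 2 in room 5.
$db = open_presence();
touch_presence($db, 1, 5, 1000);
touch_presence($db, 1, 6, 1000);
touch_presence($db, 2, 5, 1000);
touch_presence($db, 1, 5, 1090);   // same (u_id, room_id) again: the row is updated, not duplicated
print_r(present($db, 5, 1100, 60));
echo "rows in tn: ", $db->query('SELECT COUNT(*) FROM tn')->fetchColumn(), "\n";
echo "expired: ", expire($db, 1100, 60), "\n";
```

The placeholders matter here as much as the upsert: u_id and room_id come from the request, and binding them keeps the single statement from becoming a single injection point.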
  14. I just so happen to be reading this and I move onto page 45...
  15. The hash of what? If you're using a sess_id then also keep track of the last sess_id, so when they return, check against the last one and update the cookie to the new one... then it's reset on every new browser session; you could do a length-of-time thing as well just for good measure?
  16. OK, some searching and I find that Firefox trips when trying to make multiple connections... strange, because once it's going it handles it fine. Anyway I've set a second set of connection handlers, which seems far from ideal. However I now expect that I might need to set up a third connection set. I'm going to do some tests to see if I just need a separate handler or send function; any wisdom will be gratefully received...
  17. I'm very self-taught with AJAX; I found an example which said this is how complicated it wasn't, the rest was up to your protocol... The problem I get is when, upon loading a new page, say a connection sends a msg, then another is sent upon the send returning, however I get errors: This error is always from the second send... This is some of the connection code (I assume it's TCP, however can it handle sending another msg before the last returns?):

```javascript
// one global request object, shared by every call to ajax_send()
var ajaxconn = null;

function ajax_create_conn() {
    if (navigator.appName == 'Microsoft Internet Explorer') {
        try {
            ajaxconn = new ActiveXObject('Msxml2.XMLHTTP');
        } catch (e) {
            try {
                ajaxconn = new ActiveXObject('Microsoft.XMLHTTP');
            } catch (e) {
                alert('Your browser does not support AJAX!');
                ajaxconn = null;
            }
        }
    } else {
        // Firefox, Opera 8.0+, Safari
        ajaxconn = new XMLHttpRequest();
    }
    return;
}

function ajax_send(cmd) {
    if (ajaxconn != null) {
        ajaxconn.onreadystatechange = ajax_handle_conn;
        // this JS is emitted from a PHP string, so $loc is substituted server-side
        ajaxconn.open('get', '".$loc."?cmd=' + cmd);
        ajaxconn.send(null);
    }
}

function ajax_handle_conn() {
    if (ajaxconn.readyState == 4) {
        var response = ajaxconn.responseText;
        //...
    }
}
```
  18. Not that I'm sure on this, but is that a valid table name? It has a dot in it, or is that a db dot notation type thing I've not come across? Also see if this gives any more insight: error_reporting(E_ALL); Can't see it, but have you got insert privileges, can you insert on other tables?
  19. Seems ok at first glance? Is it throwing any errors? Try: error_reporting(E_ALL); Just for fun I use this for comparing strings (but it's not your prob): strcmp($catagoryDesc, "") == 0 Hmmm, not sure?
  20. There's always two parts to a sign, the signifier and the signified, and as I was so rightly informed the other day, it's all aboot perception...
  21. Just thinking how you'd handle a replace to ensure continuity... /^([0-9]{6})([, ]{0,1})([0-9]{4})([, ]{0,1})([0-9]{4})([, ]{0,1})([0-9]{4})$/ but I'm not sure what would happen if a grouping was missing; I think it should be ok...
  22. Have you tested that? You could use: [, -_.|:] etc. to cover all the bases, p.s. some of those may need escaping... Oh, I just noticed: /^[0-9]{6}[, ]{0,1}[0-9]{4}[, ]{0,1}[0-9]{4}[, ]{0,1}[0-9]{4}$/ that the last bit wasn't needed! P.s. this isn't checked, I'm here just to drink my coffee... and there's a whole area dedicated to this subject next door...
  23. Regex could go a little like: /[0-9]{6}[, ]{0,1}[0-9]{4}[, ]{0,1}[0-9]{4}[, ]{0,1}[0-9]{4}[, ]{0,1}/ it'll be similar for both... p.s. they can use spaces or nothing instead of commies, you know what studies are like!
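Added example, serving posts 21 to 23 above and not code from any of them or their author: the 6-4-4-4 digit pattern with the comma-or-space-or-nothing separators the posts mention, anchored at both ends so the whole input has to fit, plus a normaliser that hands back the bare digits for storage or comparison. The sample inputs are constructed; the constant and function names are this example's own.

```php
<?php
// Added example (not from the original posts).

// ^ and $ anchor the pattern: nothing may precede or follow the four groups.
// [, ]? allows exactly one comma, one space, or nothing between groups.
// Capture groups keep the digits so the separators can be dropped afterwards.
const GROUPED_NUMBER = '/^(\d{6})[, ]?(\d{4})[, ]?(\d{4})[, ]?(\d{4})$/';

// Returns the 18 digits with separators removed, or null if the input does not fit.
function normalise_number(string $input): ?string {
    if (!preg_match(GROUPED_NUMBER, trim($input), $m)) {
        return null;
    }
    return $m[1] . $m[2] . $m[3] . $m[4];
}

// Constructed inputs covering the cases the posts wonder about.
$samples = [
    '123456,1234,1234,1234',     // commas
    '123456 1234 1234 1234',     // spaces
    '123456123412341234',        // no separators at all
    '123456,1234 1234,1234',     // mixed separators
    '123456, 1234, 1234, 1234',  // comma followed by a space: two separators in a row
    '123456,1234,1234',          // a group missing
    'x123456,1234,1234,1234',    // leading junk
];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, normalise_number($s) ?? 'no match');
}
```

Run it with `php example.php` to see which forms the anchored pattern accepts. Storing the normalised digits and re-formatting them on display keeps the database free of the user's choice of separator, which is also what makes equality lookups work.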