
Everything posted by drisate

  1. Did you try CTRL+ALT+DEL? lol no seriously, are you asking us to help you or to do it for you? Post some code, something you tried, and show us where you are stuck.
  2. Use something like this $date=explode("/", $from) if ($date[0]=="01"){$date[0]="September";} [...] echo "$date[0] $date[1], $date[2]"
  3. Thx, I made the change but I get the same problem. I can't connect when I filter $COOKIE_, but all the rest seems to be ok.
  4. Hey guys i am trying to build an effective code that will secure all my vars one shot for my board. this is what i have so fare
// NOTE(review): this "clean everything once" filter applies SQL escaping and HTML
// encoding to every request value regardless of where the value ends up. The two
// encodings protect different sinks (a quoted SQL string vs. HTML output); applying
// both up front stores HTML entities in the database and still leaves unquoted or
// numeric SQL contexts and non-HTML output contexts unprotected. Prefer bound
// parameters at the query and htmlspecialchars() at the point of output.

// Returns $string unchanged when magic quotes are on, otherwise escapes it with
// mysql_real_escape_string().
// NOTE(review): magic quotes escaping is not charset-aware, so trusting it in place
// of the driver's escaping is weaker. get_magic_quotes_gpc() always returns false
// from PHP 5.4 and is removed in PHP 8.0; the mysql_* extension is removed in PHP 7.0.
function safeEscapeString($string){
    if (get_magic_quotes_gpc()) {
        return $string;
    } else {
        // Uses the last opened MySQL link; a connection must already exist here.
        return mysql_real_escape_string($string);
    }
}

// Trims, SQL-escapes and then HTML-encodes one value, in that order.
// NOTE(review): trim() does not accept an array, so array-valued input such as the
// "cookie[name]" / "cookie[md5pass]" cookies set by the login script in this post
// is not handled here. That is one candidate for the cookie breakage described
// below; confirm by dumping $_COOKIE.
function cleanVar($string){
    $string = trim($string);
    $string = safeEscapeString($string);
    $string = htmlentities($string);
    return $string;
}

// Builds $POST_ from $_POST. Empty values go to $empty untouched.
if (isset($_POST)){
    // $empty is re-created in every section below, so only the last section's
    // empty values survive.
    $empty = $POST_ = array();
    foreach ($_POST as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $POST_[$varname] = cleanVar($varvalue);
            // NOTE(review): this second assignment overwrites the cleaned value with
            // the raw one, so $POST_ is not filtered at all in this version.
            $POST_[$varname] = $varvalue;
            // NOTE(review): debug output echoes the request key and the raw value
            // into the page without HTML encoding; remove before deployment.
            echo "POST var $varname = $POST_[$varname]<br>"; // DEBUG
        }
    }
}

// Builds $GET_ from $_GET.
if (isset($_GET)){
    $empty = $GET_ = array();
    foreach ($_GET as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $GET_[$varname] = cleanVar($varvalue);
            // NOTE(review): same overwrite as in the POST section; $GET_ holds raw input.
            $GET_[$varname] = $varvalue;
            echo "GET var $varname = $GET_[$varname]<br>"; // DEBUG
        }
    }
}

// Builds $COOKIE_ from $_COOKIE. Unlike the POST and GET sections, the raw
// re-assignment is commented out, so cleanVar() really is applied here. This is
// why only the cookie path behaves differently.
if (isset($_COOKIE)){
    $empty = $COOKIE_ = array();
    foreach ($_COOKIE as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $COOKIE_[$varname] = cleanVar($varvalue);
            //$COOKIE_[$varname] = $varvalue;
            // NOTE(review): this prints every cookie, including the session id
            // visible in the post's sample output.
            echo "COOKIE var $varname = $COOKIE_[$varname]<br>"; // DEBUG
        }
    }
}

// Builds $REQUEST_ from $_REQUEST; cleanVar() is applied here as well.
if (isset($_REQUEST)){
    $empty = $REQUEST_ = array();
    foreach ($_REQUEST as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $REQUEST_[$varname] = cleanVar($varvalue);
            //$REQUEST_[$varname] = $varvalue;
            echo "REQUEST var $varname = $REQUEST_[$varname]<br>"; // DEBUG
        }
    }
}
Works well for POST GET and REQUEST but form some reason when it gets to COOKIE it breaks ... 
POST var name = admin POST var pass = demo POST var from = target=forum GET var target = dologin COOKIE var logintheme = cpanel COOKIE var cprelogin = no COOKIE var cpsession = closed COOKIE var PHPSESSID = 820232b77016038d436e6f9ee5154929 REQUEST var target = dologin REQUEST var name = admin REQUEST var pass = demo REQUEST var from = target=forum REQUEST var logintheme = cpanel REQUEST var cprelogin = no REQUEST var cpsession = closed REQUEST var PHPSESSID = 820232b77016038d436e6f9ee5154929 http://versatilebb.com/demo Username: admin Pass: demo I can't log in and when i change $COOKIE_[$varname] = cleanVar($varvalue); to $COOKIE_[$varname] = $varvalue; it works number one ... This is my login script
// Login handler: looks the user up by name and password hash, optionally sets
// "remember me" cookies, registers the session and redirects.
// NOTE(review): $name, $md5pass, $pass, $cookie, $target, $from, $REMOTE_ADDR,
// $PHP_SELF, $PS, $dbprefix and $db are not assigned in this excerpt. They are
// presumably register_globals-style request/server variables or set by an include;
// verify where each comes from.
// NOTE(review): $name and $md5pass are interpolated into the SQL string. Unless
// they are escaped before this point, this is injectable; use a prepared statement
// with bound parameters.
$getuser=mysql_query("SELECT * FROM $dbprefix"."_user WHERE name='$name' AND pass='$md5pass'", $db);
if ($getuser) {
    if (mysql_num_rows($getuser)>0) {
        //session_cache_expire(30);
        //session_start();
        $loguser=mysql_fetch_array($getuser);
        if ($loguser['allow_cookie']=="true" && !isset($cookie) && !empty($name)) {
            // NOTE(review): the stored value is the same hash the query compares
            // against, so the cookie is a password-equivalent credential kept for
            // one year, set without HttpOnly/Secure flags. The variable name
            // suggests unsalted MD5. Prefer a random, server-side revocable token
            // and password_hash()/password_verify() for the stored password.
            // The "cookie[...]" names make $_COOKIE['cookie'] an array on later requests.
            setcookie("cookie[name]",$name,time() + 86400*365);
            setcookie("cookie[md5pass]",$md5pass,time() + 86400*365);
        }
        // session_register() was removed in PHP 5.4; $_SESSION is the replacement.
        if (session_register("loguser")) {
            $now=date("Y-m-d H:i:s");
            // No link identifier is passed here, unlike the other queries.
            // NOTE(review): the index is written 'iD' as posted; confirm the column's case.
            $update=mysql_query("UPDATE $dbprefix"."_user SET lastlogin='$now', last_IP='$REMOTE_ADDR' WHERE ID='$loguser[iD]'");
        }
        if (!isset($pass))$pass="";
        // NOTE(review): keeps the plaintext password in $loguser, which was just
        // registered as a session variable; presumably it ends up in session storage.
        $loguser['origpass']=$pass;
        $clear_read_messg=mysql_query("DELETE FROM $dbprefix"."_mread WHERE user_ID='$loguser[iD]'", $db);
        if ($target=="dologin") {
            if (!empty($from)) {
                //$from=ereg_replace("target=","otarget=",$from);
                // NOTE(review): $from is request data (see "POST var from" in the
                // debug output above) written into an HTML attribute without
                // encoding. Encode it with htmlspecialchars() and restrict it to
                // expected query strings.
                print("<meta http-equiv=\"refresh\" content=\"0; URL=$PHP_SELF?$from$PS\">");
            } else {
                print("<meta http-equiv=\"refresh\" content=\"0; URL=$PHP_SELF?target=forum$PS\">");
            }
        }
    } else {
        // No matching row: runs the password-reminder include (not shown here).
        include("admin/sendpass.inc.php");
        $md5_2=md5($pass);
    }
} else {
    // NOTE(review): raw driver errors are shown to the visitor; log them
    // server-side and show a generic message instead.
    print("error: ");
    echo mysql_errno($db) . " - " . mysql_error($db);
}
  5. would be more like
// Corrected filter loops: the raw re-assignments and the debug echoes are now
// commented out, so every non-empty value in $POST_, $GET_, $COOKIE_ and
// $REQUEST_ has gone through cleanVar() (the helper from the author's previous post).
// NOTE(review): empty values are still copied to $empty without cleaning, and
// $empty is reset by each section, so it ends up holding only the $_REQUEST
// section's entries.
// NOTE(review): cleanVar() is called on each top-level value. Array-valued
// parameters (e.g. name[] form fields or "cookie[...]" cookies) are passed to it
// as arrays; confirm the helper handles that.
if (isset($_POST)){
    $empty = $POST_ = array();
    foreach ($_POST as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $POST_[$varname] = cleanVar($varvalue);
            //$POST_[$varname] = $varvalue;
            //echo "POST var $varname = $POST_[$varname]<br>"; // DEBUG
        }
    }
}
if (isset($_GET)){
    $empty = $GET_ = array();
    foreach ($_GET as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $GET_[$varname] = cleanVar($varvalue);
            //$GET_[$varname] = $varvalue;
            //echo "GET var $varname = $GET_[$varname]<br>"; // DEBUG
        }
    }
}
if (isset($_COOKIE)){
    $empty = $COOKIE_ = array();
    foreach ($_COOKIE as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $COOKIE_[$varname] = cleanVar($varvalue);
            //$COOKIE_[$varname] = $varvalue;
            //echo "COOKIE var $varname = $COOKIE_[$varname]<br>"; // DEBUG
        }
    }
}
if (isset($_REQUEST)){
    $empty = $REQUEST_ = array();
    foreach ($_REQUEST as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = $varvalue;
        } else {
            $REQUEST_[$varname] = cleanVar($varvalue);
            //$REQUEST_[$varname] = $varvalue;
            //echo "REQUEST var $varname = $REQUEST_[$varname]<br>"; // DEBUG
        }
    }
}
lol i call those beer typos hehe
  6. i am currently testing a new script i made
// Returns $string unchanged when magic quotes are on, otherwise escapes it with
// mysql_real_escape_string().
// NOTE(review): magic quotes escaping is not charset-aware; get_magic_quotes_gpc()
// always returns false from PHP 5.4 and is removed in PHP 8.0, and the mysql_*
// extension is removed in PHP 7.0.
function safeEscapeString($string){
    if (get_magic_quotes_gpc()) {
        return $string;
    } else {
        return mysql_real_escape_string($string);
    }
}

// Trims, SQL-escapes and then HTML-encodes one value.
// NOTE(review): SQL escaping and HTML encoding protect different sinks. Applying
// both to all input does not make every later use safe (unquoted SQL, identifiers
// and non-HTML output are not covered) and stores entity-encoded text. Bound
// parameters at the query plus encoding at output are the reliable fix.
function cleanVar($string){
    $string = trim($string);
    $string = safeEscapeString($string);
    $string = htmlentities($string);
    return $string;
}

// Builds $POST_ from $_POST. In this version empty values are passed through
// cleanVar() as well.
if (isset($_POST)){
    $empty = $POST_ = array();
    foreach ($_POST as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = cleanVar($varvalue);
        } else {
            $POST_[$varname] = cleanVar($varvalue);
            //$POST_[$varname] = $varvalue;
            //echo "POST var $varname = $POST_[$varname]<br>"; // DEBUG
        }
    }
}

// NOTE(review): the three sections below no longer read the superglobals. The
// test is isset($GET_) and the loop iterates $GET_, which was set to an empty
// array on the line before, so the loop body never runs and $GET_ stays empty
// (or undefined when the isset() test fails). The same applies to $COOKIE_ and
// $REQUEST_. This looks like the search-and-replace described below renaming
// $_GET/$_COOKIE/$_REQUEST inside the filter itself; the source of each loop
// should remain the original superglobal.
if (isset($GET_)){
    $empty = $GET_ = array();
    foreach ($GET_ as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = cleanVar($varvalue);
        } else {
            $GET_[$varname] = cleanVar($varvalue);
            //$GET_[$varname] = $varvalue;
            //echo "GET var $varname = $GET_[$varname]<br>"; // DEBUG
        }
    }
}
if (isset($COOKIE_)){
    $empty = $COOKIE_ = array();
    foreach ($COOKIE_ as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = cleanVar($varvalue);
        } else {
            $COOKIE_[$varname] = cleanVar($varvalue);
            //$COOKIE_[$varname] = $varvalue;
            //echo "COOKIE var $varname = $COOKIE_[$varname]<br>"; // DEBUG
        }
    }
}
if (isset($REQUEST_)){
    $empty = $REQUEST_ = array();
    foreach ($REQUEST_ as $varname => $varvalue) {
        if (empty($varvalue)) {
            $empty[$varname] = cleanVar($varvalue);
        } else {
            $REQUEST_[$varname] = cleanVar($varvalue);
            //$REQUEST_[$varname] = $varvalue;
            //echo "REQUEST var $varname = $REQUEST_[$varname]<br>"; // DEBUG
        }
    }
}
I found a software called "IinfoRapid Search and replace" that replaced all $_POST, $_GET, $_COOKIE and $_REQUEST to the cleaned version $POST_, $GET_, $COOKIE_ and $REQUEST_ automatocly all in one shot hehe saved me hours and didin't miss one! Anyway, i hope this is gona solve every security issues. Abbout the email bug i am gona make it return an error message if not valid thanks.
  7. Not nessesarly you can
// Builds an "id='..' or id='..'" condition from the submitted checkbox values.
// NOTE(review): $value comes straight from $_POST and is placed inside the SQL
// text, so the resulting DELETE is injectable. Cast each id with (int) and build
// an IN (...) list, or bind the ids as parameters of a prepared statement.
// NOTE(review): $del_string is read before it is first assigned, and "or" is
// appended without a trailing space, so with two or more ids the pieces join as
// "...' orid='...". Initialise the variable and add the space.
foreach($_POST['remove_selected'] as $value){
    $del_string="id='$value' or".$del_string;
}
// Drops the last three characters, i.e. the trailing " or".
$del_string = substr($del_string, 0, -3);
Then you DELETE using $del_string in your query
  8. Exactly, it's a way of making vars without a $, to put it simply lol
  9. post the one you have and tell us what exactly happens when you submit it
  10. try something like
// Loops over the ids submitted by the "remove_selected" checkboxes.
// NOTE(review): each $value is request data. Validate it (e.g. cast to int) or
// bind it as a query parameter before using it in the DELETE.
foreach($_POST['remove_selected'] as $value){
    //MySQL delete using $value as id
}
  11. It's not confusing when you take the time to read lol Defines a named constant at runtime Returns TRUE on success or FALSE on failure.
<?php
// NOTE(review): this example reflects the PHP version current when it was posted.
// From PHP 8.0 an undefined bare constant throws an Error instead of falling back
// to its name, and the third (case-insensitive) argument of define() is no longer
// supported (deprecated in PHP 7.3).
define("CONSTANT", "Hello world.");
echo CONSTANT; // outputs "Hello world."
echo Constant; // outputs "Constant" and issues a notice.
define("GREETING", "Hello you.", true);
echo GREETING; // outputs "Hello you."
echo Greeting; // outputs "Hello you."
?>
  12. hmm, I am not sure I understand your question ... but if it's about displaying the results of only one company, why not use a var in your url like www.this-site.com?index.php?id=222 then clean the $_GET[id] (for a numeric id, cast it to an integer) and place it in your sql query like this SELECT * FROM this_table WHERE id='$cleaned_id'
  13. You should trim() the files then explode() the spaces
  14. <?php //us a var is update.php if (isset($forme_should_not_be_posted))[...] ?>
  15. you can convert your array to a string, then explode on every comma (,) and loop using foreach
  16. same thing if the value of the check box is equal to the value you received you echo "checked";
  17. if you convert a string to upper case and if it doesn't change compared to the way it looked like before... it's already uppercase
// True when upper-casing leaves the string unchanged, i.e. it has no lower-case letters.
// NOTE(review): strtoupper() works on bytes, so multibyte (e.g. UTF-8 accented)
// letters need mb_strtoupper(); === avoids loose-comparison surprises with
// numeric-looking strings.
if (strtoupper($the_string) == $the_string) {
    // Single-quoted, so "$the_string" is printed literally rather than interpolated.
    echo '$the_string contains only upper case letters and maybe other non-letter characters';
}
  18. I don't believe that exists yet ... you should download the codec and see if you can build one out of it
  19. in this example I am using $contact_time ... did you $contact_time=$_POST[contact_time]; ?
  20. use this
<?php
// Lists every row of $TableName with Delete/Edit links.
// NOTE(review): the fname, lname, email and level columns are echoed into HTML
// and into the link URLs without encoding. If these are user-supplied this is
// stored XSS; wrap text in htmlspecialchars() and URL values in urlencode().
// NOTE(review): the Delete link is a plain GET keyed by first name. A
// state-changing action should be a POST with a CSRF token and should identify
// the row by a unique id, since first names are not unique.
// NOTE(review): $TableName is interpolated into the query; make sure it is a
// fixed value, never request data. die(mysql_error()) shows driver errors to
// the visitor.
// The <table> is opened inside the loop, so one table (with header) is printed per row.
$Query = mysql_query("SELECT * from $TableName") or die (mysql_error());
if (mysql_num_rows($Query)) {
    while ($data = mysql_fetch_array($Query)) {
?>
<table border="1" align="center">
<tr> <td>First Name</td><td>Last Name</td><td>Email</td><td>User Level</td><td>Delete</td><td>Edit User</td> </tr>
<tr> <td><?php echo $data['fname']; ?></td><td><?php echo $data['lname']; ?></td><td><?php echo $data['email']; ?></td><td><?php echo $data['level']; ?></td><td><a href="delete.php?fname=<?php echo $data['fname']; ?>">Delete User</a></td><td><a href="edit.php?fname=<?php echo $data['fname']; ?>">Edit User</a></td> </tr>
</table>
<?php
    }
}
?>
  21. Maybe it's time to make an XSS protection sticky thread where we can find everything we need ... how to prevent ... how to protect against it for global applications and not just one input/output at a time.
  22. yeah, I asked almost the same thing. Let's stick to the same thread. http://www.phpfreaks.com/forums/index.php/topic,183615.0.html
  23. i use this XML class parser. Makes stuff very easy Ex of use:
// Handler called by the parser for each registered element path: a "Name"
// element inserts a new coach row, any other element updates one column of the
// most recently inserted row.
// $name    - element name as passed by the parser
// $attribs - element attributes (unused here)
// $content - element markup; the text between <$name> and </$name> is extracted below
function xml_to_db1($name,$attribs,$content) {
    if ($content!=""){
        // After these two explode() calls $content is an array whose element 0 is
        // the text inside the tag.
        $content = explode("<$name>", $content);
        $content = explode("</$name>", $content[1]);
        // NOTE(review): addslashes() is not charset-aware; use
        // mysql_real_escape_string() or, better, a prepared statement.
        $content[0]=addslashes($content[0]);
    }
    if ($name=="Name"){
        // When $content was empty it is still a string here, so $content[0] is not
        // the extracted text.
        $enter = mysql_query("INSERT INTO coach (id, name) VALUE ('', '$content[0]')") or die (mysql_error());
    }else{
        if ($content!=""){
            // Picks the row with the highest id, which assumes each coach's Name
            // element is handled before its other fields and that no other insert
            // happens in between.
            $coach_select = mysql_query("SELECT * FROM coach order by id desc limit 0,1") or die (mysql_error());
            $coach = mysql_fetch_array($coach_select);
            // NOTE(review): $name is used as a column identifier taken from the XML
            // element name. Escaping does not protect identifiers; check it against
            // a fixed list of allowed column names before building the query.
            $enter = mysql_query("UPDATE coach SET $name='$content[0]' WHERE id='$coach[id]'") or die (mysql_error());
        }
    }
}

// Registers the same handler for each coach field, then parses the file.
// Path_parser is the third-party class the post refers to; it is not shown here.
$parser1 = new Path_parser();
$parser1->set_handler("/STHS-Coaches/Coach/Name","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/Team","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/Country","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/Age","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/PH","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/DF","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/OF","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/PD","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/EX","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/LD","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/PO","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/Contrac","xml_to_db1");
$parser1->set_handler("/STHS-Coaches/Coach/Salary","xml_to_db1");
if(!$parser1->parse_file("include/xml/LNHSP3-Coaches.xml")) {
    print("Error:".$parser1->get_error()."<br/>\n");
}else{
    echo "LNHSP3-Coaches.xml has been parsed!<br>";
}