
ibolui

Members · 28 posts · Last visited: Never
Gender: Not Telling
Achievements: Newbie (1/5) · Reputation: 0
  1. hi, these folders are not meant to host php files. i was told to use passthru() / readfile() to serve out the files. but my concern is, will this put an extra burden on the server? such that 100 users downloading different 1mb files (100x100mb) at a time will cripple the memory or processing power??
  2. i have some questions on how folder and file permissions work. say i have user directories outside 'protected' as below..

     users
       usera
         docs
       userb
         docs
     protected

     i do not want user B, who does not have the rights, to access anything in user A's directories. also, i do not want any person to access the directories directly via url links. basically i just want users to be able to access their own directories, and no one else. how can it be done? thanks!
  3. hi, i know this question has been asked many times.. and i have googled a lot but i am still unable to get the desired result. my .htaccess is as below

     Options -Indexes
     Options -ExecCGI
     AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
     <Files ^(*.jpeg|*.jpg|*.png|*.gif)>
     order deny,allow
     deny from all
     </Files>

     the Options -Indexes works but not the rest. because if i put an index.php with phpinfo(), i am able to view the php info. if i remove |*.gif, i am still able to load gif files in the browser. and if i put a text file in the directory, i am also able to load the text file. can anyone guide me on what went wrong??
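One way to get what posts 1 and 2 ask for, as an added example that is not code from this thread: keep the users/ tree outside the document root so nothing in it has a URL, and serve files only through a gateway script that checks ownership and containment before streaming. It assumes a USERS_ROOT path and that $_SESSION['user'] holds the server-assigned directory name of the logged-in user.

```php
<?php
// Added example: download gateway for the users/<name>/docs layout.
// Assumed: USERS_ROOT is outside DocumentRoot and $_SESSION['user'] is set
// by the login code to the user's own directory name (never from user input).
declare(strict_types=1);

const USERS_ROOT = '/var/www/users';   // assumed location

function user_file_path(string $user, string $requested): ?string
{
    // The user name is server-assigned, but be strict about it anyway.
    if (!preg_match('/^[a-z0-9_]{1,32}$/D', $user)) {
        return null;
    }
    // Only plain file names: no slashes, no leading dot, bounded length.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/D', $requested)) {
        return null;
    }
    $base = realpath(USERS_ROOT . '/' . $user . '/docs');
    if ($base === false) {
        return null;                   // user directory missing
    }
    $path = realpath($base . '/' . $requested);
    // realpath() resolves symlinks; the result must still sit under $base.
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit;
}
$path = user_file_path($_SESSION['user'], $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);           // same answer for "missing" and "not yours"
    exit;
}
// readfile() streams the file in chunks (with output buffering off), so
// concurrent downloads cost disk and network I/O rather than RAM per user.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

For very large files the usual step beyond this is to let the web server do the streaming (X-Sendfile or an equivalent) after the script has done the checks.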
  4. but the $input is text from a rich textarea, which i think will be too much to token replace.. before i insert into the database, i had mysql_real_escape_string($input). for some reason, because i need to echo out the exact $input to a flash app, can i just echo out $input exactly as it is, without using htmlentities or other escaping functions?
  5. hi, i just read that for security purposes, i should escape my $output before echoing the values. and the method is to use htmlentities. however, if the $output is html text, for example, $output = "A 'quote' is <b>bold</b>"; and i wish to retain the <b> tag instead of it becoming &lt;b&gt;, what should i do? if i am to echo ANY unescaped output to a flash app frontend, will there be security issues ???
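An added example for posts 4 and 5 (not code from the thread): escaping is chosen per output context, not per input, so mysql_real_escape_string() on the way into the database says nothing about what is safe to echo. The sample string from post 5 is escaped for plain HTML, for HTML with a small allow-list of formatting tags, and as JSON for a client such as a Flash app.

```php
<?php
// Added example: context-specific escaping for the $output of post 5.
declare(strict_types=1);

// Plain text going into an HTML page: escape everything, quotes included.
function esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rich text: escape everything first, then restore only exact, attribute-free
// <b>, </b>, <i>, </i>. Any other tag, and any tag with attributes, stays
// escaped, so "<b onmouseover=...>" or "<script>" never reaches the browser
// as markup. Extend the two lists only with tags you have decided to allow.
function esc_html_allow_bold_italic(string $text): string
{
    return str_replace(
        ['&lt;b&gt;', '&lt;/b&gt;', '&lt;i&gt;', '&lt;/i&gt;'],
        ['<b>', '</b>', '<i>', '</i>'],
        esc_html($text)
    );
}

// Data handed to a Flash (or any other) client: use the JSON encoder, with
// the HTML-significant characters hex-escaped so the blob stays safe even
// if it is ever printed straight into a page.
function to_json_for_client(array $data): string
{
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$output = "A 'quote' is <b>bold</b>";
echo esc_html($output), "\n";                                  // all markup escaped
echo esc_html_allow_bold_italic($output), "\n";                // <b> survives
echo esc_html_allow_bold_italic("<b onclick=x>hi</b><script>"), "\n"; // stays escaped
echo to_json_for_client(['text' => $output]), "\n";            // for the client
```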
  6. my session codes are as follows...

     session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_clean');

     function _open() {
         global $db;
         return $db;
     }

     function _close() {
         global $db;
         return mysql_close($db);
     }

     // session_data is stored as base64(iv . ciphertext); split and decrypt it
     function _read($id) {
         global $db;
         $algorithm = MCRYPT_BLOWFISH;
         $mode = MCRYPT_MODE_CBC;
         $id = mysql_real_escape_string($id);
         $sql = "SELECT session_data FROM sessions WHERE session_id = '$id'";
         if ($result = mysql_query($sql, $db)) {
             if (mysql_num_rows($result)) {
                 $record = mysql_fetch_assoc($result);
                 // return $record['session_data'];
                 $data = base64_decode($record['session_data']);
                 $iv_size = mcrypt_get_iv_size($algorithm, $mode);
                 $ciphertext = substr($data, $iv_size);
                 $iv = substr($data, 0, $iv_size);
                 $crypt = new crypt();   // crypt class from the book, not shown here
                 $crypt->iv = $iv;
                 $crypt->ciphertext = $ciphertext;
                 $crypt->decrypt();
                 return $crypt->cleartext;
             }
         }
         return '';
     }

     // encrypt with a fresh iv, prepend the iv, base64 and upsert
     function _write($id, $data) {
         global $db;
         $expires = time();   // last-write time; _clean() compares against it
         $crypt = new crypt();
         $crypt->cleartext = $data;
         $crypt->generate_iv();
         $crypt->encrypt();
         $ciphertext = $crypt->ciphertext;
         $iv = $crypt->iv;
         $data = base64_encode($iv . $ciphertext);
         $id = mysql_real_escape_string($id);
         $expires = mysql_real_escape_string($expires);
         $data = mysql_real_escape_string($data);
         $sql = "REPLACE INTO sessions VALUES ('$id', '$expires', '$data')";
         return mysql_query($sql, $db);
     }

     function _destroy($id) {
         global $db;
         $id = mysql_real_escape_string($id);
         $sql = "DELETE FROM sessions WHERE session_id = '$id'";
         return mysql_query($sql, $db);
     }

     // garbage collector: drop rows not written to within $max seconds
     function _clean($max) {
         global $db;
         $old = time() - $max;
         $old = mysql_real_escape_string($old);
         $sql = "DELETE FROM sessions WHERE session_expires < '$old'";
         return mysql_query($sql, $db);
     }
  7. hi, i have implemented the storage of session data into mysql database, as described in 'essential php security'. i would like to ask how do i 'clean up' both the 'sessions' and 'sessions_keys' tables?
  8. then try navigating to the dir where the photo is. say delete_photo.php is in the main dir and photo.jpg is in main, then it should be something like unlink('./photo.jpg'); if delete_photo.php is in the main dir and photo.jpg is in main/photos, then it should be something like unlink('./photos/photo.jpg'); try to navigate using . or .. to point to the correct path
  9. i tried some simple tests. firstly, if the file does not exist, your code will not produce the die error. so if the photo is in the same dir as delete_photo.php, try this.. unlink('./photo.jpg'); because as your first post said, "No such file or directory", which i assume means that the path is wrong.
  10. is this what you are looking for?

      $div = <<<EOQ
      your div here
      EOQ;
      echo $div;
  11. hi... somebody help me with me?
  12. i'm not too sure, someone correct me if i'm wrong. i would think that unlink(/photos/1488659011.jpg) means deleting 1488659011.jpg from a photos dir, a subfolder where delete_Photo.php resides. meaning if delete_Photo.php is in dir main, then unlink is trying to delete main/photos/1488659011.jpg. hence you may like to check if the path is correct. also, unlink($filepath) returns unlink(/photos/1488659011.jpg), which may mean $config_basedir is initialised..
  13. hi, i am trying to write a script for uploading media files (video/audio). i wish to know if there should be any concern about security issues, as in what validation etc. my script should perform.. i have done some basic checks such as the file extension, filesize and is_uploaded_file. for images, i tried using imagecreatefromjpeg etc. to see whether the uploaded file is a valid image. likewise i would like to know if there are also any other ways to check whether the uploaded media files are valid.. also, will there be a problem if the uploaded images/media contain viruses?
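The validation chain post 13 is asking about, as an added example that is not code from the thread: extension allow-list, size bound, is_uploaded_file, content sniffing with finfo so the bytes must agree with the extension, a structural check for images, and a server-chosen file name. It assumes a form field named "media" and an UPLOAD_DIR from which the web server never executes scripts.

```php
<?php
// Added example: upload validation for image/audio/video files. Assumed:
// UPLOAD_DIR is outside DocumentRoot (or has script execution disabled).
const UPLOAD_DIR = '/var/www/uploads';           // assumed location
const MAX_BYTES  = 50 * 1024 * 1024;
// Extension => MIME types the sniffed content must match for that extension.
const ALLOWED = [
    'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'png' => ['image/png'],  'gif'  => ['image/gif'],
    'mp4' => ['video/mp4'],  'mp3'  => ['audio/mpeg'],
    'ogg' => ['audio/ogg', 'video/ogg'],
];
// Returns the stored path, or throws RuntimeException with the rejection reason.
function accept_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not a PHP-managed upload');
    }
    if ($f['size'] <= 0 || $f['size'] > MAX_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // Extension from the client name: lower-cased, last component only, so
    // "shell.php.jpg" is treated as jpg and then judged by its real content.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the bytes; $f['type'] is set by the client and is never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }
    // Images get a structural check too (the post's imagecreatefrom* idea);
    // re-encoding them with GD afterwards also discards any non-image bytes.
    if (strpos($mime, 'image/') === 0 && @getimagesize($f['tmp_name']) === false) {
        throw new RuntimeException('corrupt image');
    }
    // Server-chosen name: the client controls neither the path nor the extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                              // readable, never executable
    return $dest;
}

echo accept_upload($_FILES['media'] ?? []), "\n";
```

For audio/video there is no equivalent of the GD round-trip in core PHP; the content sniff plus a non-executable storage directory is what keeps a mislabelled or infected file from doing anything on the server, and a malware scanner on the stored file is the usual extra step.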
  14. $new_width = $percent * $width; $new_height = $percent * $height; something like this??