ibolui
Members, 28 posts, last visited: Never

Everything posted by ibolui

  1. Hi, these folders are not meant to host PHP files. I was told to use passthru() or readfile() to serve out the files. But my concern is, will this put extra burden on the server, such that 100 users downloading different 1mb files (100x100mb) at a time will cripple the memory or processing power?
  2. Hi, I have some questions on how folder and file permissions work. Say I have user directories outside 'protected' as below..

     users
       -- usera
          -- docs
       -- userb
          -- docs
     protected

     I do not want user B, who does not have the rights, to access anything in user A's directories. Also, I do not want anyone to access the directories directly via URL links. Basically I just want users to be able to access their own directories, and no one else's. How can it be done? Thanks!
  3. Hi, I know this question has been asked many times, and I have googled a lot, but I am still unable to get the desired result. My .htaccess is as below:

     Options -Indexes
     Options -ExecCGI
     AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
     <Files ^(*.jpeg|*.jpg|*.png|*.gif)>
     order deny,allow
     deny from all
     </Files>

     The Options -Indexes works but not the rest, because if I put an index.php with phpinfo(), I am able to view the PHP info. If I remove |*.gif, I am still able to load gif files in the browser. And if I put a text file in the directory, I am also able to load the text file. Can anyone guide me on what went wrong?
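An added example, not from the thread, of an .htaccess that does what the post is after: nothing in the directory executes and only the image types are served. It assumes Apache 2.2 directive syntax (matching the post) and mod_php; the two things it does differently are using FilesMatch for the regex (a plain Files block takes a literal name) and switching PHP off instead of mapping .php to cgi-script, which registers it as executable.

```apache
# Added example (not from the thread): lock down a directory that must only serve
# static images. Apache 2.2 syntax as in the post; on 2.4 use "Require all denied"
# and "Require all granted" in place of Order/Deny/Allow.

# No directory listings, no CGI execution in this tree.
Options -Indexes -ExecCGI

# Switch the PHP engine off here rather than AddHandler'ing .php to cgi-script.
# IfModule avoids a 500 error if mod_php is not loaded (assumed module name).
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Drop any handler or type mapping that could still run a script from here.
RemoveHandler .php .php3 .php4 .phtml .pl .py .cgi .sh .shtml
RemoveType .php .php3 .php4 .phtml

# Default for everything in the directory: deny (covers .txt, .html, scripts, ...).
Order Deny,Allow
Deny from all

# Whitelist the image types by regex. <Files> matches a literal file name, so the
# post's <Files ^(*.jpeg|...)> never matched anything; FilesMatch takes a regex.
<FilesMatch "\.(jpe?g|png|gif)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>
```

Verify with a test directory containing an index.php, a .txt and a .gif: only the .gif should come back with 200, the other two with 403.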
  4. But the $input is text from a richtextarea, which I think will be too much to token replace.. Before I insert into the database, I had mysql_real_escape_string($input). For some reason, because I need to echo out the exact $input to a Flash app, can I just echo out $input exactly as it is, without using htmlentities or other escaping functions?
  5. Hi, I just read that for security purposes, I should escape my $output before echoing the values, and the method is to use htmlentities. However, if the $output is HTML text, for example, $output = "A 'quote' is <b>bold</b>"; and I wish to retain the < b > instead of it becoming <b>, what should I do? If I am to echo ANY unescaped output to a Flash app frontend, will there be security issues???
  6. My session code is as follows...

     session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_clean');

     function _open() {
         global $db;
         return $db;
     }

     function _close() {
         global $db;
         return mysql_close($db);
     }

     function _read($id) {
         global $db;
         $algorithm = MCRYPT_BLOWFISH;
         $mode = MCRYPT_MODE_CBC;
         $id = mysql_real_escape_string($id);
         $sql = "SELECT session_data FROM sessions WHERE session_id = '$id'";
         if ($result = mysql_query($sql, $db)) {
             if (mysql_num_rows($result)) {
                 $record = mysql_fetch_assoc($result);
                 // return $record['session_data'];
                 $data = base64_decode($record['session_data']);
                 $iv_size = mcrypt_get_iv_size($algorithm, $mode);
                 $ciphertext = substr($data, $iv_size);
                 $iv = substr($data, 0, $iv_size);
                 $crypt = new crypt();
                 $crypt->iv = $iv;
                 $crypt->ciphertext = $ciphertext;
                 $crypt->decrypt();
                 return $crypt->cleartext;
             }
         }
         return '';
     }

     function _write($id, $data) {
         global $db;
         $expires = time();
         $crypt = new crypt();
         $crypt->cleartext = $data;
         $crypt->generate_iv();
         $crypt->encrypt();
         $ciphertext = $crypt->ciphertext;
         $iv = $crypt->iv;
         $data = base64_encode($iv . $ciphertext);
         $id = mysql_real_escape_string($id);
         $expires = mysql_real_escape_string($expires);
         $data = mysql_real_escape_string($data);
         $sql = "REPLACE INTO sessions VALUES ('$id', '$expires', '$data')";
         return mysql_query($sql, $db);
     }

     function _destroy($id) {
         global $db;
         $id = mysql_real_escape_string($id);
         $sql = "DELETE FROM sessions WHERE session_id = '$id'";
         return mysql_query($sql, $db);
     }

     function _clean($max) {
         global $db;
         $old = time() - $max;
         $old = mysql_real_escape_string($old);
         $sql = "DELETE FROM sessions WHERE session_expires < '$old'";
         return mysql_query($sql, $db);
     }
  7. Hi, I have implemented the storage of session data in a MySQL database, as described in 'Essential PHP Security'. I would like to ask how I 'clean up' both the 'sessions' and 'sessions_keys' tables?
  8. Then try navigating to the dir the photo is in. Say delete_photo.php is in the main dir and photo.jpg is in main, then it should be something like unlink('./photo.jpg'); if delete_photo.php is in the main dir and photo.jpg is in main/photos, then it should be something like unlink('./photos/photo.jpg'); Try to navigate using . or .. to point to the correct path.
  9. I tried some simple tests. Firstly, if the file does not exist, your code will not produce the die error. So if the photo is in the same dir as delete_photo.php, try this.. unlink('./photo.jpg'); because as your first post said, "No such file or directory", which I assume means that the path is wrong.
  10. Is this what you are looking for?

      $div = <<< EOQ
      your div here
      EOQ;
      echo $div;
  11. Hi... can somebody help me with this?
  12. I'm not too sure, someone correct me if I'm wrong. I would think that unlink(/photos/1488659011.jpg) means deleting 1488659011.jpg from a photos dir, a subfolder where delete_Photo.php resides. Meaning if delete_Photo.php is in dir main, then unlink is trying to delete main/photos/1488659011.jpg. Hence you may like to check if the path is correct. Also, unlink($filepath) returns unlink(/photos/1488659011.jpg), which may mean $config_basedir is initialised..
  13. Hi, I am trying to write a script for uploading media files (video/audio). I wish to know if there should be any concern about security issues, as in what validation etc. my script should perform.. I have done some basic checks such as the file extension, filesize and is_uploaded_file. For images, I tried using imagecreatefromjpeg etc. to see whether the uploaded file is a valid image. Likewise I would like to know if there are any other ways to check whether the uploaded media files are valid.. Also, will there be a problem if the uploaded images/media contain viruses?
  14. $new_width = $percent * $width;
      $new_height = $percent * $height;

      Something like this??
  15. if($pk = 'Copyright © Dazzozo.COM 2008 All Rights Reserved<br><br><a href=\\\"http://dazzozo.com/led/\\\" title=\\\"Dazzozo.COM\\\">The LED Project</a>') {
          $pk = $rn;
      } else {
          $dr = base64_decode('WU9VIEhBVkUgUkVNT1ZFRCBUSEUgQ09QWVJJR0hUIE5PVElDRSwgUExFQVNFIEVNQUlMIDxhIGhyZWY9XCJtYWlsdG86bGVkQGRhenpvem8uY29tXCI+TEVEQERBWlpPWk8uQ09NPC9hPi4=');
      }

      I am not sure.. but does if($pk = 'Copyright ..... always return true? Shouldn't it be if($pk == 'Copyright .... ???
  16. Yeah it works! Just as simple as $clone = clone $obj; Thanks!
  17. I did some testing and realised that if I do this,

      $aaa = 123;
      $bbb = $aaa;
      $bbb = 456;

      $aaa will remain as 123. But if I do this,

      class c { var $x; }
      $aaa = new c();
      $aaa->x = 123;
      $bbb = $aaa;
      $bbb->x = 456;

      $aaa->x will become 456. But I do not want $aaa->x to change.. I am quite new to this also. Can someone enlighten me on how to do it?
  18. Emm.. I'm not really sure but I did try using =& but the outcome is not what I wanted. Basically I used $user_temp = $_SESSION['user'] because I want to change some fields of the user, but I do not want to change the instance inside the session. Hence I thought I could create a new variable with a copy of the user instance in the session. But upon changing $user_temp, the user instance inside the session is changed as well...
  19. Hmmm.. I think I found where the problem lies..

      $user_temp = $_SESSION['user'];
      $user_temp->birthday = date("n/j/Y", $user_temp->birthday);
      echo json_encode($user_temp);

      In my code I tried to create a temp var to store $_SESSION['user'], and then edit the birthday inside. However I think $_SESSION['user']->birthday has also been edited. How do I actually prevent this?
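The object-copy behaviour asked about in the three posts above, as an added example that is not code from the thread: the classes, names and sample values are made up for illustration, and __clone is used so that nested objects are copied too (the thread's simple "clone $obj" only copies one level).

```php
<?php
// Added example, not code from the thread. Classes, names and values are made up
// to show why "$user_temp = $_SESSION['user']" still edits the session object and
// how clone (with __clone for nested objects) gives an independent copy.

class Address {
    public $city;
    public function __construct($city) { $this->city = $city; }
}

class User {
    public $name;
    public $birthday;   // unix timestamp, formatted with date() only for output
    public $address;    // nested object: a plain clone would still share it

    public function __construct($name, $birthday, Address $address) {
        $this->name = $name;
        $this->birthday = $birthday;
        $this->address = $address;
    }

    // Runs on "clone $user": deep-copy nested objects so the copy is fully detached.
    public function __clone() {
        $this->address = clone $this->address;
    }
}

$_SESSION['user'] = new User('someone', mktime(0, 0, 0, 3, 14, 1985), new Address('Somewhere'));

// 1) Assignment copies the object handle, so both names point at the same object
//    and the session's birthday is overwritten with the formatted string.
$shared = $_SESSION['user'];
$shared->birthday = date("n/j/Y", $shared->birthday);
var_dump($_SESSION['user']->birthday === $shared->birthday);

// Restore the timestamp before the second run.
$_SESSION['user']->birthday = mktime(0, 0, 0, 3, 14, 1985);

// 2) clone gives an independent object: format it for json_encode while the
//    session keeps its integer timestamp and its own Address.
$user_temp = clone $_SESSION['user'];
$user_temp->birthday = date("n/j/Y", $user_temp->birthday);
$user_temp->address->city = 'Elsewhere';
var_dump(is_int($_SESSION['user']->birthday), $_SESSION['user']->address->city);
echo json_encode($user_temp), "\n";
```

The first var_dump shows the shared handle (the session was modified); the second pair shows the session untouched after the clone was edited.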
  20. Hi, I am facing a weird problem with my first attempt at Flex, PHP and MySQL. Please pardon me if this is not the correct place to post my question. I had a form created using Flex and JSON, with PHP as the backend. Below are segments of my code..

      //get the raw JSON data and cast to String
      var rawData:String = String(event.result);
      var user = JSON.decode(rawData);
      first_name.text = user.first_name;
      last_name.text = user.last_name;
      email.text = user.email;
      if (user.gender == "male") {
          male.selected = true;
      } else {
          female.selected = true;
      }
      var bday:Date = new Date(user.birthday);
      day.selectedIndex = bday.getDate() - 1;
      month.selectedIndex = bday.getMonth();
      year.selectedIndex = year_array.indexOf(bday.getFullYear().toString());
      ........
      echo json_encode($_SESSION['user']);

      When I first load the page, everything is populated correctly on the Flex frontend. However, when I refresh the page using F5, the birthday fields are incorrect, in the sense that it becomes 1 Jan 1970. I tried to print out the value of user.birthday and it is indeed 1 Jan 1970. But I am not sure why it has become this value..
  21. If I understand correctly... the article said that the purpose of putting the files outside the website root is to prevent users from accessing the files directly. But then this solution may lead to local file inclusion attacks, hence renaming the files uniquely and keeping track in a database. I think putting the files outside the website root is a very good idea, but I think it will be overkill to read and write those files via the database. Is there another method to prevent local file inclusion attacks besides the method mentioned in the article?
  22. Eemmm... I mean if, let's say, my website is an image gallery. Then by generating a unique filename and keeping track in a database, for huge numbers of files, is it feasible?
  23. Hi, I would like to seek recommendations regarding file upload. I have read that to prevent local file inclusion vulnerabilities, an uploaded file should be given a randomly generated file name and kept track of in a database. http://www.scanit.be/uploads/php-file-upload.pdf I am wondering about the feasibility of it, because if there is a huge number of files, such as on a gallery website, would it be advisable to use this approach? If not, what can be done?
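The random-name-plus-database approach discussed in this post and the upload-validation and readfile() questions above, as one added example that is not code from the thread or from the linked PDF. It assumes a PDO handle $db, a made-up table layout, and an UPLOAD_DIR outside DocumentRoot; it checks the content type with finfo rather than trusting the client's name.

```php
<?php
// Added example (not from the thread or the linked PDF). Assumptions: a PDO
// handle $db, a table uploads(id INT AUTO_INCREMENT PRIMARY KEY, stored_name
// CHAR(32), orig_name VARCHAR(255), mime VARCHAR(64)), and UPLOAD_DIR pointing
// at a directory outside DocumentRoot that Apache can write but never serves.
define('UPLOAD_DIR', '/var/www/uploads_private');   // assumed path

function store_upload(PDO $db, array $file) {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Decide on file content, not on the client-supplied name or type.
    $allowed = array('image/jpeg', 'image/png', 'image/gif', 'video/mp4', 'audio/mpeg');
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowed, true)) {
        return false;
    }
    // Random, extension-less name: nothing attacker-controlled reaches the
    // filesystem, and no handler would ever pick the file up by its suffix.
    $stored = bin2hex(openssl_random_pseudo_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, orig_name, mime) VALUES (?, ?, ?)');
    $stmt->execute(array($stored, basename($file['name']), $mime));
    return (int) $db->lastInsertId();   // the only identifier the client ever sees
}

function serve_upload(PDO $db, $id) {
    // Look the file up by integer id; the path is never built from request data,
    // so "../" and local file inclusion have nothing to work with.
    $stmt = $db->prepare('SELECT stored_name, orig_name, mime FROM uploads WHERE id = ?');
    $stmt->execute(array((int) $id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        header('HTTP/1.1 404 Not Found');
        return;
    }
    $path = UPLOAD_DIR . '/' . $row['stored_name'];
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['orig_name']);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);   // streams to output in chunks, so memory stays flat per download
}

// Usage: $id = store_upload($db, $_FILES['media']);   serve_upload($db, $_GET['id']);
```

On the feasibility question: the lookup is a single primary-key query and the stored name is 32 hex characters, so the scheme costs the same per file whether the gallery holds a hundred files or a million.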