Twister1004

Posts posted by Twister1004

  1. My assumption is that on your while loop, you have no curly braces.

     

    When an if / else statement runs, it will only read the next line, and disband the others as if they don't exist.

     

    //this will work!
    while($i < 10){
    return $i;
    $i++;
    }
    
    //This one will be an infinite loop!! D=
    while($i < 10)
    return $i;
    $i++;
    

     

    As you notice, the first one has curly braces, but the second one does not. It will be an infinite loop, BECAUSE without curly braces it will only return the next statement. However, everything inside the curly braces will be executed as part of that statement.

     

     

    So technically your code is only checked to see if those variables actually match. That's just about it.

  2. There's some kind of output in one of those files that shouldn't be there.

     

    Do a View Source on a bad page and see what's wrong. Odds are it's an error message but it could be something as innocent as whitespace in a bad place.

     

    I have looked at the source code with and without, and there is no difference. There is not an error, or any difference in code within the output.

  3. Hey guys!

     

    Well, this is actually kind of a weird problem I have been having, and I'm not too sure why I'm getting this problem. I've tried a lot of stuff, and it doesn't seem like I've been able to find a solution. I've been trying for about a month.

     

    Anyways, I have a website created with some OOP. Well, once I write an include statement to include a file, which then includes all my classes, it messes up my font, moves my website content down, and well.. it just does weird stuff.

     

    However, once I comment the include out, the website looks normal again.

     

    So basically, I can comment out the file itself and everything is just fine. But it only happens when I include my class files.

     

    Any ideas or suggestions would be amazing! Thank you!

     

     

     

  4. You wouldn't "use" magic_quotes_gpc(), per se. You do need to either ensure it's off by setting the directive in the php.ini file, or check for it with get_magic_quotes_gpc, then if it's on (and ONLY if it's on) you'd run stripslashes() on the incoming form data before escaping it. So it would be a function something like this:

     

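    function MAGIC_QUOTES_GPC_SUCKS($data) {
    // Truthiness check: the function reports "on" as integer 1,
    // which a strict === TRUE comparison would not match.
    if( get_magic_quotes_gpc() ) {
    	// Undo the automatic escaping so the data is escaped only once below
    	$data = stripslashes($data);
    }
    // Requires an open MySQL connection
    $data = mysql_real_escape_string($data);
    return $data;
    }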
    

     

    Obviously, you'd need to add a check to make sure you didn't pass an array to the function, or change it to work with arrays.

     

    So basically if Magic quotes is on, I do NOT need to run mysql_real_escape_string?

     

    Would it be better to keep using Magic_quotes or just turn it off?

  5. use stripslashes when you echo out your message from your database

    There should be no reason to use stripslashes() on data coming from the database. If the data is being stored with escaping slashes, then something is wrong with the way it's being inserted to begin with, and that is what should be fixed.

     

    I am using stripslashes() upon output. However there seems to be an extra slash that it is not removing.

     

    then use htmlspecialchars on the message just before inserting it into the database.

     

    htmlspecialchars() will not fix this issue. It is more than likely due to what Pikachu2000 has said.

     

    No, the problem is that the data is being escaped more than once. The OP needs to figure out why that's happening, whether it's due to magic_quotes_gpc() being ON, or just redundant/unnecessary code and correct the problem.

     

    As far as I am aware, I am not using magic_quotes_gpc(). I am using mysql_real_escape_string(). I also just found out, I am using it more than once as well. So I will be spending my time formatting the site again with my functions.

  6. Your register form should re-populate the fields with the values when there is a validation error.  Having to re-fill the form is annoying and will deter people from registering.

     

    Your age calculation seems to be a tiny bit off.  I was able to register successfully with a birthday that would make me 12 years old, not 13 like your error says you require.

     

    When registration is successful, you should not show the registration form, and your message saying it was successful could be a bit bigger.  Also:

    Your account was successfully created.

    Please wait at least one(1) minute before you log into your account.

     

    Why?  If they have to wait for an email confirmation, say that, don't just say wait one minute.  If there is some other reason for the wait, it sounds like something you need to fix, not just ask people to wait.

     

    When posting comments, you seem to have some issues with slashes.  I posted the comment:

    We say, "Welcome, O'neill!"

     

    <a href="/"> / </a>

     

    And what got posted was:

    We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n /

    (or as the html)

    We say, \\\"Welcome, O\\\'neill!\\\"\r\n\r\n<a href="\\\"/\\\""> / </a>

     

    You are still vulnerable to XSS attacks in your comment area, see the comment here, from batest.  Click the link asdf

     

     

    If I try and use the password recovery page, it tells me the birthday is invalid, even though I am entering the one I used on the registration page.

     

    I also noticed some more security vulnerabilities, and fixed them in the process as well.  The registration suggestions and issues, I have fixed. Although I'm not sure why it accepted someone at 2000, I tried and it only allowed 1999 or older. The comments, I will fix in time. I'm not sure exactly why it's doing that. It shouldn't be adding that many slashes. However, I'll fix it once I can figure out the cause.

     

    I will have to read more on XSS attacks then...

     

    I really appreciate your help, I really do!
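
The slash pile-up and the XSS report in the posts above both come down to where escaping happens. This added example (not code from the thread; `sql_escape`, `undo_magic_quotes` and the `comments` table are hypothetical, and SQLite stands in for MySQL) shows one escaping stack that yields the posted string, assuming magic_quotes_gpc plus two escaping calls, then stores the raw text through a bound parameter and HTML-escapes it only on output.

```php
<?php
// Added example: constructed input, hypothetical helper and table names.

// Stand-in for mysql_real_escape_string() so no MySQL connection is needed;
// it escapes the same characters (NUL, \n, \r, \, ', ", Ctrl-Z).
function sql_escape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// The comment from the post, constructed here as a PHP string.
$raw = "We say, \"Welcome, O'neill!\"\r\n\r\n<a href=\"/\"> / </a>";

// --- How the slashes pile up (assumed sequence) ---------------------------
$afterMagicQuotes = addslashes($raw);               // what magic_quotes_gpc does to $_POST
$afterFirstEscape = sql_escape($afterMagicQuotes);  // first escaping call
$inQuery          = sql_escape($afterFirstEscape);  // second, redundant call
// MySQL undoes exactly one layer when it parses the string literal, so the
// row ends up holding $afterFirstEscape, stray backslashes included.
echo "sent in the query: ", $inQuery, "\n";
echo "stored in the row: ", $afterFirstEscape, "\n";

// --- Store raw, escape for the output context -----------------------------
function undo_magic_quotes(string $s): string
{
    // get_magic_quotes_gpc() exists only on old PHP; it was removed in PHP 8.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($s);
    }
    return $s;
}

$pdo = new PDO('sqlite::memory:');   // in-memory database keeps the demo offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Bound parameter: the driver handles quoting, so no manual escaping at all.
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => undo_magic_quotes($raw)]);

$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $raw);          // compares the stored value with the original input

// HTML-escape at output time so the <a> tag is displayed as text, not markup.
echo nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')), "\n";
```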

  7. When you get it on a new server post back and I will look at it more.  For now, the ads are far too annoying to do any kind of serious testing.  I was getting popups / overlays on every single page load.

     

    The Webserver is set up finally!

     

    The address is: http://artistbeginnings.com

     

    There is also NO ADS... yet anyways.

     

    1. email address validation is missing, I created an account with email = 11

     

    2. possible to register LINK while you are logged in.

     

    3. xss (true) http://projecta.ulmb.com/news.php?NUID=11

     

    4. possible to comment on posts that do not exist, and check the length of comments. http://projecta.ulmb.com/news.php?NUID=9999

     

    5. on link http://projecta.ulmb.com/admin/ your refresh meta is not inside the head tag, so it doesn't work. Well, I am using Chrome.

     <meta http-equiv="refresh" content="2 url='../'"/>

     

    I just went through all of the items you mentioned, and I have fixed them as far as I can tell.

     

    If you find any more errors at all, please let me know.

     

    Thank you again for testing the website!

  8. You should remove all of the ad pop ups until testing is done.

     

    Cross Site Scripting (XSS):

    You can submit code on comments and it'll execute.

    http://projecta.ulmb.com/news.php?NUID=13

     

    Cross Site Scripting (XSS):

    You can submit code in profile fields and it'll execute.

    http://projecta.ulmb.com/profile.php?p=4

     

    MySQL Error:

    http://projecta.ulmb.com/profile.php?p='

    Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /hosted/subs/ulmb.com/p/r/projecta/public_html/inc/functions.php on line 257

     

    Full Path Disclosure:

    http://projecta.ulmb.com/news.php?NUID[]

    Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 4

    Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /hosted/subs/ulmb.com/p/r/projecta/public_html/news.php on line 26

     

    I have fixed those problems, so those problems should be fixed =)!

     

    Thank you for testing the website for me!

     

    Also, for the pop-ups, I have no control over that. The web server I am using automatically pops those up. I'm buying a web server in a day or so.
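
The `NUID[]` and `p='` warnings reported above appear because request values reach the query functions unvalidated and PHP errors are displayed to the visitor. This added example (not the site's code; `read_id`, `show_news` and the `news` table are hypothetical, and SQLite stands in for MySQL) rejects array and non-numeric ids before any query runs, returns 404 for posts that do not exist, and keeps warnings out of the response.

```php
<?php
// Added example: hypothetical helper and table names, constructed requests.

// Keep warnings (and the file paths they contain) out of the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Returns a positive integer id, or null for missing, array or non-numeric input.
function read_id(array $query, string $key): ?int
{
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return null;                       // covers ?NUID[] (an array) and absent keys
    }
    $id = filter_var($query[$key], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;     // covers ?p=' and other junk
}

// Looks the post up with a bound parameter and returns [status, body].
function show_news(PDO $pdo, array $query): array
{
    $id = read_id($query, 'NUID');
    if ($id === null) {
        return [400, 'Bad request'];
    }
    $stmt = $pdo->prepare('SELECT title FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    if ($title === false) {
        return [404, 'Not found'];         // also the place to refuse comments on it
    }
    return [200, htmlspecialchars($title, ENT_QUOTES, 'UTF-8')];
}

$pdo = new PDO('sqlite::memory:');         // in-memory database keeps the demo offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO news (id, title) VALUES (13, 'Site <b>launch</b>')");

// Constructed query strings as PHP would parse them into $_GET.
$requests = [
    ['NUID' => '13'], ['NUID' => '9999'], ['NUID' => ['']], ['NUID' => "'"], [],
];
foreach ($requests as $q) {
    [$status, $body] = show_news($pdo, $q);
    echo json_encode($q), ' -> ', $status, ' ', $body, "\n";
}
```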

  9. I am needing testing of the website's vulnerabilities.

     

    PLEASE NOTE: I have VERY VERY little experience securing websites, which is why I would like to do this.

     

    If you find a security vulnerability, could you let me know and  also mention how to fix it as well. I will be doing research for it, but I would still like user input.

     

    Also, this website is completely clean and only has certain data on it. Also, please feel free to use anything at your fingertips. You will not be able to crash anything of my personal property. 

     

    Thank you very much.

    Best Regards and have fun trashing my site :P

     

    URL: http://projecta.ulmb.com

    URL to required text file: http://projecta.ulmb.com/test.txt

     

    Again I would like to thank anyone who helps me secure the site by your input!

  10. Hi everyone!

     

    So basically I have this class called Login and another class called Reports. They both extend a main class called OOP. I'm trying to get classes now and in the future, when I add on, to access that class so that way I don't have to create a new object every time I need to do that. Plus I know I don't want to rely on calling another class inside of one class.

     

    Here is an example

     

    The Super Class

    class OOP{
    public function Login($pointer){
    $Login->{$pointer}();
    }
    
    public function Reports($pointer){
    $Reports->{$pointer}()
    }
    }
    

     

    Login Class

    class Login extends OOP{
    public function userLogin($user, $pass){
    //Login code here
    //if error occurs, send it to Reports
    super::Reports(Error());
    }
    }
    

     

    Reports Class

    class Reports extends OOP{
    public function Error(){
    //Send an error here
    }
    }
    

     

    Here is how I think I would call the class if a user was to login.

    $OOP = new OOP();
    
    $OOP->Login(userLogin($user, $pass));
    

     

    So now when I need to call any class I should be able to, correct?

     

     

    If you are confused about the top, then think of it this way:

    I am trying to create a class to where I can call or reference to ANY object now or in the future so I can add on and call that class from another class.

     

     

    Thank you for any help.

     

  11. I understand that OOP isn't the problem, I'm still learning how to use it correctly.

     

    However, it is still declared inside the main file that is included. So isn't it still declared?

  12. Hey everyone!

     

    I'm starting to rewrite my code for my website and I'm understanding OOP more and more (since I had a class on it), however, I just can't seem to figure out what is going wrong with the code and my login script as to why it is not running my object, when it's been declared.

     

    Here are the required parts of the files that are required for this OOP code I'm working on.

     

    Login Function (Not written in OOP yet)

    File: functions.php

    function userLogin($username, $pass){
    $checkUser = mysql_query("SELECT * FROM `accounts` WHERE `username` = '".$username."' LIMIT 1");
    if(mysql_num_rows($checkUser) == 1){
    	while($User = mysql_fetch_array($checkUser)){
    		if(hash('sha512', $pass) == $User['password']){
    			if(!@$_SESSION['id']){
    				//More Dynamic way other than SESSIONS are needed for updated accounts
    				//Add security to banned accounts
    				$_SESSION['id'] = $User['user_id'];
    				$_SESSION['user'] = $User['username'];
    				$_SESSION['permission'] = $User['clearence'];
    				$_SESSION['isArtist'] = $User['isArtist'];
    				$_SESSION['artistType'] = $User['artistType'];
    				$_SESSION['lastlogin'] = $User['lastlogin'];
    				$_SESSION['loginTime'] = time();
    				$_SESSION['artistTypeName'] = artistType($_SESSION['artistType']);
    				$updateIP = mysql_query("UPDATE `accouns` SET `lastip` = '".$_SERVER['REMOTE_ADDR']."' WHERE `user_id` = '".$_SESSION['id']."'"); 
                                            //This is a SQL error by the wrong table and it is purposefully done for testing my OOP Code.
    				$updateLogin = mysql_query("UPDATE `accounts` SET `lastlogin` = '".time()."' WHERE `user_id` = '".$_SESSION['id']."' LIMIT 1");
    				if(!$updateIP){
    					$reports->Error("Failure to update IP in login: ".mysql_error(), $_SERVER['REQUEST_URI']);
                                                    // ~~~~~~~~~~~~~~~~~ THIS IS LINE 24 ~~~~~~~~~~~~~~~~~
    					logout(0);
    					die();
    				}
    				if(!$updateLogin){
    					sendError(mysql_error(), $_SERVER['REQUEST_URI']);
    					logout(0);
    				}
    				echo "<meta http-equiv=\"refresh\" content=0; url=\"\"/>";
    			}
    			else break;
    		} 
    		else{
    			echo "<font color='red'>Username or Password is incorrect.</font>";
    		}
    	}
    }
    else{
    	echo "<font color='red'>Username or Password is incorrect.</font>";
    }
    }
    

     

    File: includes.php

    include("./inc/classes/reports.php");
    include("./inc/database.php");
    include("./inc/functions.php");
    include("./inc/artclass.php");
    //include("./inc/classes/loginsystem.php");
    
    //$login = new Login(time());
    $reports = new Reports();
    

     

    File:Reports.php

    <?php
    class Reports{
    
    public function Error($error, $page){
    	$error = mysql_real_escape_string($error);
    	$page = mysql_real_escape_string($page);
    
    	$sendError = mysql_query("INSERT INTO `errors` (errorCode, page, date)
    		VALUES ('".$error."', '".$page."', '".time()."')");
    		//date("F m, Y -- h:i:s")
    
    	if(!$sendError){
    		$this->Message(0);
    	}
    	else{
    		$this->Message(2);
    	}
    
    }
    
    public function Report(){
    
    }
    
    public function Query($Table, $Comment, $Page, $Date){
    	// NOT implemented
    }
    
    private function Message($number){
    	switch($number){
    		case 0:
    			echo "There was an error reporting an issue. Please alert us by <a href='contact.php'>contacting us</a>.";
    			break;
    		case 1:
    			echo "There was an error sending a report. Please use the <a href='contact.php'>contact us</a> and let us know!";
    			break;
    		case 2:
    			echo "There was an error. Please wait about 30 minutes to retry your request.<br/><br/> We apologize for the inconvience.";
    			break;
    	}
    }
    }
    ?>
    

     

    The Error:

    Notice: Undefined variable: reports in functions.php on line 23
    
    Fatal error: Call to a member function Error() on a non-object in functions.php on line 23
    

     

     

    Any help would be very much appreciated!

  13. Your statement is not going to work. It will put inside the database '$thisvariable'. But even then, it won't do that and return an error.

     

    Your Statement:
    
    $query_rsGetOrderDetails = "SELECT * FROM hd_order WHERE order_by = '$usernameLoggedin' ORDER BY order_id DESC LIMIT 3"
    
    Fixed Statement
    $query_rsGetOrderDetails = "SELECT * FROM hd_order WHERE order_by = '{$usernameLoggedin}' ORDER BY order_id DESC LIMIT 3"
    

     

    However as SergeiSS said, you have to use the mysql_query function for it to run.

  14. Ello Everyone!

     

    Ok, well I'm making a script with a file uploading thingy, and well, I'm also using a random number to generate a number they must write on a paper and upload it.

     

    Issue: I'm experiencing a slight issue with the random numbers though. Once the user uploads their photo with the numbers, I'll send it to my MySQL database. When it gets to that point the random numbers change. I cannot find a way to keep them as they are, without them changing until the numbers have been placed into the database.

     

    //Top part
    
    $array = array();
    for($i = 0; $i<5; $i++){
    $array[$i] = rand(0,20);
    }
    
    $randNum = implode($array);
    

    //HTML part
    <form method="post" action="" enctype="multipart/form-data">
    				<table>
    					<tr>
    						<td>
    							Generated Number:
    						</td>
    						<td>
    							<h2>
    								<?php echo $randNum ?>
    							</h2>
    						</td>
    					</tr>
    					<tr>
    						<td>
    							Group Name:
    						</td>
    						<td>
    							<input type="text" name="group" maxlength="15" />
    						</td>
    					</tr>
    					<tr>
    						<td>
    							Photo Taken:
    						</td>
    						<td>
    							<input type="file" name="image"/>
    						</td>
    					</tr>
    					<tr>
    						<th colspan="2">
    							<input name="submit" type="submit" value="Register As An Artist"/>
    						</th>
    					</tr>
    				</table>
    			</form>
    

    //SQL Part
    if($copied){			
    			$createArtist = mysql_query("INSERT INTO `artistregister` (user_id, groupname, photo, randomnum) 
    				VALUES ('".$_SESSION['id']."', '".$groupName."', '".$filePath."', '".$thisRandom."')");
    			$resetArtist = mysql_query("UPDATE `accounts` SET `isArtist` = '1' WHERE `user_id` = '{$_SESSION['id']}'");
    			if($createArtist){
    				if($resetArtist){
    					echo "Your account is now pending for Artist Access. This could take upto a week.";
    					$_SESSION['isArtist'] = 1;
    				}
    				else{
    					echo "There was an error, and it had been recorded. Please try again later.";
    					sendError(mysql_error(), $_SERVER['REQUEST_URI']);
    				}
    			}
    			else{
    				echo "There was an error, and it had been recorded. Please try again later.";
    				sendError(mysql_error(), $_SERVER['REQUEST_URI']);
    			}
    		}
    		elseif(!$copied){
    			echo "There was an error, and it has been recorded. Please try again later.";
    			sendError("Line 98", $_SERVER['REQUEST_URI']);
    		}
    

     

    I've tried looking for different functions, and such, but I'm either not looking in the right place or I'm just making some stupid logical error.

     

    Thank you for looking.

  15. Ok, my random numbers go between 1-20, and it loops 5 times. So my array would look like

    $array = array();
    for($i = 0; $i<5; $i++){
    $array[$i] = rand(0,20);
    }
    

    So my array has all the random numbers in there.

     

    But what I'm trying to do as my goal is to put all the numbers as a STRING. So it looks like: 1510253, instead of it being added together, and put them in a variable so that way I don't have to do a foreach statement in my query (which is bad in my opinion).

     

     

    The implode Function does work. I've never used it until now... Thank you very much Maniac!

  16. Hello everyone,

     

    I have been trying several things recently, and I can't figure out how to get a series of numbers grouped together as a string of numbers, instead of it adding or grabbing the last number that was randomly generated.

     

    I'm wanting to save it in a variable (of course), so I can pass it through a query when it is needed.

     

    foreach($array as $number){
    echo $number;
    }
    

     

    $array is the variable where it is an array but all the randomly generated numbers are stored there.

     

    All / any help would be gratefully appreciated.

  17. Hey everyone,

     

    I have an SQL file called "Cype.sql" and I was wanting to have it run when the install feature is going on. However I can't seem to figure out why exactly the code is not working.

     

    Is it possible to have it run without getting too in depth with the PHP coding?  I'm not OOP literate yet.

     

    //Connection is opened
    //While in installation file
    
    
    $sqlFile = "Cype.sql";
    
    if(!file_exists($sqlFile)){
    echo "File not found";
    }
    else{
    $openFile = fopen($sqlFile, "r");
    $tryQuery = mysql_query($openFile);
    }
    

     

    Now obviously, I'm not the best coder. I've been out of the works of PHP for quite some time now as well.

    However, I have researched it and found no answers to my issue.

     

     

    Any help would be greatly appreciated. Thank you.

  18. Ok, when I run this SQL, I'm trying to get data back. However, when it grabs the second table, it just nulls all the info for the second table that is being combined.

     

    If anyone could help me I would be entirely grateful.

     

    SELECT `accounts`.`loggedin`, `characters`.`name` FROM `accounts` LEFT JOIN `characters` ON `accounts`.`id` = `characters`.`accountid` ORDER BY `characters`.`name` ASC;
    

  19. If you are going to use auto increment, then you can NOT have the same number or leave it null. It will call it a duplicate and disregard that SQL. I don't know exactly how to go about your question though.
