Jump to content

RussellReal

Members
  • Posts

    1,773
  • Joined

  • Last visited

Everything posted by RussellReal

  1. if ($check['team'] == 'Group 1') { // include or w.e } elseif ($check['team'] == 'Group 2') { // whatever } elseif ($check['team'] == 'Group 3') { // whatever 2 } but you'd be better off with switch ($check['team']) { case 'Group 1': break; case 'Group 2': break; case 'Group 3': break; }
  2. XSS is remote file inclusion.. and local file inclusion, how will the user KNOW what to include? but either way you probably should do something like <?php switch ($_GET['file']) { case '': $file = 'whatever'; break; ... etc } include('include/$file'); ?> like most people do either way, but I don't see a point in protecting against 'LFI' if you're coding it yourself
  3. use $_SERVER['HTTP_REFERER'] echoing javascript will only be seen and evaluated after php has exited, so your obgetcontents won't work..
  4. if (!($t % 3)) $class = 'whatever'; else $class = 'blah';
  5. the things about web development.. its NEVER 100% safe or secure.. or any kind of programming, you can always do your absolute best for the current threats, but eventually people find new ways in or whatever, with joomla and OTHER opensource applications, you basically are giving away tons of key details to your site.. for example, if you have joomla and so do I. I know all your table names and fields to select.. what tables to drop which would mean alot to you.. etc.. I could comb through my joomla and read every query and find out which query isn't being escaped correctly and then find your page that leads to that query and whatever, you know what I'm saying? all you need to do.. store sensitive files away from your public directory so no user can get to it by simply browsing to it.. and then PUSH the data out with php.. secure all incoming data.. $_POST $_GET if its supposed to be an int.. just type cast it to int.. if string.. use mysql_real_escape_string never do something like this: <?php include($_GET['file']); ?> do something more like <?php include('includes/'.$_GET['file']); ?> that way it could not possibly be evaluated as a external file since php will have ...../includes/http://whatever.com/jhgaa.php and you will most likely get an error instead of XSS never trust users on your site everything that comes from them process it until you're content.. use cookies for storing session ids and sessions for storing pass hashes usernames id numbers etc so that you keep all user specific or classified information on the server not in a cookie on the user's computer
  6. add me to msn or aim I'll help you better from there I hate the post back and forth bs
  7. everybody with a black suit! if this was the matrix that is.
  8. add it to the end
  9. mike.. please re-read your posts before you submit.. or atleast preview them, look @ your code here lol and the last post you posted on.. the eval() demo.. there is a syntax error.. its not a race
  10. a constructor is just the function to trigger when the object is instantiated.. whether you specify it in the class or in a method inside the class, it will still do the same thing, however, there is an exception to this.. if you make the variable declared within the class not within the method static than you can access it like this: foo::$variable; but that is mostly for outside use as its more strict with static values.
  11. are you trying to make the code you submit to be treated as php code not as plain text?
  12. $q = mysql_query("SELECT * FROM proposals JOIN status_list ON (proposals.statusID = status_list.statusID)"); while ($row = mysql_fetch_assoc($q)) { print_r($row); }
  13. make both of $cw equal to 0
  14. in the second page the id isn't being passed to it.
  15. in every form.. just do.. echo "<input type='hidden' name='id' value='{$_GET['id']}' />";
  16. sorry.. here: while ($cw < 4) { echo "<td> </td>"; } that should be: while ($cw < 4) { echo "<td> </td>"; $cw++; }
  17. mktime() usually will if you put 13 months it will increase the year for you and put you on January >.> says so in the manual last time I checked.
  18. <?php $imgs = Array( Array('mariza', 'main.jpg'), Array('anaraquel', 'main.jpg'), Array('joicy', 'main.jpg'), Array('rita', 'main.jpg') ); shuffle($imgs); echo "<table><tr>"; $width = 4; $cw = 1; foreach($imgs as $img) { if ($cw == $width) { echo "</tr><tr>"; $cw = 1; } echo '<td><div align="center"><a href="' . $img[0] . '.html" target="_blank"><img src="imagens/' . $img[0] . '/' . $img[1] . '" width="220" height="240" border="0"></a></div></td>'; $cw++; } while ($cw < 4) { echo "<td> </td>"; } echo "</tr></table>"; ?> building off of alex's post
  19. thats not your IP thats your subnet ip, you need to find out your network's IP and change the flash app to connect to THAT IP.. also, you need to portforward whatever port you're using to connecty to your computer.. make that port forward to your subnet ip so that the router doesn't dismiss the request due to not knowing where to point the client
  20. coz 'return' exits the function.. You would have to do something like this.. function values(){ $checks = array(); foreach ($_POST['check'] as $value): if(!empty($value)): $checks[] = str_replace(array("\\",),"",$value)."\n"; endif; endforeach; return $checks; } $getArrayOfCheckboxes = values();
  21. oops.. mispost Got ahead of myself <3 anytime buddy
  22. with your .htaccess do this.. RewriteRule ^/babe.gif$ thePHPFile.php btw you're outputting as a png.. your addhandler is setting .png as an extension.. not .gif.. but either way that is a very bad idea to make images evaluate as php code just make rewrite rules.. the above rewrite will when a user requests xxx.com/babe.gif it will redirect them to thePHPFile.php.. and the php can spit out the image.. then the user will think they're seeing an image.. but its rly a php generated image.. clever huh?!
  23. hey.. why don't you name the checkboxes something like this: <input type="checkbox" name="check[]" value="Agree To Donate Star Stickers" /> then instead of 'skipping' the first 4.. you just loop through $_POST['check'] with a foreach.. much less hassle
  24. <?php $query = "SELECT member_id FROM ipb_members WHERE member_group_id=7 or member_group_id=4 or member_group_id=6"; $result = mysql_query($query) or die('Error : ' . mysql_error()); $ids = array(); while(list($member_id) = mysql_fetch_array($result, MYSQL_NUM)){ $ids[] = "'{$member_id}'"; } $id = implode(',',$ids); $query2 = "SELECT field_13 FROM ipb_pfields_content WHERE member_id IN ({$id})"; $result2 = mysql_query($query2) or die('Error : ' . mysql_error()); while(list($field_13) = mysql_fetch_array($result2, MYSQL_NUM)) { echo $field_13."<br />"; } ?>
  25. I'm assuming by clean you mean to make sure it doesn't mess up the syntax of your mysql query.. but, that is the whole purpose of mysql injection, to remodel the structure of your query to do things you wouldn't want a user to have access to... like.. select more rows than expected.. drop a table.. etc so in the case above.. you'd use mysql_real_escape_string on strings, on integers you really don't need to.. just type cast the variable.. hope it helps.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.