gevensen
Posts: 206
Posts posted by gevensen
-
I guess if I wasn't dumb it would help
the query did work fine
I didn't assign $transaction_id a valid number
thanks for the help
-
it returns Resource id #9
am I not converting it right?
-
it's not clear either
you have to validate your user to set your session data if you're logging in
once you confirm your user you set your session, and if your session is set then you can redirect if you want
don't forget
<?php ob_start(); ?> after your session starts, or you can get an error trying to redirect
-
I'm trying to sum the column split_amount from table sc_expenses_transactions
can anyone tell me what I'm doing wrong?
$sql_query = "SELECT SUM(split_amount) FROM sc_expenses_transactions WHERE (expense_id = '$transaction_id')";
$result = mysql_query($sql_query);
if (!$result) {
    die(mysql_error());
}
$query_data = mysql_fetch_array($result);
$number = $query_data[0];
echo "Query = " . $number . "<br />";
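As an added example (not the thread's own code), the same SUM query written with a mysqli prepared statement, so $transaction_id is bound as an integer instead of being interpolated into the SQL string; it assumes an open mysqli connection in $db and keeps the thread's table and column names.

```php
<?php
// Added example: SUM(split_amount) for one expense_id via a prepared statement.
// Assumes $db is an open mysqli connection; table and column names are the thread's.
function sum_split_amount(mysqli $db, $transactionId)
{
    // Only a whole number is a valid expense_id; rejecting anything else here
    // also catches the empty/unset value that made the original query return nothing.
    if (!ctype_digit((string) $transactionId)) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT SUM(split_amount) FROM sc_expenses_transactions WHERE expense_id = ?'
    );
    if ($stmt === false) {
        return false;   // $db->error holds the reason
    }
    $id = (int) $transactionId;
    $stmt->bind_param('i', $id);        // bound as an integer, never spliced into the SQL text
    if (!$stmt->execute()) {
        $stmt->close();
        return false;
    }
    $stmt->bind_result($total);
    $stmt->fetch();                      // a scalar, not the "Resource id #N" you get by echoing $result
    $stmt->close();
    // SUM() over zero matching rows is NULL, not 0; normalise so the caller can print it.
    return $total === null ? 0.0 : (float) $total;
}

// Usage, e.g. with the id taken from a form:
// $total = sum_split_amount($db, $_POST['transaction_id']);
// echo 'Query = ' . ($total === false ? 'invalid id' : $total) . '<br />';
```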
-
ok, for some reason I was thinking stripslashes was only for the ends
I had a huge headache most of that day
thanks, and a DOYYYY for me
-
I am having a problem executing an ALTER TABLE command via PHP
I want to pull the command from an input box, for example
$data = $_POST['element'];
the problem I am having is when I use enum
the command portion I am having a problem with is ENUM( '0', '1' )
it comes out ENUM( '/0', '/1' ) using $_POST
How can I remove the slashes?
-
I am building an application in PHP
I would like to upload an image and then either move the uploaded image to another directory or delete it
The reason being a person could scan a lot of expenses and then work with them one by one, with the original file being taken out of the specified directory on the local machine to avoid confusion
can this be done using java?
I know it can't be done using PHP, and I am limited in java at the moment, and before I go crazy looking I thought I would ask
-
how is PHP calling it? with a header('Location: ...') redirect?
let me rephrase
the previous page calls a header redirect, then the filenames are in <FRAME SRC="expense_image_2.php" NAME=Expense>
and <FRAME SRC="expense_image_1.php" NAME=Image>
this calls the 2 files into the frames (of course the code is not next to each other, see the 1st post for the location)
any other data is passed via session to the 2 pages called, where it loads the info in separate frames
-
I found an answer on the page: it's going to insert this java code after the body starts and it breaks the frames!
<script> if (window != top) top.location.href = location.href </script>
-
PHP is calling it, I am not clicking on it manually so I didn't use href
-
Hopefully a simple question
How can I take a page that has frames and collapse or close them without closing the browser window
IOW
I am using a frame
I have an expense image on the left and a voucher on the right
when the voucher saves successfully it redirects to the index, but the frame for the image is still open
for example:
<FRAMESET COLS="800,*" FRAMEBORDER=0 FRAMESPACING=0 BORDER=0>
<?php //echo "trying to call ".$expenseimage1."<br />";?>
<!-- left frame which is the image frame-->
<FRAME SRC="expense_image1.php" NAME=ExpenseImage>
<!-- right frame is another frameset -->
<!-- rows for horizontal divisions -->
<FRAMESET ROWS="1200,*">
<!-- top frame -->
<!-- <FRAME SRC="titlebar.html" NAME=titlebar SCROLLING=NO> -->
<?php echo "trying to call ".$expenseimage2."<br />";?>
<!-- bottom frame -->
<FRAME SRC="expense_image_2.php" NAME=Expense>
</FRAMESET>
</FRAMESET> <!-- closes the outer COLS frameset -->
-
thanks Keith for the input
that's exactly what I am doing, I am glad I am on the right track
I am almost finished writing the routine: if they get blocked they can lift the block by entering a valid email that's in the database and responding to the email, which will send them to a forgot-login-info routine using secret questions they would only know, having filled them out when they were set up as a user
-
I put a little check in my login page that when you input a bad user name OR password 3x you bring up a reCAPTCHA page
of course you can manually hit the back button and resubmit
I want to try to eliminate/cut down on any autobot that would try to hack my login
is there a way to disable the back button via PHP, or am I wasting my time?
I also have another check where if there is a bad user AND password x number of times the IP is blacklisted until an admin can get involved
everything is written in PHP
I have also considered lifting that ban by forwarding to a page that allows you to enter your email and, if it matches the database, unblocks the IP and sends you to the forgot password/user routine
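Server-side bookkeeping for the policy described in this post, as an added example (not the poster's code): because the counts live on the server, the back button or a resubmitted form cannot reset them. The $store array stands in for a database table keyed by client IP, the CAPTCHA threshold of 3 is the post's, and the block threshold of 5 is an assumption (the post only says "x number of times").

```php
<?php
// Added example: per-IP failed-login counters kept on the server.
// $store stands in for a database table keyed by client IP (an assumption);
// with a real table the same logic runs as a SELECT followed by an UPDATE.
define('CAPTCHA_AFTER', 3);   // bad username OR password, as in the post
define('BLOCK_AFTER', 5);     // bad username AND password; the post says "x", 5 is assumed

// Called on every failed attempt. $userExists is false when the username is
// not in the database at all (the "bad user AND password" case).
function record_failed_login(array &$store, $ip, $userExists)
{
    if (!isset($store[$ip])) {
        $store[$ip] = array('failed' => 0, 'unknown_user' => 0, 'blocked' => false);
    }
    $store[$ip]['failed']++;
    if (!$userExists) {
        $store[$ip]['unknown_user']++;
    }
    if ($store[$ip]['unknown_user'] >= BLOCK_AFTER) {
        $store[$ip]['blocked'] = true;   // stays set until an admin (or the email check) lifts it
    }
}

// What the login page decides before it even looks at the password.
// Returns 'blocked', 'captcha' or 'ok'.
function login_state(array $store, $ip)
{
    if (!isset($store[$ip])) {
        return 'ok';
    }
    if ($store[$ip]['blocked']) {
        return 'blocked';
    }
    if ($store[$ip]['failed'] >= CAPTCHA_AFTER) {
        return 'captcha';   // render the reCAPTCHA page; a resubmitted form still lands here
    }
    return 'ok';
}

// A successful login (or an admin unblock) clears the counters for that IP.
function clear_login_failures(array &$store, $ip)
{
    unset($store[$ip]);
}
```

Key the counters by something the client cannot reset (IP, username), not by the PHP session: a script that drops its cookie simply starts a fresh session with a zero count.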
-
I am coding to expect attacks
Firefox has a nice addon that checks for vulnerabilities for XSS attacks (css)
Look up htmlspecialchars, mysql_real_escape
Take apart upload file names and analyze them
Check your page referrer
There's a lot you can do
Do a search for PHP security
-
that's what I thought, but wanted to make sure
I have written a log file in to help track down the issue, which appeared only after using unset()
-
I have used unset to unset a session variable
For example unset($_SESSION['name']);
The problem I am having is every so often it clears other session variables
So my question is: should I not be using unset to unset a single session variable?
-
yes, I am looking at regenerating the session id and performing my 5 checks on every page change
I'm not sure how this will affect server performance
if all works well I will end up with a dedicated server down the road
it's a SAS project (service as subscription) so it will not be open to the general public to browse around and play with
and all the scripts will be in one place, not on anyone else's servers
That is called session fixation where they either steal or attempt to guess the session ID. This can be made more difficult by using sha instead of md5. Additionally using a system of sending other obfuscated or hashed cookies, then validate for each cookie not just the one. It is also a good idea to make sure they maintain the same user agent.
-
I am using the md5 to encode the filename, not the password, just to mess with the attempts that are made, because we tend to make the filenames similar: login.php admin.php deleteuser.php etc
login becomes a crazy filename, so it becomes a little hard to guess what to try to hack, which is merely just one aspect of hacker attacks
I am not too clued up on all this but I have read sha1 is better than md5 - http://uk2.php.net/md5 read the first user post you come to, it explains why. just my 2 pennies anyway, good luck staying safe. (on a side note I hear if you wrap things in rubber it makes lots of things safer)
-
for those interested, I also found a great blog on security today while doing a bit more research
http://www.acunetix.com/index.php
(if it's ok I post the link; I am not involved with them, admin can remove it if they deem it inappropriate)
I am trying to get my security set up like a fortress before I proceed too much further in the project
-
yes, I have read the referer can be faked
that's why in a second check I think I am doing what you are recommending
I set an encrypted (md5) session variable and then check that session variable against a whitelist of acceptable pages, then I unset that session variable, and when the page exits I set it again with the code for that page, and the next page checks the passed code against that whitelist, and on and on we go
I am also encrypting filenames to make it impossible to, say, try to call login.php or admin, delete or any of the common names
I have also implemented a neat little thing I found called bot-trap to catch web bots and ban their IPs; in the last 2 days it has caught 3
it uses robots.txt to disallow, and of course when the bot goes there anyhow it is blacklisted
'HTTP_REFERER' (your items 4 and 5 and the last post) is just a header that is easily faked (web proxy and bot scripts simply set it to match the domain being requested) and it cannot be relied on for any security purposes.
However, what you should do is store a value in a session variable that says a browser (or a bot script) has visited a particular page (i.e. make your own referrer session variable.) Then test on any dependent page that the session variable exists and has an acceptable value for the 'last page visited.' Unset the session variable or set it to a different value (a value that indicates the current page) on the dependent page to prevent multiple submissions to the dependent page (some bot scripts do use sessions and would visit pages in the correct order.)
-
also, to address the cross site scripting, 2 of the checks require the inquiry to come from my server domain, and I pass a code thru sessions which is essentially the name of the script (index.php, login.php etc) where the referral came from
using the http referral I then compare where the request came from, and if it doesn't match where the page came from the session is destroyed and the user is basically automatically logged out with no reason given
for example, there is a list of acceptable referral pages for each called page
-
yes, I am using mysql_real_escape_string to foil my SQL injection attacks
-
I am working on a financial database and I am using 5 checks after login to foil hackers
1 - obviously $_SESSION must be set
2 - user in $_SESSION must be in database
3 - all authorizations passed in session must match the auth for user in database
4 - referral must come from my server
5 - each page is assigned a session referer code (encrypted filename) which must then match the http referrer
6 - the session id is then regenerated
if any of the 1st 5 checks don't pass the user is automatically logged out, the session destroyed and an alert email is sent to the webmaster
my database password and username are extremely strong
my login page limits bad username and password attempts and blocks the IP (for several invalid username AND password combos)
for multiple bad user OR password (everybody forgets sometimes) I was thinking about having a captcha pop up after 5 attempts
in your opinion is this a sound strategy?
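The "own referrer" session token that the quoted reply recommends in the earlier post (set a code when a page exits, check it against a whitelist on the next page, consume it), which is also what checks 4 and 5 above rely on, as an added example that is not the poster's code. PAGE_SECRET and the script names in the usage lines are assumptions; the page codes are HMACs of the script name with that secret rather than a bare md5, so they cannot be precomputed from a guessed filename.

```php
<?php
// Added example: the "own referrer" session token described in the thread.
// Each page records a code for itself when it finishes; the next page checks that
// code against its own whitelist of acceptable previous pages and consumes it.
// PAGE_SECRET is an assumed server-side value; codes are HMACs, not bare md5 of the name.
define('PAGE_SECRET', 'replace-with-a-long-random-server-secret');

function page_code($scriptName)
{
    return hash_hmac('sha256', $scriptName, PAGE_SECRET);
}

// Call at the end of every page (after its checks have passed and output is done).
function mark_page_visited($scriptName)
{
    $_SESSION['prev_page_code'] = page_code($scriptName);
}

// Call at the top of a dependent page with the list of pages allowed to lead here.
// The token is removed before the comparison, so a second submission (back button,
// replayed form, bot reusing its session cookie) arrives with no token and fails.
function came_from_allowed_page(array $allowedScripts)
{
    if (!isset($_SESSION['prev_page_code'])) {
        return false;
    }
    $presented = $_SESSION['prev_page_code'];
    unset($_SESSION['prev_page_code']);
    foreach ($allowedScripts as $script) {
        if ($presented === page_code($script)) {
            return true;
        }
    }
    return false;
}

// What the thread does on failure: destroy the session and log out with no reason given.
function fail_closed()
{
    $_SESSION = array();
    session_destroy();
    header('Location: login.php');   // assumed login page name
    exit;
}

// Usage on the voucher save page (script names assumed):
// session_start();
// if (!came_from_allowed_page(array('expense_image_2.php'))) { fail_closed(); }
// mark_page_visited('save_voucher.php');
```

The HTTP Referer header still tells you nothing on its own; the session token is what carries the check, and it only works if the whitelist for each dependent page is kept short and exact.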
-
you can write a routine to read each row, then use PHP to split the string into an array, reassemble the string without the offending characters and rewrite it in the place it came from (for ex rec 1 2 3 etc)
look at the explode example http://www.php.net/manual/en/function.explode.php
use mysql_query to select the record
mysql_fetch_array to read the row
write a PHP routine to remove the characters
then use mysql_query to update the record you just read
[SOLVED] date range query (in MySQL Help)
I can't seem to get a query working using name and date range (between start and end date)
all values are in the tables, mysql doesn't return an error
any ideas?
mysql 5
php 5.2.8