Everything posted by keldorn

  1. I believe this is the incorrect way to address an index from an array:

         $list[ozet];

     It should be:

         $list['ozet'];

     (Notice the single quotes.) Unless you're dealing with integers, then you don't. But those are strings, so they need the ' '. Almost all your code is like that. Fix that, and perhaps it'll work. (Or at least get rid of any E_NOTICE errors you haven't been noticing filling up your error log, saying "undefined constant ozet, assuming 'ozet'".)...
  2. You started programming when you were 8; that is now 25 years of programming experience, so you're probably well skilled in programming methodology. You should be able to understand and solve programming problems quickly. '94, that is 15 years of experience. That sounds pretty good right there.
  3. Glype proves that cURL is highly appropriate for a proxy.
  4. This is redundant:

         /* Delete this
         $name    = $_POST['name'];
         $email   = $_POST['email'];
         $country = $_POST['country'];
         //--- End delete */

         // values sent from form
         $name    = mysql_real_escape_string(strip_tags($_POST['name']));
         $email   = mysql_real_escape_string(strip_tags($_POST['email']));
         $country = mysql_real_escape_string(strip_tags($_POST['country']));

     I think that he/she must, because otherwise mysql_real_escape_string() would give an error if it's done before the database connection.
  5. By the way, on my dedicated server I get a dozen hackers every day trying to brute force my SSH login from different IPs that come from all over the world (probably proxies of more hacked machines). So yeah, hackers are out, working full time to break into any systems they can. If you use shared hosting you may as well consider it compromised from day one. You'd better keep backups constantly updated. Keldorn.
  6. Yeah, as the guy above mentioned, it looks like a Base64 string. This is why shared hosting is no good. You don't know what the hell is going on in the server. Anything can happen. What if someone buys some hosting and uploads C99shell.php and the customer now has access to the whole hard drive? I've heard these so many times, and every time it's something to do with shared hosting. I have a dedicated server; this is why I won't sell any of my space to anybody. It's not worth the risk. This whole server programming language thing just doesn't work when it's shared. If it's just static files and .html it's fine, but with PHP and such you can upload a programming file that does stuff it shouldn't be doing... That's why, all you guys who say you have experience with your sites getting hacked, it's probably because you're on shared hosting. It's because the hacker got in from somebody else's insecure site, or the shared customer themselves was a hacker who bought a shared hosting package just to hack the server. The least you can do is get a VPS. You can get those for 50 a month. If you can't afford that you shouldn't be running a website that's running PHP anyway. If you want to learn, host it yourself on a home computer and put a LAMP stack on it. </rant>
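The SSH brute-force attempts described in post 5 are easy to pick out of the sshd log. The script below is an added example written for this page, not code from the poster: it parses the standard OpenSSH "Failed password" / "Accepted" lines, counts failures per source IP and lists the sources over a threshold. The log lines in SAMPLE_AUTH_LOG are constructed for the example (documentation-range IPs); the threshold of 3 is an assumption, and the script reads a real file when one is given on the command line.

```php
<?php
// Added example (not from the original post): count failed SSH logins per
// source IP in sshd auth-log lines and flag sources over a threshold.
// The log lines below are constructed for the example; the format is the
// standard OpenSSH result line as written by syslog.
declare(strict_types=1);

const SAMPLE_AUTH_LOG = <<<'LOG'
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:01:09 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
Mar  3 10:02:11 web1 sshd[2120]: Failed password for invalid user oracle from 198.51.100.9 port 33001 ssh2
Mar  3 10:02:40 web1 sshd[2131]: Failed password for root from 203.0.113.7 port 51150 ssh2
LOG;

/**
 * Parse one auth.log line. Returns ['ip', 'user', 'status'] or null when the
 * line is not an sshd password/publickey result.
 */
function parse_sshd_line(string $line): ?array
{
    $re = '/sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[3], 'user' => $m[2], 'status' => $m[1]];
}

/** Count failed logins per source IP, most active first. */
function failed_logins_by_ip(string $log): array
{
    $counts = [];
    foreach (explode("\n", $log) as $line) {
        $ev = parse_sshd_line($line);
        if ($ev === null || $ev['status'] !== 'Failed') {
            continue;
        }
        $counts[$ev['ip']] = ($counts[$ev['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

/** IPs with at least $threshold failures: the candidates for a firewall block. */
function brute_force_sources(string $log, int $threshold = 3): array
{
    return array_keys(array_filter(failed_logins_by_ip($log), fn($n) => $n >= $threshold));
}

// Usage: php detect.php /var/log/auth.log   (falls back to the sample above)
$log = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_AUTH_LOG;
foreach (failed_logins_by_ip($log) as $ip => $n) {
    printf("%-16s %d failed\n", $ip, $n);
}
printf("block candidates: %s\n", implode(', ', brute_force_sources($log)));
```

On the sample this reports 203.0.113.7 with 4 failures and 198.51.100.9 with 1, and only 203.0.113.7 as a block candidate; the successful publickey login from 198.51.100.20 is ignored. A real deployment would add a time window to the count, since a dozen failures spread over a month is not the same signal as a dozen in a minute.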
  7. Remember to use code tags: [*PHP] [/*PHP] for PHP and [*code] [*/code]. By the way, you can set the email column to a UNIQUE index. This way MySQL won't accept duplicate emails. Next, this is wrong; I think you need double quotes in this:

         $query = mysql_query(SELECT * FROM tbl1_name WHERE email='$email');

     so:

         $query = mysql_query("SELECT * FROM tbl1_name WHERE email='$email'");

     Also there doesn't appear to be any email validation; you're just sticking the email right away into the database. You're going to get yourself hacked programming your applications like that. Validate it with a function. This is one that works pretty well; it allows emails like john+doe@example.com and john.doe@example.com, although not quite to RFC specs. Personally, just for the sake of simplicity, I wouldn't allow emails like jonh\"doe@example.com (yes, that is valid); it is just very bad, because then you have to add extra abstraction to your script when dealing with the emails.

         // Check if valid email
         function valid_email($input) {
             // This regex works pretty well.
             if (!preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $input)) {
                 // We're here? It's bad. Set message..
                 return false;
             }
             // else return "good"
             return true;
         }

     Put that function into your script, and next do this:

         // values sent from form
         $name    = mysql_real_escape_string(strip_tags($_POST['name']));
         $email   = mysql_real_escape_string(strip_tags($_POST['email']));
         $country = mysql_real_escape_string(strip_tags($_POST['country']));
         if (!valid_email($email)) {
             echo('That email is invalid');
         }
  8. Read the manual, PHP operators: = means to set a variable; == means to compare. So no, == false would be wrong; that would be comparing it. You want to set it to false. The reason why I set variables at the top of the script is to avoid E_NOTICE messages about trying to check undefined variables. For example,

         if($success){ }

     works fine and dandy if $success is set; however, if it is not, it would generate an E_NOTICE warning. So setting $success = false; at the top of the script avoids that, and will still return false if there is no success.
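Post 7 makes two points, validate the address and stop duplicates with a UNIQUE index. The script below is an added example for this page, not the poster's code: it keeps the post's policy (plain dotted local parts with + _ -, no quoted local parts) on top of filter_var(), and stores the address with a prepared statement so the value is never interpolated into SQL, letting the UNIQUE index reject the duplicate. It uses an in-memory SQLite database so it runs offline; the table tbl1_name and its columns are taken from the post, the sample rows are constructed, and lowercasing the whole address is an assumption of this example (the local part is technically case-sensitive).

```php
<?php
// Added example (not the original poster's code): validate an e-mail address
// and store it with a prepared statement and a UNIQUE index, so duplicates
// are rejected by the database and the value is never built into SQL.
// In-memory SQLite is used so it runs offline; the table name is the one
// from the post, the sample rows are constructed for the example.
declare(strict_types=1);

/**
 * Same policy as the regex in the post: ordinary dotted local parts with
 * + _ - allowed, no quoted local parts like "john\"doe"@example.com.
 * filter_var does the RFC-level check; the regex then drops the exotic
 * forms the post chooses not to support.
 */
function valid_email(string $input): bool
{
    if (strlen($input) > 254 || filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9+_\-]+(\.[A-Za-z0-9+_\-]+)*@([A-Za-z0-9\-]+\.)+[A-Za-z]{2,}$/', $input) === 1;
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tbl1_name (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE, country TEXT NOT NULL)');
    return $db;
}

/**
 * Returns 'ok', 'invalid' or 'duplicate'. The UNIQUE index, not a
 * SELECT-then-INSERT, is what prevents the duplicate.
 */
function register(PDO $db, string $name, string $email, string $country): string
{
    if (!valid_email($email)) {
        return 'invalid';
    }
    $stmt = $db->prepare('INSERT INTO tbl1_name (name, email, country) VALUES (:name, :email, :country)');
    try {
        // Lowercasing the whole address is this example's policy choice.
        $stmt->execute([':name' => $name, ':email' => strtolower($email), ':country' => $country]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation (duplicate email)
        if ((string) $e->getCode() === '23000') {
            return 'duplicate';
        }
        throw $e;
    }
    return 'ok';
}

$db = open_db();
foreach ([
    ['Jane', 'john+doe@example.com', 'NL'],
    ['John', 'John+Doe@example.com', 'NL'],                              // duplicate after lowercasing
    ['Eve',  "jonh\"doe@example.com", 'US'],                             // rejected by policy
    ['Mal',  "x@example.com', 'ZZ'); DROP TABLE tbl1_name; --", 'ZZ'],   // never reaches SQL
] as [$name, $email, $country]) {
    printf("%-50s %s\n", $email, register($db, $name, $email, $country));
}
```

Expected results for the four rows are ok, duplicate, invalid, invalid. The injection-looking address fails validation first, but even if it had passed, the prepared statement would have stored it as a literal string rather than executing the DROP.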
  9. Consider this code. Beware of bugs in the below code; I have only proved it correct, not tried it.

         <?php
         session_start();
         $token = false;
         if (!isset($_SESSION['token'])) {
             $token = md5($_SERVER['REMOTE_ADDR'] . uniqid());
             $_SESSION['token'] = $token;
         } else {
             $token = $_SESSION['token'];
         }
         if ($_POST) {
             // === so that a burnt token (false) never matches an empty posted token
             if (isset($_POST['token']) && $_SESSION['token'] === $_POST['token']) {
                 // Do upload and validation stuff
                 $_SESSION['token'] = false;
             } else {
                 exit('You cant do that');
             }
         }
         ?>
         <html>
         <head>
         </head>
         <body>
         <?php if ($_SESSION['token'] != false) { ?>
         <form method="post" action="" enctype="multipart/form-data">
             <input type="hidden" name="token" value="<?php echo $token; ?>"/>
             <!-- in bytes -->
             <input type="hidden" name="MAX_FILE_SIZE" value="500000000" />
             <input type="file" name="the_file" size="25" />
             <input type="submit" value="Upload" />
         </form>
         <?php } elseif ($_SESSION['token'] == false) { ?>
         <p>Congratulations the file was uploaded</p>
         <?php } ?>
         </body>
         </html>

     But really the trouble you will have with code like that is that it mixes business logic with presentation logic. It makes it really complicated going in and out of HTML with PHP tags. In Smarty I would do something like this:

         session_start();
         $token   = false;
         $error   = false;
         $success = false;
         if (!isset($_SESSION['token'])) {
             $token = md5($_SERVER['REMOTE_ADDR'] . uniqid());
             $_SESSION['token'] = $token;
         } else {
             $token = $_SESSION['token'];
         }
         $smarty->assign('token', $token);
         if ($_POST) {
             if (isset($_POST['token']) && $_SESSION['token'] === $_POST['token']) {
                 // Do upload and validation stuff + set a success message (type: string).
                 $_SESSION['token'] = false;
                 if (!empty($success)) {
                     $smarty->assign('success', $success);
                     $smarty->display('uploadform.tpl');
                     exit;
                 }
             } else {
                 // regenerate the token so the form is usable again
                 $token = md5($_SERVER['REMOTE_ADDR'] . uniqid());
                 $_SESSION['token'] = $token;
                 $smarty->assign('token', $token);
                 $smarty->assign('error', "Your session expired, but a new one was created for you");
                 $smarty->display('uploadform.tpl');
                 exit;
             }
         }
         $smarty->display('uploadform.tpl');

     Then in the .tpl I would have:

         {if isset($error)}{$error}{/if}
         {if !isset($success)}
         <form method="post" action="" enctype="multipart/form-data">
             <input type="hidden" name="token" value="{$token}"/>
             <!-- in bytes -->
             <input type="hidden" name="MAX_FILE_SIZE" value="500000000" />
             <input type="file" name="the_file" size="25" />
             <input type="submit" value="Upload" />
         </form>
         {else}
         {$success}
         {/if}

     Which would show the error and also it would have regenerated the token, so the form would actually be usable again; or it would remove the form and show a success message.
  10. How about this to stop duplicate uploads? Some people do accidentally hit post twice or refresh. Use a token in a hidden field of the form,

         <input type="hidden" name="token" value="{$token}">

     and also set the same token in a session. Then when they go to your page it generates a token right away for the page, and also has a separate part for handling $_POST.

         if (!isset($_SESSION['token'])) {
             $_SESSION['token'] = md5($_SERVER['REMOTE_ADDR'] . uniqid());
         }
         $token = $_SESSION['token'];
         if ($_POST) {
             // === so that a destroyed token (false) never matches an empty posted token
             if (isset($_POST['token']) && $_SESSION['token'] === $_POST['token']) {
                 // upload stuff
                 // + destroy token
                 $_SESSION['token'] = false;
             } else {
                 $error = "Your session expired, you're trying to upload the same thing twice, or you have cookies disabled.";
             }
         }

     Edit: By the way, if you look at TinyPic.com, they have a few hidden fields, one being, as I saw, I believe the same thing I described.
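Posts 9 and 10 both build a single-use form token. The script below is an added example for this page, not the poster's code, and tightens the same idea: the token comes from the CSPRNG instead of md5(ip . uniqid()), which an attacker can narrow down, it is compared with hash_equals() instead of ==, and it is removed from the session the moment it is accepted, so a refresh or double post is rejected. Because the value is unguessable and bound to the session, the same token also blocks cross-site request forgery. The session is passed in as an array so the functions work with $_SESSION in a web request or with a plain array from the CLI, as at the bottom.

```php
<?php
// Added example (not the poster's code): a single-use form token that stops
// accidental double submits and refreshes and, because it is unguessable
// and bound to the session, also stops cross-site request forgery.
// The session is passed as an array so this works with $_SESSION or with a
// plain array when run from the CLI.
declare(strict_types=1);

/** Create a fresh token (or reuse the live one) and store it in the session. */
function issue_token(array &$session): string
{
    if (empty($session['token'])) {
        // 16 random bytes from the CSPRNG; md5(ip . uniqid()) is predictable.
        $session['token'] = bin2hex(random_bytes(16));
    }
    return $session['token'];
}

/**
 * Validate a submitted token and burn it. Returns true once per issued
 * token; a replayed, missing or forged token returns false.
 */
function consume_token(array &$session, array $post): bool
{
    $expected = $session['token'] ?? null;
    $given    = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    // Constant-time comparison; == would also treat "0e..." numeric strings as equal.
    $ok = hash_equals($expected, $given);
    if ($ok) {
        unset($session['token']);   // single use: the same form cannot be posted twice
    }
    return $ok;
}

/** HTML for the form with the token embedded (escaped for attribute context). */
function upload_form(string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="" enctype="multipart/form-data">'
        . '<input type="hidden" name="token" value="' . $t . '"/>'
        . '<input type="file" name="the_file"/>'
        . '<input type="submit" value="Upload"/></form>';
}

// Walk through the lifecycle with a plain array standing in for $_SESSION.
$session = [];
$token  = issue_token($session);
$first  = consume_token($session, ['token' => $token]);               // true: the real upload
$replay = consume_token($session, ['token' => $token]);               // false: refresh / double post
$forged = consume_token($session, ['token' => str_repeat('0', 32)]);  // false: attacker guess
printf("first=%d replay=%d forged=%d\n", $first, $replay, $forged);
echo upload_form(issue_token($session)), "\n";                        // fresh token for the next form
```

The walkthrough prints first=1 replay=0 forged=0 and then a form carrying a new token, which is the "session expired, but a new one was created" path from post 9 done without a second code path: issue_token() simply mints again once the old token is gone.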
  11. This reminds me of this quote. This means if you use 100% of your IQ/skill to write a script and it has a bug, you will need 100% more skill and IQ, which you don't have, to debug it. You are now requiring the expertise of someone smarter than you. xD
  12. Something like this would work for checking a user login.

         //database connection here
         $username = mysql_real_escape_string($_POST['username']);
         $password = md5($_POST['password']);
         $result = mysql_query("SELECT password FROM members WHERE username='{$username}'");
         // fetch_assoc, so the column can be read by name
         $mysql_result = mysql_fetch_assoc($result);
         if (!is_array($mysql_result)) {
             $error = "No username found by that username";
         } elseif ($password === $mysql_result['password']) {
             // log in stuff
         } else {
             $error = "Oops your password is wrong";
         }
  13. It works for me. Oh yeah, about checking if a $_POST variable is actually set. Say $name = $_POST['name']; and $_POST['email']; which you were expecting, but some wanker sends only one of the variables through a POST because they're casing your script for holes. That would generate a full path disclosure saying "undefined index: var in /path/path/path/". You could, as you said, use isset() or empty() on each $_POST, like

         if (isset($_POST['var'])) {
             $var = $_POST['var'];
         }
         if (!empty($_POST['var2'])) {
             $var2 = $_POST['var2'];
         }

     I think that would quickly get redundant and annoying having to type out. Would you think using the @ would be better, which will remove the error? Say this:

         $name  = @$_POST['name'];
         $email = trim(@$_POST['email']);

     I've tried this and it seems to work quite well.
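Post 12 checks a login by comparing an unsalted md5 against a column fetched through a string-built query. The script below is an added example for this page, not the poster's code, and shows the same check with a prepared statement and password_hash()/password_verify(): the username can no longer change the query, the stored hash is salted and stretched, and both "no such user" and "wrong password" produce the same message so the form does not reveal which usernames exist. In-memory SQLite stands in for MySQL; the members table, the seeded user and the attempts are constructed for the example.

```php
<?php
// Added example (not the poster's code): the login check from post 12 with
// a prepared statement and password_hash()/password_verify() instead of
// string-built SQL and unsalted md5. In-memory SQLite stands in for MySQL;
// the members table and seeded user are constructed for the example.
declare(strict_types=1);

function open_members_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO members (username, password) VALUES (:u, :p)');
    // password_hash salts and stretches; the stored value is never compared with == or ===.
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * True only for a known username with a matching password. The caller shows
 * one generic failure message for both "unknown user" and "wrong password".
 */
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so the
    // response time does not tell an attacker whether the username exists.
    $hash = $row['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return $row !== false && $ok;
}

$db = open_members_db();
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['mallory', 'x'],
    ["alice' OR '1'='1", 'x'],   // with a bound parameter this is just a username that does not exist
];
foreach ($attempts as [$u, $p]) {
    printf("%-20s %s\n", $u, check_login($db, $u, $p) ? 'logged in' : 'Oops, your username or password is wrong');
}
```

Only the first attempt logs in. The last one would have matched every row in post 12 if mysql_real_escape_string() were ever skipped (or the connection charset mishandled); here it is bound as a parameter and simply finds no user.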
  14. Some of the points mentioned here are why I use Smarty. I've read a lot of people bashing Smarty, saying it's useless, but it can address and solve namely these 2 problems: 1. separate business logic from presentation; 2. generate friendly error messages instead of die(). I don't know where I would be without Smarty; I probably would still have horrible ways to generate error messages. But this is how I generate them. Basically, say I'm checking some $_POST. (For this example there is no validation really, except for checking they're empty.)

         //registration.php
         //we have a post!
         if ($_POST) {
             $error = false;
             $email = $_POST['email'];
             $name  = $_POST['name'];
             if (empty($email)) {
                 $error .= "<li>You forgot your email</li>\n";
             }
             if (empty($name)) {
                 $error .= "<li>You forgot your name</li>\n";
             }
             //ERROR?
             if ($error) {
                 $smarty->assign('error', $error);
                 $smarty->display('registration.tpl');
                 // All done
                 exit;
             }
         }

     Then in the .tpl file I would have something like this:

         {if isset($error)}<ul>{$error}</ul>{/if}

     That might be bad, to base your script around assuming it's off. What if down the road you end up on different hosting where it's on, and you can't control it? You totally forget about it and now the site is messed up and you're pulling your hair out going through the code; you forget how it works and it was commented badly... yadda. lol. Checking for it, I would say, is still the best. So in the example above we simply modify it a bit to include this:

         #MAGIC QUOTES (check that it is actually enabled, not just that the function exists)
         $magic_quotes = false;
         if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
             $magic_quotes = true;
         }
         //we have a post!
         if ($_POST) {
             $error = false;
             $email = $_POST['email'];
             $name  = $_POST['name'];
             if ($magic_quotes == true) {
                 $name  = stripslashes($name);
                 $email = stripslashes($email);
             }
             if (empty($email)) {
                 $error .= "<li>You forgot your email</li>\n";
             }
             if (empty($name)) {
                 $error .= "<li>You forgot your name</li>\n";
             }
             //ERROR?
             if ($error) {
                 $smarty->assign('error', $error);
                 $smarty->display('registration.tpl');
                 // All done
                 exit;
             }
         }
  15. You have the mysql_close outside of the else statement, which means it gets called even if there was no database connection (which happens in the else statement). Hence the error, since there is nothing to close. Try this:

         <?php
         $srch = isset($_REQUEST["srch"]) ? $_REQUEST["srch"] : '';
         if (empty($srch)) {
             print <<<HERE
         <form>
         Type the Store location: <input type = "text" name = "srch">
         <input type = "submit">
         </form>
         HERE;
         } else {
             $con = mysql_connect("localhost","root","icebird");
             if (!$con) {
                 die('Could not connect: ' . mysql_error());
             }
             mysql_select_db("IpPhoneDir", $con);
             // Escape the user input before it goes into the query
             $srch = mysql_real_escape_string($srch, $con);
             // Send a query to the server (mysql_query takes the query first, then the link)
             if ($result = mysql_query("call GetBranchBeg('$srch')", $con)) {
                 $num_rows = mysql_num_rows($result);
                 if ($num_rows <= 0) {
                     echo "no match found";
                 }
                 print "<table border = 1>\n";
                 //get row data as an associative array
                 while ($row = mysql_fetch_assoc($result)) {
                     print "<tr>\n";
                     //look at each field
                     foreach ($row as $col => $val) {
                         print "<td>" . htmlspecialchars($val) . "</td>\n";
                     } //end foreach
                     print "</tr>\n\n";
                 } //end while
                 print "</table>\n";
             } else {
                 trigger_error(mysql_error(), E_USER_WARNING); //this will display MySQL's error message
             }
             mysql_close($con);
         } // end of else
         ?>
  16. This works. mysql_fetch_row() returns FALSE, according to the documentation, if there is no array created. So I can assume that the false means the table does not exist and can proceed with if(!$sql){}. Also with error_reporting(E_ALL); it generates no PHP error messages at the top of the page, so putting an @ in front of the mysql_fetch_row() is not necessary. Good way to check if a row exists in a MySQL table?

         //Check first if it exists
         $sql = mysql_query("SELECT var FROM fake WHERE token='{$token}'");
         $sql = mysql_fetch_row($sql);
         if (!$sql) {
             // Does not exist! Create it.
             $sql = mysql_query("INSERT INTO fake (var,token) VALUES('$var','$token')");
         } else {
             //It exists, Update it.
             $sql = mysql_query("UPDATE fake SET var='{$var}' WHERE token='{$token}'");
         }
  17. Hey, I'm trying to determine if a table already exists in MySQL by doing a query first with mysql_query, then checking $sql as if it were TRUE or FALSE, which I thought it would be. My code always skips to the }else{ statement after the if(). What is wrong? How do I do this? I could have sworn I've written other scripts using this and it works. PHP:

         //Check first if it exists
         $sql = mysql_query("SELECT var FROM fake WHERE token='{$token}'");
         if (!$sql) {
             // Does not exist! Create it.
             $sql = mysql_query("INSERT INTO fake (var,token) VALUES('$var','$token')");
         } else {
             //It exists, Update it.
             $sql = mysql_query("UPDATE fake SET var='{$var}' WHERE token='{$token}'");
         }

     Also echo $sql; prints out "Resource id #11" or something... Doesn't seem to say false or true....
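The SELECT-then-INSERT/UPDATE in posts 16 and 17 has a race: two requests with the same token can both see "no row" and both insert, and the values are interpolated into the SQL. The script below is an added example for this page, not the poster's code: it puts the uniqueness in the table (token as the key) and lets the database do the insert-or-update in one statement with bound parameters. In-memory SQLite is used so it runs offline, so the statement uses SQLite's ON CONFLICT form (3.24+); MySQL's equivalent ON DUPLICATE KEY UPDATE is shown in the comment. The fake table and its columns come from the posts; the sample tokens and values are constructed.

```php
<?php
// Added example (not the poster's code): replace the check-then-insert race
// in posts 16/17 with a UNIQUE key and an atomic upsert using bound
// parameters. In-memory SQLite is used so the example runs offline; MySQL's
// form of the statement is in the comment on save_var().
declare(strict_types=1);

function open_fake_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE fake (token TEXT PRIMARY KEY, var TEXT NOT NULL)');
    return $db;
}

/**
 * Insert the row, or update var if a row with this token already exists.
 * MySQL:  INSERT INTO fake (token, var) VALUES (:token, :var)
 *         ON DUPLICATE KEY UPDATE var = VALUES(var)
 * SQLite: INSERT ... ON CONFLICT(token) DO UPDATE SET var = excluded.var
 */
function save_var(PDO $db, string $token, string $var): void
{
    $stmt = $db->prepare(
        'INSERT INTO fake (token, var) VALUES (:token, :var)
         ON CONFLICT(token) DO UPDATE SET var = excluded.var'
    );
    $stmt->execute([':token' => $token, ':var' => $var]);
}

/** Read a value back; null when the token is unknown. */
function load_var(PDO $db, string $token): ?string
{
    $stmt = $db->prepare('SELECT var FROM fake WHERE token = :token');
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['var'];
}

$db = open_fake_db();
save_var($db, 'abc123', 'first');
save_var($db, 'abc123', 'second');          // same token: updated, not duplicated
save_var($db, "x' OR '1'='1", 'third');      // quotes are data, not SQL
printf("rows=%d abc123=%s unknown=%s\n",
    (int) $db->query('SELECT COUNT(*) FROM fake')->fetchColumn(),
    load_var($db, 'abc123'),
    var_export(load_var($db, 'nope'), true));
```

This prints rows=2 abc123=second unknown=NULL. Two concurrent requests for the same token now end with one row and the last writer's value, which the SELECT-first version cannot guarantee without a lock.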
  18. What makes Perl slow when using it for a website is that it has to be loaded through CGI with Apache, which is a huge bottleneck.
  19. Ok, well it's probably worthless to use then. Imagine if YouTube were using it; it would be switching between hundreds of file upload progresses every few milliseconds. It would be hilarious and pretty useless.
  20. Guys, remember back in the day everyone's site had cgi-bin in their URLs if their site was dynamic. lol That would have been Perl, I think. Then after 2000 PHP 4 hit the scene and became mainstream. That was probably the death of Perl being used for developing web applications. But Perl still has uses, also languages like Python; I'm pretty sure some "sensitive" sites are using these languages, maybe like PayPal. I also remember back then Geocities didn't allow you to upload PHP files; I think that's why Geocities died, because on other hosts you can upload PHP files. Who would want to use a host where you can't upload some PHP files? Also they had a 4MB bandwidth limit per hour! I would say right on the money, Perl is definitely great for that. On my dedicated server I use Perl scripts to do tasks like that. I am actually running Squid Cache on my server and I had to write a Perl script that modifies how Squid handles naming the cached files. I used Perl because it's faster. It can handle hundreds of connections a second without bogging the server down. If I used PHP, it would have probably killed the RAM.
  21. Yeah, it's called Perl. If Perl was decent, why'd they bother to make PHP? If Python is good, why did they make Ruby? Or if PHP is good, why did they make ASP.NET or ColdFusion? Why has Microsoft made Silverlight when there's Adobe Flash? The answers are purely subjective. My opinion is that Perl is extremely developer-unfriendly for making websites.
  22. Yep, double ROT-13 is very secure. </sarcasm>
  23. Does that mean it can only show the upload progress for one person at a time?
  24. Nah, on Mac, any other suggestions? Well, you would have to find a similar program for Mac that can emulate the shell login.
  25. To answer your question, log into root via SSH with PuTTY (if on Windows), then type:

         nano /usr/local/lib/php.ini