pastcow

A good idea might be to set all php files and directories within the webroot to read-only, executable by their owner and group, this way it will be hard for the attacker to add content to the site. Directorys that allow file uploads should have the php_engine disabled. You might also want to check through your weblogs for any suspicious activity.

If you stick that mod rewrite rule in place even .AVI and .TXT requests will flow through the "protected.php" script which can do the checks. If someone pastes a link to the AVI they wont be able to download it unless the have a valid session identifier

You might be able do do something along the lines of redirecting all requests via a PHP script. e.g. RewriteEngine On RewriteBase / RewriteRule . /protected.php [L] Then have the protected.php check for that session variable and if it exists use the readfile() function to fetch the file and return it to the user.

I think you need to make sure the DB table supports the correct charset and that when you display it from the DB its supporting the page you display it on sets the correct charset.

From the looks of the error msg it looks like your second argument to copy() needs to be a file, not a directory

You probably need to look at this for the redirect header("Location: http://www.example.com"); die(); and mysql_query() for getting data from the db.

Your website is littered with SQL injection vulnerabilities.

You can do it easily via the apache config file for your site. e.g. <Files wp-login.php> Redirect permanent / https://www.yourdomain.com/ </Files>

You need to make sure your PHP is being executed. It could be that your javascript is inside a .js file which isnt processed by php. An alternate solution might be to do <script src="bleh.php"> and have the php output something along the lines of <script>var x = 5</script> etc... It might well be better to use AJAX but it depends on the situation...

None of those links are working for me. I'm just getting a "Problem loading page"

Hi, You have a few issues: The activation of user accounts can easily be forged by guessing the activation id. Password resets should send a link with which the user can use to reset their password and not a new password There is SQL injection in some paramaters / forms. Forms are vulnerable to CSRF Password complexity is not enforced Msg me if you want further details.

Your CMS has heaps of security issues. Without much effort I was able to obtain admin access. A few issues include: Cross Site Request Forgeries SQL Injection Weak account policies msg me if you want full details. proof: http://cs1.ucc.ie/~jct1/cs1109/lab18/index.php?article_id=80 (check the sourcecode)

Other things to consider are the version of SSL your going to enable on your site, SSLv2 / SSLv3, the ciphers you are going to permit, if your cookies and sessions are going to have the Secure flag set. You might also want to consider that there is increased latency when using SSL and using SSL might put a more significant load on your server.

Hey everyone, I've released a script I wrote about a year ago for hardening / securing PHP - its a PHP script that you run which goes through all your PHP.ini settings and alerts you to any settings that you might want to change in order to secure your PHP installation. Obviously the settings wont meet everyone needs and there isn't any support for the suhosin module yet but I'd like suggestions / comments / or any bugs you notice. This link explains a little more about it: http://www.idontplaydarts.com/2011/02/hardening-and-securing-php-on-linux/ You can download the code here: http://www.idontplaydarts.com/wp-content/uploads/2011/02/Secure-PHP-conf.tar

Upload it and we can take a look

Heres a simple twitter script, just update the username and password with your user/password for twitter function postToTwitter($message, $username = "mrwoot", $password="123456"){ $host = "http://twitter.com/statuses/update.xml?status=".urlencode(stripslashes(urldecode($message))); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $host); curl_setopt($ch, CURLOPT_VERBOSE, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERPWD, "$username:$password"); curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); curl_setopt($ch, CURLOPT_POST, 1); $result = curl_exec($ch); // Look at the returned header $resultArray = curl_getinfo($ch); curl_close($ch); } then you can just use postToTwitter("hello world"); to post to twitter I'm using it for my ASPC processing twitter account http://twitter.com/aspcprocessing bare in mind there isnt any error checking on this simple script.

SELECT p.name as parent_name, c.* FROM category AS p LEFT JOIN category AS c ON c.parent=p.category_id ORDER BY c.parent; This should give you each category and its parents name

foreach($_POST['signupID'] as $item) { $item = mysql_escape_string($item) etc...

webappsec.org has some good content in its mailing lists

Does anyone know if its going to be open source?

$today = date("dd/mm/yyyy"); gives the output 0202/1111/09090909 - you need to make sure you have your date format correct. $today = date("Y-m-d"); will give you 2009-11-02 which is probably what you want to be compatable with mysql. A much better way of doing this would be to use Unix timestamps that are integers. this makes > < and == much simpler.

if ($row_rsProjects['projdue'] == DATE("Y-m-d") should give you the same functionality you might want to check http://php.net/manual/en/function.date.php for more info...

imagecopyresampled will give you a better quality output, ive always found imagecopyresized seems to be a bit grainy on the output. Im not aware of any built in PHP function to resize your images keeping the aspect ratio - you need to write your own function

Yeah, i have to agree the Zend framework isnt exactly well documented, their "quickstart" tutorial is more a demo of MVC rather than telling you how to use the framework. Ive just completed my first site using the Zend Framework and ive gotta say I actually quite like it now. Whats the code you are trying at the moment to get your Zend_Controller_Router_Route to work?

I always stick with gmmktime, it always gives the time in GMT - this might not be the best thing to do but I like it as it keeps everything simple. eg the timestamp 0 is 1970 not 1969