3raser

Everything posted by 3raser

  1. For each individual thread that is echoed out, would I add a new form? I tried making the form tag spread from before the threads start echoing, to after. But that made my site look a little weird. Is there any possible way I can add a checkbox before each individual title, and have it assigned to a form? I don't think it's possible, though. This is what I was trying to do, but it made my site look a little odd:

     echo '<form action="test.php" method="POST">';
     while($row = blah) {
         echo '<input type="checkbox" name="action[]" value="'. $row['id'] .'">'.$row['title'];
     }
     echo '</form>';

     Any suggestions?
  2. Thank you. Sorry for asking the question. I always want to be sure before going through with something.
  3. How would I go about making a small feature for my moderators that allows them to select multiple threads while viewing a forum then take action? All I need is an idea of how I would do this. Wouldn't I use the explode() function? Example: http://i490.photobucket.com/albums/rr267/brannenclass/ex.png
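Posts 1 and 3 above ask how a moderator can tick several threads in one listing and act on all of them at once. The following is an added example, not code from this thread or from osremake.org: one form wraps the whole list, each thread gets a checkbox named `thread[]`, and the server turns the submitted array into a clean list of integer ids before running a single prepared statement. `$pdo`, the `threads` table columns (`id`, `title`, `hidden`) and `currentUserIsModerator()` are assumed names.

```php
<?php
// Added example, not 3raser's code. Assumes a PDO connection in $pdo, a threads
// table with columns id, title and hidden, and a currentUserIsModerator() check;
// all of those names are hypothetical.

// Build the listing: one <form> around everything, one checkbox per thread.
function renderThreadList(array $threads): string {
    $html = '<form action="moderate.php" method="POST">';
    foreach ($threads as $t) {
        // Thread titles are user input, so escape them before echoing
        $html .= sprintf(
            '<label><input type="checkbox" name="thread[]" value="%d"> %s</label><br>',
            (int) $t['id'],
            htmlspecialchars($t['title'], ENT_QUOTES, 'UTF-8')
        );
    }
    $html .= '<button name="do" value="hide">Hide selected</button></form>';
    return $html;
}

// Reduce $_POST['thread'] to unique positive integers; anything else is dropped.
function selectedThreadIds(array $post): array {
    $raw = $post['thread'] ?? [];
    if (!is_array($raw)) {
        return [];
    }
    $ids = [];
    foreach ($raw as $v) {
        if (is_string($v) && ctype_digit($v) && (int) $v > 0) {
            $ids[(int) $v] = true;   // keyed by id, so duplicates collapse
        }
    }
    return array_keys($ids);
}

// Hide (not delete) the selected threads with one placeholder per id.
function hideThreads(PDO $pdo, array $ids): int {
    if ($ids === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("UPDATE threads SET hidden = 1 WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// moderate.php, in outline (hypothetical page):
// if (!currentUserIsModerator()) { header('Location: index.php'); exit; }
// $hidden = hideThreads($pdo, selectedThreadIds($_POST));
```

Because the ids are validated to integers and bound as parameters, nothing a user puts in the checkbox values reaches the SQL parser as code, and a tampered form that submits ids for threads the moderator did not see still only affects the `hidden` flag, which matches the "hide rather than delete" approach described later in this list.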
  4. Please ignore the post above! Can someone try and test if the cookies are vulnerable? (http://www.osremake.org) I spent the past two hours writing new validation code, changing the login system, and editing all the pages to the new functions to make it operational. I believe everything is secure now. You can no longer edit a cookie to any username you want, as the new code will actually check if the cookie exists in the database. If it does, it withdraws the username that cookie is matched to. The cookie value is also hashed and salted. I'd rather not release the way it's hashed and salted, but even if I did - part of it is based off of random numbers using the rand() function.
  5. Please give me any feedback/ideas you have about this: This is how I plan on securing cookies. I made a new row/field in the users table called "cookie" that stores a random hashed & salted value upon creation of the account. This is what I use:

     //generate cookie
     $cookie_value = substr(sha1(md5($username.$e3).$e2).md5(sha1($username.$e3).sha1($e1)), 1, 30);

     function createCookie($username, $e1, $e2, $e3) {
         //generate cookie
         $cookie_value = sha1(md5($username.$e3).$e2).md5(sha1($username.$e3).sha1($e1));

         //ignore this
         if(checkCookie($cookie_value)) {
         } else {
         }
     }

     Then I plan on storing that with the user. And whenever I do $lb->isLoggedIn() to check if a user is logged in, I run this piece of validation code:

     public function isLoggedIn() {
         //query
         $query = mysql_query("SELECT cookie FROM users WHERE username = '". mysql_real_escape_string($_COOKIE['user']) ."' LIMIT 1");
         if(mysql_num_rows($query) < 1) {
             return 0;
         } else {
             //retrieve the stored cookie value
             $fetch = mysql_fetch_assoc($query);
             if($fetch['cookie'] !== $_COOKIE['user_session']) {
                 //they shouldn't have the cookie of a user when they don't match
                 $this->destroyCookie($_COOKIE['user_session']);
                 return 0;
             } else {
                 return 1;
             }
         }
     }

     Any ideas or feedback?
  6. Ah, thanks for the reply kicken. Read everything.
  7. function redirect($url) {
         header('Location: '. $url);
     }

     I'm assuming you're thinking it's XSS vulnerable? No, I was assuming you didn't have an exit() following the header() redirect, allowing code to continue to execute after the header() is sent. If the browser ignores the header, the rest of the code still executes as though the redirect isn't even there. Ah, thanks. I'll add this immediately. Do you mean the post above? I haven't added the exit() function yet; this is the first time I've seen Pikachu suggest it. I may have passed it up somewhere else if not here. And I see what you're saying. If the redirect function fails for some reason, they basically have access to something they aren't supposed to have access to. Thanks guys.
  8. No, could you possibly tell me why? Should I not use MD5 at all and just stick to sha1 three or so times?
  9. Ah, sorry about that. I completely forgot. If you could close/delete this thread, that'd be wonderful. I have replied to the other thread responding to every post I didn't answer.
  10. function redirect($url) {
          header('Location: '. $url);
      }

      I'm assuming you're thinking it's XSS vulnerable? You also didn't answer the question I asked. I'm assuming hashing it then adding some simple form of salt would help secure it? And to answer your question: If someone isn't logged in while viewing the page, the code shows them the form. In some cases around the website, if they aren't logged in, it'll immediately redirect them to another page, thus ending the process of the code (supposed to, anyways). And yes, most forms have a small line of verification to make sure they're logged in before it continues processing the code. Usually like so:

      if(isset($_COOKIE['user'])) {
          //process
      } else {
          //display error message or redirect them somewhere else
      }

      Some lines of verification are like below, but I'm not sure if it makes a difference compared to the one above.

      if(!isset($_COOKIE['user'])) redirect('index.php');
      //code

      Thanks, I'll go check it out as soon as I finish up this reply. Wow, I've never really thought about that. I guess someone could easily edit the cookie to some SQL injection code and the page will try to process it as such. Would you recommend me using a whole different method or just escaping the cookie with mysql_real_escape_string()? This wasn't really my question, but since you said that - I'm sure it could happen (with all the reasons you guys have listed in the above posts). I guess I never really thought that out. I could always take the cookie, then run a username check through the database. But it all honestly depends on how I plan on changing the system. And thanks to xylex for pointing out the fact it leads to a possibility of having SQL injection attacks. Which page is having the error, or is it a global issue around the site for you? I haven't seen any redirect failures. One of the fields in the "users" table is "banned". Whenever a user is banned, I change the 1 -> 0.

      Whenever they attempt to login (it will log them out if they're logged in, too) it basically runs a check with the database to make sure they aren't banned (checking if the field "banned" is a 0). Although, in this case, deleting all the accounts was very necessary. They spammed the registration system with thousands of accounts (I added in a system to only allow 3 accounts per IP, so this should help avoid that) so I felt it was necessary to delete all of them. Luckily the user who initiated the attack made an account with an identical username and email to one of the bots, therefore allowing me to get his actual IP address. The account is still in the database, although banned. And to respond to deleting posts, it's basically the same exact way. Instead of deleting, I "hide" posts. I appreciate the replies, A LOT. This is very helpful and I appreciate you guys taking your time to help me out.
  11. Well, then can you possibly tell me what I should do then? :/
  12. I honestly don't think salt is necessary with my system. I currently use:

      $password = md5(sha1(md5(sha1($_POST['password']))));

      Is this good enough when it comes to storing a password, encrypted?
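Posts 8 and 12 ask whether chaining md5() and sha1() is enough for stored passwords and whether a salt is needed. The following is an added example, not code from this thread: it keeps the chained scheme from the post only as `legacyHash()` for comparison and migration, and stores new passwords with PHP's `password_hash()`, which chooses a random salt per call and uses a deliberately slow algorithm. The hypothetical `checkPassword()` also returns a fresh hash when an account is still on the old scheme, so the caller can update the row on the next successful login.

```php
<?php
// Added example, not from the thread. Shows password_hash()/password_verify()
// in place of md5(sha1(md5(sha1($_POST['password'])))).

// The chained scheme from the post: fast and unsalted, so two users with the
// same password get the same stored value and a dump can be attacked offline
// at the full speed of a GPU.
function legacyHash(string $password): string {
    return md5(sha1(md5(sha1($password))));
}

// On registration: PASSWORD_DEFAULT (bcrypt at the time of writing) embeds a
// fresh random salt and the cost factor in the returned string.
function storePasswordHash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// On login. A stored value of exactly 32 hex characters is an old md5 result:
// verify it the old way once and hand back a password_hash() value to save.
// Returns [bool ok, ?string newHashToStore].
function checkPassword(string $password, string $stored): array {
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // hash_equals() compares in constant time
        $ok = hash_equals($stored, legacyHash($password));
        return [$ok, $ok ? storePasswordHash($password) : null];
    }
    $ok = password_verify($password, $stored);
    // password_needs_rehash() reports when the default cost or algorithm has
    // moved on since this hash was created
    $new = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? storePasswordHash($password)
        : null;
    return [$ok, $new];
}

// Constructed demonstration values
$h1 = storePasswordHash('correct horse');
$h2 = storePasswordHash('correct horse');
var_dump($h1 === $h2);                                  // same password, two salts
var_dump(checkPassword('correct horse', $h1)[0]);
var_dump(checkPassword('wrong password', $h1)[0]);
[$ok, $migrated] = checkPassword('correct horse', legacyHash('correct horse'));
var_dump($ok, $migrated !== null);                      // old hash verifies, new one returned
```

Running it shows `$h1` and `$h2` differing even though the password is the same, which is exactly what a per-user salt buys: a leaked table no longer reveals which accounts share a password, and a precomputed table for one hash is useless against the others. The slow hash is the other half of the answer; stacking md5 and sha1 a few more times does not change the cost per guess in any way that matters.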
  13. So I would change the "name" part of the cookie, not the value, correct?
  14. I was told that my login page could easily be manipulated to set themselves as my username (Mod Justin), giving them powers. How can I further secure my website's use of cookies? My login code: http://pastebin.com/cBLybGKq Any possible solution to this?
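Posts 4, 5, 10 and 14 in this list all concern the same login cookie: the username kept client-side in `$_COOKIE['user']`, a session value derived from the username with sha1()/md5() and rand(), that value compared against a row selected by the username from the cookie, and a `redirect()` that lacks an `exit()`. The following is an added example, not code from this thread or from osremake.org, showing one way to put those pieces together so that editing the cookie cannot turn someone into "Mod Justin": the server never trusts a username from the cookie, the token comes from the OS random source, only a hash of it is stored, and the lookup is a prepared statement. `$pdo`, the `users` table columns `id` and `session_hash`, and the page names are assumptions.

```php
<?php
// Added example, not 3raser's code. Assumes a PDO connection in $pdo and a users
// table with columns id, username and session_hash; those names are hypothetical.

// Called after the password check succeeds: issue a fresh session token.
function issueSessionCookie(PDO $pdo, int $userId): void {
    // 32 bytes from the OS CSPRNG; rand() and hashes of the username are guessable
    $token = bin2hex(random_bytes(32));
    // Store a hash of the token so a copy of the users table does not contain
    // live sessions
    $stmt = $pdo->prepare('UPDATE users SET session_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $userId]);
    // HttpOnly keeps page scripts from reading it; Secure limits it to HTTPS
    setcookie('user_session', $token, [
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the logged-in user's id, or null. The username is not read from any
// cookie; the user is found from the token, so there is nothing to "edit" into
// another account.
function currentUserId(PDO $pdo): ?int {
    $token = $_COOKIE['user_session'] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;    // malformed cookie: reject before touching the database
    }
    $digest = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT id, session_hash FROM users WHERE session_hash = ? LIMIT 1');
    $stmt->execute([$digest]);   // bound parameter: the cookie never becomes SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The SQL match may be collation-insensitive; confirm it in constant time
    if (!hash_equals($row['session_hash'], $digest)) {
        return null;
    }
    return (int) $row['id'];
}

// Invalidate the server-side record and clear the cookie on logout or ban.
function destroySession(PDO $pdo, int $userId): void {
    $stmt = $pdo->prepare('UPDATE users SET session_hash = NULL WHERE id = ?');
    $stmt->execute([$userId]);
    setcookie('user_session', '', ['expires' => time() - 3600, 'path' => '/']);
}

// A redirect that really ends the request. Without exit, a client that ignores
// the Location header receives whatever the rest of the page would have sent.
function redirect(string $url): void {
    header('Location: ' . $url);
    exit;
}

// Guard at the top of a moderator-only page (hypothetical $pdo):
// $uid = currentUserId($pdo);
// if ($uid === null) {
//     redirect('index.php');
// }
```

Two things the original scheme relied on are gone here: the `user` cookie that named the account, and any derivation of the session value from the username. The token is just 32 random bytes, so there is nothing to reverse or "unsalt", and clearing `session_hash` on ban or logout ends the session immediately rather than waiting for the next login check.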
  15. Here: http://pastebin.com/iiLMCHq2 Sorry it's a little sloppy. But I'm pretty sure I pass all the correct tests before actually displaying the form data. Test for yourself here: http://www.osremake.org/forums/addreply.php
  16. I had a spam bot attacking on one of my forums. I quickly wrote a feature that allows me to delete all posts, threads, and IPs (and any other account they have) via username. In my create.php page, you need to be logged in ($_COOKIE['user']) in order to post. How is it that they posted without being logged in?
  17. Thanks!
  18. Can you show an example? ;/
  19. I noticed someone using heredoc in a project of theirs, somewhat like this:

      <?php
      $var = 'really';
      $txt = <<<TEST
      This is $var cool!
      TEST;
      echo $txt;
      ?>

      What's the use/benefit of using heredoc?
  20. Thank you for the reply.
  21. Zane, are you saying we should or shouldn't make everything on one line? Isn't it more professional/neater code?
  22. I cannot believe I forgot about the explode function.... -.- Thank you.
  23. If I were to split this variable in half:

      $one = none:0

      Using this bit of code:

      function cut($string) {
          $string = substr($string, strrpos($string, ':'));
          $string = str_replace(':', '', $string);
          return $string;
      }

      Is it possible to get the part of the string that comes after the : in $one? EDIT: I suppose I could add another : at the end of the string and get the position of the last occurrence, but I'm curious if there is an easier method.
  24. I'm pretty sure the problem is staring me in the face, but I can't seem to locate it.

      function filter($string) {
          //swear words pulled from bannedwordlist.com
          $f = fopen('../badwords.txt', 'r');
          $bad_words = fread($f, filesize('../badwords.txt'));
          $bad_words = explode('\n', $bad_words);
          $input = strtolower($string);
          foreach($bad_words as $value) {
              $string = str_replace($value, '****', $input);
          }
          return $string;
      }

      UPDATED CODE

      function filter($string) {
          //swear words pulled from bannedwordlist.com
          $f = fopen('../badwords.txt', 'r');
          $bad_words = fread($f, filesize('../badwords.txt'));
          $bad_words = explode('\n', $bad_words);
          $input = strtolower($string);
          $string = str_replace($bad_words, '****', $input);
          return $string;
      }

      I've already echoed out $value in the foreach loop, and it does correctly retrieve the bad words and put them into an array. My only problem is, the returned string is still in strtolower() form, and the words aren't censored. :/
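Both versions in post 24 share two defects: `'\n'` in single quotes is the two characters backslash and n, not a newline, so `explode()` never splits the list (the whole file becomes one "word"), and the replacement runs on the lowercased copy, so the caller gets back lowercase text whether or not anything matched. The following is an added example, not the post's code, with both fixed; the word list is constructed inline so it runs without `../badwords.txt`.

```php
<?php
// Added example, not the code from the post. Loads the word list with file(),
// which splits on real newlines, and censors with str_ireplace(), which matches
// case-insensitively but edits the original string.

function loadBadWords(string $path): array {
    // FILE_IGNORE_NEW_LINES strips the \n; FILE_SKIP_EMPTY_LINES drops blank lines
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [];
    }
    // trim() removes a stray \r from files saved on Windows; the array_filter
    // then drops anything that became empty, because an empty search term
    // must never reach str_ireplace()
    return array_values(array_filter(array_map('trim', $lines), 'strlen'));
}

function filter(string $string, array $badWords): string {
    if ($badWords === []) {
        return $string;
    }
    // Case-insensitive match, replacement applied to $string itself, so the
    // rest of the text keeps the case the user typed
    return str_ireplace($badWords, '****', $string);
}

// Constructed word list for an offline run; the post reads ../badwords.txt.
// Mixed line endings and a blank line are included on purpose.
$tmp = tempnam(sys_get_temp_dir(), 'badwords');
file_put_contents($tmp, "darn\r\nHeck\n\n");
$words = loadBadWords($tmp);
unlink($tmp);

echo filter('Well, DARN it. Heck, what a Day!', $words), PHP_EOL;
```

One caveat worth keeping in mind with any plain substring filter, including this one: `str_ireplace()` matches inside longer words too, so every entry in the list should be checked against legitimate words it might appear in before it is deployed.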
  25. The lastpost field in the users table seems like it would be faster, seeing as I'd have to extract their last post time from the threads and posts table. I'm also going to make a "time since last post" feature in the future. And thanks, I'll be using a database.