Search the Community
Showing results for tags 'security'.
-
Hi, I'm using the code below to retrieve a file into a microcontroller running MicroPython. I understand I'm open to easy attacks, so I appreciate some input. TIA

```php
<?php
// File name is taken directly from the query string
$file = $_GET['file'];
$dir = getcwd();
$file = $dir.'/'.$file;
$myfile = fopen($file, "r") or die("FAIL");
echo file_get_contents($file);
fclose($myfile);
?>
```
-
Hi, My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IOT projects. In the same web folder, is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned. TIA
-
I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious. Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ... sha1( $user_entered_value ) ... or some other sort of hashed/encrypted string. In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever be hashed into something before it is matched... so why would you bother stripping tags? Why bother preventing any "special" characters? Thoughts?
-
Hi all, I am sorry if I am posting this in the wrong place. If so, kindly transfer it to the appropriate section. I was using code that used recaptcha and that worked perfectly well. Now it has stopped working. The recaptcha dialog box simply does not display. Does anyone have any clue what could be going on? Has someone else also faced this similar problem recently? Thanks all.
-
Hi all! I would have liked to continue this question on my previous post, but since it became too long I thought I'd post a new one. I would like to add the following bit of code on my reset page

```php
$current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
// The Referer header is optional; default to null when it is absent
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
if ($referrer === $current) {
    // Referer matches the current URL
} else {
    // Referer is missing or differs from the current URL
}
```

to ensure that the page is being called from where it should be called. Is this OK or is there a better (read: more secure) way to do it? (I think I read in one of the posts, quite some time ago, that this was not altogether secure.) Since the password reset page is publicly accessible, what other security concerns can turn up because of that, and what care should be taken? Thanks all!
-
Hi Guys, I've got xampp running on my machine with wordpress, and had 2 security related questions: A) I was constantly running into issues with wordpress and trying to find includes. I'm building a plugin, so on the plugin's main file, I just added a 'set_include_path' function equal to the root directory of my website. Then, the require_once, and include functions that are also on that page seem to have stopped having issues. Are there any security issues with using the set_include_path, and setting it to say 'C:/htdocs/home'? B) I used Xampp to install apache, mysql, and php. Until recently, I had no idea what PEAR was. I'm curious though...is PEAR installed by default with PHP or Xampp? Thanks for any help guys
- 9 replies
-
I'm running across this more and more. Prospective client gives access (w/o NDA) to (relatively) secure solution for the purpose of generating a project specification and project estimate. Usually the SOP is some add-on module or feature enhancement - in other words, not a major overhaul of the current solution. In the due diligence, security holes are discovered, to varying degrees of insecurity. This really becomes an awkward situation when the current solution is provided by a third party OEM and leased by the client. To make matters worse, the prospective client decides NOT to proceed with the project so there is no financial benefit to giving away consulting services. Options are:

A: Do not notify the prospective client their solution is insecure and move on.
B: Notify the client their solution is insecure even though they are not the code authors and can't fix it without contacting the vendor.
C: Notify the vendor they have insecure code even though there is no financial incentive to do so - and likely violates terms and conditions for the client.
D: Sell the exploit knowledge on some hacker forum... (just kidding, this IS NOT really an option - tongue in cheek, people...).

There are plenty of recent cases in the news where dudes hacking systems (usually without permission) but without nefarious/malicious intent, have been arrested and charged. For example, last month's airline hack... http://thehackernews.com/2015/05/fbi-plane-hacking.html What'd Ya Think?
-
Hello, I am receiving a huge amount of spam emails. Now I am trying to implement Google Recaptcha V3 in my custom PHP form. I implemented all the steps for G-Recaptcha, but I receive the error invalid-input-secret, and I am sure that the secret code should be copied right. I added the below to the head tag

```html
<script src="https://www.google.com/recaptcha/api.js?render=6LfyPF0pAAAAAHLxp3315RTN7jrRvBe6kLdHGAiT"></script>
<script>
  grecaptcha.ready(function() {
    grecaptcha.execute('6LfyPF0pAAAAAHLxp3315RTN7jrRvBe6kLdHGAiT', {action: 'submit'}).then(function(token) {
      let recaptchaResponse = document.getElementById("recaptchaResponse");
      console.log(recaptchaResponse);
      recaptchaResponse.value = token;
    });
  });
</script>
```

Then added hidden input before the submit button in the form

```html
<input type="hidden" name="recaptcha_response" id="recaptchaResponse">
<input class="contactInput no-border cursorPointer buttonStyle" name="submitContact" value="Submit" type="submit">
```

And finally, I implemented the PHP code

```php
if(isset($_POST['submitContact']) && $_SERVER['REQUEST_METHOD'] == 'POST'){
    $recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
    $recaptcha_secret = '6LfyPF0pAAAAAEsS5lfN_WL3wKHh1XfGo0oE_PYU';
    // Token placed in the hidden input by grecaptcha.execute()
    $recaptcha_response = $_POST['recaptcha_response'];
    // Request the verification result and decode the JSON reply
    $recaptcha = file_get_contents($recaptcha_url."?secret=".$recaptcha_secret."?response=".$recaptcha_response);
    $recaptcha = json_decode($recaptcha);
    if($recaptcha->success ==true){
        if($recaptcha->score >= 0.5){
            echo "Recaptcha Success";
        }else{
            echo"<pre>";
            print_r("Recaptcha Not Verified");
            echo"</pre>";
        }
    }else{
        echo"<pre>";
        print_r($recaptcha);
        echo"</pre>";
    }
}
```

But receiving the below error

```
stdClass Object ( [success] => [error-codes] => Array ( [0] => invalid-input-secret ) )
```
- 2 replies