darkfreaks Posted July 10, 2008
you are good now

magebash Posted July 10, 2008 Author
YES! Any other issues you see?

darkfreaks Posted July 10, 2008
what kind of files are you allowing people to upload?

magebash Posted July 10, 2008 Author
jpeg, png, and gif

darkfreaks Posted July 10, 2008
are you checking to see if the extension ends in .jpg .png and .jpeg?

magebash Posted July 10, 2008 Author
yes, but it seems that strip_tags didn't work...

darkfreaks Posted July 10, 2008
why so?

magebash Posted July 10, 2008 Author
the alerts still worked. :'(

darkfreaks Posted July 10, 2008
are you doing like:

    <?php
    $variable = strip_tags(trim(mysql_real_escape_string($_POST['variable'])));
    ?>

magebash Posted July 10, 2008 Author
No, like:

    $var = mysql_real_escape_string($var);
    $var = strip_tags('$var');

darkfreaks Posted July 10, 2008
that isn't going to work, you need it like:

    <?php
    $var = mysql_real_escape_string($var);
    $var = strip_tags($var);
    ?>

the other way I listed above works too

magebash Posted July 10, 2008 Author
ok

magebash Posted July 10, 2008 Author
I'm working on doing that right now

magebash Posted July 10, 2008 Author
ok now try.

darkfreaks Posted July 10, 2008
it froze. but if you can't input stuff manually it is most likely safe. also you should do something like:

    <?php
    if ($ext == ".exe" || $ext == ".js" || $ext == ".php") {
        echo "extension not allowed";
    }
    ?>

magebash Posted July 10, 2008 Author
I did. I think I fixed it for good now, could you make sure?

darkfreaks Posted July 10, 2008
no XSS errors on my end. however it still says users can upload harmful files.

magebash Posted July 10, 2008 Author
hmm... I have it so they can only upload images. I wonder why...

darkfreaks Posted July 10, 2008
make sure it is coded like this:

    <?php
    if ($ext == ".jpg" || $ext == ".png" || $ext == ".jpeg") {
        // upload to database
    } else {
        echo "you cannot upload this file!";
    }
    ?>

magebash Posted July 10, 2008 Author
How's this?

    if (!($userfile_type == "image/jpeg" OR $userfile_type == "image/png" OR $userfile_type == "image/gif")) {
        die("Please only upload JPEG, GIF, and PNG files.");
    }

darkfreaks Posted July 10, 2008
that is bad coding, use mine

magebash Posted July 10, 2008 Author
How would I obtain $ext?

darkfreaks Posted July 10, 2008
lol

    <?php
    if ($userfile_type == "image/jpeg" || $userfile_type == "image/gif" || $userfile_type == "image/png") {
        // insert into database
    } else {
        // error
    }
    ?>

magebash Posted July 10, 2008 Author
wow I'm stupid. LOL

darkfreaks Posted July 10, 2008
it's okay, lemme know once ya got it set up

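The two checks discussed in the thread (file extension and MIME type) combined into one allow-list, as an added example that is not code from either poster: it shows one way to obtain `$ext` and detects the type from the file's bytes rather than from the `type` entry of `$_FILES`, which PHP fills from the request without checking it. The field name `userfile`, the names `UPLOAD_DIR`, `ALLOWED` and `validate_image`, and the upload directory are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: the form field is
// named "userfile" and UPLOAD_DIR (hypothetical) is a directory where the
// web server does not execute scripts.
const UPLOAD_DIR = '/var/uploads/images';

// Allowed extensions mapped to the MIME type the file content must have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Returns the detected MIME type when both checks pass, otherwise null.
// $clientName is the browser-sent filename; $tmpPath is PHP's temp file.
function validate_image(string $clientName, string $tmpPath): ?string
{
    // Obtaining $ext: last extension of the client filename, lowercased.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // Detect the type from the file's bytes, not from $_FILES[...]['type'],
    // which PHP copies from the request without checking it.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    return ($mime === ALLOWED[$ext]) ? $mime : null;
}

if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $file = $_FILES['userfile'];
    $mime = validate_image($file['name'], $file['tmp_name']);
    if ($mime === null) {
        http_response_code(400);
        exit('Please only upload JPEG, GIF, and PNG files.');
    }
    // Store under a server-generated name, never the client's filename.
    $ext = array_search($mime, ALLOWED, true); // first extension for that type
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Upload failed.');
    }
    echo 'Uploaded.';
}
```

The example needs PHP 7.1 or later and the fileinfo extension.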