TzFiles

[Philip]

Okay, and also, you might want to put something saying there is a 8MB file size limit (or change it in the php settings ;))

[The Little Guy]

How do you know there is an 8MB file size limit?

[Philip]

Well, actually, I know a lot about your server.
http://tzfiles.com/users/demo/phpinfo.php

I was successfully able to view your directory and what files you had. I have a lot of suggestions for you.

#1. Put your important files (like the db.php) BELOW the /public_html/ area. This will only allow the server to execute that file, and not somebody from an outside source.

#2. Please do something about the PHP issue. Looking at your other thread, I thought you figured out the CHMOD issue. However, I was still able to upload a PHP file and execute it. See #3 and #4 for suggestions:

#3 When uploading a PHP file, rename the file to like .phps (as long as you keep it that way in the PHP settings)

#4 With [b]ANY[/b] executable file, have the server zip the file. Link: http://us2.php.net/manual/en/ref.zip.php


Hopefully, one of these solutions will work out for you. Right now, you have a really big security hole you need to plug. I would recommend playing around with these options, or if you don't have the time right now, you should disable uploading executable files (.php .js .exe etc..)

[The Little Guy]

I only have acces to ryannaddy and everything to the right

/home/.marble/ryannaddy/tzfiles.com/filename.something

So where would i put db.php? right now it is in tzfiles.com should I move it to ryannaddy? If i move it there, how do I tell my files to connect to it?

Thanks, all of the solutions are ones I want to fix, and I need to fix all those holes.

securing db.php was the main Idea of this thread:

http://www.phpfreaks.com/forums/index.php/topic,121909.0.html

for number #2 I did fix it, but when The file was uploaded, it wouldn't allow me to fread()/fwrite()/fopen(), so I temporarily allowed files to be run on the server. What chmod should I use?

[The Little Guy]

#1 was fixed by makeing my db.php file look like this:
[code]
<?php

if(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) send_404(); 

$dbHost = "localhost";        //Location Of Database usually its localhost
$dbUser = "xxxxx";                        //Database User Name
$dbPass = "xxxxx";                        //Database Password
$dbDatabase = "file_host";              //Database Name

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

function send_404()
{
    header('HTTP/1.x 404 Not Found');
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n".
    '<html><head>'."\n".
    '<title>404 Not Found</title>'."\n".
    '</head><body>'."\n".
    '<h1>Not Found</h1>'."\n".
    '<p>The requested URL '.
    str_replace(strstr($_SERVER['REQUEST_URI'], '?'), '', $_SERVER['REQUEST_URI']).
    ' was not found on this server.</p>'."\n".
    '</body></html>'."\n";
    exit;
}

?> [/code]

[AXiSS]

...I wonder how my "Kill Spiders" button got on there. Maybe I forgot to delete it after I used it for testing. :-\

Anyway, everything is looking good, but the header seems kind of empty, to the right of the name. Maybe you should put a simple "Welcome back, USERNAME" up there.

[The Little Guy]

Done!

[Philip]

The little guy, please get on MSN and accept my friends invite.

I would like to show you something that is more private regarding the security.

[The Little Guy]

I would like to announce, that I have new home page images!  What do you think of these?  there is only 3 at the moment though.

[AXiSS]

Much better than pictures looking up people's noses! :D