
maverick5x

Members
  • Posts: 18
  • Joined
  • Last visited: Never

Profile Information
  • Gender: Not Telling

maverick5x's Achievements
  Newbie (1/5)
  Reputation: 0

  1. Hello, I am having problems developing an Arabic website using PHP/MySQL and Ajax. Arabic text in pages is displayed as is with no problems, but when data is posted from an HTML form the data are saved in the database in UTF-8 encoding. I thought it was from the MySQL collation thing and charsets, but it wasn't. I discovered that when data is sent to the PHP script, it reads them as UTF-8 strings although I did specify the charset in the Ajax POST request:

```javascript
xmlHttp.onreadystatechange = AjaxStateChanged;
xmlHttp.open("POST", url, true);
xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=Windows-1256");
xmlHttp.send(postdata);
```

I knew that by replacing the HTML that should be displayed as a response to my page with the SQL statement that contains the posted values, and they appear as some weird characters. So we can tell it's not MySQL, nor Ajax (it shows the correct encoding in an "alert" before posting). I think I can say it's in the HTTP connection. Is there a solution to this one? I cannot convert to UTF-8 because I have a huge database with Arabic (Windows-1256) data in it. Hope someone has the answer. Best regards, Rakan
  2. Hello, I was thinking while I was developing an application in Ajax: what are the security risks and flaws that Ajax has and that have to be taken care of while developing an Ajax-based app?
  3. In $ouremail you will have to set an extra header for Content-Type, which as far as I know should be text/html.
  4. Hello All, I am currently the developer of an e-commerce system. I have developed the application to be as secure as possible by removing SQL injections from any GET and POST data I read. The application is a mediator between a client and an online shopping site like eBay and Amazon. The client makes an order with a specified set of items and this mediator buys and ships the items to the client. Anyway, I have tested everything but got a problem with order deletion. In every single command that a client wants to do on his orders a verification must be done to match the order's member_id with the client's memberID. In the deletion we have a log table to trace all deleted orders and a backup table for orders, so that when a client deletes an order it's moved to the backup table and deleted from the main orders table, just in case. The problem is that I am still getting emails from the owner of the site that he is getting complaints about some orders getting deleted. Of course at the moment I take the deleted order's ID and search for it in the log, backup and main orders tables with no trace. Searched for code that maybe deletes the order accidentally from a non-delete action... no luck. Now getting to the code. Here is the class that does processing on POST and GET:

```php
<?php
/**
 * A Web class
 * @author: Rakan Alhneiti
 * @version: 1.0
 */
class Web {
    /**
     * @return mixed $_GET[$id] value
     * @param string The index or key for the GET value that should be returned.
     */
    function GET($id="") {
        if (@isset($_GET[$id]) && ! @empty($_GET[$id])) {
            return $this->clearSqlInjections($_GET[$id]);
        } else {
            return "";
        }
    }

    /**
     * @return mixed $_POST[$id] value
     * @param string The index or key for the POST value that should be returned.
     */
    function POST($id="") {
        if(@isset($_POST[$id]) && ! @empty($_POST[$id]))
            return trim($this->clearSqlInjections($_POST[$id]));
        else
            return "";
    }

    /**
     * @return string Same text with sql injection characters removed.
     * @param string Text to remove sql injections from.
     */
    function clearSqlInjections($Item="") {
        //character 39 = ' (Single quote)
        if(strpos($Item,chr(39))!=false) {
            $Item = str_replace(chr(39),"''",$Item); //<-- two 's
        }
        return $Item;
    }
}
?>
```

Order belongs to user verification function:

```php
function OrderBelongsToUser($OrderID) {
    global $DB;
    $SQL = "SELECT Member_ID FROM orders WHERE OrderID='".$OrderID."' AND Member_ID='".$_SESSION["UserID"]."'";
    $DB->Query($SQL);
    if($DB->countRows()!=0) {
        return true;
    } else {
        return false;
    }
}
```

and the cancel_order action:

```php
$SQL = "SELECT Member_ID FROM orders WHERE OrderID='".$Web->GET("id")."' and Member_ID='".$_SESSION["UserID"]."'";
$DB->Query($SQL);
$MemberID = $DB->getResult("Member_ID");
if($_SESSION["UserID"]==$MemberID) {
    $SQL = "INSERT INTO backup_orders SELECT * FROM orders WHERE OrderID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "INSERT INTO backup_items SELECT * FROM items WHERE Order_ID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "INSERT INTO backup_last_message SELECT * FROM last_message WHERE Order_ID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "INSERT INTO backup_order_messages SELECT * FROM order_messages WHERE Order_ID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "INSERT INTO backup_order_tracking SELECT * FROM order_tracking WHERE Order_ID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "DELETE FROM orders WHERE orderid='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "DELETE FROM items WHERE order_id='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "DELETE FROM last_message WHERE Order_ID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "DELETE FROM order_messages WHERE Order_ID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $SQL = "DELETE FROM order_tracking WHERE Order_ID='".$Web->GET("id")."'";
    $DB->Execute($SQL);
    $Temp->clearParams();
    $Temp->setFilename("transfer.tpl");
    $Temp->addParam("Page","orders.php?action=cancel_order");
    $Temp->addParam("Msg",$Lang["Orders_Page_Order_Deleted"]);
    $Content = $Temp->Compile();
} else {
    $Log .= "A try to delete an order was detected!";
    $SQL = "INSERT INTO log_table(Body,DateAdded,Member_ID,Order_ID) VALUES('".$Log."','".time()."','".$_SESSION["UserID"]."','".$Web->GET("id")."')";
    $DB->Execute($SQL);
    $Temp->clearParams();
    $Temp->setFilename("orders_errors.tpl");
    $Temp->addParam("Errors","<LI>".$Lang["Orders_Page_Not_Your_Order"]);
    $Temp->addParam("BackPage","orders.php?action=cancel_order");
    $Content = $Temp->Compile();
}
```

$Temp is the template class, $DB is a database engine. getResult() gets the result of the select statement just like mysql_result(). What can be the problem? I am really suspecting that somebody might be inserting some code that gets executed on the server or something, I really don't know. This got me really confused.
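The quote check in clearSqlInjections() above compares the result of strpos() with `!=`. PHP treats an offset of 0 as equal to false, so a value whose first character is a single quote is never doubled and reaches the SQL text unchanged. The block below is an added example, not the poster's code: it reproduces that check, shows what the DELETE statement turns into when such a value is pasted into it, and then rewrites the cancel step with bound parameters so the ownership condition is part of the DELETE itself instead of a separate SELECT. It uses an in-memory SQLite database through PDO so it runs offline; table and column names follow the post, while the rows and the input strings are constructed.

```php
<?php
// Added example (not the original poster's code). Reproduces the quote check
// from clearSqlInjections() and shows why it misses a leading quote, then a
// parameterised replacement for the cancel step. Runs against an in-memory
// SQLite database; rows and inputs below are constructed for the demo.

// The poster's check as written: strpos() returns 0 for a quote at offset 0,
// and PHP evaluates 0 != false as FALSE, so the quote is left in place.
function clearSqlInjections_asPosted(string $item): string
{
    if (strpos($item, chr(39)) != false) {          // should be !== false
        $item = str_replace(chr(39), "''", $item);
    }
    return $item;
}

// The statement text the posted cancel_order action builds from the id.
function buildCancelQuery(string $id): string
{
    return "DELETE FROM orders WHERE orderid='" . clearSqlInjections_asPosted($id) . "'";
}

// A quote in the middle is doubled and stays inside the literal; a value that
// starts with a quote is untouched and rewrites the WHERE clause.
echo buildCancelQuery("12' OR 1=1 -- "), "\n";
echo buildCancelQuery("' OR 1=1 -- "), "\n";

// Hardened version: never splice input into SQL. Bind it, and make the
// ownership condition part of the DELETE so the check and the delete cannot
// disagree. Returns the number of orders removed (0 = not this member's order).
function cancelOrder(PDO $db, string $orderId, int $memberId): int
{
    $db->beginTransaction();
    $copy = $db->prepare(
        "INSERT INTO backup_orders SELECT * FROM orders WHERE OrderID = ? AND Member_ID = ?");
    $copy->execute([$orderId, $memberId]);
    $del = $db->prepare(
        "DELETE FROM orders WHERE OrderID = ? AND Member_ID = ?");
    $del->execute([$orderId, $memberId]);
    $deleted = $del->rowCount();
    $db->commit();
    return $deleted;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE orders (OrderID INTEGER PRIMARY KEY, Member_ID INTEGER)");
$db->exec("CREATE TABLE backup_orders (OrderID INTEGER PRIMARY KEY, Member_ID INTEGER)");
$db->exec("INSERT INTO orders VALUES (1, 5), (2, 5), (3, 7)");   // constructed rows

// The same hostile id is now just a string compared against an integer column
// and matches nothing; order 3 belongs to member 7, so member 5 cannot remove
// it; member 5 can remove their own order 1.
var_dump(cancelOrder($db, "' OR 1=1 -- ", 5));
var_dump(cancelOrder($db, "3", 5));
var_dump(cancelOrder($db, "1", 5));
var_dump($db->query("SELECT COUNT(*) FROM orders")->fetchColumn());
```

The same shape works with mysqli (prepare(), bind_param(), execute()) behind the post's $DB->Execute() wrapper. Whichever driver is used, the id should never be pasted into the statement text; once it is bound, the clearSqlInjections() step adds nothing for the query. The per-action ownership check stays, but as the WHERE clause of the statement that does the work rather than as a SELECT whose result is compared in PHP.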
  5. I think there is an encoded string that you put in your HTML code to make this, so that when the user goes back to the form page because of an error displayed by the script the values are still in the form. It was mentioned in one of the ASP.NET books that I have but I can't seem to find it for you. Anyway, the way I use is templates:

```php
$Temp->clearParams();
$Temp->setFilename("form_name.tpl");
$Temp->addParam("Name",$Web->POST("name"));
$Temp->addParam("School",$Web->POST("school"));
// ...
$Content = $Temp->Compile();
```

Here is the template class, written by me:

```php
<?php
/**
 * A Templates class
 * @author: Rakan Alhneiti
 * @version: 1.0
 */
class Template {
    /** @var Filename of the template file.*/
    var $Template_Filename;
    /** @var Array of tags and their values.*/
    var $Replacements = array();
    /** @var Language variable */
    var $Language;
    /** @var Application specific language text array */
    var $Application_Language = array();

    /**
     * Sets & gets the application specific language
     */
    function setAppLang($Arr) {
        $this->Application_Language = $Arr;
    }
    function getAppLang() {
        return $this->Application_Language;
    }

    /**
     * Sets the language of the page
     */
    function setLanguage($lang) {
        $this->Language = $lang;
    }

    /**
     * Sets the filename of the template file
     */
    function setFilename($file) {
        if($this->Language != "")
            $this->Template_Filename = "templates/".$this->Language."/".$file;
        else
            $this->Template_Filename = "templates/".$file;
    }

    /**
     * @return void
     * @param Key of tag to be replaced
     * @param Value of tag
     */
    function addParam($Key,$Value) {
        $this->Replacements[$Key] = $Value;
    }

    /**
     * @return void
     */
    function clearParams() {
        unset($this->Replacements);
        $this->Replacements = array();
    }

    /**
     * @return string Gets the contents of the template file
     */
    function getContent() {
        $File = fopen($this->Template_Filename,'r');
        $Content = fread($File,filesize($this->Template_Filename));
        fclose($File);
        return $Content;
    }

    /**
     * @return string Replaces all tags with their values
     */
    function Compile() {
        if($this->Language!="")
            $this->addParam("Lang",$this->Language);
        $Content = $this->getContent();
        if(sizeof($this->Application_Language)>0) {
            foreach($this->Application_Language as $Col => $Val) {
                if(strpos($Content,$Col,0)!=false)
                    $Content = str_replace("{".$Col."}",$Val,$Content);
            }
        }
        if(sizeof($this->Replacements)>0) {
            foreach($this->Replacements as $Index => $Val) {
                $Content = str_replace("{".$Index."}",$Val,$Content);
            }
        }
        return $Content;
    }
}
?>
```

Web class:

```php
<?php
/**
 * A Web class
 * @author: Rakan Alhneiti
 * @version: 1.0
 */
class Web {
    /**
     * @return mixed $_GET[$id] value
     * @param string The index or key for the GET value that should be returned.
     */
    function GET($id="") {
        if (@isset($_GET[$id]) && trim($_GET[$id])!="") {
            return trim($this->clearSqlInjections($_GET[$id]));
        } else {
            return "";
        }
    }

    /**
     * @return mixed $_POST[$id] value
     * @param string The index or key for the POST value that should be returned.
     */
    function POST($id="") {
        if(@isset($_POST[$id]) && ! @empty($_POST[$id]))
            return trim($this->clearSqlInjections($_POST[$id]));
        else
            return "";
    }

    function scanEmail($Item) {
        // eregi() no longer exists in PHP 7+; preg_match() with /i is the same case-insensitive test.
        if(!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $Item)) {
            return false;
        } else {
            return true;
        }
    }

    function clearSqlInjections($Item="") {
        //character 39 = ' (Single quote)
        if(strpos($Item,chr(39))!=false) {
            $Item = str_replace(chr(39),"",$Item);
        }
        //character 60 = <
        if(strpos($Item,chr(60))!=false) {
            $Item = str_replace(chr(60),"&lt;",$Item);
        }
        //character 61 = "=" (equal sign)
        if(strpos($Item,chr(61))!=false) {
            $Item = str_replace(chr(61),"",$Item);
        }
        //character 62 = >
        if(strpos($Item,chr(62))!=false) {
            $Item = str_replace(chr(62),"&gt;",$Item);
        }
        return $Item;
    }
}
?>
```
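The Template class above substitutes each value into the page with a plain str_replace(), and the Web class tries to make that safe by stripping `'`, `<`, `>` and `=` out of the input. Input filtering of that kind alters the stored data (an address or school name with an equals sign loses it) and has to anticipate every place the value will later appear. The usual check is to leave the input alone and escape it for HTML at the moment it is substituted. The block below is an added example, not the poster's Template class: a minimal template that escapes by default, fed a constructed value into the kind of `value="{Name}"` attribute the post uses to re-populate a form.

```php
<?php
// Added example, not the poster's Template class. Shows escaping at the point
// of substitution: a submitted value is put back into a form field without
// being able to leave the attribute it is placed in. Template text and the
// sample input are constructed for the demo.

class EscapingTemplate
{
    private string $tpl;
    private string $charset;
    private array $params = [];

    // $charset is the page's own charset. htmlspecialchars() knows UTF-8 and
    // a fixed list of single-byte sets; for a single-byte page charset it
    // does not list (such as cp1256) pass 'ISO-8859-1', which escapes byte
    // for byte without touching the other bytes.
    public function __construct(string $tpl, string $charset = 'UTF-8')
    {
        $this->tpl = $tpl;
        $this->charset = $charset;
    }

    // Values are escaped by default. $raw = true is only for markup the
    // application generated itself (a language string, a list item), never
    // for anything that came in through $_GET or $_POST.
    public function addParam(string $key, string $value, bool $raw = false): void
    {
        $this->params[$key] = $raw
            ? $value
            : htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $this->charset);
    }

    public function compile(): string
    {
        $out = $this->tpl;
        foreach ($this->params as $key => $value) {
            $out = str_replace('{' . $key . '}', $value, $out);
        }
        return $out;
    }
}

// A form template of the kind the post describes: the submitted value goes
// straight back into the input's value attribute.
$form = '<input type="text" name="name" value="{Name}">';

// Constructed input: a double quote would close the attribute and whatever
// follows would become new attributes of the <input> element.
$submitted = '" onfocus="alert(document.cookie)" autofocus x="';

$t = new EscapingTemplate($form);
$t->addParam('Name', $submitted);
// Every " in the value is now &quot; and the whole string stays inside value="".
echo $t->compile(), "\n";

// Markup the application itself produced is passed through unchanged.
$errors = new EscapingTemplate('<ul>{Errors}</ul>');
$errors->addParam('Errors', '<li>Not your order</li>', true);
echo $errors->compile(), "\n";
```

Escaping at output is independent of whatever the database layer does with the same value: the form field, an SQL statement and a log line each get the encoding that context needs, and the stored data itself is never rewritten.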
  6. Thanks to a guy called "Dashiva" in the "javascript" channel on some IRC server. He pointed out the problem by saying: "Duh, you don't set the header before calling open()", so I moved the header setting to the line just after calling the open() method and it worked, without even using $HTTP_RAW_POST_DATA. Here is the result:

```javascript
client = createXMLObject();
var params = "username=" + Username + "&password=" + Password;
client.open("POST", "login.php", true);
client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
client.onreadystatechange = updateLogin;
client.send(params);
```
  7. Hmm, can you show me how to do that please? I think that $_POST is read-only, but I will try this:

```php
while(list($Col,$Val)=each($HTTP_RAW_POST_DATA)) {
    $_POST[$Col] = $Val;
}
```

Would that work?
  8. In login.php all I do is print `echo $_POST["username"]."<BR>".$_POST["password"];`. The problem is, nothing gets posted and this echo line doesn't print anything apart from the <BR>.
  9. Hello all, I have this function:

```javascript
client = createXMLObject();
var params = "username=" + Username + "&password=" + Password;
client.setRequestHeader("Content-Type", "text/plain");
client.open("POST", "login.php", true);
client.onreadystatechange = updateLogin;
client.send(params);
```

and it gives an error in the line where I setRequestHeader: "unspecified error". I am reading a tutorial and this code was in it, so what can be the problem? Thanks in advance.
  10. Hello all, I have a table row with the display:none style set:

```html
<TR id='bankrow' name='bankrow' style='display:none;'>
```

I have a <select> component and a JavaScript code:

```html
<select id='paidthrough' name='paidthrough' onChange="javascript:evaluate();">

<script language="javascript">
function evaluate() {
    alert("Hello");
    var val = document.getElementById("paidthrough").options[document.getElementById("paidthrough").selectedIndex].value;
    if(val == 2) {
        document.getElementById("bankrow").style.display = "block";
    } else {
        document.getElementById("bankrow").style.display = "none";
    }
}
</script>
```

The idea is that when the item with index 2 is selected the table row "bankrow" should be shown. This code works on IE but not on Firefox. The alert("Hello") does not show in Firefox when the item is selected. What can be the problem here? Thanks in advance.
  11. Hello all, I am trying to add Arabic content inside some INSERT statements into MySQL through phpMyAdmin. When I import this file that includes the SQL statements the data are imported, but with problems. The default server collation is UTF8. The tables' collation is cp1256 (Arabic (Windows)). The fields that contain text, such as Text and varchar, are cp1256_general_ci, but when I select from the tables the data retrieved appear as question marks instead of the original letters, although the application sets the page encoding to Arabic (Windows). I have tried several things which did not work and am wondering where the problem can be. I am requesting your help here. Thanks in advance.
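Posts 1 and 11 above are the two hops at which the character set of this Windows-1256 data has to be pinned. On the browser-to-PHP hop, XMLHttpRequest.send() encodes a JavaScript string as UTF-8 whatever charset the Content-Type header names, which is what post 1 observed; a plain <form> submission follows the page's declared charset instead. On the PHP-to-MySQL hop, the connection character set has to match the cp1256 columns, or the server transcodes on the way in and out and letters it cannot map come back as question marks, as in post 11. The block below is an added example, not the poster's code; the connection parameters are placeholders, the X-Requested-With header is a convention the Ajax code would have to set itself, and the sample string is constructed.

```php
<?php
// Added example, not the poster's code. Pins the character set at the two hops
// where Windows-1256 (cp1256) data changes hands. Connection details are
// placeholders; the sample string below is constructed.

// Hop 1: browser -> PHP. XMLHttpRequest.send() transmits a string as UTF-8
// regardless of the charset parameter in the Content-Type header; a normal
// <form> POST follows the page's own charset. Have the Ajax code mark its
// requests with setRequestHeader('X-Requested-With', 'XMLHttpRequest')
// (a common convention, not a standard) and convert only those.
function requestIsXhr(array $server): bool
{
    return ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

function toDatabaseCharset(string $value, bool $fromXhr): string
{
    if (!$fromXhr) {
        return $value;   // already Windows-1256, as declared by the form page
    }
    // Fail closed: without //IGNORE or //TRANSLIT, iconv() returns false on
    // malformed UTF-8 or on a character with no cp1256 equivalent, rather
    // than storing a mangled string.
    $converted = @iconv('UTF-8', 'WINDOWS-1256', $value);
    if ($converted === false) {
        throw new InvalidArgumentException('value cannot be represented in Windows-1256');
    }
    return $converted;
}

// Hop 2: PHP -> MySQL. The connection charset must match the cp1256 columns.
// Set it through the API rather than with "SET NAMES", so that
// mysqli::real_escape_string() works with the same charset as the server.
function connectCp1256(string $host, string $user, string $pass, string $db): mysqli
{
    $conn = new mysqli($host, $user, $pass, $db);
    if (!$conn->set_charset('cp1256')) {
        throw new RuntimeException('cannot set connection charset cp1256: ' . $conn->error);
    }
    return $conn;
}

// Conversion hop, runnable without a database: the word "مرحبا" as the
// UTF-8 bytes an XMLHttpRequest would send, converted to the single-byte
// cp1256 form the tables expect (one byte per letter instead of two).
$utf8   = "\xD9\x85\xD8\xB1\xD8\xAD\xD8\xA8\xD8\xA7";   // constructed input
$cp1256 = toDatabaseCharset($utf8, requestIsXhr(['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest']));
printf("%d UTF-8 bytes became %d cp1256 bytes: %s\n",
       strlen($utf8), strlen($cp1256), strtoupper(bin2hex($cp1256)));
```

For the phpMyAdmin import in post 11 the same rule applies to the import itself: the dump file's bytes and the character set the import runs under (the "Character set of the file" selector, or a SET NAMES at the top of the dump) must agree with each other and with the cp1256 columns, otherwise the server converts the text once on import and again on every SELECT.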
  12. Hello all. I was asked to make a web application that allows 3 types of users to upload/download files. One type of user, which is a prepaid account called golden membership, needs to create a folder in the directory with the username of the registrant and set the quota of that folder to a constant value. Now my question is: how can I create an FTP account and a folder with a constant quota, say 1000 MB, via PHP? My client doesn't have any clue about the FTP server nor whether his PHP has root access or not. Please advise, because this is the first time I have been asked to do such a thing. Thanks in advance.
  13. Hello. The only way of validating is this suffix idea. But I decided to edit the whole application to run every script file on its own, so instead of index.php?p=profile I am calling profile.php. I think it's better and more secure.