|
PHP - Security Issue!
triple posted for some reason.
Similar TutorialsHi, i am running an online ecommerce store where i let people list and sell their items. Howerver the security is to weak. when people click the buy button on a product they are taken to process.php where a session is set to true, and then they are redirected to paypal to complete tehir orders. after their payment is completed they are redirected to success.php where they collect their download from a link to the download url posted by the user who listed the product. now the problem is that all that is required to get access to file download is for the session to be "true", this means that someone could just navigate to process.php and then skip paypal and navigate directly to success.php. Here is what i want to do: instead of the link beeing displayed in the success.php file, i want paypal to navigate directly to the file download instead... Here is my php files: http://www.mediafire.com/?383u89twj197bjg Thank you all for helping me... i would be forever happy if any of you could have a look at the script and correct it as mentioned above, and please send the files back to : vallandepost@gmail.com ... thank you very much! i just discovered a hole in my scripts relating to access . 1. have a simple login form 2. based on the type of user , he is directed to a page for his options . 3. I now realise that altho each page therefter checks for sessions of the user , he can easily change the url to that of another user and there is no way to prevent it. 4. How can i make sure that each time a page is accessed it is only by the user whom it is meant for. Relevant code snippets below . Thanks ! Swati login.php --------- <?php //error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR); //Process this if statement only if form was submitted if($_POST['submit']){ session_start(); $username=$_POST['username']; $password=$_POST['password']; include ("link.php"); // contains db info //Test for login success $sql = "SELECT * FROM Users WHERE Username='$username' AND Password = '$password'"; $result = mysql_query($sql); if ($myrow = mysql_fetch_assoc($result)){ // echo $sql; $login_success = 'Yes'; $userid = $myrow["Userid"]; $usertype = $myrow["UTID"]; $status = "On"; $url = $PHP_SELF."?".$_SERVER['QUERY_STRING'];; $logout = 'logout.php'; $_SESSION['id']=session_id(); $_SESSION['userid']=$userid; $_SESSION['usertype']=$usertype; $sql2= "insert into Log (Sessionid,Userid,IP,Date,File, Status) values('$_SESSION[id]','$userid','$ip','$tm', '$url', '$status')"; $result2 = mysql_query($sql2) or die ('no access to database: ' . mysql_error()); // echo mysql_error(); } } } ?> Each subsequent page has this header ============================== <? header("Cache-Control: public"); include ("log.php"); //db info for DB along with session start if(!isset($_SESSION['userid'])){ echo "<center><font face='Calibri' size='2' color=red>Sorry, Please login and use this page </font></center>"; exit;} ?> The url of each page : Code: [Select] www.abc.com/example/type1.php?Userid=USER1ID and such a user can easily change the url to Code: [Select] www.abc.com/example/type2.php?Userid=USER1ID and access all the options of type2.php Hi I run versions of sites on a local server. For these the path to a mysql connection script is pretty simple: mysql_connec.php On my live server, I put things out of the public directory - so this time the path is ../mysql_connect.php I therefore have to have sections like this in my files = and whilst not complex, its a pain having to uncomment/comment lines depending on which server I am working because I keep forgetting! Code: [Select] // require_once('../../workRecord/mysql_connect.php'); //online require_once('mysql_connect.php'); //local Is there some way I can identify which server I am on so I don't keep having to do this. I was thinking of using something like this: Code: [Select] if ($_SERVER['DOCUMENT_ROOT']=="c:/web_root/blah/blah"){ require_once('mysql_connect.php'); }else{ require_once('../../workRecord/mysql_connect.php'); } I am pretty sure this would work, but does this method present any security issues??? Hi folks, a few days back, we enabled SSL on our office server and the intranet migrated to https. Everything is ok on the intranet. On the public internet, we noticed today that the page on our website, which connects to our office server to fetch and display data was throwing an error, which I presumed was a Security Certificate issue... An area that's like the Dark Side of the Moon for me.. the webpage - https://liveconnections.in/hotjobs.php This is the error from the logs PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed PHP Warning: file_get_contents(): Failed to enable crypto PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Anycase, the internet was willing to help and so I updated the code to a curl function. The Data is not displaying still... Here's the code... where am i going wrong ?
<?php
//error_reporting(E_ERROR | E_PARSE | E_ALL);
$page="jobs-listing";
?>
<header class="section background-livec text-center">
<h3 class="text-white margin-bottom-0 text-size-40 text-thin text-line-height-1">Current & Hot Jobs</h3>
</header>
<?php
$industry = $_GET['industry'];
$location = $_GET['location'];
$expMin = $_GET['expMin'];
$expMax = $_GET['expMax'];
$sortBy = $_GET['sortBy'];
$cpg = $_GET['page'];
if(empty($cpg) || $cpg==1)
$npl = 1;
else {
//$npl = (($cpg+1)*10) - 9;
$npl = $_GET['startingRowNo'];
}
$industry = str_replace(' ', '%20', $industry);
$location = str_replace(' ', '%20', $location);
$url = "https://xx.xxx.xxx.xxx/WebService/rest/";
function file_get_contents_curl($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //Set curl to return the data instead of printing it to the browser.
curl_setopt($ch, CURLOPT_URL, $url);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
if(!empty($sortBy)) {
$json = file_get_contents_curl($url.'getHeadersBySearch?industry='.$industry.'&location='.$location.'&expMin='.$expMin.'&expMax='.$expMax.'&sortBy='.$sortBy.'&startingRowNo='.$npl.'&noOfRows=1000000');
$data = json_decode($json);
} else if(!empty($industry) || !empty($location) || !empty($expMin) || !empty($expMax)) {
$json = file_get_contents_curl($url.'getHeadersBySearch?industry='.$industry.'&location='.$location.'&expMin='.$expMin.'&expMax='.$expMax.'&sortBy=&startingRowNo='.$npl.'&noOfRows=1000000');
$data = json_decode($json);
} else {
//$json = file_get_contents_curl($url.'getOnlineWebPosting');
$json = file_get_contents_curl($url.'getHeadersBySearch?industry='.$industry.'&location='.$location.'&expMin='.$expMin.'&expMax='.$expMax.'&sortBy=&startingRowNo='.$npl.'&noOfRows=1000000');
$data = json_decode($json);
//if (!$data) echo "Data Not Found" ;
}
if($sortBy=='DESC' || $sortBy=='') {
$aclass = 'down_arrow';
} else {
$aclass = 'up_arrow';
}
$json2 = file_get_contents_curl($url.'getSearchData');
$data2 = json_decode($json2);
$industry = str_replace('%20', ' ', $industry);
$location = str_replace('%20', ' ', $location);
if($industry=='F amp A - BPO') {
$industry = 'F & A - BPO';
}
if($industry=='OIL amp GAS') {
$industry = 'OIL & GAS';
}
?>
<div class="section background-white">
<div class="background-white">
<p class="text-padding-bot text-letter-spacing1">A cross-section of Jobs currently available. We recommend you to contact our Executives for further info. <br />
More details available when the Job is '<strong>View'</strong>ed. </p>
</div>
<?php
//$data='';
//if($data!=''){ ?>
<?php //if ($checkyear>2017) { ?>
<div class="subJobs">
<ul>
<li> Industry <br />
<select name="industry" id="industry" class="sel">
<option value="">Select Industry Name</option>
<?php for($i=0; $i<count($data2[0]); $i++) { ?>
<?php if(isset($industry) && $industry==$data2[0][$i]) { ?>
<option selected value="<?php echo $data2[0][$i];?>"><?php echo $data2[0][$i];?></option>
<?php } else { ?>
<option value="<?php echo $data2[0][$i];?>"><?php echo $data2[0][$i];?></option>
<?php }
} ?>
</select>
</li>
<li>Location<br />
<select name="city" id="city" class="sel">
<option value="">Select City Name</option
><?php $m=0; for($j=0; $j<count($data2[1]); $j++) { ?>
<?php $locat = explode(",",$location); ?>
<?php if($locat[$m]!="" && $locat[$m]==$data2[1][$j]) { ?>
<option selected value="<?php echo $data2[1][$j];?>"><?php echo $data2[1][$j];?></option>
<?php ++$m; } else { ?>
<option value="<?php echo $data2[1][$j];?>"><?php echo $data2[1][$j];?></option>
<?php }
} ?>
</select>
</li>
<li>Experience <br />
<select name="minyear" class="sel2" id="minyear">
<option value="">Min</option>
<?php for($ii=0; $ii<46; $ii++) { ?>
<?php if($expMin!="" && $expMin==$ii) { ?>
<option selected value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php } else { ?>
<option value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php }
} ?>
</select>
<select name="maxyear" class="sel2" id="maxyear" onchange="return select_max();">
<option value="">Max</option>
<?php for($ii=0; $ii<51; $ii++) { ?>
<?php if($expMax!="" && $expMax==$ii) { ?>
<option selected value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php } else { ?>
<option value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php }
} ?>
</select>
<!-- select name="" class="sel2" id="sort">
<option value="">Select</option>
<option value="ASC">ASC</option>
<option value="DESC">DESC</option>
</select -->
</li>
<li class="ser"><button type="button" onclick="search_by_category()" class="btn btn-default" style="margin-top:25px;"><i class="fa fa-search"></i> Search</button></li>
</ul>
</div>
<!-- Selected Jobs Headline Info -->
<div class="line">
<p class="text-dark text-center text-size-16">
<?php if($industry) echo 'Showing ' . '<b>' . $industry .'</b>' . ' Jobs' ; ?>
<?php if($location) echo ' at ' . '<b>' . $location .'</b>' ; ?>
<?php if($expMin) echo ' with Min ' . '<b>' . $expMin .'</b>' ; ?>
<?php if($expMax) echo ' to Max '. '<b>' . $expMax.'</b>' ; ?>
<?php if($expMin | $expMax) echo ' Years Experience' ;?>
</p>
</div>
<!-- Jobs Table -->
<table id="example" class="display" cellspacing="0" width="100%">
<thead>
<tr>
<th class="jobs_noshow text-center" width="5%">S.No</th>
<th class="text-center" width="15%">Posted On</th>
<th class="text-center" width="30%">Job Title</th>
<th class="jobs_noshow text-center" width="15%">Level</th>
<th class="jobs_noshow text-center" width="15%">Location</th>
<th class="jobs_noshow text-center" width="15%">Job Code</th>
<th class="text-center" width="5%">Action</th>
</tr>
</thead>
<tbody>
<?php $ri=1; foreach($data as $kk=>$d) { ?>
<?php
$date_posted = $d->postedDate; // get the Posted Date
$date_posted_year=date("Y",strtotime($date_posted)); // Get the Year from the date and store in a variable
if ($date_posted_year>$jobs_restrict_year) { // Show only Jobs posted after this year ?>
<tr>
<td class="jobs_noshow text-center"><?php echo $ri; ?></td>
<td class="text-center"><?php echo $d->postedDate; ?></td>
<td><?php echo $d->title; ?></td>
<td class="jobs_noshow ctext notreq"><?php echo $d->level; ?></td>
<td class="jobs_noshow text-center notreq"><?php echo $d->location; ?></td>
<td class="jobs_noshow text-center"><?php echo $d->requirementID; ?></td>
<td class="text-center"><a class="button background-livec border-radius text-white" style="color:white" data-fancybox="ajax" href="?contentid=jobs-detail&requirementID=<?php echo $d->requirementID; ?>&requirementSeqNo=<?php echo $d->requirementSeqNo; ?>" data-type="ajax">View</a></td>
</tr>
<?php } ?>
<?php $ri=$ri+1; } ?>
</tbody>
</table>
<script type="text/javascript">
$(document).ready(function () {
var table = $('#example').DataTable( {
"pageLength": 25,
"sPaginationType":"full_numbers",
"oLanguage": {
"sInfo": 'Showing _START_ to _END_ of _TOTAL_ Jobs.',
"sInfoEmpty": '',
"sEmptyTable": "No Jobs found currently",
}
});
$('#example').removeClass( 'display' ).addClass('table table-striped table-bordered');
});
</script>
<style> .dataTables_filter { display: none; } </style>
<!-- End of Table -->
</div>
<?php // } else { ?>
<div style="margin: 20px 0 40px 0px;height:200px;text-align:center;">
<h1 style="font-size:16px;">Server is unavailable at the moment. Please try after some time.</h1>
</div>
<?php //}?>
</div>
<!--jobs end-->
<script type="text/javascript">
function search_by_category() {
industry = $('#industry option:selected').val();
//city1 = $('#city option:selected').val();
minyear = $('#minyear option:selected').val();
maxyear = $('#maxyear option:selected').val();
//sortBy = $('#sort option:selected').val();
var city = $('select#city').val();
var cur_pg = "<?php echo $cpg; ?>";
var tot = "<?php echo $total; ?>";
var tot_pgs = Math.ceil(tot/25);
//if(cur_pg=="")
cur_pg = 1;
var last_pg = tot_pgs - cur_pg;
if(last_pg==0)
records = tot - ((tot_pgs -1) * 25);
else
records = 25;
var strt_val = ((cur_pg-1) * 25) + 1;
if(industry=='F & A - BPO')
industry ='F amp A - BPO';
if(industry=='OIL & GAS')
industry ='OIL amp GAS';
city1 = document.getElementById("city").value;
if(city1=="" || city1=="null") {
city="";
}
if(industry!="" || city!="" || minyear!="" || maxyear!="") {
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=&startingRowNo=1"+"&noOfRows="+records+"&page="+cur_pg;
} else {
//alert("Please select any one of the fields");
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=&startingRowNo=1"+"&noOfRows="+records+"&page="+cur_pg;
}
}
function sort_by_location() {
var order = '<?php echo $sortBy; ?>';
industry = $('#industry option:selected').val();
city = $('#city option:selected').val();
minyear = $('#minyear option:selected').val();
maxyear = $('#maxyear option:selected').val();
city1 = document.getElementById("city").value;
if(industry=='F & A - BPO')
industry ='F amp A - BPO';
if(industry=='OIL & GAS')
industry ='OIL amp GAS';
if(city1=="") {
city="";
} else {
city = $('select#city').val();
}
if(order=="" || order=="DESC") {
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=ASC"+"&startingRowNo=1&noOfRows=10";
} else {
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=DESC"+"&startingRowNo=1&noOfRows=10";
}
}
function select_max() {
minyear = document.getElementById("minyear").value;
maxyear = document.getElementById("maxyear").value;
if(parseInt(maxyear)>=parseInt(minyear)) {
return true;
} else {
if(maxyear!="") {
alert("Maximum year must be equal or greater than minimum year");
$('#maxyear').val("");
return false;
}
}
}
</script>
Also, if i change the $url in my code to https:// , no data is displayed... I raised a Support request to the Hosting provider, but they seem to have vanished into the ozone.... Any help would be highly appreciated. Cheers - Murali
Hi, I am currently working on an Invoice System using PHP and MySQL. However I was just wondering if the system I am using is secure enough. The Client gets a link like this: Code: [Select] mysite.com/?customerid=b3e470c55aad30eb38ee52eec1d8cb52 Each client has a unique "id" I also have an ID for the administrative back-end. I do clean the GET variable before querying the database though. Do I need to secure this with anything else or is this enough, as this is my first time creating anything with PHP and MySQL together. Thanks, mme hi php freaks I am using pdo as the driver for my new app the issue is I can't seem to find a clear answer. I want to sanise the vars that are coming into the database but pdo is suppose to fix all the issues. Is this true what other things do I need to watch for when using pdo they must have some flaws. Thanks I want to create an ADMIN directory with several directory under that. I want to be certain that the user cannot log into any of the directory unless they have confirmed login. Is $_session id's the best way to go? Should I create on the flyer and attached to username? What is the best practice for this? Regards, DED I have been working on a website for some time now. My work is now 95% finished and now I am starting to look at security, as I am using PHP. My webpage uses HTML FORMS. When most of these forms get send back to the server, 50% of the time PHP is inserting the value of the FORM inputs into MySQL. To give a basic run down, I have a newsletter sign up system. "Enter your e-mail address"... and then the user enters their e-mail and submits.. PHP runs a MySQL query to insert that FORM value into the database along the lines of this: Quote insert into newsletters (email) values ('.$POST['email'].') I fear this is very vulnerable to injection attack as it means a trouble maker can come along and enter anything they want into my database, potentially wiping it out. I believe I need to "sanitize" my input with a MySQL "real_escape_string" or something? Is there anything real obvious I should look out for when it comes to PHP security? Is there a way to forbid all strings/arguments except the few I need or something perhaps? I really have less idea about website security. Yesterday for the first time I learned website hacking and applied that method to my web page. My webpage was completely down after applying that. Q) To free a site from hacking what techniques are followed? Hi everyone, So, like my name says, I'm just a hobbyist PHPer, but I write the occassional PHP application for people, I've been doing it for quite a while and I fear that perhaps my way of securing my applications may be a bit antiquated... I was hoping that you guys/gals might be able to take a look and give me some help with perhaps how I could go about making these apps more secure... So, without further ado, here it is... standard application page, e.g. index.php Code: [Select] <? session_start(); if(!$_SESSION['Condition'] == 'Logged') { header("Location: login.php"); } elseif($_SESSION['Condition'] == 'Logged') { require "connection.inc"; ?> <? } ?> login.php page Code: [Select] <? if(isset($_POST['Login'])) { include_once 'connection.inc'; $count = 0; $query = "SELECT UserID FROM Users WHERE UserName = '$_POST[username]' AND UserPassword = '$_POST[password]'"; $results = mysql_query($query)or die(mysql_error()); $count = mysql_num_rows($results); while($row = mysql_fetch_array($results)) { $UserID = $row['UserID']; } if ($count == 1) { header("Location: loginaction.php?UserID=$UserID"); } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title></title> <link rel="stylesheet" type="text/css" href="StyleSheet.css" /> <script language="javascript" type="text/javascript"> function loginValidate(form) { if (form.username.value == '') { alert('You must supply a Username.'); form.username.focus(); return false; } if (form.password.value == '') { alert('You must supply a Password.'); form.password.focus(); return false; } else { return true; } } </script> </head> <body> <? include_once 'header.inc'; ?> <div id="LoginBox"> <div id="SubFormBoxHeading"> Log In </div> <form id="thisform" action="<? echo $_SERVER['PHP_SELF']; ?>" onsubmit="return loginValidate(this)" method="post"> <table> <tr> <td colspan="2"> <? if (isset($_POST['Login']) && !$count == 1) { echo '<h3>Wrong Username and/or Password</h3>'; } ?> </td> </tr> <tr> <td class="Labels">Username:</td> <td><input type="input" id="username" name="username" size="20" /></td> </tr> <tr> <td class="Labels">Password:</td> <td><input type="password" id="password" name="password" size="20" /></td> </tr> <tr> <td colspan="2"> <div style="text-align: center; margin-top: 20px; margin-bottom: 20px;"> <input type="submit" id="Login" name="Login" value="Log In" /> </div> </td> </tr> </table> </form> </div> <? include_once 'footer.inc'; ?> </body> </html> loginaction.php page Code: [Select] <? session_start(); $_SESSION['Condition'] = 'Logged'; $_SESSION['UserID'] = $_GET['UserID']; header("Location: index.php"); ?> and finally, the logout.php page Code: [Select] <? session_start(); unset($_SESSION['Condition']); unset($_SESSION['UserID']); session_destroy(); header("Location: index.php"); ?> Besides "mysql_real_escape_string"ing all the user input what other security strings should you definitely include n your site? I have nearly finished a website that i am making for my local community, they will be registering on the site and i am wandering what sort of security for the site i should be thinking about. I just dont want someone out there doing something to cause problem with the site and ruining it for everyone else. Hi everyone I'm kinda new to PHP and have a couple of questions; 1: How secure is PHP, is it very hackable? Are there things you recommend to make it more secure? 2: I am building a little employee system for staff at a friends company and they can view personal information when they login, as well as ordering stuff with online payment through WorldPay. What is therefore the best and most secure way of handling passwords, logins, data, insert statements etc. I basically want to make it as secure as possible and hopefully learn some new skills Any tips or help would be great Thanks Hey, so basically this is what im trying to do: I'm writing an mp3 store, and want the user to be able to play the whole track before purchase. Currently all the music files are in a protected folder with permissions set so access isnt possible. The mp3 player calls play.php?fid=encryptedfileid rather than the direct music link. This is all working perfectly. The bit i am now stuck on is stopping the users going to play.php?fid=encryptedfileid directly and downloading the mp3 directly. How do I make it so the server can execute the play.php file, but the user cannot? I attempted to set a cookie in play.php and deny access if cookie was present, however the server also set the cookie, so this didnt work. See play.php code (in this example, fid is just the filename, but it will be more encrypted, calling to a special md5 hash, albumid and artistid). <?PHP // Define the path to file $filename=$_GET[fid]; $file = "music/$filename.mp3"; if(!$file) { // File doesn't exist, output error die('file not occupied'); } elseif(!file_exists($file)) { die('Error: File not found.'); } else { // Set headers header("Cache-Control: public"); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=$file"); header("Content-Type: application/octet-stream"); header("Content-Transfer-Encoding: binary"); // Read the file from disk readfile($file); } ?> So to clarify, I need the server to access and execute this script with the mp3 player (simple javascript player) and the server not be able to visit play.php?fid=xxx directly to download. Thanks I have just made a couple of forms that submit data to a mysql database. I was wondering what measures I need to make to in order to keep the whole thing very secure. At the moment I have stripped the inputs of tags and forward slashes. Is there anything else I should do? Also some field in the form allow the user to enter a url. With these fields I have not stripped them of forward slashes. Is this a bad idea? Should I do something like replace the forward slashes with something else and then reverse this process every time I extract that data from the database? Hi, I am looking to create a directory that can not be accessed using .htaccess and neither can files directly. But I want to make it so when you are signed into joomla you can access the files via a mp3 player on the sight. My mp3 extention is joomline player flplayer. And I heard that if I cange the name of the file in joomla fomr lovelove.com/audio/love/abc.mp3 to lovelove.com/audio/love/abc.php?name=abc and then that abc.php script (inside the script it checks if you are logged in) will retrieve the file name, and the joomline will play it it will work. is this possible? Also, if not what can I do for this to work? Right now my script is not working as the joomline looks up all the mp3 files as one big string. this is the abc.php which on my site its calld psp.php
<?php
define( '_JEXEC', 1 );
define( 'JPATH_BASE', realpath(dirname(__FILE__).'/../../' ));
require_once ( JPATH_BASE .'/includes/defines.php' );
require_once ( JPATH_BASE .'/includes/framework.php' );
$mainframe =& JFactory::getApplication('site');
if( !empty( $_GET['name'] ) )
{
// check if user is logged
if(JFactory::getUser()->guest) {
die( "ERROR: invalid song or you don't have permissions to download it." );
}
else {
$psp = preg_replace( '#[^-\w]#', '', $_GET['name'] );
$psp_file = "{$_SERVER['DOCUMENT_ROOT']}/audio/live/{$psp}.mp3";
if( file_exists( $psp_file ) )
{
header( 'Cache-Control: public' );
header( 'Content-Description: File Transfer' );
header( "Content-Disposition: attachment; filename={$psp_file}" );
header( 'Content-Type: application/mp3' );
header( 'Content-Transfer-Encoding: binary' );
readfile( $psp_file );
exit;
}
}
}
?>
then I have joomline player jlplayer
<?php
/**
* JoomLine mp3 player - Joomla mp3 player
*
* @version 1.5
* @package JoomLine mp3 player
* @author Anton Voynov (anton@joomline.ru), Sergii Gaievskiy (shturman.kh@gmail.com)
* @copyright (C) 2010 by Anton Voynov(http://www.joomline.ru)
* @license GNU/GPL: http://www.gnu.org/copyleft/gpl.html
*
* If you fork this to create your own project,
* please make a reference to JoomLine someplace in your code
* and provide a link to http://www.joomline.ru
**/
defined('_JEXEC') or die('Restricted access');
function ascii2hex($ascii, $reverse = false) {
$hex = array();
for ($i = 0; $i < strlen($ascii); $i++) {
$byte = strtoupper(dechex(ord($ascii{$i})));
$byte = str_repeat('0', 2 - strlen($byte)).$byte;
$hex[] = $byte;
}
if ($reverse) $hex = array_reverse($hex);
return implode(" ",$hex);
}
function read_frame (&$f, &$tagdata, $frame) {
$pos = strpos($tagdata,$frame);
if ( $pos !== FALSE) {
// frame found. read length of this frame
fseek($f, 10+$pos+4);
$frame2len = hexdec(ascii2hex(fread($f,4)));
if (($frame2len-1) > 0) {
// read frame data
fseek($f, 10+$pos+4+2+4+1);
$data = trim(fread($f,$frame2len-1));
$hexfdata = ascii2hex($data);
if ( substr($hexfdata,0,5) == 'FF FE' or substr($hexfdata,0,5) == 'FE FF' ) {
$data = iconv("UCS-2","UTF-8",$data);
} else {
if (!preg_match('//u', $data)) {
$data = iconv("cp1251", "UTF-8",$data);
}
}
return $data;
} else {
return false;
}
} else {
return false;
}
}
function readmp3tag($file) {
$f = fopen($file, 'rb');
rewind($f);
fseek($f, -128, SEEK_END);
$tmp = fread($f,128);
if ($tmp[125] == Chr(0) and $tmp[126] != Chr(0)) {
// ID3 v1.1
$format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a28COMMENT/x1/C1TRACK/C1GENRENO';
} else {
// ID3 v1
$format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a30COMMENT/C1GENRENO';
}
$id3v1tag = unpack($format, $tmp);
// read tag length
fseek($f, 8);
$tmp = fread($f,2);
$tmp = ascii2hex($tmp);
$taglen= hexdec($tmp);
$tagdata = "";
if ($taglen > 0) {
//read tag data
fseek($f, 10);
$tagdata = fread($f,$taglen);
}
// find song title frame
$title = read_frame ($f, $tagdata, "TIT2");
if (!$title) {
if ($id3v1tag['TAG']== 'TAG' && ascii2hex(substr($id3v1tag['NAME'],0,1)) != '00' ) {
$title = $id3v1tag['NAME'];
} else {
$title = explode(DS,$file);
$title = $title[count($title)-1];
$title = explode('.',$title);
$title=$title[0];
}
if (!preg_match('//u', $title)) $title = iconv("cp1251", "UTF-8",$title);
}
$artist = read_frame ($f, $tagdata, "TPE1");
if (!$artist) {
if ($id3v1tag['TAG']== 'TAG' && ascii2hex(substr($id3v1tag['ARTISTS'],0,1)) != '00') {
$artist = $id3v1tag['ARTISTS'];
} else {
$artist = "";
}
}
if (!preg_match('//u', $artist)) $artist = iconv("cp1251", "UTF-8//TRANSLIT",$artist);
$id3tag['NAME'] = $title;
$id3tag['ARTIST'] = $artist;
return $id3tag;
}
if (DS == "/")
$dir = str_replace("\\",DS,$music_dir);
else
$dir = str_replace("/",DS,$music_dir);
$dir = JPATH_ROOT.DS.$dir;
if (!is_dir($dir)) {
echo "Wrong dir in settings";
} else {
$files = glob($dir.DS."*.{mp3,MP3}",GLOB_BRACE);
if (count($files) > 0) {
sort($files);
$host = $base_uri;
foreach ($files as $file) {
$tags = readmp3tag($file);
$file = explode (DS, $file);
if ($server_utf8 == 1) {
$fname = rawurlencode($file[count($file)-1]);
} else {
$fname = rawurlencode($file[count($file)-1]);
}
$fname = substr($fname, 0, -4);
$file = $host."/".$music_dir."/psp.php?name=".$fname;
echo $file;
$artist = trim($tags['ARTIST']);
$artist = $artist == "" ? "" : "{$tags['ARTIST']} - ";
$playlist[] = '{name:"'.$artist.$tags['NAME'].'",mp3:"'.$file.'"}';
}
}
/*
*
//if(!window.jQuery) {
document.write(unescape('<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js">%3C/script%3E'));
document.write(unescape('<script type="text/javascript">jQuery.noConflict();%3C/script%3E'));
//}
*
*/
?>
<script type="text/javascript">
var myPlayList = [
<?php
echo implode(",\n ",$playlist)."\n";
?>
];
Array.prototype.find=function(v){
for (i=0;i<this.length;i++){
if (this[i]==v) return i;
}
return 0;
}
var plIndex = [];
for (i=0;i<myPlayList.length;i++) {
plIndex[i] = i;
}
<?php if ($shfl == 1) : ?>
//shuffle
function randOrd(){
return (Math.round(Math.random())-0.5);
}
plIndex.sort(randOrd);
<?php endif; ?>
function setCookie (name, value) {
document.cookie = name + "=" + escape(value) + "; expires=Thu, 01-Jan-2055 00:00:01 GMT; path=/";
}
function getCookie(name) {
var cookie = " " + document.cookie;
var search = " " + name + "=";
var setStr = null;
var offset = 0;
var end = 0;
if (cookie.length > 0) {
offset = cookie.indexOf(search);
if (offset != -1) {
offset += search.length;
end = cookie.indexOf(";", offset)
if (end == -1) {
end = cookie.length;
}
setStr = unescape(cookie.substring(offset, end));
}
}
return(setStr);
}
function changeShflStatus(el) {
nowPlay = plIndex[playItem];
if (el.checked) {
setCookie("jlp_shfl","shuffle");
plIndex.sort(randOrd);
} else {
setCookie("jlp_shfl","notshuffle");
plIndex.sort();
}
playItem = plIndex.find(nowPlay);
}
</script>
<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js"></script>
<script type="text/javascript">jQuery.noConflict();</script>
<link href="<?=$base_uri?>/modules/mod_jlplayer/skin/skin.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jquery.jplayer.min.js"></script>
<script type="text/javascript">
var playItem = 0;
jQuery(function(){
var jpPlayTime = jQuery("#jplayer_play_time");
var jpTotalTime = jQuery("#jplayer_total_time");
var jlp_shfl = getCookie("jlp_shfl");
if (jlp_shfl == "shuffle") {
document.getElementById('jlp_shfl').checked = true;
} else if (jlp_shfl == "notshuffle") {
document.getElementById('jlp_shfl').checked = false;
}
jsuri = baseuri+"/modules/mod_jlplayer/js/";
jQuery("#jquery_jplayer").jPlayer({
ready: function() {
displayPlayList();
playListInit(enable_autoplay); // Parameter is a boolean for autoplay.
},
errorAlerts:true,
warningAlerts:true,
swfPath: jsuri
})
.jPlayer("onProgressChange", function(loadPercent, playedPercentRelative, playedPercentAbsolute, playedTime, totalTime) {
jpPlayTime.text(jQuery.jPlayer.convertTime(playedTime));
jpTotalTime.text(jQuery.jPlayer.convertTime(totalTime));
})
.jPlayer("onSoundComplete", function() {
playListNext();
});
jQuery("#jplayer_previous").click( function() {
playListPrev();
return false;
});
jQuery("#jplayer_next").click( function() {
playListNext();
return false;
});
});
function displayPlayList() {
for (i=0; i < myPlayList.length; i++) {
jQuery("#jplayer_playlist").append("<div id='jplayer_playlist_item_"+i+"'>"+ myPlayList[i].name +"</div>");
jQuery("#jplayer_playlist_item_"+i).data( "index", i ).click( function() {
var index = jQuery(this).data("index");
if (plIndex[playItem] != index) {
_index = plIndex.find(index);
playListChange( _index, index );
} else {
jQuery("#jquery_jplayer").jPlayer("play");
}
});
}
}
function playListInit(autoplay) {
if(autoplay) {
playListChange(0, plIndex[0] );
} else {
playListConfig(0, plIndex[0] );
}
}
function playListConfig(_index, index ) {
jQuery("#jplayer_playlist_item_"+plIndex[playItem]).removeClass("jplayer_playlist_current");
jQuery("#jplayer_playlist_item_"+index).addClass("jplayer_playlist_current");
playItem = _index;
jQuery("#jquery_jplayer").jPlayer("setFile", myPlayList[plIndex[playItem]].mp3);
}
function playListChange(_index, index ) {
playListConfig(_index, index );
jQuery("#jquery_jplayer").jPlayer("play");
}
function playListNext() {
var _index = (playItem+1 < myPlayList.length) ? playItem+1 : 0;
var index = plIndex[_index];
playListChange(_index, index );
}
function playListPrev() {
var _index = (playItem-1 >= 0) ? playItem-1 : myPlayList.length-1;
var index = plIndex[_index];
playListChange(_index, index );
}
</script>
<?php include_once(JPATH_ROOT.DS.'modules/mod_jlplayer/skin/tpl.php'); ?>
<?php
}
I was messing around in there with $file
if ($server_utf8 == 1) {
$fname = rawurlencode($file[count($file)-1]);
} else {
$fname = rawurlencode($file[count($file)-1]);
}
$fname = substr($fname, 0, -4);
$file = $host."/".$music_dir."/psp.php?name=".$fname;
echo $file;
I am unsure how to retreive a file title only, with out the whole path, just the name and not even the file ext.It comes up with all the files names in the echo. Also I am not sure how joomline chooses just one file. I am not a php designer and I am quite confused lol Any help would be appreciated! Thank you. I'm building an e-commerce website using php and mysql and I'm a bit worried about security issues. The website is going to be handling personal information so I want to make sure that it's secure and that no-one can get hold of it. I don't really have any idea about and security issues or problems that I could run into and perhaps you could point me in the direction or some tutorials that would be really great. Also if anyone here has been in the same situation what did you do to make your site as secure as possible? Thanks for any help. Hi there, I'm in serious need to find a way to block people from a website I code for. The thing is, we have a jailing system, nice and simple, and IP/email ban system too. But with proxies, advertisers and repeated troublemakers keep coming back because we just get the new proxy IP each time and it's a losing battle. What I need is a way to ban them properly from the site, like somehow stopping the computer they use from accesing the site. someone once said you can use a cookie to stop a browser getting on the site, but I don't know how to set it up to give the cookies out upon login and find the one associated to an account we don't want (by "cookie" banning I guess?") and stop them from logging in. Hi This is the senario: User logs in, if successful connection details for his database are stored in a session variables which are used to access information. Are there any precautions I need to make sure the data in the sessions are safe? Thanks |
|||||||