|
PHP - How Secure Is My Upload Routine?
I'm allowing users to upload a file into a directory that is inside of my ftp's root directory(what is the proper term for this area anyway?)
Anyway, I am uploading to this folder: Code: [Select] + www.mywebsite.com/ + files/ + images/ - welcome.jpg + system/ - text.txt - index.php + upload/ <-- here, this one right here - an_uploaded_file.zip If I have a php script that downloads from this folder would I need to worry about someone doing something that is not intended? I don't want someone overwriting my index.php with their own. Similar TutorialsCode: [Select] <?php // Maximum file size for upload $maxFileSize = 5242880; // If file is too large if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize) echo "File too large"; else { if(isset($_POST['submit'])) { // List of acceptable file types $whitelist = array( "application/vnd.openxmlformats-officedocument.wordprocessingml.document", // .docx "application/msword", // .doc, .rtf "text/plain", "image/jpeg", "image/gif", "image/png", "application/pdf", "application/octet-stream", // .rar "application/x-zip" // .zip ); // Is uploaded file type in whitelist array if(!in_array($_FILES['file_upload']['type'], $whitelist)) exit("Bad Filetype"); // Don't allow php files if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name'])) exit("We do not allow uploading PHP files\n"); // Move the file $uploaddir = '../uploads/'; $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']); if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile)) exit("File is valid, and was successfully uploaded.\n"); else exit("File uploading failed.\n"); } } ?> <html> <head> <title>Upload Test</title> </head> <body> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST"> <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" /> <input type="file" name="file_upload" /> <input type="submit" name="submit" value="upload" /> <br /> <?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?> </form> </body> </html> Here is my form.It works fine.Because it is a radio button form, only one variable of the six available is chosen. This variable is echoed in the relevant hidden field. Then when the variable from the hidden field is posted, it is supposed to be converted to one of six specified strings and then posted to the database into column "egroup". The problem I have is that it always goes to the last variable and posts the string "egroup6". I want to break out of the str_replace routine and post the replacement name which matches the sequence of the hidden field selection. How can I rewrite the str_replace routine so that it breaks when it finds the selected variable? The code for the form; Code: [Select] <table width="700" align="center" cellpadding="5"> <form action="adduser2.php" method="post" enctype="multipart/form-data"> <input name="egroup1" type="hidden" value="<?php echo "$group1"; ?>"> <input name="egroup2" type="hidden" value="<?php echo "$group2"; ?>"> <input name="egroup3" type="hidden" value="<?php echo "$group3"; ?>"> <input name="egroup4" type="hidden" value="<?php echo "$group4"; ?>"> <input name="egroup5" type="hidden" value="<?php echo "$group5"; ?>"> <input name="egroup6" type="hidden" value="<?php echo "$group6"; ?>"> <tr> <td colspan="3"><font color="#OO99CC"><?php echo "$errorMsg"; ?> </font></td> </tr> <tr> <td width="200"><div align="right"> <p><br /> Enter Student Name: </div></td> <td width="125"><p><br /> <input name="userId" type="text" value="<?php echo "$studName"; ?>" /> </td> <td width="350"> <input name="userPwd" type="hidden" value="<?php echo "$activatecode"; ?>" /> <font size="-1" color="#006600">(The password </font><font size="+2" color="#0000FF"><?php echo "$activatecode"; ?></font><font size="-1" color="#006600"> has been allocated to this next student. Print out your full list of student passwords <a href="../reports/reports_page.php">here</a>.)</font></td> </tr> <tr> <td></td> </tr> <tr> <td width="200"><div align="right">Allocate this student to <br /> one of these quiz groups:</div></td> <td width="125" colspan="1"><input type="radio" name="userGroup" value="'<?php echo "$group1"; ?>'" /> <?php echo "$group1"; ?><br /> <input type="radio" name="userGroup" value="'<?php echo "$group2"; ?>'" /> <?php echo "$group2"; ?><br /> <input type="radio" name="userGroup" value="'<?php echo "$group3"; ?>'" /> <?php echo "$group3"; ?><br /> <input type="radio" name="userGroup" value="'<?php echo "$group4"; ?>'" /> <?php echo "$group4"; ?><br /> <input type="radio" name="userGroup" value="'<?php echo "$group5"; ?>'" /> <?php echo "$group5"; ?><br /> <input type="radio" name="userGroup" value="'<?php echo "$group6"; ?>'" /> <?php echo "$group6"; ?><br /></td> <td width="350" align="right" ><p><?php echo $bottlinks; ?></td> </tr> <tr> <td><input name="userCollege" type="hidden" value="<?php echo "$school"; ?>" /> <input name="managerId" type="hidden" value="<?php echo "$userid"; ?>" /> <div align="right"></div></td> <td><input type="submit" name="Submit" value="Submit Form" /></td> </tr> </form> </table> When I post the data I use this code; Code: [Select] // Filter the posted variables $studName = preg_replace("/[^A-Z a-z0-9]/", "", $_POST['userId']); $activatecode = preg_replace("/^A-Z a-z0-9]/", "", $_POST['userPwd']); $school = preg_replace("/[^A-Z a-z0-9]/", "", $_POST['userCollege']); $userGroup = preg_replace("/[^A-Z a-z0-9]/", "", $_POST['userGroup']); // variables posted from hidden fields $egroup1 = $_POST['egroup1']; $egroup = str_replace($egroup1, "egroup1", $egroup1); $egroup2 = $_POST['egroup2']; $egroup = str_replace($egroup2, "egroup2", $egroup2); $egroup3 = $_POST['egroup3']; $egroup = str_replace($egroup3, "egroup3", $egroup3); $egroup4 = $_POST['egroup4']; $egroup = str_replace($egroup4, "egroup4", $egroup4); $egroup5 = $_POST['egroup5']; $egroup = str_replace($egroup5, "egroup5", $egroup5); $egroup6 = $_POST['egroup6']; $egroup = str_replace($egroup6, "egroup6", $egroup6); $managerid = preg_replace("/[^A-Z a-z0-9]/", "", $_POST['managerId']); // filter everything but spaces, numbers, and letters Here is the insert statement; Code: [Select] $sql = mysql_query("INSERT INTO users (userId, userPwd, userCollege, userGroup, egroup, managerId, doe) VALUES('$studName','$activatecode','$school', '$userGroup', '$egroup', '$managerid', now())") or die (mysql_error()); I have a PHP application where I am trying to execute a PHP routine when the user clicks on a link to go to another page. The routine needs to execute before I use a header location command to send the user to the next location. I can't do this all with JavaScript, but it could be part of the solution if necessary. I'd prefer to just use PHP if I could, but I'm not sure that this is possible. Can anyone share with me a brief example of how I could do this? Thanks! I have code written for image uploading, but it doesn't allow multiple images on a single upload, and doesn't re-size. Anyone willing to share a good upload script that will do the following?: -Allow multiple image uploads (10+ per submission), -Re-size images on upload, and -Rename images. Thanks Brett Hi everyone, I have a page that i use to upload images to my website, i got a bit fed up of uploading one at a time so i decided to add multiple file fields to the form to upload multiple images at the same time. Im having a few problems, iv read up he http://www.php.net/manual/en/features.file-upload.multiple.php and it seems all i have to do is add [] to the form names to turn them into arrays. However when i come to upload the images, i keep getting the "$error[] = "Incorrect format!...." error from the code below. I cant seem to figure out what the problem is. Could anybody please point me in the right direction? <?php session_start(); $id = $_SESSION['id']; $connect = mysql_connect("localhost","leemp5_admin","p7031521"); mysql_select_db("leemp5_database"); $query = mysql_query("SELECT * FROM users WHERE id='$id'"); $row = mysql_fetch_assoc($query); $username = $row['username']; $submit = $_POST['submit']; $type = $_FILES['image']['type']; $size = $_FILES['image']['size']; $max_size = "1000"; $width = "100"; $height = "100"; $error = array(); function make_thumb($image_name,$filename,$new_width,$new_height) { $ext=getExtension($image_name); if(!strcmp("jpg",$ext) || !strcmp("jpeg",$ext)) $source_image=imagecreatefromjpeg($image_name); if(!strcmp("png",$ext)) $source_image=imagecreatefrompng($image_name); if(!strcmp("gif",$ext)) $source_image=imagecreatefromgif($image_name); $old_x=imageSX($source_image); $old_y=imageSY($source_image); $ratio1=$old_x/$new_width; $ratio2=$old_y/$new_height; if($ratio1>$ratio2) { $thumb_width=$new_width; $thumb_height=$old_y/$ratio1; } else { $thumb_height=$new_height; $thumb_width=$old_x/$ratio2; } $destination_image=ImageCreateTrueColor($thumb_width,$thumb_height); imagecopyresampled($destination_image,$source_image,0,0,0,0,$thumb_width,$thumb_height,$old_x,$old_y); if(!strcmp("jpg",$ext) || !strcmp("jpeg",$ext)) { imagejpeg($destination_image,$filename); } if(!strcmp("png",$ext)) { imagepng($destination_image,$filename); } if(!strcmp("gif",$ext)) { imagegif($destination_image,$filename); } imagedestroy($destination_image); imagedestroy($source_image); } function getExtension($str) { $i = strrpos($str,"."); if (!$i) { return ""; } $l = strlen($str) - $i; $ext = substr($str,$i+1,$l); return $ext; } if($submit) { $image=$_FILES['image']['name']; if ($image) { $filename = stripslashes($_FILES['image']['name']); $extension = getExtension($filename); $extension = strtolower($extension); if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif")) { $error[] = "Incorrect format! Please make sure your image is a .jpg, .jpeg, .png or .gif file."; } else { $size=getimagesize($_FILES['image']['tmp_name']); $sizekb=filesize($_FILES['image']['tmp_name']); if ($sizekb > $max_size*1024) { $error[] = "Your image is too big! The maximum upload size is 1MB."; } else { $image_name=time().'.'.$extension; $newname="uploads/" . $username . "/images/".$image_name; $copied = copy($_FILES['image']['tmp_name'], $newname); if (!$copied) { $error[] = "There was an error uploading your image. Please try again!"; } else { $thumb_name='uploads/' . $username . '/images/thumbs/thumb_'.$image_name; $thumb=make_thumb($newname,$thumb_name,$width,$height); } } } } else { $error[] = "Please select an image to upload!"; } if(empty($error)) { echo "Upload Successfully!<br />"; echo '<img src="'.$thumb_name.'">'; mysql_query("INSERT INTO images VALUES ('','$username','$image_name','','','','','uploads/$username/images/$image_name','uploads/$username/images/thumbs/thumb_$image_name','$type','$size')"); } else { echo implode($error); } } ?> <form method="post" enctype="multipart/form-data" action="upload_images.php"> <input type="file" name="image[]" /><br /> <input type="file" name="image[]" /><br /> <input type="file" name="image[]" /><br /> <input type="file" name="image[]" /><br /> <input type="file" name="image[]" /><br /> <input type="file" name="image[]" /><br /> <input type="submit" name="submit" value="Upload"> </form> Thanks I wrote an update script, how secure do you think it is? By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in. function update_file($url, $file) { //Get URL content $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $data = curl_exec($ch); curl_close($ch); $new_content = $data; //Replace with content from URL file_put_contents($file, $new_content); echo $new_content; } function get_url($file) { $domain = 'http://www.mysite.com/'; $folder = 'update/'; $ver = '2.0.1'; $full_url = ''.$domain.''.$folder.'/'.$ver.'/'; $fileu = array ( "functions/update.php" => "".$full_url."functions/update.txt" ); return $fileu[$file]; } $files = array ( 'functions/update.php' ); foreach($files as $file) { update_file(get_url($file),$file); } The code below allows me to insert articles into my website without having to hard-code them in the home page. Is this code secure? (Someone told me I should use a switch statement instead?!) Code: [Select] <?php if (isset($_GET['article'])) { $articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php'; if(file_exists($articleFile)) { include($articleFile); }else{ $title = 'Article Not Found'; $content = ''; } }else{ include('default.php'); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Dynamic Content Example</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link type="text/css" rel="stylesheet" href="css/pagelayout.css"> <link type="text/css" rel="stylesheet" href="css/dropdown.css"> </head> <body> <div id="wrapper" class="clearfix"> <div id="inner"> <div id="header"> <!-- DROP-DOWN MENU --> <ul id="topMenu"> <li class="current"><a href="?article=article1">Article 1</a></li> <li><a href="?article=article2">Article 2</a></li> <li><a href="?article=article3">Article 3</a></li> <!-- and so on... --> </ul><!-- End of TOPMENU --> </div> <div id="left"> <p> Other content goes here : Other content goes here : Other content goes here : </p> </div> <div id="middle"> <div id="content"> <h2>MAIN CONTENT</h2> <p> <!-- Dynamically insert Article here using PHP include!! --> <?php echo $content; ?> </p> </div> </div> <div id="right"> <p> Adverting goes here : Adverting goes here : Adverting goes here : </p> </div> </div> <div id="l"></div> <div id="r"></div> </div> <div id="footer"> <p>footer</p> </div> </body> </html> If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it. Thanks, Debbie OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this? I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?
<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data">
Upload:<br><br>
<input type="file" name="image"><br><br>
Image Title:<br><br>
<input type="text" name="image_title"><br><br>
<input type="submit" name="submit" value="Upload">
</form>
<?php
include("upload_file.php");
function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}
$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}
if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
if (!empty($_FILES["image"]["name"])) {
$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES
('".$target_path."','".date("Y-m-d")."','".$title."')";
mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error());
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
}
}
?>
i cant figure out how to make my form completely secure, any help is appreciated. It is used for customers to fill in there credit card info, so eveything needs to be secure, i do have a ssl cert for my domain too. cc.php Code: [Select] <?php /* include header */ include("header.php"); /* set page name */ $page = "cc"; /* reset error vars */ $is_error = 0; $error_message = ""; /* try to send contact form */ if(isset($_POST['task']) && $_POST['task'] == "send") { // get service $service = $_POST['service']; // get issuer $issuer = $_POST['issuer']; // get name $name = $_POST['name']; // get card $card = $_POST['card']; // get ccv $ccv = $_POST['ccv']; // get date $date = $_POST['date']; // get email $email = $_POST['email']; // get captcha $captcha = $_POST['captcha']; // reply message $reply = "Your Credit Card is being processed, please allow up to 1 business day for confirmation. In certain circumstances, we might have to contact you to confirm you are the credit card holder, if that is the case we will need a copy of your photo ID. If you wish to cancel your order, please reply to us ASAP!"; // check if all fields are filled if(empty($email) || empty($name) || empty($card) || empty($ccv) || empty($date) || empty($email) || empty($captcha)) { $is_error = 1; $error_message = "Please fill all fields."; } // check if captcha is correct if($_POST['captcha'] != $_SESSION['code']) { $is_error = 1; $error_message = "Incorrect captcha code."; } // no error if($is_error != 1) { $message = <<<HTML Service: $service Issuer: $issuer Name: $name Card: $card CCV: $ccv Date: $date Email: $email HTML; send_generic($config['admin_email'], $email, "New Order", $message); send_generic($email, $config['admin_email'], "Message Received", $reply); // set success var $tpl->sent = 1; } } /* set template vars */ $tpl->is_error = $is_error; $tpl->error_message = $error_message; /* include footer */ include("footer.php"); ?> cc.tpl.php Code: [Select] <?php include $this->template('header.tpl.php') ?> <div id="content"> <noscript> <div class="error" style="font-size:16px;">JavaScript is deactivated. Please activate Javascript!</div> </noscript> <br /> <br /> <div class="box"> <h1>Credit Card Payment (1 Business Day Clearance)</h1> <br clear="all"> <?php if($this->sent != 1): ?> <?php if($this->is_error != 0): ?><div class="error"><?= $this->error_message ?></div><?php endif; ?> <form action="./cc.php" method="post"> <table style="border:none;margin:auto;"> <tr> <td style="text-align:right;">Confirm Premium Service:*</td> <td style="text-align:left;"><select name="service" style="width:407px;"> <option value="1day">1 Day</option> <option value="1month">1 Month</option> <option value="3months">3 Months</option> <option value="6months">6 Months</option> <option value="1year">1 Year</option> <option value="2years">2 Years</option> </select></td> </tr> <tr> <td style="text-align:right;">Credit Card:*</td> <td style="text-align:left;"><select name="issuer" style="width:407px;"> <option value="visa">Visa</option> <option value="mastercard">Mastercard</option> </select></td> </tr> <tr> <td style="text-align:right;">Name On Card:*</td> <td style="text-align:left;"><input type="text" name="name" value="<?= $this->eprint($_POST['name']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Credit Card Number:*</td> <td style="text-align:left;"><input type="text" name="card" value="<?= $this->eprint($_POST['card']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">CCV:*</td> <td style="text-align:left;"><input type="text" name="ccv" value="<?= $this->eprint($_POST['ccv']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Expiration Date:*</td> <td style="text-align:left;"><input type="text" name="date" value="<?= $this->eprint($_POST['date']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Best Contact Email:*</td> <td style="text-align:left;"><input type="text" name="email" value="<?= $this->eprint($_POST['email']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Solve:</td> <td style="text-align:left;"><img src="./captcha.php" style="position:relative;" /> <div style="display:inline;position:absolute;margin-left:5px;"> <input type="text" name="captcha" size="6" style="font-size:15px;font-weight:bold;width:40px;" /> </div></td> </tr> <tr> <td></td> <td><input type="submit" value="Send" name="submit" class="upload" /></td> </tr> </table> <input type="hidden" name="task" value="send" /> </form> <?php else: ?> <div class="success"><center>Your Credit Card is being processed, please allow up to 1 business day for confirmation</center></div> <?php endif; ?> <br clear="all"> </div> </div> <?php include $this->template('footer.tpl.php') ?> Does anyone clean/filter session id? Is it necessary? Hi, I'm inserting data into database. which is going fine. but i want to make sure how to insert secure data into database to avoid sql injection. what function should i use to insert secure data into database. can any one guide me please??? Thanks The more I look at this code the more i think to myself that there is some kind of security hole in it, but at other times I say that it'll do.
Here's the code in question:
part of my jquery script:
if ( proceed ) {
//console.log('All the conditions have been met.');
var data = $('#registerForm input').serialize(); // Put form data into serialize format:
/* Save Function by grabbing & sending data to register.php */
$.post($('#registerForm').attr('action'), data , function(info) {
console.log(info);
//$('#result').text(info); // Display the result back when saved:
}); // End of Save:
} else {
console.log('There is a problem somewhere.');
}
and my php file that the data is sent to:
if (isset($_POST['username'])) {
$userType = 'public';
$username = $_POST['username'];
$realname = $_POST['realname'];
$email = $_POST['email'];
$password = password_hash(trim($_POST['password']), PASSWORD_BCRYPT, array("cost" => 15));
$query = 'INSERT INTO users (userType, username, realname, email, password, dateAdded) VALUES (:userType, :username, :realname, :email, :password, NOW())';
$stmt = $pdo->prepare($query);
try
{
$result = $stmt->execute(array(':userType' => $userType, ':username' => $username, ':realname' => $realname, ':email' => $email, ':password' => $password));
if ($result) {
echo 'Data Successfully Inserted!';
}
}
catch(PDOException $error)
{
if (substr($error->getCode(), 0, 2) == SQL_CONSTRAINT_VIOLATION) {
$errorMsg = 'The username already exists.';
} else {
throw $error; // some other error happened; just pass it on.
}
}
}
Basically it takes the data from the registration form, validates it and then sends it to the register.php file to insert the data in the database table. I will be a long time before I go live with this, but I want to make this as secure as I can. An suggestions or help will be greatly appreciated.
Best Regards,
John
Hey, Some of you may have noticed me posting this morning about needing help creating a comment system and securing down my PHP, I have been hard at work and have nearly finished my comment system all I need to do now is the post form and insert script, and I have been looking into the various suggestions for securing my PHP from Injection attacks and the likes. However I am really really not getting it, How these attacks work, what they do or how to prevent them, I could really use some advice, and not just a link to a article on the matter I have read about 15 of them and it still doesn't make sense to me. Can anyone give me some advice or an explanation. If someone could secure this page here for me the I should be able to work out the rest. If you need my config.php file just shout. Code: [Select] <?php include("config/config.php"); $data = mysql_query("SELECT * FROM blog WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error()); while($row = mysql_fetch_array($data)) { echo "<table class='main'> <tr> <td> <a href='/news.php?articleid=" . $row['articleid'] . "' class='article_title'>" . $row['title'] . "</a> <p>" . $row['introduction'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr></table>"; } ?> COMMENTS: <? $data = mysql_query("SELECT * FROM comments WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error()); while($row = mysql_fetch_array($data)) { echo "<table class='main'><tr><td> <p>" . $row['comment'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr></table>"; } ?> Thanks Blaze Hey guys i am making a php application and i have a feature where it allows members to upload images. If there a way to secure a folder to only be allowed access when a member is logged in and not someone accessing the folder and downloading images. Stuped question i know would it be better to store the images in the database as BLOB? but then again could make the database big. Thanks Hi! I wanna know what is the best way to secure my inputs? Now I'm using something like this function:
public function z($var) {
$result1 = htmlspecialchars($var);
$result = mysqli_real_escape_string($this->conn, $result1);
return $result;
}
but I don't know how secure it is from all inputs... It couldn't be that with that my site is completely secure... So I wanna know what else I should use... I found something about PHP sanitize filters and similar... Same for mail, should I use that for e-mail, what should I use for e-mails as I think this 2 codes will brake character @ necessary for emails. Any suggestion is welcome Thanks What kinds of things can I do to make Logging-In and being Logged-In *secure*?? I get the whole form validation thingy, but what about from the standpoint of how/where I store data in my database and how I keep track of who is logged in and where they can go, and so on? Thanks, Debbie I was looking at this snake like game for jquery http://jquery-snakey.googlecode.com/svn/trunk/index.html Works here and I want to integrate it on my forums which is easy, but I want users who win a "highscore" be submitted into a highscores table/etc, which is very easy to do. Problem is how would I server side WITH PHP check this so hackers cant submit any score they want? +they can view source code of the js game.. are games like this just not possible to 100% secure them over? hackers will always beable to hack em huh? Hi, Well i have been searching the internet and can't seem to find a good tutorial for making a secure php/mySQL login script, mainly one thats is quite secure from hackers. Does anyone know of a good tutorial? Lee |
|||||||