PHP - Protecting Included Files
Hi All,
I'm trying to secure my web app, which is currently in development, and came across this issue. I have a header.php and footer.php page which are included in every page, with the content in the middle. The problem is, if you visit header.php directly then it displays the header, with some blank text. What is the best way to protect this, i.e., if visited directly, it redirects to index.php etc.? My initial thought is to set a $happylink on each page and, in the header and footer, basically do the following:

Code:
<?php
if (isset($happylink) && !empty($happylink)) {
    // blah blah (render the header / footer)
} else {
    header("Location: index.php");
    exit; // stop here, otherwise the rest of the file is still sent after the redirect
}

Would that be the best way? Is there something easier?

Similar Tutorials

I've been wondering how to protect all the files that contain classes, functions and forms in PHP, to prevent direct access to something that the user shouldn't be able to reach without the proper checks (typing http://server/inc/login.php instead of http://server/), and I came to this small idea of checking whether an object is set or not, but I'm wondering if this is really the best idea. Here's what I have (the case below will protect a login form from being accessed directly):

Code:
<?php
// Bail out when this file is requested on its own (the including script sets $mysqlobj).
if (!isset($mysqlobj)) die();

if (isset($_POST['username']) && isset($_POST['password'])) {
    $login = authentication::login($_POST['username'], $_POST['password']);
    if ($login == true) {
        header('location:?go=home');
    } else {
        $_SESSION['message'] = 'loginfailed';
        header('location:?go=login');
    }
    exit; // nothing should be sent after a redirect
} else {
    if (!empty($_SESSION['logged']) && $_SESSION['logged'] == true) {
        header('location:?go=home');
        exit;
    } else {
?>
<div id="loginform">
<form action="?go=login" method="post">
<table align="center">
<tr>
<td><font size="2">Username</font></td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td><font size="2">Password</font></td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" value="Login" /></td>
</tr>
</table>
</form>
</div>
<?php
    }
}
?>
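Both the original question (the $happylink check) and the isset($mysqlobj) check in the post above want the same thing: an include file that refuses to render when a browser requests it on its own. The following is an added example, not code from either poster; the constant name IN_APP and the file names are my own choices. Two files are shown in one block.

```php
<?php
// ---- index.php (the only file a browser is meant to request) ----
// Define a marker constant BEFORE any include. A constant cannot be set from
// the request, unlike a plain variable under the old register_globals setting
// (removed in PHP 5.4), so the included files can trust it.
define('IN_APP', true);

session_start();
require __DIR__ . '/includes/header.php';
echo '<p>Page content goes here.</p>';
require __DIR__ . '/includes/footer.php';
```

```php
<?php
// ---- includes/header.php (same three-line guard goes at the top of footer.php) ----
if (!defined('IN_APP')) {
    // Requested directly: send the visitor to the front page, as the question asked.
    // For pure library files a bare http_response_code(403); is the clearer choice.
    header('Location: /index.php', true, 302);
    exit; // never keep executing after a redirect; the rest would still be sent
}
?>
<!DOCTYPE html>
<html>
<head><title>My app</title></head>
<body>
```

The strongest version of this is to keep the includes directory outside the document root altogether (require dirname(__DIR__) . '/app/header.php' or similar), so the web server cannot serve the files at all; the constant check then remains as a second line of defence for the day someone copies them back into a public directory. Note that the die() in the posted login form returns an empty 200 page, which tells an attacker nothing but also tells your monitoring nothing; an explicit 403 or redirect shows up clearly in access logs.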
Just looking for a "best practice". I tried Google for it but I couldn't get a straight answer; any enlightenment is appreciated.

Hi, I'm trying to write myself a tiny MVC framework and having some trouble:

Code:
<?php
class One {
    public function main() {
        $var = 'Hello';
        include('file.php');
    }
}
?>

file.php:

Code:
<?php echo $var; ?>

This doesn't work. Is there any way, without setting that variable to global, to reach it like that?

I have obviously done something wrong, for I get the following errors/warnings when running a simple script:

Warning: include(/var/www/www.stockton.co.za/doc/kiosk/includes/body-background.inc) [function.include]: failed to open stream: Permission denied in /var/www/www.stockton.co.za/doc/kiosk/MostRecent.php on line 10
Warning: include() [function.include]: Failed opening '/var/www/www.stockton.co.za/doc/kiosk/includes/body-background.inc' for inclusion (include_path='/var/www/www.stockton.co.za/doc/kiosk/includes') in /var/www/www.stockton.co.za/doc/kiosk/MostRecent.php on line 10
Warning: include(includes/error-handler.inc) [function.include]: failed to open stream: Permission denied in /var/www/www.stockton.co.za/doc/kiosk/MostRecent.php on line 11
Warning: include() [function.include]: Failed opening 'includes/error-handler.inc' for inclusion (include_path='/var/www/www.stockton.co.za/doc/kiosk/includes') in /var/www/www.stockton.co.za/doc/kiosk/MostRecent.php on line 11
Warning: include(includes/get-input.inc) [function.include]: failed to open stream: Permission denied in /var/www/www.stockton.co.za/doc/kiosk/MostRecent.php on line 12
Warning: include() [function.include]: Failed opening 'includes/get-input.inc' for inclusion (include_path='/var/www/www.stockton.co.za/doc/kiosk/includes') in /var/www/www.stockton.co.za/doc/kiosk/MostRecent.php on line 12
Fatal error: Call to undefined function mssql_connect() in /var/www/www.stockton.co.za/doc/kiosk/MostRecent.php on line 14

This is from the code:

Code:
<?php
ini_set('include_path', dirname(__FILE__) .'/includes');
// require_once(dirname(__FILE__) . "/includes/body-background.php");
include(dirname(__FILE__) .'/includes/body-background.inc');
include('includes/error-handler.inc');
include('includes/get-input.inc');

Please tell me what I have done wrong. This is with Apache2 on Ubuntu 10.4 and PHP 5.3.

Hi! I have 3 files: file 1 (index.php) includes 2 files, file2.php and file3.php. file2.php contains $aditionalStuff and in file3.php I want to use $aditionalStuff, but it won't work (like it wasn't initialized). How can I make this work?

index.php
Code:
include "file2.php";
include "file3.php";

file2.php
Code:
$aditionalStuff = 'some stuff';

file3.php
Code:
echo $aditionalStuff;

Thanks!

Does a session's scope carry over to included files? Let's say I have a file "index.php" and it has a session. If "index.php" includes a file called "header.inc.php", does the scope of the session in "index.php" carry over to the included header? For instance, could I check $_SESSION['LoggedIn'] in "header.inc.php"? Debbie

Hello, in my script I need to get the content of another PHP file as a string, including the content of all the files which are included in it and in lower levels. Any idea how to do it? I tried output buffer + include but it doesn't get the content of the included files. Thanks

Hello, I have a form for uploading CV files into a CV database. Once the files are uploaded to their directory (e.g. www.jobsboard.com/cvdatabase/), please could someone tell me how to restrict access to users? E.g. once a user logs into their user panel they should be able to click on a hyperlink to download a CV, e.g. (www.jobsboard.com/cvdatabase/CV1.doc), but a user who isn't logged in shouldn't be able to access www.jobsboard.com/cvdatabase/CV1.doc. Please could you tell me whether this is possible? Many thanks, Stu

Data siphoning is becoming more common every day,
Data siphoning is when you intercept the data and sniff between a client and a host, also known as sniffing a connection. (I am focusing on session hijacking.)
To protect clients I've decided to write an MD5 calculation function which changes a secure string (such as a password) to plain MD5.
Then once the MD5_password reaches PHP I BCRYPT it with cost 20 using password_hash.
_
MD5 is not ideal at all and I would like to write better encryption, but I only know how to do MD5 in JavaScript, and I really don't need that much security here.
The purpose is to not show sensitive information, which is going to be hashed on the server, during a data siphon attack.
_
Data siphoning cannot be protected against on the host server; the siphoning happens on the client's side, usually when they don't have a strong firewall or such.
What are some good techniques you would practice to protect from data siphoning?
Before the added security I was able to siphon this:
Username: Richard
Password: mypassword
After the added security I was able to siphon this:
Username: 6ae199a93c381bf6d5de27491139d3f9
Password: 5f4dcc3b5aa765d61d8327deb882cf99
Now the only vulnerability between the client and server is if the hacker DNS-hacks the client, which could redirect them to a website that looks like mine with the same EXACT URL, which I can't help.
The real username can be retrieved in a session on login.
The real username and password can be found if a hacker injects JS to remove the MD5 function, so if you know how to detect JavaScript injection I would like to know that as well.
______
Pretty much it looks like this:
Form -> Send md5(username) & md5(password) -> Server checks if match in database -> If so, login.
^ cypher ^cypher (session)
Edited by Richard_Grant, 12 September 2014 - 03:27 AM.

Hi, I was asked to create an app wherein the user may enter the email addresses of people manually, and it auto-generates a random key. Now this key will be used to access such pages, e.g.
proposal.test.com/ppc
proposal.test.com/seo
proposal.test.com/design
So, using the key (for example Sa22asdf), it should appear like this:
proposal.test.com/ppc/Sa22asdf
proposal.test.com/seo/Sa22asdf
proposal.test.com/design/Sa22asdf
Without the unique key generated during the input of the email address, the URLs mentioned shouldn't be accessible by anyone. Now my question is, how do I approach this in PHP? I have done the input for the email address and the generation of random keys, but I don't know yet what to do or how to do the securing of pages using those keys.
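For the proposal pages in the post above, here is an added example (not the poster's code) of the two halves of the job: generating an unguessable key when the email address is entered, and a gate that every protected page requires before it outputs anything. It assumes a PDO connection $pdo and a table invites(email, access_key), both my own choices, and that the web server rewrites /ppc/Sa22asdf into ppc.php?key=Sa22asdf.

```php
<?php
// ---- generate_key.php: called when an email address is entered (assumed form) ----
// 12 random bytes -> 24 hex characters. random_bytes() is a CSPRNG; rand(),
// mt_rand() and uniqid() are predictable and must not be used for access keys.
function makeAccessKey(): string
{
    return bin2hex(random_bytes(12));
}

function storeInvite(PDO $pdo, string $email, string $key): void
{
    // Prepared statement: the email is user input and never becomes SQL text.
    $stmt = $pdo->prepare('INSERT INTO invites (email, access_key) VALUES (?, ?)');
    $stmt->execute([$email, $key]);
}

// ---- gate.php: require this at the very top of ppc.php, seo.php and design.php ----
// Returns the invited email on success; ends the request otherwise.
function requireValidKey(PDO $pdo): string
{
    $key = $_GET['key'] ?? '';
    // Reject anything that is not exactly the shape we generate, before touching the DB.
    if (!preg_match('/^[0-9a-f]{24}$/', $key)) {
        http_response_code(404);   // say nothing about why
        exit;
    }
    $stmt = $pdo->prepare('SELECT email FROM invites WHERE access_key = ?');
    $stmt->execute([$key]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        http_response_code(404);   // unknown key looks the same as a missing page
        exit;
    }
    return $email;                 // the page can now personalise itself
}

// Usage inside ppc.php (placeholder page):
// require 'gate.php';
// $email = requireValidKey($pdo);
// ... render the proposal for $email ...
```

Two caveats a practitioner would add: a key carried in the URL ends up in browser history, server access logs and Referer headers, so treat it like a password (serve only over HTTPS, give it an expiry column, and let the owner revoke it), and use the full 24-character key rather than the 8-character Sa22asdf style from the post, which is short enough to guess at scale.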
I have a script that runs periodically by a launchd timer. I give the script a very tight timeout (set_time_limit(120);).

I have had a customer want to run my application (PHP/APACHE/MYSQL) on their server rather than a commercial hosting offering (JUSTHOST/GODADDY).
I am reluctant, as it means giving them access to my PHP code, which could possibly be copied or distributed.
Can I protect against this?
Hi, I'm putting together a database where, once logged in, a user is able to insert, update and delete records via HTML forms. The login is secured using mysql_real_escape_string, but I'm wondering, should I do the same for all form elements that pass data to the db? There is a wide range of inputs, from numeric, alphanumeric, dates and more. I'd appreciate your feedback. Regards, James

Hi all, I'm working on this site which I'll soon ask the guys in the testing forum to have a peek at. It's essentially an online community that was a uni project that has spiralled and grown exponentially. I've spent many, many hours in front of books and tutorials etc. to put it together and, as far as scripting goes, it seems to be fine. The problem I'm having: the tutorials that I read / watched were using eregi_replace to protect text fields and this is now unsupported. I want my site to be as secure as it can be, within reason. I've tried using preg_replace instead and have searched for the syntax but I keep getting strange results. I'm working on the "bio" field at the moment and then when that works I can move on and apply the same idea to the other fields. This is what I have and what I've changed.

Code:
if ($_POST['parse_var'] == "bio") {
    $bio_body = $_POST['bio_body'];
    //$bio_body = str_replace("'", "'", $bio_body); (WAS TESTING THIS BUT NO JOY)
    //$bio_body = str_replace("`", "'", $bio_body);
    $bio_body = mysql_real_escape_string($bio_body);
    $bio_body = nl2br(htmlspecialchars($bio_body));
    $bio = $_POST['bio'];
    $bio = eregi_replace("'", "'", $bio); // (This works but is not as secure)
    $bio = eregi_replace("`", "'", $bio);
    $bio = mysql_real_escape_string($bio);
    $bio = nl2br(htmlspecialchars($_POST['bio']));
    $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'");
    // and so on....
}

When I change it to str_replace, if I type in "don't" the whole word is deleted. When I type in preg I get an error. Can someone please give me the correct code / syntax for getting the result I want?
I just want to make sure that every single field that has user input is protected against any malicious attacks. Thanks.

Hi, I'm in trouble with a script. Mainly the problem is that the declared value is not reachable. Let's say I have a main.php file where I declare $user_id = '22'; and then I include a file that needs to get that value to work: include('somescript.php'); Now when I go over to somescript.php I write at the top print $user_id; and I get nothing. What am I doing wrong?

I understand that this is a header error but I still do not know how to fix it. I am trying to create a login box that is in the top right corner of my site. Once the user uses it to log in they need to be redirected to the account page. I include the login_box.php file in the appropriate div; however, the file uses header("Location: account.php"); to redirect the user. Because this file is included after the header I receive:

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\index.php:17) in C:\xampp\htdocs\layout_inc\login_box.php on line 76

What would be the correct way to do this? My code is below.
Thank you in advance

Code:
<?php
//Forms posted
if(!empty($_POST)) {
    $errors = array();
    $username = trim($_POST["username"]);
    $password = trim($_POST["password"]);
    $remember_choice = trim($_POST["remember_me"]);

    //Perform some validation
    //Feel free to edit / change as required
    if($username == "") {
        $errors[] = lang("ACCOUNT_SPECIFY_USERNAME");
    }
    if($password == "") {
        $errors[] = lang("ACCOUNT_SPECIFY_PASSWORD");
    }
    //End data validation

    if(count($errors) == 0) {
        //A security note here, never tell the user which credential was incorrect
        if(!usernameExists($username)) {
            $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
        } else {
            $userdetails = fetchUserDetails($username);
            //See if the user's account is activated
            if($userdetails["Active"]==0) {
                $errors[] = lang("ACCOUNT_INACTIVE");
            } else {
                //Hash the password and use the salt from the database to compare the password.
                $entered_pass = generateHash($password,$userdetails["Password"]);
                if($entered_pass != $userdetails["Password"]) {
                    //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
                    $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
                } else {
                    //Passwords match! we're good to go
                    //Construct a new logged in user object
                    //Transfer some db data to the session object
                    $loggedInUser = new loggedInUser();
                    $loggedInUser->email = $userdetails["Email"];
                    $loggedInUser->user_id = $userdetails["User_ID"];
                    $loggedInUser->hash_pw = $userdetails["Password"];
                    $loggedInUser->display_username = $userdetails["Username"];
                    $loggedInUser->clean_username = $userdetails["Username_Clean"];
                    $loggedInUser->remember_me = $remember_choice;
                    $loggedInUser->remember_me_sessid = generateHash(uniqid(rand(), true));
                    //Update last sign in
                    $loggedInUser->updateLastSignIn();
                    if($loggedInUser->remember_me == 0)
                        $_SESSION["userCakeUser"] = $loggedInUser;
                    else if($loggedInUser->remember_me == 1) {
                        $db->sql_query("INSERT INTO ".$db_table_prefix."Sessions VALUES('".time()."', '".serialize($loggedInUser)."', '".$loggedInUser->remember_me_sessid."')");
                        setcookie("userCakeUser", $loggedInUser->remember_me_sessid, time()+parseLength($remember_me_length));
                    }
                    //Redirect to user account page
                    header("Location: account.php");
                    die();
                }
            }
        }
    }
}
if(!isUserLoggedIn()) {?>
<form name="newUser" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<table>
<tr>
<td><label>Username:</label></td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td><label>Password:</label></td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td><label> </label> <input type="submit" value="Login" class="submit"/></td>
<td><input type="checkbox" name="remember_me" value="1" /> <label style="font-size:12px">Remember Me?</label></td>
</tr>
</table>
<div style="text-align:center;">
<a href="register.php" class="info">Register</a> | <a href="forgot-password.php" class="info">Forgot Password?</a>
</div>
</form>
<?php } else {?>
<h1>Welcome <?php echo $loggedInUser->display_username; ?> </h1>
<br/>
<a href="account.php" class="info">Dashboard</a> | <a href="logout.php" class="info">Logout</a>
<?php } ?>

I hope that subject made sense!
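The warning in the post above appears because header() is called after index.php has already started sending HTML. The usual fix is to do the credential check in a file that index.php requires before it prints anything, and leave the included login box as markup only. The following is an added example, not UserCake's code nor anything from this thread. It also covers two earlier questions: Richard_Grant's hashing (hash on the server with password_hash(); note that a bcrypt cost of 20 means 2^20 rounds and takes tens of seconds per login, so 10 to 13 is the practical range) and James's escaping question (a prepared statement makes per-field escaping unnecessary). It assumes a PDO connection $pdo and a users table with id, username and password_hash columns, all my own choices.

```php
<?php
// ---- auth_handler.php: require this at the TOP of index.php, before any HTML ----
session_start();

// Registration side: store only a bcrypt hash. PASSWORD_DEFAULT is bcrypt today;
// cost 12 is a sensible balance (cost 20 would take tens of seconds per check).
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Returns the user's id on success, null on failure, and never says which part was wrong.
function attemptLogin(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a well-formed dummy hash when the user is unknown, so the
    // response time does not reveal whether the username exists.
    $hash = is_array($row) ? $row['password_hash'] : '$2y$12$' . str_repeat('0', 53);
    if (!password_verify($password, $hash) || !is_array($row)) {
        return null;
    }
    // Transparent upgrade if the stored cost or algorithm is out of date.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([hashPassword($password), $row['id']]);
    }
    return (int) $row['id'];
}

$loginError = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $userId = attemptLogin($pdo, (string) $_POST['username'], (string) $_POST['password']);
    if ($userId !== null) {
        session_regenerate_id(true);      // new session id after login defeats session fixation
        $_SESSION['user_id'] = $userId;
        header('Location: account.php');  // nothing has been output yet, so this is allowed
        exit;
    }
    $loginError = 'Invalid username or password.';
}
// index.php continues: require header.php, then the login box (markup only, showing $loginError), ...
```

With this split, login_box.php never calls header() at all; it only renders the form or the "Welcome" line based on $_SESSION. On the wire, the protection Richard_Grant is after comes from TLS, not from hashing in the browser: whatever the browser sends is what the server accepts, so a captured md5(password) is as good as the password itself.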
I have a page where I want to generate page-specific keywords automatically. Actually I have some general keywords stored in a text file and then I add the page-specific ones after those. The problem is, however, solely caused by the keywords I pull from my text file. A "1" is added to my list of keywords. Consider a news page like so:

news.php
Code:
// ...
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="<?php require('php/generateKeywordList.php'); ?>" />
</head>
// ...

And then generateKeywordList.php
Code:
// I have omitted the part with the page-specific keywords, because it is not what causes the problem (commented it all out)
set_include_path('/mypath/');
$str = require_once('includes/websiteKeywords.txt');
echo $str; // For some reason, the number 1 is added at the end of this string

websiteKeywords.txt (it doesn't matter what I put in there)
Code:
these, are, my, keywords, for, my, website

In my meta tag, the above would be displayed as:
Code:
these, are, my, keywords, for, my, website1

I then tried to make a simple PHP page like this:
Code:
$keywords = require('includes/websiteKeywords.txt');
echo $keywords;

... and it worked. At the moment I have absolutely no idea where the number 1 comes from. So, basically, if I include the keywords directly from the text file into my meta tag, it displays fine. If I make a simple PHP page where I echo out the keywords from the text file, it displays fine. But if I include my PHP script, which echoes the keywords, into my meta tag, the number 1 is added at the end of the string. Am I completely missing something here or is this extremely strange? Thanks for any help!

Hello: I have this code in an included file:

myNav.php
Code:
function spLeftMenu() {
    $spLeftMenu = "
    <p>
    <div id=\"myLeftNavPaper\">
    <img src=\"images/sidePaperTop.png\" alt=\"\" />
    <div id=\"myLeftNavPaper2\">
    echo \". $mySideBarPageData .\"
    </div>
    <img src=\"images/sidePaperBottom.png\" alt=\"\" />
    </div>
    </p>
    ";
    return $spLeftMenu;
}

I cannot get:
Code:
echo \". $mySideBarPageData .\"

to display the results on this page:

Page.php
Code:
<html>
...
<?php echo spLeftMenu(); ?>
...
</html>

What am I missing??

So far I have managed to create an upload process which uploads a picture, updates the database with the file location and then tries to update the db a second time to set the Thumbnails file location (I tried updating the thumbnails location in one go and for some reason this causes failure). But the main problem is that it doesn't upload some files. Here is my upload.php:

Code:
<?php
include 'dbconnect.php';
$statusMsg = '';
$Title = $conn->real_escape_string($_POST['Title']);
$BodyText = $conn->real_escape_string($_POST['ThreadBody']);
// File upload path
$targetDir = "upload/";
$fileName = basename($_FILES["file"]["name"]);
$targetFilePath = $targetDir . $fileName;
$fileType = pathinfo($targetFilePath, PATHINFO_EXTENSION);
$Thumbnail = "upload/Thumbnails/'$fileName'";
if(isset($_POST["submit"]) && !empty($_FILES["file"]["name"])){
    // Allow certain file formats
    $allowTypes = array('jpg','png','jpeg','gif','pdf', "webm", "mp4");
    if(in_array($fileType, $allowTypes)){
        // Upload file to server
        if(move_uploaded_file($_FILES["file"]["tmp_name"], $targetFilePath)){
            // Insert image file name into database
            $insert = $conn->query("INSERT into Threads (Title, ThreadBody, filename) VALUES ('$Title', '$BodyText', '$fileName')");
            if($insert){
                $statusMsg = "The file ".$fileName." has been uploaded successfully.";
                $targetFilePathArg = escapeshellarg($targetFilePath);
                $output=null;
                $retval=null;
                //exec("convert $targetFilePathArg -resize 300x200 ./upload/Thumbnails/'$fileName'", $output, $retval);
                exec("convert $targetFilePathArg -resize 200x200 $Thumbnail", $output, $retval);
                echo "REturned with status $retval and output:\n";
                if ($retval == null) {
                    echo "Retval is null\n";
                    echo "Thumbnail equals $Thumbnail\n";
                }
            }else{
                $statusMsg = "File upload failed, please try again.";
            }
        }else{
            $statusMsg = "Sorry, there was an error uploading your file.";
        }
    }else{
        $statusMsg = 'Sorry, only JPG, JPEG, PNG, GIF, mp4, webm & PDF files are allowed to upload.';
    }
}else{
    $statusMsg = 'Please select a file to upload.';
}
//Update SQL db by setting the thumbnail column to equal $Thumbnail
$update = $conn->query("update Threads set thumbnail = '$Thumbnail' where filename = '$fileName'");
if($update){
    $statusMsg = "Updated the thumbnail to sql correctly.";
    echo $statusMsg;
} else {
    echo "\n Failed to update Thumbnail. Thumbnail equals $Thumbnail";
}
// Display status message
echo $statusMsg;
?>

And this does work on most files; however it is not working on a 9.9mb png file which is named "test.png". I tested on another 3.3 mb gif file and that failed too. For some reason it returns the following:

Updated the thumbnail to sql correctly.Updated the thumbnail to sql correctly.

Whereas on the files it works on it returns:

REturned with status 0 and output:
Retval is null
Thumbnail equals upload/Thumbnails/'rainbow-trh-stache.gif'
 Failed to update Thumbnail. Thumbnail equals upload/Thumbnails/'rainbow-trh-stache.gif'The file rainbow-trh-stache.gif has been uploaded successfully.

Any idea on why this is?

Hello, I have a simple question about file handling... Is it possible to list all files in directories / subdirectories, and then read ALL files in those dirs, and put the content of each file into an array?
Like this:

array:
[SomePath/test.php] = "All In this php file is being read by a new smart function!";
[SomePath/Weird/hello.txt] = "Hello world. This is me and im just trying to get some help!";

and so on, until no further files exist in that rootdir. All my attempts went totally crazy and none of them works... therefore I need to ask you for help. Do you have any ideas how to do this? If so, how can I do it? Thanks in advance, pros
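For the upload.php script posted earlier in this thread (the thread/thumbnail handler), here is an added example, not the poster's code, of the checks a safer version performs: the file is renamed server-side, the type is decided from the bytes rather than the user-supplied extension, every shell argument goes through escapeshellarg(), exec()'s exit status is compared to the integer 0, and the database writes use prepared statements. Table, column and directory names follow the post; $conn is assumed to be an open mysqli connection.

```php
<?php
// Allowed types keyed by the MIME type sniffed from the file contents (my choice of list).
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif',
    'application/pdf' => 'pdf', 'video/webm' => 'webm', 'video/mp4' => 'mp4',
];
const MAX_BYTES = 20 * 1024 * 1024;

// Moves one entry of $_FILES into $targetDir; returns [storedName, fullPath, mime] or throws.
function storeUpload(array $file, string $targetDir): array
{
    // Check PHP's own error code first: UPLOAD_ERR_INI_SIZE means upload_max_filesize was hit.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Sniff the real type; the client-supplied name and $_FILES['type'] are untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // Server-chosen name: nothing from the user reaches the path, the shell or the DB as a name.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($targetDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return [$stored, $dest, $mime];
}

// Thumbnail for images only; both arguments are quoted for the shell.
function makeThumbnail(string $src, string $thumbDir, string $stored): ?string
{
    $thumb = rtrim($thumbDir, '/') . '/' . $stored;
    $cmd = 'convert ' . escapeshellarg($src) . ' -resize 200x200 ' . escapeshellarg($thumb);
    exec($cmd, $output, $retval);
    return $retval === 0 ? $thumb : null;   // 0 is success; the post compared it to null
}

function saveThread(mysqli $conn, string $title, string $body, string $stored, ?string $thumb): int
{
    $stmt = $conn->prepare('INSERT INTO Threads (Title, ThreadBody, filename, thumbnail) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $title, $body, $stored, $thumb);   // a null $thumb is stored as NULL
    $stmt->execute();
    return $conn->insert_id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    try {
        [$stored, $dest, $mime] = storeUpload($_FILES['file'], 'upload');
        $thumb = strncmp($mime, 'image/', 6) === 0 ? makeThumbnail($dest, 'upload/Thumbnails', $stored) : null;
        saveThread($conn, (string) ($_POST['Title'] ?? ''), (string) ($_POST['ThreadBody'] ?? ''), $stored, $thumb);
        echo 'Upload stored as ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        error_log($e->getMessage());   // detailed reason stays in the server log
        echo 'Upload rejected.';
    }
}
```

On the "large files disappear" symptom from the post: when a request exceeds post_max_size PHP discards $_POST and $_FILES entirely, and when only upload_max_filesize is exceeded the entry is present with error set to UPLOAD_ERR_INI_SIZE. Checking the error code before anything else, and those two php.ini limits, is where to start. Writing the thumbnail path with the file name in single quotes, as the posted code does, also means the quotes become part of the stored path.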
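For the last question, here is an added example (not the poster's code) that uses PHP's RecursiveDirectoryIterator to build the array described above. It does not follow symbolic links and checks each resolved path against the root with realpath(), so a link planted inside the tree cannot pull in files from elsewhere on the disk; the root path in the usage line is a placeholder.

```php
<?php
// Returns [relative path => file contents] for every regular file under $root.
function readTree(string $root, int $maxBytes = 1048576): array
{
    $base = realpath($root);
    if ($base === false || !is_dir($base)) {
        throw new InvalidArgumentException("Not a directory: $root");
    }
    $result = [];
    // SKIP_DOTS drops '.' and '..'. FOLLOW_SYMLINKS is deliberately NOT set,
    // so symlinked directories are not descended into.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ($it as $path => $info) {
        /** @var SplFileInfo $info */
        if ($info->isLink() || !$info->isFile()) {
            continue;                       // skip symlinked files and anything that is not a regular file
        }
        $real = $info->getRealPath();
        // Belt and braces: the resolved path must still be inside $base.
        if ($real === false || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            continue;
        }
        if ($info->getSize() > $maxBytes) {
            continue;                       // do not load huge files into memory
        }
        $rel = substr($path, strlen($base) + 1);
        $result[$rel] = file_get_contents($path);
    }
    ksort($result);
    return $result;
}

// Usage (path is a placeholder):
// print_r(readTree('/var/www/SomePath'));
```

If the tree being read contains anything a user can write to (an upload directory, for instance), keep the $maxBytes cap and remember that the contents come back as raw bytes: escape them with htmlspecialchars() before echoing any of it into a page.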