PHP - Root Protection
I have been getting a lot more client requests to protect files. What is the easiest way to do this?
So, basically I have tried doing it outside the public directory. There are too many things that cause issues with this. I haven't been able to get a successful implementation of this since I started working with this. So I was thinking instead about password protecting a directory that is inside public view, but still get files via PHP. Is there a way to set up a password protected directory, then retrieve stuff from that directory using PHP? Or, a good way to put them outside the public folder? Everything I have tried to do to get a file to save outside of public view has not worked. It always says uploaded but the file is never there. Also, I have verified correct permission for this as well.

Similar Tutorials

hello.
I'm trying to password protect my pages in a simple way like this:
but for some reason it doesn't check the login file, so it doesn't work:
<?php require_once 'login.php'; ?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
<style type="text/css">
#form1 table tr td label {
}
#form1 table {
    text-align: left;
}
#wrapper {
    margin: 20px auto;
    text-align: center;
    font-size: 20px;
}
#wrapper2 {
    margin: 20px auto;
    text-align: center;
    font-size: 20px;
}
</style>
</head>
<body>
<div id="wrapper">
--<a href="tilfojer.html">Tilføj Aktivitet</a>--<br>
--<a href="tilfojtilvalg.html">Tilføj Tilvalg</a>--<br>
--<a href="tilfojrestaurant.html">Tilføj Restaurant</a>--<br>
--<a href="tilfojmenu.html">Tilføj Menu</a>--
</div>
<div id="wrapper2">
--<a href="seaktivitet.php">Se Aktiviteter</a>--<br>
--<a href="setilvalg.php">Se Tilvalg</a>--<br>
--<a href="serestaurant.php">Se Restauranter</a>--<br>
--<a href="semenu.php">Se Menuer</a>--
</div>
</body>
<a href="?logout=1">Logout</a>
</html>

That is how I implemented it. Made the file a PHP file. Can someone tell me why it doesn't work, and maybe how to make it work, and why that works? Many thanks.

How would this code work?
Code: [Select]
if ($_POST['username'] == "[, ., ,, _, -" ){
    die('Invalid characters.');
}
I want it to mean if there are any characters like ", [ . - _ ' " or anything in the username then die('invalid characters.'); for extra safety.

I want to password protect my entire website. How would I go on to doing this? There is a website that has this already ( I want to do the exact same thing but not sure how to. Can someone please help me?

I need to know what I need to care about while I'm coding, how someone can hack my PHP code. Some tricks for protection pls?
I'm having some robots injecting gibberish. I want to deny any links in the requesttext of the form. For some reason I tested it and it accepted an http link.
Code: [Select]
if (preg_match("/http/i","$RequestText")){
    exit();
}
Thanks.

I have a contact form, and I want to make sure it doesn't send a bunch of duplicates if the page is refreshed after being submitted. Simple way is to make sure this record isn't identical to the one before it:
select * from `contacts` where `Name`='$name' and `Phone`='$phone' and `Message`='$message' and `Subject`='$subject' and `Email`='$email'
But that checks against all records. While not likely, this could cause problems if the same customer came back a month later and put in the same exact contact. Any way I can check it only against the very last record in the database? Something like: and `id`=XX , where XX is one less than the current auto inc id?

How can you protect mysql injection? (from inserting different statements into the input field) Thanks
<?php
include ("database.php");
// show comments
$result = mysql_query("SELECT * FROM gamecomments");
while($row = mysql_fetch_array($result)) {
    echo $row['username'] . ": <Br> " . $row['comment'];
    echo "<p>";
}
ini_set ("display_errors", "1");
error_reporting(E_ALL);
if (isset($_POST['submit'])) {
    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    {
        echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
    }
}

I haven't had a problem with sql injection yet, but I'm scared to death. I didn't do any form data validation as I was building my site. I'm just now starting to learn how. Magic_quotes is turned on at my host. I know about htmlspecialchars and mysql_real_escape_string and stripslashes and htmlentities. In testing each of these, it seems they all miss one thing or another.
So, I created an array of words and characters that I can't for the life of me imagine anyone would ever need on any form in my site, that I THINK addresses most if not all of the really bad things. But hey... I'm new to this. So here is my array and using print_r() it looks pretty good.
Code: [Select]
$badstuff = array('select','delete','update','insert','drop','=',';','"','\'','<','>','/');
Code: [Select]
Array
(
    [0] => select
    [1] => delete
    [2] => update
    [3] => insert
    [4] => drop
    [5] => select
    [6] => delete
    [7] => update
    [8] => insert
    [9] => drop
    [10] => =
    [11] => ;
    [12] => "
    [13] => '
    [14] => <
    [15] => >
    [16] => /
)
My str_ireplace() function works fine within the code, but I'd like to create a function using str_ireplace(). I am failing miserably. Here is my function that doesn't work...
Code: [Select]
function strip($string){
    return str_ireplace($badstuff,"",$string);
}
Here below..... the first line, that uses the function, does NOT work. The second line, that just uses the str_ireplace() function, works fine.
Code: [Select]
echo strip($string).'<br>';
echo str_ireplace($badstuff,"",$string);
Can anyone tell me why my function does not work? I've read and watched 20 tutorials and just can't see the problem. Thanks for any input.

I have never looked into sanitizing before. Is using htmlentities() good enough to protect against sql injection? Thanks.

Hey, wondering if this would work. It is based on the idea that everyone who is a real visitor will be using a browser, is that correct? Do robots use browsers too? If so, it won't work! haha.
<?php
$browser = mb_substr($_SERVER['HTTP_USER_AGENT'], 0, 31);
if (!empty($browser)){
    echo '<form action="send.php" method="post">';
}
?>
Just thought it was nice and simple, and couldn't see anywhere if it would work or not...

'[$username]' is using a variable from a cookie verifying that you are logged in. This code works except I need to put real escape strings and protection from mysql injection and don't really know where to put them.
Code: [Select]
if (isset($_POST['submit'])) {
    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    {
        echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
    }
}

I have a comment section that is secure against everything except spam.. Is there any way to do like a 10 second minimum wait time between posts?

Hi guys, I've got a simple script that I'm running from a folder above the root (as a cron job). I've tried the script in the httpdocs folder and it works fine.
Code: [Select]
mail('', 'Before include', '', 'From:<>');
// include the myriad class
include($_SERVER['DOCUMENT_ROOT'].'/path/to/class');
mail('', 'After include', '', 'From:<>');
// initiate an instance of our class
$obj = new class_name;
$email = $obj->email;
$file = $obj->file_name;
mail('', 'End of file', $email.' & '.$file, 'From:<>');
If I run this file in httpdocs, it's fine and I get all emails. If I run this from 1 folder above the root (from a cron job), I get the first 2 emails but not the last one, suggesting that the include hasn't worked. Could this be a permissions problem? I have tried running the cron job as both root and apache and changed the owner/group of the script to match. Is there a reason why includes won't work above the root?

If I am deep inside of nested folders, how do I get back to the Web Root (as far as directory notation goes)??
Debbie

Having problems pointing to where files are. Is this the root?:
Code: [Select]
include "../connectdb.php";
That file is located in the root. If I am already in the root when I include that statement, the file isn't found. If I use the above code while I am in the subdirectory hello (root/hello), it works. I use this in every page, so I think I need a way to point to the absolute root, not relative.
Hi, I have a dynamic variable like this:
/def/g/qaz/pol/cxz/cba/abc
I only wish to keep this:
/def/g/qaz/pol/cxz
How would I do this? Thanks,
- mme

Hi All, I googled this and there are endless results. I went through a lot of them but couldn't get this working properly. How do I link from within my web site root to files outside the root? It works for me using relative links i.e. ../../phpfiles/includes but that is going to get messy and I can't get a way of doing absolute links to work. If someone could lay that out so a newbie can get it clearly I would really appreciate it! Also - I understand why I should put all of my php files outside the web root but is this a guaranteed way to secure these files other than someone hacking my ftp access? I've looked at a few site hierarchy examples - Am I right that the only pages within the web site root should be template pages with calls to required files (outside the root), session checks, and content includes, and all other includes that have php executable code should be outside the root? I really appreciate the advice and insight. Thank you!

Hi, I want to get the root path and use it on links even if I'm in a sub to sub folder etc... suppose my site name is and having two subfolder. so url will become here I want to put a link to go to a root directory file. There are different ways to do that. e.g:
Code: [Select]
<a href='../../filename.php'>go to that page</a>
but I want to use some constant that always shows the root directory, as I defined here
Code: [Select]
define("SERVER_NAME" , $_SERVER['HTTP_HOST']);
//and used it like this
<a href='<?php echo SERVER_NAME; ?>/filename.php'>go to that page</a>
It works when we're in the root directory, but when we go to a sub directory it adds the sub directory name with it, which I don't want. Is there any way? Thanks
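
Several posts above ask where escaping belongs in the gamecomments insert, whether stripping words and characters is needed, and how to enforce a minimum wait between comments. The following is an added example, not code from any poster: it assumes PDO is available and uses an in-memory SQLite database in place of the posters' MySQL one, and the `created` column and all function names are hypothetical.

```php
<?php
// Added example, not code from any of the posts on this page.
// Assumptions: PDO with the SQLite driver stands in for the MySQL database;
// the created column and the function names are hypothetical.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE gamecomments (id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL, comment TEXT NOT NULL, created INTEGER NOT NULL)');
    return $db;
}

// Returns true if the comment was stored, false if it came too soon after the last one.
function add_comment(PDO $db, string $username, string $comment, int $now, int $minWait = 10): bool {
    // Rate limit: look only at this user's most recent row.
    $last = $db->prepare(
        'SELECT created FROM gamecomments WHERE username = ? ORDER BY id DESC LIMIT 1');
    $last->execute([$username]);
    $prev = $last->fetchColumn();
    if ($prev !== false && $now - (int)$prev < $minWait) {
        return false;
    }
    // Placeholders keep the values out of the SQL text, so no word list or escaping is needed.
    $ins = $db->prepare(
        'INSERT INTO gamecomments (username, comment, created) VALUES (?, ?, ?)');
    $ins->execute([$username, $comment, $now]);
    return true;
}

// Encode on output, not on input: the database keeps the text exactly as typed.
function render_comments(PDO $db): string {
    $html = '';
    foreach ($db->query('SELECT username, comment FROM gamecomments ORDER BY id') as $row) {
        $html .= htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . ': <br> '
               . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8') . "<p>\n";
    }
    return $html;
}

// Constructed sample input: ordinary text containing quotes, '=', ';', '<' and the word "select".
$db = open_db();
var_dump(add_comment($db, 'alice', "Don't select <b>that</b>; it's = broken", 1000));
var_dump(add_comment($db, 'alice', 'second post', 1005));
var_dump(add_comment($db, 'alice', 'third post', 1011));
echo render_comments($db);
```

In a real page the username would come from the server-side session rather than a cookie value, and `$now` would be `time()`.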