PHP - How Secure Is My Anti-directory Transversal Code?

$username = $loggedInUser->username; // This is the logged in username
$time = time();
$makedir = $username.'_'.$time;

$var = getcwd();
$var = str_replace('\users', '\imageuploads', $var);
$dirlocation = $var."\\".test_directory($username, $mysqli);   function test_directory ($username, $mysqli) {
     $stmt = $mysqli->prepare("SELECT Temp_Directory FROM uc_users WHERE user_name LIKE ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($Tempdir);
    while ($stmt->fetch()){
    return $Tempdir;
        }
    } if((!empty(test_directory($username, $mysqli))) && is_dir($dirlocation)){
//echo "this is it";
$thedirectory = $dirlocation;
}

if(empty(test_directory($username, $mysqli))){
//echo "it's not a directory";
$newdir = $var."\\".$makedir;
$query = mysqli_query($mysqli, "UPDATE uc_users SET Temp_Directory='$makedir' WHERE user_name='$username'");
if(!$query){
//echo mysqli_error($mysqli);
}
mkdir($newdir);
//security
chmod($newdir, 0644);
$thedirectory = $newdir;
}

if(!is_dir($dirlocation) && (!empty(test_directory($username, $mysqli)))){
//echo "third one";
mkdir($dirlocation);
chmod($dirlocation, 0644);
$thedirectory = $dirlocation;
}         Ok, so what I'm doing here is testing to see whether a a record exists of the user having a folder in the MySQL database. Then, if it does, make sure that a folder exists at that location. If there is no folder, we create one for the user. If there is already a folder, we leave it alone.   This is for image uploads, and $thedirectory, is where we upload images later on in the script.   Hope that makes sense.   The code seems to work. But how can I improve it and make it more robust? Or should I just leave it alone? Should I return FALSE from the function for better reliability over empty()?  

i am using a Anti MySQL Injection my friend made for me

config.php
//Anti MySQL Injection
function anti_injection($sql) {
   // removes words that contain sql syntax
   $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql);
   $sql = trim($sql); // strip whitespace
   $sql = strip_tags($sql); // strip HTML and PHP tags
   $sql = addslashes($sql); // quote string with slashes
   return $sql;
}

<?php 
include "./config.php";
$title = $_POST[title];
$type = $_POST[type];
$episode = $_POST[episode];
$year = $_POST[year];
$genre = $_POST[genre];
$status = $_POST[status];
$summary = $_POST[summary];
$pictures = $_POST[pictures];
$title = anti_injection($title);
$type = anti_injection($type);
$episode = anti_injection($episode);
$year = anti_injection($year);
$genre = anti_injection($genre);
$status = anti_injection($status);
$summary = anti_injection($summary);
$pictures = anti_injection($pictures); ?>
When i enter the data from the text box and click submit

it still puts the data in to the date base but it shows

]Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\studying\take 2\addin11.php on line 41

Notice: Use of undefined constant type - assumed 'type' in C:\wamp\www\studying\take 2\addin11.php on line 42

Notice: Use of undefined constant episode - assumed 'episode' in C:\wamp\www\studying\take 2\addin11.php on line 43

Notice: Use of undefined constant year - assumed 'year' in C:\wamp\www\studying\take 2\addin11.php on line 44

Notice: Use of undefined constant genre - assumed 'genre' in C:\wamp\www\studying\take 2\addin11.php on line 45

Notice: Use of undefined constant status - assumed 'status' in C:\wamp\www\studying\take 2\addin11.php on line 46

Notice: Use of undefined constant summary - assumed 'summary' in C:\wamp\www\studying\take 2\addin11.php on line 47

Notice: Use of undefined constant pictures - assumed 'pictures' in C:\wamp\www\studying\take 2\addin11.php on line 48

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30

And thanks to the Anti MySQL Injection my Primary key in my database dont work :s
can you help? thank you

Using MVC, the controller does some logic, gets data from the model, and the view presents the content.   Where should the reverse be performed?   For instance, I have an edit page which is pre-populated with values from the model, and the view changes 1000 to $1,000, 0.4 to 40%, and 2014-10-09 09:31:41 to 10/09/2014 09:31:41 AM.   Now I need to save the values, and must convert them back to their original format before doing so.  Should this functionality be performed in the controller, model, or view?   Thanks      

This topic has been moved to PHP Freelancing.

http://www.phpfreaks.com/forums/index.php?topic=355195.0

Hi guys,

I've been working on a script for a while now,
and I'm sure it doesn't look great and all, and it's probably really messed up..
But right now I've finally got it working!
There's only 1 thing I'd really like to add..
Searching through & listing of remote directories!
The directories I'm trying to list have directory listings enabled,
and I think it *should* be possible.
I just have no clue how.

Here's my current code in a beautiful mix of HTML and PHP:


<?
$border_size = "0";

function returner($what) {
$what=explode("/",$what);
$tps=count($what);
$what=$what[$tps-1];
return $what;
}

$page_url= "";
$home_url=returner(__FILE__);
if(isset($_GET['q'])) {
$qtext=$_GET['q'];
} else {
$qtext="";
}
function getdirsize($directory, $format=FALSE) {
$size = 0;
if(substr($directory,-1) == '/') {
$directory = substr($directory,0,-1);
}
if(!file_exists($directory) || !is_dir($directory) || !is_readable($directory)) {
return -1;
}
if($handle = opendir($directory)) {
while(($file = readdir($handle)) !== false) {
$path = $directory.'/'.$file;
if($file != '.' && $file != '..') {
if(is_file($path)) {
$size += filesize($path);
}
elseif(is_dir($path)) {
$handlesize = getdirsize($path);
if($handlesize >= 0) {
$size += $handlesize;
} else {
return -1;
}
}
}
}
closedir($handle);
}
if($format == TRUE) {
if($size / 1048576 > 1) {
return round($size / 1048576, 1).' MB';
}
elseif($size / 1024 > 1) {
return round($size / 1024, 1).' KB';
} else {
return round($size, 1).' bytes';
}
} else {
return $size;
}
}

if(isset($_GET['type'])){
  $type=$_GET['type'];
} else {
  $type="new";
}

$textures=0;
$models=0;
$avatars=0;
$seqs=0;
$sounds=0;

foreach (glob("textures/*.jpg") as $texture){
$textures++;
}
foreach (glob("models/*.zip") as $model){
$models++;
}
foreach (glob("avatars/*.zip") as $avatar){
$avatars++;
}
foreach (glob("seqs/*.zip") as $seq){
$seqs++;
}
foreach (glob("sounds/*.zip") as $sound){
$sounds++;
}
?>
<!DOCTYPE html>
<html>
<head>
<title>ObjectPath Search</title>
<style type="text/css">
#wrapper {
width: 850px;
margin: 30px auto 30px auto;
padding: 10px;
}

body 
{
color:#C6C6C6;
background:#1E1E1E;
/* margin:0; padding:0; */
overflow-x:hidden;
}

#tabs {
font: 85% "Trebuchet MS", sans-serif;
}

.left {
float: left;
}

.right {
float: right;
}

a:link, a:visited, a:active {
color: #3DB015;
text-decoration: none;
}

a:hover {
color: #00E0FF;
}

h2 {
color: #3DB015;
padding-bottom: 0.2em;
font-size: 110%;
}
ul#icon {margin: 0; padding: 0;}
ul#icon li {margin: 1px; position: relative; padding: 1px 0; cursor: pointer; float: left;  list-style: none;}
ul#icon span.ui-icon {float: left; margin: 0 1px;}
</style>
<link type="text/css" href="http://objects.jk-hosting.com/search/css/black-tie/jquery-ui-1.8.2.custom.css" rel="stylesheet" />
<script type="text/javascript" src="http://objects.jk-hosting.com/search/js/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://objects.jk-hosting.com/search/js/jquery-ui-1.8.2.custom.min.js"></script>
<script type="text/javascript">
function formHandler(form){
var URL = document.form.site.options[document.form.site.selectedIndex].value;
window.location.href = URL;
};

$(function(){
// Tabs
$('#tabs').tabs();
});
</script>
</head>
<body>
<div id="wrapper">
<div id="tabs"> <!-- Tabs start -->
<ul>
<li><a href="#tab-search">Search</a></li>
<li><a href="#tab-list">List Objects</a></li>
<li><a href="#tab-info">OP info</a></li>
</ul>

<div id="tab-search"><!-- Searchtab start -->
Please enter a string to search for, and choose a folder to search in. <br /><br />
<form name="Search">
<input type='hidden' value='search' name='type'>
<input value='<? print $qtext; ?>' type='text' name='q'> 
<select name='map'>
<option selected='selected' value='models'>Models</option>
<option value='avatars'>Avatars</option>
<option value='textures'>Textures</option>
<option value='seqs'>Seqs</option>
<option value='sounds'>Sounds</option></select> <input type='submit' value='Search'>
</form>
</div> <!-- Searchtab end -->

<div id="tab-list"><!-- Listtab start -->
Please pick a folder to browse. <br /><br />
<form name="form">
<select name="site" onChange="javascript:formHandler()">
<option value="#">Look in folder...</option>
<option value="<? print $page_url; ?>?type=list&map=models">Models</option>
<option value="<? print $page_url; ?>?type=list&map=avatars">Avatars</option>
<option value="<? print $page_url; ?>?type=list&map=textures">Textures</option>
<option value="<? print $page_url; ?>?type=list&map=seqs">Seqs</option>
<option value="<? print $page_url; ?>?type=list&map=sounds">Sounds</option>
</select>
</form>
</div> <!-- Listtab end -->

<div id="tab-info"><!-- Info tab start -->  
The OP currently contains: <br /><br />
<table>
<tr><td><b><? echo $models; ?></b></td> <td>Models</td></tr>
<tr><td><b><? echo $avatars; ?></b></td> <td>Avatars</td></tr>
<tr><td><b><? echo $textures; ?></b></td> <td>Textures</td></tr>
<tr><td><b><? echo $seqs; ?></b></td> <td>Seqs</td></tr>
<tr><td><b><? echo $sounds; ?></b></td> <td>Sounds</td></tr>
</table>
</div> <!-- Info tab end -->
</div> <!-- Tabs end -->
</div>

<!-- Start PHP generated content -->

<?
if($type=="search" || $type=="list") {
$M=$_GET['map'];
if($type=="search") {
$Q=$_GET['q'];
$empty="Nothing found with <b>\"" . $Q . "\"</b> in it's name.<br />\nPlease make a more general search query, or try a different folder.\n\n";
} else {
$Q="";
$empty='This folder is empty';
}
if($M=="textures") {
$ext="jpg";
} else {
$ext="zip";
}
$i=0;
print "<hr>\n";
$endfile=array();
$endsize=array();
$endsize2=array();
    foreach (glob($M."/*".$Q."*.".$ext) as $filename) {
$filename = explode(".", $filename);
$filename=$filename[0];
$filename = explode("/", $filename);
$filename=$filename[1];
$i++;
$endfile[$i]=$filename;
if($ext=="jpg") {
$endfile[$i]="<a name='".$endfile[$i]."' href='".$pageurl."?type=view&name=".$endfile[$i]."&folder=".$M."&from=".$type."&addon=".$Q."'>".$endfile[$i]."</a>";
}
$endsize[$i]=$size;
$endsize2[$i]=$size2;
}
if($i != 1) {
print "<b>".$i."</b> items were found.\n<hr>\n";
} else {
print "<b>".$i."</b> item was found.\n<hr>\n";
}
    echo("<table width='100%' border='" . $border_size . "' cellspacing='0' cellpadding='0' >\n");
if($i!=0) {
for ($t = 1; $t < $i; $t++) {
$thumbfile = $M."/".$endfile[$t].'.jpg';
if(file_exists($thumbfile)) {
$thumbnail = "<a name='".$endfile[$t]."' href='".$page_url."?type=view&name=".$endfile[$t]."&folder=".$M."&from=".$type."&addon=".$Q."'><ul id='icon'><li class='ui-state-default ui-corner-all' title='".$endfile[$t]."'><span class='ui-icon ui-icon-image'></span></li></ul></a>";
} else {
$thumbnail = "";
}
if($t=="1") {
echo("<tr><td width='10%'>Number</td><td width='3%'><ul id='icon'><li class='ui-state-default ui-corner-all' title='".$endfile[$t]."'><span class='ui-icon ui-icon-image'></span></li></ul></td><td width='60%'>Name</td></tr>\n");
}
echo("<tr><td>" . $t . "</td><td>".$thumbnail."</td><td>" . $endfile[$t] . "</td></tr>\n");
flush();
}
$thumbfile = $M."/".$endfile[$t].'.jpg';
if(file_exists($thumbfile)) {
$thumbnail = "<a name='".$endfile[$t]."' href='".$page_url."?type=view&name=".$endfile[$t]."&folder=".$M."&from=".$type."&addon=".$Q."'><ul id='icon'><li class='ui-state-default ui-corner-all' title='".$endfile[$t]."'><span class='ui-icon ui-icon-image'></span></li></ul></a>";
} else {
$thumbnail = "";
}
echo("<tr><td>" . $t . "</td><td>".$thumbnail."</td><td>" . $endfile[$t] . "</td></tr>\n");
}
print "</table>\n";     
if($i=="0") {
print $empty;
}
} elseif($type=="view") {
$filename=$_GET['name'];
$folder=$_GET['folder'];
  
if($_GET['from']=="list"){
$addon="?type=list&map=".$folder."#".$filename;
}

if($_GET['from']=="search"){
$addon="?type=search&q=".$filename."&map=".$folder."#".$filename;
}
print"<center><a href='".$home_url."'>Home</a></center>";
print "<hr>\n<center><img src='".$folder."/".$filename.".jpg'></img></center>\n<hr>\n<br />\n<a href='".$page_url."".$addon."'>Previous Page</a>\n";
}
$htmlshow="";
if($_GET['type']=="returnOPfile") {
if(isset($_GET['split'])) {
$splitter=$_GET['split'];
} else {
$splitter=" | ";
}
if(isset($_GET['html'])) {
$htmlshow="<br />";
}
foreach (glob("textures/*.jpg") as $texture){
if(isset($_GET['size'])) {
$size=$splitter.filesize($texture);
}
    $texture = explode("/", $texture);
$texture=$texture[1];
print "textures".$splitter.$texture.$size."\n".$htmlshow;
}
  
foreach (glob("models/*.zip") as $model){
if(isset($_GET['size'])) {
$size=$splitter.filesize($model);
}
    $model = explode("/", $model);
$model=$model[1];
print "models".$splitter.$model.$size."\n".$htmlshow;
}
  
foreach (glob("avatars/*.zip") as $avatar){
if(isset($_GET['size'])) {
$size=$splitter.filesize($avatar);
}
    $avatar = explode("/", $avatar);
$avatar=$avatar[1];
print "avatars".$splitter.$avatar.$size."\n".$htmlshow;
}
  
foreach (glob("seqs/*.zip") as $seq){
if(isset($_GET['size'])) {
$size=$splitter.filesize($seq);
}
    $seq = explode("/", $seq);
$seq=$seq[1];
print "seqs".$splitter.$seq.$size."\n".$htmlshow;
}
    foreach (glob("sounds/*.zip") as $sound){
if(isset($_GET['size'])) {
$size=$splitter.filesize($sound);
}
      $sound = explode("/", $sound);
$sound=$sound[1];
print "sounds".$splitter.$sound.$size."\n".$htmlshow;
}
}
?>

<!-- End PHP generated content -->

</body>
</html>


So right now my question to you PHP freaks is,
can you please help me edit my script so I can search through a remote directory?

*This* is one of the directories I wish to be able to search through & list..

Thanks in advance. 

Edit;
It might help if you know what the site currently looks like.
*Click*

Below is my contact from - and I have set anti spam question as I don't like captcha. How to I code the post/human bit so it is case insensitive?
I am a designer so I don't know what I am doing ☹️.

 

<div class="one-half-column-right" id="contactform">
 <form method="post" action="index.php#contactform">
<label>Name*</label>
<div class="clear"></div>
<input name="name" placeholder="Type Here">
 <label>Email*</label>
 <div class="clear"></div>
      <input name="email" type="email" placeholder="Type Here">
<label>Message</label>
<textarea name="message" placeholder="Type Here"></textarea>
 <label>*If today is Tuesday, what is tomorrow? <br> [lowercase answer please]<br> (Anti-spam)</label>
<input name="human" placeholder="Type Here">
<input id="submit" name="submit" type="submit" value="Submit">
</form>
 <?php
    $name = $_POST['name'];
    $email = $_POST['email'];
    $message = $_POST['message'];
    $from = 'From: Website Form'; 
    $to = ‘name@name.com’; 
    $subject = 'website form enquiry';
    $human = $_POST['human'];


$headers .= 'From: '.$from."\r\n".
    'Reply-To: '.$from."\r\n" .
    'X-Mailer: PHP/' . phpversion();
    $body = "From: $name\n E-Mail: $email\n Message:\n $message";
                
    if ($_POST['submit'] && $human == ‘wednesday’) {    
        if (mail ($to, $subject, $body, $from)) { 
        echo '<p style="font-family: Montserrat, Helvetica, Arial, sans-serif; font-weight: 600; text-align:center; font-size: 16px; color: #000; text-transform: uppercase; background-color: #FFD700"> 

     
      Request has been sent. We will get back to within 48 hours!<br></p>';

    } else { 
        echo '<p style="font-family: Montserrat, Helvetica, Arial, sans-serif; font-weight: 600; text-align:center; font-size: 16px; color: #000; text-transform: uppercase; background-color: #FFD700"> 

       Something went wrong, go back and try again!</p>'; 
    } 
    } else if ($_POST['submit'] && $human != '') {
    echo '<p style="font-family: Montserrat, Helvetica, Arial, sans-serif; font-weight: 600; text-align:center; font-size: 16px; color: #000; text-transform: uppercase; background-color: #FFD700"> 
    You answered the anti-spam question incorrectly!</p>';
    }
?>
    <!--// form //-->

    

Hello guys, i have a problem that i am trying to solve myself for the entire past week. I am not a php programmer and i wish you can help me.
There is a russian project called Crot Anti-Plagiarism, it is a open source moodle plugin. I started to use it and it is a really nice feature. The problem is that there are quite few people that are developing it and new features are coming once a year...
I see a big "hole" in this project (at least for me) : The plugin checks for plagiarism in the file that you submit only once, if a student resubmits the file it doesn't see that and you need to start the plugin's test again for all the files which is time consuming if you have a lot of submitted files to check.
I would like to add a function that will check if a file changed his modified date , if yes - mark for checking, if no - skip the checking.
I already added a similar function that checks if the name has changed, but it seems harder to check it by uploaded time(modified time).
Things i have already done:
I added a new column "assignment_submissions_timemodified" in database.
I added a new function that records the "time modified" of the file in the database.
But i can't add and i cannot make the comparison between the date of the first time the file submitted versus the date of the second time the same file was resubmitted.
Alright no more bullsh**t here is the code: (there are 3 comments that shows what i've changed, starting with  //my job...)
Thanks a lot!
Code: [Select]
$apath= $CFG->dataroot."/$assignment->course/moddata/assignment/$asubmission->assignment/$asubmission->userid";
        $timemodified= filemtime($apath);    //my job... it checks the file's modified time.
$files = scandir($apath, 1);
if (! $unprocessedsubm = get_record("crot_submissions", "submissionid", $asubmission->id, "crot_submission_file_name", $files[0], "assignment_submissions_timemodified", $timemodified))  //my job...now i guess here is the problem ( "assignment_submissions_timemodified", $timemodified)
{
        echo "$timemodified";
        echo "$unprocessedsubm";
print_r($unprocessedsubm);
echo "\nsubmission $asubmission->id was not processed yet. start processing now ... \n" ;
$atime = microtime();
$atime = explode(" ",$atime);
$atime = $atime[1] + $atime[0];
$astarttime = $atime;
if(!count($files))break;
//TODO we should verify if filename changed
//TODO add loop on the documents folder as well as loop for unzipping
$apath = $apath."/$files[0]";
// call tokenizer to get plain text and store it in crot_submissions
$atext = tokenizer ($apath);
// update the crot_submissions table
// delete if exists
delete_records("crot_submissions", "submissionid", $asubmission->id);
// insert the new record
$record->submissionid=$asubmission->id;
$record->updated = time();
$record->crot_submission_file_name = $files[0];                                   
$record->assignment_submissions_timemodified = $timemodified;        //this is my job.... it is recording the date as it has to.
$submid = insert_record("crot_submissions", $record);
// insert into documents
$docrecord->crot_submission_id = $submid;
Also i have attached the whole file crot_crone.php.

i have made an delete files script which works for only one directory but not sub directory so i want to delete files of same extention from directory and subdirectory.

My current code is

Code: [Select]

<?

$dir = 'hmm/';

function scanr($dir){

$arr = glob($dir.'/*.jpg');
foreach($arr as $vv){



//check if $vv is a file
if(is_file($vv)){

//if file, get the filename
$vx=explode('/',$vv);
$file=$vx[count($vx)-1];


// if no extension delete the file
unlink($vv);
// print the deletion message
echo $vv." deleted!<br>";}else{
// if $vv is a dir then scan it again for files
scanr($vv);
}}
}

scanr($dir);
?>

I'm trying to echo the directory and sub directory only. I am not looking to show the files contained - only folders.

I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?

<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data"> 
Upload:<br><br> 
<input type="file" name="image"><br><br>
Image Title:<br><br> 
<input type="text" name="image_title"><br><br> 
<input type="submit" name="submit" value="Upload"> 
</form>
	
	
<?php
include("upload_file.php");

function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
		 
			 
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}

$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}

if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
			 
			 
			 			 
if (!empty($_FILES["image"]["name"])) {

$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];

		
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES 
('".$target_path."','".date("Y-m-d")."','".$title."')";

mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error()); 
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
} 
}
?>

The code below allows me to insert articles into my website without having to hard-code them in the home page.

Is this code secure?  (Someone told me I should use a switch statement instead?!)

Code: [Select]
<?php
if (isset($_GET['article'])) {
$articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php';

if(file_exists($articleFile)) {
include($articleFile);
}else{
$title = 'Article Not Found';
$content = '';
}
}else{
include('default.php');
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Dynamic Content Example</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link type="text/css" rel="stylesheet" href="css/pagelayout.css">
<link type="text/css" rel="stylesheet" href="css/dropdown.css">
</head>

<body>
<div id="wrapper" class="clearfix">
<div id="inner">
<div id="header">
<!-- DROP-DOWN MENU -->
<ul id="topMenu">
<li class="current"><a href="?article=article1">Article 1</a></li>
<li><a href="?article=article2">Article 2</a></li>
<li><a href="?article=article3">Article 3</a></li>
<!-- and so on... -->
</ul><!-- End of TOPMENU -->

</div>
<div id="left">
<p>
Other content goes here : Other content goes here : Other content goes here :
</p>
</div>
<div id="middle">
<div id="content">
<h2>MAIN CONTENT</h2>
<p>
<!-- Dynamically insert Article here using PHP include!! -->
<?php echo $content; ?>
</p>
</div>
</div>
<div id="right">
<p>
Adverting goes here : Adverting goes here : Adverting goes here :
</p>
</div>
</div>
<div id="l"></div>
<div id="r"></div>
</div>
<div id="footer">
<p>footer</p>
</div>
</body>

</html>

If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it.   

Thanks,



Debbie

OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this?

I wrote an update script, how secure do you think it is?
By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in.

function update_file($url, $file)
{
        //Get URL content
$ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
            $data = curl_exec($ch);
            curl_close($ch);
            $new_content = $data;

//Replace with content from URL
file_put_contents($file, $new_content);
echo $new_content;
}

function get_url($file)
{

$domain = 'http://www.mysite.com/';
$folder = 'update/'; 
$ver = '2.0.1';
$full_url = ''.$domain.''.$folder.'/'.$ver.'/';
$fileu = array
(
"functions/update.php" => "".$full_url."functions/update.txt"
);

return $fileu[$file];
}

$files = array
(
'functions/update.php'
);

foreach($files as $file)
{
update_file(get_url($file),$file);
}

Hey guys i am making a php application and i have a feature where it allows members to upload images. If there a way to secure a folder to only be allowed access when a member is logged in and not someone accessing the folder and downloading images.

Stuped question i know would it be better to store the images in the database as BLOB? but then again could make the database big. Thanks

I have parts of my webpage protected with the following
Code: [Select]
session_start();
if(!isset($_SESSION['myusername'])){
header("Location:login.php");
} else {
$username = $_SESSION['myusername'];
}
How secure is this?

The goal is so people who don't have access to the page (don't have a login account) cannot get access

Thanks for any tips