PHP - Cross-site Scripting Attack Help

Hello All,

I am in desperate help here since my site was DDoS attacked by some one in turkey (Ips originate mostly from turkey, Germany, and some other Europe countries). I have installed the ddos deflation and most of the IPs are now blocked.


I have a php file in my server that I use to input data into my database and my streaming servers. This file is called connect.php and the hacker is basically created an automated script that repeatedly call the connect.php file from a botnet resulting in both apache and mysql dead. I use connect.php in the following way

http.open('get', "ajax/createchannel_1.php?channel=" + channelname + "&sitename=" + sitename + "&privateurl=" + privateurl + "&privateurlcheck=" + privateurlcheck);

How can i change the connect.php so that it only accept execution from my server/
Please your help is greatly appreciated.

Ok this is kind of a logical help which I need. I am writing a quiz script and I need to send and receive data from database on a timeout basis and I also want that when time finishes (of quiz) user must be moved to some other page. I basically need timeout based function if there are any and real time retrieval and storage of data. Thanks a lot

Hi,

I'm working on a design for a new website of mine, but I'm kind of stuck on how to fit in the php aspect of it. There's going to be a lot of different pages and different things you're able to do on each page. I guess I'm trying to figure out how to take my design for the website and break it up into a template system. I don't know anything about using templates though. The last time I tried to make a template I just winged it and it turned out really bad with a lot of confusing code slapped together with html all around it. Right now all I have is a single page made (front page) and I want to use this as my base template.

Could anyone explain to me the proper way to go about this, or perhaps link me to a tutorial covering this.

Thanks,

http://www.lastcraft.com/browser_documentation.php
can someone post back an example of where this is working?
<?php
    require_once('simpletest/browser.php');
   
    $browser = &new SimpleBrowser();
    $browser->get('http://php.net/');
    $browser->click('reporting bugs');
    $browser->click('statistics');
    $page = $browser->click('PHP 5 bugs only');
    preg_match('/status=Open.*?by=Any.*?(\d+)<\/a>/', $page, $matches);
    print $matches[1];
?>

I am trying to generate data similar to a running balance for a checkbook.

My approach (correct me if there is a better method) is to get the balance from the previous record ID and then add/subtract the new value and create a new total balance.

However, I am not havig succes with MAX(id) or last_insert_id  -- is one preferable over the other??

 if($result = mysqli_query($link, $sql)){
    if(mysqli_num_rows($result) > 0){
 $sql = "SELECT MAX(id) FROM persons";
 echo "<br /<br />"; echo $sql;

Please assist.

This topic has been moved to JavaScript Help.

http://www.phpfreaks.com/forums/index.php?topic=342389.0

This is my first attemp at a log in system for a website.  Everything seems to work fine until the "successful" IF function near the end.  All I get it an output of "?>" instead of a redirect to the file "login_success.php".  Any help would be GREATLY appreciated!!  Tom


<?php

// Connect to server and select databse.
mysql_connect("localhost", "scripts3_public", "sfj123!")or die("cannot connect");
mysql_select_db("scripts3_sfj")or die("cannot select DB");

// username and password sent from form
$fusername=$_POST['fusername'];
$fpassword=$_POST['fpassword'];

// To protect MySQL injection (more detail about MySQL injection)
$fusername = stripslashes($fusername);
$fpassword = stripslashes($fpassword);
$fusername = mysql_real_escape_string($fusername);
$fpassword = mysql_real_escape_string($fpassword);

$sql="SELECT * FROM `users` WHERE `User name` = '$fusername' AND `Password` = '$fpassword'";
$result=mysql_query($sql);

if(!mysql_num_rows($result))
{echo "No results returned.";}

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $fusername and $fpassword, table row must be 1 row

if($count==1){

// Register $fusername, $fpassword and redirect to file "login_success.php"
session_register("fusername");
session_register("fpassword");
header("location:login_success.php");
}

else {
echo "Wrong Username or Password";
}

?>

Hello,   I designed (not coded) a finance application for windows phone 8.1 and one of the features that would be ideal is to copy your login steps in order to access your bank account automatically. Yes this does not sound safe or sane. How do I convince app users to use it?    Anyway, I want this access. My rationale is that, the login information would be stored locally and if my phone was hacked then what's the loss in my login steps being hacked... they would probably be encrypted anyway but...    The goal is to be able to open up a clone browser (eg. within the app) and then every step that you take, enter url, login credentials, security questions, pages accessed... the clone browser remembers and then later on as part of the app's function, it would automatically update your balances. I mean I suppose you could come up with the formulas, cash advance fees, interest rates, etc... but at the same time this doesn't seem to be a fixed thing... eg. hard to keep track and get the exact cent amount... or maybe I'm just bad at math   Some things in mind bitmapping, key strokes, string search, number search...    Anyway scripting came to mind, not sure if php or python but    Any thoughts? 

I have a web portal which is scripted using client side scripting language i.e HTML. I want to create a login page in .php and want the other pages to be in .hmtl.
Can i do so?
I want to do this because i want the login password to be stored in a database. Also I want the password to get encrypted (by either MD5 javascript or OpenSSL ) when user enters it inside the login form.

I cannot create the entire portal in php because my portal makes use of C code. And php doesn't have an interface with C language.

Can a user get directed to a .html page after a secure login from login.php page ?
My main aim is to secure the access to my web portal using a password.

I tried to authenticate the login using javascript where the password was stored in an array. But i feel any one having moderate knowledge can easily break that password.

Any help would be greatly appreciated!!

I have several "sites" located in my html directory, and each has a "general" access point and an "administrator" access point:

/var/www/html/site1/index.php
/var/www/html/site1/administrator/index.php
/var/www/html/site2/index.php
/var/www/html/site2/administrator/index.php
/var/www/html/site3/index.php
/var/www/html/site3/administrator/index.php

All sites are similar except that data will be specific to site1, site2, or site3, etc.   Users who log onto /var/www/html/siteX/index.php are totally unrelated to those who logon to /var/www/html/siteX/administrator/index.php, will have different logon credentials, are stored in different DB tables, and each should have their own session.  If a user logs off of either the general or administrator site, it should not effect the other site even if they were previously logged on to both on the same PC (and of course not effect other sites). When a user logs off, I would like to destroy their previous cookie and associated session.  Users for either will only use https.  I am using Apache to rewrite https://www.mysite.com/ to https://mysite.com/.  While I named the administrator site "administrator" above, the administrator user has the ability to change the directory name.   I am thinking I need to use session_set_cookie_params to specify where I wish the session cookie to be stored since /var/www/html/siteX/administrator/index.php is a sub-directory to /var/www/html/siteX/index.php, but am not really sure.  Sorry for the cryptic post, but I am not very well versed in this subject. How would you recommend setting up cookies/sessions for this scenario?  Thank you

Hi,

My first post here is a cry for help

I have a Windows 2003 server running IIS6/PHP5, the server hosts multiple web sites.

The problem is include files that are for site A are showing on site B (each site having its own includes as part of the site files in its own site folder), though not every time, its very random, sometimes the correct includes show, sometimes ones from another site on the same server. This only occurs where the include files for both sites have the same name, such as 'inc-header.php' for example.

I can only assume PHP is caching includes and because they have the same name is showing the wrong one on other sites sometimes, if I rename them to something unique then the problem goes away, but its not a practical solution to rename all include files to unique names so I find myself looking for a 'real' fix.

I have a feeling its to do with the include_path in the php.ini, but right now its disabled with a semi-colon, and I don't want to set one as I have no global includes, all includes are site specific.

Any help would be very much appreciated!

Phil

now i use this code to show where the visitors came from to my site.

<?php
$referer=$_SERVER['HTTP_REFERER'];
echo $referer;
?>

now, i want to show the  5 latest vistors referer's site url on my site ?

Not sure if I'm trying to achieve something totally crazy here, or if this is something pretty standard. Didn't have much luck with searching as I'm not fully down with all the terms.

(A) I have one site providing an RSS feed.
(B) I have one site I want to search, once for each of the items in the feed A.
(C) I want the results of the search in (B) to be displayed on page (C).

So for example, the feed on (A) says;

apples
bananas
oranges
cheese

I want site (B) to search for each of those terms (by passing the item in the feed (A) to the ?search= part of the URL of that page) and then show the results from THAT search on page C. Bit of a complex one, let me know if you need me to clarify. Thanks for any help! 

Transferring data from sub-domain.site.com
Reading sub-domain.site.com

What is this all about?
I'm going to put all .. images into a separate sub-domain eg: images.site.com.
This would create a folder inside my public_HTML called "images"

Now when sites have that Transferring data, and Reading... is this .. something relating to what I want. Facebook also does it, and they get their images for the site from a sub domain, how is it all done?

I'm not sure if its entirely PHP, but I hope someone can help.

Thanks