PHP - Non Thread Safe Vs. Thread Safe

Hello everyone, it's my first post here. I was recommend this community for it's professionalism and "friendlyness". During my stay here, please excuse my english. I know it can be unpleasant for you to read a thread with terrible grammar, I hate it in my native language, I'll do my best.

Okay, so I'm having two major issues for my website to operate like I'd like it to, I've done everything I knew about, and I can't think about anything else Google didn't help me much either this time.

First one is that I seem to have a cookies/sessions problem. Well, I use Liberty Reserve to allow my members to top up their account. So I send my form to their SCI and when I either cancel or complete a transaction, I return to my website but I'm not logged in anymore! So the auto-add to balance system can't work. Alright, when I saw this I was only using sessions, so I added cookies so I could rely on them too. And there again, same thing. Doubled, tripled checked all the LR settings and everything, I know they are right. But what's really, really, weird to me and what's really doing my head in is that I'm not actually logged out, because if I use another tab/window I'm still logged in. In other words, it's only the window coming back from Liberty Reserve that won't log in. The cookies are still here and so is the session so...
Another terrible thing is that it used to work when I was on my previous host (just moved to a dedicated server, which may be causing the problems, it's the first time I administrate a dedi).
This is blocking my entire website from working.

And my second problem is with the function mail() -there again 'caused' by new server-. I don't get any error message, or anything. The e-mails with cPanel/WHM work great. Though, I have done several tests and it never reaches my Gmail, Hotmail or Yahoo account. It did work with a Yopmail inbox though. So, I was focusing on 'why isn't it sending it' but since I just noticed it worked with Yopmail, I'm sure it is sending it and have no ideas why wouldn't it work with other e-mail service providers.

I hope you understood what I meant and that, hopefully, you guys can help me out with those totally handicapping issues.

Thank you,

Regards.

-Ben.

Solution: Turns out the headers will not send unless all of the other code is behind an else userinfo.php?user=MikeH, possible addition to the sticked post?


So strictly speaking I dont have a header error because my script does not produce errors. However my script should be redirecting me to "notes.php?error=ad" but instead it just sends me back to the page I was previously at. My script is made to process a download via "tokens" and then redirect the user. That all works fine but what I am trying to do now is check if the user has already about the download and if they have redirect them to the error page letting them know. So in short the URL goes like this:

notes.php?viewn=2 -> purchase.php?user=MikeH&nid=2 (unseen page all processing) -> notes.php?error=ad

however what it is doing is:

notes.php?viewn=2 -> purchase.php?user=MikeH&nid=2 (unseen page all processing) -> notes.php?viewn=2

Here is the notes code:

<?php
}else if (isset($_GET['viewn'])){
$cid = $_GET['viewn'];
$query = "SELECT * FROM approvednotes WHERE cid =".$cid;
$res = mysql_query($query) or die (mysql_error());
$i=0;
$r=1;
?>
<h2>Programs:</h2>
<table summary="Summary Here" cellpadding="0" cellspacing="0">
<tr>
  <td><b>File Name</b></td>
  <td><b>Author</b></td>
  <td><b>Cost</b></td>
  <td><b>Buy</b></td>
</tr>
<?php
echo "<tbody>";
echo "<tr class= \"dark\">";
while ($row = mysql_fetch_array($res)){


if($i == 1){
echo "</tr>";
$r++;
if($r% 1 == 0){
echo "<tr class = \"light\">";

$i=0;
$r = 0;


}else{
echo "<tr class = \"dark\">";
$i=0;
}



}
echo "<td> ". $row['name']."</td><td>".$row['username']."</td><td>".$row['value']."&nbsp;<img src=\"images/money.png \" height=\"30px\" /></td><td><a href=\"purchase.php?user=".$session->username."&nid=".$row['id']."\"><img src=\"images/buy.png\" height=\"30px\"/></a></td>";
$i++;


}

echo "</table>";


}?>


Here is the purchase code:


<?php
include("include/session.php");

if($session->checkLogin()){


$user= $_GET['user'];

if ($user == $session->username){
$note = $_GET['nid'];

$query3 = "SELECT * FROM users_downloaded WHERE nid=$note AND username='$user'";
$res3 = mysql_query($query3) or die (mysql_error());
$pass = mysql_num_rows($res3);

if ($pass != 0){
header("Location: notess.php?error=ad");

}



$nquery = "SELECT * FROM approvednotes WHERE id= ".$note;
$nres = mysql_query($nquery) or die (mysql_error());
//Get info about the file 
while ($nrow = mysql_fetch_assoc($nres)){
$price = $nrow['value'] ;
$location = $nrow['location'];
}
//see if user even has enough credits for this

   function creditcheck($username){
   $usern= $_GET['user'];
   
   $query = "SELECT * FROM users WHERE username = '".$usern."'";

$res = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($res)){
$credits = $row['credits'];
}
return $credits;
   }

$credits = creditcheck($user);
if($credits >= $price){
//user has enough credits to purchase note.
$newamount = $credits - $price;
$person = $session->username;
$query = "UPDATE users SET credits =".$newamount." WHERE username='$person'";
$res = mysql_query($query) or die (mysql_error());

$query2 = "INSERT INTO users_downloaded (nid, username) VALUES ('$note','$person')";
$res2 = mysql_query($query2) or die (mysql_error());

header("Location: download.php?f=".$location);
exit;



}else{
//error not enough money!!
header("Location: notes.php?error=ne");

}
}

}else{
header ("Location: notes.php?error=nl");
}






?>

Hi guys, I have been using the same code for years now to include my default page and pull content into my layouts.   I found the code online and its a bit confusing so was just wondering if its still safe to use, and is it all needed nowadays? or is there a simpler way i could be doing this?   Thanks for any help

<?php

    if (isset($_GET['nav'])) 
{
    if (strpos($_GET['nav'], "/")) 
{
    $direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
    $file = substr(strrchr($_GET['nav'], "/"), 1);
    if (file_exists($direc.$file.".php")) 
{
    require($direc.$file.".php");
} else {
    require("error.php");
}
} else {
    if (file_exists(basename($_GET['nav']).".php")) 
{
    require(basename($_GET['nav']).".php");
} else {
    require("error.php");
}
}
} else {
    require("links.php");
}
?>

Hello all.

Just wanted to run this past you guys to see if I am missing anything important. I am making a script that I plan to allow a lot of other people around the web to use, so I want to make sure it's as bullet proof as possible.

I am passing two values and grabbing them with a _GET, one is a big number, and the other is only letters and 8 characters long.

her's my code so far.

Code: [Select]
<?php
    $clan = $_GET['clanid'];
    // make sure its an INT
        //if(isint($clan)){
        if(ereg("[^0-9]", $clan)){
            //im an int.
            echo ("ERROR Invalid CLANID");
            die;          
        }
    
    // make sure its a 8 letter only word.
    $style=$_GET['style'];
        
        // cut style down to 8 characters long.
        $style=substr($style, 0, 8);
        
        if(ereg("[^a-zA-Z]+", $style)) {
            // Contains only letters.
            echo("ERROR Invalid STYLE NAME");
            die;          
        }   
    
?>

to my noob php eye's it looks pretty solid, I cant think of any way a malicious user could get past it, but like I said, thought I would run it past you guys first , you can never be to careful.

I have a button that uses $_POST to send information to another page.  The data is in a hidden input so it's not possible for users to change information.  I have nothing to check if the data is correct on the other page.  Is it still possible for people to change the $_POST data though?  Or somehow send false $_POST data to the other page?

finally got some time to code   anyway i cant figure out why this doesnt work, i think its an error in my logic...

<?php
$db = new PDO('mysql:host=localhost; dbname=test;', 'root', '');
$db2 = new PDO('mysql:host=localhost; dbname=test2;', 'root', '');
foreach($db->query('SELECT * FROM database1 LIMIT 1') as $row) {
$thing1 = $row['COL 1'];
$thing2 = $row['COL 2'];
$thing3 = $row['COL 4'];
$thing4 = $row['COL 6'];
$thing5 = $row['COL 7'];
$content = "\"big text with $things\"";
addslashes($content);
$db2->exec("INSERT INTO database2(col1,col2,col3) VALUES ('$thing1','text','$content')");
}
?>

my foreach command should read all lines from database one and write one by one on database two? thx in advance

Mmm i'm not sure if i'm approaching this correctly.

Anyways, I wanted to create a multi-level thread, Where the child thread would be after the parent thread.

Something like this:

Hello World
       - Hello World
               - Hi!
               - What's up?
       - Hi Bob!
Goodbye World
       - ....This guy got issues
       - Dude! You should watch Despicable Me! "It's so fuzzy i'm going to dieee!"


Anyways, so my table looks something along the line of this:

|    post id   |    parent_id    |            title            |      body    |   date      |
      1                |       NULL        |    Hello                  | Hi, i'm K    |   date
      2                |       NULL        |    Thread One       | Body One  |   date
      3                |          1           |    Hello World | Body One  |   date
      4                |          2           |    Thread post 4   | Body One  |   date
      5                |          1           |    Thread post 5   | Body One  |   date
      6                |          1           |    Thread post 6   | Body One  |   date
      7                |          3           |    Hi What's up    | Body One  |   date


And here's the PHP code, although it's not very neat I want to clean it up and make it neater.  I can only go two level deep so far.   Any suggestion or recommendations? 

Using while & for:


// Select * Threads
$q = "SELECT * FROM test_db ORDER BY post_id ASC";
$r = @mysql_query($q);



while ($pid_row = @mysql_fetch_object($r)) {

// Array
$pid_arr[] = $pid_row->post_id; // Assign Indexes to Post ID
$ppid_arr[] = $pid_row->parent_id; // Assign Indexes to ParentID
$md_arr = array($pid_arr, $ppid_arr);  // Create multi-dimensional array matrix

$parent_id = $pid_row->parent_id;




}

for ($i = 0; $i < count($pid_arr); $i++) {

for ($a = 0; $a < count($ppid_arr); $a++) {
$pid = $pid_arr[$i]; // pid = post id
$ppid = $ppid_arr[$i]; // ppid = parent id

//echo "<div>~~ PID $pid ~~ PPID $ppid ~~</div>";

if ($ppid === NULL) {
$ppid_is_null = " & parent_id is NULL";
} else {
$ppid_is_null = NULL;
}

// Select Top level Thread
$z = "SELECT * FROM test_db WHERE post_id = '$pid'";
$y = @mysql_query($z);

while ($t_row = @mysql_fetch_object($y)) 
{

$title = $t_row->title;  // title of child thread
$level = $t_row->level;  // level of child thread...is this useful?
}




// Display top level thread lvl 1
if ($ppid === NULL) {  // If the parent_id is NULL, display top level thread
echo '<div>PID: ' . $pid . ' || PPID: ' . $ppid . " || Title: " . $title . "</div><br>\n";

$post = $pid; // PostID = 1
$parent = $ppid; // Parent ID ex: [1]

// Get child id, where parent id = [1]
// trying to get the child thread here...but it's not working
$child_q = "SELECT * FROM test_db WHERE parent_id = '$post'";
$child_r = @mysql_query($child_q);

while($c_row = @mysql_fetch_object($child_r)) {
$c_arr[] = $c_row->post_id;
$c_ppid_arr[] = $c_row->parent_id;
}
for ($n = 0; $n < count($c_arr); $n++) {
if ($c_ppid_arr[$n] === $post) {
echo "<div>$c_arr[$n]</div>";



}

}
break;

//echo "<div>PID: $pid</div>";




} 




break;
}

}



Using While:

<?php 
require_once('db_connection');
echo '<hr><hr><br>';

// I just realized that selecting * where parent id is null might limit the amount of rows retrieved.

// Query to select threads
$n = NULL;
$q = "SELECT * FROM test_db WHERE (test_db.parent_id is NULL) Order By date ASC";
$r = @mysql_query($q);

while ($threads = @mysql_fetch_object($r)){
$pid = $threads->post_id;
$sid = $threads->subject_id;
$parent_id = $threads->parent_id;
$title = $threads->title;
$body = $threads->body;



echo '<div>PostID: ' . $pid . ' || Parent: ' . $parent_id . ' || SubjectID: ' . $sid . ' || Title: ' . $title . ' || Body: ' . $body . '</div>';

$q2 = "SELECT * FROM test_db WHERE parent_id = '$pid' Order by date DESC";
$r2 = @mysql_query($q2);

while ($level2 = @mysql_fetch_object($r2)) {
$level2_pid = $level2->post_id;
$level = 1.5 *($level2->level); // lvl 2: 3em


echo '<div style="text-indent:' . $level . 'em">' . 'PostID: ' . $level2->post_id . ' || ParentID: ' . $level2->parent_id . '</div>';


$q3 = "SELECT * FROM test_db WHERE parent_id = '$level2_pid'";
$r3 = @mysql_query($r3);
while ($level3 = @mysql_fetch_object($r3)) {

$level3 = 1.5 + $level;

echo '<div style="text-indent:' . $level3 . 'em">' . 'PostID: ' . $level3->post_id . ' || ParentID: ' . $level3->parent_id . '</div>';

}






}


}


?>


I'm not a comp. sci major or anything, so I'm learning this as I go.  Any help would be greatly appreciated.   It seems like the while & for is more practical, but i'm not quiet sure.  What am I doing wrong?

- K

I just joined this forum today ^_^  Hope to be good friends with you guys and gals

Hi,     Recently I've been trying writing a safe password hash and I wanted to know that if I use an MD5 hash at the end, just so it will be like some short of "packed",so instead of saving a 128 string, I'll use md5 to "pack" it into 32 characters and save up to 96 characters.   I know MD5 isn't safe and all, but the question is, does it lower the security ?   Also, would be happy for feedbacks about my password hash

function hash_($input,$key) {

     $op=hash("whirlpool",hash("sha512",$key) . "$" . $input . "$" . hash("sha512",$key));

Hi guys, I've been around here for a few years, but for some reason my other account doesn't seem to 'exist' anymore which was real annoying. I also noticed the captcha here was kind of buggy has anyone else been getting that? I'd enter it in case sensative 9-10 times before it would finally work.   Anyways, I've been looking through a lot of research in upgrading my server from Mysql to Mysqli funtions. What I am curious about though is other peoples opinions and thoughts on how to make user input safer. For the time being I've just been using mysql_real_escape_string and htmlspecialchars. I've done quite a bit of research on this and there really isn't much for any guides on how to keep your data clean and safe. I've seen a lot of posts that anymore these two functions are not enough to secure your data. So I'm curious what people in this community are doing (annonomysly) to keep your user input safe. I'm also looking into prepared statements as well with Mysqli. Anyways any responses are much appreciated, would love to chat with you guys about this!   Does anyone know if there was some deal with why I can't access my origional account? I entered in all of the only 5 email addresses I use. It said it sent an email to the one, but it never appeared in junk/inbox.

Hello,   I've noticed that there are services that I can pay to have my code checked for possibly unsafe / insecure code. But I'd rather audit the code myself, as my code is not meant to make money. Is there a list of safe ways to use PHP?   Also is there any automatic way to do this that is free? For instance is there a code checker?   I've noticed there are a number of ways to do PHP wrongly that can be easy to overlook. Is there a list of common PHP pitfalls?   Thanks.

Hi,

I am using parameterized queries on my code, here's the relevant part

Code: [Select]
$params=$_POST['ITGtable'];

$tsql2 = "SELECT COLUMN_NAME, DATA_TYPE, ORDINAL_POSITION,
  COLUMN_DEFAULT, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE
  FROM INFORMATION_SCHEMA.COLUMNS
  WHERE TABLE_NAME=?";

/* Execute the statement with the specified parameter value.
Display the returned data if no errors occur. */
$stmt2 = sqlsrv_query( $conn, $tsql2, $params);
if( $stmt2 === false )
{
     echo "Statement 2 could not be executed.\n";
     die( print_r(sqlsrv_errors(), true));
}
else
{
     $qty = sqlsrv_fetch_array( $stmt2);
}
Do I really have to sanitize $_POST['ITGtable'] for apostrophe, semicolon, etc, to avoid SQL injection problems? Or just with above code I should be safer (I did not say safe) against SQL injection? And if the answer is "No", what could be the sanitize code of function? I am using sqlsrv and MS-SQL database engine; most of the functions we have for sanitize inputs on MySQL are not available for MS-SQL.

Thanks in advance,

Hey guys!
I have a doubt and this is a question that relates Flash and PHP...

I have a flash (swf) file that grabs/sends variables from/to php.
That swf file is FULLY encrypted and the paths to the PHP urls are also encrypted.

Is there any other way a hacker could find out where and which my PHP files are located/named?

Any ideas, suggestions?
Thanks in advance!
Cheers,

I am using seo friendly urls so when someone makes a post named "this is a post" the url will point to www.example.com/topic/this_is_a_post

But when the user enters a character in their post name that means something in a url(? /) it obviously breaks. How can i make the urls safe from this without str_replace as i want to keep the characters.

I am building an XML string to send to another server.

The manual I am going off of says,

Quote

NOTE:
    * XML has a special set of characters that cannot be used in normal XML strings. These characters a
      Special Character    Equivalent
      &    &amp;
      <    &lt;
      >    &gt;
      "    &quot;
      '    &#39;


It goes on to say...
Quote

# To avoid problems with special characters, URLEncode special characters (example: ~ ! @ # % ^ &) before sending to the IS Gateway
# If you are using POST method, UTF-8 encoding must be used.



I am unsure of what to do based on the information above?!

It looks like I might want to use urlencode??

Also, maybe I need either htmlentities (or possibly htmlspecialchars)??

Please enlighten me (and help protect my data)!! 

Thanks,



Debbie

I am trying to implement what I call private uploads. Basically, users can check a box to indicate they want their file "private"

If so, the upload location is then (exampled as): _domain_/private-folder/$randomfolder

Upon uploading their file, the random folder is created, their file moved to the directory, the upload information stored to the database, .htaccess file is created like so:


info to add to new .htaccess:
Code: [Select]
<files "*.*">
Deny from All
</files>

<files "*.*">
Allow from
$domains
</files>

the string $domains is the domains they enter each seperated by a new line in a form textarea.

The problem - how can I make sure this is safe. i.e. I want the string to be obviously proofed with php so that no matter what they input, only domains will be outputted.

I don't need code written for me (maybe), I'm just unsure of the necessary methods I should use.