PHP - Making A Code Mre Secure

Hi Little Help Needed
I have created a new website
In the index.php file i want to show records from database

Now, here is how the problem arise
I want to import codes from github intead of hosting those files on my server because i want to keep it opensource

Below is the code I am using
<?php
// connect to the database
include('connect-db.php');

// get results from database
$sql = "SELECT id, upadhi, name FROM munishri";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - Name: " . $row["upadhi"]. " " . $row["name"]. "<br>";
}
} else {
echo "0 results";
}

// close connection
$conn->close();
?>

Can i host the code to show result in another file and use something like
<?php
// connect to the database
include('connect-db.php');

// get results from database
include('http://rawgit.com/th...database.php');
?>

I have such lines of code:

$link["beF1LP"]="https://www.site.com";
$link["beN1LP"]="https://www.site.com";

I know I can simplify it like this:

$link["beF1LP"]=$link["beN1LP"]="https://www.site.com";

But I wanted something like this:

$link["be(F|N)1LP"]="https://www.site.com";

Which did not work.

How do I get it working for the string inside the brackets and under the quotes while using OR and/or other operators?

 

Thank you

Hi all, i have no idea where to start with this.. I do however have some code i am assured will pull the data.. What i need to know is can and will you help me.. I understand if not.. Just rather ask before i jump in.

Jamie

$info[130] is the random code, but how do i go about making sure the code is not used on any other row.... (even thou it would be unlikely even with this code, it is still possible)

Code: [Select]
<?php
# IF THE USER DOES NOT HAVE A UNIQUE CODE, CREATE ONE
if ($info[130] == "0") {
function randomPassword() {
  $salt = "abchefghjkmnpqrstuvwxyz0123456789";
  srand((double)microtime()*1000000);
  $i = 0;
  while ($i <= 14) {
$num = rand() % 33;
$tmp = substr($salt, $num, 1);
$pass = $pass . $tmp;
$i++;
  }
  return $pass;
}
$info[130] = randomPassword();
}
?>

This question includes MySQL, but I have a feeling the answer will involve PHP so putting it here for now. If it should be moved, feel free

Say I have a for loop that iterates through a certain amount of times and updates a value in my database EACH ITERATION thru the loop. In other words, we're connecting to the database multiple times.  Seems very inefficient, so I'd like to see if there is a better way.

Here is a basic example of the "bad" way (FYI, this code is basically reordering items after one of them moves down in the list)...

Code: [Select]
for ($a=$oldvalue+1; $a<=$othervalue; $a++) {
$sql = "UPDATE tablewithids SET
id=id - 1
WHERE id=$a";
$result = mysql_query($sql, $connection);
if (!$result) {
die("Database query failed: " . mysql_error());
} else {

}
So if $othervalue happened to be 80, then it would be 80 separate connections to the database!  I imagine it would make a lot more sense to gather the data first (into an array I presume) and then make one connection to the database an update that way, but I'm having trouble wrapping my head around how to do it based on this type of example.

Can anyone offer suggestions to help make this type of for loop code more efficient?

So what i mean is if i set a variable to "[" ($some_variable = "[") the rest of my code is now going to go CRAZY because there is an open [. Is there a way I can just make everything inside the first set of "" not relevant to the code? thanks!

OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this?

I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?

<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data"> 
Upload:<br><br> 
<input type="file" name="image"><br><br>
Image Title:<br><br> 
<input type="text" name="image_title"><br><br> 
<input type="submit" name="submit" value="Upload"> 
</form>
	
	
<?php
include("upload_file.php");

function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
		 
			 
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}

$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}

if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
			 
			 
			 			 
if (!empty($_FILES["image"]["name"])) {

$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];

		
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES 
('".$target_path."','".date("Y-m-d")."','".$title."')";

mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error()); 
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
} 
}
?>

The code below allows me to insert articles into my website without having to hard-code them in the home page.

Is this code secure?  (Someone told me I should use a switch statement instead?!)

Code: [Select]
<?php
if (isset($_GET['article'])) {
$articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php';

if(file_exists($articleFile)) {
include($articleFile);
}else{
$title = 'Article Not Found';
$content = '';
}
}else{
include('default.php');
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Dynamic Content Example</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link type="text/css" rel="stylesheet" href="css/pagelayout.css">
<link type="text/css" rel="stylesheet" href="css/dropdown.css">
</head>

<body>
<div id="wrapper" class="clearfix">
<div id="inner">
<div id="header">
<!-- DROP-DOWN MENU -->
<ul id="topMenu">
<li class="current"><a href="?article=article1">Article 1</a></li>
<li><a href="?article=article2">Article 2</a></li>
<li><a href="?article=article3">Article 3</a></li>
<!-- and so on... -->
</ul><!-- End of TOPMENU -->

</div>
<div id="left">
<p>
Other content goes here : Other content goes here : Other content goes here :
</p>
</div>
<div id="middle">
<div id="content">
<h2>MAIN CONTENT</h2>
<p>
<!-- Dynamically insert Article here using PHP include!! -->
<?php echo $content; ?>
</p>
</div>
</div>
<div id="right">
<p>
Adverting goes here : Adverting goes here : Adverting goes here :
</p>
</div>
</div>
<div id="l"></div>
<div id="r"></div>
</div>
<div id="footer">
<p>footer</p>
</div>
</body>

</html>

If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it.   

Thanks,



Debbie

I wrote an update script, how secure do you think it is?
By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in.

function update_file($url, $file)
{
        //Get URL content
$ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
            $data = curl_exec($ch);
            curl_close($ch);
            $new_content = $data;

//Replace with content from URL
file_put_contents($file, $new_content);
echo $new_content;
}

function get_url($file)
{

$domain = 'http://www.mysite.com/';
$folder = 'update/'; 
$ver = '2.0.1';
$full_url = ''.$domain.''.$folder.'/'.$ver.'/';
$fileu = array
(
"functions/update.php" => "".$full_url."functions/update.txt"
);

return $fileu[$file];
}

$files = array
(
'functions/update.php'
);

foreach($files as $file)
{
update_file(get_url($file),$file);
}

Hi,
I'm inserting data into database. which is going fine. but i want to make sure how to insert secure data into database to avoid sql injection.
what function should i use to insert secure data into database. can any one guide me please???
Thanks

Hey guys i am making a php application and i have a feature where it allows members to upload images. If there a way to secure a folder to only be allowed access when a member is logged in and not someone accessing the folder and downloading images.

Stuped question i know would it be better to store the images in the database as BLOB? but then again could make the database big. Thanks

I have parts of my webpage protected with the following
Code: [Select]
session_start();
if(!isset($_SESSION['myusername'])){
header("Location:login.php");
} else {
$username = $_SESSION['myusername'];
}
How secure is this?

The goal is so people who don't have access to the page (don't have a login account) cannot get access

Thanks for any tips

Does anyone clean/filter session id? Is it necessary?