PHP - Preventing Bots From Accessing A Directory.

Hi, I making a banner exchange script. Members will have to place a banner code on their sites to make banners appear. Some members might cheat by using bots to refresh the page to gain impressions and to waste other members impressions so i wanted to know if bots have ip addresses? because i want to only give member impressions if their visitors have ip. What are the other things i can do to check if members are cheating?. Thanks  

$ip=$_SERVER['REMOTE_ADDR'];

Hello

We have a series of sites that use Google API to serve locations stored in local DB, that show google maps from within given PHP pages within our sites (these pages also have other db driven content we wish to keep....

Each 'member' in our sites,  they each have a google map shown on each page present for their 'location' menu tab...

These calls to the google map API,  often goes over our daily allotment of freebie map presentations from the google API

It is SE and other Bots that run these view numbers off the charts and prevent the google maps from loading the actual maps - we get a google map err message - advising that maximum views have been reached... (we see this in our server error logs)

Thoughts on how i can serve this map code to only legit http requests (human eyes)  or at least reduce the burden of bot crawl requests to the google API?

here is the code we use to call the maps

 - We need to encapsulate Google Map Display in a snippet that will block it from getting hit by bots....

Huge Thanks!

Code: [Select]
<form target="_blank" method="GET" action="http://maps.google.com/maps">
<input type="hidden" name="daddr" value="<? echo "$address, $city, $state $zip $country" ?>">
<?php display_tooltip("Please enter your starting point in the form address, city, state zip country or simply enter your city", "mapdir");?>
<input type="text" name="saddr" value="your starting point" onfocus=this.select()>
<input class="clickableL" type="submit" value="Map and Directions">
</form>

Hi guys,

I've been working on a script for a while now,
and I'm sure it doesn't look great and all, and it's probably really messed up..
But right now I've finally got it working!
There's only 1 thing I'd really like to add..
Searching through & listing of remote directories!
The directories I'm trying to list have directory listings enabled,
and I think it *should* be possible.
I just have no clue how.

Here's my current code in a beautiful mix of HTML and PHP:


<?
$border_size = "0";

function returner($what) {
$what=explode("/",$what);
$tps=count($what);
$what=$what[$tps-1];
return $what;
}

$page_url= "";
$home_url=returner(__FILE__);
if(isset($_GET['q'])) {
$qtext=$_GET['q'];
} else {
$qtext="";
}
function getdirsize($directory, $format=FALSE) {
$size = 0;
if(substr($directory,-1) == '/') {
$directory = substr($directory,0,-1);
}
if(!file_exists($directory) || !is_dir($directory) || !is_readable($directory)) {
return -1;
}
if($handle = opendir($directory)) {
while(($file = readdir($handle)) !== false) {
$path = $directory.'/'.$file;
if($file != '.' && $file != '..') {
if(is_file($path)) {
$size += filesize($path);
}
elseif(is_dir($path)) {
$handlesize = getdirsize($path);
if($handlesize >= 0) {
$size += $handlesize;
} else {
return -1;
}
}
}
}
closedir($handle);
}
if($format == TRUE) {
if($size / 1048576 > 1) {
return round($size / 1048576, 1).' MB';
}
elseif($size / 1024 > 1) {
return round($size / 1024, 1).' KB';
} else {
return round($size, 1).' bytes';
}
} else {
return $size;
}
}

if(isset($_GET['type'])){
  $type=$_GET['type'];
} else {
  $type="new";
}

$textures=0;
$models=0;
$avatars=0;
$seqs=0;
$sounds=0;

foreach (glob("textures/*.jpg") as $texture){
$textures++;
}
foreach (glob("models/*.zip") as $model){
$models++;
}
foreach (glob("avatars/*.zip") as $avatar){
$avatars++;
}
foreach (glob("seqs/*.zip") as $seq){
$seqs++;
}
foreach (glob("sounds/*.zip") as $sound){
$sounds++;
}
?>
<!DOCTYPE html>
<html>
<head>
<title>ObjectPath Search</title>
<style type="text/css">
#wrapper {
width: 850px;
margin: 30px auto 30px auto;
padding: 10px;
}

body 
{
color:#C6C6C6;
background:#1E1E1E;
/* margin:0; padding:0; */
overflow-x:hidden;
}

#tabs {
font: 85% "Trebuchet MS", sans-serif;
}

.left {
float: left;
}

.right {
float: right;
}

a:link, a:visited, a:active {
color: #3DB015;
text-decoration: none;
}

a:hover {
color: #00E0FF;
}

h2 {
color: #3DB015;
padding-bottom: 0.2em;
font-size: 110%;
}
ul#icon {margin: 0; padding: 0;}
ul#icon li {margin: 1px; position: relative; padding: 1px 0; cursor: pointer; float: left;  list-style: none;}
ul#icon span.ui-icon {float: left; margin: 0 1px;}
</style>
<link type="text/css" href="http://objects.jk-hosting.com/search/css/black-tie/jquery-ui-1.8.2.custom.css" rel="stylesheet" />
<script type="text/javascript" src="http://objects.jk-hosting.com/search/js/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="http://objects.jk-hosting.com/search/js/jquery-ui-1.8.2.custom.min.js"></script>
<script type="text/javascript">
function formHandler(form){
var URL = document.form.site.options[document.form.site.selectedIndex].value;
window.location.href = URL;
};

$(function(){
// Tabs
$('#tabs').tabs();
});
</script>
</head>
<body>
<div id="wrapper">
<div id="tabs"> <!-- Tabs start -->
<ul>
<li><a href="#tab-search">Search</a></li>
<li><a href="#tab-list">List Objects</a></li>
<li><a href="#tab-info">OP info</a></li>
</ul>

<div id="tab-search"><!-- Searchtab start -->
Please enter a string to search for, and choose a folder to search in. <br /><br />
<form name="Search">
<input type='hidden' value='search' name='type'>
<input value='<? print $qtext; ?>' type='text' name='q'> 
<select name='map'>
<option selected='selected' value='models'>Models</option>
<option value='avatars'>Avatars</option>
<option value='textures'>Textures</option>
<option value='seqs'>Seqs</option>
<option value='sounds'>Sounds</option></select> <input type='submit' value='Search'>
</form>
</div> <!-- Searchtab end -->

<div id="tab-list"><!-- Listtab start -->
Please pick a folder to browse. <br /><br />
<form name="form">
<select name="site" onChange="javascript:formHandler()">
<option value="#">Look in folder...</option>
<option value="<? print $page_url; ?>?type=list&map=models">Models</option>
<option value="<? print $page_url; ?>?type=list&map=avatars">Avatars</option>
<option value="<? print $page_url; ?>?type=list&map=textures">Textures</option>
<option value="<? print $page_url; ?>?type=list&map=seqs">Seqs</option>
<option value="<? print $page_url; ?>?type=list&map=sounds">Sounds</option>
</select>
</form>
</div> <!-- Listtab end -->

<div id="tab-info"><!-- Info tab start -->  
The OP currently contains: <br /><br />
<table>
<tr><td><b><? echo $models; ?></b></td> <td>Models</td></tr>
<tr><td><b><? echo $avatars; ?></b></td> <td>Avatars</td></tr>
<tr><td><b><? echo $textures; ?></b></td> <td>Textures</td></tr>
<tr><td><b><? echo $seqs; ?></b></td> <td>Seqs</td></tr>
<tr><td><b><? echo $sounds; ?></b></td> <td>Sounds</td></tr>
</table>
</div> <!-- Info tab end -->
</div> <!-- Tabs end -->
</div>

<!-- Start PHP generated content -->

<?
if($type=="search" || $type=="list") {
$M=$_GET['map'];
if($type=="search") {
$Q=$_GET['q'];
$empty="Nothing found with <b>\"" . $Q . "\"</b> in it's name.<br />\nPlease make a more general search query, or try a different folder.\n\n";
} else {
$Q="";
$empty='This folder is empty';
}
if($M=="textures") {
$ext="jpg";
} else {
$ext="zip";
}
$i=0;
print "<hr>\n";
$endfile=array();
$endsize=array();
$endsize2=array();
    foreach (glob($M."/*".$Q."*.".$ext) as $filename) {
$filename = explode(".", $filename);
$filename=$filename[0];
$filename = explode("/", $filename);
$filename=$filename[1];
$i++;
$endfile[$i]=$filename;
if($ext=="jpg") {
$endfile[$i]="<a name='".$endfile[$i]."' href='".$pageurl."?type=view&name=".$endfile[$i]."&folder=".$M."&from=".$type."&addon=".$Q."'>".$endfile[$i]."</a>";
}
$endsize[$i]=$size;
$endsize2[$i]=$size2;
}
if($i != 1) {
print "<b>".$i."</b> items were found.\n<hr>\n";
} else {
print "<b>".$i."</b> item was found.\n<hr>\n";
}
    echo("<table width='100%' border='" . $border_size . "' cellspacing='0' cellpadding='0' >\n");
if($i!=0) {
for ($t = 1; $t < $i; $t++) {
$thumbfile = $M."/".$endfile[$t].'.jpg';
if(file_exists($thumbfile)) {
$thumbnail = "<a name='".$endfile[$t]."' href='".$page_url."?type=view&name=".$endfile[$t]."&folder=".$M."&from=".$type."&addon=".$Q."'><ul id='icon'><li class='ui-state-default ui-corner-all' title='".$endfile[$t]."'><span class='ui-icon ui-icon-image'></span></li></ul></a>";
} else {
$thumbnail = "";
}
if($t=="1") {
echo("<tr><td width='10%'>Number</td><td width='3%'><ul id='icon'><li class='ui-state-default ui-corner-all' title='".$endfile[$t]."'><span class='ui-icon ui-icon-image'></span></li></ul></td><td width='60%'>Name</td></tr>\n");
}
echo("<tr><td>" . $t . "</td><td>".$thumbnail."</td><td>" . $endfile[$t] . "</td></tr>\n");
flush();
}
$thumbfile = $M."/".$endfile[$t].'.jpg';
if(file_exists($thumbfile)) {
$thumbnail = "<a name='".$endfile[$t]."' href='".$page_url."?type=view&name=".$endfile[$t]."&folder=".$M."&from=".$type."&addon=".$Q."'><ul id='icon'><li class='ui-state-default ui-corner-all' title='".$endfile[$t]."'><span class='ui-icon ui-icon-image'></span></li></ul></a>";
} else {
$thumbnail = "";
}
echo("<tr><td>" . $t . "</td><td>".$thumbnail."</td><td>" . $endfile[$t] . "</td></tr>\n");
}
print "</table>\n";     
if($i=="0") {
print $empty;
}
} elseif($type=="view") {
$filename=$_GET['name'];
$folder=$_GET['folder'];
  
if($_GET['from']=="list"){
$addon="?type=list&map=".$folder."#".$filename;
}

if($_GET['from']=="search"){
$addon="?type=search&q=".$filename."&map=".$folder."#".$filename;
}
print"<center><a href='".$home_url."'>Home</a></center>";
print "<hr>\n<center><img src='".$folder."/".$filename.".jpg'></img></center>\n<hr>\n<br />\n<a href='".$page_url."".$addon."'>Previous Page</a>\n";
}
$htmlshow="";
if($_GET['type']=="returnOPfile") {
if(isset($_GET['split'])) {
$splitter=$_GET['split'];
} else {
$splitter=" | ";
}
if(isset($_GET['html'])) {
$htmlshow="<br />";
}
foreach (glob("textures/*.jpg") as $texture){
if(isset($_GET['size'])) {
$size=$splitter.filesize($texture);
}
    $texture = explode("/", $texture);
$texture=$texture[1];
print "textures".$splitter.$texture.$size."\n".$htmlshow;
}
  
foreach (glob("models/*.zip") as $model){
if(isset($_GET['size'])) {
$size=$splitter.filesize($model);
}
    $model = explode("/", $model);
$model=$model[1];
print "models".$splitter.$model.$size."\n".$htmlshow;
}
  
foreach (glob("avatars/*.zip") as $avatar){
if(isset($_GET['size'])) {
$size=$splitter.filesize($avatar);
}
    $avatar = explode("/", $avatar);
$avatar=$avatar[1];
print "avatars".$splitter.$avatar.$size."\n".$htmlshow;
}
  
foreach (glob("seqs/*.zip") as $seq){
if(isset($_GET['size'])) {
$size=$splitter.filesize($seq);
}
    $seq = explode("/", $seq);
$seq=$seq[1];
print "seqs".$splitter.$seq.$size."\n".$htmlshow;
}
    foreach (glob("sounds/*.zip") as $sound){
if(isset($_GET['size'])) {
$size=$splitter.filesize($sound);
}
      $sound = explode("/", $sound);
$sound=$sound[1];
print "sounds".$splitter.$sound.$size."\n".$htmlshow;
}
}
?>

<!-- End PHP generated content -->

</body>
</html>


So right now my question to you PHP freaks is,
can you please help me edit my script so I can search through a remote directory?

*This* is one of the directories I wish to be able to search through & list..

Thanks in advance. 

Edit;
It might help if you know what the site currently looks like.
*Click*

I am trying to write a php/mysql that will allow a church keep attendance on their members in bible study. I am also going to try to prevent doing a circular reference between tables and just can't figure it out how since I am just starting to learn mysql. Here are the tables:   Table 1: Members: --------------- 1:Name: 2:Address: 3:Bible Study Group it belongs to:   Table 2: Cells -------------- 1:Bible Study Lider: 2:Bible Group Name   Table 3: Attendance -------------- 1:Date 2:Member 3:Bible Group   As you all can see, Table 2:2 makes a lookup at Table 1 for the member(in this case, the leader). BUT Table 1:3 makes a lookup to Table 2:2 and is a circular lookup.   Anyone have an idea on how to properly do this without any circular problems?   Thanks in advance!          

i have made an delete files script which works for only one directory but not sub directory so i want to delete files of same extention from directory and subdirectory.

My current code is

Code: [Select]

<?

$dir = 'hmm/';

function scanr($dir){

$arr = glob($dir.'/*.jpg');
foreach($arr as $vv){



//check if $vv is a file
if(is_file($vv)){

//if file, get the filename
$vx=explode('/',$vv);
$file=$vx[count($vx)-1];


// if no extension delete the file
unlink($vv);
// print the deletion message
echo $vv." deleted!<br>";}else{
// if $vv is a dir then scan it again for files
scanr($vv);
}}
}

scanr($dir);
?>

Would this work to prevent remote file inclusion vulnerability?

$file = "../include/links.php";
if ($file = '../include/links.php'){
include $file;
}

I've run into a little bit of a logistical nightmare on some registration pages I've taken over work on.  On these pages, parents register their kids for classes. The pages have been coded as such:
page one: the user enters name and personal info, and selects one or two classes to register for, on submit, they go to page two.
page two: their info is entered into the mysql database's registration table on a unique id  The user verifies the total, enters a discount and submits
page three: credit card info is added to registration table, and sent to authorize.net.
page four: payment processed, and they enter the data for their kids into the attendees table
page five: confirmation and done.

My issue is that, at first I saw people entering page one data, going to page two, then for some reason, hitting the back button. They could then enter the data again. I'd have two entries in the registration table for the same person. I was going to put some sort of unique key on the name and an email, but then I saw scenario two...

Another person enters data and registers one kid.. then for whatever personal reason goes back and registers a second kid in a completely separate transaction.

So I can't put that key on there, but is there a way to prevent them from going back and reentering twice. I don't want to have to blow up the code to do it at the end of everything. and that would take implementing sessions, wouldn't it? I'm not so versed at that. Any thoughts?

I know that the following lines of code can be used to prevent errors from being displayed:

Code: [Select]
<?php
error_reporting(0);
ini_set('display_errors', 0);
?>

Is there a reason to use one over the other? Is it better to use both?

I hope this is enough info, but I have this code (at the bottom) that grabs images from my S3 account (Amazon Web Services)... If there is no bucket for the name given, it gives this warning...

Code: [Select]
Warning: S3::getBucket(): [NoSuchBucket] The specified bucket does not exist in /home/xxxxxxx/public_html/xxxxxxx.com/S3.php on line 126
Assuming it's not specific syntax to S3 and is general PHP syntax, how could I prevent that warning from showing, by saying in plain English "If a bucket by that name doesn't exist, I'm gonna do something else and NOT spit out this warning?"

Basically, I want to echo a message like "There is no bucket yet" instead of having that ugly warning.


Code: [Select]
// Get the contents of our bucket
$contents = $s3->getBucket("mybucket");
foreach ($contents as $file){

$fname = $file['name'];
$furl = "http://mybucket.s3.amazonaws.com/".$fname;

//output a link to the file
echo "<a href=\"$furl\">$fname</a><br />";
echo "<img src='$furl' width='50' /><br />";
echo "$furl<br />";

}

Basically, I have the following code ($c2 is my connection variable):
Code: [Select]
$rid = $_GET['id'];
$q = mysql_query("SELECT * FROM reports WHERE id = $rid", $c2) or die(mysql_error());
$report = mysql_fetch_array($q);
$report is used later on to gather more information that is outputted to the user.

However, if in the URL, someone were to put id=1', they would have an error message spit out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1), indicating a SQL Injection exploit.

How would I go about fixing this, and also preventing SQL Injection?

Thanks a bunch,
Mark

I imagine there are lots of ways to answer this question, so I just want people's opinions as to the best way (if there is one).

I have code with a basic form that submits data to a MySQL database. 

So when someone submits data the first time, I "clean it up" by doing...
Code: [Select]
$_POST['data'] = trim(mysql_prep($_POST['data']));
.. and then submit that info into a "varchar" mySQL field.

Then if the user comes back to edit it, the form comes up and the data they previously entered is pulled into the field this way (I'm leaving out the MySQL to pull the data, obviously)...

Code: [Select]
<input type="text" name="field" value="<?php echo $data;?>">

The problem is that if someone entered this originally...
Code: [Select]
Here is "some" data with apostrophes
...Then when I echo that back into the value of the text field, it would only show...
Code: [Select]
Here is "...and then cuts off because the quotation mark in the data conflicted with the quotation mark after value=

Is htmlentities the answer here, or is there some other/better way?

FYI...


Code: [Select]
function mysql_prep($value) {
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists("mysql_real_escape_string") ; //i.e. PHP >= v4.3.0
if($new_enough_php) { //PHP v4.3.0 or higher
//undo any magic quote effects so mysql_real_escape_string can do the work
if($magic_quotes_active) { $value = stripslashes($value) ;}
$value = mysql_real_escape_string($value);
} else { //before php v4.3.0
// if magic quotes aren;t already on then add slashes manually
if(!magic_quotes_active) { $value = addslashes($value); }
// if magic quotes are active, then the slashes already exist
}
return $value;
}

I'm trying to echo the directory and sub directory only. I am not looking to show the files contained - only folders.

"BACK" or REFRESH: Preventing database interaction / code execution
how to prevent database interaction / code execution when user presses back or refresh button?
can i detect?
can i disable back/refresh?

If $result contains the result of mysql_query, a select count distinct query, how do I access the count?  I've tried $result[0] to no avail and $result only returns the resource #.

I am a part of an institue which has internal web pages. It also provides me with my web space with php servers. Now I know those internal web pages are available to the server. I want a code that can fetch those web pages and display it  in my web space. And whatever forms i fill or links i click it should do those on internal page and again return the new web page.