Re: [PHP-DB] SQL Injection attack
Dear veditio, you wrote:
> I've got a ton of forms that use the $_POST variable to send
> information into the database [...]
> Any suggestions on how to tighten up the form security, or does
> magic_quotes help enough?

I'm not a security expert, but after some attacks I have implemented this simple thing. Until today it works for me. You can put it before connecting to your database. I have only one script to connect to my database, placed outside /public_html. It is requested by means of one include() in every php script. In this way, this security works in the whole site.

    $inyecc = '/...|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i'; // ...etc

    // detecting
    if (preg_match($inyecc, $resto)) {
        // do something, for example send an e-mail alert
        $ip            = $_SERVER["HTTP_CLIENT_IP"] ?? '';
        $forwarded     = $_SERVER["HTTP_X_FORWARDED_FOR"] ?? '';
        $remoteaddress = $_SERVER["REMOTE_ADDR"] ?? '';
        $message = "attack injection in $mi_url \n\nchain: $resto \n\n from: (ip-forw-RA):- $ip - $forwarded - $remoteaddress\n\n - end ";
        mail("[EMAIL PROTECTED]", "Attack injection", $message,
             "From: [EMAIL PROTECTED]'SERVER_NAME']}",
             "[EMAIL PROTECTED]'SERVER_NAME']}");
        // kill execution
        echo 'illegal url';
        die();
    }

    // DB connection
    $connection = mysql_connect(...etc.
    ?>

If you can, encode this script with Zend Encoder or a similar tool. It will be an additional measure to avoid the reading of this file.

Hope it can be useful,
Vicente,

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
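The keyword filter above and the interpolated query it is meant to protect are worth seeing side by side. What follows is an added example, not Vicente's code or anything else from the thread: it runs the same kind of blacklist against an attacker string that contains none of the listed words, then shows the interpolated query the original question describes and a prepared statement handling that same string. It uses PDO with an in-memory SQLite database so it runs without MySQL; the table, rows and attacker strings are constructed for the demonstration, and the $inyecc pattern is an assumed reconstruction because the original is truncated in the archive.

```php
<?php
// Added example (not from the original post). Runs against an in-memory
// SQLite database through PDO so it needs no MySQL; the table, rows and
// the attacker strings below are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
$db->exec("INSERT INTO users (name, pass) VALUES ('sandra', 's3cret'), ('bob', 'hunter2')");

// Keyword blacklist in the spirit of the post's $inyecc (the post's own
// pattern is truncated in the archive, so this is an assumed reconstruction).
$inyecc = '/%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';

function blacklistBlocks(string $input, string $pattern): bool
{
    return preg_match($pattern, $input) === 1;
}

// Vulnerable: the $_POST value is interpolated into the SQL text, which is
// the situation the original question describes.
function countLoginVulnerable(PDO $db, string $name, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened: a prepared statement. The driver sends the values separately
// from the SQL text, so they can never change the query's structure and
// no keyword filtering or quoting of the values is needed.
function countLoginSafe(PDO $db, string $name, string $pass): int
{
    $st = $db->prepare("SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?");
    $st->execute([$name, $pass]);
    return (int) $st->fetchColumn();
}

// 1) A classic bypass that contains none of the blacklisted words.
$payload = "' OR 'a'='a";
var_dump(blacklistBlocks($payload, $inyecc));           // does the filter notice it?
var_dump(countLoginVulnerable($db, 'bob', $payload));   // rows matched by the interpolated query
var_dump(countLoginSafe($db, 'bob', $payload));         // rows matched when it is bound as a value

// 2) A legitimate value that the case-insensitive AND alternative catches
//    inside an ordinary name.
var_dump(blacklistBlocks('sandra', $inyecc));
var_dump(countLoginSafe($db, 'sandra', 's3cret'));      // the real user with the real password
```

Run with php-cli: the blacklist lets the quote-based payload through while flagging the ordinary name sandra, the interpolated query matches both rows for the payload because the WHERE clause becomes name = 'bob' AND pass = '' OR 'a'='a', and the prepared statement matches none of them while still returning one row for the genuine credentials. The same placeholders work against MySQL through mysqli or PDO's mysql driver; the mysql_* functions used by the $connection line in the post do not support prepared statements.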
Re[2]: [PHP-DB] phptotext]
Yui wrote:
> $handle = popen("/usr/bin/pdftotext \"$original_name\" - -layout ",'r');
> $read = fread($handle, 2048000);
> echo $read;
> pclose($handle);
> But I can not see anything!!
> Please do help me!

    $tmpfile = '/home/domain/public_html/pdf_files/myfile.pdf';
    chmod($tmpfile, 0777);
    // 2>&1 so that error messages are captured in $salida as well
    $salida = shell_exec("pdftotext $tmpfile 2>&1");

Here we assume pdftotext.exe is inside /home/domain/public_html/pdf_files/. Maybe you have it inside /usr/bin... etc. In this case be aware of the security restrictions on your server when you try to execute a program outside your secure environment. If you have these problems, then you can put the executable in the same folder as the file. No fear. It works.

Also, you can translate the pdftotext error codes or messages to Japanese ^_^

    if (preg_match('/some words in the console answer/', $salida)) {
        print 'my message in jp';
    }
    etc..
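Yui's popen() call splices $original_name, which for an upload is the file name the client chose, into the command line inside double quotes, so a name containing a quote or a semicolon is run by the shell as a command. The following is an added example, not code from either message: it confines the name to one directory and quotes it before pdftotext ever sees it. The upload directory and the file names are assumed or constructed, and pdftotext is assumed at /usr/bin/pdftotext with the -layout option and the "-" (stdout) argument used in the thread.

```php
<?php
// Added example (not from the original post). $uploadDir is an assumed
// location; the file names passed in at the bottom are constructed inputs.

$uploadDir = '/home/domain/uploads/pdf_files';   // assumed; keep it outside public_html

// Returns the absolute path of an existing PDF inside $uploadDir, or throws.
function confinedPdfPath(string $uploadDir, string $userName): string
{
    // Only a bare file name is accepted: not empty, no directory parts, and
    // not starting with "-" (pdftotext would parse it as an option).
    if ($userName === '' || $userName !== basename($userName) || $userName[0] === '-') {
        throw new InvalidArgumentException("rejected file name: $userName");
    }
    $base = realpath($uploadDir);
    $real = realpath($uploadDir . DIRECTORY_SEPARATOR . $userName);
    // realpath() resolves symlinks and "..", so the prefix check also holds
    // when the name is a symlink pointing outside the directory.
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("not an existing file under $uploadDir: $userName");
    }
    return $real;
}

// Builds the command line. escapeshellarg() wraps the path in single
// quotes, so quotes, semicolons and backticks in the name stay literal.
function pdftotextCommand(string $pdfPath): string
{
    return '/usr/bin/pdftotext -layout ' . escapeshellarg($pdfPath) . ' - 2>&1';
}

function pdfToText(string $uploadDir, string $userName): string
{
    $path = confinedPdfPath($uploadDir, $userName);
    exec(pdftotextCommand($path), $lines, $status);
    if ($status !== 0) {
        throw new RuntimeException("pdftotext exited with $status: " . implode("\n", $lines));
    }
    return implode("\n", $lines);
}

// Constructed hostile name of the kind popen("pdftotext \"$original_name\" ...")
// would splice straight into the shell; here it becomes one quoted argument.
echo pdftotextCommand('/tmp/x.pdf"; id; echo "'), "\n";

// Constructed names that never reach the shell at all.
foreach (['../../../etc/passwd', '-layout', ''] as $bad) {
    try {
        confinedPdfPath($uploadDir, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The same structure applies to the chmod(0777) line in the reply: the web server user only needs read access to the PDF, and the directory holding uploads should not be under the document root, so the program that converts them never has to be world-writable or reachable by URL.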
Re: [PHP-DB] Storing Credit Cards, Passwords, Securely, two-way encryption
Peter wrote:
> So I'm thinking about how to save credit card numbers in the DB, for
> re-charging cards for subscriptions, new orders, etc.
> I'm also thinking about how to save passwords in the DB, not plaintext, but
> not one-way encrypted either.
> Any suggestions? How would I secure the database? I'm thinking some
> abstract process in code, or something -- security through obscurity.

If you need to perform the bank operations, then you can use GPG to send yourself by e-mail the last 4 or 5 digits of a credit card when the user goes through the registration process or makes his first purchase. In this way, you can have in your DB only a portion of the card number, and you can offer the user a way to recognise his own card. Even if somebody is able to get into your system, he cannot find any complete information.

Anyway, if your system is compromised, any person can change your own php scripts, etc., so be careful. If you can use Paypal or the bank, it is the best option because you are free of responsibility.

Note that although you can use Zend Encoder or similar, anyone can encode new scripts to supplant your own. Also, he can obtain memory dumps, reverse your secret-key scripts, etc. Unfortunately, as far as I know, the popular encoders don't provide means to authenticate our own scripts, nor a way to protect passwords resident in memory. Eventually, this utility http://www.ossec.net/owl/ can monitor your web pages by performing periodic MD5 checksums, but it is not a final solution if somebody is inside your server.

Having good security can be a very hard task, while putting a Paypal button is a trivial thing.

br,
Vicent,
[PHP-DB] Mirroring two DB
Hi,

I want to know how to mirror one MySQL database installed on two different servers so they can be synchronized. Any idea?

thanks,
Re: [PHP-DB] Mirroring two DB
Thanks to all for the answers. I'm reading the Replication section of the MySQL manual. It is exactly what I need.

My scenario is one MySQL working in the Intranet, and the replica on another server on the Internet. Both run Linux, and I expect people indexing information on both sides at the same time. As I read in the MySQL manual, I will need to establish the connection through some port. I don't know the security and performance consequences on the Internet server side. Would it be better to use an alternative port? Also, can I expect some slowdown on my Internet server? Is there any advice regarding automatic updates of the MySQL engine?

Any advice will be of great help. Thanks again,

> You can setup two servers in a master slave situation, you'll need to do all
> your inserts on the master, but the slave will stay synced. There is some
> latency to that setup, but depending on a few variables it's not too long.
>
> MySQL Cluster is released now too, which may provide a better solution, but
> I've never looked at it. Just go to their website and read up on it.
>
> -Micah
Re[2]: [PHP-DB] php using odbc
bedul wrote:
> thx for your info and example
> i hope i can use the link i gave in previous message
> i want to connect to there

Your link doesn't work, so I don't know what you want exactly.
Re: [PHP-DB] IF ( $_POST['submit'] == "Update Subscriptions" OR $_POST['submit'] == "Update Entire Account" ) {
Ron wrote:
> I am stuck again. If on the admin screen someone clicks "UPDATE
> ADDRESS" the address change is saved. BUT if I try to do an address
> change and then click "UPDATE ENTIRE ACCOUNT" the address change isn't
> saved.

Logical. It is not well structured. When clicking "UPDATE ADDRESS" you are satisfying the second IF. When you click "UPDATE ENTIRE ACCOUNT", you are satisfying the first IF, and that is the end of your process. You cannot expect more things than those present inside this first IF.

As Bastien Koert wrote, it would be better to have only one button. You can show all the current data to the user: etc... When the user changes any of them, after clicking on the submit button the rest of the unchanged data will also be saved. In this way you only need one condition:

    if ($_POST['submit'] == "Update Entire Account") {
        // UPDATE all fields
    }

best regards,
Re[2]: [PHP-DB] Special chars & UTF-8: sometimes ok, sometimes wrong
>> I serve a UTF-8 header within my HTML, Apache is configured to serve
>> UTF-8 and PHP scripts are saved in UTF-8 charset.
>> However, this is a very odd issue, since it happens only with text
>> taken from DataBase, but not from texts written in scripts :(
>>
>> Any similar experience?

Yes, it depends on the translation between tables and HTML pages. I frequently manage standard Apache configurations for Spanish websites. In my view, it's better not to change the Apache configuration. Instead, focus on having a latin1 character set in your MySQL tables, for example latin1_swedish_ci. As a guide, when I open phpMyAdmin, I have my tables with latin1_swedish_ci and España appears there. Then, having the HTML pages with it, it works without problems. You can use the PHP utf8_decode() function, but it will be hard work for all variables in the whole site.

If you are now in a mess, I recommend putting the Apache configuration in the standard way. Restart, load your HTML page, and change the page encoding between UTF-8 and ISO-8859-1. In this way you can find out which encoding your HTML page needs to show the DB data in the right way according to the current state of your tables. If you are still not able to see the characters in any way, then you can export and re-import your tables choosing a latin1 character set, and then the problem will be solved using UTF-8 in the HTML pages. But if you change the Apache configuration, it can interfere with other previous scripts or tables; I don't recommend it. It is my experience.

Hope it helps,
Vicente,
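As an added illustration (not from the thread) of the mismatch the reply describes, here is the byte-level view of the same word in both encodings and what each direction of mismatch between table and page looks like. mb_convert_encoding() stands in for utf8_decode(), which is deprecated since PHP 8.2; the sample word is constructed and the script is assumed to be saved as UTF-8.

```php
<?php
// Added example (not from the original post). The sample word is
// constructed and this file is assumed to be saved as UTF-8.

$utf8   = "España";                                            // ñ is the two bytes c3 b1 in UTF-8
$latin1 = mb_convert_encoding($utf8, 'ISO-8859-1', 'UTF-8');   // ñ is the single byte f1 in latin1

function showBytes(string $label, string $s): void
{
    printf("%-36s %d bytes  %s\n", $label, strlen($s), bin2hex($s));
}

showBytes('UTF-8 (what a UTF-8 page expects)', $utf8);
showBytes('latin1 (what a latin1_* table stores)', $latin1);

// Mismatch 1: latin1 bytes sent under "charset=UTF-8". f1 is not a valid
// UTF-8 lead byte, so the browser shows a replacement character instead.
var_dump(mb_check_encoding($latin1, 'UTF-8'));

// Mismatch 2: UTF-8 bytes sent under "charset=ISO-8859-1". Each of the two
// bytes of ñ is displayed as its own character, giving the familiar "EspaÃ±a".
$mojibake = mb_convert_encoding($utf8, 'UTF-8', 'ISO-8859-1');
showBytes('UTF-8 bytes displayed as latin1', $mojibake);

// Fixing it in PHP rather than in Apache: convert once on the way out of the
// table (this is what utf8_encode() did for latin1 input).
$converted = mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1');
var_dump($converted === $utf8);

// With MySQL there is a third setting that must agree with the other two:
// the connection character set (mysqli_set_charset($link, 'utf8mb4') or
// "SET NAMES"), which is how the server knows what to convert the table's
// bytes into before handing them to PHP.
```

The two showBytes() lines for the mismatches are the diagnostic: seeing "EspaÃ±a" on the page means UTF-8 bytes are being labelled as latin1, while a replacement character in place of ñ means latin1 bytes are being labelled as UTF-8, which tells you which side of the table/page pair to change.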
Re: [PHP-DB] Reading excel files
There are alternative solutions like these:
http://www.phpclasses.org/discuss/package/1919/thread/12/

Hope it helps,

---
> Hello,
> Does anybody have experience with excel spreadsheet reader packages,
> either free or commercial? The old PEAR class is no longer maintained
> and the current sourceforge-hosted reader fails to read files above a
> certain size - I have attempted to debug it but to no avail. I have a
> commercial application that requires a new solution urgently, and any
> input on this subject would be appreciated.
> Kind regards,
> Andy

--
Regards,
Vicente mailto:[EMAIL PROTECTED]