Jump to content

cherri8

Members
  • Posts

    43
  • Joined

  • Last visited

Everything posted by cherri8

  1. i dont have members for it as yet but i did postback test on those offerwall sites. i did change code to match my site. it seems that the server will only allow changes to the database if someone is present on the page and if it's my own site.
  2. hi when i get postbacks from the outside like mediumpath which is an offerwall, my database doesnt update or select member's info. i didnt use the exact postback below but it's the same idea. it's an example from that site. if(!empty($_POST)){ define('EvolutionScript', 1); define('ROOTPATH',dirname(__FILE__).'/'); define('INCLUDES',ROOTPATH.'includes/'); require(INCLUDES.'core.php'); require_once INCLUDES.'global.php'; $user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null; $transId = isset($_POST['transId']) ? $_POST['transId'] : null; $reward = isset($_POST['reward']) ? $_POST['reward'] : null; $currency = isset($_POST['currency']) ? $_POST['currency'] : null; $signature = isset($_POST['signature']) ? $_POST['signature'] : null; $status = isset($_POST['status']) ? $_POST['status'] : null; $userIp = isset($_POST['userIp']) ? $_POST['userIp'] : null; $campaign_id = isset($_POST['campaign_id']) ? $_POST['campaign_id'] : null; $country = isset($_POST['country']) ? $_POST['country'] : null; $secret = "[YOUR_WEBSITE/APP_SECRET_KEY]"; // check your app info at www.mediumpath.com $user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null; $transId = isset($_POST['transId']) ? $_POST['transId'] : null; $reward = isset($_POST['reward']) ? $_POST['reward'] : null; $signature = isset($_POST['signature']) ? $_POST['signature'] : null; if(md5($user_id.$transId.$reward.$secret) != $signature){ print_r($_POST); exit; }else{ $insert = array( 'user_id' => $user_id, 'transId' => $transId, 'reward' => $reward, 'currency' => $currency, 'signature' => $signature, 'status' => $status, 'userIp' => $userIp, 'campaign_id' => $campaign_id, 'country' => $country, ); $insertdb = $db->insert("mediumpathipn", $insert); $orderid = $db->lastInsertId(); $user_info = $db->fetchRow("SELECT * FROM members WHERE id={$user_id}"); if(!empty($user_info)){ $set = array( 'money' => $user_info['money']+$reward, ); $upd = $db->update("members", $set, "id = {$user_id}"); } } }else{ echo "ERROR: No key founds"; exit; }
  3. hi i have a little issue. Host server doesn't want to change database when there is incoming info from postbacks. Is there a code to stop this in htaccess or something?. I had a gpt site that had no issues but i didnt create the script and the script was encrypted.
  4. HI During my third comment I understood what you meant by that.I should have been more clear.Both you and Don E answer all my questions perfectly.You all help me allot.Thanks
  5. Ok.Thanks It is alright if I don't receive your help anymore .Im fine if others will do the same.For my last comment I wasnt saying that people who use wth or wtf are being rude or offensive but It only depends on how those statements are used and in what situation. If I explain further I might confuse you.I usually get made fun of about the way I write on the net.Good bye and thanks allot for your help. Sorry if you think I offended you.
  6. I already know what wth means but i didnt know if you were trying to be rude to me.Wth or wtf is suppose to be offensive statements but i guess everyone doesn't know so nevermind.
  7. Thanks but I don't know why the bold part was even necessary since I get that.you don't understand anything I wrote.It is hard to tell if you are trying to offend me?........
  8. hi, I have a question about the code below which has always been on my mind.Is there a limit to how many times I use the elseif(condition) ?.the site only mentions that several blocks of code can be executed but i don't know the amount of code that can't be used.first i'll use the if statement to check if user inputs are empty and in the else statement it would contain more condition statements: in the if(condition) and elseif(condition) i will validate(for these conditions it would show true that there has been an error like for example: the users didn't use a proper email address) user inputs and in the else im plan to put user input in database( since the other conditions aren't true it would be safe to enter user data in database).thanks if (condition){code to be executed if condition is true;}elseif (condition){code to be executed if condition is true;}else{code to be executed if condition is false;}
  9. I will look at the codes on the net to understand session handler better
  10. Thanks you all. Thanks Birbal :I wanted to make my own codes for session_set_save_handler() when I use it to understand it more instead of using the ones that are already made on the net. I notice that most people only use mysql_real_escape_string in handler which wouldn't be enough to filter stuff. It would be more work for me to think of which filters to use for every session data which is one of the reasons why I wanted to use session_set_save_handler() later because im in a rush to finish site for important reasons lol. I already know that I have to use this to filter session id: if ((preg_match('/[^a-zA-Z0-9-,]/i', $sessid ))!==TRUE). If I don't use the handler I did plan to make a mysql query at the login page to put the session id+user agent in database.After i will get ip from database that was put there during signup than put session id+user agent+ip in session at login page.yah it sounds like allot of work my way and confusing too lol.It seems that with session_set_save_handler() I don't have to do a mysql query every time to put session data in database.
  11. Thanks i'll check user agent string with ip. I dont know how to decode after hashing stuff so i hope that i dont need to decode user agent string.ill put hash user agent string in database.
  12. Thanks.So far i already have $_SESSION['ipcheck'] = true;(when ip is already found in database) and $_SESSION['logincheck'] = true;(when password and username is found in database).I'll use this code below that i found on wiki that has user agent.ill change up some stuff in code.The user agent stuff is new to me s i had to google it.if (strpos($_SERVER['HTTP_REFERER'], 'https://DiD/') !== 0 || isset($_GET['LOGOUT']) || $_SERVER['REMOTE_ADDR'] !== $_SESSION['PREV_REMOTEADDR'] || $_SERVER['HTTP_USER_AGENT'] !== $_SESSION['PREV_USERAGENT']) session_destroy(); session_regenerate_id(); // generate a new session identifier $_SESSION['PREV_USERAGENT'] = $_SERVER['HTTP_USER_AGENT'];$_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
  13. Thanks for help :Happy: . I thought that the session set safe handler was also use to prevent people's session ID from being stolen. I'll only use the session regenerate Id and not the session set safe handler. I'll just use the defaults. If I put error in files ,I'll store them in the private directory on server that is above the public directorys.
  14. Hi, Session set safe handing is abit confusing for me to use now even though i can get the codes on the net.I will not be able to store sessions in database without the session set safe handler.if I always change session id when users login than i shouldnt have to use session set safe handler? is this code alone good enough to use to change id? .i got the code from wikipedia : //accept only SIDs generated on my serverif (!isset($_SESSION['SERVER_GENERATED_SID'])) { session_destroy(); // destroy all data in session}session_regenerate_id(); // new sid$_SESSION['SERVER_GENERATED_SID'] = true; Are errors safe in the error log on server? and is this code that i got at php.net good enough to use for error logging? my purpose is to not display errors to people. /* 00.00.00.00 is replace with the site owner ip address.*/// Report all PHP errorserror_reporting(-1);if($_SERVER['REMOTE_ADDR']=="00.00.00.00"){ini_set('display_errors','On');}else{ini_set('display_errors','Off');}
  15. thanks both of you!!! .im relieved that i dont have to filter the other stuff.i was losing my mind before which made it hard to enjoy php.i even forgotten some things i learned just because i never got to practice them because of the filter problem i had. birbal: thank you so much your examples helps me allot.Some of those characters are very similar to each other like newline and carriage returns.I'll just use all characters except form feed and backspace.
  16. \' single quote \" double quote \\ backslash \n new line \r carriage return \t tab \b backspace \f form feed hi Im really confuse about what these terms mean and where and how to use them so far I know that they have to be used in strings and in echo.I already know about the single quote and double quote.Please provide examples to explain them in simple terms.i search on many tutorials site but nothing helps ;(. Im also really confused about something with the filtering.when i filter my varibles like email, connect varibles do i have to filter the stuff where these varibles go?.I'll put examples: $my_servername $my_username$my_password$my_database ----i have filter these varibles that is used to connect to the server with mysql_real_escape_string, filter_var($my_servername, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH); -i use this hoping it takes away everything except numbers and letters, (preg_match('/[^a-zA-Z0-9]/i', $my_password))!==TRUE i don't have a problem with these varibles but it is with these "non varibles" because im wondering if i have to filter them since i already filter their varibles on top: $con = mysql_connect($my_servername,$my_username,$my_password);$createdatabase = mysql_query("CREATE DATABASE $my_db",$con);$getdata = mysql_select_db($my_db, $con); do i have to filter these also even though the variables going inside them are already filtered ?.tutorials on net talk as if everything needs to be filtered.for example if i need to filter a whole table with the varibles already inside that was filtered already?.I hope i make sense im really confusing myself lol.i've been staying up untill 5 in the morning allot just to be a good developer in a short time lol.thanks: CREATE TABLE Persons () INSERT INTO table_name (column1, column2, column3,...)VALUES (value1, value2, value3,...) SELECT column_name(s)FROM table_name and others simliar to these three that takes in varibles.
  17. i defiantly need frames for affiliate sites.frames are not good for pages that needs to be indexed by google.there is a site that talks about the disadvantages to backlinks and one of them is frames.i hope that i can make a good frame substitute like the mod had mentioned.
  18. thanks you guys!.birbal: i'll use the $ _SESSION['auth']=true; idea like you said and since that session is going to be made for correct ip,password,and username i decided to not put username in sessions and just use isset($_SESSION['auth']) && isset($_SESSION['id']).i heard it isnt the good idea to put username in sessions so that method would be great for me. justsomeguy: i'll use md5 instead.I hope that its ok to use with isset: $pwd=$_POST['fpassword']; = md5($salt.$_POST['fpassword']);$id=$_SESSION['id']; = md5($salt.$_SESSION['id']); isset(md5($salt.$_SESSION['id']))
  19. thanks. if i only use sessions for php and not cookies can i use these codes to check if people are login on a secure page?. i plan to do the regenerate id or whatever it is called for session id but i have not done it as yet. if (isset($_SESSION['fuser']) && isset(shal1($salt.$_SESSION['id']) && isset(sha1($salt.$_POST['fpassword']) ) ) {header('Location:securepage.php');} if (!isset($_SESSION['fuser']) && !isset(shal1($salt.$_SESSION['id']) && !isset(sha1($salt.$_POST['fpassword']) ) ){header('Location:index.php');}----------------------------------i have a database tables question.im going to do a session table with "CREATE TABLE sessions ( id varchar(32) NOT NULL, access int(10) unsigned DEFAULT NULL, data text DEFAULT NULL, PRIMARY KEY (id) )";saw this on a tutorial on the net.the sessions id does not have AUTO_INCREMENT like i see in this site tutorials.Im wondering if i can replace id varchar(32) NOT NULL, with id int UNSIGNED NOT NULL AUTO_INCREMENT, in my members table and all the other tables connected with members like the shop table for example? or i probably should just put everything from the sessions table into the members table?thanks
  20. Hi i hear allot of things on the net that PHP sessions can be unsafe if you are not an experience programmer.I still want to make sites with PHP regardless what I hear.I was wondering if ASP sessions+cookies are safer than PHP sessions+cookies because ASP codes are hidden on the browser? . I think ASP session info is hidden from people using shared hosting but with PHP sessions it is not hidden from people . thanks
  21. cherri8

    Cookies & Login !

    Good stuff.at this link below they mention other important parts for sessions so im wondering if they were already apply in your codes? i cant find the part where the sessiom id is in cookie.i was going to use cookie before reading comments here because of problems i here about seesions like people's info are store in some public thing lol at the server which anyone can see and that a url can be made to delete users and passwords :0 http://stackoverflow.com/questions/4481250/php-session-security-for-website-login number 1 to 4 is what i got from the link "1.) Make sure your session is encrypted. If you are using PHP's built-in sessions, the associated entropy (randomness) is relatively high, so you should be fine.2.) ONLY store the session id in the cookie. Any other information should simply be associated on the server using that id. I've seen many cases where the system engineer determines if someone is admin if the token 'is_admin' = true in the session. You can obviously see the problem with this.Some will complain that its an expensive operation, but I recommend creating a (my)SQL table for active sessions. Then, when the page is loaded, pull the associated data from the table and deal with it just as you would any other data. Some frameworks (like CodeIgnitor) do this for you by changing one configuration item.3.) Validate against IP - in your table, add the current IP address. If the current IP doesn't match the one in the session, someone is probably trying to hijack. Force a logout and terminate.4.) Place limits on login attempts. Adding a 1 second sleep(); server side on each login is virtually unnoticeable to the user, but for an automated system, it makes it virtually impossible to brute force logins."
  22. Thanks for links!.I'm checking them out now.
  23. thanks. the parse and php.ini thing is new to me and i dont know how to use them even after reading the tutorial.i hope that i won't have security issues from not using them.
×
×
  • Create New...