funbinod

if my local site is opening FINE just because I've disabled error displayed setting, shouldn't the online page open along with error messages?????? but my page is displaying only errors.......

please have a look at these pages...

http://mimosa-nepal.com/mimosa_cashier (my online page)

and

http://103.28.84.9/mimosa_cashier (my local server)

use the following username and password to login---

 

username: testuser

password: TestPassword1

and please help me resolve the problem....

don't u need quotes for ur id inside bracket?????

like

tl = document.getElementById('id');

why is my scripts not working on online server while it is working fine on local server????

like

this is working fine on my local server but while online it gives error regarding session_start() and header informations.

I don't know what is this. please guide.......

was my last question unclear???

i was asking - is using PHP-Antixss good? will it protect from every type of XSS attack?

i didn't understand what u said. but its ok will not think of hashing a username for now........

there is no proper logic. i just thought this if we could hide all the usernames also from hackers, if they hacked the database... then they will need more time to extract the username and password....

how is it to use php-antixss??

actually I suggest not to use <h1> but to do everything inside style.....

that means htmlspecialchars() will convert <script> to &ldscript&gd !!!???? or anything else? is there any idea to stop activity if it found <script> or such elements...????

thank u for all the guidance.

one last question! how about hashing username????

or would u give me green signal if I just used escaping characters but not prepared statements?

and please define differences between mysqli_real_escape_string() and htmlspecialchars() along with the use of trim()....

I think he means with the code like----

<div style="color:#F00">   // edited    <h1>Hello World</h1></div>

it will work if you put <div> inside <h1>. like ---

<h1><div style="color:#F00">   // edited    Hello World</div></h1>

but I suggest, when u r using style to a <div> or <p> or whatever, you need not to use <h1> or <h2> or whatever. just extend ur style with font:size; font-weight or whatever u need.....

isn't this for storing to database....????

$username = mysqli_real_escape_string($connect, $_POST['username'])mysqli_query($connect, "INSERT INTO user (username) VALUES ('$username')");

hummmmmm!!! it means, he will find the hashed password, and the salt but could not execute the password coz it is combined in the hashed password in the database!

did I understand correct!?

if so please guide how the salt is uniquely generated for each user!?

 

Maybe you run it through a filter that removes Javascript from submitted text, or maybe you escape HTML characters when printing user-supplied text, etc.

can u please define this with some example....

 

Prepared statements and escaping just prevent SQL injection

and can escaping characters work fine as prepared statements???

thank u!

another question!

where is the salt stored? if stored in database and if it is hacked, cannot the hacker even get the salt??? if stored in a file or script, isn't it possible they can hack everything when they can hack database???

can anyone suggest what is the best method to prevent xss attacks! is using " mysqli_real_escape_string " enough for this?? please guide in detail...

 

if 100 users all have the same password, their hashes are all different.

sorry! i'm just learning about salt.

confusion arouse is "if all have same password and the salt for all is the same, how could their hash be different?" please help me understand how salt work....

to the @JamesB's suggestion---

what I wonder is,

if the stored hash is hacked and found the exact password, lets say " password ", then cannot a hacker use that to login since the process is -

$salt = 'example'; // this must never change $passwordUnencrypted = 'password';$passwordEncrypted = hash('sha512', $passwordUnencrypted . $salt); // checking password in table (logging in)$sql = "SELECT COUNT(*) FROM users WHERE password =  '" . ($passwordEncrypted) ."' LIMIT 1"; // obviously check for username too

and when he tries logging in, he will enter the ' password ' won't it is added to the fix salt value which is always there in the script or database and he doesn't need to provide, as u described !? isn't it the same as entering the password only without any salt??? please help me understand this more clearly....

suggestion from ingoime worked out.. thank u for this.

I appreciate ur suggestion and even I think that it might not be good to force users to enable javascript. but my application works under some simple ajax script. it won't work good if they disabled javascript. and when they have to enable javascript, why not use javascript to force them to open a popup window. I wish the popup window to have a application like look, not like a website.

so far I understood less of the davej's suggestion. I dunno how can I establish a session before I login. but I tried the form submit post method. it again didn't read the (isset($_POST[' '])) and returned "you cannot open........!"

can anyone please suggest me how can I use salted password? I just learnt how to use hashed password. after learning I came to know that they can be easily hacked using rainbow table or other methods and got suggestion online to use salted password with hash. but I got difficulties to learn the use of salt. please guide me how can I use salt while registering, logging in and changing the password......

thanks in advance....

that is the problem. I will force them to enable javascript to use my app. along with I wish to force them to click on the link to open a popup window and if they tried opening the login page DIRECTLY, I wish the script stop and warn them to go back to click the login link.... and here I got the problem....

using a database record sounds good for me as @justsomeguy suggested. can u please go in deep. is it like insert or update method of MySQL query? can u please suggest some example...????

before any popup blocker blocks the popup window, we will make them aware about to disable the popup blocker or disclude our site from it or we will guide them for it. if they don't do that, it's no matter they use the site or not. if they like us, they will follow us.

so let's escape this chapter of popup blocker.....

i'm trying a user management page and I want to let admins to force other users logout if necessary. but I just managed to do is to set database column from "isLoggedIn = Y" to "isLoggedIn = N" but that doesn't actually logout that user. when a user loges out self, I just use "$user->logout" that includes 'session_destroy' for that user. but if a admin want's to destroy other user's session what would be the process? can please anyone guide!!???