Everything posted by coolshrimp

  1. OK, so for one, I figured pre-generating all modals is not efficient, so I have created a single modal that gets its content set dynamically from the link I click, but I cannot get it working. Anyone see the issue?

     Modal code:

         <div id="modalFullInfo" class="modal fade" role="dialog" tabindex="-1">
           <div class="modal-dialog" role="document">
             <div class="modal-content">
               <div class="modal-header">
                 <button aria-label="Close" class="close" data-dismiss="modal" type="button">
                   <span aria-hidden="true">×</span></button>
                 <h4 id="myModalLabel" class="modal-title">Modal Title</h4>
               </div>
               <div class="modal-body">
                 <table style="width: 100%">
                   <tr>
                     <td style="text-align: center">
                       <img id="FullImage" src="#" width="400" /></td>
                   </tr>
                   <tr>
                     <td style="text-align: center" valign="top">
                       <table style="width: 100%">
                         <tr>
                           <td colspan="2" style="padding: 10px; width: 50%; font-size: x-large; text-align: center; color: purple;" valign="top">
                             <strong id="FullPrice">Price</strong></td>
                         </tr>
                         <tr>
                           <td id="FullInfo" style="padding: 10px" valign="top">
                             Info<br />
                           </td>
                         </tr>
                         <tr>
                           <td id="FullIncludes" style="padding: 10px" valign="top">
                             Includes<br />
                           </td>
                         </tr>
                       </table>
                     </td>
                   </tr>
                 </table>
               </div>
               <div class="modal-footer">
                 <div style="float: left; padding-top: 5px; font-weight: bold;">
                   <span id="FullCount">00</span> Available</div>
                 <button class="btn btn-primary" data-dismiss="modal" type="button">
                   Close</button></div>
             </div>
           </div>
         </div>

     Link with data fields set:

         <tr data-toggle="modal" data-id="$id" data-target="#modalFullInfo" data-FullName='$row[1]' data-fullimage="$row[8]" data-fullprice="$row[2]" data-fullinfo='$row[4]' data-fullincludes='$row[6]' data-fullcount="$row[0]">
           <td style="width: 25%"><img src="{$row[8]}" width="200" /></td>
           <td>
             <table style="width: 100%">
               <tr>
                 <td valign="top" style="font-size: large; height: 25px;"> <strong>{$row[1]}</strong></td>
               </tr>
               <tr>
                 <td style="width: 33%" valign="top">{$row[0]} Available</td>
               </tr>
               <tr>
                 <td valign="top"><br />{$row[4]}<br /><br /></td>
               </tr>
               <tr>
                 <td style="height: 20px;" valign="top" colspan="3">{$row[6]}<br /><br /></td>
               </tr>
             </table>
           </td>
           <td><span style="width: 33%; font-size: x-large; text-align: center; color:purple;" valign="top"><strong>{$row[2]}</strong></span></td>
         </tr>

     So the TR opens the modal on click and the data fields are generated:

         <tr data-toggle="modal" data-id="$id" data-target="#modalFullInfo" data-FullName='$row[1]' data-fullimage="$row[8]" data-fullprice="$row[2]" data-fullinfo='$row[4]' data-fullincludes='$row[6]' data-fullcount="$row[0]">

     JS that would change the modal content (not working):

         $(document).ready(function () {
           $('#modalFullInfo').on('show.bs.modal', function (event) { // id of the modal with event
             var link = $(event.relatedTarget); // link that triggered the modal

             // Extract info from data-* attributes
             var fullname = link.data('fullname');
             var fullimage = link.data('fullimage');
             var fullprice = link.data('fullprice');
             var fullinfo = link.data('fullinfo');
             var fullincludes = link.data('fullincludes');
             var fullcount = link.data('fullcount');

             // Update the modal's content.
             var modal = $(this);
             modal.find('.modal-title').text(fullname);
             modal.find('#fullimage').attr("src", fullimage);
             modal.find('#fullprice').text(fullprice);
             modal.find('#fullinfo').text(fullinfo);
             modal.find('#fullincludes').text(fullincludes);
             modal.find('#fullcount').text(fullcount);
           })
         })

     So any suggestions what I'm missing? The data info is there and the modal pops up on click, but the content does not change.
  2. scripts used on the page

     To create Modal boxes each with Unique ID:

         <?php
         $count = 0;
         foreach ($CSVArray as $row) {
             $count++;
             if ($count > 1 && $row[1] !== "") {
                 $id = preg_replace("/[^a-zA-Z0-9]/", "", $row[1]);
                 echo <<<EOF
         <!-- Modal -->
         <div class="modal fade" id="$id" tabindex="-1" role="dialog" aria-labelledby="$id">
           <div class="modal-dialog" role="document">
             <div class="modal-content">
               <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">×</span></button>
                 <h4 class="modal-title" id="myModalLabel">{$row[1]}</h4>
               </div>
               <div class="modal-body">
                 <table style="width: 100%">
                   <tr>
                     <td style="text-align:center"><img src="{$row[8]}" width="400" /></td>
                   </tr><tr>
                     <td style="text-align:center" valign="top">
                       <table style="width: 100%">
                         <tr>
                           <td colspan="2" style="padding:10px;width: 50%; font-size: x-large; text-align: center; color:purple;" valign="top"><strong>{$row[2]}</strong></td>
                         </tr>
                         <tr>
                           <td style="padding:10px" valign="top" >{$row[4]}<br /></td>
                         </tr>
                         <tr>
                           <td style="padding:10px" valign="top" >{$row[6]}<br /></td>
                         </tr>
                       </table>
                     </td>
                   </tr>
                 </table>
               </div>
               <div class="modal-footer">
                 <div style="float:left; padding-top:5px; font-weight: bold;">{$row[0]} Available</div>
                 <button type="button" class="btn btn-primary" data-dismiss="modal">Close</button>
               </div>
             </div>
           </div>
         </div>
         EOF;
             }
         }
         ?>

     Script to create the table each row links to unique Modal popup:

         <table style="margin: 8px; width: 98%">
           <tr>
             <td>
               <br />
               <strong>
         <?php
         $numRows = 0;
         $count = 0;
         foreach ($CSVArray as $row) {
             $count++;
             if ($count > 1 && $row[1] !== "") {
                 $numRows++;
             }
         }
         echo $numRows;
         echo " Items Total";
         ?>
               </strong>
               <br /> <br /> <br />
             </td>
           </tr>
           <tr>
             <td>
               <table id="itemslist" class="order-table table table-hover table-striped">
                 <thead>
                   <tr>
                     <th>Image</th>
                     <th>Info</th>
                     <th>Price</th>
                   </tr>
                 </thead>
                 <tbody>
         <?php
         $count = 0;
         foreach ($CSVArray as $row) {
             $count++;
             if ($count > 1 && $row[1] !== "") {
                 $id = preg_replace("/[^a-zA-Z0-9]/", "", $row[1]);
                 echo <<<EOF
         <tr data-toggle="modal" data-id="1" data-target="#$id">
           <td style="width: 25%"><img src="{$row[8]}" width="200" /></td>
           <td>
             <table style="width: 100%">
               <tr>
                 <td valign="top" style="font-size: large; height: 25px;"> <strong>{$row[1]}</strong></td>
               </tr>
               <tr>
                 <td style="width: 33%" valign="top">{$row[0]} Available</td>
               </tr>
               <tr>
                 <td valign="top"><br />{$row[4]}<br /><br /></td>
               </tr>
               <tr>
                 <td style="height: 20px;" valign="top" colspan="3">{$row[6]}<br /><br /></td>
               </tr>
             </table>
           </td>
           <td><span style="width: 33%; font-size: x-large; text-align: center; color:purple;" valign="top"><strong>{$row[2]}</strong></span></td>
         </tr>
         EOF;
             }
         }
         ?>
                 </tbody>
               </table>
             </td>
           </tr>
         </table>

     Example of CSV Data:
  3. I buy/sell items, so I have a simple CSV file listing the items, and for each item I hotlink to images either found online or on my Photobucket account. Is there something I can do other than downloading each image, then Photoshopping it to a thumbnail and linking to that thumbnail instead? The image I currently use for each item in the data table is also the same image I have loaded into a modal. My script currently creates the table from the CSV as well as creating a modal box for each item with the full image.
  4. Hey, so I need some help speeding up my page. Currently I have a simple page that reads a .csv file and converts it into a plain table. Then I use the DataTables JS (http://datatables.net/) to make it look nice. The issue is each row in the table has an image, and the page loads every image each time the page loads, even if only a few rows are being shown by the JS. I'm listing products and I hotlink to images online, so creating thumbnails and linking to them will not work. Page that's slow: http://sale.coolshrimpmodz.com/ Speedtest shows the page is 22MB. This is bad for my mobile users. http://tools.pingdom.com/fpt/#!/bbGziz/http://sale.coolshrimpmodz.com/
  5. See, those are files they uploaded somehow. I never put them there and they're not in my site backups, so I know they injected them. They had a phpproxy page running too in my main directory as well.
  6. I get what you mean, good point.
  7. For future is security. I have each of my sites in its own folder. Is it possible to make it so a hacker cannot access files in another directory? So say my forum in the "Forum" folder is hacked, they can only screw up the forum and none of my other site folders?
  8. Thanks, seems it was my Magento and vBulletin that they were able to get into. Both seem to have a way in. vBulletin could have been this: http://www.cyberkendra.com/2014/07/vbulletin-fixed-critical-sql-injection.html Magento: seems this was the same person that hacked my site, is talked about here "https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html". They created a few accounts for themselves: http://puu.sh/lGajf/5725d61f14.png
  9. I have attached my access log. I'm trying to figure out how someone was able to upload files and edit code on my site. Hacker IP seems to be "66.147.240.176" and "76.11.82.248". The files he injected into my site were found in "/js/fancybox/helpers/". Files like "zo-hax.php". Access Log: http://puu.sh/lG7Dz/dddc8855da.rar
  10. 
          <?php
          // Google API library include path
          set_include_path(get_include_path() . PATH_SEPARATOR . "$_SERVER[DOCUMENT_ROOT]" . "/Scripts/");

          // Google Helper Script
          require_once($_SERVER['DOCUMENT_ROOT'] . "/Scripts/Google_Spreadsheet.php");

          //*************************** Google Spreadsheet to use ******************************//
          //SpreadsheetSheet and Workbook To Use
          $ss = new Google_Spreadsheet('Registration', 'Registered');

          //*************************** Get Fields From $_Post Into Array To send to Google doc ******************************//
          $_POST['Date'] = date('Y-m-d');
          $_POST['Time'] = date("g:i A.", time());
          $row = $_POST;

          //SHOW ARRAY
          /*print_r($row); */

          //***************************Set $_Post Fields To Variables ******************************//
          // Copies every POST field into a variable of the same name, so a
          // request can overwrite $ss and $row set above.
          foreach ($_POST as $key => $value) {
              $$key = $value;
          }

          //************************** Generate Form Backup Email ************************//
          $to = "email@domain.com";
          $name = "Web Form";
          $subject = "Registration";
          $from = "email@domain.com";
          $headers = 'MIME-Version: 1.0' . "\r\n" .
              'Content-type: text/html; charset=iso-8859-1' . "\r\n" .
              "From:" . $name . " <" . $from . ">" . "\r\n" .
              "Reply-To:" . $from . "\r\n";

          //Create Email
          $message = <<<EOF
          <html>
          <head>
          <meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type" />
          </head>
          <body>
          <table cellspacing="4" cellpadding="4" border="1" align="center"><tr>
          EOF;
          foreach ($_POST as $key => $value) {
              $message .= "<td align=\"center\">" . $key . "</td>";
          }
          $message .= <<<EOF
          </tr><tr>
          EOF;
          foreach ($_POST as $key => $value) {
              $message .= "<td align=\"center\">" . strip_tags($value) . "</td>";
          }
          $message .= <<<EOF
          </tr></table>
          </body></html>
          EOF;

          //Echo Email Message
          /*echo $message;*/

          //************************** Process ************************//
          if (isset($_POST['url']) && $_POST['url'] == '') {
              if ($ss->insertRow($row)) {
                  mail($to, $subject, $message, $headers);
                  header("Location: Confirmation.htm");
                  exit();
              } else {
                  header("Location: Fail.htm");
                  exit();
              }
          } else {
              echo "Error, Robot Detected!!";
          }
          ?>
  11. I have a few different PHP forms; I'll post another one in a min to have checked. Using the code above, could they put something like this in the Name field, would it run? Is this how they get in? Pasting in their own upload script?

          name']; echo 'hi'; exit; $test = $_REQUEST['name

      Would this echo out hi and then not run the rest of the PHP script?
  12. Hey, so my site was recently hacked. They did not log in to hack the site; somehow they were able to inject their files and edit pages. So I'm guessing they may have been able to gain access using an email form or something, or simply a hole in (vBulletin, Magento). What I want to do is be sure my custom coded user-submitted forms are secure to prevent future injections. So say this is my code below, are there any security issues? Should I be sanitizing the $_POST data somehow, and if so what's the best way? I'm thinking maybe they could inject code like adding in a quoted command (' <? PHP code here ?>') in one of the form fields and it may run? Am I correct?

          <?php
          $to = "myemail@host.com";
          $name = $_REQUEST['name'];
          $subject = "Contact Form - " . $_REQUEST['subject'];
          $from = $_REQUEST['email'];
          $headers = "From:" . $name . " <" . $from . ">" . "\r\n" .
              "Reply-To:" . $from . "\r\n" .
              "Content-Type: text/html; charset=ISO-8859-1\r\n";
          $email = $from;
          $company = $_REQUEST['company'];
          $msgsubject = $_REQUEST['subject'];
          $comment = $_REQUEST['comment'];
          $date = date('Y-m-d');
          $message = <<<EOF
          Name: $name
          Company: $company
          Subject: $msgsubject
          Comment: $comment
          Date: $date
          EOF;
          if (isset($_POST['url']) && $_POST['url'] == '') {
              if (mail($to, $subject, $message, $headers)) {
                  header("Location: ../pages/Contact_Success.html");
              } else {
                  header("Location: ../pages/Contact_Fail.html");
              }
          }
          ?>
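
Added example (not part of the original post): form fields submitted as text are not executed as PHP by the script in post 12, but the name and email values are concatenated straight into the mail headers and the body is sent as HTML. The sketch below validates the same fields before they reach `mail()`; `build_contact_mail()` is a hypothetical helper, and the sample submissions are constructed.

```php
<?php
// Added example, not the poster's code. build_contact_mail() is a
// hypothetical helper; field names follow the form in the post.

function build_contact_mail(array $in): ?array
{
    // Honeypot from the original form: "url" must be present and empty.
    if (!isset($in['url']) || $in['url'] !== '') {
        return null;
    }
    // Every field must be a plain string (rejects name[]=... arrays).
    foreach (['name', 'email', 'subject', 'company', 'comment'] as $f) {
        if (!isset($in[$f]) || !is_string($in[$f])) {
            return null;
        }
    }
    // Values that reach a header line must not contain CR or LF, or the
    // sender could append header lines of their own (Bcc:, Content-Type:).
    foreach (['email', 'subject'] as $f) {
        if (preg_match('/[\r\n]/', $in[$f])) {
            return null;
        }
    }
    $replyTo = filter_var($in['email'], FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        return null;
    }
    // The body is sent as HTML, so escape everything the visitor typed.
    $e = function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    };
    $message = 'Name: ' . $e($in['name']) . "<br>\n"
        . 'Company: ' . $e($in['company']) . "<br>\n"
        . 'Subject: ' . $e($in['subject']) . "<br>\n"
        . 'Comment: ' . nl2br($e($in['comment'])) . "<br>\n"
        . 'Date: ' . date('Y-m-d');
    // From is a fixed site address; the visitor only appears in Reply-To.
    $headers = "From: Contact Form <myemail@host.com>\r\n"
        . "Reply-To: $replyTo\r\n"
        . "Content-Type: text/html; charset=UTF-8\r\n";
    return ['myemail@host.com', 'Contact Form - ' . $in['subject'], $message, $headers];
}

// Constructed sample submissions.
$samples = [
    'normal' => ['url' => '', 'name' => 'Ann', 'email' => 'ann@example.com',
        'subject' => 'Hello', 'company' => 'ACME', 'comment' => 'Hi <b>there</b>'],
    'extra header line' => ['url' => '', 'name' => 'x',
        'email' => "a@example.com\r\nBcc: other@example.com",
        'subject' => 'Hi', 'company' => '', 'comment' => 'test'],
];
foreach ($samples as $label => $post) {
    $mail = build_contact_mail($post);
    echo $label, ': ', $mail === null ? 'rejected' : 'accepted', "\n";
    // On success the real script would call mail(...$mail) and redirect.
}
```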
  13. Since I have multiple sites in one folder and I'm using a single vhost in XAMPP, document_root will not work, so instead I've done this:

          //CSV Reader Scripts
          $FileLocaton = $_SERVER['DOCUMENT_ROOT'] . '/php/CSVReader.php';
          if (file_exists($FileLocaton)) {
              //Automatic Path
              include $FileLocaton;
          } else {
              //Backup Manual Path
              include '../php/CSVReader.php';
          }
  14. Any tricks you know for the includes to work on both localhost and web server without setting absolute paths on all files? Seems I have to use absolute path:

          include '../php/CSVReader.php';

      If you use these:

          include (getcwd() . '/php/CSVReader.php');
          include ($_SERVER['DOCUMENT_ROOT'] . '/php/CSVReader.php');

      On localhost it returns:

          "W:MySitesSiteNameSitedialogue/php/CSVReader.php"
          "W:/MySites/php/CSVReader.php"

      And on server it returns:

          "/home2/server/public_html/HostedSites/SiteName/dialogue/php/CSVReader.php"
          "/home2/server/public_html/HostedSites/SiteName/php/CSVReader.php"

      On localhost it should be:

          "W:MySitesSiteNameSitephp/CSVReader.php"

      And on server it should be:

          "www.SiteName.com/php/CSVReader.php" or "/home2/server/public_html/HostedSites/SiteName/php/CSVReader.php"
  15. If I wanted to hide the function in another file, what's the best way to include it, that will automatically get the included file no matter what directory a page is calling it from? Also, should I use include, include_once, require? Would I do:

          include ($_SERVER['DOCUMENT_ROOT'] . "Scritps/PHP/CSV.php");

      Inside "CSV.php":

          <?php
          function csv_to_array($file_name) {
              $data = $header = array();
              $i = 0;
              $file = fopen($file_name, 'r');
              while (($line = fgetcsv($file)) !== FALSE) {
                  if ($i == 0) {
                      $header = $line;
                  } else {
                      $data[] = $line;
                  }
                  $i++;
              }
              fclose($file);
              return $data;
          }
          ?>
  16. Cool, OK, I got it. Does all this look OK?

          <?php
          function csv_to_array($file_name) {
              $data = $header = array();
              $i = 0;
              $file = fopen($file_name, 'r');
              while (($line = fgetcsv($file)) !== FALSE) {
                  if ($i == 0) {
                      $header = $line;
                  } else {
                      $data[] = $line;
                  }
                  $i++;
              }
              fclose($file);
              return $data;
          }
          ?>
          <?php
          $file_name = 'myfile.csv';
          $thearray = csv_to_array($file_name);
          ?>
          <strong>Silver Images</strong><br><br>
          <?php
          $count = 0;
          foreach ($thearray as $row) {
              $count++;
              if ($count > 1) {
                  if ($row[3] === 'Platinum') {
                      echo <<<EOF
          <a href="{$row[4]}" target="_blank"><img src="../../images/Logos/{$row[1]}" style="max-width:{$row[2]}px;" alt="{$row[0]}"></a>
          EOF;
                  }
              }
          }
          ?>
          <br><br><strong>Corporate Images</strong><br><br>
          <?php
          $count = 0;
          foreach ($thearray as $row) {
              $count++;
              if ($count > 1) {
                  if ($row[3] === 'Corporate') {
                      echo <<<EOF
          <a href="{$row[4]}" target="_blank"><img src="../../images/Logos/{$row[1]}" style="max-width:{$row[2]}px;" alt="{$row[0]}"></a>
          EOF;
                  }
              }
          }
          ?>
  17. How come if I do this it only runs once and shows rows with "silver" but not the ones with gold? Do I need to clear $rows before running the while statement? If so, how would I do that?

          <?php
          //Open the file.
          $fileHandle = @fopen("myfile.csv", "r") or die(print_r(error_get_last(),true));
          ?>
          <strong>Silver Images</strong><br><br>
          <?php
          $count = 0;
          //Loop through the CSV rows.
          while (($row = fgetcsv($fileHandle, 0, ",")) !== FALSE) {
              $count++;
              // Skip First 2 Rows
              if ($count > 2) {
                  if ($row[3] === 'Silver') {
                      echo <<<EOF
          <a href="{$row[4]}" target="_blank"><img src="../../images/Logos/{$row[1]}" style="max-width:{$row[2]}px;" alt="{$row[0]}"></a>
          EOF;
                  }
              }
          }
          ?>
          <br><br><strong>Gold Images</strong><br><br>
          <?php
          $count = 0;
          //Loop through the CSV rows.
          while (($row = fgetcsv($fileHandle, 0, ",")) !== FALSE) {
              $count++;
              // Skip First 2 Rows
              if ($count > 2) {
                  if ($row[3] === 'Gold') {
                      echo <<<EOF
          <a href="{$row[4]}" target="_blank"><img src="../../images/Logos/{$row[1]}" style="max-width:{$row[2]}px;" alt="{$row[0]}"></a>
          EOF;
                  }
              }
          }
          ?>

      This works, but I don't want to have to set $filehandle every time. I have 10 spots on the same webpage that I need content loaded from the same .csv file:

          <strong>Silver Images</strong><br><br>
          <?php
          //Open the file.
          $fileHandle = @fopen("myfile.csv", "r") or die(print_r(error_get_last(),true));
          $count = 0;
          //Loop through the CSV rows.
          while (($row = fgetcsv($fileHandle, 0, ",")) !== FALSE) {
              $count++;
              // Skip First 2 Rows
              if ($count > 2) {
                  if ($row[3] === 'Silver') {
                      echo <<<EOF
          <a href="{$row[4]}" target="_blank"><img src="../../images/Logos/{$row[1]}" style="max-width:{$row[2]}px;" alt="{$row[0]}"></a>
          EOF;
                  }
              }
          }
          ?>
          <br><br><strong>Gold Images</strong><br><br>
          <?php
          //Open the file.
          $fileHandle = @fopen("myfile.csv", "r") or die(print_r(error_get_last(),true));
          $count = 0;
          //Loop through the CSV rows.
          while (($row = fgetcsv($fileHandle, 0, ",")) !== FALSE) {
              $count++;
              // Skip First 2 Rows
              if ($count > 2) {
                  if ($row[3] === 'Gold') {
                      echo <<<EOF
          <a href="{$row[4]}" target="_blank"><img src="../../images/Logos/{$row[1]}" style="max-width:{$row[2]}px;" alt="{$row[0]}"></a>
          EOF;
                  }
              }
          }
          ?>
  18. I think I just won't have any user inputs load without being checked.
  19. NVM, I see this warning: "This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users."
  20. Can I simply do this? Is this safe? strip_tags($comment,'tag you want to allow'); like strip_tags($comment,'<br><b>');
  21. Yea, I did after I sent the comment, thanks. Looking into it.
  22. But strip_tags will remove all, correct? I'd like to keep <br> and <b> if possible. Is there a way to strip_tags ignoring an allowed list?
  23. OK, thank you. Yes, I know you can change the identifier "EOF"; I didn't know the proper term "heredoc". The third way is what I'm currently using; like you said, it's easier to make changes and understand what's going on, it's not all broken up into echos, and there's no need to escape characters. One more question: say I have a comment form writing to the CSV file. Fields: Name, Email, Comment. I want to load that CSV to a webpage. I know CSV has no formatting, so currently I put <br><br> between paragraphs in the comment field, and it prints out the break and the web browser knows it's an HTML break and formats it. But anyone could then submit malicious code and it would load on the site, right? So is there a way I can filter out all HTML tags but allow formatting tags like <br>, <b>, <strong> etc.?
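
Added example (not code from these posts): one way to allow only `<br>`, `<b>` and `<strong>` in comments read back from the CSV, given the `strip_tags()` warning quoted in post 19 that allowed tags keep their attributes. It escapes everything first and then restores only the exact, attribute-free tags; `format_comment()` is a hypothetical helper name and the comment values are constructed.

```php
<?php
// Added example, not code from the thread. format_comment() is a
// hypothetical helper name.

function format_comment(string $raw): string
{
    // 1. Escape everything, so no markup typed by the visitor survives.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    // 2. Restore only the exact, attribute-free tags that are allowed.
    //    "<b onmouseover=...>" never matches, so it stays escaped text.
    $safe = preg_replace('#&lt;br\s*/?&gt;#i', '<br>', $safe);
    $safe = preg_replace('#&lt;(/?)(b|strong)&gt;#i', '<$1$2>', $safe);
    return $safe;
}

// Constructed comment values, as they might come back out of the CSV file.
$comments = [
    'First paragraph<br><br>Second with <b>bold</b> and <strong>strong</strong>',
    '<b onmouseover="alert(1)">hover me</b><script>alert(2)</script>',
    '<i>italic</i> is not on the list, <br /> is',
];

foreach ($comments as $comment) {
    // strip_tags() with an allow list keeps the allowed tag AND its attributes.
    echo 'strip_tags:     ', strip_tags($comment, '<br><b><strong>'), "\n";
    // format_comment() lets through only the bare tags; the rest is shown as text.
    echo 'format_comment: ', format_comment($comment), "\n\n";
}
```

Unbalanced tags such as a lone `<b>` still pass through, which can affect page layout but not script execution.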
  24. coolshrimp

    Contact Form

    see my reply here for how to send mail with xampp: http://w3schools.invisionzone.com/index.php?showtopic=53554