
Balderick

Everything posted by Balderick

  1. and here you have the output of the script:

        X:mylocation\test-forumpost.php:15:
        array (size=36)
          0 => string 'HTTP/1.1 302 Found' (length=18)
          1 => string 'Location: https://www.facebook.com/thisisnothingbutcrap' (length=55)
          2 => string 'Vary: Accept-Encoding' (length=21)
          3 => string 'Content-Type: text/html; charset=UTF-8' (length=38)
          4 => string 'X-FB-Debug: H2nqcWjKt6OFa3H/7fqtn4AmaBe8bs8XU7D8p5iiBbjfIFxKPFk0AXrzmYcsb1j6CQpEAr1WWY+BMO7chtE4vg==' (length=100)
          5 => string 'Date: Thu, 10 Aug 2017 08:20:45 GMT' (length=35)
          6 => string 'Connection: close' (length=17)
          7 => string 'Content-Length: 0' (length=17)
          8 => string 'HTTP/1.1 302 Found' (length=18)
          9 => string 'Location: https://www.facebook.com/unsupportedbrowser' (length=53)
          10 => string 'Strict-Transport-Security: max-age=15552000; preload' (length=52)
          11 => string 'access-control-allow-method: OPTIONS' (length=36)
          12 => string 'Vary: Origin' (length=12)
          13 => string 'Access-Control-Expose-Headers: X-FB-Debug, X-Loader-Length' (length=58)
          14 => string 'Access-Control-Allow-Origin: https://www.facebook.com' (length=53)
          15 => string 'Access-Control-Allow-Credentials: true' (length=38)
          16 => string 'Vary: Accept-Encoding' (length=21)
          17 => string 'Content-Type: text/html; charset=UTF-8' (length=38)
          18 => string 'X-FB-Debug: fc06dn16MiWV1IVm6K5HuEgZBb+X33cGRs/6WG+s8ayq3bhc48K3/4zopvdDa0ikEY97osK2u8Y/OCHRO3eLYQ==' (length=100)
          19 => string 'Date: Thu, 10 Aug 2017 08:20:45 GMT' (length=35)
          20 => string 'Connection: close' (length=17)
          21 => string 'Content-Length: 0' (length=17)
          22 => string 'HTTP/1.1 200 OK' (length=15)
          23 => string 'X-XSS-Protection: 0' (length=19)
          24 => string 'public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"' (length=259)
          25 => string 'Pragma: no-cache' (length=16)
          26 => string 'Cache-Control: private, no-cache, no-store, must-revalidate' (length=59)
          27 => string 'X-Frame-Options: DENY' (length=21)
          28 => string 'Strict-Transport-Security: max-age=15552000; preload' (length=52)
          29 => string 'X-Content-Type-Options: nosniff' (length=31)
          30 => string 'Expires: Sat, 01 Jan 2000 00:00:00 GMT' (length=38)
          31 => string 'Vary: Accept-Encoding' (length=21)
          32 => string 'Content-Type: text/html; charset=UTF-8' (length=38)
          33 => string 'X-FB-Debug: 2DMvDPHSjk4qfRmBAJo9RN+YmquJZHNnvnK7JtWUJ5tiz9sFiScne55HgP9PRhnrC/oQQjaPhBiCadng5jtfSg==' (length=100)
          34 => string 'Date: Thu, 10 Aug 2017 08:20:45 GMT' (length=35)
          35 => string 'Connection: close' (length=17)
        X:mylocation\test-forumpost.php:16:string 'http://www.facebook.com/thisisnothingbutcrap' (length=44)
        X:mylocation\test-forumpost.php:18:string 'HTTP/1.1 302 Found' (length=18)

     I deliberately input a non existing user and get the output above, similar to a user that does exist. Which of the offsets is used to determine whether it is false or not?
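Added example, not code from the original post: get_headers() follows redirects and returns the header lines of every response in one flat array, so `$array[0]` is only the first hop. The sketch below splits such an array at each status line; in the dump above the chain ends in a 200 after a redirect to /unsupportedbrowser. The function name `split_responses` and the abbreviated sample are constructed for illustration.

```php
<?php
// Added example: split the flat array returned by get_headers() into one
// entry per response, so every hop of a redirect chain can be inspected.

function split_responses(array $lines): array
{
    $hops = [];
    foreach ($lines as $line) {
        // A status line ("HTTP/1.1 302 Found") starts a new response.
        if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $line, $m)) {
            $hops[] = ['status' => (int) $m[1], 'headers' => []];
            continue;
        }
        if (!$hops || strpos($line, ':') === false) {
            continue; // ignore anything before the first status line
        }
        [$name, $value] = explode(':', $line, 2);
        // Header names are case-insensitive, so store them in lower case.
        $hops[count($hops) - 1]['headers'][strtolower(trim($name))] = trim($value);
    }
    return $hops;
}

// Constructed sample: abbreviated from the dump in the post above.
$sample = [
    'HTTP/1.1 302 Found',
    'Location: https://www.facebook.com/thisisnothingbutcrap',
    'Content-Length: 0',
    'HTTP/1.1 302 Found',
    'Location: https://www.facebook.com/unsupportedbrowser',
    'Content-Length: 0',
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=UTF-8',
];

$hops  = split_responses($sample);
$final = end($hops);

foreach ($hops as $i => $hop) {
    printf("hop %d: %d %s\n", $i, $hop['status'], $hop['headers']['location'] ?? '');
}
printf("first status: %d, final status: %d\n", $hops[0]['status'], $final['status']);
```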
  2. this is a part of the code:

        <?php
        $url_inp = 'http://www.facebook.com/thisisnothingbutcrap';
        $array = get_headers($url_inp);
        $string = $array[0];
        // if( strpos($string,"200") || strpos($string,"301") || strpos($string,"302") || strpos($string,"403") ) {
        if( strpos($string,"302") ) {
            var_dump($array);
            var_dump($url_inp);
            var_dump($string);
        }
        ?>
  3. Can someone give any suggestion how to check if a Facebook address is valid when sent by form input? I created a function checking the URL address with get_headers at status code 302. This doesn't work when a Facebook username doesn't exist, because it still gives true. How to solve this problem?
  4. The error is like this:

        Warning: get_headers(): SSL operation failed with code 1. OpenSSL Error messages: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name in .....

     It concerns the line with:

        $array = get_headers($url);

     The URL input is: If I change https to http then I don't have any error messages. I would like to find a way to check in advance what kind of URL is put in, to avoid the error messages. Anyone got any idea?
  5. I made a piece of code to check whether a URL page exists. This is a part of the get_headers routine I'm using:

        <?php
        // check with checkdnsrr
        // validate with FILTER_VALIDATE_URL
        ///////////////////////////////////////////////////
        // get_headers part
        $array = get_headers($url);
        var_dump($array);
        $string = $array[0];
        if( strpos($string,"200") || strpos($string,"301") || strpos($string,"302") || strpos($string,"403") ) {
            var_dump($url);
        }
        else {
            echo '<br><br> this site is insecure<br>';
            echo '<br> use http instead of https <br><br>';
        }
        } // closes a block whose opening is in the part of the script not shown
        ?>

     The problem is that some websites configure their server either http or https but this does not mean that there is page content. What can be used to determine if there is an index.php or an index.html or any alternative index page used? The things I'm considering are: file_exists, file_get_contents or glob(). On the other hand, var_dump($array) gives in several cases the parameter: Content Type. The value is txt/html . Can this be used to see if there is a page? What would you recommend and can you give an example how this is used?
  6. I decided to go for routine 1 and luckily the errors are gone, but the script does not give a result yet. I commented the addEventListener line and then placed onSubmit in the form tag.

        <!DOCTYPE html>
        <html>
        <body bgcolor="grey">
        <center>
        <br><br><br>
        <div style="height: 200px; width: 600px; border: solid 2px blue;">
        <form id="my_form" action="" method="post" onsubmit="submitForm(event)">
        Give your name: <input type="text" name="fname">
        <br>
        <input type="submit" value="Send" >
        <!--<button type="button" onclick="submitForm(e)">send it</button>-->
        </form>
        </div>
        </body>
        <script>
        // Add a submit event handler to the form
        var form = document.getElementById("my_form");
        // form.addEventListener("submit", submitForm, false); // error
        function submitForm(e) {
            // Cancel form submission
            e.preventDefault(); //

            // Build a query string from the form data
            var form = e.currentTarget;
            var query = "", element;
            for(var i = 0; i < form.elements.length; i++ ) { // error
                element = form.elements[i];
                if(element.name) {
                    query += encodeURIComponent(element.name) + "=" + encodeURIComponent(element.value);
                    query += "&";
                }
            }

            // Send a request
            var request = new XMLHttpRequest();
            request.onreadystatechange = doSomething;
            request.open("POST", "prophp.php", true);
            request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            request.send(query); // Form data is here

            // Handle response here however you want to
            function doSomething() {
                if(request.readyState == 4) {
                    if(request.status == 200) {
                        // Success
                        //
                        //
                    } else {
                        // Error
                        //
                        //
                    }
                }
            }
        }
        </script>
        </html>

     I use a php script to process the form data, both echo as well as the dump is not done; it's like this:

        <?php
        echo '<br>test code here : ';
        if (isset($_POST['fname'])) {
            var_dump($_POST['fname']);
            // execute mysql queries
        }
        ?>

     I do not understand completely what is meant with what the target id element is (is that form?), I put the form part above the javascript part.
     What I would actually want is an extra div or p element to show the result.
  7. This is the script right now:

        <!DOCTYPE html>
        <html>
        <head>
        <script>
        // Add a submit event handler to the form
        var form = document.getElementById("my_form");
        form.addEventListener("submit", submitForm, false); // error
        function submitForm(e) {
            // Cancel form submission
            e.preventDefault(); //

            // Build a query string from the form data
            var form = e.currentTarget;
            var query = "", element;
            for(var i = 0; i < form.elements.length; i++ ) { // error
                element = form.elements[i];
                if(element.name) {
                    query += encodeURIComponent(element.name) + "=" + encodeURIComponent(element.value);
                    query += "&";
                }
            }

            // Send a request
            var request = new XMLHttpRequest();
            request.onreadystatechange = doSomething;
            request.open("POST", "prophp.php", true);
            request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            request.send(query); // Form data is here

            // Handle response here however you want to
            function doSomething() {
                if(request.readyState == 4) {
                    if(request.status == 200) {
                        // Success
                        //
                        //
                    } else {
                        // Error
                        //
                        //
                    }
                }
            }
        }
        </script>
        </head>
        <body bgcolor="grey">
        <center>
        <br><br><br>
        <div style="height: 200px; width: 600px; border: solid 2px blue;">
        <form id="my_form" action="" method="post">
        Give your name: <input type="text" name="fname">
        <br>
        <input type="submit" value="Send" onclick="submitForm(event)">
        <!--<button type="button" onclick="submitForm(e)">send it</button>-->
        </form>
        </div>
        </body>

     The errors are at 2 lines:

        form.addEventListener("submit", submitForm, false);

     and

        for(var i = 0; i < form.elements.length; i++ ) {

     as you see I changed e to event in onclick but no result yet.
  8. I changed that, but it throws a new error like this: TypeError: form.elements is undefined it has to do with this line: for(var i = 0; i < form.elements.length; i++ ) {
  9. Ok thanks for clarification Ingolme. I used this form to implement it:

        <!DOCTYPE html>
        <html>
        <body bgcolor="grey">
        <center>
        <br><br><br>
        <div style="height: 200px; width: 600px; border: solid 2px blue;">
        <form id="my_form" action="" method="post">
        Give your name: <input type="text" name="fname">
        <br>
        <input type="submit" value="Send" onclick="submitForm(e);">
        <!--<button type="button" onclick="submitForm(e)">send it</button>-->
        </form>
        </div>

     but the error thrown out is about this piece of code:

        e.preventDefault();

     The error code says: Reference error is not defined. e has to be declared. I tried to change fname into e; but that didn't work. How is this solved?
  10. Thank you for the answer. Like I said I have not much experience with javascript and I have a lot of questions. With a lot I mean A LOT. I counted 10, so be prepared. I still gonna ask them, I hope your explanation clears a lot.
      - Which events have which sequence? (in response to: e.PreventDefault)
      - What is the use of e.CurrentTarget?
      - With which reason is the query variable made?
      - Is EncodeURIComponent a way of sanitizing/validation?
        o Is it (EncodeURIComponent) obliged (strongly recommended) in javascript or is SSL enough in most cases?
      - Which safety aspects should I heed at when making ajax forms?
        o Are these security aspect different from php?
        o With which reason is php sufficient or not?
      - Can you embed a javascript function inside a function?
        o How does html process this?
  11. Hello, I have a question about how to send form data to the database, without reloading the entire page. I discovered working with xmlhttprequest. I managed to show text from another file by implementing a javascript function with xhr into my script. I don’t know much about javascript and don’t understand how a javascript form should be added to an existing function. Finally this should run a php script executing the code to add the form data to the database.

        <!DOCTYPE html>
        <html>
        <body bgcolor="grey">
        <center>
        <br><br><br>
        <div style="height: 200px; width: 600px; border: solid 2px blue;">
        <div id="kn_ze">
        <form id="my_form" action="">
        Give your name: <input type="text" name="fname">
        <br>
        <input type="submit" value="Send" onclick="loadXMLDoc();">
        <!-- <button type="button" onclick="loadXMLDoc()">send it</button> -->
        </form>
        </div>
        </div>
        <script>
        function loadXMLDoc() {
            /* document.getElementById("my_form").submit();*/
            var xhttp = new XMLHttpRequest();
            xhttp.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
                    document.getElementById("kn_ze").innerHTML = this.responseText;
                }
            };
            xhttp.open("GET", "prophp.php", true);
            xhttp.send();
        }
        </script>
        </body>
        </html>

      test script to process the form data prophp.php :

        <?php
        echo '<br>test code here : ';
        if (isset($_POST['fname'])) {
            var_dump($_POST['fname']);
            // execute mysql queries
        }
        ?>

      11) How are the form data placed in the existing function? (or should I create a second one? ) Maybe someone can help me out solving it.
  12. This I hear from the beginning I started php programming 2 years ago. But this is a recommendation. A strong recommendation I presume, but does this say that everyone just follows these rules, or, that, it is not possible? The answer is no. Would you, therefore, not use mysqli and sanitize and validate all input in a proper way? I'm curious what your opinion is about that!
  13. Hi can someone explain how to create a mysql database in php using OOP prepared statements. I know how to do it with mysqli but I want to know if it can be done with placeholders and oop. a good and clear tut about is okay, but please provide a clear tut about using placeholders and prepared regarding CREATING a new database.
  14. 1) I have login scripts working in combination with database table and verify_password
      2) the login scripts are RE-USED for another site
      3) In the test phase I use the SAME database table values and copy these in phpmyadmin to a new table

      Is it possible there is some kind of copy security or whatever in the encrypted original table values? I presume this because there is no password_verify match. It could be I'm overlooking something, but the password_verify($form_pw, $database_pw) procedure does not need encryption BEFORE $form_pw is read? The only conclusion then is: the value in the newly copied table is not the same as in the original table. (Of course I can also reinstall the registration scripts to test it, but I would like to rule out other causes.)

      EDIT: solved. silly me using the wrong password
  15. Sorry people here I have asked this before, so it's a bit embarrassing to me. But .... I have the following question. It's about using a function inside an if condition. The thing is that when I make a function with 2 returns, in this case $data and $alternative, I receive them both back. I ask this for grasping how a function acts inside an if condition. So my question is: how does the php engine ‘reason’? Is the outcome of the return ONLY POSSIBLE if you return 1 value inside an if condition; so either true or false? Example:

        <?php
        function valid_someting($data){
            global $alternative;
            $count='';
            $count = strlen($data);
            if ( ($count < 8 && ($count > 4) ) ) {
                $data = preg_replace('/[^a-zA-Z0-9!@#$%^&*()\-_=+{};:,<.>]/', '', $data );
                // $data = ltrim($data);
                $data = rtrim($data);
                return $data;
            }
            $alternative = $data;
            return $alternative;
        }

        $data = 'abcdabcdabcd';
        if (valid_someting($data)) {
            echo 'color input field green';
        }
        else if ($alternative == TRUE) {
            echo 'color input field RED';
        }
        ?>
  16. oh wait. I figure out that the length of the hashed value is always 60 when you use password_bcrypt. I thought it would be doubling or exponential growing, but it is a fixed outcome, whether you choose a 5 letter password or a 160 chars long. this solves the database storage problem for setting the size of the column.
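Added example, not code from the thread: a check of what password_hash() with bcrypt stores for passwords of different lengths and with the special characters asked about below, plus bcrypt's 72-byte input limit. Cost 11 comes from the thread; the sample passwords are constructed.

```php
<?php
// Added example (not from the thread): what password_hash() with bcrypt
// stores, and the 72-byte input limit. Cost 11 is the value from the thread.
$options = ['cost' => 11];

// Constructed sample passwords: 5 characters, 160 characters, and one
// using the special characters asked about in the thread (< > . ; $ &).
$samples = ['abcde', str_repeat('x', 160), 'p<a>s.s;w$o&rd'];

foreach ($samples as $pw) {
    $hash = password_hash($pw, PASSWORD_BCRYPT, $options);
    // The stored value is "$2y$11$" followed by 53 characters drawn from
    // ./A-Za-z0-9, whatever characters the password itself contained.
    $shape_ok = preg_match('#^\$2y\$11\$[./A-Za-z0-9]{53}$#', $hash) === 1;
    printf(
        "input %3d bytes -> hash %d chars, hash alphabet only: %s, verifies: %s\n",
        strlen($pw),
        strlen($hash),
        var_export($shape_ok, true),
        var_export(password_verify($pw, $hash), true)
    );
}

// bcrypt reads at most 72 bytes of input: two passwords that share their
// first 72 bytes and differ only after that are checked against one hash.
$first  = str_repeat('x', 72) . '-first-tail';
$second = str_repeat('x', 72) . '-other-tail';
$hash   = password_hash($first, PASSWORD_BCRYPT, $options);
printf(
    "password differing only after byte 72 verifies: %s\n",
    var_export(password_verify($second, $hash), true)
);
```

The PHP manual recommends a column wider than 60 characters (255 is its suggestion) when PASSWORD_DEFAULT is used, because the default algorithm can change in later PHP versions.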
  17. Oh sorry I didn't mention I used bcrypt. If bcrypt only hashes that's okay. Reading more at OWASP I discovered that the max password length they recommend is 160 chars. Is there a way to calculate the size of the string stored after hashing it with bcrypt // password_hash // cost 11 ?
  18. I have a security question. Though I have gone through OWASP docs I still need to place specific things in the right perspective. It is actually quite brief regarding examples. But regarding security, I have to admit that I don't know much about how hackers are operating. What I know is that javascript can be included and mysql injection can be done if you don't escape well. I have a piece of regex to allow as much characters as possible for password input. So also the <> the dot . and the semi-colon ; and the string. After forcing the user to use the right characters the password is encrypted with blowfish. I'm actually not sure what happens, because if you encrypt malicious code, you can finally make it work again when you decrypt it. Probably it's naive to ask online for hacking examples, because then you inform hackers. Maybe if you can't make up any risky situation, you can give a recommendation for which characters should be avoided for a password input. All input is encrypted with password_verify / Blowfish. Then prepared OOP queries store the variable in the database.

      regex:

        $var='/[!@#$%^&*()\-_=+{};:,<.>]/';

      then the preg_replace does:

        if(preg_match_all($var,$pas_inp, $o)<2) {
            echo '<br><br>input should contain at least 2 special chars , try again';
            return FALSE;
        }

      How risky (in which possible situations) is the use of: < > . ; $ & regarding javascript, mysql injection and other possible hacks? (Sorry it is a very open question, but to avoid problems I have to start somewhere.)
  19. I guess I solved this by using amongst others str_replace for the unwished input and I found a regex online that replaced all except the % $url = preg_replace("/([^a-zA-Z0-9+&@#?=~_|!:,.;]+)/","",$url);
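Added example, not code from the thread: the character range from the question in item 20 turned into a negated class, once used to strip characters and once used to reject the input and then check it with FILTER_VALIDATE_URL and a scheme allowlist. The function names `strip_disallowed` and `validate_url`, the http/https restriction and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: allowlist handling of a URL form field.

// Punctuation from the range in item 20; preg_quote() escapes what is
// special in a pattern, including the "/" delimiter.
$punct      = preg_quote('+&@#/%?=~_|!:,.;()', '/');
$disallowed = '/[^A-Za-z0-9' . $punct . ']+/';

// Variant 1: strip everything outside the allowlist (what the thread asks for).
function strip_disallowed(string $input, string $pattern): string
{
    return (string) preg_replace($pattern, '', trim($input));
}

// Variant 2: reject instead of rewriting, then check structure and scheme.
function validate_url(string $input, string $pattern): ?string
{
    $url = trim($input);
    if ($url === '' || preg_match($pattern, $url)) {
        return null; // empty, or contains a character outside the allowlist
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null; // not a well-formed URL
    }
    // Assumption: only http and https links are wanted in this field.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed sample inputs. The range from item 20 has no "-", so the
// last host is changed by stripping and refused by validation.
$samples = [
    'https://www.example.com/page?id=1&x=2',
    'http://example.com/<script>alert(1)</script>',
    'javascript:alert(1)',
    'https://my-site.example/',
];

foreach ($samples as $s) {
    printf(
        "%-46s strip: %-42s validate: %s\n",
        $s,
        strip_disallowed($s, $disallowed),
        var_export(validate_url($s, $disallowed), true)
    );
}
```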
  20. Hi all, I have a problem for sanitizing / validating a web address input. My personal favor is doing it with regex. I made a simple example with preg_replace:

        <?php
        if (!empty($_POST['wbddrss']) ) {
            $wbddrss = $_POST['wbddrss'];
            $wbddrss = trim($wbddrss);
            var_dump($wbddrss);
            $validate = preg_replace('/<>/' , '', $wbddrss);
            var_dump($validate);
        }
        ?>

      But I would like to replace all chars that do not meet what is allowed. I guess the best solution would be to replace everything with a caret to negate. But it seems I can't find the right delimiters. This is the range of characters I would like to allow:

        A-Za-z0-9+&@#/%?=~_|!:,.;\(\)

      How is this done in a preg_replace function?
  21. Sorry, I have not been able to solve it already. I got results and the output was that related to 3 different fields in table one; the record in table 2 was printed 3 times. When I added a record to table 2 this one was also 3 times printed so I basically got six results. Is it possible anyway to have 1 column like a unique number (unique_nr) in both tables and then as a result have f.i. multiple records for table 1 and only 1 for table 2? And is JOIN the right query or should I use something different? Or (as I'm getting a bit impatient) should I just select the unique number first in table 2 and then use a second separate query to find the record values of table 1?
  22. Is it necessary to open the 2 different databases or not? How is this done in 1) phpmyadmin, 2) mysql console, 3) php script? with select database() in the console only 1 database is shown.
  23. I get an error message (error message 1054) : unknown column w.title in field list. What should I do to open 2 databases? I work now in the mysql console, but I'm not sure whether it is possible or not.
  24. It's not clear what is meant with the w and the c. Are these the tables? And what is client then in database1.client or writers in database2.writers? Is that also a table?