Err

Posts posted by Err

  1. If the database is compromised, then they probably already have access to sensitive information they were trying to access. Same thing with the web server, if someone gets access they can get to your include file. If you want to save salts in an include file you can use arrays.

  2. Your second example needs to follow the same date format. So try this:

    $startDate = $monday->format('d-m-Y');
    $endDate = $sunday->format('d-m-Y');

    Also, I don't know if you did this by accident but the for loop is missing the closing curly bracket }

  3. I should note right now, there is no consensus on any number of methods used. But generally, for practical purposes, using sha1() and a randomly generated salt or two ensures good security. Obviously it's not the best method you can do, but I find that doing that suits MY needs and level of protection just fine. I can help you with #3 at least. An example:

      $salt = uniqid();
      $pass = sha1($pass.$salt);

    Then save $salt in the database so you can reference it again later.

  4. Yes. Using a database is faster. Because you didn't mention what you have tried I'm going to be general. If you're gonna edit values in the database directly, then all you need to do is set up a database and a table with the columns that you need. A very popular database is MySQL, and a very popular database manager is phpMyAdmin, both are free. You can set up and manage your database with phpMyAdmin if you have it. More than likely your webhost (if you have one) will have phpMyAdmin database manager together with a MySQL database, just look for the link.

  5. Shouldn't I be able to detect messages like that through a .htaccess file and prevent attacks that way? Or would it be too late by the time the messages reach the .htaccess file?

  6. On an Apache server I have, I've been getting what I can only describe as attacks from different IPs. My access logs have this:

    68.91.91.177 - - [25/Apr/2012:17:13:40 -0500] "\xb2\xfdf\x1c/\xbf\x96z\x18\xce\xd8'\r?`\xle;\x0e@D\xed\xdd\x7f\x88\xdaB" 501 299 "-" "-"

    I did a bit of research and found that it may be linked to Shellcode. Shellcode as I've understood in this context is arbitrary code that can be run on the machine to give attackers control over the machine. Am I right about this? How can I prevent such attacks? Or, at the very least, protect against these types of attacks?
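One way to find entries like the one quoted above in an access log, as an added example that is not part of the original post: it flags request fields that are not shaped like `METHOD target HTTP/x.y` and contain the `\xhh` escapes Apache writes for non-printable bytes, then counts them per client. The function names and the sample lines are constructed for illustration.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

// Parse one Apache common/combined log line into fields, or null if it
// does not match. The request field may contain escaped quotes (\").
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\\\]|\\\\.)*)" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'request' => $m[3], 'status' => (int)$m[4]];
}

// A well-formed request line is "METHOD target HTTP/x.y". Apache writes
// non-printable bytes as \xhh escapes, so their presence in a request that
// also fails this shape indicates non-HTTP data sent to the port.
function is_malformed_request(string $request): bool
{
    $wellFormed = preg_match('#^[A-Z]+ \S+ HTTP/\d\.\d$#', $request) === 1;
    $hasEscapes = preg_match('/\\\\x[0-9a-fA-F]{2}/', $request) === 1;
    return !$wellFormed && $hasEscapes;
}

// Count malformed requests per client IP, most frequent first.
function summarize(array $lines): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $e = parse_access_line($line);
        if ($e !== null && is_malformed_request($e['request'])) {
            $byIp[$e['ip']] = ($byIp[$e['ip']] ?? 0) + 1;
        }
    }
    arsort($byIp);
    return $byIp;
}

// Constructed sample log lines (documentation IP ranges).
$sample = <<<'LOG'
192.0.2.10 - - [25/Apr/2012:17:13:40 -0500] "\xb2\xfdf\x1c/\xbf\x96z\x18\xce" 501 299 "-" "-"
198.51.100.7 - - [25/Apr/2012:17:14:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Apr/2012:17:15:11 -0500] "\x16\x03\x01\x00\xa5" 501 299 "-" "-"
LOG;

print_r(summarize(explode("\n", $sample)));
```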

  7. Use arrays:

    $mths = array(1 => 'January', 2 => 'February', 3 => 'March', 4 => 'April', 5 => 'May', 6 => 'June', 7 => 'July', 8 => 'August', 9 => 'September', 10 => 'October', 11 => 'November', 12 => 'December');
    $fromMonth = 5;
    $toMonth = 7;
    // After you set the array, then just add 1 to $fromMonth every time by counting up until it reaches $toMonth,
    // you can do this by using a while loop.
    // While it's counting up, it's referencing the current number in the array which also echos out the month name.
    while ($fromMonth <= $toMonth) {
      echo $mths[$fromMonth]."<br />";
      $fromMonth++;
    }

    The above should work (I didn't test).

  8. What I usually do is:

      • Make sure user cannot put username for a password.
      • mysql_real_escape_string(); for sql injection protection
      • Add a "salt" to password, then use sha1()

    BTW, sha1() is more secure than md5(). So something like this:

    $salt = "Salt makes a hash more secure.";
    if ($username !== $password) {
      $username = mysql_real_escape_string($username);
      $password = sha1($password.$salt);
    }

    I like to go overboard though. I save the hash of both the password and the username. This gives the login function more security as you don't have to worry about sql injection since it turns the username into a safe hash. I don't keep the plain-text username in the database unless I know I need to reference it. Instead I assign the username to the session. So as long as the user is logged in, they will have access to their own username in plain-text through the session.
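For comparison with the salted sha1() scheme in the post above, an added example (not the poster's code) using PHP's built-in `password_hash()` and `password_verify()`, including a login path that upgrades an old salted-SHA-1 row once the user authenticates. The function names, the record layout and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. All names and sample values are constructed.

// Scheme as posted: one pass of SHA-1 over password . salt.
function legacy_hash(string $password, string $salt): string
{
    return sha1($password . $salt);
}

// Built-in alternative: password_hash() generates its own random salt and
// stores it, with the algorithm and cost, inside the returned string.
function register_user(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify a login attempt. Returns [ok, hashToStore]; hashToStore is non-null
// when the stored record should be replaced with a password_hash() value.
function verify_login(string $password, array $record): array
{
    if (isset($record['legacy_sha1'])) {
        // Old row: compare in constant time, then upgrade on success.
        $ok = hash_equals($record['legacy_sha1'], legacy_hash($password, $record['salt']));
        return [$ok, $ok ? register_user($password) : null];
    }
    $ok = password_verify($password, $record['hash']);
    $stale = $ok && password_needs_rehash($record['hash'], PASSWORD_DEFAULT);
    return [$ok, $stale ? register_user($password) : null];
}

// Constructed sample data: a row stored under the old scheme.
$salt   = uniqid();
$oldRow = ['legacy_sha1' => legacy_hash('correct horse', $salt), 'salt' => $salt];

// First login after migration succeeds and yields an upgraded hash.
[$ok, $upgraded] = verify_login('correct horse', $oldRow);
var_dump($ok);

// Later logins check against the upgraded row only.
$newRow = ['hash' => $upgraded];
[$ok2] = verify_login('correct horse', $newRow);
[$bad] = verify_login('wrong guess', $newRow);
var_dump($ok2, $bad);
```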

  9. I had written a lot of stuff and I lost it all messing with my browser settings... lesson learned. Basically, I have an application where I can search. The problem is when I search for characters like ¶ ® Ø I get this back: ¶®Ã� I have made sure my encoding on the page is UTF-8, made sure accept-charset="utf-8" is on the form and finally made sure my browser was set to display UTF-8. Where am I going wrong?

  10. Yes. I only want the errors returned if it does not connect. I think the concept they were not getting was that even in IF.. ELSEIF statements code inside of it is executed. Also the fact that you can assign variables inside those statements coupled with the @ suppressor. I call it like this:

    $err = dbConnect('yourhost','user','pass','yourdb');
    if (!$err) {
      // do db stuff
    }
    echo $err;
    // echo other stuff, but if there is an error, it gets echo'd as well.

    Okay, that's all the feedback I needed. Thanks for assisting, everyone.

  11. Yeah, sorry about that, it was my fault for not refreshing a few times. I've been working on my project for so long that I've gotten used to changes showing up immediately. There is nothing else, right now.

  12. I would validate the page: http://validator.w3.org It will tell you any errors you have on that page. It won't validate PHP, only HTML.
