Jump to content

Mudsaf

Members
  • Posts

    462
  • Joined

  • Last visited

  • Days Won

    1

Posts posted by Mudsaf

  1. Hey, was wondering what might have caused issue with my script to break. Basically I have "Search" function that uses jQuery .get to access website, but somehow when text is entered on chatbox it causes 500 error?

    This only happens on remote server and not local, could it be some sort of security block?

    Example (Error) https://mudsaf.com/script/php/search.php?search=asd

    Example (No error)  https://mudsaf.com/script/php/search.php?search=12

    ---------------

    Probably know the solution, why I always figure it out when I have posted here..

  2. It's somewhat easy to patch up, but you need to know what to do (how php and sql works). I'd suggest you to learn about check out these links if you want to have more secure system against SQL injections.

    https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection

    and

    https://www.w3schools.com/php/php_mysql_prepared_statements.asp

    ---

    On 11/22/2019 at 2:27 AM, Html said:

    $sql = "INSERT INTO images (image, image_text) VALUES ('$image', '$image_text')";

    I'd also recommend to sanitize or escape the image name too from $image.

  3. 11 hours ago, Html said:

    CREATE TABLE IF NOT EXISTS images (
    user_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
    image VARCHAR(100) NOT NULL,
    image_text text NOT NULL,
    reg_date DATETIME NOT NULL,
    PRIMARY KEY (user_id)
    );

    You don't want to use Auto increment in user_id on images table (as mentioned above), instead just get the value from $_SESSION. You are also setting it as Primary key, which means you can't have multiple images linked to one person. (However if you do, just use unique and create id column for images table with Auto_increment+Primary key.

  4. 53 minutes ago, Html said:

    <?php
       while ($row msql_fetch_array($resultMSQL_ASSOC)) {
        echo 
    $row['id'] . ': ' $row['image']  : $row['image_text'] . "\n";

          echo "<div id='img_div'>";
              echo "<img src='images/".$row['image']."' >";
               echo "<p>".$row['image_text']."</p>";
           echo "</div>";
        }
      ?>

    This seems fine, but has errors in it. Check the first echo after row image, missing dot and single quote or delete the line. As you asked the first echo is not required, was probably used to show you the results.

  5. mysqli_query($conn, "UPDATE users set password='" . $_POST["newPassword"] . "' WHERE userId='" . $_SESSION["userId"] . "'");

    Honestly, I would recommend against this method, since its vulnerable to SQL injection. At least mysqli_escape the post method and consider hashing the passwords instead of storing them as plain text. This is so minor update that matters lot.

    Mysqli_real_escape_stringhttps://www.php.net/manual/en/mysqli.real-escape-string.php prevents from sql injection (not required with prepared statements, but yours isn't one).

  6. 53 minutes ago, Html said:

    Right okay, that has worked, so the example of having an image uploaded, does this mean that it goes within the main folder of the files?

    Thank you.

    You can store wherever you want as long as you know the path you store them. If you want to store outside of www directory then you need to use php readfile() and store mime_types, but that gets bit more complex.

  7. 18 hours ago, Html said:

    MySQL said: Documentation

    #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(item_id)
     )' at line 4

    Check the item_id where you are getting the error. You are trying to create it as primary key, but you only have column called id. As justsomeguy told you have to pay attention to details.

     

    18 hours ago, Html said:

    CREATE TABLE IF NOT EXISTS images (
    id INT UNSIGNED NOT NULL AUTO_INCREMENT,
    img VARCHAR(20) NOT NULL
    PRIMARY KEY (item_id)
    );
    INSERT INTO images
    (img)
    VALUES
    ("images")

    Check the underlined areas, also you are missing a comma before primary key. Below working example.

    CREATE TABLE IF NOT EXISTS images (
    id INT UNSIGNED NOT NULL AUTO_INCREMENT,
    img VARCHAR(20) NOT NULL,
    PRIMARY KEY (id)
    );
    
    INSERT INTO images (img) VALUES ("testx");

     

  8. 22 minutes ago, Html said:
    VALUES ( "Rhino", "A friendly jungle buddy.", "images/rhino.png",29.99 );
     

    What you are trying to do isn't going to work with the table you just created. You need to make 3 more columns to your database table to be able to fill the rest of information in your query.

    Example scenario account information

    id int auto_increment primary key | username varchar(50) | password varchar(128) | email (varchar150) unique

    So lets pretend that the table we created with the "create table" query. So we wound have to do insert query like below.

    insert into accounts (username,password,email) values (value1,value2,value3)

     

  9. Just now, Html said:

    Why imageurl? I got the idea from the /images/file.png table of the cart.

      

    Hmm, I haven't tried it, but I was thinking I doubt this would work right off what I just thought up. The cart.php file gave me the thought.

    It was just example text that you could insert to the database. (Whatever you want to insert into img column, usually the filepath+name as you mentioned)

  10. After move_uploaded_file just do simple sql query that adds the information to database. You already have all the available information ready. If you only have 2 columns on database, you only need the image name stored, since id is auto_integer primary key (so its auto generated).

    What kind of issues are you having with your code?

    More about file upload: https://www.w3schools.com/php/php_file_upload.asp
    More about sql insert: https://www.w3schools.com/php/php_mysql_insert.asp

     

     

  11. On 8/19/2019 at 8:57 PM, justsomeguy said:

    I would use ord or mb_ord to loop through the characters in the string and print the value of each byte to see what's actually there.

    https://www.php.net/manual/en/function.ord.php

    https://www.php.net/manual/en/function.mb-ord.php

    The unicode block symbol returned value of 194 via ord() function, got any idea what might be the cause to create that unicode block?

    result5.PNG.70509b379bf449f6caaa4731ba09c7a5.PNG

    Source code of tester below, string too.

     

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <style>
    #kool { width:800px; border:groove; margin:0 auto; padding:25px; }
    .mid { margin:0 auto; max-width:800px; text-align:centeR; margin-top:10px; }
    #preg_input { width:300px; }
    </style>
    </head>
    <body>
    <?php
    /* Test preg_replace function */
    
    // #%&()=@£\$€\[\]_\-,.:?
    $basic = "A-Za-Z0-9";
    $preg_pattern = "/[^A-Za-z0-9!\"#%£&()=@\s]/";
    $func_preg_replace = preg_replace($preg_pattern,"",$_GET['preg']);
    if (isset($_GET['preg'])) {
    echo "<div id='kool'>";
    echo "<b>Original string: </b> " . $_GET['preg'];
    echo "<hr>";
    echo "<b>Preg pattern: </b> " . $preg_pattern;
    echo "<hr>";
    echo "<b>Result: </b> " . $func_preg_replace;
    echo "<hr>";
    echo "<b>Rawurl: </b> " . rawurlencode($_GET['preg']);
    echo "<hr>";
    echo "<b>Ord: </b> ";
    	for ($i=0;$i<strlen($func_preg_replace);$i++) {
    	echo $func_preg_replace[$i] . "(" . ord($func_preg_replace[$i]) .  ") ";	
    	}
    echo "</div>";
    }
    
    ?>
    <div class="mid">
    <form method="get" action="preg_test.php">
    <input type="text" id="preg_input" name="preg" <?php if (isset($_GET['preg'])) { echo " value='" . $_GET['preg'] . "'"; }  ?>> <input type="submit">
    </form>
    </div>
    </body>
    </html>

    And the string without

    What is love 0-9, Specialcharacters: !"#¤%&/()=?

    Does it reproduce for you guys?

    ----

    Also tried to UTF-8 encode string via php, the preg_replace string, 2 new unicode blocks appeared with �(195) �(130).

    $func_preg_replace = utf8_encode ($func_preg_replace);

     

  12. Apparently my browser forces ¤ to be at url, even though i replace it with %C2%A4 (if this was what you meant). Rest of the stuff is encoded properly (chrome). But on edge it is encoded.

    result4.thumb.PNG.d60fbabbfe5caddcaa3dacb1cc4233cd.PNG

    (Image from Edge browser)

    Also  tried urldecode the GET parameter.

  13. So i'm not still really familiar with regex and how does it work, but i have issue with my code. I have ¤ in my text and it gets replace with unicode ? block. https://en.wikipedia.org/wiki/Specials_(Unicode_block) for me and I don't get why.

    Here is the code I'm using.

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <style>
    #kool { width:800px; border:groove; margin:0 auto; padding:25px; }
    </style>
    </head>
    <body>
    <?php
    /* Test preg_replace function */
    $preg_pattern = "/[^A-Za-z0-9!\"#%£&()=@\s]/";
    
    if (isset($_GET['preg'])) {
    echo "<div id='kool'>";
    echo "<b>Original string: </b> " . $_GET['preg'];
    echo "<hr>";
    echo "<b>Preg pattern: </b> " . $preg_pattern;
    echo "<hr>";
    echo "<b>Result: </b> " . preg_replace($preg_pattern,"",$_GET['preg']);
    echo "</div>";
    }
    
    ?>
    <form method="get" action="preg_test.php">
    <input type="text" name="preg" <?php if (isset($_GET['preg'])) { echo " value='" . $_GET['preg'] . "'"; }  ?>> <input type="submit">
    </form>
    </body>
    </html>

    And here is the string I'm trying to use.

    Test 0-9, Specialcharacters: !"#¤%&/()=?

    Result image below

    result.thumb.PNG.29437c96300a4d2bb92a51bfdb495ebe.PNG

    Any guides / help appreciated.

  14. I guess i'll remake the code one by one to see where it fails (if it fails again).  (Checked source code without output, is this the reason? 🤔)

     

    class DbCon {
    	protected $con;
    	private $db_host = ""; //Database host
    	private $db_user = ""; //Database username
    	private $db_pass = ""; //Database user password
    	private $db_name = ""; //Database name
    	
    	public function connect() {
    	$this->con = new mysqli($this->db_host, $this->db_user, $this->db_pass, $this->db_name);
    		if ($this->con->connect_error) {
    		//die("Connection error, please try again later.");
    		} else {
    		return $this->con;
    		}
    	}
    }

    This seems to jam it, but don't know why? Even when i require_once it without running it via function call. OR something to do with require inside class.

    Day 17, i still cant seem to find the cure for this error, i'll continue tomorrow.

  15. Still the same issue

    if (isset($_GET['image']) && is_numeric($_GET['image'])){
    $iload = new LoadImage;
    $arr = $iload->fetchIByID($_GET['image']);
    	if (!empty($arr[0]) && !empty($arr[1])) {
    	echo $arr[0]  . " | " . $arr[1];
    	//header('Content-Type:'.$arr[1]);
    	//header('Content-Length: ' . filesize($arr[0]));
    	//readfile($arr[0]);
    	}
    }
    
    class blablabla {
    //header stuff replaced with below
    return array($this->GFilePath.$iurl, $im_type);
    }

     

×
×
  • Create New...