Aeonix 71 Posting Whiz

Ah, yes, you recreate the thing. But problem is, that DIV needs to position itself regardless of height of parents.
.container .Box:first-of-type { height: 250px; }
Shows vulnerability, unfortunately height of first div will be max-height, height, min-height, 50% of document position will break it :(

I need a way to position it, adjusting to size, while it can be done in jQuery, can be done with CSS/HTML?

Aeonix 71 Posting Whiz

Since I English no good. I picture send you.
How do I do?

Just kidding.
How could I put div through another divs perimeter by 20 pixels, 100 pixels or perfectly within them both? I saw that on a website, but they have ultra-spaghetti code with 50 billion wrappers (no kiddin', I scrolled down to notice that it has 11 different layers). I could use jQuery and take height of first, subtract half of own height and position absolute that. But, isn't there a better way? Less wonky, more compatible?

Someone's got a link or example?

http://oi65.tinypic.com/28vg3k2.jpg

Because I know how you all love aliasing and Microsoft Paint.

Aeonix 71 Posting Whiz

Are you referring to a Node.js application?

Yea.

(If so what is the point of 4?)

I don't know how it's not a point.

Aeonix 71 Posting Whiz

According to this link. V8 Snapshot of your JavaScript file, makes it somehow more protected.

Notice: This is V8 Snapshot not just V8.

Now I have couple questions, if you're familiar with this technology:

1) Is there a way to obfuscate it more? There are .NET obfuscators, there are C++ obfuscators. I would probably find Python/Perl/Ruby obfuscators if I looked. Is there a way to over-obfuscate a C++ compiled .bin file? Or maybe it's possible to obfuscate it before it actually gets turned into C++ file (using Linux, which is supported)?

2) Is there a way to obfuscate the JavaScript source? Rather stupid question. Given you send the file to the computer and deobfuscating would be stupid. But makes me somehow think, that making spaghetti, out of spaghetti, would take longer to despaghetties. I mean, if I have earphones in my pocket, it's bad, but when I have three, oh boy.

3) Is the JavaScript in the .bin file, there or it has been converted? Is the .bin file, just a virtualization space where it has its JavaScript virtualized and protected? Or, the JavaScript has been interpreted and translated into C++?

4) It is said to have 30% impact on performance. But JavaScript can interpret about 1000 lines of code at once, does it really matter when you load 700 lines per second? I have never written function or method that has ever over 700 lines. I barely think I have ever written HTML document so long. Once …

Aeonix 71 Posting Whiz

you don't have any reason to share code from fiddles here, daniweb has an excellent code / code snippet editor.

Link on Fiddle.NET, allows clicking a link and immediately showing the effect. Posting code on DaniWeb kind of forces people to copy 3 chunks of code from 3 different boxes into 3 different files they manually have to make up, and then manually add links from one another (linking them together).

$(this).children("div").children("span.display_1_title")

Oh, I thought $(this).children("span.display_1_title") stood for this span.display_1_title { }.

Don't use jQuery animate when you don't have any reason to, now we have transition in CSS. Let's see your example with transitions, e.g.:

Are there any performance issues to this? I still feel like doing animate({}). It's there for a reason. If your method (which is absolutely correct and fine, don't mind me) would be better than animate({}) what would be reason to have animate({}) at all? What would be reason for using your method over animate({}) and vice versa?

Also, thanks you told me that jQuery .addClass() is able to animate transition:; in CSS. Didn't know that. Also, YOU CAN STACK CLASSES IN CSS?!?!? Wow! Didn't know that.

Aeonix 71 Posting Whiz

https://jsfiddle.net/fg1mfn2m/2/

I don't understand jQuery. Or any programming language for that matter.

I'm trying to get to resize a child of a div, as soon as said DIV is clicked. Nothing is triggered. Except my nerves. Previous time I asked for help of jQuery, I got the right code (which required few changes), but unfortunately no explanation why my code sucked.

So please, this time when you provide solution, could you tell where I messed up? I won't learn from copy-pasting code, I will improve if I will detect problem by its description. Thanks.

Aeonix 71 Posting Whiz

you wrote that the "bad" user might send [login name=#USERNAME#,pwd=#PASSWORD#], how would he know the password?

Assuming. He/she created 20 accounts of which passwords he/she owns. He/she created 20 accounts, so system can be abused and spammed.

Are we talking about the fear of a brute force attack?

Least of my worries. I could just make server block attempts for 15 seconds.

You keep the "bad" user IP, don't you?

It's not like banning 35 malicious IPs would resolve the issue, since there's still 1000 roaming and there's a thing called proxy.

I am just asking that because I didn't understand it from your question.

Wow. My English must really be bad, you're #6 that doesn't understand what I'm asking, dayum. The worst part of it is, I don't know what is not to be understood (not blaming you or anything).

The entire question resolves to:
How can I detect automated access to my servers through unwanted program?

Aeonix 71 Posting Whiz

Your code does work and it does provide the solution.
Unfortunately I still don't understand what the problem was about.

Aeonix 71 Posting Whiz

Since I totally F'd up entire topic. Over here, where nobody has ever known what I meant, until I realized that I said a lot of things that didn't make sense at all, nor I could make up any reasonable statements from smart people out there. By suggestion of said discussion's member. Here I start clean topic, where I'll check 50 times, that what I ask, actually makes damn bit of sense.

What is the server about. Me. The First Party

Let's start with me, 1st party (don't know if that's how it works). Anyways, it's stripped down kernel. There's one application listening to port 69. It receives the HTTPS/1.1, then sends an HTTP/1.1 answer. For example, user who is logging in, he/she sends (imaginary example)
[name="OnlyAlphaNumeric123",pwd="((hashed))"]
It checks into database, on failure:
[result="failure"]
On success:
[result="success",icon="BASE64-BLOB",money="9001",team="Kappa"]

And all works perfectly. Program is designed to send queries through HTTPS, server receives, interprets, finds, provides answer. So far so good. Right?

Typical expected usage. Good user. 2nd Party

Josh decides to download the software. He installs it, has no malicious intents, wants to use program as it was designed. He logs in and starts seeking for "Recommended Allies" or something. He adds people, starts chatting, plays a game and is gone, by this time, since logging in and logging out (after he's done), he's sent these absolutely legal and meant queries to the server:

[login name="Ronald",pwd="whatarethoooose"]
[recfrnds amount="10"]
[addFriend name="Dawg"]
[sendmsg name="Dawg" msg="Hi there!"]
[addFriend name="Fiona"]
[sendmsg …
Aeonix 71 Posting Whiz

But... everybody is still talking about middleman attacks :D

Yes, your topic is "Verify if data sent by servers? How do bigger companies do that?" so we get to dive into a lot of the MITM. Later you clarify the messages are not coming from servers and we are now in the weeds as you now have a new topic. I like what ryantroop wrote but you need to be clearer next time. You lead with data sent by servers and changed that to something else.

Yes, I know, my bad.

Likely because his personal private key did not match the key on the server, and the server did not originally care to authenticate. With a patch, they suddenly care, and then were able to block users due to malformed or incorrectly encrypted data.

Can't the rearsniffer obtain that private key from his operating system? And change accordingly to DO match the changed private key? Doesn't that "de-resolve" it?

Since there are public and private keys on all three computers

But, there are 2 computers. Server and user.

and we are talking about encryption which by its nature protects data in some state or another from tampering

Yes. But owning local private key, and public key, doesn't that allow de/encrypt the message? And reforge the hash for verification?

The user has both private and public key on their computer the moment we did Handshake. They can easily manipulate the data.

I give …

Aeonix 71 Posting Whiz

I can't stop laughing.

Why does everybody focus on "Middleman Attack" and protection of sent data? That's not what I'm asking xD
Did I really mistype the post and title and everything else, so badly, nobody seems to find out what I'm meaning to ask?

Okay, forget everything you have as assumption about my problem.

I have a server, which receives requests and sends responses. It's type of a program. It will get order, for example [send="Aeonix",content="Hi!"], the server will then send content of this message to, well, my program, and program will notify me about it, as programmed. Clicks within the program links (like buying premium or something), uploading configuration files (some preferences online). Are all sent back and forth. It's all great and all good.

Now, there's that rearsniffer, he's a programmer, he takes the private key from his computer, manually decrypts server's message. Learns how queries are built (their logic). He finds out, that he could manually resend the query, change the date, change the content and tries [name="RogueTestingAccount1",content="Hey, visit this virus.com!"]. And suddenly it works! He decides to exploit the system, with recommended friends, instead of actually clicking for links, he creates a program, logs in, receives the list from server and instead of [addFriend="NameOfSuggestedFriend"], he uses program to add them all automatically by parsing the list.

I want to prevent such automated use. How can this be done?
How do I know? Example that I used in first post:

I was playing …

Aeonix 71 Posting Whiz

then you are well and truly pwned and all your secrets are theirs. If not, then you are safe and your communications are secure.
So. I'm pwned either way. The user does have the key.

Aeonix 71 Posting Whiz

Stick with HTTPS.

But...

Couldn't owner of the computer just take the private/public key, decrypt the message, analyze it, then create program which would send same queries (to the server)?

How would server verify that the content hasn't been modified? If I have the content and en/decryption key, I could forge new hash, couldn't I?

If I stick with HTTPS, couldn't... can't I write? Couldn't owner of the computer, manually decrypt the message, find out how it looks, and recreate it and then automate queries by program?

I know that HTTPS protects me from middle man attacks (which I do understand), but I'm worried about computer owner himself/herself. I don't want one guy to create program that would send queries back and forth with my server. Sending everybody copy of "Hi, visit this link (link)" to 128 people in contacts list, with just single button.

Aeonix 71 Posting Whiz

I still don't understand.

Couldn't owner of the computer just take the private/public key, decrypt the message, analyze it, then create program which would send same queries (to the server)?

That's what I'm trying to prevent, and apparently there are such companies, that can do it. Just I don't know how.

If I write
{"message"=>"Hi!"}
and they decrypt it and replace with
{"message"=>"Here's a virus for ya http://googol.ex.fr"}

I want to prevent people from using automated programs to execute tasks (commands) on the server. Of course I could analyze packets of data, but it's not like programs can't mimic it.
{"message"=>"Here's a virus for ya http://googol.ex.fr"}
How do I verify on that, that program hasn't sent it, but user? Companies do it, I need to know how >:C

It seems you're concentrating on safety of the content. Once again, I'm assuming that content is HEALTHY. First, I need to detect that sent request is legitimate and not automated (this is the point of the topic), then I can bother with protection.

Aeonix 71 Posting Whiz

Still awaiting some more explanation.
Anyone? :)

Aeonix 71 Posting Whiz

https://jsfiddle.net/cr72vqhb/1/

Follow 2 scenarios.

First Scenario:
Click on client-side, get message, menu slides out.
Click on server-side, get message, first menu hides, second slides out.
Perfect, right?

Hard refresh the Fiddle

Second Scenario:
Click on server-side, nothing. Absolutely nothing. It's as if I mistyped the selector.

Why is this happening? server-side can be only triggered once client-side has been triggered.

Aeonix 71 Posting Whiz

You see, when you use ssh, or ssl, or some form of encryption you not only verify that no-one has modified the transmission in transit,

Whoa whoa whoa! Doesn't Windows, Linux, MacOS, Android and every single operating system with internet connection, save these "passwords" somewhere which can easily be extracted and used in decryption? How would server verify that the content hasn't been modified? If I have the content and en/decryption key, I could forge new hash, couldn't I?

Don't jump to the conclusion that the user is automatically the bad guy,

...I mean no disrespect. But this is most unhealthy set-up for a programmer in my opinion. There are bad guys out there, and you should always be protected for the worst. I know that majority isn't malicious, but there's still that 1%, and I'm not going to risk not parsing data because majority isn't malicious.

There are also tools which can alert you to exactly what is being transmitted to your servers, network sniffers come to mind, but you have to learn all the tricks/filters associated with your specific protocol. Make sure you have permission to run one on your network. Firewalls are good to have, and many can log suspicious activity on your network.

Sir, you're wandering off track, I'm not asking how to protect my server against malicious string, but how could I verify if string has been sent by MY program, and not reforged. I'm assuming that the string …

Aeonix 71 Posting Whiz

If you're willing to continue learning PHP.
I'm not master in it, and I don't live up to heels of PHP giants over here.
But I've done some coding here and there and understand all basic, and majority of medior principles of PHP and programming overall.

So, if you're still dedicated to learning PHP, hit me up on Private Messaging, where I could explain everything to you.

Aeonix 71 Posting Whiz

HTTPS / ssh encrypt the data stream.

Is this what you're talking about?: https://help.github.com/articles/using-ssh-over-the-https-port/
Or at least something alike? Also, does SSH over HTTPS make it somehow less interceptable? Than with pure HTTPS?
Does SSH over HTTPS work well with UDP connections? So far it seems it is 2-way encryption, wouldn't add that pretty big delay to the packet arrival? Or is there "keep-alive" connection?

I have read this https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process link about SSH (I don't know if it's correct). Isn't it how HTTPS itself works?

Aeonix 71 Posting Whiz

As soon as I find out exact manner of communication between the server and the software. I realized how easy it is to use programs to intercept it, analyze it and then send malicious (or rather illegal) query through.

So. I was wondering is there a way to make sure that the query is sent by a legal program that was meant to send these queries and not a fakey.

I know it sounds obscene, these days everything can be corrupted, broken, taken apart. And interception of connection (HTTP(S) queries in this case) is everyday-bread for even the most empty-headed scriptkiddies.

But how do great companies detect/block such a thing? I was playing an online video game, it's quite popular and out there. On some day, a programmer released his very own version of the launcher (with buttons, shop, and ways to enter a game (which still would open the original "battle arena .exe")). Owners of game didn't like it. And even though program sent exactly same query as the original launcher, still, majority of users of this "new launcher" got banned for 3rd party software (as it was forbidden in ToU).

What could be the way they detected it? I mean, of course they could've updated their client to send additional token with HTTP(S) which the newly-forged program wouldn't send, and then ban everybody who didn't send that token (honey token).

But even then, the developer of his own new launcher, could've detected differences in patch version (from 4.2 …

Aeonix 71 Posting Whiz

https://jsfiddle.net/cmvs815c/1/

Is there a way to make "Enter a tag...", red as well?

Aeonix 71 Posting Whiz

Try animation-iteration-count: 1; ?

http://www.w3schools.com/css/css3_animations.asp

Aeonix 71 Posting Whiz

Thank you :)

Aeonix 71 Posting Whiz

If I wrote a program which would Console.WriteLine() a base64 code, like an easter egg ("a hidden secret" in gaming jargon) or something, for example

string EasterEgg = "dGhlYmlnc2VjcmV0";
Console.WriteLine(b64d(EasterEgg));

And I would let a good obfuscator run through it. Now I know that crackers with enough time and knowledge can reverse engineer a program. From its almost humanly-unreadable form. And change the Easter Egg or remove it. Meaning they can change value by editing the binary sequence behind it, remove it by leaving a null. But can they read the original value? When a program is compiled and obfuscated. It's obviously not easteregg = "dGhlYmlnc2VjcmV0" in the compiled file, it's something like ?@#[null][null]JJJA??? (just throwing random characters). They can replace these unreadable characters, they can delete these unreadable characters, but can they reverse these unreadable characters and read its original value?

For example, they can replace int PremiumBought = ?$%?#$@%$$# with int PremiumBought = 1, but can they actually find out what the value of ?$%?#$@%$$# was? (following the logic, of course it was 0, but that's just an example to give you an idea).

If I compiled and obfuscated string EasterEgg = "Johnson"; into its rogue form. Would someone be able to find out what its actual value was before the process? They can change, they can remove, can they read?

TL;DR

Can crackers reverse engineer the obfuscated and compiled original value of a variable?

And once again (to avoid any unnecessary mean comments about my question …

Aeonix 71 Posting Whiz

Website is exclusively built with .click(), onclick="" and alikes. I'd like to use a plugin that there is out in the world, which would allow me to use custom scrollbar to scroll content of a lengthy <div>. I've tested about 6, of which 1 didn't work (maybe I just can't read), 4 broke it visually (by adding 4 own <div>'s) and there's that one that does work, but produces self-referral link.

Imagine a scroller, heck imagine this website, if you hover over a link, you see link indicator on bottom left or bottom right corner, right? It shows you address it's pointing to. Well, if I went to DaniWeb.com, and used the plugin, hovering over the scroller, will point me to "http://daniweb.com", link changes to cursor: pointer and while clicking does nothing. It still bothers me. Website is rather dark in design and the menu is at the bottom of the page attached as position: fixed. It really destroys "the mood". I would really need plugin not to be able to create a link.

I would need to return no href, each time user would hover over the scrollbar. The script that is attached to the website is minified, so I deminified it here (using websites): http://pastebin.com/zYr2pigz
There are couple href and a mentionings but I don't know what would cause it to produce a virtual link. I tried commenting out the hrefs but some have no (directly visible) effect, and some break script leaving it unusable.

Aeonix 71 Posting Whiz

What happened with the styling of div#four. Anyways...

The entire <nav> creation is in progress.

CSS3 Flexbox was the answer exactly. LOL. 2 lines of code in place of 15.

Aeonix 71 Posting Whiz

<nav>
    <div id="main">
        <div id="one">
            A
        </div>
        <div id="two">
            B
        </div>
        <div id="three">
            C
        </div>
        <div id="four">
            D
        </div>
        <div id="five">
            E
        </div>
    </div>
</nav>

<style>
#main {
    min-height: 175px;
    height: 27.5%;
    width: 100%;
    background-color: #222;
    position: fixed;
        bottom: 0;
        left: 0;
}

#navBackground {
    width: 100%;
}

nav div {
    display: inline-block;
    height: 100%;
    vertical-align: top;
}

div#one {
    width: 20%;
    min-width: 225px;
}

div#two {
    width: 20%;
    min-width: 225px;
}

div#three {
    width: 20%;
    min-width: 150px;
}

div#five {
    background-color: #DDD;
}
</style>

I would like to make div#five fill entire remaining width. This comes from my websites, this is stripped of all unnecessary stylings and elements. Up until the moment where the "problem" remains.

There have been tutorials relying on margins and/or making everything float. But I cannot change my layout now. It's too perfect (*o*). Changing this would force me to change layout of website a lot, even though website is almost done.

Aeonix 71 Posting Whiz

The server will respond back HTTP/1.1 200 OK, that means the page you are trying to request exists. Optionally, the server may send Set-Cookie: .... to tell browser that you need to store the following cookie value into your browser for this domain.

Solution. So it IS sent per request.

Aeonix 71 Posting Whiz

That's an over-simplification, I know, but that's the gist of it AFAIK.

It's over-simplified!?!?!

localStorage is like a mini local DB to be read by the client (js; but not the server), unless that is you send that data purposely, e.g. via Ajax or form or url etc. [...] Cookies on the other hand are meant to be read by the server as they are sent with all HTTP requests from the client to the server.

If cookies are meant to be read by servers, and the localStorage is a mini database that can be read by client (using JavaScript in this case). What happens if I issue document.cookie="username=John Doe; expires=Thu, 18 Dec 2020 12:00:00 UTC"? That string is thus written in my localStorage, how does PHP get to know about it (and its value)?

Cookies on the other hand are meant to be read by the server as they are sent with all HTTP requests from the client to the server

But how do I know, which cookies to serve it, without my browser knowing the PHP code? It can't read the file, it doesn't know that server has echo $_COOKIE["themes"] in their files. And PHP doesn't send "in-between" requests with "hey, pass me "themes" cookie".

JavaScript isn't being parsed. It's more like a manual, nobody cares what's inside, but it's supposed to be attached (according to HTML/PHP). Servers don't read these files. It couldn't possibly gather from it what's the value of …

Aeonix 71 Posting Whiz

localStorage is not the same as cookies

But the quote you pointed out said:

[...] Cookies are a mechanism for storing data in the remote browser and thus tracking or identifying return users. [...]

Isn't "remote browser" part of my "local storage"? Don't I write cookies created by JavaScript into my local temporal storage? If positive, how does PHP access them? If negative, where are they written? Is it a plain variable stuck in browser? string[] cookies = {"", ""}; ?

-----

[...]Cookies are part of the HTTP header[...]

I didn't notice any! Maybe because:

PHP transparently supports HTTP cookies[...]

But then, how it's done? Do I send all the cookies I have for this website, to the PHP per header? It's not like server is saying "send me your username". It needs entire cookie reference to parse at once without interruptions. Wouldn't that create A LOT of security holes? What if I'm malicious user, and I put up 1TB of fake cookies?

Aeonix 71 Posting Whiz

It might be obvious, but I can't seem to understand it. So don't laugh.

Let's assume this scenario. My website has 5 themes, there are 5 buttons. Clicking each button changes theme respectively and uniquely. I use JavaScript to do that, so I set name of theme in a cookie, for example theme=DarkOne and set it to expire over 10 years. My very local storage, saves that variable. Without knowledge of the server.

Visitor of my website decides to change his theme to theme=DarkOne by clicking one of buttons. Then, goes off wondering visiting of the wonderful images and very informative, stuff... meanwhile reloading the address (by going to various sub-pages) about 80 times.

Then decides to scroll down the website, takes glance at the footer and notices You're visiting our website using: DarkOne. Issued by $_COOKIE["theme"] from server-side PHP, my question is. How does the server know what the variable is set as? The JavaScript saved my variable on my personal local storage. PHP has never known my variables or any interaction with cookies.

Does Apache server request list of my cookies? I've been Googling the example HTTP requests, and have visited websites which show requests I send. But none of that appears on the request.

I realize that there's a thing called "cache". But its content doesn't appear in HTTP headers.

Could someone shine some more light on this please?

No code can be provided, this isn't an error, nor malfunction. I'm just wondering how it works. And …

Aeonix 71 Posting Whiz

Before slamming solution into my editor, I'd like to ask you some questions (looking at your modifications). I want to learn it and understand it, instead of braindead-ily copy-paste everything.

[snap! deleted two questions, after some thinking I understood]

Line 56, you said:

By changing line 50 with:
return array_map('trim', $z);
you avoid new lines in the ParseVariables() generated array and let the regular expression match the pattern.

it's stupid, but I can't understand what you mean, could you shine some more light on it? Are there any changes in outcome or something?

Also, I didn't know I could globalize the variables directly in the class! Thanks for informing me.

Edit: Also thanks for solving 3 problems I planned to work on after this one got solved (wow, that sounded really rude).

Aeonix 71 Posting Whiz

Unfortunately I can't. Two reasons for that, here's one (DaniWeb), the second is that the script is dependent on 2 files (if not 3 or 4). Pasting it here would be quite a mess.
The code "box". Doesn't support standard right-click menu.
Kinda sucks I can't upload attachments :|

I gather what you mean, but I can't :(
The only thing I can do is place the file somewhere more permanent. But thus far I haven't found reliable hosting.

Aeonix 71 Posting Whiz

Not so long time ago, I asked you for help with preg_match().
Pritaeas gave me nice answer and Cereal showed me nice webpage where I could try out the latest queries, live. The query provided seems to be working on the website granted, but not on my project. 4 out of 6 "hits" are triggered, even though all 6 are supposed to hit.

I can only modify index.php. I couldn't try anything, because it is supposed to hit. Unless I messed up somehow (obviously I did).
http://s000.tinyupload.com/?file_id=83224890448780662681 (click the name)

May I ask you for help on fixing this bug, by explaining what's causing it?

Notice message at the top, is supposed to be there, I still need to code yet.

Aeonix 71 Posting Whiz

As stupid as one can get, putting in third parameter called $matches, has granted me access to array with all hits. So easy, yet so hard to find.

Aeonix 71 Posting Whiz

The answer is perfect. But apparently I asked incorrect question. preg_match() brings up bool whether match has been found, not the content of match (how foolish of me).

The contents of --this is an example--. I need to retrieve them, as there are variables and settings within the double --. So I would need to find them match, retrieve its content (and then I know exactly how), explode the content, execute function properly and replace the found line.

Do you have any recommendations on where to learn tricks you provided? So far I look at it, it looks like black magic, any recommendations on where I could puzzle upon it?

Aeonix 71 Posting Whiz

Is there a way to grab strings that match patterns --*-- and ++*++ (two separate queries) where * is a wildcard and --, ++, are criteria to meet. I'd like to write matches within variable fully, like --daniweb.com-- and ++this just an example++.

preg_match() provides solution on alphanumerical identities. And there's been about 3 pages which focus grabbing all special characters, however, I need to focus these two. As I need to replace these two of these in future (after I find out the variables within -- or ++).

Aeonix 71 Posting Whiz

Full error: xengine.js:2 Uncaught SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode

I have no framework. This is pure flat HTML, CSS and JavaScript.

HTML goes on like this (up to relevant moment):
http://pastebin.com/s8s2KLmt

And the JavaScript (starting from line 1, no additional files, entire xengine.js):
http://pastebin.com/TcZSPi9D

Sorry for not putting this into code tags. I have issue with copying with Ctrl+V and the pop-up doesn't support the pasting in right-click menu.

I have been Googling for answers, but they involved frameworks. I don't use any. This error occurs both on Opera and Chrome, and I think that it will occur in every other browser. Any idea on how solve this?

Have I just found a bug, or my environment is screwed up?

Aeonix 71 Posting Whiz

No. It used to work perfectly with new design as well.

It started exactly same day I posted this topic. After about 10 minutes of attempts of finding the cause, I decided to write this topic.

Aeonix 71 Posting Whiz

It works everywhere, except for DaniWeb.

It works in dual-boot Linux, works in Notepad++, works in address bar above, works for Opera, works for Google, works for Windows Search, works for Gnome-Konsole. Doesn't work for DaniWeb.

Only this particular site, doesn't allow me copy, pasting and selecting all text by keyboard shortcuts.

Aeonix 71 Posting Whiz

Maybe upon a fact, that I can't copy...

Aeonix 71 Posting Whiz

I just wanted to ask for help with understanding C++ code. Suddenly I realized, that I can't copy the code. Yes, my keyboard is working fine on every other program.
After further inspection I found out, that every Ctrl usage (except Ctrl+Z, Ctrl+X) has been blocked.

\(<.<)/ what?!

Aeonix 71 Posting Whiz

Nevermind, cereal solved issue of value not printing due to scopes. Now I can modify script to print my values, which it does, they're not correct yet, but I'll do it myself.

Thanks cereal.

Aeonix 71 Posting Whiz

Here's the challenge, may shine more light.

Nice that you provided answer, but there's not a lot I can learn from that :|

The script provided, has to solve two test-cases, it did solve the first, it didn't solve the second :|, because of missing loop.

Still trying to get your first suggestion to work.

Aeonix 71 Posting Whiz

This is ALL of the PHP code. At least the part that I write.

Aeonix 71 Posting Whiz

I'm working on certain PHP-skill-teaser. No background is really needed as error is purely PHP-based. The PasteBin.

I have double do-while in there, however I can't modify variables from within that loop, they simply don't affect the variable anyhow. I have tried a lot of solutions, including those about $GLOBALS and global $x, $y, $z; definitions within the scope. Many other solutions on similar problems went about foreach() which didn't apply in my situation :|

But to no avail.

Writing Code: 30 minutes.
Bug Fixing: 3 hours.

#justCodersThing()

Aeonix 71 Posting Whiz

Ah, screw it, I give up.

It seems nobody reads to first post. Oh and jwenting https://www.daniweb.com/community-center/threads/499658/recommended-life-time-hosting#post2185508
Big Daniweb used only 2 hostings, I don't see you being offensive douche to whomever stuck along two hostings. Why do you have to be such an a-- against me?

Anyways I'm off, I was mistaken.

Aeonix 71 Posting Whiz

You can't protect 100% against what somebody may do in the future. That's futile.

Maaaaaaaaaaaaaaaaaaaaaaaannnnnn...

I know that there are some very high-end website crackers who will find some hyper-super-duper 5TiB long SQL query, which will incinerate the script. But will it keep 99.9% of tryhards/script kiddies away? It is RELATIVELY impossible to break?

Anyhow, considering another thread of yours about "perpetual hosting", it sounds like you're going to build a few sites and just let them run without any maintenance. Tell me you're not, heh heh.

Never! Wow, my reputation precedes me, if you think I would leave it built once, you must think low of me.

nevermind

Aeonix 71 Posting Whiz

Yes, that's 33% of the answer.

But I asked whether htmlEntities(), would provide more security. Over 10 years there will be nutjob that will find way to bypass those prepared statements mentioned in your tutorial (as we can now evade mysqli_real_escape_string() using non-standard characters, when people thought it was impossible (it is fixable, but soon will be not, then it will, then not anymore etc.)). I was just wondering whether htmlEntities() would help with it. Or it's just another waste of time and processing power. I think it would dodge malicious intents, with mentioned precautions (that I also mentioned in the post).

The other part is about XSS, is htmlEntities($example, ENT_QUOTES) going to protect me from virtually any type of input?

Aeonix 71 Posting Whiz

$allowedForUniversalUsage = htmlEntities($_GET["potentially_super_malicious_code"], ENT_QUOTES);

Does script above help me against XSS and MySQLi injection?

My thoughts would be:

Protection against XSS: Yes
I mean. XSS means that someone would be able to input code, which will be shown publicly and will be executed, the htmlEntities(). It converts actual code into encoded strings, it is as &lt;a href=&quot;#&quot;&gt;Close&lt;/a&gt; according to browser. I can print this, but it won't be executed so it can't really do anything anymore, can it?

Why do I ask, if I found an answer? I still have concerns. Will the line that I served at begin, block malicious content in $_GET["potentially_super_malicious_code"] ? Single quotes, double quotes, penta quotes, triangles, daggers, Doritos everything that could be understood as code, will be parsed into textual-like form? No general way to bypass it?

Protection against MySQLi injection: Yes
Same as with XSS. Doesn't htmlEntities() forbid ' and "'s? Which are super essential? If I bound params, used MySQLi string escapes, allow only alphanumericals and force htmlEntities() parsing, does this block every possible attempt of "bad things happening"?

I know that there are some very high-end website crackers who will find some hyper-super-duper 5TiB long SQL query, which will incinerate the script. But will it keep 99.9% of tryhards/script kiddies away? It is RELATIVELY impossible to break?

almostbob commented: thoughts:: are good start to a thread +13