Hi,

as the error states the format of the invoice is not recognized by their system, you are showing only the namespaces in the header of the XML document. The document must conform to these namespaces. So if the namespace xlmns:p defines nodes like <p:FatturaElettronica> the following:

<FatturaElettronicaHeader> 
      <DatiTrasmissione>

Will probably be:

<p:FatturaElettronicaHeader> 
      <p:DatiTrasmissione>

Ans so on. Verify if there are nodes that are breaking these rules. If you have difficulties, please share a full example of this document and the related documentation.

Read More

Hi Jailani,

in your code you are using:

$value = $_GET['change'];

which will not work if the form set the method to POST:

<form method="post">

if you perform a POST request then you have to use $_POST in the PHP side to access the values of the input fields. You could use $_GET, but only if appending values to the action link of the form tag, for example:

<form method="post" action="script.php?id=123">

Also, you are trying to access the id, like this:

$id = $_REQUEST['id'];

I suppose you want to get it from this line:

echo"<td><font color='black'>" .$test['id']."</font></td>";

It will not work, unless you do not add an input field like this:

<input type="hidden" name="id" value="<?php echo $test['id']; ?>">

This is more correct, but you are also looping the array from the query, so you are going to create a group of rows, in the HTML, each with:

echo"<td><input type='text' name='change'/></td>";

In this case, since you are not submitting $_POST['change'] as an array and since this is a text type, you will apply only the last one in the list:

<tr>
    <td><input type='text' name='change'/>
<tr>
    <td><input type='text' name='change'/>
<tr>
    <td><input type='text' name='change'/> <-- only this will be applied

So the input name should look like more name='change[]':

<tr>
    <td><input type='text' name='change[]'>
<tr>
    <td><input type='text' name='change[]'>

Even by applying this your update query will still not work, because you have to loop the $_POST['change'] and the other fields values.

This post may help you:

it applies to <select> tags, but ...

Read More

Re:

C:\Program Files (x86)\EasyPHP-DevServer-14.1VC9\data\localweb\masterlinkci2\application\site\views\errors\html\error_php.php

Can you reach the error_php.php file by following the path described in the warning?

Read More

Check arp-scan -ln it outputs something like this:

> arp-scan -ln
Interface: wls1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1     00:c0:9f:09:b8:db       QUANTA COMPUTER, INC.
192.168.0.5     00:02:a5:90:c3:e6       Compaq Computer Corporation
192.168.0.87    00:0b:db:b2:fa:60       Dell ESG PCBA Test
192.168.0.90    00:02:b3:06:d7:9b       Intel Corporation
192.168.0.153   00:10:db:26:4d:52       Juniper Networks, Inc.
192.168.0.191   00:01:e6:57:8b:68       Hewlett-Packard Company
192.168.0.196   00:30:c1:5e:58:7d       HEWLETT-PACKARD

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.628 seconds (157.25 hosts/sec). 7 responded

And you could simply parse the output. But I'm not sure if there is a version for Windows platforms. Some info here:

Read More

Re:

Well, I redirect application_folder value to application/site since I divided application folders into two folders admin and site. admin for backend and site for frontend.
[...]
and still receiving that same error:

To make it work, both applications must have the requested folders and files. In practice make a copy of what is inside application/ into application/admin/ and application/site/. I'm assuming your admin panel is inside the application/admin/ folder. So you end up with something like this:

.
├── .htaccess                        <-- 1st .htaccess
├── admin
│   ├── .htaccess                    <-- 2nd .htaccess
│   └── index.php
├── application
│   ├── admin
│   │   ├── cache
│   │   ├── config
│   │   ├── controllers
│   │   ├── core
│   │   ├── helpers
│   │   ├── hooks
│   │   ├── index.html
│   │   ├── language
│   │   ├── libraries
│   │   ├── logs
│   │   ├── models
│   │   ├── third_party
│   │   └── views
│   └── site
│       ├── cache
│       ├── config
│       ├── controllers
│       ├── core
│       ├── helpers
│       ├── hooks
│       ├── index.html
│       ├── language
│       ├── libraries
│       ├── logs
│       ├── models
│       ├── third_party
│       └── views
├── index.php
└── system

In the above structure there is an index.php file in the document root and another in the admin folder. The former will point to the site application, the latter to the admin application, by editing the $application_folder value for the former to:

$application_folder = 'application/site';

And the values of the ...

Read More

Re:

i am just curious how to access social media accounts like facebook, watspp etc. with the users' permission in order to help them prevent unethical hackers from breaking into their accounts.

Even if ethical, that would probably be a misuse of FaceBook terms of services. There are projects, like BugCrowd, which allows you to hack into a service, limiting the activity to specific targets requested by the owner and following specific rules: non disclosure & co. Facebook partecipates to that, and usually pays bounties through their system. So, if you are really interested check it out: https://bugcrowd.com/

Read More

Re:

Ok, so you changed the $application_folder value to application/site, is this correct?

Are you creating an application folder named site inside the application folder? I mean, do you have something like the following:

application/
└── site
    ├── cache
    ├── config
    ├── controllers
    ├── core
    ├── helpers
    ├── hooks
    ├── index.html
    ├── language
    ├── libraries
    ├── logs
    ├── models
    ├── third_party
    └── views
        └── errors
            ├── cli
            └── html

Otherwise restore the $application_folder value to his default application and it should work fine.

See: https://www.codeigniter.com/user_guide/general/managing_apps.html

Read More

Re:

Hi,

are you loading the database library? You can do that in the application/config/autoload.php file, to make it available in all controllers and models:

$autoload['libraries'] = array('database');

Instead, if you do not want to load it for every resource, you can load it in the constructor of the model or in the specific method. For example:

<?php

class Gallery_model extends CI_Model
{

    public function __construct()
    {
        parent::__construct();
        $this->load->database();
    }

    public function get_picture($id) { /* ... */ }

}

It could go also in the controller (method or constructor), the library then would be used by the loaded models as well.

See:

Read More

Ok,

it does not work because you are not accessing to the returned row when you call $stmt->otdq_ordernum.

Use:

$row = $stmt->fetch();

And then:

$row->otdq_ordernum;

Or use a MySQL variable.

Also rowCount() in PDO, assuming you are using it, does not return the rows found in a SELECT statement, but only the rows affected by INSERT, UPDATE, DELETE & similar statements.

See:

Read More

In this very specific case, because $ID is expected to be an integer, you could use exec() which returns the number of affected rows by the statement or something that evaluates to boolean FALSE (if something goes wrong) but you have to properly sanitize the variable.

$ID = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT);

if(FALSE !== $ID)
{
    $update = $db->exec("UPDATE table SET count = count + 1 WHERE id=".$ID);

    if(FALSE === $update)
    {
         // log the error, kill the script, etc.
    }

    else
    {
        // successful update
    }
}

else
{
    // $ID is not valid
}

In case of strings, instead, the filter function is not enough, because sending something like 0 OR 1=1 would be valid and expose your query to an SQL injection attack.

I prefer to have few extra lines of code and go with prepared statements.

Besides, in PDO you can send the values as an array, in the execute() method:

$stmt->execute([':ID' => $ID]);

Read More

I was supposing the $_POST['Net'] arrays to hold float values, not file names. Anyway you could write:

$files    = [];
$products = [];

while($rowProduct = mysql_fetch_array($productSQL))
{
    $products[] = $rowProduct['POProductNet'];
}

if(TRUE === isset($_POST['Net']) && TRUE === is_array($_POST['Net']))
{
    $files = array_map('basename', $_POST['Net']);
    $diff  = array_diff_assoc($products, $files);

    if(count($diff) > 0)
    {
        // write data to db
    }
}

Here I'm just using the array functions, instead of the loops, it's just a choice. You can go with loops.

But if $_POST['Net'] is supposed to always be an array, then I would check it in the sanitizing step, not after the query to the database. So it would look like more:

$net = filter_input(INPUT_POST, 'Net', FILTER_SANITIZE_STRING, FILTER_REQUIRE_ARRAY);

if(FALSE !== $net)
{
    $files    = array_map('basename', $net);
    $products = [];

    // select query the database
    // populate the $products array
    // compare with $files
}

Read More

I also wonder if I could upload pdf through Roxy Filemanager?

It seems possible. This is defined by the ALLOWED_UPLOADS and FORBIDDEN_UPLOADS of the conf.json file (see previous link). The former is the whitelist, define for example pdf jpg png to allow these files to be uploaded. The latter is a blacklist, which his own defaults, make sure pdf is not listed there and it should work fine.

Then use insert link, browse to file and select Add file to upload a file from your computer.

Once is uploaded, if you can select the file, like in their demo, then there should not be the need to type, as you can add a description text in the modal view.

I have to type it according to the folder.

That's the point, it's not upload but uploader. In any case you can insert an HTML link, but use an absolute path:

<a href="/assets/uploaded/artikel/file.pdf">[PDF] Description of file</a>

Read More

Oh, ok, there is a configuration option FILES_ROOT in the conf.json file of the Roxyfileman, used to define the path in which upload the files. According to the documentation the path MUST be absolute to the document root of the website:

Looking at the HTML of the first link you posted, it does not seem to be absolute:

<div style="text-align:justify"><p><a title="Presentasi Tugas LPJK ke 5" href="../../../../assets/upload/artikel/2007TugasLPJKke5.pdf" target="_blank" rel="noopener noreferrer">Presentasi: Tugas LPJK ke 5</a></p></div>

Here the value assigned to FILES_ROOT should probably be /assets/uploaded/ or /assets/uploaded/artikel/ if you want to restrict it to that path.

Are you able to browse to the PDF through the plugin? Can you upload? Like in their demo?

Read More

Hi,

the first link redirects with 302 to the home page, when instead should show a 404 error page.

Look here:

And go to the first folder:

You server is listing the index, from there you can see that the upload directory does not exists. It exists uploaded, from there you can get the file. Fix the link and it should work fine.

The second link you posted points to cpanel because it referes to a cpanel session, it cannot download a file without having a valid session. That's for security, so it is correct.

Read More

@AssertNull

Hi,

just to add something: the first step to avoid spam filters is to setup SPF and DKIM in the TXT records of the domain. That way Google, Hotmail & co. can verify if the sender address is allowed and if the origin is correct. For example, take Daniweb setup:

# query Google DNS
> dig daniwebmail.com ANY @8.8.8.8

daniwebmail.com.    299 IN  MX  5 daniwebmail-com.mail.protection.outlook.com.
daniwebmail.com.    299 IN  A   169.55.25.110
daniwebmail.com.    299 IN  TXT "MS=ms74324738"
daniwebmail.com.    299 IN  TXT "v=spf1  include:spf.protection.outlook.com ip4:169.55.25.96/28 ip4:169.55.29.192/27 ip4:74.53.219.128/25 a mx include:_spf.google.com ~all"

The TXT record is saying from which IP addresses the emails should be considered valid, this includes a range of IPs, the mail server defined in the MX record and the IP from the A record.

For example last newsletter came from community@daniwebmail.com and from IP 169.55.25.110. With spfquery you can test the validity of the origin:

spfquery -guess "v=spf1 mx a -all" -ip 169.55.25.110 -sender community@daniwebmail.com

The response looks like this:

passpass

spfquery: domain of daniwebmail.com designates 169.55.25.110 as permitted sender
Received-SPF: pass (spfquery: domain of daniwebmail.com designates 169.55.25.110 as permitted sender) client-ip=169.55.25.110; envelope-from=community@daniwebmail.com;

Which is basically what are doing mail services when receiving an email message. If the SPF is genuine then there are good chances to avoid the SPAM folder. But at that point it's necessary to act like you wrote, by rate limiting messages and by choosing correct phrasing.

More info:

Bye!

Read More

Comments
Good info

Hi,
the PHPMailer hack would probably fail if submitting filtered data to the library, i.e.:

  • sanitizing through filter_input()
  • and by using SMTP, because it will not use sendmail, nor mail()

Note, a filter_* function is also used in the PHPMailer library, but as default option of their validateAddress() switch and does not run, if other extensions are loaded.

In reference to your first request search for SSLsplit and mitmproxy, in practice the attacker takes the role of the gateway and intercepts & modifies the requests, but it requires to be in the same network.

Read More

Hi,

it happens because their server detects you are using a bot, by setting a User-Agent their server replies with a Location header that suggests where to redirect the request, this is a time-limited login link that redirects back to the requested page. Example with HTTPie:

http -vv GET http://www.aaii.com/sentimentsurvey/sent_results User-Agent:'Mozilla/5.0 (X11; Linux i686) AppleWebKit [...]'

You send:

GET /sentimentsurvey/sent_results HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: www.aaii.com
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit [...]

And get back in response:

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sat, GMT
Location: https://user.aaii.com/sso/login.aspx?vi=8&vt=[ALPHANUM_STRING]&DPLF=Y
Pragma: no-cache
Set-Cookie: CFID=; HttpOnly;expires=Mon, ;path=/
Set-Cookie: CFTOKEN=UUID-STRING; HttpOnly;expires=Mon, ;path=/
Set-Cookie: JSESSIONID=ALPHANUM-STRING;path=/; HttpOnly
Transfer-Encoding: chunked

Now, the browser at this points follows the Location header, so you get the page. With HTTPie is done by repeating the request and by adding --follow and you finally get:

HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sat, GMT
Set-Cookie: VISIT=1; HttpOnly;expires=;path=/
Set-Cookie: JOINAD=; HttpOnly;path=/
Set-Cookie: COUNTER=0; HttpOnly;path=/
Set-Cookie: POPCOOKIE5=0;expires=;path=/
Set-Cookie: POPCOOKIE90=0;expires=Sun, ;path=/
Set-Cookie: POPCOOKIE5=1; HttpOnly;path=/
Set-Cookie: POPCOOKIE90=1; HttpOnly;path=/
Set-Cookie: NOTBOT=0;expires= GMT;path=/
Set-Cookie: EXPIREHOLD=
Transfer-Encoding: chunked

The NOTBOT cookie seems to be the key, but it will not work in first instance if you don't send also the other cookies.

You can try to use curl CURLOPT_FOLLOWLOCATION or a stream context within file_get_contents but I suspect that in both cases you would violate their terms of services. See if they have an API or an XML feed that you can query regularly.

Read More